Announcement

Collapse
No announcement yet.

OSForensics V7.0 Beta

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V7.0 Beta

    A beta version for V7 of OSForensics is now available for testing.

    DOWNLOAD:
    UPDATE: The final V7 version has been released.
    Downloads are on the OSForensics download page.


    PROBLEMS
    If you find any problems, either post them in the forum here, or EMail us.

    KEYS and UPGRADES
    V6 keys will not work in V7.
    Free upgrades will be available (with new keys) if you have current paid up support at the date of the final V7 release.
    Otherwise a discounted upgrade will be available.
    This download will function as a 30 day trial without a key.

    EXPECTED RELEASE DATE
    Baring any major problems we are hoping to do the final V7 release late July 2019.

    WHAT'S NEW

    Platform support
    - OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.

    Add Device
    - Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case
    - Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows. RIP Forensics Dude.

    Android Logical
    - Fixed issue where during logical copy, some directories were not being included.

    Android Artifact
    - Removed misleading text indicated "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
    - Photo artifacts were only looking at the "data\\com.google.android.apps.photos\\db\\gph otos 0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advance viewing/search options.
    - MMS extracted with OSFExtract will show recipients on the message.

    Android Copy
    - Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
    - Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file. Which contains the addresses (recipients) for MMS threads.

    Auto triage
    - Added configuration options for logical image creation

    Boot Virtual Machine
    - Added ability to boot an image as a VM from OSForensics.
    - Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
    - Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
    - Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted were you left off
    - Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
    - Added 'Boot Virtual Machine' icon to Start page
    - User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
    - Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use with ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
    - VMWare 14,15 and VirtualBox 6 are supported as hypervisors
    - Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
    - Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
    - Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files are required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) is known to have a problem.
    - There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
    - A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.


    Case Manager
    - Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
    - Defined new hash set flag level "major" for Project VIC
    - Add info dialog when adding a Bitlocker-encrypted drive to Case
    - Added new case item group for virtual machines
    - Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
    - Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
    - Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
    - Reporting, "Skip Empty" checkbox to do not include empty artifact categories in the generated reports.
    - Add button for the Case Narrative (html) editor in the main Manage Case module.
    - Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list

    Create Index / Browse Index
    - New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
    - Updated indexing engine, with lots of more minor changes for handling different file types & performance.
    - Added ability to skip pre-scan when creating an index
    - At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
    - Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
    - Fixed bug with substring searches applying within exact phrases
    - Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
    - Fixed Check/Uncheck all buttons not affecting new file type options
    - Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
    - Fixed bug with filenames not being indexed for PDF files and other plugin formats
    - Improved error messages when failing to launch indexer

    Create Signature
    - File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.

    Compare Signature
    - Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
    - When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
    - Added a new difference type of "Attributes Modified"

    Deleted Files
    - Hashing of files will only be performed for non-empty files (0 byte files are skipped).

    Drive preparation
    - Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked

    Email Viewer
    - Fixed UI issues when minimizing and restoring windows

    ESEDB Viewer
    - Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
    - Columns can now be sorted by clicking on the column heading
    - Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.

    File Carving
    - Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
    - Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes only at the beginning of the sector.
    - Added definition for HEIC/HEIF image file format to allow these types of images to be carved.

    File Name Search
    - Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
    - Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
    - Change the module icon from "disk" to "binocular" to be consistent with the main menu.
    - Config, fixed bug where hash sets were not populating in the drop down selection.
    - Added right-click option to show only checkmarked files.
    - Added ability to include additional folders and/or exclude folders from the File Name Search.
    - When switching cases, any previous search result previously performed will be cleared.
    - Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
    - Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
    - Started saving column ordering, visibility and size in OSF config file

    File System Browser
    - Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
    - Fixed hidden scrollbar when minimizing/restoring the window
    - Fixed vector Out of bounds crash

    Forensic Imaging
    - Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.

    Forensic Copy
    - Added option to add individual files to the image list instead of just only folders.

    Hash Set
    - Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
    - Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
    - Added support for importing V2.0 format VIC hash set.
    - Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
    - Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
    - Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
    - Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
    - When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
    - Made error message more descriptive on import failure. Fixed bug holding hast set open after failure to import that was preventing deletion.
    - Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
    - Added "Delete" option from Hash Set Viewer window (right click menu)
    - Added confirmation message box when deleting a hash set
    - Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
    - Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
    - Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
    - Improved error message when failing to open .OSFHashSet file which is read only
    - NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.

    Install to USB
    - Added option to exclude password recovery dictionaries and rainbow tables from USB install
    - Changed out of space error message to use MB instead of bytes
    - Added option to include Hash Sets to be exported during install.

    Internal Viewer
    - File Info, added text to indicate if the file does not exist at the location
    - Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
    - Added preservation of 'create' and 'access' times, when available
    - Fixed contents of certain .rar files not being displayed (RAR5)
    - CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
    - Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.

    MemViewer
    - Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.

    OSFDevMgr
    - Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
    - Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
    - Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath

    Password Recovery
    - Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
    - Made some changes so the registry reading code at this point so it is now thread safe and will work better with the auto triage.
    - Started saving column ordering, visibility and size in OSF config file
    - Changed LM/NT references from "(disabled)" to "(empty)"
    - Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
    - 40-Bit Encryption, fix for parsing output of 40-bit file.
    - Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
    - Enabled debug logging for run_server.exe when OSF is ran in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
    - Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.

    Prefetch Viewer
    - Added all available run times to results list and exports

    Raw disk viewer
    - Fixed incorrect GPT 'Partition name' in Data Decode window

    Recent Activity
    - Made the recent activity navigation pane with the Tree view resizable.
    - Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
    - P2P, Fixed crash when running on Ubuntu drive
    - Changed "Show empty activity types" checkbox to default to on so empty types are displayed
    - Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
    - No longer stopping the windows search service when the windows search option is selected for a live system scan
    - Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
    - Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\OpenSavePIDlMRU
    - Added the other 7 run time stamps for Prefetch Files (for 8 total).
    - Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
    - Added Event Log Login Types description
    - Added MRU Adobe Acrobat Reader DC Artifacts
    - Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
    - MRU, Fixed crash when parsing Window's XP Registry files for OpenSave and LastVisit MRU
    - Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
    - Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
    - Added +/- expand collapse for artifacts that have subcategories.
    - Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
    - Fixed bug where the number of checked items links was not being shown in the File List Tab.
    - Added VLC artifacts for Windows and OSX/Mac
    - Added Windows Media Player Last played and folders artifacts
    - Added Mapped Network Locations from HKCU\Network

    Registry Viewer
    - Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).

    System Information
    - Removed "Get" from the Registry Commands.
    - Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
    - Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
    - Added a quick search box to search the text of the current result tab.
    - Added full name, description and password hint to “Get user information (Registry)” output
    - Fix to process "Enter" key notification while using the Find Text Control.

    Misc
    - Made some changes so OSF will start as the top most window (sometimes it would start in the background)
    - Updated help file
    - Fixed bug with unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
    - Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system where not reflected in File System Browser due to caching.
    - Updated 7zip DLL
    - Better reporting of SQL errors with hashset databases
    - Fix for bug with scroll bars in Compare Signature and Browse Index
    - New logging engine when using DEBUGMODE. Has more detail and has less overhead.

    continued in next post....
    Last edited by Tim (PassMark); 07-26-2019, 04:00 AM.

  • #2
    Changes in Beta 2

    Auto Triage
    - Fixed logical image file type preset not being set to recursive
    - Increased width of logical image config dialog

    Case Management
    - Added case details tab for customizing category definitions
    - When deleting a device that was the case default device the defualt device will now be set to the first device associated with the case or the C drive if there are no more devices.

    Hash Sets
    - Added support for importing Categories from Project VIC files.
    - Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files

    Password Recovery
    - Fixed bug where checked item count was not being reset if "Acquire password" was clicked again

    Recent Activity
    - Opera, fixed opera version being read incorrectly for new versions of opera
    - Opera, fixed bug stopping opera password data being read correctly

    Misc
    - Consolidated Red/Green/Yellow bookmarks into single generic bookmark
    - Made another change to force OSF to be the foreground window

    Changes in Beta 3

    Auto Triage
    - Moved deleted files report export to a separate thread to improve responsiveness
    - Moved recent activity report export to a separate thread to improve responsiveness
    - Disabled hashing of signature file list to improve responsiveness

    Boot VM
    - Fixed help link

    Case Management
    - Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
    - When removing categories, all case items belonging to category shall be unassigned

    Deleted Files
    - Improved responsiveness by not redrawing window if not visible
    - Fixed a lockup that could occur
    - Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
    - Removed message dialog when no files are found

    Forensic Copy
    - Improved performance of looking up duplicate paths by keeping track of hashes
    - Fixed copy operation not aborting after pressing 'Stop'
    - Changed source list view to owner draw for better performance
    - Moved total file size calculation to a separate thread for better response

    Hash Sets
    - Changed "Look up Hash Set" dialog to not close window when user cancels look up.

    Raw Disk Viewer
    - Fixed bookmark handling (removed red/yellow/green bookmarks, added category)

    Recent Activity
    - Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders

    Misc
    - No longer supporting XP due to some use of required windows API functions that are not supported on XP

    Changes in Beta 4

    Auto Triage
    - Fixed logical image settings not resetting when starting a new scan

    Case Manager
    - Categories can now have optional "Notes" property
    - Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
    - Fixed dialog not closing when editing Case narrative
    - When adding or editing case items, a new category can be entered in the Category dropdown
    - Added banner text for the Category dropdown
    - Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.

    Create Index
    - Fixed "Failed to add folder" bug with Create Index -> Add folder

    Deleted Files / File Carving
    - Checkbox added to enable/disable extensions for file carving.
    - Updated JPG file header definition to decrease number of false positive when carving.
    - Added definition for SQLite files
    - Added definition and extractors for Intel based Assembly Files (.asm)
    - Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Lecia/Panasonic RAW Image) formats

    File Previewer/Image viewer
    - Added support for single image HEIC files

    Memory Viewer / Static analysis
    - Raw Memory Dump, added progress bar and estimated time remaining.
    - Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134

    Recent activity
    - Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry

    Thumbnail View
    - Items found in hash set are now entirely highlighted (not just text)

    Misc
    - Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)
    - Renamed 'bookmarks' to 'tags'

    Changes in Beta 5

    Case Manager
    - Updated GUI text on "Add to Case" options and adjusted Edit Case dialog to show Help File link
    - Fixed crash where adding a category could cause a crash if "notes" was empty

    Misc
    - Added 'tag' icon to replace previous 'flag' icon
    - Added category shortcuts for tagging items to a particular category
    - Added marking items belonging to a particular category with the assigned colour
    - Added generating report of case items grouped by category

    Changes in Beta 6

    Case Manager
    - Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
    - Fixed grouping and working of buttons
    - Added warning message when modifying category details without clicking 'Save'
    - Removed all options other than 'Delete' when right-clicking multiple selected items
    - Fixed assertion when sorting Case Item name
    - Added missing 'Raw Disk' exports to generated report
    - Updated GUI text on Edit Categories from "Modify" to "Save"
    - Added exporting case items grouped by categories

    Create Index
    - New Indexer builds fixed bugs with handling multi-partition images
    - Fixed bug with Index names ending with "." which caused various failures
    - Fixed indexing unallocated clusters for entire disk images
    - Increased width of drive drop down
    - Cleaned up some error messages

    ESEDB viewer
    - Added check on viewer size when first opening to prevent window being too small
    - Fixed bug where columns with data type binary weren't being displayed correctly
    - Fixed bug where using the "clear search" button wouldn't display the original list correctly

    Deleted Files / File Carving
    - Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
    - List view in Status Window showing total files found is now sortable.

    File Name Search
    - Added sorting by category
    - Fixed default title not being updated when adding multiple files to case

    Help
    - Updated Case Management screenshots and descriptions
    - Added section on Case Categories

    Recent Activity
    - Initial addition of SRUM database scanning. Currently only displaying results from the "Windows Network Data Usage Monitor" table but will be expanded to add information from the other tables. Full table can still be viewed in ESEDB viewer.

    Web Browser
    - Updated video download script to support recent changes at Youtube which broke video download feature.

    Changes in Beta 7

    Create Index

    - Fixed bug where a files was closed incorrectly

    File Name Search
    - Files belonging in categories now marked by corresponding highlight colour in File List and Thumbnail view

    File Viewer
    - Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.

    Raw Disk Viewer
    - Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)

    Search Index
    - Fixed opening of unallocated clusters for entire disk images in internal viewer

    User Activity (Previously “Recent Activity”)
    - Renamed "Recent Activity" to "User Activity"
    - SRUM database, now collects information from more available tables
    Last edited by Tim (PassMark); 07-26-2019, 04:01 AM.

    Comment


    • #3
      NO HA HABIDO MEJORA....?, POR EJEMPLO ME GUSTARÍA QUE MUESTRE LA FECHA DE INSTALACIÓN DE los PROGRAMAs

      Comment


      • #4
        ademas, seria excelente que este programa venga en español o castellano. GRACIAS. saludo de su cliente de Perú

        Comment


        • #5
          We're looking into adding dates for installed programs for the next beta.
          There won't be any localisation for version 7 but we'll make a note to keep it in mind in the future.

          Comment

          Working...
          X