Case Management:
Added "Export case" button
Added a list of reports that have been generated (in case directory or last known export directory)
When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
Changed list view to allow groups (devices, reports, files etc) to be collapsible
Added last access date to case management when case is loaded
Fixed error copying files with long file paths in when a report was created and the report contained deep / long paths.
Fixed a bug when creating a case report that was leaving a file handle open
Added support for encrypting PDF report
Added predefined offenses list to 'Offense' drop down list when creating/editing case
Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
Case Details Dialog, will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
Re-added "E-mail Delivery Time" to report and the associated timezone
Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
Report production progress window was added to show some progress activity when very large reports are produced.
New Command Line Parameter to load a specific case (-C <PathToCaseFolder>), if path does not exists or CaseDetails.OSFCase file cannot be found, OSF will default to loading the the last case used.
Create Index:
New indexing engine (Zoom V8 with multi-threaded offline indexing)
Much better indexing performance (3x speed increase)
Updated Create Index interface with new file type selections,
New "Memory optimization / Indexing Limits" step to bypass Pre-scan
Added support for user configurable number of indexing threads (up to 10)
Added options to enable/disable RAM drive
Improved RAM estimations and Indexing Limits settings
Improved indexing Status interface
Updated OSF interface to show multi-threaded indexing
Updated OSF Create Index options to offer more control with file type selection
Removed unnecessary indexing warnings
Added count display for Prescan
Added thousands grouping for large numbers shown in Create Index windows
Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
Fixed a bug with indexing the compete content of Emails in PST files that were text only EMails.
Deleted Files:
Column ordering, visibility and size now saved in OSForensics config file
Configuration options now saved in OSForensics config file
Fixed a crash caused by logging a magic number incorrectly when getting deleted files
Fixed uncaught exception error when loading MFT for some OSF devices
Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
Added check for buffer overrun when looking for slack $I30 entries
Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
File Carver, TIFF/CR2 extraction should be better.
Disk Imaging:
Added extra check if the first read fails when verifying the image created.
Disk Preparation
Can now wipe BitLocked drives. Previously these drives appeared to be lock and could not be formatted.
Disk Test:
Fixed issue with formatting as FAT32 on small drives.
Fixed Crash when formatting as FAT32 fails.
E-mail Viewer:
E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
Fixed bug where case item title set to '<Use item name>' when selecting 'Use same details for all'
File System Browser:
Added right-click menu option to jump to MFT record in the raw disk viewer
Fixed stack overflow when attempting to add device to case
File Name Search:
Added an "Uncheck all" menu item to uncheck currently selected items
Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
Column ordering, visibility and size now saved in OSForensics config file
Removed folders from results when filtering using hash set
When filtering using hash set, fixed bug with current file being added to results after cancelling search
In hash set' flag is now set for results when hash set is used and made active
Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
Re-arranged configuration dialog
Forensic Imaging
Re-arranged tabs
Create Image, for physical disks, disk model and serial number are now saved in the info file
Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
Device & SMART Info, Added support for export and adding report to case
Device/SMART Info, added mouseover tooltip descriptions for SMART attributes
Forensics Copy:
Moved allocation of virtual disk image to thread to prevent system from being unresponsive
Hash Set:
Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
Fixed deleted hash set databases appearing in the file name search config drop down box
Re-organised buttons in main window
Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
Added default database name when importing VIC data set
Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
Fixed hash set operation LED still "active" when there's an error
Fixed number display and file size formatting to be more readable for large import files (> 4GB)
When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)
Hash set lookup
Added right click menu option to open files in internal viewer
Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values.
When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.
Install to USB:
Added help Link
Added separate "temp build" directory field when using WinPEBuilder.
Internal File Viewer:
EFS Support. When an EFS file now opened in the file viewer a temp copy will be created and passed to the hex and text viewee. If the matching certificate has been installed on the system then the text should appear decrypted.
Hex View, added right-click option to add selected strings to case (as HTML file)
Fixed potential mem leak when generating video thumbnails
Fixed potential concurrency issues when loading videos
Memory viewer:
Column ordering, visibility and size now saved in OSForensics config file
Added button to add memory dump to case
Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
Mismatch File Search:
Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV
NSRL Hash Import:
Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
New NSRL import config window to specify input and (temp) output folders
Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
Updated help file with info about allocating enough space on a RAM drive.
Status now displays percentage counter during file importing
Password Recovery:
Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
Column ordering, visibility and size now saved in OSForensics config file
Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as FireFox have started distributing as 64bit).
Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
Registry Passwords , added support for win10 anniversary update for live system in Forensics mode
Removed a "File not found" error when running the windows password search on a non system drive
Prefetch Viewer:
Added right-click option to export selected items to CSV
Rainbow Tables:
Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being past to format string when secure case logger was enabled
Raw Disk Viewer:
Added progress window when carving to file
Renamed 'Decode' window to 'Disk Info'
Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
Clicking on file paths now open the internal viewer
Clicking on LCN/offsets now jump to the offset in the raw disk viewer
Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
Fixed crash issue when sector size could not be determined
Fixed right-click "Jump to offset" not working some of the time
Recent Activity:
Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
"Show empty activity types" checkbox to default to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info
Registry Viewer:
Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
Fixed a possible crash when processing a registry file
SQLite Browser:
Will checks for Skype Sqlite database files during "Scan for DB Files".
Resizeable Dialog/Controls
Option (enabled by default) to convert known timestamps to readable format
Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive
System Information:
A new tab is now created for every new result
Added option to restore command lists back to default
Added "Recovery of Bitlocker Keys" to command list
Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
Added support for Embedded Python 3.6.5
Removed the "Get" from the start of some item names.
Changed button text from 'Add...' to 'New...' when adding new commands
Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
Re-organized controls
Added command to get current clipboard contents
Added command to get anti malware (windows defender) software status
Added command to get current TPM status
Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
Fixed crash possible with getting printer info when system returns bad information.
Triage Wizard (now renamed to Auto-Triage):
Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wan't ready for you.
Added option to create logical image with known system files
Added agent help text when mouse is hovering over a control
Added a free disk space check (for at least 1GB + memory size if memory dump selected)
Fixed a unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
Fixed a crash caused by trial limitations when running the triage wizard
Web Browser:
Added status bar to browser.
Can now select export format as Web Archive Format (.mht) when exporting webpage.
Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
Added a progress indicator for downloading large files.
Misc:
Added colour coding of encrypted files displayed in a file list
Added exit confirmation message
Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
Fixed a long delay at startup when not running as Admin
Removed agent icon from feature description text on start window
After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
Changed how temp files are stored, each thread now has a temp folder
Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esetutl as was timing out during triage runs
To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging
