Author Topic: Forensic Software, miscellaneous  (Read 9118 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 190065
  • No input, no output
    • DVB-Cube
OSForensics 9.1.1004
« Reply #135 on: 09 December, 2021, 19:30 »
Changelog

    Case Management:

    Enhanced USB Write Block to block more kinds of removable storage devices

    Disk Image and Filesystem Support:

    APFS, added additional file system caching for better performance. Result was up to 30X performance improvement for file searching.
    Support for APFS Sealed Volumes
    APFS, handle compression algorithm 5

    File Viewer:

    Fixed hang when a file system read error occurs when attempting to generate thumbnails

    JSON Viewer:

    Added new feature to parse Google Location History JSON format archive file exported via Google Takeout service, shows a summary of the locations list.
    Selected locations can be exported in KML/GPX/CSV formats for use in applications like Google Earth, Google Maps My Maps and OSForensics Map Viewer.
    Updated right-click menu to view locations on internal Map Viewer.

    Web Capture:

    When downloading large videos, the connection to the remote server could end with Windows error 10060 (connection drop) and/or 10054 (server terminate connection). Previous behaviour: OSForensics reported failed download. Now if OSForensics detects the download failed because of the above errors, it will attempt to retry the download (the download should continue where it left off). If it fails three (3) times, it will ask the user if they want to continue to retry or stop.

http://www.osforensics.com/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

OSForensics 9.1.1005
« Reply #136 on: 21 December, 2021, 10:00 »
Changelog

    Create / Search Index
        New indexer builds with updated support for APFS
    File Name Search
        Recognizes JSON (*.json) and Event Log (*.evtx) files and opens them with internal viewers
    JSON Viewer
        Added support to parse Google Chat record exported from Google Takeout service
        Can parse a single "messages.json" JSON format file or select to parse multiple files at once
        Same as the Hangouts, it shows the conversations in HTML with formatted chatting app-like style
        Fixed right-click Add to case menu, users can choose KML/GPX/CSV formats when adding selected items to case
    Manage Case
        Updated USB write-block message to differentiate when enabling and disabling the setting
    Raw Disk Viewer
        Fix handling of clusters for APFS "cloned" inodes that share clusters with other inodes

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1006
« Reply #137 on: 23 December, 2021, 11:00 »
Changelog
       
    Case Manager
        Added option to "Add to Case" when right click on multiple tagged items. OSForensics will add tagged files but warn and provide a list of tagged items that are references (e.g. artifact found within a database) that could not be added to case.
    Device Manager
        Added support for detecting hidden file systems on entire disk images. This allows for recovery of deleted partitions (depending on what remnants are left on disk)
    System information
        Updated hardware support to correctly report on DDR5 RAM and Intel 12th Gen CPUs with efficiency cores and performance cores
    Password Recovery
        Fixed bug causing columns in list view to disappear after user has configured the active columns, when a new case is loaded
    Misc
        For some modules that allow user to configure columns orders, added a "Defaults" button to allow user to reset the columns to OSF's default settings
        Added the Microsoft DLL, msvcp140_codecvt_ids.dll to installer as it is required by translate.exe, which is in turn used for viewing Word documents. But the DLL is missing in Win 7. The codecvt_ids DLL converts characters between different character sets.

http://www.osforensics.com/

Offline SiLæncer

Autopsy 4.19.3
« Reply #138 on: 27 December, 2021, 22:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

    Bug Fixes:

    Updates for log4j vulnerabilities.
    Solr 8.11.0 Upgrade
    Manual update of log4j to 2.16.0

http://www.sleuthkit.org/autopsy

Offline SiLæncer

OSForensics 9.1.1007
« Reply #139 on: 24 January, 2022, 19:00 »
What's new:

    Case Manager:

    Support for adding recovered partitions to case

    Misc:

    Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
    Keep single instance of physical disk info shared between all modules

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1008
« Reply #140 on: 27 January, 2022, 11:01 »
What's new:

    Disk Image and Filesystem Support
    Fixed HFS+ partitions being incorrectly identified as ext2

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1009
« Reply #141 on: 03 February, 2022, 11:00 »
Changelog


    Case Management:

    Fixed possible crash (crash was due to uncaught exception from MoveFile failure) when changing the case location in the Edit Case Details dialog when paths are longer than MAX_PATH

    Deleted Files:

    Cleaned up text/message for the Save Checked Deleted Files confirmation dialog

    Direct Image Access / Filesystem support:

    NTFS, fixed bug in traversing $I30 entries in directories spanning multiple MFT records

    File Name Search:

    Enabled "Show $FILE_NAME Dates (NTFS)" configuration option automatically if any of the $FILE_NAME columns are selected when configuring displayed columns
    Fixed bug where the custom case directories a user can specify in the config settings did not get reset when switching between cases

    File System Browser:

    Fixed issue of FSB starting in extremely minimized state. Issue was caused if previous instance of FSB was minimized when closed. Now if closed while minimized, FSB will not save existing dimensions and reuse the last saved values

    File Viewer:

    Fixed bug where OSF crashed when trying to retrieve file info from a file that does not exist
    Fixed bug where if 'save file' option is used on a HFS file system and with 2 or more files selected, the saved file name was incorrectly output

    Mismatch Files Search:

    Updated help file to add more detail on how 'Filter Types' is used
    Fixed Chrome/Firefox Cache image exclusions (caches were in different places than expected, e.g. for Firefox, it is different based on OS)

    Search Index:

    Fixed bug where displayed sort options did not match function (email + attachments)

    Signatures:

    Will now clear create signature config (output type, hashes, etc) each time a new case is loaded

    User Activity:

    Fixed bug where all USB entries weren't displayed unless the "event log" option was selected as well
    Will now clear user activity config (date range etc) each time a new case is loaded

    Misc:

    Decreased the size of the Deleted Icon (X) overlay over image thumbnails
    Added .emlx to email pre-sets where used

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1010
« Reply #142 on: 24 March, 2022, 09:00 »
Changelog


    Boot VM

        Added more verbose debug logging when obtaining privileges to mount a registry hive
        Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected

    Disk Image and Filesystem Support

        Fixed reading of volume bitmap failure due to sector unaligned access
        APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
        APFS, fixed reading compressed file data for files with hard links
        APFS, fixed bug in decompressing zlib-compressed file data
        APFS, fixed reading of lzvn-compressed file data with updated implementation
        HFS+, fixed bug in decompressing zlib-compressed file data
        HFS+, support for reading lzvn-compressed file data stored in resource fork

    File Hashing

        NSRL import, the latest hash set (2.75 Dec 2021) contains an invalid character that was stopping the import from running correctly, this has now been fixed

    Help

        Added the FireFox/Chrome cache directories that are excluded when using the Chrome/Firefox exclude image cache file options in the Files Mismatch module

    Password Recovery

        Fixed issue with browse dialog not accepting multiple files correctly

    Screen Capture

        Fixed GDI handle leak when drawing button. This caused a leak when drawing windows containing the Screen Capture button (eg. internal viewer)

    Search Index

        Fixed file handle leak
        Fixed GDI handle leak
        Fixed a bug that could occur on the off-chance that system time is the same for two searches

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1011
« Reply #143 on: 04 April, 2022, 06:00 »
Changelog


    Device Manager:

    Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space

    Subscription:

    Fixed crash when checking subscription validity

http://www.osforensics.com/

Offline SiLæncer

OSForensics 9.1.1012
« Reply #144 on: 06 April, 2022, 09:22 »
Changelog


    File system support:

    exFAT, removed check for volume attribute bit when traversing file entries, which appears to be set in macOS created volumes (which caused file sizes to appear as 0 and some directories to be hidden)

http://www.osforensics.com/

Offline SiLæncer

OSFClone 1.3.1001
« Reply #145 on: 12 April, 2022, 10:30 »
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

Updated Porteus Linux to V4.0 (Base Image, Porteus-XFCE-v4.0-x86_64.iso)

http://osforensics.com/tools/create-disk-images.html

Offline SiLæncer

OSForensics 10.0 Beta 1
« Reply #146 on: 10 June, 2022, 19:00 »
Changelog


    Boot VM:

    Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
    Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
    Added check and display error for partition-only images without a supported OS before mounting as physical disk
    Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)

    Case Manager:

    Support for adding recovered partitions to case
    Added ability to save and load custom templates for evidence categories
    Added ability to rename case devices after they have been added
    Add Device, changed the default display name to include the date the shadow copy was taken.
    Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
    Report Generation, added the details of OSForensics digital signature to generated reports
    Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
    Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
    Report Generation, Added "Software Verification" link in report sidebar
    Report Generation, Added certificate verification information to non HTML reports

    Clipboard Viewer / ThumbCache Viewer:

    Will now draw checkerboard background for improved display of transparent images
    Improved drawing of images to reduce flickering

    Deleted Files:

    Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
    MFT and Carving now enabled by default
    Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
    Changed name Plist to Binary Plist and improved detection to limit false positives
    File carving, fixed possible crash when carving MP3 files
    File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
    Added secondary sorting on second column (via dropdown and/or control click on details tab)
    Disabled sorting while deleted file scan is in progress
    Lowered priority level of carving threads to improve response from computer when carving is in progress
    Thumbnail Tab, added a quality level indicator to the thumbnails preview
    Added support for carving MFT file records on non-NTFS quick formatted volumes
    Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
    Added new scan method to config window, changed dropdown box to checkboxes.
    Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
    Added check for large buffer sizes before allocating memory when detecting faces
    Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running.
    File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving.
    File carving, optimization, updated extensions with header signature. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
    File carving, optimization, improved the responsiveness for OSForensics when carving is running
    File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
    File carving, improved carving of HTML files
    File carving, reduced false positives for FLV files
    File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
    File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
    File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family).
    File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
    Opening internal viewer for Plist Files from within the deleted files module should now work
    Further optimizations to file carving. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)

    Device Manager:

    Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space

    Disk Image and Filesystem Support:

    HFS+, preliminary support for compressed files
    HFS+, fixed bug in decompressing zlib-compressed file data
    HFS+, support for reading lzvn-compressed file data stored in resource fork
    APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
    APFS, fixed reading compressed file data for files with hard links
    APFS, fixed bug in decompressing zlib-compressed file data

http://www.osforensics.com/

Offline SiLæncer

OSForensics 10.0.1000
« Reply #147 on: 14 July, 2022, 13:00 »
Changelog

       
    Auto Triage
        Added option to enable running auto triage automatically on startup, which can be enabled in the install to usb dialog and use settings last set
        Added splash screen and progress bar when running auto triage as a standalone option
    Analyze Shadow Copy
        Added ability to find shadow copies from analyze dialog without adding to case first
    Boot VM
        Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
        Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
        Added check and display error for partition-only images without a supported OS before mounting as physical disk
        Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
    Case Manager
        Support for adding recovered partitions to case
        Added ability to save and load custom templates for evidence categories
        Added ability to rename case devices after they have been added
        Add Device, changed the default display name to include the date the shadow copy was taken
        Added time zone names to time zone drop down and case report
        Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
        Report Generation, added the details of OSForensics digital signature to generated reports
        Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
        Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
        Report Generation, Added "Software Verification" link in report sidebar
        Report Generation, Added certificate verification information to non HTML reports
    Clipboard Viewer / ThumbCache Viewer
        Will now draw checkerboard background for improved display of transparent images
        Improved drawing of images to reduce flickering
    Deleted Files
        File carving, optimization. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)
        File carving, optimization, updated extensions with header signature ????ftyp to \x00\x00\x00?ftyp instead. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
        File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving
        File carving, optimization, improved the responsiveness for OSForensics when carving is running
        File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
        For FAT and NTFS file systems, added option to carve only Allocated sectors
        Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
        MFT and Carving now enabled by default
        Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
        Changed name Plist to Binary Plist and improved detection to limit false positives
        File carving, fixed possible crash when carving MP3 files
        File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
        Added secondary sorting on second column (via dropdown and/or control click on details tab)
        Disabled sorting while deleted file scan is in progress
        Lowered priority level of carving threads to improve response from computer when carving is in progress
        Thumbnail Tab, added a quality level indicator to the thumbnails preview
        Added support for carving MFT file records on non-NTFS quick formatted volumes
        Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
        Added new scan method to config window, changed dropdown box to checkboxes
        Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
        Added check for large buffer sizes before allocating memory when detecting faces
        Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running
        File carving, improved carving of HTML files
        File carving, reduced false positives for FLV files
        File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
        File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
        File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family)
        File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
        Opening internal viewer for Plist Files from within the deleted files module should now work
        NTFS, fixed potential memory issue when restoring deleted files
        NTFS, added more debug verbosity when restoring deleted files to disk
    Device Manager
        Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
    Disk Image and Filesystem Support
        HFS+, preliminary support for compressed files
        HFS+, fixed bug in decompressing zlib-compressed file data
        HFS+, support for reading lzvn-compressed file data stored in resource fork
        APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
        APFS, fixed reading compressed file data for files with hard links
        APFS, fixed bug in decompressing zlib-compressed file data
        NTFS, fixed bug in incorrect file being opened due to hash collision
    E-mail Viewer
        Message body containing inline content (eg. base64-encoded jpgs) now displayed as attachments
        Thumbnail preview for supported image attachments on mouse over
    ESEDB Viewer
        Viewer now displays when binary data has been found
        Search now looks for ASCII strings present in binary data fields
    Event Log Viewer
        Added "Device Connected/Disconnected" option to the filter preset list
    File Name Search
        Added Hash Set column which identifies which hash set the file was located in
        Fixed $FILE_NAME dates not being displayed for entire disk images added to case
        Added a reset button to config dialog which sets all changes made by user back to their defaults
        Made several popup dialogs to close when 'esc' is pressed
        Now using ffmpeg library instead of exiftool for counting video tracks for better performance
    Forensic and Cloud Imaging
        Rebuild RAID Disk, added support for detecting and rebuilding Linux mdadm RAID using superblock v1.X
        Forensics Copy, added ability to export forensic image as zip file
    Internal Viewer
        Perform initialization/shutdown of Media Foundation once rather than for every internal viewer instance
        Fixed issue that prevented deleted files opened from File System Browser from showing in the File Viewer
        Fixed incorrect thumbnail being drawn for current item, after the list is updated
        Migrated library for media playback from Windows Media Foundation to ffmpeg
        Added support for playing media from memory buffer sources (eg. deleted files)
        Will now display a specific error message when attempting to open media file with corrupted attributes (duration, video pixel format, etc)
        Fixed flickering from redrawing thumbnails from deleted search result
        Automatically rotate videos if rotation metadata available
        Added a check to only redraw thumbnails if the items changed
        Metadata, display an error message if exiftool executable was not found
        Fixed multithreading bug causing media playback issues when opening multiple instances of the same file
        Fixed video paint issues when resizing window
        Fixed first video frame occasionally being displayed immediately after loading preview thumbnail images
        File viewer support, added opening deleted files (image, video/audio, android backup, compressed archive, office files)
        Added right-click menu support for deleted files
    Install to USB
        Fixed bug, files required by the web browser module were not being copied
    Localisation
        Added localisation support for Korean, Chinese (simplified and traditional), Japanese, Spanish, German and French
    Mismatch File Search
        Separated default and user-created filters, removed "built-in" text
    OSForensics Digital Signature Verification
        Added button to start screen (in housekeeping section) that verifies the integrity of the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid
    Password Recovery
        Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
        Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
        Fixed password recovery issue with the records in "Windows.old" folder
        Fixed crash in ZIP password recovery when testing a single password
    Search Index
        Fixed GDI handle leak
    SQLite Browser
        New tab to show Unallocated Space (Free Pages/Blocks) within SQLite database file
        Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks
        Added Run SQL tab, allows users to write their own SQL statements
        Updated sqlite source files from 3.8.11.1 to V3.38.0
    Start Window
        Added settings option to allow for selecting language in use
    System Information
        Added partition selection dialog when scanning whole disk image with multiple partitions
        Added category for basic system information collection from non Windows machines
    Thumbnail Cache / Viewer
        Attempt to generate video file thumbnails if file extension is a known video type
        Attempt to load thumbnails only if the filename has a known file extension
        Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
        Fixed multithreaded handling of video thumbnail generation using Media Foundation
        Fixed thumbnail icons not appearing in thumbnail view
        Added check for large buffer sizes before allocating memory for displaying thumbnails
        Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
        Fixed pixelated play icon for video thumbnails
    User Activity
        Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation
        Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
        USB timeline, added support to collect USB Artifacts of USB storage device connection and disconnection history. This feature is achieved by analyzing event ID 1006 (from Microsoft-Windows-Partition%4Diagnostic.evtx) and event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of the latter channel is not enabled by default, users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events
        Added parsing for Linux log files located in the /var/log directory
        Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog
        Fixed an issue where Moved Downloads was not recognizing the system drive in live acquisition mode
        Added browser artifact support for some modern versions of Linux
        MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available
        Added warning when attempting to scan a drive image that does not exist
        Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
        Added check and warning message for missing case device when starting scan
    Web Server Log Viewer
        Added menu for filtering for common web exploits such as SQL injections
    Misc
        Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
        Keep single instance of physical disk info shared between all modules
        Fixed bugs with some MessageBoxes opening to wrong handle
        Changed some dialogs to close when 'esc' is pressed and centred others
        Installer, added language selection when running installer
        Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls
        GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems
        Centred some dialogs to main window for consistency
        Help file, updated file carving config info + images
        UI adjustments, centred additional dialogs
        Installer, updated OSFMount to v3.1.1001
        Installer, added Japanese language selection option
        Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
        Updated DirectIO driver used for system information collection to work with Win11 22H2 release


http://www.osforensics.com/


Offline SiLæncer

OSForensics 10.0.1001
« Reply #148 on: 22 July 2022, 09:15 »
Changelog

       
    Localisation
        UI adjustments for localisation
        Added some missing strings to localisation
    OSFMount
        Updated OSFMount files to fix driver and program version mismatch
    User Activity
        Increased event info string size to avoid overflow
    Volatility Workbench
        Updated Volatility tool from "3 1.0.1 - beta" to "3 2.0.1"
        Added new volatility commands to volatility workbench


http://www.osforensics.com/


Offline SiLæncer

OSForensics 10.0.1002
« Reply #149 on: 05 August 2022, 13:00 »
Changelog

       
    Create / Search Index:

    Fixed crash when saving and loading index configurations

    File System Browser:

    Fixed file entries not appearing in Details/List View in Win 7

    Install to USB:

    Added config link to adjust auto triage options in USB install window

    Localisation:

    Further UI adjustments for localisation

    Start Window:

    Fixed filename bug when opening a file directly from the start window (registry, email, etc) where the filename could be random text or not open correctly

    ThumbCache Viewer:

    Fixed thumbnails not appearing in List View in Win 7


http://www.osforensics.com/
