Author Topic: Forensic Software, miscellaneous  (Read 9117 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 190056
  • No input, no output
    • DVB-Cube
OSForensics 3.1 Build 1007
« Reply #15 on: 04 May, 2015, 09:06 »
Changelog

Case Log:
Added preliminary implementation of Case activity logging
Case Management:
Made add note window resizable
Added vertical and horizontal scrollbars to Add note dialog, allowing more data to be saved and making it easier to format the notes.
Deleted files:
Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to different threads sharing same drive handle)
Hash Sets:
Fixed bug in deleting hash set from Tree View
Web Browser:
Fixed missing URL info when adding web snapshot to case
WinPEBuilder:
Can pass in .cfg file to preload some values of WinPEBuilder.exe
Install to USB:
Updated GUI. If installing to USB Drive, then only USB location will be allowed. If creating a bootable device, then any folder is allowed. OSForensics will prefill the output destination of OSForensics (via WinPE Builder config file) when launching WinPE Builder (Requires WinPE Builder 1.0.107 and up).
Misc:
Updated System information library

http://www.osforensics.com/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

OSForensics 3.2.1000
« Reply #16 on: 10 June, 2015, 13:36 »
Changelog


    Create Index
        Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
        Added indexing of From/CC/To etc. addresses from MSG attachments.
        Added missing support for indexing headers for MSG files
        The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed
        Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
        Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
        Fixed bug with indexing attachments from MSG files (failing to recognize file type properly)
        Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
        Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
    Case Manager
        User can now specify whether logging is enabled/disabled when creating or editing a case
        Error message is displayed if the log file is corrupted or tampered with
        When generating a report, added "No title" for when there was no title for an item, so the link to the file is visibly created
        When renaming (moving) cases, case items still used the old metafile path, causing issues with non-existent paths. Fixed by reloading case after moving.
        E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name
    Case Log
        Supplemental log entries added across all modules
        When logging is disabled, controls are now disabled and message is shown to the user
    Create/Verify Hash
        Fixed drive drop down list to include Case devices
    CSV Exports
        Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates
    Deleted Files
        Fixed bug with retrieving the clusters of a deleted NTFS file. This bug can potentially cause an invalid memory access crash
        Unallocated cluster information now being used for mounted devices
        Fixed bug with unable to save multiple deleted files from a partition without a drive letter (due to invalid characters in the device path)
        The number of files that were not saved due to reallocation now displayed
        Improved performance of saving deleted NTFS files
        Deleted files stored in multiple MFT records are now being handled
        Proper stream names are being used when restoring a deleted NTFS file
    Disk Imaging
        Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab
        Added check for no physical disk selected
        The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO
    Event Info
        Bug fix, stripped trailing space character from event title.
    Email Viewer
        A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent
        Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
    File Name Search
        Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable
    Hash sets
        Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny files, e.g. 0 byte files, always appearing in a hash set where there was a 0 byte file on creation)
    Password Recovery (Windows Login Passwords)
        Added cached domain users to recovery for local drives
        Fixed a crash that could happen when recovering cached domain users
    Recent Activity
        Added timestamps to WLAN items for the associated XML profile or registry key (where available)
        Bug fix, export event to CSV will now include the item's title.
        Columns will remember their widths when filtering, sorting and navigating to different activity types.
    Search Index
        Added To/From/CC information to attachment output when searching an index
        Removed the from/to/cc fields from the CSV export of a search for items that aren't emails/attachments
        Fixed bug with broken links in search index results for files containing percent encoding in filename
    System Information
        Added cached domain users to "Get User Info (registry)"
    ThumbCache Viewer
        Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view
    User Interface
        List/tree views across OSF now shows the selected item regardless of when the control loses focus
        Fixed drawing issues when minimizing navigation buttons
        Removed flickering when resizing window
        Fixed buttons not being displayed when resizing window
        Fixed drawing issues when resizing file/folder popup dialog
    WinPEBuilder
        Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
    Misc
        Updated help for new Case Activity Log section to describe logging feature
        Updated help with info on user editable file carving configuration file, osf_filecarve.conf
        Updated help to mention timezone in case management
        Updated System information library

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.2.1001
« Reply #17 on: 22 June, 2015, 12:19 »
Changelog
Case Manager

    E-mail attachment paths now include the attachment index number following the file name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple attachments with the same name.

Create Index

    Fixed some bugs relating to email attachments
    New URL format for attachments
    Fixed bugs with indexing attachments from mbox (.eml) in nested format
    Fixed bug with not indexing From/To details for Mbox attachments
    Fixed bug with indexing attachment titles incorrectly
    Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." to appear at end of indexing

Email Viewer

    When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file type, the function will try opening the file with each format until successful
    Fixed potential heap corruption when exporting an e-mail with a large text body
    Fixed possible memory leak

Recent Activity

    Added shellbag item from registry files collection and display
    Fixed a date conversion issue with Google chrome downloads date

Search Index

    Fixed some results not being filtered into the correct tab (eg. images in e-mail attachments)
    E-mail attachments with the same name can now be distinguished properly
    When doing bulk adding of items to case, user is no longer prompted when the item already exists in the case after checking the 'Repeat action' checkbox.
    Fixed various problems related to adding nested attachments/e-mails/archives to case.
    For E-mail paths that do not have a message ID in the path, a message ID of "0" is assigned
    Fixed issues with the case flags not appearing for some items

Misc

    Fixed some date formatting bugs introduced in the previous build that were causing dates to appear blank

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.2.1002
« Reply #18 on: 28 August, 2015, 09:05 »
Changelog
Create Index:

Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
Fixed many common errors and warning messages and file recognition
Fixed many issues with .zip, .gz, and .tar.gz archives. And recursive archives.
Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index
Added fix for "Core engine is not responding" when indexer was stuck in "Finishing" stage due to large index or slow disk write

Email Viewer:

Added right-click option to jump to the message ID of an e-mail file
Added progress details when scanning for deleted e-mails
Fixed bug with deleted e-mails not being displayed in the EmailViewer
Fixed 'assert' error appearing when Subject field is missing in MIME headers

Index Log Viewer:

Fixed crash when trying to view a previous index log while an indexing job is running.

Recent activity:

Fixed an issue when trying to get IE10+ URLs from a read only drive
Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach IE10 database" error in some cases
Fixed an "autofill_dates" missing error caused by a Chrome update removing this table
Fixed a "malformed" database error when getting Chrome cookie information
Fixed some display and sorting issues with shellbag items on the file details tab

Registry Viewer:

Fixed a crash when opening a corrupt registry file

Misc:

exFAT partitions are now properly detected as opposed to being identified as "Unknown"

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.2 Build 1003
« Reply #19 on: 07 October, 2015, 12:21 »
Changelog
Create Index:

Added support for zipx, 7z, rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo
Fixed indexing bug with repeated "Core engine not responding" messages

Disk Imaging:

Reduced the vertical space used by the controls to support lower resolutions

EmailViewer:

Can now re-scan for recovered e-mails after cancelling a previously started scan
Removed 'Tools' menu

Misc:

Help updates for system information

http://www.osforensics.com/

Offline SiLæncer
Autopsy 4.0.0
« Reply #20 on: 24 January, 2016, 13:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

What's new:>>

Multi-user cases supported that allow collaboration using network-based services.
Image Gallery feature released.
Assorted minor fixes and enhancements.

http://www.sleuthkit.org/autopsy/desc.php

Offline SiLæncer
OSForensics 3.3 Build 1000
« Reply #21 on: 04 February, 2016, 12:32 »
Changelog

Case Management:

Increased Notes character limit to 64000 characters
Can now remove file from case in right-click menu
When adding an attachment to case that already exists, prompt the user to overwrite

Create Signature:

E-mail files are no longer saved as temporary files when creating a hash of the file. This improves the speed when creating a signature.
Fixed wrong directory path being displayed especially when hashing large files.
Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown reading compressed files.

Compare Signature:

When comparing file attributes, mask out the extra attributes used by OSForensics Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of modified files.

Deleted File Search:

Added 'Remove deleted file from case' right-click menu option
Fixed search results clearing when flags are updated

Drive Preparation:

Added WAIT icon to drive refresh, so user can see when refresh is complete.
Fixed physical drives are now supported, including system drive. However, if the system drive is selected, an error message is displayed

Drive Imaging:

By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now checked.
Added option to attach Image metadata (.info) file to case on completion
Changed extension of Image metadata file from .info to .info.txt

Email Viewer:

When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no longer created. This saves some time opening the file.

ESEDB viewer:

Updated the Extensible Storage Engine database (ESEDB) viewer to support the new Win10 file structure.
Fixed list of records being cleared when attempting to access a page that is out of bounds
Fixed bug with non NULL-terminated string
Added sanity check for endianness for Vista DBs due to possibility of fields being either big or little endian

File Indexer:

12x increased unique words capacity (from 16 million base words to 200 million). Allows more documents to be indexed in a single index.
Approximately 5x faster Forensics Mode indexing. This resulted from better caching, better parsing of the MFT and new low overhead methods of getting file attributes.
Improved JPG, PNG image indexing speed with new methods of calling exiftool. Performance is approximately 5x faster on photographic images.
Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE)
Improved file type identifications and attempted indexing methods. A lot fewer warnings and errors should now be logged when indexing.
Fixed 64-bit bugs with 7z64.dll
Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this error was caused by indexing E-mails that contained malware. The antivirus (AV) solutions running on machines would detect the malware on extraction of attachments from the E-mail and unexpectedly delete the temporary file, causing a cascade of errors. We have a work around for the errors, but active AV solutions can still prevent indexing of files containing malware. Which can be a good or bad thing depending on your point of view.
Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive
Fixed bugs with failing to extract files from certain problematic ZIPs and attempting every file (with magic and extraction and indexing) causing 3 error messages per file in the Zip file. Corrupted Zip files should no longer produce this cascade of errors.
Fixed crash bug with truncated MP3 files
Fixed OLE parsing bug when loading corrupted MSG Email file
Improved memory estimation of indexing, to better judge if there is sufficient RAM available to start the indexing job. No point starting an indexing job only to die half way through it.

File Name Search:

Fixed 'Current Folder' not being correctly displayed
Fixed search results clearing when flags are updated

File System Browser:

Display "(Sparse)" for the "Starting LCN" column of sparse files
Fixed incomplete folder size being displayed when folder size calculation is cancelled midway (eg. when items are being sorted)
Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster depending on collection of files.

Internal Viewer:

File info: For reparse points the linked path is now displayed
No longer displays message box when failing to open file
Hex viewer, Display error message in the status bar when failing to open file

Mismatch Search:

Fixed 'Current Folder' not being correctly displayed

Password Recovery:

Fixed crash when writing an entry to the log
Windows Login - List views are now resized
Windows Login - Added 'Password Required' column to 'Local Users' table to indicate whether a password is required for login
Windows Login - Fixed crash when saving local users/domain users to file

Recent Activity:

Added file type sub classification for Windows Search Items. Files are classified using the MIME type and extensions
Removed directories from Windows Search Items
Fixed Security event log entries not appearing in the results
Selected items in 'File Details' and 'File List' tabs are now independent of each other. This caused problems when the exported list of selected items contain items that were not selected
Re-arranged the order of tabs so that 'File Details' is the default tab.
Fixed scan status not displaying in 'File Details' view
Fixed sorting of items in 'File Details' view
flickering of tree view
Fixed error message appearing when JumpList is not selected in the scan
Fixed a shellbag retrieval crash in Windows 10
Fixed a jumplist crash in Windows 10
Fixed a bug preventing some jumplist items from being retrieved
Changed "Stream Number" jumplist item name to "Entry ID"
Fixed an offset bug when getting the name of a shellbag item in Windows 10 which caused names with invalid characters to appear
Updated function that retrieves Windows desktop search terms. The database format recently changed in Win10 and broke older releases of OSF.

Registry Viewer:

Can switch between Hex, ASCII, Unicode in right-click menu
Hives under \Windows\System32\config\RegBack are now listed when selecting a registry hive to open
Added buttons for common operations (Add file, Add to case, Export, Find)
Fixed a crash when trying to view/open the SAM file in Windows 10

Search Index:

Updated search engine code to support new increased capacity index format with extended unique words.
Added 'Remove item from case' right-click menu option
Fixed search results clearing when flags are updated

Thumbnail View:

Improved performance of loading photographic image thumbnails in forensics mode. Is approx 10x faster.
Improved speed + memory usage when drawing thumbnails. Especially noticeable when scrolling the display, which should now be smoother.

Drive imaging:

Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g. Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume size. The imaging process will now continue beyond the end of the file system to read the entire volume.

Misc:

Fixed some memory leaks found by the leak checker

Licensing:

In the free edition of the software,
The indexing process will be restricted to 10,000 files or E-mails.
The search results from an index will be limited to 250 files per search.
Only 10 items to be added to each Case file.
Only the first 10 passwords from each browser type will be listed in the passwords function

Installer:

The installer package is now signed with an Extended Validation code signing certificate. This avoids some SmartScreen installation warnings in Windows 10, like Windows "prevented an unrecognised app from starting".

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.3.1001
« Reply #22 on: 09 February, 2016, 05:00 »
Changelog

Deleted Files Search

    File Carving, naming of recovered carved files has been changed to "Carved (type) file (Sector Location in HEX).extension" e.g. Carved 'jpg' file 0x00001F2B.jpg

File name search

    Fixed a bug that was preventing sort by foreground/background colour working correctly on results when OSForensics was using direct access (eg direct access of an image file)

Hash Sets

    Fixed a crash when first trying to open the hash sets tab

Misc

    Some help file updates

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.3.1002
« Reply #23 on: 23 March, 2016, 13:00 »
Changelog

Deleted Files - FileCarving

    Fixed crash. The TIF file format has internal pointers to locations within the file; when these pointers contain a corrupted/invalid value, it would possibly cause OSForensics to crash.
    Added slider to configuration to allow selection of start and end percent/location of drive to carve.
    Fixed possible crash when searching for HFS+ deleted files.

File Indexer

    New Zoom build, fixed issues with not starting indexing on HFS image with "Invalid folder" errors.

Misc

    Fixed retrieving file attributes on non-ntfs file systems
    Fixed possible crash when accessing HFS+ filesystem
    Added detection of file system for MBR partitions due to possible differences in reported partition type and actual file system

http://www.osforensics.com/

Offline SiLæncer
OSForensics 3.3.1003
« Reply #24 on: 06 April, 2016, 18:00 »
What's new:>>

Email Viewer

    Fixed stack overflow crash bug when saving MSG attachment with multiple levels of nesting

File Indexer

    New Zoom indexer build, fixed a crash bug for nested MSG files within PST files

http://www.osforensics.com/

Offline SiLæncer
OSFClone 1.1.1000
« Reply #25 on: 07 April, 2016, 13:31 »
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to use quickly and efficiently their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:>>

Updated Tiny Core Linux to Core 7.0
Updated dc3dd to 7.2.641
Added HFS+ support (if journaling is enabled, drive/partition is read only).
Updated libewf to 20160329
USB image of OSFClone is now UEFI/BIOS bootable

http://osforensics.com/tools/create-disk-images.html

Offline SiLæncer
OSForensics 3.3.1004
« Reply #26 on: 13 April, 2016, 09:11 »
Changelog

Case Manager

    Added warning when attempting to add the entire image to case when there is a partition table
    Allow the option to select the "entire image file" when adding images to case

File Indexer

    New Zoom builds with added recognition for extensions .plt and .dxf to index filename only
    Fixed stack/buffer overflow issue when indexing PST emails.

Raw disk viewer

    When viewing the raw sectors of entire images, the partition table info is now decoded

Search Index

    Fixed special characters such as '&' in the filepath from the search results not being decoded properly

Misc

    Device dropdown list now includes the image file's partition (or "Entire image")
    Fixed bug with not being able to read the raw bytes of image files using UNC paths
    Accessing the entire image file with a valid partition table (ie. without specifying a partition) no longer returns error

http://www.osforensics.com/

Offline SiLæncer
OSFClone v1.1.1001
« Reply #27 on: 06 May, 2016, 09:00 »
What's new:>>

Fixed bug where you may not be able to select partition as a source.
Will no longer mount the drive during scanning of available drives by default. As a consequence, OSFClone will no longer show disk space usage. To return to previous behavior, this can be re-enabled in the options.

http://osforensics.com/tools/create-disk-images.html

Offline SiLæncer
Autopsy 4.1.0
« Reply #28 on: 24 July, 2016, 10:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

What's new:>>

New list view in Timeline tool
VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources.
New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources.
Text associated with blackboard artifacts is indexed and searched for keywords.
Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports.
File size and MIME type conditions can be specified for interesting files set membership rules.
Assorted bug fixes and minor enhancements.

http://www.sleuthkit.org/autopsy/desc.php

Offline SiLæncer
Autopsy 4.1.1
« Reply #29 on: 27 August, 2016, 16:00 »
What's new:>>

Bug fix to enable some Python modules to run again.

http://www.sleuthkit.org/autopsy/desc.php
