Author Topic: Forensic Software, miscellaneous (Read 9114 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 190056
  • No input, no output
    • DVB-Cube
Firefox Autocomplete Spy 2.0
« Reply #30 on: 08 September, 2016, 19:00 »
Firefox Autocomplete Spy is a free tool to easily view and delete all your autocomplete data from the Firefox browser. Firefox stores Autocomplete entries (typically form fields) such as login name, email, address, phone, credit/debit card number, search history etc. in an internal database file.

'Firefox Autocomplete Spy' helps you to automatically find and view all the Autocomplete history data from the Firefox profile location. For each entry, it displays the following details:

    Field Name
    Value
    Total Used Count
    First Used Date
    Last Used Date

You can also use it to view the history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autocomplete data from the history file. It is very simple to use for everyone, which especially makes it a handy tool for forensic investigators.

Firefox Autocomplete Spy is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 10.

What's new:

Mega edition with the support for Windows 10 version. Added more features like right click context menu & fixed the sizing problem with higher resolution computers.

http://securityxploded.com/firefox-autocomplete-spy.php


Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )
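The five details listed in the post above (field name, value, use count, first and last used) come straight out of Firefox's form-history database. As an added example, not code from the post or from the Firefox Autocomplete Spy tool, here is a small Python reader for that file. It assumes, from Firefox's own schema rather than from the post, that the "internal database file" is formhistory.sqlite in the profile directory with a moz_formhistory table (columns fieldname, value, timesUsed, firstUsed, lastUsed; PRTime timestamps in microseconds since 1970 UTC). It opens the file read-only so the evidence is never modified, and additionally flags values that pass a Luhn check, because the post notes that card numbers end up in this store. The sample database and all its entries are constructed test data.

```python
"""List Firefox form-history (autocomplete) entries from formhistory.sqlite.

Added example; not from the forum post or the Firefox Autocomplete Spy tool.
Assumption (Firefox's own schema, not stated in the post): table moz_formhistory
with columns fieldname, value, timesUsed, firstUsed, lastUsed; timestamps are
PRTime, microseconds since 1970-01-01 UTC.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def prtime_to_iso(microseconds):
    """Convert a Firefox PRTime value to an ISO 8601 UTC string (None if unset)."""
    if not microseconds:
        return None
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).isoformat()


def luhn_ok(digits):
    """Luhn checksum, used to spot values that look like payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_number(value):
    """True for 13-19 digit strings (spaces/dashes ignored) that pass Luhn."""
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def read_form_history(db_path):
    """Return the five details the post lists, most recently used first, plus a card flag.

    The database is opened read-only through a file: URI (mode=ro) so the
    evidence file is never written to; work from a copy of the profile anyway.
    """
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT fieldname, value, timesUsed, firstUsed, lastUsed "
            "FROM moz_formhistory ORDER BY lastUsed DESC"
        ).fetchall()
    finally:
        con.close()
    return [
        {
            "field": field,
            "value": value,
            "times_used": used,
            "first_used": prtime_to_iso(first),
            "last_used": prtime_to_iso(last),
            "possible_card_number": looks_like_card_number(value),
        }
        for field, value, used, first, last in rows
    ]


def build_sample_db(path):
    """Create a constructed formhistory.sqlite with fake entries (sample data only)."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, "
        "value TEXT NOT NULL, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)"
    )
    con.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed) "
        "VALUES (?, ?, ?, ?, ?)",
        [   # constructed: the card value is the public Visa test number, not a real card
            ("email", "alice@example.invalid", 3, 1473360000000000, 1473447600000000),
            ("cardnumber", "4111 1111 1111 1111", 1, 1473440000000000, 1473440000000000),
            ("searchbar-history", "autocomplete history", 1, 1473400800000000, 1473400800000000),
        ],
    )
    con.commit()
    con.close()


def demo():
    """Build the sample database in a temp dir, read it back and return the rows."""
    tmpdir = tempfile.mkdtemp()
    db = os.path.join(tmpdir, "formhistory.sqlite")
    build_sample_db(db)
    try:
        return read_form_history(db)
    finally:
        os.remove(db)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Point `read_form_history()` at a copied formhistory.sqlite from a real profile to get the same table the tool displays; the Luhn flag is a triage hint only (many non-card numbers also pass), so treat it as a reason to look, not as a finding.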

Offline SiLæncer

Autopsy 4.2.0
« Reply #31 on: 28 October, 2016, 19:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

Credit card account search.
Encoding/decoding of extracted files to avoid anti-virus alerts/quarantine.
Ingest history used to warn before doing redundant analysis.
Options panel for managing custom tag names.
Options panel for setting external viewer associations.
Keyboard shortcut for applying Bookmark tags.
Improved PhotoRec carver ingest module cancellation responsiveness.
Results content viewer formats dates.
Update to PostgreSQL 9.5.
Assorted bug fixes and minor enhancements.


http://www.sleuthkit.org/autopsy/desc.php

Offline SiLæncer

OSForensics 4.0 Build 1000
« Reply #32 on: 10 November, 2016, 17:00 »
Changelog

Password recovery:

Wifi passwords are now recovered & decrypted from the registry and file system.
Windows auto-logon passwords are now recovered & decrypted from registry.
Outlook & Windows live mail passwords are now recovered & decrypted.
Microsoft product keys are extracted from the Windows registry
New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
Specific rows in the password report can now be selected for export or adding to the case.
GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR files. (Work in progress)
Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
Added NTLM hash cracking to the common password check for the Windows login password
Added NTLM hash rainbow table generation.

User interface & work flow:

It is now possible to change the order of buttons in the left menu, now called the Work Flow menu. This allows the button order to reflect the chronological order of specific forensic processes.
Checkboxes in several windows, rather than a multi-select that requires continuously holding select/ctrl.
New 'File Details' tab in several windows that displays the search results in a list view.

Recent activity artifacts:

Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
Updates in Recent Activity for newer browsers (including Edge)
Faster collection of Windows Search terms in recent activity (reducing hours to minutes for the worst case)
Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
Added USB first connected time from parsing setupapi.dev.log
The ability to reorganize and/or hide/show certain columns by right clicking on the column title area to configure it on the File Details tab was added.
GUI will show incrementing artefact count during the scan

File system support & imaging:

exFAT is now supported
Added read-support for .Ex01, .Lx01, and .L01 image formats
Improvements to HFS+ support for Macs.
Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
Added a log option for Forensics Copy
Added ability to supply multiple source paths when performing Forensic Copy
Owner/group/permissions are now preserved in Forensic Copy
Better exposed the function to compare shadow copies.

Memory viewer:

The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
Handles and loaded Modules are displayed per process when available
Users can create Process Specific binary dumps through right click options and add to the case.

ESEDB Viewer:

Dialog to select from a list of known files now shows the file size
Added right-click option to copy values (ie. cells) to clipboard
Added right-click option to view values (ie. cells) as binary data in the internal viewer
Added right-click option to export values (ie. cells) as binary data to file
Added right-click option to export values (ie. cells) as binary data to case
Added right-click option to export tables to case
Fixed some memory allocation issues when exporting tables that can cause a crash
Fixed horizontal scroll bar not appearing for some tables
Binary data is now displayed in byte groupings
Fixed a bug when retrieving a record multi-value

File name search:

The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
Peer to peer file types have been added as a new pre-set search selection.
The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
Improved the default settings
Ability to group the search results by file type in 'File Details' view
When grouping the results by file type, the groups are collapsed by default

File indexing and searching:

Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
Improved relevance scoring when hundreds of matches are found within the same file
Restored torrent file indexing which got accidentally broken in a past release.
Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
Improved search results layout
Fixed bugs when indexing meta data (title, keywords, etc) from DOC files

Reporting & Case Management:

PDF output added.
New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
Added option to include file EXIF metadata in the report
Custom Logos are now easier to add
Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
Added an 'Add External Report' feature in case management that supports adding an external HTML report directory, to properly display other tools' reports.
Reduced the time required to populate the list of log entries
Index search history is now loaded on demand to reduce case load time.
File size of the case item is no longer retrieved to reduce case load time
The default mount name for volume shadows now contains the index number
When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
When adding device to case, 'Case default device' checkbox is set by default
Improved error message when generating a report in a location that already contains an existing report
Fixed error when generating links in a report to a file that contains > 260 characters
Fixed forward slashes in links being escaped causing problems in some browsers (eg. Chrome)
Fixed error when deleting a read-only file from case
Fixed error when deleting a file with long file name from case
Added retry mechanism when attempting to add a file to case that is being used
When automatically adding files to case, added option to ignore future errors
Updated Report Templates to include the 'Case Activity Log' section in the main report
Added checkbox option to include 'Case Activity Log' into the main report
When generating a Case Log report, the exported log entries are exactly as displayed in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied)
Added a HTML Editor to allow user to modify case summary narrative. Can be located under "Edit Case Details".
Added progress bar when saving the case files to a folder before the case is deleted.
Added new report type 'Log Report' for Case Log reports

Shadow copies:

Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:) which would lead to it not being displayed on the analyze shadow copy dialog.
Added a Shadow Copy Analyze icon to start page
Stopped a shadow copy entity being compared against itself, as it only makes sense to compare different shadows.
Added a warning message when opening the analyze dialog if no shadow copies were added to the case.

System information:

BitLocker Detection preset added to System Information
Updates to System information to detect new CPU types
Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.

Registry Hive viewer:

Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
Dialog to select from a list of known files now shows the file size

Hashing:

Button to add Hash results to case

Thumbnail database viewer:

Fixed large memory usage when reading Win10 thumbcache files.
Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
Added to list of known thumbnail cache files
Replaced thumbnail size radio buttons with combo box
Dialog to select from a list of known files now shows the file size

Internal file viewer:

Updated video previewer to support more video formats, including: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
Can do screen capture from the File Viewer.

Email searching:

Added BCC searching for Emails.
Additional details are indexed when indexing Emails (for some formats).
Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files

Deleted files:

Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
Ability to group the search results by file type in 'File Details' view
When grouping the results by file type, the groups are collapsed by default

Other changes:

Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
When loading the log file (secure log), a buffer is now used to speed up load time


http://www.osforensics.com/

Offline SiLæncer

OSForensics 4.0 Build 1001
« Reply #33 on: 17 November, 2016, 06:00 »
Changelog

Case Manager:

When generating report, fixed incorrect links being generated when 'Copy files' is checked
Improved the performance of adding items to case by performing the hash calculations all at once (rather than separately)
Improved the performance of updating case flags by not re-drawing the lists for File Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
Allowed the HTML editor to be left open from the "Edit Case Detail" dialog window. However, as a result, the case narrative is prevented from being edited from the New Case dialog procedure.

Case Log Viewer:

Improved the performance of adding new log entries

Decryption & Password Recovery:

Added Openoffice (LibreOffice) extensions to select file dialog
Removed bell sound from gpu client, cpu client, and server and replaced with a different (chime) sound
Fixed typo in default definition file

Forensic Copy:

Added a clear log button and started displaying the number of files copied
Reduced the amount of memory used substantially during the forensic copy process

Recent Activity:

Added Time Source Column for 'All'


http://www.osforensics.com/

Offline SiLæncer

OSForensics 4.0.1002
« Reply #34 on: 01 December, 2016, 09:19 »
Changelog

Activity Monitor:

Added separate tasks for adding files to case

Case Manager:

Fixed synchronization issues with hash table causing an exception to be thrown
Add file to case dialog has been changed to modeless, allowing the user to switch to another module while files are being added.
Added synchronization to CaseManager class to support concurrent access to case items
Added error message when creating/importing/loading/deleting a case while a task is still running
When closing the program, a warning dialog is displayed when any task is still running (as opposed to a select few tasks)
Fixed scroll bar being reset every time case items are added/removed
Adjusted the maximum text to 245K characters in the rich edit box for case narrative
Changed the case item list view to owner draw to improve performance
Decreased the time required to delete a large number of items from case
Fixed 're-use input' checkbox not working when adding bookmarked files to case
Added error message when attempting to add bookmarked folders to case
Increased the frequency of progress updates when adding multiple files to case
Case items are now sorted by date in ascending order by default
Fixed bug when attempting to overwrite an existing external report in case
Fixed non-existent case default drive appearing in drop down box when editing case
Improved performance of updating list items (eg. in File Search, Mismatch Search, Deleted Search) when case flags are updated
Fixed memory leaks in case log

Decryption & Password Recovery:

Added more info to display, client thread status, benchmark, password length and prefix. Adjusted job size for CPU clients.

Deleted Files Search:

Fixed junk characters showing up in error message when prompting to overwrite a file
Fixed case flags not being updated in thumbnail view

Email Viewer:

Fixed unhandled exception when failing to load e-mail file

File indexing and searching:

Fixed bug with Doc/Ppt/Xls indexing "last modified" as "Author". Will now prioritize "Author" and only index "Last modified" if "Author" is not available.
Added support for Comments property (appended to KEYWORDS meta tag) in DOC files, and support for "Category" property (as "ZOOMCATEGORY" meta tag) in PPT and XLS files

Raw Disk Viewer:

Fixed bookmarks showing up twice when reloading a case

ThumbCache Viewer:

Fixed 'use same details for all' checkbox not working when adding to case
Due to changes in Win10, the 'name' column should now show the thumbnail cache ID in hex format (instead of a cryptic string)

Misc:

Updated HTML Editor to show character count


http://www.osforensics.com/

Offline SiLæncer

Autopsy 4.3.0
« Reply #35 on: 19 January, 2017, 20:00 »
Changelog

Support for slack space on files (as separate virtual files) to enable keyword searching and other analysis
Simple mode for the file extension mismatch module that focuses on only multimedia and executable files to reduce false positives
New view in tree that shows the MIME types
Tagged items are highlighted in table views
Ordering of columns is saved when user changes them
Support for Android devices with preloaders (uses backup GPT)
Support for images with no file systems (all data is added as unallocated space)
User can bulk add list of keywords to a keyword list
New "Experimental" module (activate via Tools, Plugins) with auto ingest feature
Assorted bug fixes and minor enhancements


http://www.sleuthkit.org/autopsy/desc.php

Offline SiLæncer

Autopsy 4.4.0
« Reply #36 on: 31 May, 2017, 05:30 »
Changelog

Keyword search regular expressions now work with spaces.
A sparse VHD file can be created when analyzing a local drive (USB) so that you don't need to acquire first.
Ingest filters allow you to run the ingest modules on only a subset of files during triage
Ingest profiles allow you to pick an ingest filter and set of ingest modules to make it easier to preprogram for triage
User can edit keyword lists.
Import/export of interesting files set membership rules.
Fix resolution issue with high DPI systems
Updated Recent Activity ingest module to use RegRipper 2.8 plugins.
Ability to customize HTML report logo.
Assorted small enhancements and bug fixes.


http://www.sleuthkit.org/autopsy/desc.php

Offline SiLæncer

OSForensics 5.0.1000
« Reply #37 on: 01 June, 2017, 09:14 »
Changelog

•New PList Viewer
◦Added a new Plist viewer
◦Text forward/reverse search option.
◦For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).
•NEW $UsnJrnl Viewer
◦Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
◦Added support for $MFT file lookup to determine full path
◦Added support for searching for subtext
◦Added right-click menu options for viewing file, exporting records and adding records to case
◦Added progress bar when parsing USN records, loading $MFT file and searching for subtext
◦Improved loading speed by searching for records from the end of the file
◦Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
◦Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT
•Analyze Shadow Volume
◦Results can now be exported in HTML and CSV format
◦Added button to export results to case
◦Added right-click menu for exporting results
•Case Manager
◦Added support for mounting file paths as a device in the case
◦Adding devices to case now supports adding local folders in addition to network paths. Renamed ‘Network Path (UNC)’ to ‘Folder / Network Path’
◦When adding an image file to case, the ‘Select partition’ dialog has been updated to reduce confusion.
◦Added option to export $UsnJrnl records to report
◦Fixed index OOB error when exporting deleted files to report
◦Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
◦Fixed error message when viewing the properties of a Case Device
◦Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.
•Compare Signature
◦Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).
•Create / Verify Hash
◦Added secondary hash function to allow calculating 2 different hashes simultaneously
•Deleted Files Search
◦Added right-click menu to re-arrange columns in Details View
◦Added ‘Source’ and ‘File number’ columns to details view
◦Directory records found in $I30 slack space are now included in the results
◦Records found in $I30 attribute in deleted MFT directory records are now included in the results
◦Fixed bug with misreported quality when multiple streams exist for the deleted file
◦"Save and Open" right-click options no longer prompt the user for a location to save the file; it shall be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
◦When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
◦Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
◦Added *.msg to the search preset for e-mails
•Drive Imaging
◦Fixed error copying single files to logical image due to directories not being created
◦Fixed file size of single file not included when calculating VHD image size
◦When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than its file size.
◦Fixed bug with drive list in ‘Create Image’ tab containing devices from previous case after switching cases
•Email Viewer
◦Fixed buffer overflow of ‘From’ field
◦Fixed heap corruption when opening .eml files with quoted printable encoded text
•File Indexer and searching
◦New Zoom build with fixes for:
◾Fixed bug with indexing zero date as "23/04/2009 6:24:48"
◾Indexing "delivery time" for PST emails. Only index "submit time" if the former is not available. Previously was only indexing submit time, which means Drafts/Deleted items would have no time in the index but be inconsistent with EmailViewer, which would display a date/time.
◾Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.
◦Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
◦On History tab, when choosing right-click menu's "Display Search Results & Add to Case…", it will now export the list of results to the case along with adding the corresponding files.
•File Name Search
◦Added right-click menu to re-arrange columns in Details View
◦Added *.msg to the search presets for e-mail
◦Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.
•File System Browser
◦Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.
◦Fixed text not appearing in icon/list view
◦Improved responsiveness when changing directories
◦Fixed bug with calculating folder size on disk for non-NTFS file systems
◦Fixed deadlock when multiple threads are accessing mounted devices simultaneously
◦Added right-click menu to re-arrange columns in Details View
◦When calculating folder sizes, stream sizes are now included
◦Added error messages when performing certain operations on $I30 slack items
◦Deleted artifacts recovered from $I30 slack space can now be displayed.
◦Files that have reparse points are now displayed in green
•Hash Sets
◦Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters
•Internal Viewer / File and Hex Viewer
◦File Viewer tab, changed volume controls to trackbar + mute button
◦Added ‘IP address’ filter to Hex Viewer string extraction
◦When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer shall first be saved to a temporary file and then loaded. Previously, an 'Unsupported file format' message was displayed.
◦Removed unnecessary saving of temporary files for file paths containing case devices
◦Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
◦Removed limit on the number of extracted strings
◦Added encryption, reparse point, sparse file, system compression attribute checkboxes
◦Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
◦Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
•Memory Viewer
◦Added right-click menu to re-arrange columns of the process list
◦Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
◦Changed the extension for memory dump files from .bin to .mem
◦Added tabs for ‘Live Analysis’ and ‘Static Analysis’. Previous view has been moved to ‘Live Analysis’ tab. ‘Static Analysis’ allows the user to launch ‘Volatility Workbench’ process with the specified memory dump file.
•Passwords
◦New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
◦Find Passwords & Keys: Added right-click menu to re-arrange columns
◦Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.
◦Fixed bug where Wifi profiles weren't searching the correct location in some cases when "Live acquisition" was picked (could search incorrect drive letter)
◦Fixed bug where Wifi profiles might not search the correct location in localised (non-English) versions of Windows
◦Fixed a crash that could occur when searching Wifi profiles
◦Fixed possible crash when getting system passwords
◦Added more info to display, client thread status, benchmark, password length and prefix.
•Prefetch Viewer
◦Fixed possible crash due to buffer overflow
•Raw Disk Viewer
◦Added a list of preset regular expressions combo box that can be used when performing a raw search
◦Improved performance of search window list view
◦Removed max search results limit in search window
◦Fixed synchronization issues potentially resulting in crash
•Recent Activity Viewer
◦Changed how the Windows user directories are searched for, so that all operating-system-dependent locations (XP, Win7 etc.) are now searched instead of only the known location of the first one found. For example, if an XP system contained a "Users" folder in the root directory then it was previously only searching the (possibly empty) Users folder and then not searching the "Documents and Settings" location.
◦Fixed a "missing column" error for old versions of Firefox cookies
◦Made some changes when trying to repair a "dirty" Windows Search database (eg. from a system image of a currently running system) so that if the esentutl tool crashes, OSF will attempt to run it again
◦Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User’s Download directory for .torrent extensions.
◦Fixed Bug with P2P Items not showing details on the File List Tab
◦Added Search queries artifacts for Ares Galaxy
◦Added Shareaza P2P Search Artifacts.
◦Added Emule P2P Artifacts
◦Added SABnzbd P2P Artifacts
•Report Templates
◦Combined ‘Drive Imaging’ and ‘Forensic Copy’ HTML template into a single ‘Forensic Imaging’ HTML template
•Start Window
◦Renamed “Website Passwords” to “Scan for Passwords/Keys”
◦Renamed “Removable Drive Preparation” to “Drive Preparation”
◦Added icon for launching ‘Volatility Workbench’ under ‘Viewers’ group
•System Information
◦Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
•Web Browser
◦Fixed bug where saving the complete webpage was not working correctly
•Misc
◦Changed date/time format to 24-hour clock
◦Fixed crash when Exception filter is executed
◦Moved ‘Forensic Copy’ module to ‘Drive Imaging’ module as a new tab. Renamed ‘Drive Imaging’ to ‘Forensic Imaging’
◦Fixed ‘Forensic Copy’ and ‘Drive Imaging’ logs not appearing in generated report
◦Fixed some flickering issues when resizing
◦Updated File Name Search preset list to include Virtual Machine files
◦Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
◦When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
◦Added template files for exporting $UsnJrnl records to report
◦Fixed bug with the initial directory not being set correctly in the select file dialog
◦When prompted to select a file, the last directory path is now used as the initial directory if not specified
◦Fixed bug in handling alternate data streams with multiple $DATA attributes
◦Added support for accessing bitlocker encrypted drives in raw form
◦Updated HTML Editor to show character count.
◦External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNJRNL and Plist) will retain the size of their last viewer window closed for subsequent openings
◦Performance increase when opening registry files
◦Fixed several potential crash points when closing the OSF application while the progress window is still showing
◦Added encryption, reparse point, sparse file, system compression attribute checkboxes
◦Added right-click menu option to save data to disk. This allows saving file streams and buffers (e.g. deleted files) to a file.
◦Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
◦Updated help file with $UsnJrnl Viewer section
◦Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not be created when debugmode is enabled.


http://www.osforensics.com/

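Added example, not OSForensics code (its source is not shown here), for the EmailViewer "Unknown date" item in the changelog above. A Windows FILETIME counts 100-nanosecond ticks from 1601-01-01, so a raw value of 0 decoded literally prints as 1/01/1601, which an analyst can easily mistake for a real timestamp. The C below decodes a FILETIME to Unix seconds and reports the zero sentinel as "Unknown date" instead; the epoch offset is the standard constant, the function names and sample values are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed example, not OSForensics code. A Windows FILETIME counts
 * 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, so a raw value of 0
 * decodes to 1/01/1601. In practice 0 means "never set" (a zeroed MFT or
 * mail header field), so a viewer should report it as unknown rather than
 * print the 1601 date as if it were evidence. */

/* Ticks between 1601-01-01 and the Unix epoch 1970-01-01 (11644473600 s). */
#define FILETIME_UNIX_EPOCH_OFFSET 116444736000000000LL
#define FILETIME_TICKS_PER_SECOND   10000000LL

/* Decode a FILETIME into whole seconds since the Unix epoch, rounding down.
 * Returns false for the zero sentinel and leaves *out_seconds untouched. */
bool filetime_to_unix(uint64_t ft, int64_t *out_seconds)
{
    if (ft == 0) {
        return false;                       /* the "Unknown date" case */
    }
    /* Signed arithmetic so dates before 1970 decode to negative values. */
    int64_t rel = (int64_t)ft - FILETIME_UNIX_EPOCH_OFFSET;
    int64_t secs = rel / FILETIME_TICKS_PER_SECOND;
    if (rel < 0 && rel % FILETIME_TICKS_PER_SECOND != 0) {
        secs -= 1;                          /* floor, not truncate toward 0 */
    }
    *out_seconds = secs;
    return true;
}

/* Render a FILETIME for display as "YYYY-MM-DD HH:MM:SS UTC", or the literal
 * "Unknown date" for the zero sentinel. Writes at most buflen bytes. */
void filetime_format(uint64_t ft, char *buf, size_t buflen)
{
    int64_t secs;
    if (!filetime_to_unix(ft, &secs)) {
        snprintf(buf, buflen, "Unknown date");
        return;
    }
    time_t t = (time_t)secs;
    struct tm *tmv = gmtime(&t);            /* UTC; gmtime is standard C */
    if (tmv == NULL) {
        snprintf(buf, buflen, "Invalid date");
        return;
    }
    strftime(buf, buflen, "%Y-%m-%d %H:%M:%S UTC", tmv);
}

int main(void)
{
    /* Constructed sample values: the sentinel, the Unix epoch, and one day
     * before it (a pre-1970 value that truncating division would get wrong). */
    uint64_t samples[] = {
        0,
        (uint64_t)FILETIME_UNIX_EPOCH_OFFSET,
        (uint64_t)(FILETIME_UNIX_EPOCH_OFFSET - 86400LL * FILETIME_TICKS_PER_SECOND),
    };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        filetime_format(samples[i], buf, sizeof buf);
        printf("%20llu -> %s\n", (unsigned long long)samples[i], buf);
    }
    return 0;
}
```

The floor correction matters for the pre-1970 case: C's `/` truncates toward zero, so a timestamp a fraction of a second before the epoch would otherwise round to 1970-01-01 instead of 1969-12-31.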

Offline SiLæncer

OSForensics 5.0 Build 1001
« Reply #38 on: 05 June 2017, 12:00 »
Changelog

File Indexer and searching:

Added a missing DLL (MSVCR100.DLL) to the installer that could prevent ZIP files from being indexed correctly

Internal Viewer - Hex View:

Fixed string extraction function failing to return correct offset due to using 32-bit variables

Memory Viewer:

Fixed an issue where the process refresh timer was running even when the memory viewer window was hidden.

Passwords - Windows Login:

Added right-click menu to tables


http://www.osforensics.com/


Offline SiLæncer

OSForensics 5.0.1002
« Reply #39 on: 06 June 2017, 12:24 »
Changelog

•Internal Viewer
◦Fixed a bug where attempting to open an archive (zip etc) file could result in a missing DLL message being displayed on older versions of Windows.
•File Name Search
◦Fixed a buffer overflow that could sometimes cause a crash when displaying file names longer than 512 characters in the "Current folder" field. The crash can appear randomly, as the field was only updated occasionally while a search was in progress.


http://www.osforensics.com/

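Added example, constructed and not OSForensics source, for the File Name Search buffer overflow in the 5.0.1002 notes above: the classic cause of that symptom is an unbounded copy of a path into a fixed-size display field, and because the field was only refreshed now and then during a search the crash looked random. The bug pattern is shown beside a bounded replacement that truncates long paths from the left so the innermost folder stays visible. The 512-byte field size mirrors the number in the note; the function names and sample paths are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not OSForensics source. */

#define FOLDER_FIELD_LEN 512   /* assumed field size, matching the 512 in the note */

/* The bug pattern: no length check, so any path of 512 or more characters
 * overruns `field`. Shown only for contrast with the bounded version below. */
void set_current_folder_unsafe(char field[FOLDER_FIELD_LEN], const char *path)
{
    strcpy(field, path);
}

/* Bounded replacement: copies `path` into a field of `field_len` bytes
 * (including the terminating NUL). Paths that do not fit are shortened from
 * the left and prefixed with "..." so the innermost folder stays visible,
 * which is what an analyst watching a search progress actually wants.
 * Returns true if the path was truncated; never writes past field_len. */
bool set_current_folder(char *field, size_t field_len, const char *path)
{
    if (field_len == 0) {
        return false;
    }
    size_t n = strlen(path);
    if (n < field_len) {                  /* fits, NUL included */
        memcpy(field, path, n + 1);
        return false;
    }
    const char ellipsis[] = "...";
    size_t elen = sizeof ellipsis - 1;
    if (field_len <= elen + 1) {          /* no room even for the marker */
        field[0] = '\0';
        return true;
    }
    size_t keep = field_len - 1 - elen;   /* tail characters we can show */
    memcpy(field, ellipsis, elen);
    memcpy(field + elen, path + (n - keep), keep);
    field[field_len - 1] = '\0';
    return true;
}

int main(void)
{
    char field[FOLDER_FIELD_LEN];
    /* Constructed paths: one short, one 600 characters long. */
    const char *short_path = "C:\\Cases\\001\\evidence";
    char long_path[601];
    memset(long_path, 'a', 600);
    long_path[600] = '\0';

    bool cut = set_current_folder(field, sizeof field, short_path);
    printf("truncated=%d field=%s\n", cut, field);
    cut = set_current_folder(field, sizeof field, long_path);
    printf("truncated=%d length=%zu prefix=%.3s\n", cut, strlen(field), field);
    return 0;
}
```

Passing the buffer size alongside the buffer, rather than relying on a compile-time constant, is what makes the bounded version hold up when the field is later resized or reused for another control.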

Offline SiLæncer

OSForensics 5.1 Build 1000
« Reply #40 on: 06 July 2017, 09:15 »
Changelog

Case Manager:

Added ".mem" extension when selecting image file to add to case
Chain of Custody Report Template - Rearranged template fields, added signature field.
Generate Report - Allow option to generate Chain of Custody report along side Case Report.
Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to allow additional case data, such as Offense type, Legal Authority & Suspects Name to be entered.

Create Index:

Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types' category. Note that only file name will be indexed.

Create Signature:

Deleted files can now be included in the signature from the config window. Hashing is also supported for deleted files (but not for $I30 slack entries)

Compare Signature:

File attribute string now includes custom attributes (e.g. 'deleted', '$I30 slack entry')
File icon is now included in the comparison results
Signature info now includes whether deleted files were scanned or not

Deleted Files:

Fixed Bug where saving multiple files would fail to save files to destination.
File Carver - Unallocated Cluster code would not read from the disk when the cluster offsets did not reside on sector boundaries. File Carving initialization will check to see if the start cluster offset is a factor of the cluster size; if not, file carving will switch to raw carve mode.
File Carver - Addressed bug which might cause carving unallocated clusters not to progress.

DirectAccess – NTFS:

Added buffer overflow check when decompressing CompactOS files
Improved performance of checking for valid $ATTR_FILENAME attribute when looking for $I30 slack entries
Improved performance of FindFirstDel/FirstNextDel functions
Fixed bug with not resetting the file pointer when detecting imageUSB image file. This could result in volume hashes returning the wrong value when verifying the hash of a volume (a few bytes at the start of the file were not included in the hash calculation).

Email Viewer:

Fixed HTML/RTF message body not being searched

File Name Search:

Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files are included in the search results.
Deleted files are now shown in a different text colour and with a deleted icon overlay in 'File List' view. Right-click options for viewing files were also added.
Deleted files are now shown as a separate group in 'Timeline' view
Added more file details when exporting the file list to txt/html/csv file
Added support for adding/removing deleted files to/from case
Added support for looking up deleted files in hash set
Added support for saving deleted files to disk from File Name Search module.

File System Browser:

Fixed 'n item(s) checked' still appearing after changing the folder
Added right-click menu option to export list of checked files to Case
File times now include decimal precision
Removed checkboxes in 'File Select' dialog
'File Select' dialog window size is now saved
Fixed auto-scrolling when sorting items

Internal Viewer - Hex View:

Improved performance of string extraction by using parallel processing. Approximately a 60% speed improvement
Improved performance of filtering strings by using Boyer-Moore search & parallel processing. Can be more than twice as fast, depending on hardware
If using word list, included matched expression in status bar of selected string
When filtering the string list, the # of strings that have been processed is now displayed
Added option to save to .dic file for use with dictionary based password cracking
Moved filtering operation to thread due to length of operation. User may cancel the filtering operation at any time.
Changed preset filter combo box to a link which brings up a menu when clicked. The menu provides several preset filters, as well as an option to select a word list
Added 'Use RegEx' checkbox to allow user-specified regular expressions

MemViewer - Static Analysis:

'Memory dump file' filter now includes .bin, .img, .dmp extensions
Added 'View & Extract Strings' button to open the dump file in internal viewer in hex view

Thumbnail View:

Fixed text colouring for Deleted/$I30 slack/Reparse point files

Misc:

Updated help file
Improved performance of list classes by using multi reader single writer lock. Fixed some synchronization issues.
When selecting image files, the 'All Images' filter now shows all supported image files rather than all files


http://www.osforensics.com/


Offline SiLæncer

OSForensics 5.1.1001
« Reply #41 on: 07 July 2017, 12:21 »
What's new:

Case Manager

Fixed bug when specifying a custom location for a case.

http://www.osforensics.com/


Offline SiLæncer

OSFClone 1.2.1000
« Reply #42 on: 27 July 2017, 21:00 »
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

Added option to write acquired dd or ewf image back to a drive. Image must reside on root of partition.

http://osforensics.com/tools/create-disk-images.html


Offline SiLæncer

OSForensics 5.1.1002
« Reply #43 on: 08 August 2017, 11:00 »
Changelog

Add File To Case function:

The copied files in the case folder should now have the same filetimes as the original source file.

Case Manager:

Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
Case meta item file, added two additional fields (where available): Last Access Date, MFT Modified Date

Deleted Files Search:

Fixed changing of 'Date filter' combo box in Timeline view not updating the chart

File Indexer and searching:

New Zoom build fixed a crash bug with indexing EML/MBOX files containing attachments of EML/MBOX files

Internal Viewer:

Fixed info text for files that belong to the case
When opening a file added to a case, the original folder and file times are now displayed (obtained from the OSFMeta file). These attributes are highlighted in a different colour along with an information text.
For image files, size and file times have been removed

Internal Viewer - Hex View:

Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard + compressed notation

Recent Activity:

Updated installer to include an alternate version of esentutl to use in the case of "Dirty shutdown (-550)" errors for ESEDB databases (e.g. from Windows search, Edge) that could sometimes cause the esentutl version installed locally to crash, leaving the files in an unreadable state

Misc:

Updated help file with internal viewer changes


http://www.osforensics.com/


Offline SiLæncer

Autopsy 4.4.1
« Reply #44 on: 12 August 2017, 10:00 »
Changelog

Beta version of new central repository feature has been added for correlating artifacts across cases; results are displayed using an Interesting Artifacts branch of the Interesting Items tree and an Other Data Sources content viewer.
Results viewer (top right area of desktop application) sorts are persistent and can be applied to either the table viewer or the thumbnail viewer.
The View Source File in Directory context menu item now works correctly.
Tagged image files in the HTML report are now displayed full-size.
Case deletion is now done using a Case menu item and both single-user and general (not auto ingest) multi-user cases can be deleted.
Content viewers (bottom right area of desktop application) now resize correctly.
Some potential deadlocks during ingest have been eliminated.
Assorted performance improvements, enhancements, and bug fixes.


http://www.sleuthkit.org/autopsy/desc.php
