Anzeigen der neuesten Beiträge
0 Mitglieder und 1 Gast betrachten dieses Thema.
- Support for multiple drives & folders when indexing. So an single index can now span more than drive- Support for templates in the file indexing module. (to save re-entering data each time an index in created)- Ability to capture pages from web sites and add them to a case (not finished in this Alpha release)- Add support for searching multiple set of index files in a single search- Added much improved E-mail viewer / browser- Will open automatically if viewing an E-mail archive- Can now add Email attachments to case- Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files)- Changes to the Internal File Viewer- Window can now be maximized. Minimum window size limits removed- Minor metadata fixes- Can now add string list to case in Hex Viewer- Exported string list now contains string extraction settings- Can now carve to file (and add to case) in Hex Viewer- Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images- The index search function in now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% times faster, for large sets of index files and search te- Carved file can now be added to case in the raw disk viewer- Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories- WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't- Changes to the raw disk viewer- Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk- 'Select Range' dialog now populates 'Start offset' with current offset- 'Select Range' dialog shows the number of bytes between the start and end offset- Changed UI layout to tab-based of memory viewer module. Re-organized buttons- Bug fix when accessing zip file content on FAT16 volume using direct image access- Fixed bug where FAT clusters were incorrectly flagged as deleted- Several speed improvements on FAT volume with using direct image access- Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB)- Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module- The last folder used for a report is now stored to avoid the need to re-enter it- Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing- Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on- Made some changes to the Opera browser recent activity functions to prevent a possible crash- Added toolbar for quick access to changing views in file system browser- Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system- Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name)- Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title- Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location- Better handling of nested e-mail/attachments in the index search function- New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases- Fixed bug in Mbox Email Reader with attachments missing characters in the filename- Fixed progress bar for adding email and attachment to the case- Fixed Email path issues in the file signature function- DOS batch (.bat) files can now be run from the system information function- Corrected an issue where the "Live system Capable" radio buttons was not checked when editing a command in system information function- Allow right-click Copy/Copy All in the system information results tab- Fixed buffer overflow caused by long header fields (eg. 'To:')- More information about the index is displayed under the results window- Changed default number of maximum search results to 1000 from 5000- Adding logging and error conditions for searching an index- Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file- Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file- Fixed bug when in search index function when opening a word list that contains extended ASCII characters- Fixed bug in search index history list view when a past search query contains spaces- Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed- Added message box after successfully carving to file in the raw disk viewer- Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases- Fixed a typo in recent activity drop down (Form History)- Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox)
v2.1.1000 - 9th of August 2013 Indexing changes; Will now process e-mail headers Added .zipx extension in filetypes to be recognized, handled as "Binary (filename only)" Added handling of ZIPX as "Binary (filename only)" Added checkbox to scan attachments in e-mails to advanced template configuration window Added Volume shadow copies support to the File System Browser. Currently considers a file is a shadow if the modified time of file is different from the current volume file. Steps to use this feature are, Add Disk Image OR Drive in forensics mode OR Disk to case Add subsequent Volume Shadows for just added device. Load File system browser and enable Show shadows under options menu. Browse (the shadow copy files text/label will be a shade of grey). Added "Add All" Volume Shadow Copies option to Add Device dialog window. Added "loading" dialog box when parsing shadow copies. Shadow copies can now only be loaded for devices that are already added to case. Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time. Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow copies, it behaves similarly to the Create/Compare signature function. Added keyboard shortcuts to Internal file and email viewers. Raw disk viewer searches are no longer aborted when the search window is hidden. Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed. Can now select 'Use entire image file' when selecting a partition from an image file. Added Loading progress indicator for the advanced EmailViewer When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop. Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM) Can now detect dynamic volumes in dynamic disks (LDM) In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding. Rebuilding RAID images for the following RAID metadata types SNIA DDFv1 Highpoint v2 RocketRAID Highpoint v3 RocketRAID Adaptec HostRAID Integrated Technology Express RAID JMicron RAID LSILogic V2 MegaRAID LSILogic V3 MegaRAID nVidia MediaShield Promise FastTrak Silicon Image Medley RAID Silicon Integrated Systems RAID VIA Tech V-RAID (Note that not all permutations have been tested) Added RAID 0+1, RAID1+0, RAID 3, SPANNED rebuilding support RAID "Info" dialog now shows the metadata for all matching RAID formats Can select between multiple RAID metadata types if multiple formats detected Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits. Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable. File Carving percent complete display bug fix. File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash. Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as black box Fixed some potential memory allocation in the internal file viewer issues when viewing buffers. (Which is how deleted files are viewed). Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths were longer than expected Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module. Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases. Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files). Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened. Fixed some memory leaks when indexing emails and attachments. Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays. Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during PST loading Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in the EmailViewer. Made some changes to stop a reported crash in the registry viewer. Fixed a bug with the Windows Login Password when using "Live acquisition of current machine", a required registry permissions was failing to be set correctly Old/simple PSTViewer is now restored in project and used when PST file is > 10GB Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (causes by null records in the registry). Added help context for Volume Shadow Copies. Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.