Author Topic: Miscellaneous forensic software  (Read 19342 times)

SiLæncer

  • Cheff-Cubie
  • Posts: 191383
  • No input, no output
    • DVB-Cube
Miscellaneous forensic software
« on: 05 October, 2012, 06:00 »
OSForensics will allow you to extract forensic data from computers, quicker and easier than ever. Uncover everything hidden inside a PC. Discover relevant forensic data faster with high performance file searches and indexing. Restore deleted files. Identify suspicious files and activity with hash matching, drive signature comparisons, and look into e-mails, memory, and binary data. Manage your digital investigation. Organize information and create reports about collected forensic data.

Freeware

Latest Changes

- Fixed indexing for drive root

http://www.osforensics.com/

Work / test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

SiLæncer
OSForensics 2.0.1000
« Reply #1 on: 31 January, 2013, 20:00 »
Latest Changes

- Support for multiple drives & folders when indexing. So a single index can now span more than one drive
- Support for templates in the file indexing module. (to save re-entering data each time an index is created)
- Ability to capture pages from web sites and add them to a case (not finished in this Alpha release)
- Add support for searching multiple sets of index files in a single search
- Added much improved E-mail viewer / browser
- Will open automatically if viewing an E-mail archive
- Can now add Email attachments to case
- Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files)
- Changes to the Internal File Viewer
- Window can now be maximized. Minimum window size limits removed
- Minor metadata fixes
- Can now add string list to case in Hex Viewer
- Exported string list now contains string extraction settings
- Can now carve to file (and add to case) in Hex Viewer
- Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images
- The index search function is now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% times faster, for large sets of index files and search te
- Carved file can now be added to case in the raw disk viewer
- Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories
- WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't
- Changes to the raw disk viewer
- Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk
- 'Select Range' dialog now populates 'Start offset' with current offset
- 'Select Range' dialog shows the number of bytes between the start and end offset
- Changed UI layout to tab-based of memory viewer module. Re-organized buttons
- Bug fix when accessing zip file content on FAT16 volume using direct image access
- Fixed bug where FAT clusters were incorrectly flagged as deleted
- Several speed improvements on FAT volume with using direct image access
- Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB)
- Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module
- The last folder used for a report is now stored to avoid the need to re-enter it
- Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing
- Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on
- Made some changes to the Opera browser recent activity functions to prevent a possible crash
- Added toolbar for quick access to changing views in file system browser
- Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system
- Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name)
- Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title
- Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location
- Better handling of nested e-mail/attachments in the index search function
- New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases
- Fixed bug in Mbox Email Reader with attachments missing characters in the filename
- Fixed progress bar for adding email and attachment to the case
- Fixed Email path issues in the file signature function
- DOS batch (.bat) files can now be run from the system information function
- Corrected an issue where the "Live system Capable" radio buttons was not checked when editing a command in system information function
- Allow right-click Copy/Copy All in the system information results tab
- Fixed buffer overflow caused by long header fields (eg. 'To:')
- More information about the index is displayed under the results window
- Changed default number of maximum search results to 1000 from 5000
- Adding logging and error conditions for searching an index
- Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file
- Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file
- Fixed bug in search index function when opening a word list that contains extended ASCII characters
- Fixed bug in search index history list view when a past search query contains spaces
- Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed
- Added message box after successfully carving to file in the raw disk viewer
- Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases
- Fixed a typo in recent activity drop down (Form History)
- Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox)

http://www.osforensics.com/

SiLæncer
OSForensics 2.0.1001
« Reply #2 on: 05 February, 2013, 06:00 »
Latest Changes

- Added Web Snapshots category to case management for exports from the web browser module
- Added additional URL meta data to Web Snapshots (viewable from case item properties window)
- Fixed index search bug causing variant words like "testing" instead of "test" to not be found
- Fixed index search bug causing exact phrases using quote characters to not return any search results

http://www.osforensics.com/

SiLæncer
OSForensics 2.0.1002
« Reply #3 on: 11 March, 2013, 22:00 »
v2.0.1002 - 11th of March 2013

    Fixed error when attempting to select a file in the listview with no items.
    $I30 directory entries now returned even if the MFT record does not contain a $FILE_NAME attribute.
    Fixed a bug in the report template where Web Snapshots, Notes, Emails and Bookmark tables were not being sorted when their heading columns were clicked.
    Fixed a crash when changing hex view settings.
    Changes to Forensic File Copy to better handle conflicts with 8.3 names on NTFS.
    Fixed a bug in the recent activity scan on non-live systems where USB devices were not displaying a last connected time and date.
    Fixed a bug where the scroll bar was not updating on the recent activity page when using the mousewheel.
    In File Info tab, added 'Short file name' field for NTFS/FAT 8.3 short filenames.
    Fixed a bug that was preventing the recent activity module from getting windows system event information for the live system.
    Added filename and file extension sorting to index search.
    Fixed a crash when viewing/exporting a download recent activity record.
    Added right-click option to save file to disk for the filepath hyperlink in the Decode Window.
    Added progress bar when saving file to disk, allowing the user to cancel if taking too long.
    Fixed a crash that could occur when scrolling on the recent activity tab.
    Fixed a bug where in the recent activity items the chrome form history items could be saved with the currently registered username for OSF not the local user.
    Fixing a bug in the recent activity CSV save to case / export where the time offset was saved in the location field for MRU items.

http://www.osforensics.com/

SiLæncer
OSForensics 2.0.1003
« Reply #4 on: 22 March, 2013, 22:00 »
v2.0.1003 - 22nd of March 2013

    Forensic Copy
        Fixed Forensic File Copy not copying folder 8.3 short names.
        Made change to handle setting 8.3 short file names on files that have a read-only flag.
    Added fractions of seconds to internal viewer file properties output.
    Recent Activity - Now also searches registry location for typed IE URLs.
    System information
        Changed the dialog title to reflect that a command is being edited rather than a new command.
        Fixed a bug where if the first entry in the list was editable then it wasn't loading correctly and defaulting to the new command dialog.
        Fixed a bug where if the list management dialog was closed using the X button rather than OK the current command window display was not being updated to reflect any changes.
        Added new system information functions (Get User Info, Get Timezone, Get computer name, Get network info) that can query the registry for information, these functions can be used on the local system as well as disk images and other system drives.
    Navigation Bar - Added 'Registry Viewer' button.
    Start Page - Dialog for selecting registry file now closes when the Registry Viewer is opened.
    Registry Viewer
        Correct icon is now displayed for Find/Goto windows.
        All search types now selected by default in Find window.
        and keys now work properly for Find/Goto windows.
        Cancel button now works properly for Find/Goto windows.
        Find/Goto windows stay open after search.
        Added splitter bar and fixed resizing issues.
        Added shortcut keys for searching (Ctrl+F, F3, Ctrl+G).
        Find/Find next now traverses the tree in order according to currently selected entry.
        Added support for opening multiple registry files in one viewer
        Added icons for tree view
    Email Viewer
        Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t instead of BSTR
        Changed header fields to Edit controls to fix redraw issues when resizing
        Improved parsing of Date/Time strings.
    Hex View
        Added Ctrl+C (copy hex) and Ctrl+A (select all) keyboard shortcuts
        Fixed crash carving data.
        Changed string extraction so that it no longer separates URL strings into components (eg. 'http', 'www'), this was preventing the URL filter from being useful.
    Password Recovery
        Changed behaviour when recovering Firefox passwords so that if a Firefox install isn't found on the drive being scanned OSForensics will also check for a FireFox install on the system drive.
        If a FireFox location is not found an error message is now displayed.
        Added warning to password recovery and system information functions when running on a live system and the permissions of the SAM registry files need to be changed

http://www.osforensics.com/

SiLæncer
OSForensics 2.1.1000
« Reply #5 on: 10 August, 2013, 08:00 »
Release Notes:

v2.1.1000 - 9th of August 2013

    Indexing changes;
        Will now process e-mail headers
        Added .zipx extension in filetypes to be recognized, handled as "Binary (filename only)"
        Added handling of ZIPX as "Binary (filename only)"
        Added checkbox to scan attachments in e-mails to advanced template configuration window
    Added Volume shadow copies support to the File System Browser. Currently considers a file is a shadow if the modified time of file is different from the current volume file. Steps to use this feature are,
        Add Disk Image OR Drive in forensics mode OR Disk to case
        Add subsequent Volume Shadows for just added device.
        Load File system browser and enable Show shadows under options menu.
        Browse (the shadow copy files text/label will be a shade of grey).
    Added "Add All" Volume Shadow Copies option to Add Device dialog window.
    Added "loading" dialog box when parsing shadow copies.
    Shadow copies can now only be loaded for devices that are already added to case.
    Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time.
    Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow copies, it behaves similarly to the Create/Compare signature function.
    Added keyboard shortcuts to Internal file and email viewers.
    Raw disk viewer searches are no longer aborted when the search window is hidden.
    Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed.
    Can now select 'Use entire image file' when selecting a partition from an image file.
    Added Loading progress indicator for the advanced EmailViewer
    When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
    Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM)"
    Can now detect dynamic volumes in dynamic disks (LDM)
    In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
    Rebuilding RAID images for the following RAID metadata types
        SNIA DDFv1
        Highpoint v2 RocketRAID
        Highpoint v3 RocketRAID
        Adaptec HostRAID
        Integrated Technology Express RAID
        JMicron RAID
        LSILogic V2 MegaRAID
        LSILogic V3 MegaRAID
        nVidia MediaShield
        Promise FastTrak
        Silicon Image Medley RAID
        Silicon Integrated Systems RAID
        VIA Tech V-RAID
        (Note that not all permutations have been tested)
    Added RAID 0+1, RAID1+0, RAID 3, SPANNED rebuilding support
    RAID "Info" dialog now shows the metadata for all matching RAID formats
    Can select between multiple RAID metadata types if multiple formats detected
    Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.
    Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
    File Carving percent complete display bug fix.
    File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
    Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as black box
    Fixed some potential memory allocation issues in the internal file viewer when viewing buffers. (Which is how deleted files are viewed).
    Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths were longer than expected
    Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module.
    Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases.
    Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files).
    Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened.
    Fixed some memory leaks when indexing emails and attachments.
    Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays.
    Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during PST loading
    Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in the EmailViewer.
    Made some changes to stop a reported crash in the registry viewer.
    Fixed a bug with the Windows Login Password when using "Live acquisition of current machine", a required registry permission was failing to be set correctly
    Old/simple PSTViewer is now restored in project and used when PST file is > 10GB
    Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (caused by null records in the registry).
    Added help context for Volume Shadow Copies.
    Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.

http://www.osforensics.com/

SiLæncer
OSForensics 2.2.1000
« Reply #6 on: 10 September, 2013, 22:00 »
What's new:

· Added support for creating a self booting USB solution from the "Install to USB" section, this is a new tool called "WinPE builder" that can be launched after the "Install to USB" process.

http://www.osforensics.com/

SiLæncer
OSForensics 2.3 Build 1 Beta
« Reply #7 on: 05 November, 2013, 14:30 »
What's new:

Increased copy to clipboard limit from 100 to 10,000 files

Password Recovery:

Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
Added scanning of windows credential manager for browser passwords as part of the recent activity function.
Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
Fixed a bug where if there was only one password entry stored in the Firefox database it was not displayed

File System Browser:

Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.

Drive Preparation:

The Write pattern function, could incorrectly report a write error near the very end of the drive for some USB flash drives, this has been corrected.
Changed the error message when adding an image file to a case to include the image name.
Updated "Print" features for EmailViewer and PstViewer
Fixed a bug with HTML email printing not having any header
Fixed a bug with not printing full headers, RTF, and plain text mail

http://www.osforensics.com/

SiLæncer
OSForensics 3.0.1000
« Reply #8 on: 16 July, 2014, 22:00 »
Release Notes

New Modules:

    ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail cache database (Windows Vista and later only)
    ESE database viewer for viewing the records stored in ESE database files (.edb). ESE database format is used by a variety of Microsoft applications and can often contain data of forensics value.
    Prefetch Viewer for viewing the application prefetch data stored by the operating system's prefetcher. This data includes when the application was last run and how frequently it has been run.

Case Management

    Added option to "Make case default" when adding a device to a case so it is selected by default for future actions
    When deleting cases, added prompt to allow the case files to be saved to another location before deleting
    Adding attachments from case devices now supported
    Multiple image partitions can now be mounted at the same time
    VHD image files can now be mounted
    Added 'Repeat action' checkbox to message box when adding a file already existing in case
    Fixed a bug that was preventing undeleted files from being exported as part of a report
    Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.
    Fixed issue with setting newly mounted drives as default drive
    Fixed bug with condensing white space when reading .OSFCfg files
    When adding shadow drives, fixed combo box not being reset when changing drive selection
    Changed the error message when adding an image file to a case to include the image name.
    Fixed a bug preventing bookmark tables in reports from being sorted

Deleted Files Search

    Searching for deleted files in HFS+ drives now supported
    Results can now be displayed in 'thumbnail' and 'timeline' view
    Timeline view now shows stacked bars grouped by file extension
    Fixed overall system slowdown caused by large blocking file reads when file carving
    Removed right click menu options that aren't unsupported by the file system
    Fixed a crash when pressing a key with nothing selected
    Fixed deleted directory icon not being displayed for non-NTFS file systems
    Fixed deleted file fragmentation info not displaying for NTFS case devices
    Fixed crash with invalid memory access when searching for ext2 deleted files

File System Browser

    Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.
    Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    Added right-click menu option to attach selected files to case
    Attribute modify date is now displayed for ext2 file systems
    Fixed deleted icon overlay so that it displays correctly on XP

File Indexing

    Indexer updated to the new Zoom Engine, which includes support for real-time logging
    Indexing now supported for Shadow Volumes
    Timeline view now shows stacked bars grouped by file type
    Multiple history items can now be added to case
    Multiple history items can now be deleted
    Changed indexing/searching limit to 25000 items for Free version
    Optimized index search by not reloading dictionary for every search
    Fixed a crash when indexing multiple partitions mounted from image files
    Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are loading
    Fixed bug with DBX message count not being included in total e-mail count
    Fixed Custom Limits not being saved/applied in Edit Template.
    Fixed 'default' button not deselecting non-default filters in log window
    Fixed unallocated cluster indexing not working for drives mounted in Standard mode
    Fixed timeline date filter not filtering items correctly
    Fixed regex filter combo box in 'Browse Index' tab showing invalid characters
    Fixed invalid characters showing up in 'History' under the 'Settings' column

File Name Search

    Timeline view now shows stacked bars grouped by file extension
    Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    Attribute modify date now displayed for ext2/hfs file systems
    Fixed a memory leak when closing window

Hash set lookup

    Added list of matched files when performing hash set look up of more than 1 items. The list view contains a list of files that are found in the hash set. Previously, only the number of matches are displayed without any information on the files that matched.
    Added support for deleted files hash lookup

Internal Viewer

    Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories
    Metadata View tab now displays EXIFTool metadata for deleted files
    Metadata View tab now displays carved $I30 records for deleted directories
    Added jump to index right-click menu option
    Deleted files opened from the file system browser can now be viewed
    Thumbnail cache data opened from the ThumbCache viewer can now be viewed
    File Info tab now shows the file's starting LCN
    Increased the default number of strings limit in Hex view tab to 50,000. Increased the max number of strings limit to 1,000,000
    Improved loading and caching of files
    Reduced file loading time by optimizing file system accesses
    Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View
    Fixed minor issue in File Info tab with short filenames appearing incorrectly
    Fixed bug with hex viewer string extraction not stopping when max # results reached
    Fixed viewer string extraction omitting words in results
    Fixed 'Copy ASCII' in Hex view tab to copy all characters other than '\0' to clipboard
    Fixed icon transparency not displaying correctly in Windows 8
    Fixed metadata view tab showing icons when displaying EXIF metadata
    'Unsupported file type' text is now displayed when failing to convert document files to text
    Fixed crash due to buffer overflow bug with handling Excel document conversions

Email Viewer

    Added support for searching message body
    Added support for date filtering
    Updated "Print" functionality
    Fixed a bug with HTML email printing not having any headers
    Fixed a bug with not printing full headers, RTF, and plain text mail

Recent Activity

    Added scanning of Windows search database (Windows.edb) index records
    Added scanning of prefetch items
    Added scanning of windows credential manager for browser passwords
    Added 'Config' window for configuring scan options (date range, items to scan)
    Added additional filter for MRU sub-categories when filtering by 'MRU'
    Timeline view now shows the breakdown of activity types via stacked bar graph
    Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)
    Timeline view is now synchronized with File List view
    Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items' hyperlink
    Fixed crash when pressing 'Enter' with nothing selected
    Fixed item selection when 'End' is pressed
    Fixed stack overflow bug
    Fixed error when opening the selected item with the registry viewer
    For Chrome downloads, results now show filename from source URL if destination download path unavailable
    Fixed scanning of IE history not working for certain versions of IE
    Fixed a bug preventing the name of items from being output correctly for CSV export

Mismatch search

    Added text colour to "Identified Type:" field for emphasis
    Fixed a bug that was causing a crash when adding a file to a case

SQLite Browser

    Files saved in temp folder are removed when exiting
    Fixed uninitialized pointer bug when exiting program

Password Recovery

    Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
    Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
    Fixed a bug where the password was not displayed if there was only one password entry stored in the Firefox database
    Updated error message to show correct error code when permissions prevented some registry changes
    Fixed crash when adding .rti rainbow tables without valid file segments
    Under 'Generate Rainbow Table' tab, moved the character set definition in the combo box to an edit control due to length
    Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable

Drive Preparation

    Fixed Write pattern function incorrectly reporting a write error near the very end of the drive for some USB flash drives

Drive Imaging

    Restoring VHD image files now supported
    Disk image name and type is now maintained when using the browse button (if already entered)
    Fixed bug with imaging drives as Encase files

Install to USB

    Added window message processing during the USB installation process so the application doesn't display as "Not responding"
    Disabled Install/Exit/Browse buttons when install process starts
    Stopped "Install to USB" function from working when not installing to a USB/removable drive

Web Browser

    No longer creates a web browser temporary dir as it was not being used and was not being cleaned up properly after program exit.

Misc

    Deleted files are now supported in thumbnail view
    Various performance improvements when loading thumbnails in thumbnail view
    Fixed display of files without high resolution icons in thumbnail view. Previously this meant a tiny icon was drawn
    Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag in thumbnail view
    Fixed crash caused by bug with retrieving the file icon in thumbnail view
    Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail view
    Added support for stacked bar graphs via groups in timeline view
    Fixed bug when the data spans greater than 30 years in timeline view
    Increased copy to clipboard limit from 100 to 10,000 files
    Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB
    Redirected stdout containing Unicode characters should now work correctly (eg from System information tools)
    Fixed some flickering when adding files to case
    Updated OSFMount to v1.5.1015
    Fixed several crashes that could occur when closing OSF
    Fixed crash when attempting to shadow copy files from a drive mounted in standard mode
    Non-raw image files that cannot be opened properly will be opened as raw
    Reduced flickering when resizing window
    Fixed copying of shadow copies of locked files into temporary directory

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.0.1001
« Reply #9 on: 20 August, 2014, 12:17 »
Release Notes
v3.0.1001 - 19 of Aug 2014

    Case Management
        Images/drives without valid partition/file system info (ie. boot sector) can now be added to the case. This allows the drive to be viewable using the Raw Disk Viewer.
    File Indexing
        Added support for indexing extracted binary text from "hiberfil.sys" and "pagefile.sys" (not limited by max file size limit)
        Fixed stemming problems during indexing
        Fixed bug with updating indexing status causing small indexing jobs to report no files being indexed
        Fixed bugs with identifying misnamed ZIP files during indexing
        Updated Engine/CGIs to V7 build 1008
        Image search results that are nested in archives are now displayed in the 'Images' tab
        Image search results that are nested in archives are now displayed with an 'archive' overlay on the top left corner of the icon
        Fixed bugs with accented characters in search result URLs
        Fixed bug with opening search results in the Internal Viewer
    Deleted Files Search
        Fixed bug in file carving of .mov files (was including 4 additional bytes in the end, now removed)
        Fixed file carving of .pdf files. Will now check buffer for four known combinations for end markers. If not found, will default to look for %EOF.
        Fixed scanning of deleted files on mounted drives without partition information
    Raw Disk Viewer
        Fixed divide by zero error bug when performing a raw disk search on a disk with sector size = 0
        Fixed partition info in the Decode window not being updated correctly when a new disk is loaded
    Web Browser
        Module will now load on first use instead of loading on startup. Starting Page is now set to about:blank (was set to http://www.osforensics.com ). This minimises the impact on a live target system when running OSF from a USB drive.
    Internal Viewer
        Fixed image stored in the alternate stream of a file not being displayed
    Misc
        Fixed bug with FAT file system parsing caused by truncating errors when calculating cluster offset. This could prevent some FAT partitions from being mounted when the FAT partition's starting offset was a long way from the start of the disk.
        Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled)
        Added debug statements when there are NTFS file system parsing errors in applying fixup values to MFT and index records (when DEBUGMODE mode is enabled)
        Updated WinPEBuilder.exe to include more debug messages.

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.1 Build 1000
« Reply #10 on: 19 November, 2014, 13:30 »
Release Notes

Email Viewer:

Only one instance of the e-mail viewer window is now available and shared amongst all modules. This allows e-mail messages to be opened instantly without having to reload the e-mail file if it was previously opened.
Partially loaded e-mail files (ie. cancelled halfway during loading) are no longer allowed and removed from the tree view
Added support for recovering deleted and orphaned e-mails in PST files
Added status bar on the bottom of the window to indicate the number of items in the current folder
Fixed header field (From, To, Cc) text not showing when text length is too long
Fixed saving attachments with invalid filename characters
Added implementation to save PST emails with embedded message attachments in MSG format.
Removed storage of e-mail file path for each mail item to reduce memory usage
Fixed a crash when closing e-mail viewer while still loading e-mail/searching

Direct Access:

Reduced the memory usage for VMDK, VHDI and raw images
Cache data is now shared globally per device rather than per device/thread. This reduces memory usage and increases performance

NTFS:

Fixed loading of $MFT file split into multiple MFT records
Added caching of ATTRIBUTE_LIST to improve performance
Fixed a possible crash when saving to disk

Internal viewer:

Fixed a crash related to merged cells when converting excel document to html
Fixed a bug with POLE library causing large files to be saved improperly
Fixed hex view showing incorrect bytes while performing search

Forensic Copy:

Fixed error message preventing files to be copied to a windows drive destination

File Indexing:

Added support for indexing .tar, .gz, .tar.gz, etc.
Added BinStringsUseBigram option for create index binary string extraction settings, Code words and Extreme
Added options to index "System hibernation and paging files"
Changed email prescan estimate to handle more cases
Added a MAXPAGES min. cap of 100,000 pages when scanning attachments
Fixed a bug with not detecting if wordmap merging failed mid write due to out of space or other causes.
Fixed a bug with free edition not indexing PDF files properly (indexed as html)
Fixed a bug with not being able to perform searches on indexes created within a folder path that contains Unicode character (e.g. unicode characters in user name or in case name)
Fixed an issue with not scanning text files (non plugin files) when scan .sys files is enabled.
Fixed a bug with an infinite loop when indexing a file misnamed as DOC (e.g. a RTF file)
Fixed several bugs when indexing emails

Recent Activity:

New user interface, summary of items shown in left hand treeview side, added filters, new sortable list
Updated to work with latest version of opera (23)
Now searching localised folder names so should return more results on non-english installs of Windows
Now searching more registry locations for installed programs so far more results should be returned
Fixed a bug where registry locations of some installed programs weren’t displayed fully
Fixed some issues when trying to get recent activity from non-system drives

Drive Preparation:

Improvements to Disk preparation error messages.
Improvement to the Drive preparation progress update.

Disk Imaging:

Raid rebuilding, fixed detection of RAID metadata for Promise RAID controllers

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.1.1001
« Reply #11 on: 16 December, 2014, 13:00 »
Release Notes

Case Management

Fixed potential deadlock after clicking 'Cancel' when items are being added to the case
Fixed 'To' field missing in e-mail case properties
Fixed 'From', 'To', 'Subject' fields missing in case report
Removed check for empty e-mail headers (From, To, Subject, etc...) when adding e-mail to case. Adding warning to log file instead.

Email Viewer

When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated. Currently, only HTML/text is supported.

File Indexing

Indexer updated to the latest Zoom Engine
Fixed a bug when indexing email attachments with accent characters in the folder path
Fixed infinite loop bug when indexing corrupted ZIP files
Fixed a crash bug with indexing MSI files (and any other files that can be misidentified as DOC)
Added error message when handling bad ZIP files.
Added default handling of .msi files as binary (filename only) format.

Recent Activity

Will now return files/folder from user's Recent Item folder (shell folder)
Added Support for Word 2013 Reading Locations to Recent File List Item
Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List
Added Adobe Acrobat Reader MRU locations
Now also parsing the subkeys to Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.xxx, where .xxx is file extension to retrieve more information
Added Right Click Menu Option - Copy Row to Clipboard
GUI Fixes, Help File Link Update
Added Filter for text search of all fields for an activity type
Installed Programs, if there is no program name, will return registry location as the title.

Registry Viewer

When opening key paths containing SYSTEM\CurrentControlSet which is a volatile symbolic link, replaced with 'ControlSet00n' where n is the current control set

Search Index

Improved performance of adding PST e-mail/attachments to case by using the same e-mail file handle, instead of opening and closing for every e-mail message

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.1.1004
« Reply #12 on: 16 January, 2015, 12:24 »
Changelog
V3.1.1004 - 16th of Jan 2015

    Email Viewer
        Added handling of rfc2047 encoding in subject/address fields of MIME headers
        Fixed buffer overflow in status message while recovering deleted e-mails in PST files
        Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to case
        Fixed a bug with saving embedded message in PST/OST files as .msg. LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream instead of storage
    ESEDB Viewer
        Fixed population of known ESEDB files to use localised folder names instead of hard-coded locations
    File Indexing
        Pre-scanning can now be cancelled while scanning PST messages
        Updated Zoom indexer to fix some crash issues
        Updated Zoom Office XML plugin
        Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from 255 characters to 65,535 characters.
        During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not updating properly when > 2GB
        Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file with many attachments
        Fixed bug with only using last filename for all attachments of the same .MSG file
        Fixed bug with losing generated body text with attachment filenames "Attachment(s): ... , ..." for .MSG file indexed.
        Fixed bugs with indexing plain text emails in .MSG files
        Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode corruption)
        Fixed bug with possible Unicode string corruption when longer than available buffer (with languages such as Chinese with 4 char MB UTF-8 characters)
        Fixed a bug with file sizes not being indexed in offline mode
        Fixed a potential crash caused by long URLs
        Fixed a crash during pre-scanning when indexing unallocated clusters
        Fixed bug with search index failing on old format index files after a search with new format index files.
        Fixed DOCX plugin that split words incorrectly due to revision history
        Fixed crash bug with XLS files with invalid cell.templateID values
    Import Hash
        Fixed String/Buffer overflow during import progress updates (if import folder name is too long) by increasing string size
    Internal Viewer
        If viewing an excel document that is password protected it will now display a relevant error message
    Password Recovery
        Shadow copy now used if registry file is locked
    Recent Activity
        Now attempting to get the localised name for the "Documents and Settings" folder from the registry when starting a recent activity scan so more information will be retrieved on non-english Windows installations.
        Shadow copy now used if registry file is locked
        Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not using live acquisition scan option).
        Fixed scanning of system registry hives when no user hives are found
    Search Index
        Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results
    System Information
        Shadow copy now used if registry file is locked
    ThumbCache Viewer
        When looking up default Windows.edb location, now using localised folder names instead of hard-coded locations
    WinPE Builder
        Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command line argument '-f'. Not enabled by default, since FAT32 supports booting both BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside on FAT32 partition. If they are not on FAT32 the system may not see the device as bootable.)
    Misc
        Fixed bug with handling of NTFS files with mix of compressed/non-compressed fragments
        Help file updates

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.1.1005
« Reply #13 on: 18 February, 2015, 12:24 »
Changelog

File Indexing

    Updated Zoom indexer to fix some crash issues
    Bug fixes when indexing DOC and XLS files inside ZIP files

Install to USB

    WinPEBuilder will launch with option to format USB drive filesystem as NTFS.

Password Recovery (Browser Passwords)

    Fixed a bug with chrome and opera password recovery where the wrong password could be displayed in some cases (out by 1 place in the list) or no password might be displayed despite not being blacklisted

System Information

    Fixed a bug that was displaying an error message when trying to run a custom command on the system information tab when using a selected drive

http://www.osforensics.com/

Offline SiLæncer

OSForensics 3.1 Build 1006
« Reply #14 on: 05 March, 2015, 09:13 »
Changelog

Case Manager:

Before deleting search indexes they will now be unloaded if currently in use rather than displaying an error message

Email Viewer:

Added check for if the recipient address is in X400 format. If so, try to obtain the SMTP Address instead.

File Indexing:

Fixed a crash caused by partially compressed NTFS drives
Fixed bug with missing title and from addresses from index
Fixed bug with PST files not opening from search results due to incorrect/corrupt path
Fixed bug with x400 email address format when smtp format available for recipients.

Password Recovery:

Windows login passwords: Added recovery of cached domain users, updated help file to match new UI and functions.

Install to USB:

Fixed a bug where if the initial start failed (eg invalid target directory) the disabled buttons were not re-enabled, causing OSF to become un-usable

Misc:

Updated error message when trying to copy files to clipboard from non supported devices

http://www.osforensics.com/