Author Topic: Miscellaneous forensic software (read 19383 times)

Offline SiLæncer

  • Cheff-Cubie
  • *****
  • Posts: 191383
  • No input, no output
    • DVB-Cube
OSForensics 6.0.5 Beta
« Reply #60 on: 08 June, 2018, 19:00 »
What's new:

Big additions are Win10 Timeline extraction and OCR on images while indexing.
Fingers crossed, this will be the final beta release.

http://www.osforensics.com/

Work and test machine:

Intel® Core™ i7-6700 (4 x 3.40 GHz / 4.00 GHz)
16 GB (2 x 8 GB) DDR4 SDRAM 2133 MHz
250 GB SSD Samsung 750 EVO / 1 TB HDD
ZOTAC Geforce GTX 1080TI AMPExtreme Core Edition 11GB GDDR5
MSI Z170A PC Mate Mainboard
DVD burner drive
Microsoft Windows 10 Home 64Bit

TT S2 3200 ( BDA driver 5.0.1.8 ) + Terratec Cinergy 1200 C ( BDA driver 4.8.3.1.8 )

Offline SiLæncer

OSForensics 6.0 Build 1000
« Reply #61 on: 22 June, 2018, 12:25 »
Changelog

Case Management:
Added "Export case" feature
Added a list of reports that have been generated (in case directory or last known export directory)
When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
Changed list view to allow groups (devices, reports, files etc) to be collapsible
Added last access date to case management when case is loaded
Fixed error copying files with long file paths when a report was created and the report contained deep / long paths.
Fixed a bug when creating a case report that was leaving a file handle open
Added support for encrypting PDF report
Added predefined offenses list to 'Offense' drop down list when creating/editing case
Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
Case Details Dialog, will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
Re-added "E-mail Delivery Time" to report and the associated timezone
Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
Report production progress window was added to show some progress activity when very large reports are produced.
New Command Line Parameter to load a specific case (-C ), if path does not exist or CaseDetails.OSFCase file cannot be found, OSF will default to loading the last case used.
Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links were broken when a report was produced.
Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
Fixed special characters not being escaped when generating reports

Create index:
New indexing engine (Zoom V8 with multi-threaded offline indexing)
Much better indexing performance (3x speed increase)
Updated Create Index interface with new file type selections,
New "Memory optimization / Indexing Limits" step to bypass Pre-scan
Added support for user configurable number of indexing threads (up to 10)
Added options to enable RAM drive for temporary files
Improved RAM estimations and Indexing Limits settings
Improved indexing Status interface
Updated OSF interface to show multi-threaded indexing
Updated OSF Create Index options to offer more control with file type selection
Removed unnecessary indexing warnings
Added count display for Prescan
Added thousands grouping for large numbers shown in Create Index windows
Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
Fixed a bug with indexing the complete content of emails in PST files that were text-only emails.
OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.

Deleted Files:
Column ordering, visibility and size now saved in OSForensics config file
Configuration options now saved in OSForensics config file
Fixed a crash caused by logging a magic number incorrectly when getting deleted files
Fixed uncaught exception error when loading MFT for some OSF devices
Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
Added check for buffer overrun when looking for slack $I30 entries
Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
File Carver, TIFF/CR2 extraction should be better.

Disk Imaging:
Added extra check if the first read fails when verifying the image created.
Previously, if the disk did not contain a valid MBR, this would cause it not to show up in the list (as it would have no partitions). But the disk might be a file system boot sector. These disks are now correctly shown.
There is now the option to specify primary and/or secondary hash functions for imaging disk. So the user can select SHA1 instead of just MD5. Or calculate two hashes at the same time.

Disk Preparation:
Can now wipe BitLocked drives. Previously these drives appeared to be locked and could not be formatted.
In case of a physical drive failure, additional error codes have been added to the status window

Disk Test:
Fixed issue with formatting as FAT32 on small drives.
Fixed Crash when formatting as FAT32 fails.

E-mail Viewer:
E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
Fixed bug where case item title set to '' when selecting 'Use same details for all'

File System Browser:
Added right-click menu option to jump to MFT record in the raw disk viewer
Fixed stack overflow when attempting to add device to case

File Name Search:
Added an "Uncheck all" menu item to uncheck currently selected items
Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
Column ordering, visibility and size now saved in OSForensics config file
Removed folders from results when filtering using hash set
When filtering using hash set, fixed bug with current file being added to results after cancelling search
'In hash set' flag is now set for results when hash set is used and made active
Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
Re-arranged configuration dialog

Forensic Imaging:
Re-arranged tabs
Create Image, for physical disks, disk model and serial number are now saved in the info file
Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
Device & SMART Info, Added support for export and adding report to case
Device/SMART Info, added mouseover tooltip descriptions for SMART attributes

Forensics Copy:
Moved allocation of virtual disk image to thread to prevent system from being unresponsive

Hash Set:
Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
Fixed deleted hash set databases appearing in the file name search config drop down box
Re-organised buttons in main window
Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
Added default database name when importing VIC data set
Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
Fixed hash set operation LED still "active" when there's an error
Fixed number display and file size formatting to be more readable for large import files (> 4GB)
When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)

Hash set lookup:
Added right click menu option to open files in internal viewer
Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.

Install and run from USB:
Added help Link
Added separate "temp build" directory field when using WinPEBuilder.
Updated WinPE builder to deal with new latest WinPE10 changes

Internal File Viewer:
EFS Support (encrypted file system). When an EFS file is now opened in the file viewer a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
Hex View, added right-click option to add selected strings to case (as HTML file)
Fixed potential mem leak when generating video thumbnails
Fixed potential concurrency issues when loading videos
Added OCR view (Win10 only)

Memory viewer:
Column ordering, visibility and size now saved in OSForensics config file
Added button to add memory dump to case
Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.

Mismatch File Search:
Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV

NSRL Hash Import:
Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
New NSRL import config window to specify input and (temp) output folders
Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
Updated help file with info about allocating enough space on a RAM drive.
Status now displays percentage counter during file importing

Password Recovery:
Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
Column ordering, visibility and size now saved in OSForensics config file
Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as Firefox have started distributing as 64bit).
Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
Registry Passwords , added support for win10 anniversary update for live system in Forensics mode
Removed a "File not found" error when running the windows password search on a non system drive

Prefetch Viewer:
Added right-click option to export selected items to CSV

Rainbow Tables:
Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being passed to format string when secure case logger was enabled

Raw Disk Viewer:
Added progress window when carving to file
Renamed 'Decode' window to 'Disk Info'
Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
Clicking on file paths now open the internal viewer
Clicking on LCN/offsets now jump to the offset in the raw disk viewer
Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
Fixed crash issue when sector size could not be determined
Fixed right-click "Jump to offset" not working some of the time
Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.

Recent Activity:
Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
"Show empty activity types" checkbox to default to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info
Added function to collect new Win10 Timeline database for artifacts
Added more displayed information for windows event items.

Registry Viewer:
Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
Fixed a possible crash when processing a registry file

SQLite Browser:
Will check for Skype SQLite database files during "Scan for DB Files".
Resizeable Dialog/Controls
Option (enabled by default) to convert known timestamps to readable format
Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive

System Information:
A new tab is now created for every new system information command
Added option to restore command lists back to default
Added "Recovery of Bitlocker Keys" to command list
Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
Added support for Embedded Python 3.6.5
Removed the "Get" from the start of some item names.
Changed button text from 'Add...' to 'New...' when adding new commands
Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
Re-organized controls
Added command to get current clipboard contents
Added command to get anti malware (windows defender) software status
Added command to get current TPM status
Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
Fixed crash possible with getting printer info when system returns bad information.

Triage Wizard (now renamed to Auto-Triage):
Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wasn't ready for you.
Added option to create logical image with known system files
Added agent help text when mouse is hovering over a control
Added a free disk space check (for at least 1GB + memory size if memory dump selected)
Fixed an unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
Fixed a crash caused by trial limitations when running the triage wizard

Web Browser:
Added status bar to browser.
Can now select export format as Web Archive Format (.mht) when exporting webpage.
Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
Added a progress indicator for downloading large files.

Misc:
Added colour coding of encrypted files displayed in a file list
Added exit confirmation message
Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
Fixed a long delay at startup when not running as Admin
Removed agent icon from feature description text on start window
After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
Changed how temp files are stored, each thread now has a temp folder
Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esetutl as was timing out during triage runs
To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging

http://www.osforensics.com/

Offline SiLæncer

OSForensics 6.0 Build 1001
« Reply #62 on: 25 June, 2018, 17:00 »
What's new:

Build 1001 was made shortly after build 1000 to fix a day 1 indexing bug

http://www.osforensics.com/

Offline SiLæncer

OSForensics 6.0 Build 1002
« Reply #63 on: 06 July, 2018, 18:00 »
Changelog

Case Manager:
Reduced memory usage of path flags structure
Case logging now enabled by Default

Create Index:
Fixed memory (handle) leak in Win10 caused by bug in ShellExecuteEx() in certain builds of Win10. Replaced with CreateProcess() calls.
Improved error messages regarding "Maximum file size limit exceeded..." to show file size.
Improved various error messages to show both actual temp file path and file being indexed
Fixed bug with Pre-Scan count displayed being much bigger than the actual count used. Did not affect pre-scan result.
Minor changes to fix "(Win10 only)" text for the "Use OCR" checkbox appearing in Win10 builds
Improved accuracy of URLs being reported in the Create Index Status

Deleted Files:
Added sort By FG and BG color.

File Name Search:
Improved performance by doing fewer string compares/copies if wildcard '*' is used

Hash Set:
Added a "skip files smaller than" option when creating a new hash set to avoid creating hash sets which match the large amount of small byte files on a system

Image Viewer:
Initial Support for Non Password protected logical Android Backup files (.ab) allowing Image Viewer to be able to browse contents of Android Backup Files (.ab).

Internal Viewer:
Added BitLocker Recovery Key RegEx pattern to Filter Presets for Hex File Viewer

http://www.osforensics.com/

Offline SiLæncer

OSForensics 6.0.1003
« Reply #64 on: 10 July, 2018, 09:17 »
What's new:

Create Index: Added RAM check before proceeding with user specified Create Index Size Settings. Without this, users may have proceeded with size settings that led to exhausting their RAM and the indexer crashing.
Search Index: Fixed bug when searching index containing file types: binary files, recycle bin meta, or email attachments.

http://www.osforensics.com/

Offline SiLæncer

OSForensics 6.0 Build 1004
« Reply #65 on: 17 July, 2018, 09:12 »
Changelog

Create Index:

Fixed out of bounds exception
New indexer build to address issues with multi-threaded indexing from ext2 image (and possibly other filesystems)

Volatility Workbench:

Fixed issue with edit boxes.

Misc:

Fixed a bug preventing the workflow from being customised correctly

http://www.osforensics.com/

Offline SiLæncer

Autopsy 4.8.0
« Reply #66 on: 09 August, 2018, 06:00 »
Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

New Features:

Data Source Grouping:

The case tree view can now be grouped by data source.
Keyword and file search can now be restricted to a data source.

Central Repository / Correlation:

New common files search feature that finds files that exist in multiple devices in the same case.
The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
Central repository options panel now shows cases that are in repo.
A comment about a file can be created and saved in the central repository so that future cases can see it.

Keyword Search:

Can enable OCR text extraction of PDF and JPG files using Tesseract.
Keyword search module normalizes Unicode text.
Keyword search module uses ICU to convert text files that do not have a BOM.

Tagging:

Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
New "Replace Tag" feature to change the tag on an item.

Other:

SQLite tables can now be exported to CSV files.
An interesting file artifact is now created when a "zip bomb" is detected.
An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.

Bug Fixes:

Expanding the case tree is more efficient.
Improved "zip bomb" detection.
Assorted small bug fixes are included.

http://www.sleuthkit.org/autopsy

Offline SiLæncer

OSForensics 6.1 Beta 8
« Reply #67 on: 12 September, 2018, 20:00 »
Changelog

Changes since 6.1 beta 7

File system support
- Several fixes for APFS support in OSF modules
- Support for compressed files (zlib & lzvn) in APFS

Mobile Artifacts / Android Artifacts
- Renamed "Mobile Artifacts" to "Android Artifacts" to reflect current ability of module (iOS is not currently supported).

Raw Disk Viewer
- Regular expression searching, made a change to prevent an infinite loop when a partial match was found

SQLite Browser
- Fixed bug that prevented additional sqlite viewers to be open even after closing opened sqlite viewers.
- Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.

Start/Navigation
- File and Hex Viewer, will now open File Preview Tab as default.

http://www.osforensics.com/

Offline SiLæncer

OSForensics 6.1 Build 1000
« Reply #68 on: 27 September, 2018, 12:24 »
Changelog

Case Manager:
New feature: Paste Clipboard to Case. Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This provides an additional method of capturing web pages.
Added support for mounting an image file as a "group" device. Partitions are listed as a folder of the top device.
When displaying the volume shadow info to add to case, the creation time now includes the GMT offset
Create Index:
Updates to handle indexing Apple's APFS file system (indexing encrypted volumes is not supported, but coming soon).
Fixed multi-threaded indexing problems with some image filesystems such as EXT2
Improved memory estimation (was previously not including some offline buffers)
New "broad numeric matching" feature. Allows for better searching of currency values and part numbers with hashes in the number.
Added Precognitive Search feature, return matches for trigger keywords during the "Create Index" process. So you don't need to wait for the indexing process to be completed before seeing the search results. It is also possible to use pre-made word lists with the Precog search.
The concept of a template has been removed, instead you can now save and load previously used configurations. Some of the advanced template options, like extreme binary string extraction and stemming are now on Step 2 of the create index process.
Deleted Files:
Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module.
Partial support for scanning "group" devices for deleted files
Fixed buffer overrun crash when parsing slack space for $I30 record
Email Viewer:
Single Email Viewer can view Gmail email stored within Android mailstore.username@gmail.com.db.
File Name Search:
Fixed a bug when searching for deleted files
File System Browser:
Fixed crash with internal viewer when clicking prev/next after file system browser is closed
File system support:
Apple's APFS file system is now supported. Including support for compression (zlib & lzvn) and encryption. So you can browse and search files from a Mac machine in Windows.
Forensic Imaging:
Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in images larger than 100GB in size and more than 64 files being unreadable.
Added copy Logical Android Image. Will obtain files off Android device using 'adb pull' command over a USB connection. To use this with a device connected over USB, you must enable USB debugging in the Android device system settings, under Developer options. So the device needs to be unlocked to do this.
Fixed image type not displaying correctly for unicode filenames
Hash lookup:
Fixed hang when error occurs while attempting to read from deleted files
Install to USB:
Updated WinPEBuilder used for self boot USB, added option under Program Tab to allow selection of Storage Area Network (SAN) Policy. The recommended setting for OSForensics is, 3 - Doesn't mount storage devices, to prevent introduction of artifacts. However, if you need access to disks, e.g. external disk drive to image to, you can change it accordingly.
Internal Viewers:
Started saving viewer x,y positions (previously was just size) in config file and will restore them to the last position on next open
Internal Viewer - File Info
When viewing compressed archives (e.g. .7z or .ab), added right-click option to save file to disk.
Show the total/used/free space for "partition" folders. Show the disk size for devices/partitions
Fixed multithreading issues with sharing a handle to a video file. This potentially can cause a crash.
Added checkbox to link the selected file in the list (file name search, mismatch search, etc...), and the current file in the internal viewer. This allows for faster selecting and previewing of pictures.
Android Artifacts:
Addition of new module to scan for android mobile device information. A limited number of artifacts are supported in this release. Additional data will be extracted in future releases.
Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)
Initial support for password encrypted android backups. When opening file in FileViewer, OSF will prompt for password and attempt to decrypt the backup.
Password Recovery:
Fixed crash when running windows login / password search simultaneously due to shared global variable
Fixed bug with list view column widths not being saved correctly, could cause URL column to be incorrectly hidden and column widths to be reset each time OSF was started.
Now displays available dictionaries before file is selected, will display an info message when a 40bit encrypted file selected (which don't use the dictionaries).
Added a "Add Dictionary" button that will copy a selected text file to the OSF dictionaries folder and create a simple default definition file to use the dictionary
Renamed folder where pre-installed and user dictionaries are stored (from PDF to Dictionaries)
Raw disk viewer:
Regular expression searching, made a change to prevent an infinite loop when a partial match was found
Added clickable link for File Rec#
Fixed bug with jumping to an LBA from the MBR/GPT
Added option to jump to MFT record
Added decoding of $FILE_NAME attribute
Added decoding of NTFS attribute common header
Added support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
APFS GPT partition GUID now detected and displayed in Data Decode window
APFS file system string now properly displayed in Disk Info window
Fixed excessive quotes for 'Context' field in exported CSV
Replace unprintable characters with '.' when displaying context
Recent Activity:
Now collects more information from LNK files (Windows Explorer - Recent Items) such as volume name, volume serial and link target create/access/modified dates
Fixed a bug where subitem counts in the treeview were not actively reflecting the actual filtered counts.
Made a change so Windows timeline entries always display the same number of lines in the file list tab for consistency
Report Templates:
Updated report templates to include Mobile Artifacts
SQLite Browser
Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).
Fixed bug that prevented additional SQLite viewers from being opened even after closing opened SQLite viewers.
Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.
Start/Navigation:
Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case
File and Hex Viewer, will now open File Preview Tab as default.
Reordered the left side buttons. Removed Android Artifact and About button from the Navigation Menu, but still accessible from the Start page. User Workflow configuration setting will reset to defaults with changes upon first starting V6.1.1000
System Information:
Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry
Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module
UsnJrnl Viewer
Fixed incorrect filenames due to incorrect length truncation
Web Browser:
Export Webpage Dialog can be resized vertically to fit smaller screens.
Misc:
Added support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appear as folders under the parent device
Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list
Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space


http://www.osforensics.com/


Offline SiLæncer

OSForensics 6.1 Build 1001
« Reply #69 on: 09 October, 2018, 12:24 »
Changelog

Raw disk viewer:

Added right-click menu to export/add decoded master file table (MFT) to case

Internal viewer:

An error message is now shown when there is not enough memory to extract strings. Previously it would silently stop the extraction process in a low memory situation.
Added "File load in progress" status text when loading large text files
Fixed slow load when attempting to open a large file in the File Viewer tab

File system browser:

Added new columns for NTFS $FILE_NAME dates. Added checkbox under Tools->Options to show/hide $FILE_NAME dates. So up to 8 dates per file are now displayed. This is useful for detecting fake time stamps.

File Name Search:

Files found in file name search can now be added to a logical image (VHD) via check boxes and right click options. This provides a fast method to, for example, dump all JPG files to a logical image.

Create Index:

Updates to handle indexing Apple's APFS file system - now with support for encrypted volumes.
Bug fix - PST emails with long headers didn't get all the text in the header indexed. This was a regression, but is now fixed.
Thread status now updates more often when indexing inside containers (like Zip files). So progress is more obvious and the indexer doesn't appear to be stuck on large container files.
Improved handling for hidden $ system files, like $BadClus, $Extend when indexing.

Misc:

It is now possible to export timeline graph to a PNG image file or copy to clipboard via right click on the graph.


http://www.osforensics.com/


Offline SiLæncer

OSForensics 6.1.1002
« Reply #70 on: 16 October, 2018, 09:15 »
Changelog

Create Index:

Fixed bug with indexing BitLocker encrypted drive

Disk Test:

GUI High DPI Scaling issue fixes (when user sets Application High DPI Override)

Forensic Imaging – Logical:

Removed CREATE_VIRTUAL_DISK_FLAG_FULL_PHYSICAL_ALLOCATION flag when creating virtual disk file. Pre-allocating disk space may cause the system to stall especially for large disk images.
Fixed progress bar shifting backwards after a file copy is complete

Recent activity:

Changed file list output of Windows explorer – recent items type so it no longer overlaps the next entry
Fixed a bug where the vertical scrollbar was not refreshed correctly when switching between the file details and file list tabs
Added location of "Windows Event Log" for Windows event items retrieved from a live scan

Timeline:

Restored ‘Show these files’ option in right-click menu

WinPEBuilder:

Updated to V1.2.105, fixed issue where the build process would fail if there was a space in the Temp work directory.


http://www.osforensics.com/


Offline SiLæncer

OSForensics 6.1 Build 1003
« Reply #71 on: 26 October, 2018, 12:31 »
Changelog

Auto triage:

Fixed a crash that could occur when collecting recent activity items

Case management:

Added debug output when attempting to load a BitLocker encrypted drive
Fixed a scaling issue with the generate report dialog not displaying correctly when high DPI scaling override settings were in use

Recent activity:

Fixed a crash that could occur when collecting Opera form history
Fixed a crash that could occur when collecting USB information in Windows 7 for live acquisition
Fixed a bug where filters weren't applying correctly to URL history and downloads.

Misc:

Added support for newer versions of BitLocker. XTS-AES 128 support was added. This became available in Windows 10 (build 1511)


http://www.osforensics.com/


Offline SiLæncer

Autopsy 4.9.1
« Reply #72 on: 10 November, 2018, 11:00 »
Changelog

Bug Fixes:

Fixed possible ingest deadlock from Image Gallery database inserts.
Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
Other misc Image Gallery fixes.


http://www.sleuthkit.org/autopsy


Offline SiLæncer

OSForensics 6.1 Build 1004
« Reply #73 on: 13 November, 2018, 12:16 »
Changelog

Android Artifacts:

Fixed possible crash when scrolling through messages. Message scrolling in general should be smoother.
Pictures from MMS Messages (acquired through Android Extract App) now visible in preview window of MMS Tab.
Updated to include data from call log and contacts.

Auto Triage:

Made auto triage tooltips a bit smaller to better fit buttons on dialog

Create index:

Fixed bug for Create Index Status GUI (unable to click "Save configuration" button) with high DPI setting
Fixed support for Win10 BitLocker encryption

Raw disk viewer:

Fixed default case drive not being displayed after switching cases

Misc:

Fixed bug where "Entry Point Not Found : The procedure entry point CancelSynchronousIo could not be located in the dynamic link library KERNEL32.dll" could be displayed on old versions of Windows (pre Vista)


http://www.osforensics.com/


Offline SiLæncer

OSForensics 6.1 Build 1005
« Reply #74 on: 28 November, 2018, 09:11 »
Changelog

Android Artifacts:

Fixed bug with incorrectly listing call type (e.g. Incoming, Missed, etc..)
Combined/Cleaned up contacts list. Contacts with same RawContactId are combined into a single listing (previously there was one entry per email, per phone, etc)
Updated OSFExtract Android App to V1.0.1002

File Name Search:

Fixed a crash that could occur during a search if none of the file details columns were enabled

Misc:

Added some sanity checks to the customised column config file save/reload to prevent situations where all the columns are hidden
Updated help file for Android Artifact and OSFExtract Android App


http://www.osforensics.com/
