Thema: Forensic Software diverses

[SiLæncer]

Autopsy is a graphical interface to The Sleuth Kit and other analysis tools. It was designed to be an extensible platform so that it can be an end-to-end digital forensics solution that incorporates plug-in modules from both open and closed source projects. The application provides users with various analysis features and with the possibility of generating HTML or CSV reports as well.

License: GPL

Changelog

New Features:

Central Repository
Case Manager shows data source details
SSID, MAC address, IMEI, IMSI, and ICCID can be stored and correlated on
SSID, MAC address, IMEI, IMSI, and ICCID values from past cases are flagged if they are seen again in the current case.
File types can be specified when searching for common files with past cases.
Results from finding common files with past cases is now organized by case instead of by number of occurrences.
The Central Repository can now be searched for a specific value (hash, email, etc.)

The E01 Verifier ingest module was renamed to Data Source Integrity module and it will:

Calculate hashes if none exist for a non-E01 data source
Validate hashes if they are defined
MD5, SHA1, or SHA256 hash values of raw data sources can now be specified when they are added.
Added the ability for examiners to select the time zone for displaying dates.
Tesseract OCR text extraction for keyword search now supports languages other than English, if language packs are installed.
Custom headers and footers can now be added to HTML reports.
New report module to export basic file data in CASE/UCO format.
Ingest filter rules (for triage) can now specify a list of extensions (such as "jpg,jpeg,png") instead of needing to make a rule for each extension.

Image Gallery:

Refactored to ensure database was fully closed when case was closed.
No longer pre-populate DrawableDB database.
Added caching to reduce time required to insert files after analysis.

Bug Fixes:

Duplicate interesting item and EXIF metadata artifacts are no longer created when you run the modules that generate them more than once.
The Application content viewer now displays SQLite table column names even when the table is empty.
Assorted small bug fixes are included.

[close]

http://www.sleuthkit.org/autopsy

[SiLæncer]

Changelog

New Features:

Adding Data:

Hashes can optionally be entered when adding a disk image data source to a case.
Acquisition details can be stored when the data source is added.

Ingest Modules:

Added support for Microsoft Edge browser (cookies, history, and bookmarks)
Added support for Safari web browser (downloads, cookies, history, and bookmarks)
Expanded Chrome browser support to include cache parsing and form/auto fill.
Expanded Firefox browser support to extract form/auto fill fields.
Parse Zone.Identifier files to identify the source of files.
Added a TSK_SOURCE artifact to downloaded files to help users trace back to where it came from.
Added support for parsing vCards (virtual cards).
Extract more information about Windows user accounts (number of logins, creation date, and last login)
Detect more operating system types, which get saved as a TSK_OS_INFO artifact.
Detect Android media cards, which gets saved as a TSK_DATA_SOURCE_USAGE artifact.

UI:

The Application content viewer now displays HTML files.
Video playback now uses gstreamer on 64-bit systems, which supports more video formats.
Pictures can be rotated and zoomed in the Application content viewer.
The Other Occurrences content viewer layout was reorganized to make viewing the data easier.
New "Data Source Summary" panel shows high-level statistics and details about the data sources in the case.
Data sources are now listed in the data sources tree in alphabetical order.
The presentation of finding common properties within a case was revised to group results in a more helpful way.

Report / Export:

Portable Cases can be created based on tagged data. These cases contain a subset of the case data and can be opened anywhere.
Users can now choose tabs or commas as the delimiter for a files report.
Case notes are included in the HTML report.

Other:

Added a new file type that allows module writers to specify a file based on its byte range.
Data sources can be analyzed and have a CASE/UCO report generated using only the command line.

Bug Fixes"

Decreased the time required to execute inter-case common properties searches of the Central Repository.
Assorted small bug fixes are included.

[close]

http://www.sleuthkit.org/autopsy

[SiLæncer]

Rifiuti2 analyse recycle bin files from Windows. Analysis of Windows recycle bin is usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion time, original path and size of deleted files and whether the deleted files have been moved out from the recycle bin since they are trashed.

BSD License

https://abelcheung.github.io/rifiuti2/

[SiLæncer]

Changelog

    Platform support:
    OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.
    Add Device:
    Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows.
    Android Logical:
    Fixed issue where during logical copy, some directories were not being included.
    Android Artifact:
    Removed misleading text indicated "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
    Photo artifacts were only looking at the "data\com.google.android.apps.photos\db\gph otos 0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advance viewing/search options.
    MMS extracted with OSFExtract will show recipients on the message.
    Android Copy:
    Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
    Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file. Which contains the addresses (recipients) for MMS threads.
    Auto triage:
    Added configuration options for logical image creation
    Moved deleted files report export to a separate thread to improve responsiveness
    Moved recent activity report export to a separate thread to improve responsiveness
    Disabled hashing of signature file list to improve responsiveness
    Boot Virtual Machine
    Added ability to boot an image as a VM from OSForensics.
    Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
    Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
    Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted were you left off
    Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
    Added 'Boot Virtual Machine' icon to Start page
    User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
    Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use with ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
    VMWare 14,15 and VirtualBox 6 are supported as hypervisors
    Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
    Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
    Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files are required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) is known to have a problem.
    There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
    A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
    Case Manager
    Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
    Defined new hash set flag level "major" for Project VIC
    Add info dialog when adding a Bitlocker-encrypted drive to Case
    Added new case item group for virtual machines
    Added case details tab for customizing category definitions
    Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
    Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
    Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
    Reporting, "Skip Empty" checkbox to do not include empty artifact categories in the generated reports.
    Add button for the Case Narrative (html) editor in the main Manage Case module.
    Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list
    When deleting a device that was the case default device the default device will now be set to the first device associated with the case or the C drive if there are no more devices.
    Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
    When removing categories, all case items belonging to category shall be unassigned
    Categories can now have optional "Notes" property
    Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
    When adding or editing case items, a new category can be entered in the Category dropdown
    Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.
    Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
    Removed all options other than 'Delete' when right-clicking multiple selected items
    Fixed possible crash when sorting Case Item name
    Added missing 'Raw Disk' exports to generated report
    Create Index / Browse Index
    New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
    Updated indexing engine, with lots of more minor changes for handling different file types & performance.
    Added ability to skip pre-scan when creating an index
    At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
    Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
    Fixed bug with substring searches applying within exact phrases
    Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
    Fixed Check/Uncheck all buttons not affecting new file type options
    Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
    Fixed bug with filenames not being indexed for PDF files and other plugin formats
    Improved error messages when failing to launch indexer
    Fixed "Failed to add folder" bug with Create Index -> Add folder
    Fixed bugs with handling multi-partition images
    Fixed bug with Index names ending with "." which caused various failures
    Fixed indexing unallocated clusters for entire disk images
    Create Signature:
    File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
    Compare Signature
    Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
    When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
    Added a new difference type of "Attributes Modified"
    Deleted Files / File Carving
    Hashing of files will only be performed for non-empty files (0 byte files are skipped).
    Improved responsiveness by not redrawing window if not visible
    Fixed a lockup that could occur
    Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
    Removed message dialog when no files are found
    Checkbox added to enable/disable extensions for file carving.
    Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
    Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes only at the beginning of the sector.
    Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
    Updated JPG file header definition to decrease number of false positive when carving.
    Added definition for SQLite files
    Added definition and extractors for Intel based Assembly Files (.asm)
    Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Lecia/Panasonic RAW Image) formats
    Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
    List view in Status Window showing total files found is now sortable.
    Fixed issue when "Applying Filter" was not returning (stuck in loop).
    Fixed issue with double counting files with simliar header pattern.
    Drive preparation
    Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
    Email Viewer:
    Fixed UI issues when minimizing and restoring windows
    ESEDB Viewer
    Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
    Columns can now be sorted by clicking on the column heading
    Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
    File Name Search:
    Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
    Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
    Change the module icon from "disk" to "binocular" to be consistent with the main menu.
    Config, fixed bug where hash sets were not populating in the drop down selection.
    Added right-click option to show only checkmarked files.
    Added ability to include additional folders and/or exclude folders from the File Name Search.
    When switching cases, any previous search result previously performed will be cleared.
    Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
    Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
    Started saving column ordering, visibility and size in OSF config file
    Fixed default title not being updated when adding multiple files to case
    File Previewer/Image viewer:
    Added support for single image HEIC files
    File System Browser:
    Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
    Fixed hidden scrollbar when minimizing/restoring the window
    Fixed vector Out of bounds crash
    Forensic Imaging:
    Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
    Forensic Copy:
    Added option to add individual files to the image list instead of just only folders.
    Improved performance of looking up duplicate paths by keeping track of hashes
    Fixed copy operation not aborting after pressing 'Stop'
    Changed source list view to owner draw for better performance
    Moved total file size calculation to a separate thread for better response
    Hash Set:
    Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
    Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
    Added support for importing V2.0 format VIC hash set.
    Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
    Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
    Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
    Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
    When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
    Made error message more descriptive on import failure. Fixed bug holding hast set open after failure to import that was preventing deletion.
    Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
    Added "Delete" option from Hash Set Viewer window (right click menu)
    Added confirmation message box when deleting a hash set
    Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
    Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
    Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
    Improved error message when failing to open .OSFHashSet file which is read only
    NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
    Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
    Changed "Look up Hash Set" dialog to not close window when user cancels look up.
    Install to USB:
    Added option to exclude password recovery dictionaries and rainbow tables from USB install
    Changed out of space error message to use MB instead of bytes
    Added option to include Hash Sets to be exported during install.
    Internal Viewer
    File Info, added text to indicate if the file does not exist at the location
    Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
    Added preservation of 'create' and 'access' times, when available
    Fixed contents of certain .rar files not being displayed (RAR5)
    CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
    Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
    Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.
    Hex View, will extract strings in file slack space if show slack is enabled.
    MemViewer:
    Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
    Raw Memory Dump, added progress bar and estimated time remaining.
    Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
    OSFDevMgr:
    Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
    Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
    Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
    Password Recovery:
    Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
    Made some changes so the registry reading code at this point so it is now thread safe and will work better with the auto triage.
    Started saving column ordering, visibility and size in OSF config file
    Changed LM/NT references from "(disabled)" to "(empty)"
    Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
    40-Bit Encryption, fix for parsing output of 40-bit file.
    Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
    Enabled debug logging for run_server.exe when OSF is ran in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
    Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
    Fixed bug where checked item count was not being reset if "Acquire password" was clicked again
    Prefetch Viewer:
    Added all available run times to results list and exports
    Raw disk viewer:
    Fixed incorrect GPT 'Partition name' in Data Decode window
    Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)
    Recent Activity – Renamed to User Activity
    User Activity:
    Addition of System Resource Usage Monitor (SRUM) database scanning, will display items from the Application Resource Usage, Network Usage, Network Connectivity and Push Notifications database tables.
    Made the user activity navigation pane with the Tree view resizable.
    Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
    P2P, Fixed crash when running on Ubuntu drive
    Changed "Show empty activity types" checkbox to default to on so empty types are displayed
    Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
    Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry
    No longer stopping the windows search service when the windows search optoin is selected for a live system scan
    Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
    Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DATSoftwareMicrosoftWindowsCurrentVersi onExplorerComDlg32LastVisitedPidlMRU and NTUSER.DATSoftwareMicrosoftWindowsCurrentVersi onExplorerComDlg32OpenSavePIDlMRU
    Added the other 7 run time stamps for Prefetch Files (for 8 total).
    Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
    Added Event Log Login Types description
    Added MRU Adobe Acrobat Reader DC Artifacts
    Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
    MRU, Fixed crash when parsing Window's XP Registry files for OpenSave and LastVisit MRU
    Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
    Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
    Added +/- expand collapse for artifacts that have subcategories.
    Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
    Fixed bug where the number of checked items links was not being shown in the File List Tab.
    Added VLC artifacts for Windows and OSX/Mac
    Added Windows Media Player Last played and folders artifacts
    Opera, fixed opera version being read incorrectly for new versions of opera
    Opera, fixed bug stopping opera password data being read correctly
    Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders
    Registry Viewer:
    Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).
    System Information:
    Removed "Get" from the Registry Commands.
    Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
    Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
    Added a quick search box to search the text of the current result tab.
    Added full name, description and password hint to “Get user information (Registry)” output
    Fix to process "Enter" key notification while using the Find Text Control.
    Thumbnail View:
    Items found in hash set are now entirely highlighted (not just text)
    Web Browser:
    Updated video download script to support recent changes at Youtube which broke video download feature.
    Misc:
    Consolidated Red/Green/Yellow bookmarks into single generic bookmark
    Renamed 'bookmarks' to 'tags'
    Added 'tag' icon to replace previous 'flag' icon
    Made some changes so OSF will start as the top most window (sometimes it would start in the background)
    Updated help file:
    Fixed bug with unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
    Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system where not reflected in File System Browser due to caching.
    Updated 7zip DLL
    Better reporting of SQL errors with hashset databases
    Fix for bug with scroll bars in Compare Signature and Browse Index
    New logging engine when using DEBUGMODE. Has more detail and has less overhead.
    Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    New Features:

    Initial logical imager feature
    Changed file type detection so that Tika does not rely only on extension.

    Communications:

    Emails are threaded
    Added Account Summary view
    Added Contacts panel to show all contacts associated with an account.
    Added Media panel to show media attachments associated with an account
    Added filter to show accounts if they involved with the most recent messages.
    Added ability to draw a box on a picture while tagging it.
    Improved speed of displaying results when a column was sorted.
    Portable cases can contain files marked as Interesting Items and be compressed.
    New “Text” viewer that consolidates previous Strings and “Indexed Text” viewers.
    New “Translation” panel with integrations for Google and Bing (credentials required)
    Added Willi Ballentin’s “Registry Hive Viewer” panel to the “Application” viewer.
    Improved HTML viewer to use style sheets and better layout.
    Added paging to all views for faster loading of large data sets.

[close]

http://www.sleuthkit.org/autopsy

[SiLæncer]

Changelog

    Create/Search Index
        Fixed file extension count at end of summary. Previously the count of files indexed, per file type, wasn't always accurate when files where found in container files, like ZIP and CHM files.
        Fixed crash bug in Create Index Log window stack corruption, when there was very long lines in the log.
        Fixed bug in "Search Index" stopping search prematurely, not returning the full set of search results for large datasets
    Create Signature
        Support for counting NTFS hard links for OSF devices using direct access. This avoids double counting of hard linked files.
    Deleted Files
        Apply Filter button will be enabled as long as MFT has been scanned even if Search was cancelled during carving (a warning message will be visible that results are incomplete).
    File viewer
        Fixed crash that could occur when rebuilding thumbnails (triggered by using an "Open file location" right click menu item in recent activity items)
    User Activity
        Rewrote export to CSV function to export data as seen in each item's list rather than trying to have each item match a preformatted output. The new CSV file will have a section for each item type with a heading row and will be separated with a blank line (eg MRU item headings, MRU items, blank line, USB item headings, usb items etc). This means a lot more data will now be exported to CSV.
        USB, Fixed parsing of Unknown USB device in registry
        USB, Added parsing of "Properties\\{83DA6326-97A6-4088-9453-A1923F573B29}" registry key to determine USB first installed, last connected, and removal times
        USB, Added parsing of Microsoft-Windows-Partition/Diagnostic.evtx event log for USB connection/disconnection events
        USB, Added parsing of archived setupapi.dev.xxxxxxxx_xxxxxx.log
        USB, Added scanning of SYSTEM\CurrentControlSet\Enum\SCSI for USB connected SCSI disks
        Added scanning for files in "Downloads" folder and scanning drive for "Zone.Identifier" alternate stream and reading the "ReferrerUrl" and "HostUrl" fields. This can help identify files that were downloaded but moved to a new folder.
        Shellbags, started processing some more item types to retrieve more information when available
        Shellbags, fixed a bug where the top level of the disk path wasn't being cleared correctly in some cases when recursively processing the ShellBagMRU leading to malformed disk path such as Desktop\A:\B\C:\ instead of Desktop\C:\
        Windows search, fixed a crash that could occur in some older versions of the windows.edb database
        Windows search, stopped directory entries from being filtered out automatically, will now be displayed in the "directory" sub type
    Misc
        Reduced program start-up time by deferring window initialization for each module to when they are first opened. OSF should launch around 3x quicker now.
        Fixed default drive not set properly on startup
        Fixed handling split image files, where the number of split file parts was > 1000 (.999 -> .1000 or .999 -> .A00). It really doesn't make sense to create split files with this many parts, but someone did it.

[close]

http://www.osforensics.com/

[SiLæncer]

Whats new:>>

    Create/Search Index
        Fixed error reporting when indexer run out of memory, max pages exceeded or max words exceeded.
    Misc
        Fixed a performance issue with direct access of hard drives / images from OSForensics. This was particularly apparent when looking up multiple results from a file search in a hash set or when creating a search index.

http://www.osforensics.com/

[SiLæncer]

Changelog

    Case Logging:

    Only the first 100 characters of the case narrative will be written to the case log entry.
    Fixed bug. If Case Logging is enabled and a new log text entry was greater than 65536 characters, it could lead to crash and/or corrupt the log file. If entry is larger than allowed, the log entry (not actual contents) will now be truncated to fit.

    Create/Search Index:

    Added feature to increase Create Index threads up to 20 maximum
    Changed default indexing threads to 4 (based on benchmark results)

    Deleted Files:

    File Carving bug fix, some non-threadsafe functions could cause a crash during file carving due to multiple threads running at the same time which has now been fixed.

    Registry Viewer:

    Fixed issue with RegViewer displaying incorrect data for "Big Data" entries (were data was over 16KB for a single key).

    User Activity:

    Added MuiCache to "Installed Programs" artifact list. NOTE: working for live acquisition only currently.
    Added new artifact type “Shim Cache”

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    NEW Clipboard Viewer
        Added clipboard viewer to view current, historical clipboard items (where available) and pinned items
    NEW AmCache Viewer
        Added AmCache viewer
    Auto triage
        Added option to collect clipboard contents
    Boot Virtual Machine
        Fixed unable to boot disk image located on network
        Added debug logging when querying mounted disks
    Case Manager
        Added export clipboard contents to report
        Partitions encrypted with Bitlocker now shows "Bitlocker" instead of "Empty"
    Create Index
        New indexer builds, fixed thread safety bugs with DOCX, PPTX, XLSX indexing with timing issues causing occasional "cannot open file" error on files when multiple threads are in use.
    Disk Image and Filesystem Support
        Added support for the Stream Optimized sub-format for VMDK images
        Fixed possible crash when accessing invalid cache entries for for Linux EXT drives
        Added detection of sector size when reading GPT header rather than using default 512 bytes. 4K native (4Kn) sector sizes should now be detected for disk images. This resolves an issue where partition were not being detected in some E01 images. Background info: Since about 2012 most hard drives use 4K physical sectors, but nearly universally implemented 512 byte enumlation (512e). There are a tiny number of enterprise drives that are native 4K however without emulation. OSF now supports this 4Kn format.
    Deleted Files
        Fixed Crash when OSF Terminates and the background Deleted Files cache thread is still processing items.
    Prefetch Viewer (Program Artifacts)
        Renamed Prefetch Viewer on Start page to Program Artifacts and changed icon.
    Registry Viewer
        Internal viewer should now handle large LI/RI Key Types. Should help open some registry files and display previously missing keys.
        Fixed crash when decrypting Windows Passwords (Key ClassName value was incorrect)
    User Activity
        Added clipboard item collection
        Shimcache, fixed issue with Shimcache not showing details under File List tab and also when exporting to CSV, HTML, TXT.
        Added MuiCache to "Installed Programs" artifact list for non-live acq (i.e. drive images).
        Installed Programs , added programs and drivers found in AmCache.hve. (Initial support AmCache format of Windows 10 V1607 and up).
        Added right-click option to open system event viewer for event records, fixed double-click/right-click options for other activity types
        Fixed bug in MRU recent items file paths
        Support adding files from Downloads, Jump List, Recycle Bin, Shim Cache to Case
        Updates for adding items to Case and for tagging items
        Added some extra error message details if a shadow copy of a locked system file fails

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    Boot VM:

    Added option to select disk controller. If "Auto" is selected, IDE is used for Windows XP and SATA otherwise. Should improve performance for non-XP images.

    Disk Image and Filesystem Support:

    Initial support for ISO images.

    ESEDB Viewer:

    Added detection of MAPI property hex in column header. If so, display the property identifier string
    Highlight known tables and display default columns for Win 10 Mail store.vol

    Memory Viewer:

    Added checkboxes to list of processes
    Added export of checked process details to CSV & case
    Added export of list of checked process to CSV & case
    Added link displaying number of checked processes
    Fixed task activity LED not clearing after dumping process memory
    Added right-click menu for checked items
    Export checked processes memory dump to disk & case
    Added right-click menu option to dump checked process memory into single file

    Mismatch Search:

    Fixed "Identified Type" column header displaying as "Location"

    Registry Viewer:

    Initial implementation of exporting SAM/SOFTWARE registry hive reports
    Initial implementation of exporting SYSTEM/NTUSER.dat registry hive reports

    Start Window:

    Fixed icon groups re-ordering when changing workflow

    User activity:

    CSV export of checked items. Behaviour now matches export to text/html where if the ALL items view is currently selected it will export all checked items, but when viewing a specific item type only checked items of that item type are exported.
    CSV export, fixed a bug preventing the recycle bin items from being exported correctly.
    Fixed an issue with the column sorting when sorting by integer value (eg filesize) for Recycle bin, event, jumplist and shim cache items.

    $UsnJrnl viewer:

    Changed to detection of MFT record size rather than using hardcoded 1024 bytes
    Added additional debug logging when scanning MFT records

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    General:

    Switch from Oracle JDK to OpenJDK.
    Full command line support (case creation, adding of data sources, running ingest, and generating reports).

    Logical Imager:

    Output can be individual files instead of VHD image (uses less space).
    More fine grained progress during collection and importing.
    Log of files and make artifacts.
    All console messages are saved to a log file too.
    Improved handling of cancellation when adding results into a case.

    Ingest Modules:

    Added Android support as Python modules for: Android installed apps, Android browser, Facebook Messenger, IMO, LINE, Opera, ORUX Maps, Samsung SBrowser, Skype, ShareIt, TextNow, Viber, WhatsApp, Xender, Zapya.
    Recycle Bin files are parsed in Recent Activity module, new artifacts are created, and deleted file entries are created at the original location of the deleted files. Code is based on Mark McKinnon’s RecycleBin module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Recycle_Bin).
    ShellBag registry data is extracted from RegRipper in the Recent Activity module. New artifacts are recreated for the data. Based on Mark McKinnon’s “Parse ShellBags” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_Shellbags).
    Additional data is extracted about users from SAM hive in Recent Activity module. Data includes password dates, permissions, groups, and full name. Based on Mark McKinnon’s “Parse SAM” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/Parse_SAM).
    Email ingest module parses EML files. Based on Mark McKinnon’s “EML Parser” module (https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser).
    Fixed bug in MBOX module that caused attachments to have a “_” in the name.
    New Plaso ingest module that runs Plaso and generates events for the timeline.
    Fixed bug in Email module for VCard files to better parse phone number types.
    Keyword Search module waits longer for Solr to start to prevent incorrectly reporting a problem and disabling the feature.
    Embedded file extractor module was updated to not report compression bombs for GZIP files.

    Timeline:

    New approach for storing event data. A dedicated events table exists and is populated as files and artifacts are added to the database. No longer requires an explicit step of populating a local events table.
    Users can create their own events from the Timeline UI.
    Filtering was simplified based or existence of tag or hash set hit versus a specific name.
    Communications:

    Fixed bug that hid contact book entries with duplicate numbers.

    Image Gallery:

    Fixed bug in schema that caused errors with very long file names.

    Report:

    CASE report is included in a portable case.
    Image tags are included in portable case.
    More size options for a packaged portable case.
    New Infrastructure to support command line-based generation.

    Backend:

    Developers should use new new Blackboard.postArtifact() method to ensure artifact is indexed and added to the timeline.
    New classes were created to make it easier to write modules for apps.

[close]

http://www.sleuthkit.org/autopsy

[SiLæncer]

Changelog

    NEW Event Log Viewer:

    New viewer to display windows event log files. Open logs in E01 images, filter logs, add log entries to the case, etc..

    Android Logical Copy:

    At completion, log will show the count of files copied by file extension.

    Case Manager:

    Fixed empty partitions being displayed in drop down list when adding physical drives to case
    Minor fix for BitLocker encrypted volume detection

    Clipboard viewer:

    Added some checks when ComBase.dll functions are being called that they exist to prevent a possible crash in Win7 when attempting to collect extended clipboard data

    Create/Search Index:

    New indexer build that adds XFS file system support
    Updated indexer fixed bug with search results from email attachments of ZIP files appearing under the Files tab instead of

    Email attachments:

    Added 'Export Search Results to CSV' feature on the 'History' tab, which allows user to export results from multiple search queries and multiple indexes at once.

    Debug mode - (Start Window):

    Added 'Restart OSF in Debug Mode' icon under 'Housekeeping' to restart OSF with 'DEBUGMODE' parameter set

    ESEDB Viewer:

    Updated libesedb library to libesedb-20181229
    Fixed major performance issue with very large ESEDB files (4GB+). Achieved roughly 40x speed improvement. Previously large files would be so slow to process that User Activity module looked like it had locked up. This should resolve this issue

    File system support:

    Added support for Linux XFS file system

    Logical Imaging:

    Fixed bug where root paths added from "Other Available Devices" were not being copied.

    Registry Viewer:

    Added right-click menu for exporting report to disk/case

    User activity:

    Added a new option in the config "Moved Downloads (Slow)" to control weather the drive is scanned for downloads that have been moved (Zone.Identifier streams), this is now off by default as it can be a slow process
    Replaced Jetblue API use with ESEDB library (libesedb) use when getting EDGE/IE10 history
    Added some more status messages for registry and browser processes
    Fixed sorting of columns for SRUM DB information

    Misc:

    Physical drive scanning for partitions at startup was updated so that OSF startup speed should be quicker and use less RAM.
    Fixed a bug in the disk partition detection code, it was not thread safe when running in debug mode, which could result in a rare crash at startup
    Help file updates

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

Create / Search Index:

Fixed bug with Custom limit for Max File Size and Max Pages not applying when creating an index
Added ability to "Display Search Results" for multiple selected items in the "History" tab
Added "Path hash" column for "Export Search Results to CSV" to locate files that have been added to case (and stored in the "Files" folder)

Disk Imaging:

Read/Write/Hash threads now use their own I/O buffers to prevent memory access errors when a disk timeout occurs. This typically only happens when disk has a hardware fault. But it could result in a crash when it does happen.

ESEDB Viewer:

Fixed possible crash when loading a table in the ESEDB viewer

Event Log Viewer:

Reorganized elements in the main dialog and top menu.
Updated filter options in the Advanced Filter.
Added tree-view right-click menu.
Added Presets combo box for quick filtering. The user can also add their own preset filters by editing the test file, ProgramDataPassMarkOSForensicsEventLogPresets.txt
Updated list-view item selection to allow multiple item selection using mouse drag and right click menu Toggle Check to select them.

Internal viewer:

Metadata, Improved UI responsiveness by launching metadata collection process in a seperate thread.
Fixed bug in loading NTFS alternate streams when there is no file list

Raw disk viewer:

Added file system scanning for Linux XFS disks. XFS files, directories, and internal structures should be identified and highlighted.
Fixed bug in partition size for XFS disks

User Activity:

Allowed tagging of activity items that are not file paths (eg. registry keys, URLs, DB records, etc.)
Added an option in the list-view right-click menu for Event Log to allow users to open Event Log Viewer and locate the selected event.
Added 'Flags' column to identify 'tagged' items
Fixed Ctrl+T shortcut not working
Fixed memory allocation error due to invalid jump list entries
Fixed Web Browser tab not being highlighted when opening URL
Improved options to export to CSV and copy to clipboard from SRUM Database entries

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    Android Logical Copy:

    Fixed possible crash due to corrupted stack

    Event Log Viewer:

    Added Scan Folder button, this allow multiple event logs to be added to the viewer even when the event logs are found in a non-standard folder
    Added ability to add and delete multiple drives and folders in tree-view. Previously only files from one drive at a time could be added.
    Changed presets filtering configuration file, allowing more complicated filter conditions. Also added some additional preset fitlers
    Added a must "Not Contain" option to the event log filter conditions.

    User Activity:

    Results can now be sorted by tagged state by clicking on the "Flags" column
    Fixed crash when sorting by column that we accidentally introduced in last patch, opps.
    Added filtering of results by "Flags"
    USB, Opening USB device entries obtained from setupapi.dev.log or event log now opens the correct viewer
    WLN, Opening WLAN entries obtained from .xml file now opens the correct viewer
    Fixed right-click menu for USB/WLAN activity
    Fixed a crash that could occur if a scanned ESEDB database was corrupt. Seems to be rare as we have only

[close]

http://www.osforensics.com/

[SiLæncer]

Changelog

    Create Index/Search Index
        Fixed bugs with indexing and searching large indexes containing more than 2million unique words. Also improved error reporting.
        Indexer now reports number of threads in log
        Added debug mode for OSFIndexer
    File System Browser
        Fixed jumping to disk offset when selected disk in raw disk viewer does not match
    Logical Imaging
        Fixed copying sparse files, were not being set as sparse on destination (if filesystem supports it)
    Raw disk viewer
        Support for jumping to XFS inode record
        Support for jumping to ext[2|3|4] inode record
        Added file system scanning for APFS disks. APFS files should be identified and highlighted.
        Added jump to APFS file offset
    SQLite Viewer
        Fixed "begins with" and "end with" query strings generating reversed queries
    Start Window
        Added "Check for Updates" icon under "Help and Information" for checking the most up-to-date OSF version
    User Activity
        Warn user if contents copied to clipboard exceeded limit and will be truncated.
    Misc
        Fixed disk dropdown box incorrectly display "Unknown/Empty partition" for all case devices

[close]

http://www.osforensics.com/