Video tutorial & screenshots
OSForensics is a program that allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data. The program lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.
What's new in version 2.2
- Added support for creating a self booting USB solution from the "Install to USB" section, this is a new tool called "WinPE builder" that can be launched after the "Install to USB" process.
What's new in version 2.0
-Fixed Forensic File Copy not copying folder 8.3 short names.
-Made change to handle setting 8.3 short file names on files that have a read-only flag.
-Added fractions of seconds to internal viewer file properties output.
-Recent Activity - Now also searches registry location for typed IE URLs.
-Changed the dialog title to reflect that a command is being edited rather than a new command.
-Fixed a bug where if the first entry in the list was editable then it wasn't loading correctly and defaulting to the new command dialog.
-Fixed a bug where if the list management dialog was closed using the X button rather than OK the current command window display was not being updated to reflect any changes.
-Added new system information functions (Get User Info, Get Timezone, Get computer name, Get network info) that can query the registry for information, these functions can be used on the local system as well as disk images and other system drives.
-Navigation Bar - Added 'Registry Viewer' button.
-Start Page - Dialog for selecting registry file now closes when the Registry Viewer is opened.
-Correct icon is now displayed for Find/Goto windows.
-All search types now selected by default in Find window.
-and keys now work properly for Find/Goto windows.
-Cancel button now works properly for Find/Goto windows.
-Find/Goto windows stay open after search.
-Added splitter bar and fixed resizing issues.
-Added shortcut keys for searching (Ctrl F, F3, Ctrl G).
-Find/Find next now traverses the tree in order according to currently selected entry.
-Added support for opening multiple registry files in one viewer.
-Added icons for tree view.
-Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t instead of BSTR.
-Changed header fields to Edit controls to fix redraw issues when resizing.
-Improved parsing of Data/Time strings.
-Added Ctrl C (copy hex) and Ctrl A (select all) keyboard shortcuts.
-Fixed crash carving data.
-Changed string extraction so that it no longer separates URL strings into components (eg. 'http', 'www'), this was preventing the URL filter be useful.
-Changed behaviour when recovering Firefox passwords so that is a firefox install isn't found on the drive being scanned OSForensics will also check for a FireFox install on the system drive.
-If a FireFox location is not found an error message is now displayed.,
-Added warning to password recovery and system information functions when running on a live system and the permissions of the SAM registry files need to be changed.
What's new in version 1.2
Fixed indexing for drive root.
Fixed bug causing certain case items to not load correctly.
Fixed bug where NTFS file data reads were not sector aligned.
Fixed error loading DirectIo Driver.
Added warning message that search reuslts are limited to 1,000,000
Added cancel button to stop drive scanning in the raw disk viewer
Added ability to jump to disk offset of deleted files in the deleted files search
The device name is now displayed for deleted ext2 files in the deleted files search
Fixed artifact issue when panning images in the internal file viewer
Fixed cancel functionality for FAT/ext2 in the deleted files search
Fixed a bug where if there were no hash databases then the "New DB" button was disabled at startup and no new databases could be created
Fixed a bug preventing the recent activity scan from searching the root directory of a drive
Fixed a crash when retrieving MFT values
File carving of physical disks bug fixes
Image restore now allows image files that are smaller than the disk size.
Added support for FAT12 file system.
Fixed a bug when recoving file when carving via partition number.
Changed create index progress bar to not complete when indexing was manually cancelled.
Added new "Max results" option to search index options.
Added "Display search results" and "Display search results & add to case" right click options for the history tab of search index.
Significantly reduced memory usage of open cases with a large number of items.
What's new in version 1.0
Fixed XP compatibility issue caused by missing SHGetStockIconInfo function in SHELL32.dll
Fixed crash bug when opening the live registry or creating volume drive images via shadowcopy on Vista
Added support for multiple instances of registry viewer
Added "Export to text" function to registry viewer
Added "Save to case" right click menu option for keys and values in registry viewer
Added "Search" menu for registry viewer
Fixed a bug where REG_QWORD types were not being converted for display correctly
Fixed bug where registry viewer right click menu could be displayed when not clicking on the value list
What's new in version 0.9
- Moved beta expiry to 15th of October
- Fixed crash in sig creation when creating hashes and first file hashed is 0 length.
- Fixed potential infinite loop in sig creation when creating hashes.
- Fixed possible buffer overflow issue in signature creation when trying to hash a file that is inaccessible.
- Added ability to change color of bookmarks in case management window.
- Added file name search presets for video and audio files.
- Fixed a crash when comparing signatures that had extermely long registry key paths.
- Fixed a index search crash relating to certain exact phrase searches.
- Several fixes and improvements to Rainbow Table generation and recovery.
- Rainbow Table changes have rendered any previously generated tables unusable. Tables will have to be re-generated.
- Fixed problems with not extracting From: and To: for some emails during indexing.
- Added button to minimise/maximise navigation buttons to make low resolution use easier.
- Added right click menu to navigation bar to make the buttons thinner.
- Can now use the raw disk viewer on unpartitioned or corrupted drive images.
- Added a second check for locked chrome database.
- Added a way of remembering the copy on locked choice so user doesn't have to sit though multiple dialogs.
- Renamed "Get Network drive Info" to "Get Network Info".
- Added Edit option to command list management to edit customised (not default) commands.
- Internal viewer can now view office documents and pdf files.
- Fixed keyboard shortcuts in email list of index search.
- Fixed a thumbnail bug in index search lists.
- Fixed a bug where bookmarks would not be removed from case management window when they were removed elsewhere in OSF.
- Fixed a bug preventing the creation of a new case.
- New file bookmarking functionality.
- Can now see which files have already been viewed for a particular case.
- Can now brute force passwords using random passwords and specify the randok pattern.
- Can get Chrome and Firefox password even if the browsers are still open.
- Updated a few of the password dictionaries.
- Updated indexer executable with some minor bug fixes. Most noteably fixed a crash that occured indexing emails on Windows XP.
- Fixed a bug preventing overwriting USB installs with more recent versions of OSF
Leave a comment