Version history for OSForensics

Changes for v7.0.1000 - v7.0.1005

  • Boot VM
  • Added option to select disk controller. If "Auto" is selected, IDE is used for Windows XP and SATA otherwise. Should improve performance for non-XP images.
  • Disk Image and Filesystem Support
  • Initial support for ISO images.
  • ESEDB Viewer
  • Added detection of MAPI property hex in column header. If so, display the property identifier string
  • Highlight known tables and display default columns for Win 10 Mail store.vol
  • Memory Viewer
  • Added checkboxes to list of processes
  • Added export of checked process details to CSV & case
  • Added export of list of checked process to CSV & case
  • Added link displaying number of checked processes
  • Fixed task activity LED not clearing after dumping process memory
  • Added right-click menu for checked items
  • Export checked processes memory dump to disk & case
  • Added right-click menu option to dump checked process memory into single file
  • Mismatch Search
  • Fixed "Identified Type" column header displaying as "Location"
  • Registry Viewer
  • Initial implementation of exporting SAM/SOFTWARE registry hive reports
  • Initial implementation of exporting SYSTEM/NTUSER.dat registry hive reports
  • Start Window
  • Fixed icon groups re-ordering when changing workflow
  • User activity
  • CSV export of checked items. Behaviour now matches export to text/html where if the ALL items view is currently selected it will export all checked items, but when viewing a specific item type only checked items of that item type are exported.
  • CSV export, fixed a bug preventing the recycle bin items from being exported correctly.
  • Fixed an issue with the column sorting when sorting by integer value (eg filesize) for Recycle bin, event, jumplist and shim cache items.
  • $UsnJrnl viewer
  • Changed to detection of MFT record size rather than using hardcoded 1024 bytes
  • Added additional debug logging when scanning MFT records



Changes for v6.1.1005 - v7.0.1000

  • Platform support
  • OSF will no longer run on Windows XP systems (but disk images from XP machines can still be investigated). If support for installing the software on an XP system is required, then V6 will need to be used.
  • Add Device
  • Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case
  • Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows.
  • Android Logical
  • Fixed issue where during logical copy, some directories were not being included.
  • Android Artifact
  • Removed misleading text indicating "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
  • Photo artifacts were previously only read from "data\\com.google.android.apps.photos\\db\\gphotos0.db" (specified in Help File), but a quick scan for known image file extensions is now also done. Added notification to user to use the File Name Search module for more advanced viewing/search options.
  • MMS extracted with OSFExtract will show recipients on the message.
  • Android Copy
  • Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
  • Updated OSFExtract to V1.0.1003. Change: App will transfer the "canonical_address" table from the mmssms.db database file, which contains the addresses (recipients) for MMS threads.
  • Auto triage
  • Added configuration options for logical image creation
  • Moved deleted files report export to a separate thread to improve responsiveness
  • Moved recent activity report export to a separate thread to improve responsiveness
  • Disabled hashing of signature file list to improve responsiveness
  • Boot Virtual Machine
  • Added ability to boot an image as a VM from OSForensics.
  • Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
  • Image format support includes E01, Raw, Split images, VMDK, VHD, etc.
  • Write cache files are now used in mounting when 'Restore existing disk state' is checked, so the VM can be restarted where you left off
  • Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
  • Added 'Boot Virtual Machine' icon to Start page
  • User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
  • Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file (normally it is impossible to boot just a bare partition). This includes images that use ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
  • VMWare 14,15 and VirtualBox 6 are supported as hypervisors
  • Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
  • Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
  • Added option to bypass Windows login by patching a Windows system file and setting the automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user, so any files encrypted with EFS are not decrypted. As patching of system files is required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) are known to have a problem.
  • There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
  • A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
  • Case Manager
  • Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
  • Defined new hash set flag level "major" for Project VIC
  • Add info dialog when adding a Bitlocker-encrypted drive to Case
  • Added new case item group for virtual machines
  • Added case details tab for customizing category definitions
  • Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
  • Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
  • Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
  • Reporting, added "Skip Empty" checkbox to exclude empty artifact categories from the generated reports.
  • Add button for the Case Narrative (html) editor in the main Manage Case module.
  • Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list
  • When deleting a device that was the case default device the default device will now be set to the first device associated with the case or the C drive if there are no more devices.
  • Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
  • When removing categories, all case items belonging to category shall be unassigned
  • Categories can now have optional "Notes" property
  • Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
  • When adding or editing case items, a new category can be entered in the Category dropdown
  • Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.
  • Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
  • Removed all options other than 'Delete' when right-clicking multiple selected items
  • Fixed possible crash when sorting Case Item name
  • Added missing 'Raw Disk' exports to generated report
  • Create Index / Browse Index
  • New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
  • Updated indexing engine, with lots more minor changes for handling different file types & performance.
  • Added ability to skip pre-scan when creating an index
  • At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
  • Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
  • Fixed bug with substring searches applying within exact phrases
  • Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
  • Fixed Check/Uncheck all buttons not affecting new file type options
  • Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
  • Fixed bug with filenames not being indexed for PDF files and other plugin formats
  • Improved error messages when failing to launch indexer
  • Fixed "Failed to add folder" bug with Create Index -> Add folder
  • Fixed bugs with handling multi-partition images
  • Fixed bug with Index names ending with "." which caused various failures
  • Fixed indexing unallocated clusters for entire disk images
  • Create Signature
  • File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
  • Compare Signature
  • Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
  • When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
  • Added a new difference type of "Attributes Modified"
  • Deleted Files / File Carving
  • Hashing of files will only be performed for non-empty files (0 byte files are skipped).
  • Improved responsiveness by not redrawing window if not visible
  • Fixed a lockup that could occur
  • Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
  • Removed message dialog when no files are found
  • Checkbox added to enable/disable extensions for file carving.
  • Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
  • Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes at the beginning of the sector.
  • Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
  • Updated JPG file header definition to decrease number of false positive when carving.
  • Added definition for SQLite files
  • Added definition and extractors for Intel based Assembly Files (.asm)
  • Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Leica/Panasonic RAW Image) formats
  • Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
  • List view in Status Window showing total files found is now sortable.
  • Fixed issue when "Applying Filter" was not returning (stuck in loop).
  • Fixed issue with double counting files with similar header pattern.
  • Drive preparation
  • Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
  • Email Viewer
  • Fixed UI issues when minimizing and restoring windows
  • ESEDB Viewer
  • Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
  • Columns can now be sorted by clicking on the column heading
  • Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
  • File Name Search
  • Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
  • Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
  • Change the module icon from "disk" to "binocular" to be consistent with the main menu.
  • Config, fixed bug where hash sets were not populating in the drop down selection.
  • Added right-click option to show only checkmarked files.
  • Added ability to include additional folders and/or exclude folders from the File Name Search.
  • When switching cases, any previous search result previously performed will be cleared.
  • Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
  • Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
  • Started saving column ordering, visibility and size in OSF config file
  • Fixed default title not being updated when adding multiple files to case
  • File Previewer/Image viewer
  • Added support for single image HEIC files
  • File System Browser
  • Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
  • Fixed hidden scrollbar when minimizing/restoring the window
  • Fixed vector Out of bounds crash
  • Forensic Imaging
  • Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
  • Forensic Copy
  • Added option to add individual files to the image list instead of just only folders.
  • Improved performance of looking up duplicate paths by keeping track of hashes
  • Fixed copy operation not aborting after pressing 'Stop'
  • Changed source list view to owner draw for better performance
  • Moved total file size calculation to a separate thread for better response
  • Hash Set
  • Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
  • Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
  • Added support for importing V2.0 format VIC hash set.
  • Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
  • Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
  • Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
  • Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
  • When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
  • Made error message more descriptive on import failure. Fixed bug holding hash set open after failure to import that was preventing deletion.
  • Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
  • Added "Delete" option from Hash Set Viewer window (right click menu)
  • Added confirmation message box when deleting a hash set
  • Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
  • Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
  • Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
  • Improved error message when failing to open .OSFHashSet file which is read only
  • NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
  • Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
  • Changed "Look up Hash Set" dialog to not close window when user cancels look up.
  • Install to USB
  • Added option to exclude password recovery dictionaries and rainbow tables from USB install
  • Changed out of space error message to use MB instead of bytes
  • Added option to include Hash Sets to be exported during install.
  • Internal Viewer
  • File Info, added text to indicate if the file does not exist at the location
  • Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
  • Added preservation of 'create' and 'access' times, when available
  • Fixed contents of certain .rar files not being displayed (RAR5)
  • CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
  • Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
  • Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.
  • Hex View, will extract strings in file slack space if show slack is enabled.
  • MemViewer
  • Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
  • Raw Memory Dump, added progress bar and estimated time remaining.
  • Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
  • OSFDevMgr
  • Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
  • Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
  • Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
  • Password Recovery
  • Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
  • Made some changes to the registry reading code so it is now thread safe and will work better with the auto triage.
  • Started saving column ordering, visibility and size in OSF config file
  • Changed LM/NT references from "(disabled)" to "(empty)"
  • Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
  • 40-Bit Encryption, fix for parsing output of 40-bit file.
  • Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
  • Enabled debug logging for run_server.exe when OSF is run in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
  • Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
  • Fixed bug where checked item count was not being reset if "Acquire password" was clicked again
  • Prefetch Viewer
  • Added all available run times to results list and exports
  • Raw disk viewer
  • Fixed incorrect GPT 'Partition name' in Data Decode window
  • Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)
  • Recent Activity – Renamed to User Activity
  • User Activity
  • Addition of System Resource Usage Monitor (SRUM) database scanning, will display items from the Application Resource Usage, Network Usage, Network Connectivity and Push Notifications database tables.
  • Made the user activity navigation pane with the Tree view resizable.
  • Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
  • P2P, Fixed crash when running on Ubuntu drive
  • Changed "Show empty activity types" checkbox to default to on so empty types are displayed
  • Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
  • Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry
  • No longer stopping the windows search service when the windows search option is selected for a live system scan
  • Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
  • Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
  • Added the other 7 run time stamps for Prefetch Files (for 8 total).
  • Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
  • Added Event Log Login Types description
  • Added MRU Adobe Acrobat Reader DC Artifacts
  • Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
  • MRU, Fixed crash when parsing Windows XP Registry files for OpenSave and LastVisit MRU
  • Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
  • Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
  • Added +/- expand collapse for artifacts that have subcategories.
  • Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
  • Fixed bug where the number of checked items links was not being shown in the File List Tab.
  • Added VLC artifacts for Windows and OSX/Mac
  • Added Windows Media Player Last played and folders artifacts
  • Added Mapped Network Locations from HKCU\Network
  • Opera, fixed opera version being read incorrectly for new versions of opera
  • Opera, fixed bug stopping opera password data being read correctly
  • Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders
  • Registry Viewer
  • Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).
  • System Information
  • Removed "Get" from the Registry Commands.
  • Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
  • Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
  • Added a quick search box to search the text of the current result tab.
  • Added full name, description and password hint to “Get user information (Registry)” output
  • Fix to process "Enter" key notification while using the Find Text Control.
  • Thumbnail View
  • Items found in hash set are now entirely highlighted (not just text)
  • Web Browser
  • Updated video download script to support recent changes at Youtube which broke video download feature.
  • Misc
  • Consolidated Red/Green/Yellow bookmarks into single generic bookmark
  • Renamed 'bookmarks' to 'tags'
  • Added 'tag' icon to replace previous 'flag' icon
  • Made some changes so OSF will start as the top most window (sometimes it would start in the background)
  • Updated help file
  • Fixed bug with unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
  • Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system were not reflected in File System Browser due to caching.
  • Updated 7zip DLL
  • Better reporting of SQL errors with hashset databases
  • Fix for bug with scroll bars in Compare Signature and Browse Index
  • New logging engine when using DEBUGMODE. Has more detail and has less overhead.
  • Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)



Changes for v6.1.1004 - v6.1.1005

  • Android Artifacts
  • Fixed bug with incorrectly listing call type (e.g. Incoming, Missed, etc.)
  • Combined/Cleaned up contacts list. Contacts with same RawContactId are combined into a single listing (previously there was one entry per email, per phone, etc)
  • Updated OSFExtract Android App to V1.0.1002
  • File Name Search
  • Fixed a crash that could occur during a search if none of the file details columns were enabled
  • Misc
  • Added some sanity checks to the customised column config file save/reload to prevent situations where all the columns are hidden
  • Updated help file for Android Artifact and OSFExtract Android App



Changes for v6.1.1003 - v6.1.1004

  • Android Artifacts
  • Fixed possible crash when scrolling through messages. Message scrolling in general should be smoother.
  • Internal changes in preparation for collecting pictures from MMS Messages, data from call log and contacts.
  • Auto Triage
  • Made auto triage tooltips a bit smaller to better fit buttons on dialog
  • Create index
  • Fixed bug for Create Index Status GUI (unable to click "Save configuration" button) with high DPI setting
  • Fixed support for Win10 Bitlocker encryption
  • Raw disk viewer
  • Fixed default case drive not being displayed after switching cases
  • Misc
  • Fixed bug where "Entry Point Not Found : The procedure entry point CancelSynchronousIo could not be located in the dynamic link library KERNEL32.dll" could be displayed on old versions of Windows (pre Vista)



Changes for v6.0.1000 - v6.0.1001

  • Build 1001 was made shortly after build 1000 to fix a day 1 indexing bug



Changes for v5.2.1007 - v6.0.1000

  • Case Management
  • Added "Export case" feature
  • Added a list of reports that have been generated (in case directory or last known export directory)
  • When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
  • Changed list view to allow groups (devices, reports, files etc) to be collapsible
  • Added last access date to case management when case is loaded
  • Fixed error copying files with long file paths when a report was created and the report contained deep / long paths.
  • Fixed a bug when creating a case report that was leaving a file handle open
  • Added support for encrypting PDF report
  • Added predefined offenses list to 'Offense' drop down list when creating/editing case
  • Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
  • Case Details Dialog, will prompt user to confirm cancelling changes when they have edited case details fields and click cancel.
  • Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
  • Re-added "E-mail Delivery Time" to report and the associated timezone
  • Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
  • Report production progress window was added to show some progress activity when very large reports are produced.
  • New Command Line Parameter to load a specific case (-C ), if path does not exist or CaseDetails.OSFCase file cannot be found, OSF will default to loading the last case used.
  • Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links were broken when a report was produced.
  • Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
  • Fixed special characters not being escaped when generating reports
  • Create index
  • New indexing engine (Zoom V8 with multi-threaded offline indexing)
  • Much better indexing performance (3x speed increase)
  • Updated Create Index interface with new file type selections
  • New "Memory optimization / Indexing Limits" step to bypass Pre-scan
  • Added support for user configurable number of indexing threads (up to 10)
  • Added options to enable RAM drive for temporary files
  • Improved RAM estimations and Indexing Limits settings
  • Improved indexing Status interface
  • Updated OSF interface to show multi-threaded indexing
  • Updated OSF Create Index options to offer more control with file type selection
  • Removed unnecessary indexing warnings
  • Added count display for Prescan
  • Added thousands grouping for large numbers shown in Create Index windows
  • Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
  • Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
  • Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
  • Fixed a bug with indexing the complete content of emails in PST files that were text-only emails.
  • OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.
  • •Deleted Files
  • ◦Column ordering, visibility and size now saved in OSForensics config file
  • ◦Configuration options now saved in OSForensics config file
  • ◦Fixed a crash caused by logging a magic number incorrectly when getting deleted files
  • ◦Fixed uncaught exception error when loading MFT for some OSF devices
  • ◦Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
  • ◦Added check for buffer overrun when looking for slack $I30 entries
  • ◦Errors when parsing non-resident attributes of deleted MFT records no longer cause the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
  • ◦Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
  • ◦File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
  • ◦File Carver, TIFF/CR2 extraction should be better.
  • •Disk Imaging
  • ◦Added extra check if the first read fails when verifying the image created.
  • ◦Previously, if the disk did not contain a valid MBR, it would not show up in the list (as it would have no partitions), but the disk might instead have a file system boot sector. These disks are now correctly shown.
  • ◦There is now the option to specify primary and/or secondary hash functions when imaging a disk, so the user can select SHA1 instead of just MD5, or calculate two hashes at the same time.
  • •Disk Preparation
  • ◦Can now wipe BitLocked drives. Previously these drives appeared to be locked and could not be formatted.
  • ◦In case of a physical drive failure, additional error codes have been added to the status window
  • •Disk Test
  • ◦Fixed issue with formatting as FAT32 on small drives.
  • ◦Fixed Crash when formatting as FAT32 fails.
  • •E-mail Viewer
  • ◦E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
  • ◦Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
  • ◦Fixed bug where case item title set to '' when selecting 'Use same details for all'
  • •File System Browser
  • ◦Added right-click menu option to jump to MFT record in the raw disk viewer
  • ◦Fixed stack overflow when attempting to add device to case
  • •File Name Search
  • ◦Added an "Uncheck all" menu item to uncheck currently selected items
  • ◦Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
  • ◦Column ordering, visibility and size now saved in OSForensics config file
  • ◦Removed folders from results when filtering using hash set
  • ◦When filtering using hash set, fixed bug with current file being added to results after cancelling search
  • ◦'In hash set' flag is now set for results when hash set is used and made active
  • ◦Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
  • ◦Re-arranged configuration dialog
  • •Forensic Imaging
  • ◦Re-arranged tabs
  • ◦Create Image, for physical disks, disk model and serial number are now saved in the info file
  • ◦Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
  • ◦Device & SMART Info, Added support for export and adding report to case
  • ◦Device/SMART Info, added mouseover tooltip descriptions for SMART attributes
  • •Forensics Copy
  • ◦Moved allocation of virtual disk image to thread to prevent system from being unresponsive
  • •Hash Set
  • ◦Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
  • ◦Fixed deleted hash set databases appearing in the file name search config drop down box
  • ◦Re-organised buttons in main window
  • ◦Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
  • ◦Added default database name when importing VIC data set
  • ◦Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
  • ◦Fixed hash set operation LED still "active" when there's an error
  • ◦Fixed number display and file size formatting to be more readable for large import files (> 4GB)
  • ◦When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)
  • •Hash set lookup
  • ◦Added right click menu option to open files in internal viewer
  • ◦Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
  • ◦When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
  • ◦When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.
  • •Install and run from USB
  • ◦Added help Link
  • ◦Added separate "temp build" directory field when using WinPEBuilder.
  • ◦Updated WinPE builder to deal with new latest WinPE10 changes
  • •Internal File Viewer
  • ◦EFS Support (encrypted file system). When an EFS file is now opened in the file viewer, a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
  • ◦Hex View, added right-click option to add selected strings to case (as HTML file)
  • ◦Fixed potential mem leak when generating video thumbnails
  • ◦Fixed potential concurrency issues when loading videos
  • ◦Added OCR view (Win10 only)
  • •Memory viewer
  • ◦Column ordering, visibility and size now saved in OSForensics config file
  • ◦Added button to add memory dump to case
  • ◦Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
  • ◦Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.
  • •Mismatch File Search
  • ◦Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV
  • •NSRL Hash Import
  • ◦Import 9x faster. While importing repeated file hashes, checks for duplicates are no longer being done using a lookup on a non-indexed database (very slow). Checks are now done by comparing the product code between two consecutive lines in the input file.
  • ◦Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
  • ◦New NSRL import config window to specify input and (temp) output folders
  • ◦Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
  • ◦Updated help file with info about allocating enough space on a RAM drive.
  • ◦Status now displays percentage counter during file importing
  • •Password Recovery
  • ◦Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
  • ◦Column ordering, visibility and size now saved in OSForensics config file
  • ◦Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as Firefox has started distributing as 64bit).
  • ◦Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
  • ◦Registry Passwords, added support for win10 anniversary update for live system in Forensics mode
  • ◦Removed a "File not found" error when running the windows password search on a non system drive
  • •Prefetch Viewer
  • ◦Added right-click option to export selected items to CSV
  • •Rainbow Tables
  • ◦Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being passed to the format string when secure case logger was enabled
  • •Raw Disk Viewer
  • ◦Added progress window when carving to file
  • ◦Renamed 'Decode' window to 'Disk Info'
  • ◦Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
  • ◦Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
  • ◦Clicking on file paths now open the internal viewer
  • ◦Clicking on LCN/offsets now jump to the offset in the raw disk viewer
  • ◦Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
  • ◦Fixed crash issue when sector size could not be determined
  • ◦Fixed right-click "Jump to offset" not working some of the time
  • ◦Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.
  • •Recent Activity
  • ◦Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
  • ◦"Show empty activity types" checkbox now defaults to on so empty types are displayed
  • ◦Results are now sorted by Date (desc order) by default
  • ◦Fixed possible crash when reading jumplist info
  • ◦Added function to collect new Win10 Timeline database for artifacts
  • ◦Added more displayed information for windows event items.
  • •Registry Viewer
  • ◦Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
  • ◦Fixed a possible crash when processing a registry file
  • •SQLite Browser
  • ◦Now checks for Skype SQLite database files during "Scan for DB Files".
  • ◦Resizeable Dialog/Controls
  • ◦Option (enabled by default) to convert known timestamps to readable format
  • ◦Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
  • ◦Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive
  • •System Information
  • ◦A new tab is now created for every new system information command
  • ◦Added option to restore command lists back to default
  • ◦Added "Recovery of Bitlocker Keys" to command list
  • ◦Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
  • ◦Added support for Embedded Python 3.6.5
  • ◦Removed the "Get" from the start of some item names.
  • ◦Changed button text from 'Add...' to 'New...' when adding new commands
  • ◦Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
  • ◦Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
  • ◦Re-organized controls
  • ◦Added command to get current clipboard contents
  • ◦Added command to get anti malware (windows defender) software status
  • ◦Added command to get current TPM status
  • ◦Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
  • ◦Fixed crash possible with getting printer info when system returns bad information.
  • •Triage Wizard (now renamed to Auto-Triage)
  • ◦Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wasn't ready for you.
  • ◦Added option to create logical image with known system files
  • ◦Added agent help text when mouse is hovering over a control
  • ◦Added a free disk space check (for at least 1GB + memory size if memory dump selected)
  • ◦Fixed an unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
  • ◦Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
  • ◦Fixed a crash caused by trial limitations when running the triage wizard
  • •Web Browser
  • ◦Added status bar to browser.
  • ◦Can now select export format as Web Archive Format (.mht) when exporting webpage.
  • ◦Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
  • ◦There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
  • ◦Added a progress indicator for downloading large files.
  • •Misc
  • ◦Added colour coding of encrypted files displayed in a file list
  • ◦Added exit confirmation message
  • ◦Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
  • ◦Fixed a long delay at startup when not running as Admin
  • ◦Removed agent icon from feature description text on start window
  • ◦After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
  • ◦Changed how temp files are stored, each thread now has a temp folder
  • ◦Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esentutl, as it was timing out during triage runs
  • ◦To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
  • ◦Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
  • ◦Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging



Changes for v5.2.1006 - v5.2.1007

  • Recent Activity
  • Fixed an error that could display when a jumplist was finished being processed
  • Registry Viewer
  • Fixed a crash that could occur when reading a registry file



Changes for v5.2.1005 - v5.2.1006

  • Case Manager
  • Report Fix, if the background thread copying files for report didn't exit cleanly OSF may warn of background activity when quitting.
  • Case Details Dialog
  • Fixed bug that might cause case narrative text to be reset to default when editing case details.
  • Will now prompt the user to confirm cancelling changes when they have edited case details fields and click Cancel.
  • Case Export
  • Changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.



Changes for v5.2.1004 - v5.2.1005

  • Disk test
  • Fixed a crash when formatting as FAT32 fails.
  • Fixed an issue with formatting as FAT32 on small drives.
  • Deleted Files
  • Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
  • Fixed an uncaught exception error when loading MFT for some OSF devices.
  • Fixed a bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
  • Fixed error box appearing when failing to read non-resident MFT attributes (eg. LCN is invalid as the MFT attribute has been overwritten). Instead, the error is logged and the search silently continues
  • When parsing $ATTRIBUTE_LIST, buffer is now properly allocated according to the size of the attribute. Previously, this caused an assert error to occur due to the buffer size being too small
  • Internal Viewer
  • Fixed potential memory leak when generating video thumbnails
  • Fixed potential concurrency issues when loading videos
  • Mismatch File Search
  • Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV
  • Password recovery
  • Removed a "File not found" error when running the windows password search on a non system drive
  • System Information
  • Fixed a possible crash when getting printer information
  • Triage Wizard
  • Fixed an uncaught exception error that could occur when running a scan on a non system drive (eg D) and having only windows passwords selected.
  • Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found



Changes for v5.2.1003 - v5.2.1004

  • Case Report
  • Added dll required by wkhtmltopdf.exe to installer to prevent an export to PDF error seen on windows 8
  • Rainbow Tables
  • Fixed crash occurring when cracking hashes from a pwdump txt file when secure case logger was enabled
  • Recent Activity
  • Fixed a crash that could be caused by 0 length entries when processing Jump lists items
  • Triage Wizard
  • Fixed a crash caused by trial limitations when running the triage wizard
  • Misc
  • Improved how temp files are stored to make it more threadsafe (eg when running multiple tasks using the Triage Wizard)



Changes for v5.2.1002 - v5.2.1003

  • •Browser Passwords
  • ◦Fixed a crash that could occur when there were more than 50 Firefox username/passwords
  • •Disk Imaging
  • ◦Allow continuation of imaging after encountering too many bad blocks (1000).
  • ◦Added extra check if the first read fails when verifying the image created.
  • •System Information
  • ◦Fixed crash possible with getting printer info when system returns bad information.
  • ◦Fixed a crash in some cases when getting the computer name from the registry
  • •Misc
  • ◦Fixed bug where navigation bar icons were incorrect for items near the end/bottom.



Changes for v5.2.1001 - v5.2.1002

  • •Deleted File Search
  • ◦Fixed a stack corruption crash
  • •SQLite Browser
  • ◦Fixed issue where OSF wasn't able to extract blob contents for sqlite tables created using WITHOUT ROWID.
  • •Forensic Imaging
  • ◦Fixed error when attempting to image a locked Bitlocker-encrypted drive. Instead of opening the drive letter (eg. 'C:'), the underlying physical disk (eg. \\.\PhysicalDrive0) is opened instead
  • •File Index
  • ◦New Zoom indexer build with added support for indexing .sqlite, .sqlite2, .sqlite3 and identifying SQLite files with no extensions
  • •Misc
  • ◦Made some changes to how temporary files are created to make them thread safe (to prevent multi threading issues when using the triage function)



Changes for v5.2.1000 - v5.2.1001

  • •Recent Activity
  • ◦Fixed a crash that could occur when adding a filter when something other than "All" was selected in the treeview
  • •Triage wizard
  • ◦Added "Manually carve files in unallocated clusters" suggested action
  • ◦Added "Generate new HTML report" and "Generate new PDF report" suggested actions.
  • ◦Fixed SysInfo "# commands completed" not updated properly on completion
  • ◦Fixed wording of several "Suggested Actions"
  • ◦Fixed BitLocker detection results appearing in System Information results
  • ◦'Manually search' suggested actions now automatically start the corresponding search
  • ◦Auto-generated HTML/PDF reports are now saved in separate "Triage PDF Report" and "Triage HTML Report" folders respectively
  • ◦Fixed underline/cursor/text colour confusion for list view text that are not links



Changes for v5.1.1003 - v5.2.1000

  • NEW Triage wizard
  • Wizard launch icon on Start page. Huge amount of data can now be rapidly collected by inexperienced users with single click.
  • Customize workflow
  • Now also removes icons from the Start page (and the menu)
  • It is possible to lock down the workflow with a password so inexperienced users can’t re-enable all the features so easily.
  • Case Manager
  • Items added to a case can now be categorized into a type of Crime, this list can be customised by editing the "Categories.txt" file in the ProgramData folder.
  • On the "add to case" dialog when using the "Use same details for all" option if the title has not been changed by the user a special flag will be displayed. This will then be replaced by each item's name when added to the case.
  • PDF reporting bug fix.
  • Fixed sorting by clicking on title in Case Management window.
  • Added new tag to customisable reports for generating Case Info table. Only non-blank fields shall be outputted
  • File Index
  • Fixed a buffer overflow bug due to illegally long filenames in ZIP files
  • Recent Activity
  • Started sanitising the HTML output for some items when exporting to HTML so that HTML special characters (eg <>&) are safely encoded.
  • Thumbnail Viewer
  • Now has a faster option to switch between the various thumbnail files found on drive via a drop down list.
  • Drive preparation
  • 1 click drive preparation function. Can wipe, verify, format drive with 1 click. A log file is also now written to the drive recording the preparation steps.
  • Hash Set Lookup
  • Added check if SHA256 hash is stored in the hash set. If not, SHA256 is not calculated. This saves a small amount of CPU time.
  • Email viewer
  • A bug fix for parsing some rare corrupted PST files
  • Misc
  • Correction of various multi-threading bugs, which came to light when running a large number of tasks simultaneously.
  • Registry access code wasn’t thread safe & could crash if multiple tasks were reading registry entries at same time, especially password recovery.
  • Caching of disk’s MFT into RAM didn’t work well with multiple threads. Solution was to enlarge the cache slightly and unify it into a shared cache. Multiple threads should run significantly faster than before.
  • Some handles to various internal resources were not being freed, resulting in memory leaks and possible crashes.
  • Even larger cache sizes and more advanced cache lookup algorithm to speed up various operations that involve reading MFT (is a RAM usage / speed trade off). Slightly more RAM is used, but disk operations are faster. For example file name searches are now 33% faster.
  • Some help file updates
  • Fixed up the opening of the Help file to get the navigation menu showing again. The Edge browser in Win10 unexpectedly broke some of the help functions.
  • Fixed a crash in the 32bit version when trying to start a filename search



Changes for v5.1.1002 - v5.1.1003

  • •File Index
  • ◦New Zoom indexer build, fixed bug that was failing to index particular .OST and .PST files with compression.
  • •File Name Search
  • ◦Fixed a crash which could occur in the hash set lookup function when the hash set being searched contained very long string lengths.
  • ◦Thumbnail View, flags are now custom drawn to increase the speed when updating path flags, for example when doing hash matching.
  • •Hash Lookup
  • ◦Added support for 'Modeless' dialogs for hash lookup for multiple files. This allows other modules in OSF to be used simultaneously with hashing in background.
  • ◦Fixed dialog resizing screen corruption issues in the hashset lookup window
  • ◦Reduced the frequency of update to the user interface when hash operation is running to improve speed. It looks slower, but is actually much much faster.
  • ◦When performing a hash set lookup for multiple files, 4 threads and larger block sizes for disk reads are now used in order to increase performance. For large hashsets, with a fast SSD, performance improved 5 fold.
  • ◦Added a limit of 1000 file set matches returned for a single file hash lookup. So 1 file on disk can now not match more than 1000 applications. Previously a zero length file would match 500,000 applications in NSRL list.
  • ◦Added a limit of 5 file set matches returned for multiple file hash lookups, which improves speed dramatically when the hash set or files being looked up contain matches in multiple file sets (eg when searching for file hashes in a set containing millions of records such as NSRL hash sets)
  • ◦Added caching of 0 byte / empty (contains only 0's) files to speed up multiple hash set lookups. Zero length files appear around 5000 times on a typical hard drive. So this can save 5000 slow database queries.
  • •Hash Sets
  • ◦Added a "Properties" right click menu item to display a dialog with some information about the hash set (disk location, number of product types, file sets, files).
  • •Password recovery
  • ◦Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character
  • •Recent Activity
  • ◦Fixed a bug where shellbag information was not being retrieved correctly when using “Scan drive” C: instead of live acquisition.
  • ◦Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character
  • ◦Fixed a bug where the last connected date of a USB item could be different in Live search when compared to a C:\ search



Changes for v5.1.1001 - v5.1.1002

  • Add File To Case function
  • The copied files in the case folder should now have the same filetimes as the original source file.
  • Case Manager
  • Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
  • Case meta item file, added two additional fields (where available): Last Access Date, MFT Modified Date
  • Deleted Files Search
  • Fixed changing of 'Date filter' combo box in Timeline view not updating the chart
  • File Indexer and searching
  • New Zoom builds fixed crash bug with indexing EML/MBOX file containing attachments of EML/MBOX files
  • Internal Viewer
  • Fixed info text for files that belong to the case
  • When opening a file added to a case, the original folder and file times are now displayed (obtained from the OSFMeta file). These attributes are highlighted in a different colour along with an information text.
  • For image files, size and file times have been removed
  • Internal Viewer - Hex View
  • Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard + compressed notation
  • Recent Activity
  • Updated installer to include an alternate version of esentutl to use in the case of "Dirty shutdown (-550)" errors for ESEDB databases (eg from Windows search, Edge) that could sometimes cause the esentutl version installed locally to crash leaving the files in an unreadable state
  • Misc
  • Updated help file with internal viewer changes



Changes for v5.0.1002 - v5.1.1001

  • Case Manager
  • Fixed bug when specifying a custom location for a case.
  • V5.1.1000 - 6th of July 2017
  • Case Manager
  • Added ".mem" extension when selecting image file to add to case
  • Chain of Custody Report Template - Rearranged template fields, added signature field.
  • Generate Report - Allow option to generate Chain of Custody report alongside Case Report.
  • Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to allow additional case data, such as Offense type, Legal Authority & Suspects Name to be entered.
  • Create Index
  • Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types' category. Note that only file name will be indexed.
  • Create Signature
  • Deleted files can now be included in the signature from the config window. Hashing is also supported for deleted files (but not for $I30 slack entries)
  • Compare Signature
  • File attribute string now includes custom attributes (eg. 'deleted', '$I30 slack entry')
  • File icon is now included in the comparison results
  • Signature info now includes whether deleted files were scanned or not
  • Deleted Files
  • Fixed Bug where saving multiple files would fail to save files to destination.
  • File Carver - Unallocated Cluster code would not read from the disk when the cluster offsets did not reside on sector boundaries. File Carving initialization will check to see if start cluster offset is a factor of cluster size, if not, file carving will switch to raw carve mode.
  • File Carver - Addressed bug which might cause carving unallocated clusters to not progress.
  • DirectAccess – NTFS
  • Added buffer overflow check when decompressing CompactOS files
  • Improved performance of checking for valid $ATTR_FILENAME attribute when looking for $I30 slack entries
  • Improved performance of FindFirstDel/FirstNextDel functions
  • Fixed bug with not resetting the file pointer when detecting imageUSB image file. This could result in volume hashes returning the wrong value when verifying the hash of a volume (a few bytes at the start of the file were not included in the hash calculation).
  • Email Viewer
  • Fixed HTML/RTF message body not being searched
  • File Name Search
  • Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files are included in the search results.
  • Deleted files are now shown in different text colour and with a deleted icon overlay in 'File List' view. Right click options for viewing files was also added.
  • Deleted files are now shown as a separate group in 'Timeline' view
  • Added more file details when exporting the file list to txt/html/csv file
  • Added support for adding/removing deleted files to/from case
  • Added support for looking up deleted files in hash set
  • Added support for saving deleted files to disk from File Name Search module.
  • File System Browser
  • Fixed 'n item(s) checked' still appearing after changing the folder
  • Added right-click menu option to export list of checked files to Case
  • File times now include decimal precision
  • Removed checkboxes in 'File Select' dialog
  • 'File Select' dialog window size is now saved
  • Fixed auto-scrolling when sorting items
  • Internal Viewer - Hex View
  • Improved performance of string extraction by using parallel processing. Approximately a 60% speed improvement
  • Improved performance of filtering strings by using Boyer-Moore search & parallel processing. Can be more than twice as fast, depending on hardware
  • If using word list, included matched expression in status bar of selected string
  • When filtering the string list, the # of strings that have been processed is now displayed
  • Added option to save to .dic file for use with dictionary based password cracking
  • Moved filtering operation to thread due to length of operation. User may cancel the filtering operation at any time.
  • Changed preset filter combo box to a link which brings up a menu when clicked. The menu provides several preset filters, as well as an option to select a word list
  • Added 'Use RegEx' checkbox to allow user-specified regular expressions
  • MemViewer - Static Analysis
  • 'Memory dump file' filter now includes .bin, .img, .dmp extensions
  • Added 'View & Extract Strings' button to open the dump file in internal viewer in hex view
  • Thumbnail View
  • Fixed text colouring for Deleted/$I30 slack/Reparse point files
  • Misc
  • Updated help file
  • Improved performance of list classes by using multi reader single writer lock. Fixed some synchronization issues.
  • When selecting image files, the 'All Images' filter now shows all supported image files rather than all files



Changes for v5.0.1000 - v5.0.1002

  • Internal Viewer
  • Fixed a bug where attempting to open an archive (zip etc) file could result in a missing DLL message being displayed on older versions of Windows.
  • File Name Search
  • Fixed a buffer overflow that could sometimes cause a crash when displaying file names longer than 512 characters in the "Current folder" field. The crash can appear randomly as the field was only updated occasionally while a search was in progress.
  • Memory Viewer
  • Included updated version of Volatility Workbench into the install package. Volatility Workbench is a graphical user interface (GUI) for the Volatility tool.



Changes for v4.0.1002 - v5.0.1000

  • New PList Viewer
  • Added a new Plist viewer
  • Text forward/reverse search option.
  • For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).
  • NEW $UsnJrnl Viewer
  • Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
  • Added support for $MFT file lookup to determine full path
  • Added support for searching for subtext
  • Added right-click menu options for viewing file, exporting records and adding records to case
  • Added progress bar when parsing USN records, loading $MFT file and searching for subtext
  • Improved loading speed by searching for records from the end of the file
  • Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
  • Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT
  • Analyze Shadow Volume
  • Results can now be exported in HTML and CSV format
  • Added button to export results to case
  • Added right-click menu for exporting results
  • Case Manager
  • Added support for mounting file paths as a device in the case
  • Adding devices to case now supports adding local folders in addition to network paths. Renamed 'Network Path (UNC)' to 'Folder / Network Path'
  • When adding an image file to case, the 'Select partition' dialog has been updated to reduce confusion.
  • Added option to export $UsnJrnl records to report
  • Fixed index OOB error when exporting deleted files to report
  • Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
  • Fixed error message when viewing the properties of a Case Device
  • Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.
  • Compare Signature
  • Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).
  • Create / Verify Hash
  • Added secondary hash function to allow calculating 2 different hashes simultaneously
  • Deleted Files Search
  • Added right-click menu to re-arrange columns in Details View
  • Added 'Source' and 'File number' columns to details view
  • Directory records found in $I30 slack space are now included in the results
  • Records found in $I30 attribute in deleted MFT directory records are now included in the results
  • Fixed bug with misreported quality when multiple streams exist for the deleted file
  • "Save and Open" right-click options no longer prompt the user for a location to save the file; it shall be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
  • When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
  • Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
  • Added *.msg to the search preset for e-mails
  • Drive Imaging
  • Fixed error copying single files to logical image due to directories not being created
  • Fixed file size of single file not included when calculating VHD image size
  • When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than their file size.
  • Fixed bug with drive list in 'Create Image' tab containing devices from previous case after switching cases
  • Email Viewer
  • Fixed buffer overflow of 'From' field
  • Fixed heap corruption when opening .eml files with quoted printable encoded text
  • File Indexer and searching
  • New Zoom build with fixes for:
  • Fixed bug with indexing zero date as "23/04/2009 6:24:48"
  • Indexing "delivery time" for PST emails. Only index "submit time" if former is not available. Previously was only indexing submit time, which means Drafts/Deleted items would have no time in index but be inconsistent with EmailViewer, which would display a date/time.
  • Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.
  • Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
  • On History tab, when choosing right-click menu's "Display Search Results & Add to Case...", it will now export the list of results to the case along with adding the corresponding files.
  • File Name Search
  • Added right-click menu to re-arrange columns in Details View
  • Added *.msg to the search presets for e-mail
  • Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.
  • File System Browser
  • Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
  • Fixed text not appearing in icon/list view
  • Improved responsiveness when changing directories
  • Fixed bug with calculating folder size on disk for non-NTFS file systems
  • Fixed deadlock when multiple threads are accessing mounted devices simultaneously
  • Added right-click menu to re-arrange columns in Details View
  • When calculating folder sizes, stream sizes are now included
  • Added error messages when performing certain operations on $I30 slack items
  • Deleted artifacts recovered from $I30 slack space can now be displayed.
  • Files that have reparse points are now displayed in green
  • Hash Sets
  • Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters
  • Internal Viewer / File and Hex Viewer
  • File Viewer tab, changed volume controls to trackbar + mute button
  • Added 'IP address' filter to Hex Viewer string extraction
  • When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer shall first be saved to a temporary file and then loaded. Previously, an 'Unsupported file format' message was displayed.
  • Removed unnecessary saving of temporary files for file paths containing case devices
  • Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
  • Removed limit on the number of extracted strings
  • Added encryption, reparse point, sparse file, system compression attribute checkboxes
  • Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
  • Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
  • Memory Viewer
  • Added right-click menu to re-arrange columns of the process list
  • Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
  • Changed the extension for memory dump files from .bin to .mem
  • Added tabs for 'Live Analysis' and 'Static Analysis'. Previous view has been moved to 'Live Analysis' tab. 'Static Analysis' allows the user to launch 'Volatility Workbench' process with the specified memory dump file.
  • Passwords
  • New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
  • Find Passwords & Keys: Added right-click menu to re-arrange columns
  • Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
  • Fixed bug where Wifi profiles weren’t searching the correct location in some cases when “Live acquisition” was picked (could search incorrect drive letter)
  • Fixed bug where Wifi profiles might not search correct location in localised (non-English) version of Windows
  • Fixed a crash that could occur when searching Wifi profiles
  • Fixed possible crash when getting system passwords
  • Added more info to display, client thread status, benchmark, password length and prefix.
  • Prefetch Viewer
  • Fixed possible crash due to buffer overflow
  • Raw Disk Viewer
  • Added a list of preset regular expressions combo box that can be used when performing a raw search
  • Improved performance of search window list view
  • Removed max search results limit in search window
  • Fixed synchronization issues potentially resulting in crash
  • Recent Activity Viewer
  • Changed how the Windows user directories are searched for, so all operating system dependent locations (XP, Win7 etc) are now searched instead of only the known location of the first one found. For example, if an XP system contained a "Users" folder in the root directory, then it was previously only searching the (possibly empty) Users folder and not searching the "Documents and Settings" location.
  • Fixed a "missing column" error for old versions of Firefox cookies
  • Made some changes when trying to repair a "dirty" Windows search database (eg from a system image of a currently running system) so that if the esentutl tool crashes OSF will attempt to run it again
  • Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User's Download directory for .torrent extensions.
  • Fixed Bug with P2P Items not showing details on the File List Tab
  • Added Search queries artifacts for Ares Galaxy
  • Added Shareaza P2P Search Artifacts.
  • Added Emule P2P Artifacts
  • Added SABnzbd P2P Artifacts
  • Report Templates
  • Combined 'Drive Imaging' and 'Forensic Copy' HTML template into a single 'Forensic Imaging' HTML template
  • Start Window
  • Renamed “Website Passwords” to “Scan for Passwords/Keys”
  • Renamed “Removable Drive Preparation” to “Drive Preparation”
  • Added icon for launching 'Volatility Workbench' under 'Viewers' group
  • System Information
  • Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
  • Web Browser
  • Fixed bug where saving the complete webpage was not working correctly
  • Misc
  • Changed date/time format to 24-hour clock
  • Fixed crash when Exception filter is executed
  • Moved 'Forensic Copy' module to 'Drive Imaging' module as a new tab. Renamed 'Drive Imaging' to 'Forensic Imaging'
  • Fixed 'Forensic Copy' and 'Drive Imaging' logs not appearing in generated report
  • Fixed some flickering issues when resizing
  • Updated File Name Search preset list to include Virtual Machine files
  • Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
  • When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
  • Added template files for exporting $UsnJrnl records to report
  • Fixed bug with the initial directory not being set correctly in the select file dialog
  • When prompted to select a file, the last directory path is now used as the initial directory if not specified
  • Fixed bug in handling alternate data streams with multiple $DATA attributes
  • Added support for accessing bitlocker encrypted drives in raw form
  • Updated HTML Editor to show character count.
  • External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNJRNL and Plist) will retain the size of their last viewer window closed for subsequent openings
  • Performance increase when opening registry files
  • Fixed several potential crash points when closing the OSF application while the progress window is still showing
  • Added encryption, reparse point, sparse file, system compression attribute checkboxes
  • Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
  • Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
  • Updated help file with $UsnJrnl Viewer section
  • Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() to not be created when debugmode is enabled.



Changes for v4.0.1001 - v4.0.1002

  • Activity Monitor
  • Added separate tasks for adding files to case
  • Case Manager
  • Fixed synchronization issues with hash table causing an exception to be thrown
  • Add file to case dialog has been changed to modeless, allowing the user to switch to another module while files are being added.
  • Added synchronization to CaseManager class to support concurrent access to case items
  • Added error message when creating/importing/loading/deleting a case while a task is still running
  • When closing the program, a warning dialog is displayed when any task is still running (as opposed to a select few tasks)
  • Fixed scroll bar being reset every time case items are added/removed
  • Adjusted the maximum text to 245K characters in the rich edit box for case narrative
  • Changed the case item list view to owner draw to improve performance
  • Decreased the time required to delete a large number of items from case
  • Fixed 're-use input' checkbox not working when adding bookmarked files to case
  • Added error message when attempting to add bookmarked folders to case
  • Increased the frequency of progress updates when adding multiple files to case
  • Case items are now sorted by date in ascending order by default
  • Fixed bug when attempting to overwrite an existing external report in case
  • Fixed non-existent case default drive appearing in drop down box when editing case
  • Improved performance of updating list items (eg. in File Search, Mismatch Search, Deleted Search) when case flags are updated
  • Fixed memory leaks in case log
  • Decryption & Password Recovery
  • Added more info to display, client thread status, benchmark, password length and prefix. Adjusted job size for CPU clients.
  • Deleted Files Search
  • Fixed junk characters showing up in error message when prompting to overwrite a file
  • Fixed case flags not being updated in thumbnail view
  • Email Viewer
  • Fixed unhandled exception when failing to load e-mail file
  • File indexing and searching
  • Fixed bug with Doc/Ppt/Xls indexing "last modified" as "Author". Will now prioritize "Author" and only index "Last modified" if "Author" is not available.
  • Added support for Comments property (appended to KEYWORDS meta tag) in DOC files, and support for "Category" property (as "ZOOMCATEGORY" meta tag) in PPT and XLS files
  • Raw Disk Viewer
  • Fixed bookmarks showing up twice when reloading a case
  • ThumbCache Viewer
  • Fixed 'use same details for all' checkbox not working when adding to case
  • Due to changes in Win10, the 'name' column should now show the thumbnail cache ID in hex format (instead of a cryptic string)
  • Misc
  • Updated HTML Editor to show character count



Changes for v4.0.1000 - v4.0.1001

  • Case Manager
  • When generating report, fixed incorrect links being generated when 'Copy files' is checked
  • Improved the performance of adding items to case by performing the hash calculations all at once (rather than separately)
  • Improved the performance of updating case flags by not re-drawing the lists for File Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
  • Allowed the HTMLeditor to be left opened from the "Edit Case Detail" dialog window. However, as a result, the case narrative is prevented from being edited from the New Case dialog procedure.
  • Case Log Viewer
  • Improved the performance of adding new log entries
  • Decryption & Password Recovery
  • Added Openoffice (LibreOffice) extensions to select file dialog
  • Removed bell sound from gpu client, cpu client, and server and replaced with a different (chime) sound
  • Fixed typo in default definition file
  • Forensic Copy
  • Added a clear log button and started displaying the number of files copied
  • Reduced the amount of memory used substantially during the forensic copy process
  • Recent Activity
  • Added Time Source Column for 'All'



Changes for v3.3.1004 - v4.0.1000

  • Licence changes
  • Free version has been replaced by a 30 day trial
  • USB installation is now available only in the Pro version.
  • Changed the maximum number of items that can be indexed (in create index) to 2500 for the Trial version
  • Recent activity exported list is now limited to 10 items in the Trial version.
  • Changed the maximum number of browser passwords displayed to 5 per browser for the Trial version.
  • Password recovery
  • Wifi passwords are now recovered & decrypted from the registry and file system.
  • Windows auto-logon passwords are now recovered & decrypted from registry.
  • Outlook & Windows live mail passwords are now recovered & decrypted.
  • Microsoft product keys are extracted from the Windows registry
  • New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
  • Specific rows in the password report can now be selected for export or adding to the case.
  • GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR file. (Work in progress)
  • Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
  • New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
  • Added NTLM hash cracking to the common password check for the Windows login password
  • Added NTLM hash rainbow table generation.
  • User interface & work flow
  • It is now possible to change the order of buttons in the left menu. Now called the Work Flow menu. This can allow the button order to reflect the chronological order of specific forensics processed.
  • Added checkboxes in several windows for selecting multiple items without having to continuously hold select/ctrl.
  • New 'File Details' tab in several windows that displays the search results in a list view.
  • Recent activity artifacts
  • Added OS X artefacts to Recent Activity feature for Mac drives
  • Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
  • Updates in Recent Activity for newer browsers (including Edge)
  • Faster collection of Windows Search terms in recent activity (reducing hours to minutes for the worst case)
  • Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
  • Added USB first connected time from parsing setupapi.dev.log
  • Added the ability to reorganize and/or hide/show certain columns on the File Details tab by right-clicking on the column title area.
  • GUI will show incrementing artefact count during the scan
  • File system support & imaging
  • exFAT is now supported
  • Added read-support for .Ex01, .Lx01, and .L01 image formats
  • Improvements to HFS+ support for Macs.
  • Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
  • Added a log option for Forensics Copy
  • Added ability to supply multiple source paths when performing Forensic Copy
  • Owner/group/permissions are now preserved in Forensic Copy
  • Better exposed the function to compare shadow copies.
  • Memory viewer
  • The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
  • Handles and loaded Modules are displayed per process when available
  • Users can create Process Specific binary dumps through right click options and add to the case.
  • ESEDB Viewer
  • Dialog to select from a list of known files now shows the file size
  • Added right-click option to copy values (ie. cells) to clipboard
  • Added right-click option to view values (ie. cells) as binary data in the internal viewer
  • Added right-click option to export values (ie. cells) as binary data to file
  • Added right-click option to export values (ie. cells) as binary data to case
  • Added right-click option to export tables to case
  • Fixed some memory allocation issues when exporting tables that can cause a crash
  • Fixed horizontal scroll bar not appearing for some tables
  • Binary data is now displayed in byte groupings
  • Fixed a bug when retrieving a record multi-value
  • File name search
  • The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
  • Peer to peer file types have been added as a new pre-set search selection.
  • The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
  • Improved the default settings
  • Ability to group the search results by file type in 'File Details' view
  • When grouping the results by file type, the groups are collapsed by default
  • File indexing and searching
  • Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
  • Improved relevance scoring when hundreds of matches are found within the same file
  • Restored torrent file indexing which got accidentally broken in a past release.
  • Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
  • Improved search results layout
  • Fixed bugs when indexing meta data (title, keywords, etc) from DOC files
  • Reporting & Case Management
  • PDF output added.
  • New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
  • Added option to include file EXIF metadata in the report
  • Custom Logos are now easier to add
  • Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
  • Added an 'Add External report' feature in case management to support adding an external HTML report directory so that reports from other tools display properly.
  • Reduced the time required to populate the list of log entries
  • Index search history is now loaded on demand to reduce case load time.
  • File size of the case item is no longer retrieved to reduce case load time
  • The default mount name for volume shadows now contains the index number
  • When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
  • When adding device to case, 'Case default device' checkbox is set by default
  • Improved error message when generating a report in a location that already contains an existing report
  • Fixed error when generating links in a report to a file that contains > 260 characters
  • Fixed forward slashes in links being escaped causing problems in some browsers (eg. Chrome)
  • Fixed error when deleting a read-only file from case
  • Fixed error when deleting a file with long file name from case
  • Added retry mechanism when attempting to add a file to case that is being used
  • When automatically adding files to case, added option to ignore future errors
  • Updated Report Templates to include the 'Case Activity Log' section in the main report
  • Added checkbox option to include 'Case Activity Log' into the main report
  • When generating a Case Log report, the exported log entries are exactly as displayed in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied)
  • Added a HTML Editor to allow user to modify case summary narrative. Can be located under "Edit Case Details".
  • Added progress bar when saving the case files to a folder before the case is deleted.
  • Added new report type 'Log Report' for Case Log reports
  • Shadow copies
  • Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:\) which would lead to it not being displayed on the analyze shadow copy dialog.
  • Added a Shadow Copy Analyze icon to start page
  • Stopped a shadow copy entity being compared against itself, as it only makes sense to compare different shadows.
  • Added a warning message when opening the analyze dialog if no shadow copies were added to the case.
  • System information
  • BitLocker Detection preset added to System Information
  • Updates to System information to detect new CPU types
  • Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.
  • Registry Hive viewer
  • Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
  • Dialog to select from a list of known files now shows the file size
  • Hashing
  • Button to add Hash results to case
  • Thumbnail database viewer
  • Fixed large memory usage when reading Win10 thumbcache files.
  • Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
  • Added to list of known thumbnail cache files
  • Replaced thumbnail size radio buttons with combo box
  • Dialog to select from a list of known files now shows the file size
  • Internal file viewer
  • Updated video previewer to support more video formats, including video in these formats: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
  • Can do screen capture from the File Viewer.
  • Email searching
  • Added BCC searching for Emails.
  • Additional details are indexed when indexing Emails (for some formats).
  • Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files
  • Deleted files
  • Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
  • Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
  • Ability to group the search results by file type in 'File Details' view
  • When grouping the results by file type, the groups are collapsed by default
  • Other changes
  • Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
  • Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
  • Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
  • Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
  • Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
  • Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
  • Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
  • Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
  • When loading the log file (secure log), a buffer is now used to speed up load time



Changes for v3.3.1003 - v3.3.1004

  • Case Manager
  • Added warning when attempting to add the entire image to case when there is a partition table
  • Allow the option to select the "entire image file" when adding images to case
  • File Indexer
  • New Zoom builds with added recognition for extensions .plt and .dxf to index filename only
  • Fixed stack/buffer overflow issue when indexing PST emails.
  • Raw disk viewer
  • When viewing the raw sectors of entire images, the partition table info is now decoded
  • Search Index
  • Fixed special characters such as '&' in the filepath from the search results not being decoded properly
  • Misc
  • Device dropdown list now includes the image file's partition (or "Entire image")
  • Fixed bug with not being able to read the raw bytes of image files using UNC paths
  • Accessing the entire image file with a valid partition table (ie. without specifying a partition) no longer returns error



Changes for v3.3.1002 - v3.3.1003

  • Email Viewer
  • Fixed stack overflow crash bug when saving MSG attachment with multiple levels of nesting
  • File Indexer
  • New Zoom indexer build, fixed a crash bug for nested MSG files within PST files



Changes for v3.3.1001 - v3.3.1002

  • Deleted Files - FileCarving
  • Fixed crash. The TIF file format has internal pointers to locations within the file; when these pointers contain a corrupted/invalid value, it could cause OSForensics to crash.
  • Added slider to configuration to allow selection of start and end percent/location of drive to carve.
  • Fixed possible crash when searching for HFS+ deleted files.
  • File Indexer
  • New Zoom build, fixed issues with not starting indexing on HFS image with "Invalid folder" errors.
  • Misc
  • Fixed retrieving file attributes on non-ntfs file systems
  • Fixed possible crash when accessing HFS+ filesystem
  • Added detection of file system for MBR partitions due to possible differences in reported partition type and actual file system



Changes for v3.3.1000 - v3.3.1001

  • Deleted Files Search
  • File Carving, naming of recovered carved files has been changed to "Carved (type) file (Sector Location in HEX).extension" e.g. Carved 'jpg' file 0x00001F2B.jpg
  • File name search
  • Fixed a bug that was preventing sort by foreground/background colour working correctly on results when OSForensics was using direct access (eg direct access of an image file)
  • Hash Sets
  • Fixed a crash when first trying to open the hash sets tab
  • Misc
  • Some help file updates



Changes for v3.2.1003 - v3.3.1000

  • Case Management
  • Increased Notes character limit to 64000 characters
  • Can now remove file from case in right-click menu
  • When adding an attachment to case that already exists, prompt the user to overwrite
  • Create Signature
  • E-mail files are no longer saved as temporary files when creating a hash of the file. This improves the speed when creating a signature.
  • Fixed wrong directory path being displayed especially when hashing large files.
  • Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown reading compressed files.
  • Compare Signature
  • When comparing file attributes, mask out the extra attributes used by OSForensics Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of modified files.
  • Deleted File Search
  • Added 'Remove deleted file from case' right-click menu option
  • Fixed search results clearing when flags are updated
  • Drive Preparation
  • Added WAIT icon to drive refresh, so user can see when refresh is complete.
  • Fixed physical drives are now supported, including system drive. However, if the system drive is selected, an error message is displayed
  • Drive Imaging
  • By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now checked.
  • Added option to attach Image metadata (.info) file to case on completion
  • Changed extension of Image metadata file from .info to .info.txt
  • Email Viewer
  • When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no longer created. This saves some time opening the file.
  • ESEDB viewer
  • Updated the Extensible Storage Engine database (ESEDB) viewer to support the new Win10 file structure.
  • Fixed list of records being cleared when attempting to access a page that is out of bounds
  • Fixed bug with non NULL-terminated string
  • Added sanity check for endianness for Vista DBs due to possibility of fields being either big or little endian
  • File Indexer
  • 12x increased unique words capacity (from 16 million base words to 200 million). Allows more documents to be indexed in a single index.
  • Approximate 5x faster Forensics Mode indexing. This resulted from better caching, better parsing of the MFT and new low overhead methods of getting file attributes.
  • Improved JPG, PNG image indexing speed with new methods of calling exiftool. Performance is approximately 5x faster on photographic images.
  • Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
  • Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE)
  • Improved file type identifications and attempted indexing methods. A lot fewer warnings and errors should now be logged when indexing.
  • Fixed 64-bit bugs with 7z64.dll
  • Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this error was caused by indexing E-mails that contained malware. The antivirus (AV) solutions running on machines would detect the malware on extraction of attachments from the E-mail and unexpectedly delete the temporary file, causing a cascade of errors. We have a workaround for the errors, but active AV solutions can still prevent indexing of files containing malware, which can be a good or bad thing depending on your point of view.
  • Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive
  • Fixed bugs with failing to extract files from certain problematic ZIPs and attempting every file (with magic and extraction and indexing) causing 3 error messages per file in the Zip file. Corrupted Zip files should no longer produce this cascade of errors.
  • Fixed crash bug with truncated MP3 files
  • Fixed OLE parsing bug when loading corrupted MSG Email file
  • Improved memory estimation of indexing, to better judge if there is sufficient RAM available to start the indexing job. No point starting an indexing job only to die half way through it.
  • File Name Search
  • Fixed 'Current Folder' not being correctly displayed
  • Fixed search results clearing when flags are updated
  • File System Browser
  • Display "(Sparse)" for the "Starting LCN" column of sparse files
  • Fixed incomplete folder size being displayed when folder size calculation is cancelled midway (eg. when items are being sorted)
  • Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster depending on collection of files.
  • Internal Viewer
  • File info: For reparse points the linked path is now displayed
  • No longer displays message box when failing to open file
  • Hex viewer, Display error message in the status bar when failing to open file
  • Mismatch Search
  • Fixed 'Current Folder' not being correctly displayed
  • Password Recovery
  • Fixed crash when writing an entry to the log
  • Windows Login - List views are now resized
  • Windows Login - Added 'Password Required' column to 'Local Users' table to indicate whether a password is required for login
  • Windows Login - Fixed crash when saving local users/domain users to file
  • Recent Activity
  • Added file type sub classification for Windows Search Items. Files are classified using the MIME type and extensions
  • Removed directories from Windows Search Items
  • Fixed Security event log entries not appearing in the results
  • Selected items in 'File Details' and 'File List' tabs are now independent of each other. This caused problems when the exported list of selected items contained items that were not selected
  • Re-arranged the order of tabs so that 'File Details' is the default tab.
  • Fixed scan status not displaying in 'File Details' view
  • Fixed sorting of items in 'File Details' view
  • flickering of tree view
  • Fixed error message appearing when JumpList is not selected in the scan
  • Fixed a shellbag retrieval crash in Windows 10
  • Fixed a jumplist crash in Windows 10
  • Fixed a bug preventing some jumplist items from being retrieved
  • Changed "Stream Number" jumplist item name to "Entry ID"
  • Fixed an offset bug when getting the name of a shellbag item in Windows 10 which caused names with invalid characters to appear
  • Updated function that retrieves Windows desktop search terms. The database format recently changed in Win10 and broke older releases of OSF.
  • Registry Viewer
  • Can switch between Hex, ASCII, Unicode in right-click menu
  • Hives under \Windows\System32\config\RegBack are now listed when selecting a registry hive to open
  • Added buttons for common operations (Add file, Add to case, Export, Find)
  • Fixed a crash when trying to view/open the SAM file in Windows 10
  • Search Index
  • Updated search engine code to support new increased capacity index format with extended unique words.
  • Added 'Remove item from case' right-click menu option
  • Fixed search results clearing when flags are updated
  • Thumbnail View
  • Improved performance of loading photographic image thumbnails in forensics mode. Is approx 10x faster.
  • Improved speed + memory usage when drawing thumbnails. Especially noticeable when scrolling the display, which should now be smoother.
  • Drive imaging
  • Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g. Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume size. The imaging process will now continue beyond the end of the file system to read the entire volume.
  • Misc
  • Fixed some memory leaks found by the leak checker
  • Licensing
  • In the free edition of the software,
  • The indexing process will be restricted to 10,000 files or E-mails.
  • The search results from an index will be limited to 250 files per search.
  • Only 10 items to be added to each Case file.
  • Only the first 10 passwords from each browser type will be listed in the passwords function
  • Installer
  • The installer package is now signed with an Extended Validation code signing certificate. This avoids some SmartScreen installation warnings in Windows 10, like Windows "prevented an unrecognised app from starting".



Changes for v3.2.1002 - v3.2.1003

  • Create Index
  • Added support for zipx, 7z, rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo
  • Fixed indexing bug with repeated "Core engine not responding" messages
  • Disk Imaging
  • Reduced the vertical space used by the controls to support lower resolutions
  • EmailViewer
  • Can now re-scan for recovered e-mails after cancelling a previously started scan
  • Removed 'Tools' menu
  • Misc
  • Help updates for system information



Changes for v3.2.1001 - v3.2.1002

  • Create Index
  • Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
  • Fixed many common errors and warning messages and file recognition
  • Fixed many issues with .zip, .gz, and .tar.gz archives, and with recursive archives.
  • Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index
  • Added fix for "Core engine is not responding" when indexer was stuck in "Finishing" stage due to large index or slow disk write
  • Email Viewer
  • Added right-click option to jump to the message ID of an e-mail file
  • Added progress details when scanning for deleted e-mails
  • Fixed bug with deleted e-mails not being displayed in the EmailViewer
  • Fixed 'assert' error appearing when Subject field is missing in MIME headers
  • Index Log Viewer
  • Fixed crash when trying to view a previous index log while an indexing job is running.
  • Recent activity
  • Fixed an issue when trying to get IE10+ URLs from a read only drive
  • Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach IE10 database" error in some cases
  • Fixed an "autofill_dates" missing error caused by a Chrome update removing this table
  • Fixed a "malformed" database error when getting Chrome cookie information
  • Fixed some display and sorting issues with shellbag items on the file details tab
  • Registry Viewer
  • Fixed a crash when opening a corrupt registry file
  • Misc
  • exFAT partitions are now properly detected as opposed to being identified as "Unknown"



Changes for v3.2.1000 - v3.2.1001

  • Case Manager
  • E-mail attachment paths now include the attachment index number following the file name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple attachments with the same name.
  • Create Index
  • Fixed some bugs relating to email attachments
  • New URL format for attachments
  • Fixed bugs with indexing attachments from mbox (.eml) in nested format
  • Fixed bug with not indexing From/To details for Mbox attachments
  • Fixed bug with indexing attachment titles incorrectly
  • Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." to appear at end of indexing
  • Email Viewer
  • When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file type, the function will try opening the file with each format until successful
  • Fixed potential heap corruption when exporting an e-mail with a large text body
  • Fixed possible memory leak
  • Recent Activity
  • Added shellbag item from registry files collection and display
  • Fixed a date conversion issue with Google Chrome downloads date
  • Search Index
  • Fixed some results not being filtered into the correct tab (eg. images in e-mail attachments)
  • E-mail attachments with the same name can now be distinguished properly
  • When doing bulk adding of items to case, user is no longer prompted when the item already exists in the case after checking the 'Repeat action' checkbox.
  • Fixed various problems related to adding nested attachments/e-mails/archives to case.
  • For E-mail paths that do not have a message ID in the path, a message ID of "0" is assigned
  • Fixed issues with the case flags not appearing for some items
  • Misc
  • Fixed some date formatting bugs introduced in the previous build that were causing dates to appear blank



Changes for v3.1.1007 - v3.2.1000

  • Create Index
  • Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
  • Added indexing of From/CC/To etc. addresses from MSG attachments.
  • Added missing support for indexing headers for MSG files
  • The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed
  • Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
  • Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
  • Fixed bug with indexing attachments from MSG files (failing to recognize file type properly)
  • Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
  • Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
  • Case Manager
  • User can now specify whether logging is enabled/disabled when creating or editing a case
  • Error message is displayed if the log file is corrupted or tampered with
  • When generating a report, "No title" is now added where an item has no title, so the link to the file is visibly created
  • When renaming (moving) cases, case items still used the old metafile path, causing issues with non-existent paths. Fixed by reloading case after moving.
  • E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name
  • Case Log
  • Supplemental log entries added across all modules
  • When logging is disabled, controls are now disabled and message is shown to the user
  • Create/Verify Hash
  • Fixed drive drop down list to include Case devices
  • CSV Exports
  • Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates
  • Deleted Files
  • Fixed bug with retrieving the clusters of a deleted NTFS file. This bug can potentially cause an invalid memory access crash
  • Unallocated cluster information now being used for mounted devices
  • Fixed bug with being unable to save multiple deleted files from a partition without a drive letter (due to invalid characters in the device path)
  • The number of files that were not saved due to reallocation now displayed
  • Improved performance of saving deleted NTFS files
  • Deleted files stored in multiple MFT records are now being handled
  • Proper stream names are being used when restoring a deleted NTFS file
  • Disk Imaging
  • Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab
  • Added check for no physical disk selected
  • The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO
  • Event Info
  • Bug fix, stripped trailing space character from event title.
  • Email Viewer
  • A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent
  • Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
  • File Name Search
  • Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable
  • Hash sets
  • Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny files, eg. 0 byte files, always appearing in a hash set where there was a 0 byte file on creation)
  • Password Recovery (Windows Login Passwords)
  • Added cached domain users to recovery for local drives
  • Fixed a crash that could happen when recovering cached domain users
  • Recent Activity
  • Added timestamps to WLAN items for the associated XML profile or registry key (where available)
  • Bug fix, export event to CSV will now include the item's title.
  • Columns will remember their widths when filtering, sorting and navigating to different activity types.
  • Search Index
  • Added To/From/CC information to attachment output when searching an index
  • Removed the from/to/cc fields from the CSV export of a search for items that aren't emails/attachments
  • Fixed bug with broken links in search index results for files containing percent encoding in filename
  • System Information
  • Added cached domain users to "Get User Info (registry)"
  • ThumbCache Viewer
  • Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view
  • User Interface
  • List/tree views across OSF now show the selected item regardless of when the control loses focus
  • Fixed drawing issues when minimizing navigation buttons
  • Removed flickering when resizing window
  • Fixed buttons not being displayed when resizing window
  • Fixed drawing issues when resizing file/folder popup dialog
  • WinPEBuilder
  • Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
  • Misc
  • Updated help for new Case Activity Log section to describe logging feature
  • Updated help with info on user editable file carving configuration file, osf_filecarve.conf
  • Updated help to mention timezone in case management
  • Updated System information library



Changes for v3.1.1006 - v3.1.1007

  • Case Log
  • Added preliminary implementation of Case activity logging
  • Case Management
  • Made add note window resizable
  • Added vertical and horizontal scrollbars to Add note dialog, allowing more data to be saved and making it easier to format the notes.
  • Deleted files
  • Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to different threads sharing same drive handle)
  • Hash Sets
  • Fixed bug in deleting hash set from Tree View
  • Web Browser
  • Fixed missing URL info when adding web snapshot to case
  • WinPEBuilder
  • Can pass in .cfg file to preload some values of WinPEBuilder.exe
  • Install to USB
  • Updated GUI. If installing to USB Drive, then only USB location will be allowed. If creating a bootable device, then any folder is allowed. OSForensics will prefill the output destination of OSForensics (via WinPE Builder config file) when launching WinPE Builder (Requires WinPE Builder 1.0.107 and up).
  • Misc
  • Updated System information library



Changes for v3.1.1005 - v3.1.1006

  • Case Manager
  • Before deleting search indexes they will now be unloaded if currently in use rather than displaying an error message
  • Email Viewer
  • Added check for whether the recipient address is in X400 format. If so, try to obtain the SMTP Address instead.
  • File Indexing
  • Fixed a crash caused by partially compressed NTFS drives
  • Fixed bug with missing title and from addresses from index
  • Fixed bug with PST files not opening from search results due to incorrect/corrupt path
  • Fixed bug with x400 email address format when smtp format available for recipients.
  • Password Recovery
  • Windows login passwords: Added recovery of cached domain users, updated help file to match new UI and functions.
  • Install to USB
  • Fixed a bug where if the initial start failed (eg invalid target directory) the disabled buttons were not re-enabled, causing OSF to become un-usable
  • Misc
  • Updated error message when trying to copy files to clipboard from non supported devices



Changes for v3.1.1004 - v3.1.1005

  • File Indexing
  • Updated Zoom indexer to fix some crash issues
  • Bug fixes when indexing DOC and XLS files inside ZIP files
  • Install to USB
  • WinPEBuilder will launch with option to format USB drive filesystem as NTFS.
  • Password Recovery (Browser Passwords)
  • Fixed a bug with Chrome and Opera password recovery where the wrong password could be displayed in some cases (out by 1 place in the list) or no password might be displayed despite not being blacklisted
  • System Information
  • Fixed a bug that was displaying an error message when trying to run a custom command on the system information tab when using a selected drive



Changes for v3.1.1001 - v3.1.1004

  • Email Viewer
  • Added handling of rfc2047 encoding in subject/address fields of MIME headers
  • Fixed buffer overflow in status message while recovering deleted e-mails in PST files
  • Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to case
  • Fixed a bug with saving embedded message in PST/OST files as .msg. LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream instead of storage
  • ESEDB Viewer
  • Fixed population of known ESEDB files to use localised folder names instead of hard-coded locations
  • File Indexing
  • Pre-scanning can now be cancelled while scanning PST messages
  • Updated Zoom indexer to fix some crash issues
  • Updated Zoom Office XML plugin
  • Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from 255 characters to 65,535 characters.
  • During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not updating properly when > 2GB
  • Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file with many attachments
  • Fixed bug with only using last filename for all attachments of the same .MSG file
  • Fixed bug with losing generated body text with attachment filenames "Attachment(s): ... , ..." for .MSG file indexed.
  • Fixed bugs with indexing plain text emails in .MSG files
  • Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode corruption)
  • Fixed bug with possible Unicode string corruption when longer than available buffer (with languages such as Chinese with 4 char MB UTF-8 characters)
  • Fixed a bug with files sizes not being indexed in offline mode
  • Fixed a potential crash caused by long URLS
  • Fixed a crash during pre-scanning when indexing unallocated clusters
  • Fixed bug with search index failing on old format index files after a search with new format index files.
  • Fixed DOCX plugin that split words incorrectly due to revision history
  • Fixed crash bug with XLS files with invalid cell.templateID values
  • Import Hash
  • Fixed String/Buffer overflow during import progress updates (if import folder name is too long) by increasing string size
  • Internal Viewer
  • If viewing an Excel document that is password protected it will now display a relevant error message
  • Password Recovery
  • Shadow copy now used if registry file is locked
  • Recent Activity
  • Now attempting to get the localised name for the "Documents and Settings" folder from the registry when starting a recent activity scan so more information will be retrieved on non-English Windows installations.
  • Shadow copy now used if registry file is locked
  • Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not using live acquisition scan option).
  • Fixed scanning of system registry hives when no user hives are found
  • Search Index
  • Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results
  • System Information
  • Shadow copy now used if registry file is locked
  • ThumbCache Viewer
  • When looking up default Windows.edb location, now using localised folder names instead of hard-coded locations
  • WinPE Builder
  • Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command line argument '-f'. Not enabled by default, since FAT32 supports booting both BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside on FAT32 partition. If they are not on FAT32 the system may not see the device as bootable.)
  • Misc
  • Fixed bug with handling of NTFS files with mix of compressed/non-compressed fragments
  • Help file updates



Changes for v3.1.1000 - v3.1.1001

  • Case Management
  • Fixed potential deadlock after clicking 'Cancel' when items are being added to the case
  • Fixed 'To' field missing in e-mail case properties
  • Fixed 'From', 'To', 'Subject' fields missing in case report
  • Removed check for empty e-mail headers (From, To, Subject, etc...) when adding e-mail to case. Adding warning to log file instead.
  • Email Viewer
  • When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated. Currently, only HTML/text is supported.
  • File Indexing
  • Indexer updated to the latest Zoom Engine
  • Fixed a bug when indexing email attachments with accent characters in the folder path
  • Fixed infinite loop bug when indexing corrupted ZIP files
  • Fixed a crash bug with indexing MSI files (and any other files that can be misidentified as DOC)
  • Added error message when handling bad ZIP files.
  • Added default handling of .msi files as binary (filename only) format.
  • Recent Activity
  • Will now return files/folder from user's Recent Item folder (shell folder)
  • Added Support for Word 2013 Reading Locations to Recent File List Item
  • Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List
  • Added Adobe Acrobat Reader MRU locations
  • Now also parsing the subkeys to Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xxx, where .xxx is the file extension, to retrieve more information
  • Added Right Click Menu Option - Copy Row to Clipboard
  • GUI Fixes, Help File Link Update
  • Added Filter for text search of all fields for an activity type
  • Installed Programs, if there is no program name, will return registry location as the title.
  • Registry Viewer
  • When opening key paths containing SYSTEM\CurrentControlSet, which is a volatile symbolic link, it is now replaced with 'ControlSet00n' where n is the current control set
  • Search Index
  • Improved performance of adding PST e-mail/attachments to case by using the same e-mail file handle, instead of opening and closing for every e-mail message


