2014-07-16



OSForensics is a new digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of unique features which make the discovery of relevant forensic data even faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching and the ability to analyze recent system activity and active memory. OSForensics can build and let you view an events timeline which shows you the context and time of activities. You can even recover data and files that have been deleted by users. OSForensics comes with a built-in file viewer which lets you examine a file's contents, properties and meta-data, as well as an e-mail viewer which is compatible with most popular mail client formats.

Search within Files
If the basic file search functionality is not enough, OSForensics can also create an index of the files on a hard disk. This allows for lightning-fast searches for text contained inside the documents. The indexing is powered by the technology behind Wrensoft's acclaimed Zoom Search Engine.

Search for Emails
An additional feature of being able to search within files is the ability to search email archives. The indexing process can open and read most popular email file formats (including pst) and identify the individual messages.
This allows for a fast text content search of any emails found on a system.

Recover Deleted Files
After a file has been deleted, even once removed from the Recycle Bin, it often still exists until another new file takes its place on the hard drive. OSForensics can track down this ghost file data and attempt to restore it to a usable state on the hard drive.

Uncover Recent Activity
Find out what users have been up to. OSForensics can uncover the user actions performed recently on the system, including but not limited to:
Opened Documents
Web Browsing History
Connected USB Devices
Connected Network Shares

Collect System Information
Find out what's inside the computer. Detailed information about the hardware a system is running on:
CPU type and number of CPUs
Amount and type of RAM
Installed Hard Drives
Connected USB devices
and much more.

View Active Memory
Look directly at what is currently in the system's main memory. Attempt to uncover passwords and other sensitive information that would otherwise be inaccessible.
Select from a list of active processes on the system to inspect. OSF can also dump their memory to a file on disk for later inspection.

Extract Logins and Passwords
Recover usernames and passwords from recently accessed websites in common web browsers, including Internet Explorer, Firefox, Chrome and Opera.

v3.0.1000 - 14 of July 2014

New Modules:

ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail cache database (Windows Vista and later only)

ESE database viewer for viewing the records stored in ESE database files (.edb). ESE database format is used by a variety of Microsoft applications and can often contain data of forensics value.

Prefetch Viewer for viewing the application prefetch data stored by the operating system's prefetcher. This data includes when the application was last run and how frequently it has been run.

Case Management

Added option to "Make case default" when adding a device to a case so it is selected by default for future actions

When deleting cases, added prompt to allow the case files to be saved to another location before deleting

Adding attachments from case devices now supported

Multiple image partitions can now be mounted at the same time

VHD image files can now be mounted

Added 'Repeat action' checkbox to message box when adding a file already existing in case

Fixed a bug that was preventing undeleted files from being exported as part of a report

Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.

Fixed issue with setting newly mounted drives as default drive

Fixed bug with condensing white space when reading .OSFCfg files

When adding shadow drives, fixed combo box not being reset when changing drive selection

Changed the error message when adding an image file to a case to include the image name.

Fixed a bug preventing bookmark tables in reports from being sorted

Deleted Files Search

Searching for deleted files in HFS+ drives now supported

Results can now be displayed in 'thumbnail' and 'timeline' view

Timeline view now shows stacked bars grouped by file extension

Fixed overall system slowdown caused by large blocking file reads when file carving

Removed right click menu options that aren't supported by the file system

Fixed a crash when pressing a key with nothing selected

Fixed deleted directory icon not being displayed for non-NTFS file systems

Fixed deleted file fragmentation info not displaying for NTFS case devices

Fixed crash with invalid memory access when searching for ext2 deleted files

File System Browser

Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.

Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.

Added right-click menu option to attach selected files to case

Attribute modify date is now displayed for ext2 file systems

Fixed deleted icon overlay so that it displays correctly on XP

File Indexing

Indexer updated to the new Zoom Engine, which includes support for real-time logging

Indexing now supported for Shadow Volumes

Timeline view now shows stacked bars grouped by file type

Multiple history items can now be added to case

Multiple history items can now be deleted

Changed indexing/searching limit to 25000 items for Free version

Optimized index search by not reloading dictionary for every search

Fixed a crash when indexing multiple partitions mounted from image files

Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are loading

Fixed bug with DBX message count not being included in total e-mail count

Fixed Custom Limits not being saved/applied in Edit Template.

Fixed 'default' button not deselecting non-default filters in log window

Fixed unallocated cluster indexing not working for drives mounted in Standard mode

Fixed timeline date filter not filtering items correctly

Fixed regex filter combo box in 'Browse Index' tab showing invalid characters

Fixed invalid characters showing up in 'History' under the 'Settings' column

File Name Search

Timeline view now shows stacked bars grouped by file extension

Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.

Attribute modify date now displayed for ext2/hfs file systems

Fixed a memory leak when closing window

Hash set lookup

Added list of matched files when performing a hash set lookup of more than one item. The list view contains a list of files that are found in the hash set. Previously, only the number of matches was displayed without any information on the files that matched.

Added support for deleted files hash lookup

Internal Viewer

Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories

Metadata View tab now displays ExifTool metadata for deleted files

Metadata View tab now displays carved $I30 records for deleted directories

Added jump to index right-click menu option

Deleted files opened from the file system browser can now be viewed

Thumbnail cache data opened from the ThumbCache viewer can now be viewed

File Info tab now shows the file's starting LCN

Increased the default number of strings limit in Hex view tab to 50,000. Increased the max number of strings limit to 1,000,000

Improved loading and caching of files

Reduced file loading time by optimizing file system accesses

Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View

Fixed minor issue in File Info tab with short filenames appearing incorrectly

Fixed bug with hex viewer string extraction not stopping when max # results reached

Fixed viewer string extraction omitting words in results

Fixed 'Copy ASCII' in Hex view tab to copy all characters other than '\0' to clipboard

Fixed icon transparency not displaying correctly in Windows 8

Fixed metadata view tab showing icons when displaying EXIF metadata

'Unsupported file type' text is now displayed when failing to convert document files to text

Fixed crash due to buffer overflow bug with handling Excel document conversions

Email Viewer

Added support for searching message body

Added support for date filtering

Updated "Print" functionality

Fixed a bug with HTML email printing not having any headers

Fixed a bug with not printing full headers, RTF, and plain text mail

Recent Activity

Added scanning of Windows search database (Windows.edb) index records

Added scanning of prefetch items

Added scanning of Windows Credential Manager for browser passwords

Added 'Config' window for configuring scan options (date range, items to scan)

Added additional filter for MRU sub-categories when filtering by 'MRU'

Timeline view now shows the breakdown of activity types via stacked bar graph

Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)

Timeline view is now synchronized with File List view

Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items' hyperlink

Fixed crash when pressing 'Enter' with nothing selected

Fixed item selection when 'End' is pressed

Fixed stack overflow bug

Fixed error when opening the selected item with the registry viewer

For Chrome downloads, results now show filename from source URL if destination download path unavailable

Fixed scanning of IE history not working for certain versions of IE

Fixed a bug preventing the name of items from being output correctly for CSV export

Mismatch search

Added text colour to "Identified Type:" field for emphasis

Fixed a bug that was causing a crash when adding a file to a case

SQLite Browser

Files saved in temp folder are removed when exiting

Fixed uninitialized pointer bug when exiting program

Password Recovery

Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options

Updated the Firefox password recovery feature to work with the latest version of Firefox (24)

Fixed a bug where the password was not displayed if there was only one password entry stored in the Firefox database

Updated error message to show correct error code when permissions prevented some registry changes

Fixed crash when adding .rti rainbow tables without valid file segments

Under 'Generate Rainbow Table' tab, moved the character set definition in the combo box to an edit control due to length

Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable

Drive Preparation

Fixed Write pattern function incorrectly reporting a write error near the very end of the drive for some USB flash drives

Drive Imaging

Restoring VHD image files now supported

Disk image name and type is now maintained when using the browse button (if already entered)

Fixed bug with imaging drives as EnCase files

Install to USB

Added window message processing during the USB installation process so the application doesn't display as "Not responding"

Disabled Install/Exit/Browse buttons when install process starts

Stopped "Install to USB" function from working when not installing to a USB/removable drive

Web Browser

No longer creates a web browser temporary dir as it was not being used and was not being cleaned up properly after program exit.

Misc

Deleted files are now supported in thumbnail view

Various performance improvements when loading thumbnails in thumbnail view

Fixed display of files without high resolution icons in thumbnail view. Previously this meant a tiny icon was drawn

Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag in thumbnail view

Fixed crash caused by bug with retrieving the file icon in thumbnail view

Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail view

Added support for stacked bar graphs via groups in timeline view

Fixed bug when the data spans greater than 30 years in timeline view

Increased copy to clipboard limit from 100 to 10,000 files

Fixed a crash when handling compressed files on NTFS for cluster sizes

Redirected stdout containing Unicode characters should now work correctly (e.g. from System information tools)

Fixed some flickering when adding files to case

Updated OSFMount to v1.5.1015

Fixed several crashes that could occur when closing OSF

Fixed crash when attempting to shadow copy files from a drive mounted in standard mode

Non-raw image files that cannot be opened properly will be opened as raw

Reduced flickering when resizing window

Fixed copying of shadow copies of locked files into temporary directory