OSForensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.
- Discover Forensic Evidence Faster
- Identify Suspicious Files and Activity
- Manage Your Digital Investigation
- Import and export of hash sets
- Customizable system information gathering
- No limits on the number of cases being managed through OSForensics
- Restoration of multiple deleted files in one operation
- List and search for alternate file streams
- Sort image files by colour
- Disk indexing and searching not restricted to a fixed number of files
- No watermark on web captures
- Multi-core acceleration for file decryption
- Customizable System Information Gathering
- View NTFS directory $I30 entries to identify potential hidden/deleted files
What's New (v3.1.1008 - 2015-06-10):
- Create Index
Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
- Added indexing of From/CC/To etc. addresses from MSG attachments.
- Added missing support for indexing headers for MSG files
- The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed
- Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
- Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
- Fixed bug with indexing attachments from MSG files (failing to recognize file type properly)
- Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
- Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
User can now specify whether logging is enabled/disabled when creating or editing a case
- Error message is displayed if the log file is corrupted or tampered with
- When generating a report, "No title" is now added when an item has no title, so the link to the file is visibly created
- When renaming (moving) cases, case items still used the old metafile path, causing issues with non-existent paths. Fixed by reloading the case after moving.
- E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name
Supplemental log entries added across all modules
- When logging is disabled, controls are now disabled and message is shown to the user
Fixed drive drop down list to include Case devices
Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates
Fixed bug with retrieving the clusters of a deleted NTFS file. This bug could potentially cause an invalid memory access crash
- Unallocated cluster information now being used for mounted devices
- Fixed bug where multiple deleted files could not be saved from a partition without a drive letter (due to invalid characters in the device path)
- The number of files that were not saved due to reallocation now displayed
- Improved performance of saving deleted NTFS files
- Deleted files stored in multiple MFT records are now being handled
- Proper stream names are being used when restoring a deleted NTFS file
Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab
- Added check for no physical disk selected
- The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO
Bug fix, stripped trailing space character from event title.
A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent
- Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
- File Name Search
Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable
Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny files, e.g. 0 byte files, always appearing in a hash set where there was a 0 byte file on creation)
- Password Recovery (Windows Login Passwords)
Added cached domain users to recovery for local drives
- Fixed a crash that could happen when recovering cached domain users
Added timestamps to WLAN items for the associated XML profile or registry key (where available)
- Bug fix, export event to CSV will now include the item's title.
- Columns will remember their widths when filtering, sorting and navigating to different activity types.
Added To/From/CC information to attachment output when searching an index
- Removed the From/To/CC fields from the CSV export of a search for items that aren't emails/attachments
- Fixed bug with broken links in search index results for files containing percent encoding in filename
Added cached domain users to "Get User Info (registry)"
Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view
List/tree views across OSF now show the selected item even when the control loses focus
- Fixed drawing issues when minimizing navigation buttons
- Removed flickering when resizing window
- Fixed buttons not being displayed when resizing window
- Fixed drawing issues when resizing file/folder popup dialog
Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
Updated help for new Case Activity Log section to describe logging feature
- Updated help with info on user editable file carving configuration file, osf_filecarve.conf
- Updated help to mention timezone in case management
- Updated System information library
Release Date: 2015-06-10
Installer (51.23 MB):