OSForensics V4 Beta release

OSForensics V4 is now available for beta testing. You can download it using this link.

What’s new

Password recovery

• Wifi passwords are now recovered & decrypted from the registry and file system.
• Windows auto-logon password are now recovered & decrypted from registry.
• Outlook & Windows live mail passwords are now recovered & decrypted.
• Microsoft product keys are extracted from the Windows registry
• New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
• Specific rows in the password report can now be selected for export or adding to the case.
• GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR file. (Work in progress)
• Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc… (SHA512 hashing has been implemented in addition to SHA-1). (Work in progress)
• New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
• Added NTLM hash cracking to the common password check for the Windows login password
• Added NTLM hash rainbow table generation.

User interface & work flow

• It is now possible to change the order of buttons in the left menu. Now called the Work Flow menu. This can allow the button order to reflect the chronological order of specific forensics processed.
• Checkboxes in several windows rather than multi-select with having to continuously hold select/ctrl.
• New ‘File Details’ tab in several windows that displays the search results in a list view.

Recent activity artifacts

• Added OS X artefacts to Recent Activity feature for Mac drives
• Updates in Recent Activity for newer browsers (including Edge)
• Faster collection of Window Search terms in recent activity (reducing hours to minutes for the worst case)
• Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
• Added USB first connected time from parsing setupapi.dev.log
• The ability to reorganize and/or hide show certain columns by right clicking on the column title area to configure it on the File Details tab was added.

File system support & imaging

• exFAT is now a supported
• Added read-support for .Ex01, .Lx01, and .L01 image formats
• Improvements to HFS+ support for Macs.
• Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
• Added a log option for Forensics Copy
• Added ability to supply multiple source paths when performing Forensic Copy
• Owner/group/permissions are now preserved in Forensic Copy
• Better exposed the function to compare shadow copies.

Memory viewer

• The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
• Handles and loaded Modules are displayed per process when available
• Users can create Process Specific binary dumps through right click options and add to the case.

File name search

• The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
• Peer to peer file types have been added as a new pre-set search selection.
• The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
• Improved the default settings
• Ability to group the search results by file type in ‘File Details’ view

File indexing and searching

• Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
• Improved relevance scoring when hundreds of matches are found within the same file
• Restored torrent file indexing which got accidentally broken in a past release.
• Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
• Improved search results layout

Reporting & Case Management

• PDF output added.
• New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
• Added option to include file EXIF metadata in the report
• Custom Logos are now easier to added
• Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
• Added and Add External report feature in case management will support adding an external HTML report directory to properly display other tools report.

System information

• BitLocker Detection preset added to System Information
• Updates to System information to detect new CPU types
• Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.

Hashing

• Button to add Hash results to case

Internal file viewer

• Updated video previewer to support more video formats. Including video in these formats. 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
• Can do screen capture from the File Viewer.

Email searching

• Added BCC searching for Emails.
• Additional details are indexed when indexing Emails (for some formats).
• Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files

Deleted files

• Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for caving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
• Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
• Ability to group the search results by file type in ‘File Details’ view

Other changes

• Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
• Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
• Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
• Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs