OSForensics will allow you to extract forensic data from computers, quicker and easier than ever. Uncover everything hidden inside a PC. Discover relevant forensic data faster with high performance file searches and indexing. Restore deleted files. Identify suspicious files and activity with hash matching, drive signature comparisons, and look into e-mails, memory, and binary data. Manage your digital investigation. Organize information and create reports about collected forensic data.
- Case Management: Images/drives without valid partition/file system info (i.e. boot sector) can now be added to the case. This allows the drive to be viewed using the Raw Disk Viewer
- File Indexing: Added support for indexing extracted binary text from "hiberfil.sys" and "pagefile.sys" (not limited by max file size limit)
- Fixed stemming problems during indexing
- Fixed bug with updating indexing status causing small indexing jobs to report no files being indexed
- Fixed bugs with identifying misnamed ZIP files during indexing
- Updated Engine/CGIs to V7 build 1008
- Image search results that are nested in archives are now displayed in the 'Images' tab
- Image search results that are nested in archives are now displayed with an 'archive' overlay on the top left corner of the icon
- Fixed bugs with accented characters in search result URLs
- Fixed bug with opening search results in the Internal Viewer
- Deleted Files Search: Fixed bug in file carving of .mov files (was including 4 additional bytes at the end, now removed)
- Fixed file carving of .pdf files. Will now check the buffer for four known combinations of end markers. If none is found, will default to looking for %EOF
- Fixed scanning of deleted files on mounted drives without partition information
- Raw Disk Viewer: Fixed divide-by-zero bug when performing a raw disk search on a disk with sector size = 0
- Fixed partition info in the Decode window not being updated correctly when a new disk is loaded
- Web Browser: Module will now load on first use instead of loading on startup. Starting page is now set to about:blank (was set to http://www.osforensics.com). This minimises the impact on a live target system when running OSF from a USB drive
- Internal Viewer: Fixed image stored in the alternate stream of a file not being displayed
- Misc: Fixed bug with FAT file system parsing caused by truncation errors when calculating cluster offset. This could prevent some FAT partitions from being mounted when the FAT partition's starting offset was a long way from the start of the disk
- Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled)
- Added debug statements when there are NTFS file system parsing errors in applying fixup values to MFT and index records (when DEBUGMODE mode is enabled)
- Updated WinPEBuilder.exe to include more debug messages
Reviewing 2.1.1000 (Aug 12, 2013)
Pretty interesting. Has a serious learning curve attached to it. Don't expect to be a CSI right out of the gate. Compared to EnCase, this has a nicer interface, and has the same challenge to learning where everything is, and how it all ties together. Haven't completed a full case in this one yet, but so far it's worked decently. Get it and try it. Certainly useful for any Information Assurance students.
Also sets itself as transportable which is ridiculously useful. I'll give it a 5 because it all comes together well.
Reviewing 2.0.1001 (Feb 4, 2013)
Most interesting +
Reviewing 1.2.1003 (Oct 7, 2012)
wholemkt9 go fu*** your self!