2017-06-01

OSForensics is a powerful software suite used for computer forensics. OSForensics is most often used by investigative authorities, special units and forensic expert bodies to compile incontrovertible evidence of illegal activity carried out from a seized computer. It is most often used to create exact copies of the disk system, which are then examined by independent experts.

Main features of OSForensics:

Searching several times faster than the standard Windows search

Indexing that speeds up searching even further

Searching the history of all popular e-mail clients

Recovery of deleted files

Viewing recently used documents

Viewing computer usage activity

Collecting complete information about the computer's hardware and software

Viewing and creating an exact copy of RAM

Extracting user names and passwords from browsers

OSForensics can also be used for simpler but important tasks, such as searching for lost files, recovering passwords and uncovering various virus infections. License: Freeware.

Changes in OSForensics 5.0.1000:

•New PList Viewer

◦Added a new Plist viewer

◦Text forward/reverse search option.

◦For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).

•NEW $UsnJrnl Viewer

◦Added support for loading $UsnJrnl files saved as a regular file (i.e. not as the $J alternate data stream)

◦Added support for $MFT file lookup to determine full path

◦Added support for searching for subtext

◦Added right-click menu options for viewing file, exporting records and adding records to case

◦Added progress bar when parsing USN records, loading $MFT file and searching for subtext

◦Improved loading speed by searching for records from the end of the file

◦Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.

◦Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT.
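The two items above describe how the new viewer builds a path (parent MFT# from the USN record, then the record's own filename) and when it flags a path as unreliable. The following Python is an added example written for this page, not OSForensics code: it parses USN_RECORD_V2 structures from a constructed buffer, resolves each path against a constructed in-memory $MFT table, and flags records whose parent MFT# or filename disagrees with that table. It also reports a zero FILETIME as "Unknown date" rather than 1/01/1601. The record layout follows Microsoft's USN_RECORD_V2 documentation; the $MFT table, sample records and the treatment of a missing $MFT entry as "unverified" are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME), Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
_USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ROOT_MFT_ENTRY = 5          # MFT entry number of the NTFS root directory
MFT_ENTRY_MASK = 0xFFFFFFFFFFFF  # low 48 bits of a file reference = entry number

def filetime_to_text(ft):
    """Render a 64-bit FILETIME; a zero value means 'no timestamp', not 1601-01-01."""
    if ft == 0:
        return "Unknown date"
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")

def parse_usn_records(buf):
    """Yield one dict per USN_RECORD_V2 in buf, stepping over zero-filled (sparse) regions."""
    off = 0
    while off + _USN_V2.size <= len(buf):
        (length, major, _minor, fref, pref, usn, ts, reason, _src, _sid, _attrs,
         name_len, name_off) = _USN_V2.unpack_from(buf, off)
        if length == 0:
            off += 8          # records are 8-byte aligned; skip padding in 8-byte steps
            continue
        if major != 2 or length < _USN_V2.size or off + length > len(buf):
            raise ValueError("unsupported or truncated USN record at offset %d" % off)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "mft_entry": fref & MFT_ENTRY_MASK,
               "parent_entry": pref & MFT_ENTRY_MASK, "name": name,
               "time": filetime_to_text(ts), "reason": reason}
        off += length

def resolve_path(rec, mft):
    """Path = chain of parent directories from the record's parent MFT# + the record's filename.

    mft maps entry number -> (parent entry, name) as read from the $MFT (constructed here).
    Returns (path, reliable); reliable is False when the record disagrees with the $MFT."""
    reliable = True
    parts = [rec["name"]]
    entry, seen = rec["parent_entry"], set()
    while entry != ROOT_MFT_ENTRY:
        if entry not in mft or entry in seen:   # unknown parent or a cycle from reused entries
            reliable = False
            parts.append("<unknown:%d>" % entry)
            break
        seen.add(entry)
        parent, name = mft[entry]
        parts.append(name)
        entry = parent
    # Cross-check: the $MFT entry the record points at must carry the same parent and name.
    # A missing entry (deleted or reused since the journal entry) is treated as unverified.
    own = mft.get(rec["mft_entry"])
    if own is None or own != (rec["parent_entry"], rec["name"]):
        reliable = False
    return "\\" + "\\".join(reversed(parts)), reliable

def analyse_journal(buf, mft):
    """Parse every record in buf and resolve its path; returns a list of result dicts."""
    results = []
    for rec in parse_usn_records(buf):
        path, ok = resolve_path(rec, mft)
        results.append({"usn": rec["usn"], "path": path, "reliable": ok, "time": rec["time"]})
    return results

def build_usn_record(entry, parent, name, usn, filetime, reason=0x80000000):
    """Constructed test data: encode one USN_RECORD_V2 (sequence numbers fixed at 1)."""
    name_bytes = name.encode("utf-16-le")
    length = (_USN_V2.size + len(name_bytes) + 7) & ~7
    header = _USN_V2.pack(length, 2, 0, entry | (1 << 48), parent | (1 << 48),
                          usn, filetime, reason, 0, 0, 0x20, len(name_bytes), _USN_V2.size)
    return (header + name_bytes).ljust(length, b"\0")

# Constructed $MFT table: entry -> (parent entry, name). Entry 72 was renamed after the journal
# entry was written, and entry 99 no longer exists in the $MFT.
SAMPLE_MFT = {5: (5, "."), 64: (5, "Users"), 70: (64, "alice"),
              71: (70, "notes.txt"), 72: (70, "photo.jpg")}
SAMPLE_FT = int((datetime(2017, 6, 1, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_JOURNAL = (build_usn_record(71, 70, "notes.txt", 1000, SAMPLE_FT)
                  + b"\0" * 16                                   # sparse gap inside $J
                  + build_usn_record(72, 70, "old.jpg", 1096, SAMPLE_FT)
                  + build_usn_record(99, 70, "deleted.tmp", 1176, 0))  # zero timestamp

if __name__ == "__main__":
    for r in analyse_journal(SAMPLE_JOURNAL, SAMPLE_MFT):
        flag = "" if r["reliable"] else "   [unverified: would be shown in red]"
        print("USN %d  %s  %s%s" % (r["usn"], r["time"], r["path"], flag))
```

Running the block prints three lines: notes.txt resolves cleanly, old.jpg is flagged because the $MFT now holds the name photo.jpg for entry 72, and deleted.tmp is flagged because entry 99 is gone and its timestamp reads "Unknown date". Flagging rather than dropping such records matters for an examiner: the journal entry is still real evidence of activity, only the reconstructed path is uncertain.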

•Analyze Shadow Volume

◦Results can now be exported in HTML and CSV format

◦Added button to export results to case

◦Added right-click menu for exporting results

•Case Manager

◦Added support for mounting file paths as a device in the case

◦Adding devices to case now supports adding local folders in addition to network paths. Renamed ‘Network Path (UNC)’ to ‘Folder / Network Path’

◦When adding an image file to case, the ‘Select partition’ dialog has been updated to reduce confusion.

◦Added option to export $UsnJrnl records to report

◦Fixed index OOB error when exporting deleted files to report

◦Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.

◦Fixed error message when viewing the properties of a Case Device

◦Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.

•Compare Signature

◦Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).

•Create / Verify Hash

◦Added secondary hash function to allow calculating 2 different hashes simultaneously

•Deleted Files Search

◦Added right-click menu to re-arrange columns in Details View

◦Added ‘Source’ and ‘File number’ columns to details view

◦Directory records found in $I30 slack space are now included in the results

◦Records found in $I30 attribute in deleted MFT directory records are now included in the results

◦Fixed bug with misreported quality when multiple streams exist for the deleted file

◦"Save and Open" right-click options no longer prompt the user for a location to save the file; it is saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly

◦When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension

◦Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB

◦Added *.msg to the search preset for e-mails

•Drive Imaging

◦Fixed error copying single files to logical image due to directories not being created

◦Fixed file size of single file not included when calculating VHD image size

◦When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than their file size.

◦Fixed bug with drive list in ‘Create Image’ tab containing devices from previous case after switching cases

•Email Viewer

◦Fixed buffer overflow of ‘From’ field

◦Fixed heap corruption when opening .eml files with quoted printable encoded text

•File Indexer and searching

◦New Zoom build with fixes for:

◾Fixed bug with indexing zero date as "23/04/2009 6:24:48"

◾Indexing "delivery time" for PST emails; "submit time" is only indexed if the former is not available. Previously only the submit time was indexed, which meant Drafts/Deleted items had no time in the index and were inconsistent with EmailViewer, which would display a date/time.

◾Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.

◦Fixed bug with Search Index -> Advanced settings’ Date/Time range not being applied.

◦On History tab, when choosing right-click menu's "Display Search Results & Add to Case…", it will now export the list of results to the case along with adding the corresponding files.

•File Name Search

◦Added right-click menu to re-arrange columns in Details View

◦Added *.msg to the search presets for e-mail

◦Fixed performance issue when searching with alternate stream criteria. Basic search criteria (e.g. file name, attributes, etc.) are now checked before performing the much slower stream criteria check.

•File System Browser

◦Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.

◦Fixed text not appearing in icon/list view

◦Improved responsiveness when changing directories

◦Fixed bug with calculating folder size on disk for non-NTFS file systems

◦Fixed deadlock when multiple threads are accessing mounted devices simultaneously

◦Added right-click menu to re-arrange columns in Details View

◦When calculating folder sizes, stream sizes are now included

◦Added error messages when performing certain operations on $I30 slack items

◦Deleted artifacts recovered from $I30 slack space can now be displayed.

◦Files that have reparse points are now displayed in green

•Hash Sets

◦Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters

•Internal Viewer / File and Hex Viewer

◦File Viewer tab, changed volume controls to trackbar + mute button

◦Added ‘IP address’ filter to Hex Viewer string extraction

◦When viewing buffers (e.g. deleted files) in the "file viewer" tab, the buffer is first saved to a temporary file and then loaded. Previously, an 'Unsupported file format' message was displayed.

◦Removed unnecessary saving of temporary files for file paths containing case devices

◦Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.

◦Removed limit on the number of extracted strings

◦Added encryption, reparse point, sparse file, system compression attribute checkboxes

◦Added right-click menu option to save data to disk. This allows saving file streams and buffers (e.g. deleted files) to a file.

◦Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
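Three of the Hex Viewer items above concern string extraction: the new 'IP address' filter, extraction that no longer blocks the window and can be cancelled, and the removal of the result limit. The Python below is an added example for this page, not OSForensics code, showing the technique as a defender would implement it over a constructed byte buffer: ASCII and UTF-16LE runs are produced by a generator (so there is no result cap and the caller can stop early), and an IPv4 filter with bounded octets rejects look-alikes such as 999.1.1.1 that a naive `\d+\.\d+\.\d+\.\d+` pattern would report. The sample buffer, minimum length and the returned offsets are assumptions of the example.

```python
import re

# Bounded IPv4 dotted quad: every octet 0-255, not embedded in a longer digit/dot run.
IPV4 = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?![\d.])")

def extract_strings(buf, min_len=4):
    """Yield (offset, encoding, text) for every ASCII and UTF-16LE printable run.

    A generator keeps memory flat however many strings the buffer holds (no result limit)
    and lets the caller simply stop iterating to cancel a long extraction."""
    ascii_pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_pat.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_pat.finditer(buf):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le")

def find_ip_addresses(buf, min_len=4):
    """Apply the IPv4 filter to extracted strings; returns a list of (byte offset, ip) sorted by offset."""
    hits = []
    for off, enc, text in extract_strings(buf, min_len):
        width = 2 if enc == "utf-16-le" else 1   # UTF-16 characters occupy two bytes each
        for m in IPV4.finditer(text):
            hits.append((off + width * m.start(), m.group()))
    return sorted(hits)

# Constructed sample buffer: binary noise, one ASCII string with an IP and a port, one ASCII
# string with a bogus 999.x.x.x and a real address, and one UTF-16LE string with an address.
SAMPLE_BUFFER = (
    b"\x00\x01\x02junk\x00"
    b"connect to 192.168.1.20:443\x00"
    b"\xff\xfe"
    b"bad 999.1.1.1 and 10.0.0.5\x00"
    + "peer 10.10.10.10".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for offset, ip in find_ip_addresses(SAMPLE_BUFFER):
        print("0x%08x  %s" % (offset, ip))
```

The offsets returned are byte offsets into the buffer, which is what an examiner needs to jump back to the surrounding bytes in the hex view and judge the context of a hit.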

•Memory Viewer

◦Added right-click menu to re-arrange columns of the process list

◦Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8

◦Changed the extension for memory dump files from .bin to .mem

◦Added tabs for ‘Live Analysis’ and ‘Static Analysis’. Previous view has been moved to ‘Live Analysis’ tab. ‘Static Analysis’ allows the user to launch ‘Volatility Workbench’ process with the specified memory dump file.

•Passwords

◦New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.

◦Find Passwords & Keys: Added right-click menu to re-arrange columns

◦Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the ‘n item(s) checked’ link opens a menu with a list of operations to perform.

◦Fixed bug where Wi-Fi profiles weren't searching the correct location in some cases when "Live acquisition" was picked (could search incorrect drive letter)

◦Fixed bug where Wi-Fi profiles might not search the correct location in localised (non-English) versions of Windows

◦Fixed a crash that could occur when searching Wi-Fi profiles

◦Fixed possible crash when getting system passwords

◦Added more info to display, client thread status, benchmark, password length and prefix.

•Prefetch Viewer

◦Fixed possible crash due to buffer overflow

•Raw Disk Viewer

◦Added a list of preset regular expressions combo box that can be used when performing a raw search

◦Improved performance of search window list view

◦Removed max search results limit in search window

◦Fixed synchronization issues potentially resulting in crash

•Recent Activity Viewer

◦Changed how the Windows user directories are searched for, so that all operating system dependent locations (XP, Win7 etc.) are now searched instead of only the known location of the first one found. For example, if an XP system contained a "Users" folder in the root directory, previously only the (possibly empty) Users folder was searched and the "Documents and Settings" location was not.

◦Fixed a "missing column" error for old versions of Firefox cookies

◦Made some changes when trying to repair a "dirty" Windows search database (e.g. from a system image of a currently running system) so that if the esentutl tool crashes, OSF will attempt to run it again

◦Added P2P artifacts from the BitTorrent and uTorrent resume.dat folder; also checks the user's Download directory for .torrent extensions.

◦Fixed Bug with P2P Items not showing details on the File List Tab

◦Added Search queries artifacts for Ares Galaxy

◦Added Shareaza P2P Search Artifacts.

◦Added Emule P2P Artifacts

◦Added SABnzbd P2P Artifacts

•Report Templates

◦Combined ‘Drive Imaging’ and ‘Forensic Copy’ HTML template into a single ‘Forensic Imaging’ HTML template

•Start Window

◦Renamed “Website Passwords” to “Scan for Passwords/Keys”

◦Renamed “Removable Drive Preparation” to “Drive Preparation”

◦Added icon for launching ‘Volatility Workbench’ under ‘Viewers’ group

•System Information

◦Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands

•Web Browser

◦Fixed bug where saving the complete webpage was not working correctly

•Misc

◦Changed date/time format to 24-hour clock

◦Fixed crash when Exception filter is executed

◦Moved ‘Forensic Copy’ module to ‘Drive Imaging’ module as a new tab. Renamed ‘Drive Imaging’ to ‘Forensic Imaging’

◦Fixed ‘Forensic Copy’ and ‘Drive Imaging’ logs not appearing in generated report

◦Fixed some flickering issues when resizing

◦Updated File Name Search preset list to include Virtual Machine files

◦Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".

◦When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.

◦Added template files for exporting $UsnJrnl records to report

◦Fixed bug with the initial directory not being set correctly in the select file dialog

◦When prompted to select a file, the last directory path is now used as the initial directory if not specified

◦Fixed bug in handling alternate data streams with multiple $DATA attributes

◦Added support for accessing BitLocker-encrypted drives in raw form

◦Updated HTML Editor to show character count.

◦External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, UsnJrnl and Plist) will retain the size of their last viewer window closed for subsequent openings

◦Performance increase when opening registry files

◦Fixed several potential crash points when closing the OSF application while the progress window is still showing

◦Updated help file with $UsnJrnl Viewer section

◦Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not to be created when debug mode is enabled.

