Discover all relevant forensic evidence from a system, quickly and easily!

OSForensics

OSForensics 9.0.1000

  -  203.16 MB  -  Trial

Sometimes latest versions of the software can cause issues when installed on older devices or devices running an older version of the operating system.

Software makers usually fix these issues but it can take them some time. What you can do in the meantime is to download and install an older version of OSForensics 9.0.1000.


For those interested in downloading the most recent release of OSForensics or reading our review, simply click here.


All old versions distributed on our website are completely virus-free and available for download at no cost.


We would love to hear from you

If you have any questions or ideas that you want to share with us - head over to our Contact page and let us know. We value your feedback!

  • OSForensics 9.0.1000 Screenshots

    The images below have been resized. Click on them to view the screenshots in full size.

    OSForensics 9.0.1000 Screenshot 1
  • OSForensics 9.0.1000 Screenshot 2
  • OSForensics 9.0.1000 Screenshot 3

What's new in this version:

Map Viewer:
- Added Map Viewer module which enables users to view GPS locations marked on a world map.
- Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
- Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (ie. Geocoding
- Added map email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.

Auto Triage:
- Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
- Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.

Boot VM:
- Updated to now allow booting for MacOS (10.13 and above)
- Now includes support for VMWare Workstation Player 16
- Clipboard Viewer and Signatures Module
- Restructured UI for consistency and simplicity in OSForensics user experience
- Create / Search Index
- Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
- Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allow indexing of GUIDs values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
- Added sub tabs under ‘Browse Index’. These include Words, Files and Protected lists.
- Added "Save to disk" checked items menu option
- Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
- Fixed bug with "Search Index", when matching exact phrases only found in meta description
- Fixed crash bug for when page is near end of index
- Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
- Fixed timeline filter and other UI issues
- Fixed cleanup of previous state when closing case
- Fixed bug with email indexing causing corrupt index when long header or attachments are used as description in index
- Fixed crash bug when corrupt index is encountered during a search and cleanup occurs, and subsequent searches did not reload the index
- Added handling for partial index unloaded/reloading due to unexpected error cases (low memory, corrupt index, etc.)

Disk Preparation:
- Fixed a bug stopping Disk 0 from being formatted

Decrypt File:
- Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.

Deleted File Recovery:
- Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
- Added ability to right click on an extension in the scan status tab to view the set of files.
- Added the Face and Nudity Scan feature to the sorting option
- FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
- Fixed display bug where scrolling to the right and then back, where the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
- Fixed a crash that could occur when no files where found
- Device Manager
- Added support for per-volume encryption, as used in newer versions of Apple’s APFS file system.

Email Viewer:
- Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
- Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
- OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
- Added support for indexing EMLX files from Apple Mail
- Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case
- Event Log Viewer
- Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (for eg “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX").

File Name Search:
- Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
- Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
- Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
- Fix stack overflow crash due to large local string variables
- Changed search preset name ‘Windows Shortcut Files’ to ‘LNK Files’
- Updated the P2P pre-sets to include UseNet related keywords
- Hash Sets and Create Hash
- Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
- Added SHA3 (256, 512) as hash options

Internal Viewer:
- Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
- Jump to file when double clicking thumbnail
- Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
- When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
- Improved drawing performance and navigation buttons.
- Hex view, add 'Export strings...' link to string extractor
- Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
- Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
- When analyzing images, add right-click menu options to embedded thumbnails to 'View with internal viewer...' and 'Add to Case'

Mismatch Search:
- Restructured UI for consistency and simplicity.
- Fix bug with 0 byte files not being excluded from results

Password Recovery:
- Restructured UI for consistency and simplicity.
- Distributed password cracking with support for Multiple GPUs (Pro Only). Supports up to 1000 total clients when using distributed cracking
- Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords

Program Artifacts:
- Restructured UI for consistency and simplicity

Raw Disk Viewer:
- Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)

System Information:
- Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link)

Thumbnail Viewer:
- Fixed drawing of images with alpha channel

Tag/Untag:
- Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
- Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer’ will open the SQLite database where cookie was stored.
- Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager

User Activity:
- Restructured UI for simplicity and consistency.
- Moved 'Remove filter' link to 'Activity Filters' drop down
- Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
- Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
- Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
- Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
- Fixed activity-specific right click menu options and enter/double click options
- Added support for parsing UseNet NZB files to display filename, file size, poster and time
- Added Newshosting UseNet client P2P artifacts
- Changed the tree-view “Most Recently Used” item to be collapsed by default
- Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
- Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
- Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
- Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
- Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
- Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
- Added support to collect details about recently viewed PDF files in Acrobat Reader and their file size and page numbers.
- Added an option in the config window to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them
- Added support to collect the VLC Media Player last opened filepath by parsing it's .ini file

Start Menu:
- Added search bar to the start page to quickly find OSF features

Workflow:
- Set Mount Drive Image button to be hidden by default in the Workflow menu. This was done as the Add Device function is preferable in nearly all cases

Python API:
- Add methods for adding/removing device from case (including BitLocker and Volume Shadow devices)

Remote Server:
- Fix bug in creating destination folders when source path is a network folder

Security:
- Update EXIFTool to 12.25 due to ACE security vulnerability