-
Latest Version
-
Operating System
Windows XP / Vista / Windows 7 / Windows 8 / Windows 10 / Windows 11
-
User Rating
Click to vote -
Author / Product
-
Filename
osf.exe
-
MD5 Checksum
bbe98e3a20fb7c04891b4987eb332248
Sometimes latest versions of the software can cause issues when installed on older devices or devices running an older version of the operating system.
Software makers usually fix these issues but it can take them some time. What you can do in the meantime is to download and install an older version of OSForensics 11.0.1000.
For those interested in downloading the most recent release of OSForensics or reading our review, simply click here.
All old versions distributed on our website are completely virus-free and available for download at no cost.
We would love to hear from you
If you have any questions or ideas that you want to share with us - head over to our Contact page and let us know. We value your feedback!
What's new in this version:
Analyze Shadow Copies:
- Fixed issue where analyzing "Drive-C" shadow copies was not working
- Re-arranged some UI elements
Android Artifacts:
- Changed to use a wizard to obtain, scan and load Android artifacts
- Updated OSFExtract app to support newer versions of Android
Boot VM:
- Added VirtualBox 7 and VMWare 17 to supported hypervisors
- Fixed issue with long .vmx filenames
Auto Triage:
- Added automatic encryption certificate collection option
- Fixed issue where Windows certificates task never completed
- Fixed Windows certificates option check not being saved
- Fixed certificates added to case being categorized as images
- Fixed generated report html files were incorrectly copied
Deleted File Search:
- Added Carving Option to main Deleted Files Screen, so no need to go into Config file anymore
- Added "Calculate Hash of File(s)" to right click menu
- Added ability for the user to create a new folder when utilizing the "Save Deleted File(s) to Disk" option
- Fixed possible crash when no drive is selected for scanning
- Fixed no drive being set for scanning when loaded case has no default drive
Device Manager:
- Added check for invalid sub device names (e.g. when ':' is mistakenly added to the partition name "image:\part1:\Windows\System32")
Email Viewer:
- Support displaying email messages when loading MBOX folders found on MacOS
- When opening an MSF file (meta data file) which Thunderbird uses to index emails, the Email Viewer will attempt to load the corresponding MBOX in the same directory (the MBOX has the same name as MSF file but without an extension)
- Added "To" column to the email list view
- Updated default email export title to "[{filename}] {first 32 chars of subject}"
- Updated to allow Email Boxes/Files to be removed by right-clicking on tree view item
ESEDB Viewer:
- Added support for Win11 22H2 & 23H2
Event Log Viewer:
- Added a new filtering option to allow searching all event log files at the same time
- Added RDP and PowerShell logs to the presets list
- Added option to allow cancelling of loading process that is taking a long time
- Updated to allow for reading of event log files located anywhere on the machine, in case they have been moved from their standard location
- Improved presets filtering to make it also work on folder scan and single log file scan
- Improved performance of loading large log files
File Hashing:
- Fixed Quick Set not adding to treeview
- Fixed on hash set viewer closing, it would swap to different window
File Name Search:
- It is now faster. A lot faster. In some cases up to 40x faster. Whole hard drives can be searched in under 1 second (depending on hardware and the number of files). This was the result of improved caching and dozens of separate low level optimisations.
- Added second level search to search the File Name column within the existing results, supports wildcard characters
- Added new presets: "All Folders (No Files)", "All Files (No Folders)", "Certificate Files"
- Added .msf to the Email file search preset (.msf file is only the index, but it is an indication that Emails might be in the same folder)
- Added config option to detect encryption/compression by File Analysis (and/or Entropy)
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Changed "folder to scan" field so it now shows "Multiple directories selected" instead of the first folder in the list
- Changed so when "Search in Hash Set Database" is checked, the hash being used is shown in the status bar
- Changed so the sort order prior to a new scan is reset to prevent triggering the Face/Illicit Detect on search completion
- Changed so user is warned if the start directory specified is a child or parent directory of existing item in the directory to be scanned list
- Changed to allow searching through directories that are re-parse points when device is in Forensics Mode
- Changed to allow adding re-parse point files to case
- Renamed "All Files" to "All Items (Files & Folders)" preset
- Opening a folder will now open the folder in File System Browser
- Increased the length of the text users can type into the configuration directory field
- Updated several search presets to exclude folders to avoid false positives and changed the search string from using wildcard (*) to improve search times
- Set the current device selection as the default value for the Directory in the Config dialog
- Set the Directory value as the case default drive when user clicks the Reset button in the Config dialog
- Fixed bug where "Make Database Active" setting was not updating the Active Database in the Hash module
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed issue where it would add to directories to scan rather than replacing them
File System Browser:
- Added option to right-click menu to allow users to open a file with OSF internal viewer
- Mapped the Back/Forward buttons on the mouse (XBUTTONS) to the existing GUI Back/Forward button on the File System Browser
- Fixed the bug where MFT Modify Date(Attribute Modify Date) column name was not displaying properly
File Viewer:
- Viewed, Tagged or Categories values can now be modified
- Separated flags into OSF and User flags
- Added "Check file in list" option, when checked, updates checkbox in file list view of the File Name, Deleted File and Mismatch File Search modules
- Added new graph to chart the entropy for a file
- Added "not in hash set" flag to File Info tab
- Added categorized case item status and category name in the file info tab
- Added EXIF metadata tag group (family) name, this would be helpful to distinguish the two tags which have the same name but belong to different tag groups
- Added check for direct access NTFS directory before retrieving $I30 entries
- Tag group names are now shown in the case item properties window and exported report
- Automatically rotate images based on EXIF data
- Fixed "in hash set" flag always being enabled even when file is not in a hash set
- Fixed issue with being unable to play .avi files with tscc encoding
- Fixed issue where images were distorted when rotated
- Fixed issue when attempting to load videos from logical drive
- Fixed column headers disappearing in OSF File Viewer for Compressed filetype when moving/hiding window
- Fixed possible crash when opening .heic images from file
- Fixed non-monospace font used for hex viewer in WinPE
- Fixed bug where files in some folders get mistaken as folders
- Removed check for ERROR_NO_MORE_FILES when displaying file metadata
Indexing:
- Combined the Create Index and Search Index modules into a single module with tabs for each module
- Added ability to index Windows Event Log files
- Fixed looping/hang issue when trying to index invalid MBOX files
- Fixed save dialog not appearing when saving files in the email tab
JSON Viewer:
- Fixed freezing on large JSON files
- Fixed crash when importing JSON files
- Fixed possible crash on JSON Viewer exit
Hash Sets:
- Added PhotoDNA hash support to hash set lookup
- Added tags field to hash sets
Logical Image:
- Added individual file hashing option when creating logical image
- Fixed bug where logical image creation log could not be added to case after completion due to file naming issue
Manage Case:
- Added new caching modes when using Forensics mode. These are set automatically:
- For disk images and read only devices, persistent caching is used. This means we hold the data from the disk (or disk image) in RAM forever. This gives maximum speed, with the second search run typically getting faster than the first run, as everything gets cached on the first run. This works well for read only devices. It doesn't work so well for live disks that have files being added and deleted all the time.
- Temporary caching means we throw away the cache before each search. Caching still occurs during the search however, but the cache starts empty. So it isn't as fast as persistent caching. The advantage is that it picks up any new files that have been created since the last search.
- You can also turn caching off. Which is useful only in very rare circumstances for debugging purposes or if the drive is very very active and being even a few seconds behind the live disk activity is an issue.
- Added Case type: Criminal; Criminal (Contains Child Exploitation Material); Civil; Internal / Confidential; Other
- Added option when importing a case, if a custom location is detected then ask user if they want to try and restore the case to the same location
- Added option to choose what date format to use for the selected case when displaying/exporting records
- Added shortcut keys to case categories
- Added the ability to account for daylight saving time
- Added "Settings" right-click option for case devices for setting the device caching mode
- Added Device Dialog will appear after creating a case when using Investigate Disk from Another Machine option
- Added check for opened temp file when saving case narrative
- Edit Case, Restructured Case Narrative and Job Summary Data to be more user intuitive. RichEdit textbox no longer editable, but instead will display HTML Preview of the contents. Case Narrative and Job Summary must now be edited through the OSF HTML Editor
- Case List sort setting is now saved, with default sort set to by access date descending (Most recent listed first)
- Loaded case always appears on top of the list of Case List (regardless of sorting selected)
- Display full path to report listed for Case Reports in the case items list
- Changed missing thumbnail message to be more accurate
- Changed edit narrative tab to display HTML preview
- Changed so when deleting more than 10 cases at the same time, do not list all cases
- Updated list of available time zones
- Updated Manage Devices dialog UI
- Populate category colors when creating a new case
- Allow for rearranging of case categories in list view
- Highlight categorized case items if color is assigned to the category
- Display the color of the selected category in case item exports/properties dialogs
- Moved the Case Type from Offense & Custody Data to Basic Case Data window
- Cleaned up updating the access time when selecting a case
- Fixed base metadata tags config for the report export
- Fixed crash when exiting case narrative editor
- Fixed incorrect error shown when trying to create case with no name
- Fixed the bug where OSF crashes when editing summary of job in the Offense & Custody Data in advance edit mode
- Fixed issue when a device was renamed in the Case Manager
- Fixed bug where the item deleted in the Manage Devices were not being deleted in the case itself
- Fixed clipping of elements with footer for Chain of Custody report
- Fixed case sorting issue when sorting by access date after selecting different cases
- Fixed Case Activity Log not displaying anything when starting OSF and loading last case
- Fixed Case Activity Log generate report settings not set properly on open
Manage Case - Generate Report:
- Changed export window to a wizard dialog
- Exported HEIC/HEIF/TIFF images in the report will shown a PNG converted thumbnail of the original image, the exported file and link to the exported file remain unchanged
- Added option to display files in grid view
- Added a metadata level option to the report export wizard to allow fine control of the metadata level for the report generation
- Added the option to enable/disable displaying time zone next to the date and times
- Added option to disable the signature/footer
- Allows users to select EXIF metadata tags per file extension to include in the case report
- Save the custom report logo file paths and report output location after use and preload the saved paths when the export report wizard dialog is reopened
- Updated report so that apart from report.html, all files are now in a "ReportData" folder
- Updated list of default EXIF metadata tags that will be enabled and included in the report for common file types
- Updated time zone display name
- Automatically uncheck include thumbnail when created redacted report
- When loading Case Narrative Template, added warning if template exceed max characters allowed and contents will be truncated
- Removed links in title column when selecting Redacted Report option
- Fixed window redraw issue when switching tabs
- Fixed bug that report was not being properly generated for "Case Report PDF - Printer Friendly", erroring out because template does not have "categories.html" template file
- Fixed issue where report generation fails when using templates with no "files.html" file
- Fixed uncategorized category page not displaying only uncategorized items
- Fixed repeating (and also incorrect) heading for Uncategorized report page
- Fixed navigation bar formatting issue when all files are uncategorized
- Fixed issue where nothing is displayed in uncategorized category page when all files are uncategorized
- Fixed issue where using 'included Chain of Custody' option did not add to Case
- Fixed issue when using 'included Chain of Custody' option, attempting to open Case Report would open Chain of Custody instead
- Optimized report generation Code for category generation
Memory Viewer:
- Display total RAM of current system in Live Analysis tab
- After creating a process specific memory capture, browsing in static analysis tab opens to directory they were saved to
- Fixed memory dump not working on older Win11 machines
Mismatch File Search:
- Added a new Scan browser cached images option, when checked it will perform a scan of browsers (Chrome, Edge, Opera, Firefox) cache directories to search for image files
- Added support for Brave, Vivaldi, Yandex browsers cached images scan
- Added Scan Time taken results on completion
- Added call to flush cache before each scan
- Added "Exclude Edge Cache image files" option in config
- Changed to scan drive selected in 'Folder to scan' field instead of all drives in case when using 'Scan browser cached images only' option
- Changed to allow customization of columns in list view
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Fixed issue where certain columns were not able to be sorted
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed bug where found items were incorrectly colored in the list compared to the file attributes
Passwords:
- Added ability to scan for installed certificates in the windows certificate store
- Added scan entire file system option for encryption certificates
- Added activity light to encryption Certificate scan
- Updated Windows Login Password to confirm with user if they want to continue to scan Non-Windows file system when scanning for Windows Login Password
- Fixed crash when running encryption Certificate scan on entire drive
- Fixed a bug where not all DPAPI system master keys were collected, which affected passwords decryption relying on it like WiFi password
- Fixed a bug decrypting Wi-Fi password in non-live acquisition mode
- Encryption Certificates, Added support for parsing .pem and .cer format files
- Encryption Certificates, Added support for scanning Windows Registry for non-live acquisition
- Encryption Certificates, Added support for full drive scan
- Encryption Certificates, Added right-click options (Export List to TXT/HTML/CSV), Add to Case, Copy to Clipboard
- Encryption Certificates, Added support to export certificates (raw data from Registry & PFX files) as files
- Encryption Certificates, Added support to decode .pfx files (non-encrypted ones only)
- Encryption Certificates, Added list-view checkbox, column config and sorting
- Encryption Certificates, Added new options (open with registry/file viewer, open containing folder) to right-click menu
- Encryption Certificates, Added status bar to display scan status
- Encryption Certificates, Updated path display format
- Encryption Certificates, Updated list-view columns, added new fields, hid Raw Data column
- Encryption Certificates, Case time zone setting is applied when displaying date and time
- Encryption Certificates, Path is renamed to Evidence Location and shows full registry/file path
- Encryption Certificates, Double click list-view items to open viewers
- Encryption Certificates, Fixed a bug in expiration date time conversion which may cause crash on some machines
- Encryption Certificates, Fixed serial number display format
- Encryption Certificates, Fixed issue where expiration date was empty for some certificates
- Encryption Certificates, Fixed possible crash when certificate has an unknown expiration date
- Encryption Certificates, Fixed dropdown being out of order
- Encryption Certificates, Fixed bug with displaying evidence location in live system
- Encryption Certificates, Removed Select Drive dialog and replaced with Scan Entire File System checkbox
Registry Viewer:
- Added amcache.hve file as a option to select for viewing
- Fixed incorrect Time Zone values when exporting System Hive
SQLite DB Browser:
- Added the Windows.db Windows Search database file to known locations
- Added Windows 10 Push Notification file-path to the SQLite Browser known locations
- Changed to try and open corresponding .shm & .wal files if they exist
- Fixed issue where Run SQL crashes under some conditions
System Information:
- Added support to collect Mac OS system info including: Model and serial number, Computer name, local host name, Timezone info, OS version info, User login info
- Added notes to the output for Windows Version from Registry command concerning ProductName (e.g. Windows 11 may appear as Windows 10 when querying the registry)
- Removed date after running each command, single date at the top of the report instead
- Fixed arrangement of preset dropdown
ThumbCache Viewer:
- Added support to collect thumbnails EXIF data from "Windows.db" file for Windows 11
- Improved the performance to get data from Windows.db file, especially on the machines with many thumbcache entries
- Fixed issue where VLC Media Player artifacts not recognized by the internal file viewer properly
- Fixed possible crash in thumbnail view when mousing over different video items quickly
User Activity:
- Added a new Open Evidence Source option to the right-click menu to make it clear whether users are opening an item or its evidence source file
- Added support to collect Windows Search info for Windows 11
- Added support to collect MS Office Backstage artifacts (recent documents and folders)
- Added support for parsing Mac OS Safari artifacts including Downloads, Browser History and Bookmarks records
- Added support for parsing .url format URL shortcut files for the Recent Files artifacts
- Added support for reading additional OSX MRU files (VLC, TextEdit, QuickTime Player, Recent Documents, Recent Applications)
- Added support for recycle bin artifacts in OSX
- Added new subcategory in Event Logs: OSX - KnowledgeC
- Added new category "Call History" - currently only for OSX
- Added option to scan dynamic-*.dat files used for auto-correction and predictive text features in OSX for Form History artifacts
- Added scanning progress and scan time taken on completion
- Added a new column to show Visit Duration of URLs in Browser History
- Browser History now shows all the web page visits
- Changed the tree-view to stay in the previously selected category/subcategory after filtering
- Changed Browser History to show all visits to a webpage instead of just the last visit
- Updated to collect cookies in updated file locations for newer versions of Google Chrome, MS Edge, and Opera
- Updated right-click menu options for P2P
- Updated list-view double-click/Enter behavior
- Updated to scan Downloads location for the Anti-Forensics artifacts
- Updated so tree-view width can now be adjusted
- Updated to display status for some slow scan processes
- Disable sort drop-down if timeline tab is selected
- Fixed the issue where VLC Media Player artifacts not recognized by the internal file viewer properly
- Fixed issue with displaying Installed programs evidence location for Linux images scan
- Fixed issue with parsing event logs from Linux images
- Fixed issue with parsing Chrome/Edge/Firefox browser artifacts on Linux & OSX
- Fixed issue where MRU item name displayed a empty string in LNK, Recent Files and MS Office categories
- Fixed issue where MUICache artifacts evidence file did not open correctly by Registry Viewer
- Fixed crash when adding a filter in the config dialog
- Fixed potential buffer overflow issue during the Event Log rendering
- Fixed system.log gathering in OSX
- Fixed issue where "Sort by:" text was not updated when switching between categories
- Fixed issue where some categories were using the same color in the timeline tab
- Fixed images not displaying in File Previewer when opening Recycle bin items
- Fixed text overflowing in File List tab for some types of artifacts
- Fixed possible crash when scanning browser artifacts
- Fixed possible crash when Windows 10 Timeline scan fails to open ActivitiesCache.db database
- Fixed possible crash when using activity filters
- Fixed possible crash when trying to obtain FireFox Install Location
- Reordered Internet Artifacts
Verify Hash:
- Added auto population of comparison hash field when internal hash value exists, so users do not have to re-validate EO1 files with pre-calculated hashes when importing into OSF
Web Browser:
- Allow user to select whether the captured image to be added to case or save to file
- Updated Export GUI
Web Server Viewer:
- Fixed issue where the log format radio buttons were not checked/unchecked properly when switching around them
Misc:
- Added support for scanning images with multiple partitions for various modules
- Added options to export and import OSFConfig files from Settings
- Added right click option to customize workflow in start page area
- Added color legend when exporting timelines as image
- Added deactivate option for perpetual licenses
- Added some missing time zones
- Added option to settings that allows user to pick a custom location for temp files
- Added RAM drive as a option for a custom temp location
- Added "FBI Most Wanted Terrorists 2023" search list as a new Word List for the index search module
- Changed wording of "Other devices available" option to warn that it's not running in Forensics mode
- Changed USB write block icon text and description text to be clearer when its enabled/disabled
- Changed to use UTC instead of GMT for time zone information
- Changed thumbnail size slide button to allow to view images with larger sizes
- Updated "Add Device" & "Manage Devices" icons
- Updated VolatilityWorkbench to v3.0.1006
- Update OSFMount to v3.1.1002
- Updated German/Spanish/Japanese localization
- Updated library for reading E01/Ex01 image files
- UI fixes to account for localization changes
- Improved performance when hovering over a thumbnail to see a video preview
- Display a more serious warning when running OSF as a non admin user, as several important features are missing if you are not running as Admin
- Make backup of old config file when updating/downgrading OSF
- Module running statuses on now cleared when loading a new case
- Fixed tabbing on some "Add to case" windows
- Fixed incorrect GUI Message (Warning drive/valid not found for APFS) on Password/User Activity module
- Fixed text clipping with the legend in timelines
- Fixed OSF being unable to load on Win7
- Fixed main screen icons not loading properly while running in WinPE
- Fixed possible buffer overflow when generating long date & time strings
- OperaOpera 115.0 Build 5322.109 (64-bit)
- 4K Download4K Video Downloader+ 1.10.3 (64-bit)
- PhotoshopAdobe Photoshop CC 2025 26.2 (64-bit)
- OKXOKX - Buy Bitcoin or Ethereum
- iTop VPNiTop VPN 6.2.0 - Fast, Safe & Secure
- Premiere ProAdobe Premiere Pro CC 2025 25.1
- BlueStacksBlueStacks 10.41.642.1001
- Hero WarsHero Wars - Online Action Game
- TradingViewTradingView - Trusted by 60 Million Traders
- LockWiperiMyFone LockWiper (Android) 5.7.2
Comments and User Reviews