Absolution Deterrence Code Branch
Absolution Deterrence is the second beta release of the Absolution computer forensics and
eDiscovery software. Absolution provides forensic collection, analysis and reporting for an investigator
attempting to gather information and/or evidence about activities performed on a computer.
Provide a comprehensive computer forensics data analysis tool that is simple enough for any tech-savvy
individual to use.
* Compliant with all standards for forensics software.
* Extensible architecture that produces universally usable XML output.
* Provide as many automatable steps for forensics as possible.
* Improve performance of all forensic analysis steps.
* To be useful for people needing rapid forensic response.
* File Identification (by magic bytes, contents, and extension)
* Collection of data from web browsers (caches, lists, cookies, etc.)
* Identification of HTML files by contents
* Registry Hive Examinations (live and hive files)
* Internal sandboxed scripting language.
* Metadata Extraction (Microsoft, ODF, Exif, HTML, PDF, BitTorrent,
* Email Collection (Outlook, RFC822 mailboxes)
* Comparison of collections (i.e., see what data changed between two points in time.)
* Regex Pattern Matching (ANSI, UTF-8, UTF-16 supported, lots of default patterns to choose from)
* Archive Content Searching (ZIP, RAR, TAR, GZ, BZ, 7Z, etc.)
* Microsoft Event Logs
* User definable reporting
* Investigation Tools (Search Engines, Timeline, Master Index, Raw Data, Report Data)
* File Exfiltration
* All output and storage in XML format, completely interoperable with third-party tools
* Hash matching using the NSRL hash database
* Lots of cool nice-to-haves like geo-location extraction and search engine queries
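The file-identification and hash-matching features listed above (magic bytes, content sniffing for HTML, and matching against a known-file hash set) can be illustrated with a small triage script. The following is an added example written for this page; it is not Absolution's code, and its signature table, extension alias map, sample files and "known" hash set are all constructed for the demonstration (a real tool would use a libmagic-sized table and the NSRL sets).

```python
"""Added example, not Absolution code: identify files by magic bytes and by
content, compare the result with the claimed extension, and flag files whose
hash is already in a known-file set. Every table and sample here is constructed."""
import hashlib
import os

# Constructed signature table: leading bytes -> canonical type name.
MAGIC_SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/odt containers
    (b"Rar!\x1a\x07", "rar"),                        # prefix shared by RAR 1.5 and RAR 5 headers
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gz"),
    (b"BZh", "bz2"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt/.msg compound files
]

# Extensions that legitimately carry another type's signature (constructed map).
EXTENSION_ALIASES = {
    "jpeg": "jpg", "htm": "html", "tgz": "gz",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "odt": "zip",
    "doc": "ole2", "xls": "ole2", "ppt": "ole2", "msg": "ole2",
}


def looks_like_html(data: bytes) -> bool:
    """HTML has no magic bytes, so identify it by content: sniff the first 1 KiB."""
    head = data[:1024].lower()
    return b"<!doctype html" in head or b"<html" in head


def identify(data: bytes) -> str:
    """Return the type implied by the bytes themselves, or 'unknown'."""
    for magic, ftype in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return ftype
    if looks_like_html(data):
        return "html"
    return "unknown"


def claimed_type(filename: str) -> str:
    """Type the extension claims, after folding aliases like .htm and .docx."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return EXTENSION_ALIASES.get(ext, ext)


def examine(filename: str, data: bytes, known_hashes: set) -> dict:
    """One triage record: detected vs claimed type, mismatch flag, SHA-1, known-file flag."""
    detected = identify(data)
    claimed = claimed_type(filename)
    sha1 = hashlib.sha1(data).hexdigest()
    return {
        "file": filename,
        "detected": detected,
        "claimed": claimed,
        # Only report a mismatch when the bytes were actually recognised;
        # an unknown signature is not evidence of a renamed file.
        "mismatch": detected != "unknown" and detected != claimed,
        "sha1": sha1,
        "known": sha1 in known_hashes,
    }


# Constructed sample "files": name -> leading bytes.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n",
    "holiday.jpg": b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 20,   # ZIP renamed to .jpg
    "index.htm": b"\xef\xbb\xbf\n  <!DOCTYPE html>\n<html><body>hi</body></html>",
    "notes.txt": b"plain text, no signature",
    "backup.tgz": b"\x1f\x8b\x08\x00" + b"\x00" * 6,
    "budget.docx": b"PK\x03\x04" + b"\x00" * 26,
}

# Constructed stand-in for an NSRL-style known-file set (one known hash).
KNOWN_HASHES = {hashlib.sha1(SAMPLE_FILES["notes.txt"]).hexdigest()}


def scan_samples() -> dict:
    """Examine every constructed sample; keyed by file name."""
    return {name: examine(name, data, KNOWN_HASHES) for name, data in SAMPLE_FILES.items()}


if __name__ == "__main__":
    for r in scan_samples().values():
        flag = "MISMATCH" if r["mismatch"] else ("known" if r["known"] else "")
        print(f"{r['file']:<14} {r['detected']:<8} claimed={r['claimed']:<6} {flag}")
```

The mismatch rule is deliberately one-sided: a recognised signature that disagrees with the extension is worth an investigator's attention, while an unrecognised signature says nothing and is left unflagged so the table's gaps do not turn into false positives.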
Goals of Branch:
Absolution 0.5, aka Deterrence, is the second beta. The goal of this branch is to advance the development
potential of Absolution, enhance stability, and extend its primary capabilities to new audiences.
Goal 1: To create both an Absolution Library (absolutionlib.dll) and a command line
(abscc.exe) version of Absolution to extend development for the community.
Goal 2: To fix all reported bugs, performance issues, and address user needs.
Of interest: improved memory and file-reading performance, faster report
generation, lighter platform requirements, and parallelized processing.
Goal 3: To add support for comparing two different runs (the Comparison Tool)
Goal 4: To enhance the search by including techniques described in forensic books, magazines,
and internet articles.
Goal 5: Extend testing to other Windows platforms besides Windows 7 (in fact, starting
development with a tablet mindset using Windows 8.)
Goal 6: To divide Absolution into primary components:
Sub-goal 1: Creation of a .DLL for the Fatum code framework
Sub-goal 2: Creation of a .DLL for the Absolution forensics framework
Sub-goal 3: Creation of a Command Line version of Absolution
Goal 7: Double the number of configurable options for a scan
Goal 8: Support an All Memory scanning option for smaller loads, such as a single file or
directory, in order to improve performance for metadata gathering. (Perfect for the command
Goal 9: Update and improve the handling of external libraries, namely Lucene.NET
and SharpCompress, both of which now use standard 64-bit distribution DLLs instead of
imported source code.
Goal 10: Add a duplicate file handling utility to assist management of duplicate files.
Goal 11: Add timeline support to the Investigator
Goal 12: Improve the Analysis phase of Absolution to have compiled high speed activities as
well as the scripting activities.
Notable Changes:
* Improved speed and depth of file identification capabilities.
* XML file identification framework.
* Standardization of XML data naming conventions.
* Streamlined archive reading that requires less memory and delivers higher performance.
* Changed the metadata collection process to be multithreaded.
* Optimized FatumCore and Reporter to use fewer memory operations.
* Created additional traps and bad-data handlers inside the metadata extraction tool.
System Requirements:
* Quad-core or larger CPU (Requirements have been lowered from previous releases.)
* A minimum of 8 gigabytes of RAM, but it helps to have more.
* At least 10 gigabytes of free drive space, SSD preferred.
* Windows 8 x64, Windows 7 x64, Vista x64, Server 2008 x64, or Server 2013 x64.
* .NET Framework 4.5 or later
Notable Bug Fixes:
* Fixed memory exhaustion during traversal of very large archives
* Fixed error preventing an examination of fewer than 32 total files
* Fixed incorrect statistics with files inside of archives
* Fixed various collection issues that would have resulted in confusing results
* Fixed sorting problems in the reporting system that would lead to resource exhaustion.
* Fixed problems with using ReadPST to extract data from corrupted archives.
* Fixed issues with PDFSharp to properly capture failure events.