FTimes / News: Recent posts

FTimes 3.13.0 Released

Version 3.13.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. The most significant changes in this release are the addition of new encoder/decoder/embedded routines, support for B-Tree file systems (BTRFS) under Linux, and the introduction of KLEL-based include/exclude filters. Note that both PCRE and KLEL (1.2.0 or higher) libraries are now required. For now, PCRE-based filters are still enabled by default, but the plan is to phase them out completely in a future release.

Posted by Klayton Monroe 2019-09-04

FTimes 3.12.0 Released

Version 3.12.0 is a minor release of FTimes. Basically, the various changes, enhancements, additions, and bug fixes that have accumulated over the past few years reached critical mass. Some of the noteworthy changes include: a new option for depth-limited mapping/digging, additional encoding/decoding/transformer options/functionality, and support for a number of additional file systems (APFS, AUTOFS, JFFS2, OVERLAYFS, SMB2, UBIFS). Additionally, two new tools, ftimes-srm and ftimes-xpatool, have been added to the project. Finally, this is likely to be the last release in the 3.X branch. Going forward, the project will be setting up a new public-facing code repository (SF discontinued CVS support late in 2017), and all new effort will focus on the 4.X branch.

Posted by Klayton Monroe 2019-03-18

FTimes 3.11.0 Released

Version 3.11.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release introduces file hooks support for an embedded Python interpreter. Finally, a new tool, ftimes-bimvl, has been added to the project.

Posted by Klayton Monroe 2014-07-30

FTimes 3.10.0 Released

Version 3.10.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes updated support for file hooks and introduces KLEL-based XMagic. Consequently, the minimum required version of libklel has been raised to 1.1.0, which has a library version of 2:0:1. Finally, file system support for SquashFS was added.

Posted by Klayton Monroe 2013-04-01

FTimes 3.9.0 Released

Version 3.9.0 is a minor release of FTimes. Basically, the various changes, enhancements, additions, and bug fixes that have accumulated over the past few years reached critical mass.

Posted by Klayton Monroe 2012-05-07

FTimes featured in ISSA Journal

Last month's issue of the ISSA Journal (December 2008, Volume 6, Issue 12) has a nice article about FTimes written by Russ McRee. The article, entitled "All's FAIR: Forensics, Analysis, Integrity, and Response with FTimes", explores some of the capabilities of FTimes. The article is available here:

http://holisticinfosec.org/toolsmith/docs/december2008.pdf

ISSA members can also get it here: ...

Posted by Klayton Monroe 2009-01-26

FTimes 3.8.0 Released

Version 3.8.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. This release includes support for SHA256 hashes, include/exclude filters, and a number of additional file systems (DATAPLOW_ZFS, NTFS-3G, NWCOMPAT, UDF). HashDig utilities have been updated to support SHA1 and SHA256 hashes, and the following tools have been added to the project: ftimes-crv2dbi.pl, ftimes-dig2dbi.pl, hashdig-find.pl, and tarmap. Note that documentation is no longer built at release time, and that means your build system must include the necessary tools to create the documentation -- see the Requirements Section in README.INSTALL for additional details. Since SF officially discontinued compile farm support on 2007-02-08, this project is no longer able to build/test releases in the manner and scale that it did before. Unfortunately, this may result in platform-specific issues that go unnoticed until they are discovered by someone in the field.

Posted by Klayton Monroe 2007-04-14

FTimes "System Baselining" Paper Updated

The FTimes Project has released an updated copy of "System Baselining -- A Forensic Perspective".

This paper, written by Klayton Monroe and Dave Bailey, defines baselining terminology, explains the mechanics of baselining, compares and contrasts different baselining techniques, and describes FTimes -- a system baselining and evidence collection tool. The paper also explores some of the criteria that evidence collection tools and techniques must satisfy if they are going to support prosecutions. In closing, it presents a pair of war stories that are typical of the times.

Posted by Klayton Monroe 2006-09-21

FTimes Helps Team Win DFRWS 2006 File Carving Challenge

First place in the DFRWS 2006 File Carving Challenge was awarded to Klayton Monroe, Andy Bair, and Jay Smith.

The team's approach/methodology relied heavily on tools from The FTimes Project. However, the team's contributions also influenced the direction of The FTimes Project. In fact, a majority of the new features/tools in the 3.7.0 release were directly related to the team's efforts.

For more information regarding the challenge and the results, check out the following links: ...

Posted by Klayton Monroe 2006-08-29

FTimes 3.7.0 Released

Version 3.7.0 is a minor release of FTimes, a system baselining and evidence collection tool. The primary purpose of ftimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. The main focus of this release was to improve XMagic by adding new test modes, types, and operators. In particular, 16 new XMagic types and 8 new test operators have been added. Additionally, XMagic has crossed over into dig mode. Now, it is possible to use magic incantations on all the blocks in a given file. Together, these enhancements represent a significant jump forward in XMagic technology. Finally, ftimes-crv2raw.pl has been added to the project.

Posted by Klayton Monroe 2006-07-21

FTimes 3.6.0 Released

Version 3.6.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. Externally, there have been a number of important changes: SHA1 hashes are now a standard file attribute; compressed snapshots can now be compared directly; XMagic now includes regular expression file typing (via PCRE); HashSymbolicLinks is now on by default; support for the following file systems has been added: NWFS, RAMFS, VZFS, and XFS; and put mode has been removed. Also, several of the companion utilities and the test harness have been improved. Finally, ftimes-cmp2dbi.pl has been added to the project.

Posted by Klayton Monroe 2006-04-17

FTimes 3.5.0 Released

Version 3.5.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. Externally, there have been several changes: (1) the default installation directory has changed; (2) several new controls have been added; (3) regular expression (via PCRE) and case insensitive digs are now supported; and (4) support for the CDROM, DEVFS, SMBFS, and TMPFS file systems has been added. A test harness has been added along with tests to validate MD5 hashes using sample vectors provided and used by NIST. Internally, the main improvements are MD5 performance and the addition of large file support. Also, many of the dig, hashdig, and map utilities have been improved -- see the ChangeLog for details.

Posted by Klayton Monroe 2005-06-16

FTimes 3.4.0 Released

Version 3.4.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. Several bugs have been fixed -- see the ChangeLog for details. The configure/build process has been updated to include support for HP-UX, amd64, and x86_64 platforms. The following controls have been added to FTimes: AnalyzeDeviceFiles, AnalyzeRemoteFiles, BaseNameSuffix, EnableRecursion, and FileSizeLimit. The nph-ftimes.cgi script has been completely overhauled. The new script includes support for reading properties from a configuration file, and it has been ported to run under Apache on Win32 platforms. Support for OpenSSL and HashKeeper data sets has been added to the HashDig tools, and hipdig.pl has been given the ability to dig for SSNs. Finally, two new tools, ftimes-map2dbi.pl and hashdig-stat.pl, have been added to the project.

Posted by Klayton Monroe 2004-05-06

FTimes 3.3.0 Released

Version 3.3.0 is a minor release of FTimes. Generally, code was cleaned up and refined as necessary. This release includes two new modes: diglean and maplean. These modes were added to fill the gap between the auto and full modes. Additionally, all MD5 code has been replaced, and a new control, HashSymbolicLinks, has been added. The MAC/MACH timeline script, ftimes-map2mac.pl, now includes support for an external sorting method, and hipdig.pl has been given the ability to dig for Track[12] credit card data. Finally, configure/build support for the ia64 platform was added.

Posted by Klayton Monroe 2003-08-15

FTimes 3.2.1 Released (Includes Dig, HashDig, and Map Tools)

Version 3.2.1 is an update release of FTimes. Generally, code was cleaned up and refined as necessary. The configure/build process has been updated, and several new configure options were added. The major event for this release was the addition of a number of new Dig, HashDig, and Map utilities. These tools were designed to support various workbench activities such as extracting DigString context, resolving MD5 hashes, and constructing MAC/MACH timelines. The primary focus of the work effort was to refine these utilities to the point where they could be released in beta form.

Posted by Klayton Monroe 2003-03-27

FTimes 3.2.0 Released

Version 3.2.0 is a minor release of FTimes. Compare logic has been completely overhauled. Hash collisions are detected and properly handled now, and the db's hard-coded size limit has been eliminated. Support for NTFS mounted partitions under Linux has been added. Faulty Content-Length detection and validation logic has been fixed. The static SSL build process for WIN32 platforms was changed to use /MT instead of /MD. This change requires that static OpenSSL builds use the /MT flag as well. The install location for nph-ftimes.cgi has been moved to ${prefix}/cgi/cgi-client.

Posted by Klayton Monroe 2003-01-20

FTimes 3.1.0 Released

Version 3.1.0 is a minor release of FTimes. Various files were cleaned up and/or synchronized with their WebJob counterparts. The CGI script, nph-ftimes.cgi, was modified to ensure that a content length is always defined. A word size problem in the MD5 routines was patched for Linux running on Alpha. The LaTeX version of "System Baselining -- A Forensic Perspective" was added to the project. New capabilities added in this release include: support for MacOS X, block/character device mapping/digging, and embedding SSL passphrases inside LRS pools.

Posted by Klayton Monroe 2002-09-21

FTimes "System Baselining" Paper Released

The FTimes Project released the following paper today: "System Baselining -- A Forensic Perspective"

This paper, written by Klayton Monroe and Dave Bailey, defines baselining terminology, explains the mechanics of baselining, compares and contrasts different baselining techniques, and describes FTimes -- a system baselining and evidence collection tool. The paper also explores some of the criteria that evidence collection tools and techniques must satisfy if they are going to support prosecutions. In closing, it presents a pair of war stories that are typical of the times.

Posted by Klayton Monroe 2002-06-13

FTimes 3.0.0 Released

FTimes (a.k.a. ftimes) is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop information about specified directories and files in a manner conducive to intrusion analysis. Version 3.0.0 is the first Open Source release of FTimes.

Posted by Klayton Monroe 2002-01-29