[sleuthkit-announce] TASK and Autopsy Release
From: Brian C. <ca...@at...> - 2003-01-29 22:25:31
New versions of TASK and Autopsy are available. TASK has new tools
including a hash database lookup tool for the NSRL and Autopsy got a
face lift and new features.
WHAT ARE THEY?
The @stake Sleuth Kit (TASK) contains UNIX-based file system digital
forensics tools and Autopsy is a graphical interface to the command
line tools in TASK.
TASK CHANGES
TASK 1.60 has the following changes:
- The 'hfind' tool can be used to perform hash lookups from the NIST
National Software Reference Library (NSRL) and hash databases created
by 'md5sum'.
- The 'sorter' tool has been completed. Sorter organizes files based
on their file type, while ignoring files that are found in the NSRL and
other user supplied databases. It can also generate alerts when 'known
bad' files are found and when the extension does not match the file
type.
- The 'ifind' tool will now take a file name and identify the meta data
structure that is allocated to it.
- Bug fixes
  - Casting bug that caused MAGIC errors in fragmented or XP NTFS images
  - Casting bug that caused some inaccurate file times in NTFS images
  - Wrong value for mount status in EXT2FS images in fsstat
  - 'ifind' will not abort when it comes across invalid data in an
    unallocated file.
- See the CHANGES file for more details
http://sleuthkit.sourceforge.net/index.html
http://www.atstake.com/research/tools/task/index.html
MD5 (task-1.60.tar.gz) = e8542e0cd96ea9d6d32913ac9652cd15
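The sorter behaviour described above (skip files whose hash is in a known-good database such as the NSRL or an md5sum-created list, alert on known-bad hashes, and alert when the extension does not match the detected file type) as an added Python illustration; this is not TASK's own code, the sample file contents, md5sum-style databases and magic-byte table are constructed for the example, and the real sorter identifies types with file(1) rather than this short prefix table.

```python
import hashlib

# Constructed sample "image" contents keyed by file name (not from the page).
SAMPLE_FILES = {
    "notes.txt": b"meeting notes\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "invoice.txt": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF behind a .txt name
    "tool.bin": b"\x7fELF\x02\x01\x01" + b"\x01" * 9,
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed md5sum-style databases ("<md5>  <path>" per line), the second
# database format the announcement says hfind accepts alongside the NSRL.
KNOWN_GOOD_DB = f"{md5_hex(SAMPLE_FILES['notes.txt'])}  /usr/share/doc/notes.txt\n"
KNOWN_BAD_DB = f"{md5_hex(SAMPLE_FILES['tool.bin'])}  /tmp/tool.bin\n"

# Magic-byte table standing in for file(1): prefix -> (category, extensions
# consistent with that category). Unknown types get no extension check.
MAGIC = [
    (b"\xff\xd8\xff", "image", {"jpg", "jpeg"}),
    (b"PK\x03\x04", "archive", {"zip", "jar"}),
    (b"\x7fELF", "executable", {"", "so", "o", "bin"}),
]

def parse_md5sum_db(text: str) -> set:
    """Collect the hash column of md5sum output, lower-cased, into a set."""
    return {line.split()[0].lower() for line in text.splitlines() if line.strip()}

def identify(data: bytes):
    for prefix, category, exts in MAGIC:
        if data.startswith(prefix):
            return category, exts
    return "unknown", None

def sort_files(files: dict, known_good: set, known_bad: set) -> dict:
    result = {"sorted": {}, "skipped": [], "alerts": []}
    for name, data in files.items():
        digest = md5_hex(data)
        if digest in known_good:          # NSRL / user "known good": ignore it
            result["skipped"].append(name)
            continue
        if digest in known_bad:           # user "known bad": raise an alert
            result["alerts"].append(f"known bad: {name}")
        category, exts = identify(data)
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if exts is not None and ext not in exts:
            result["alerts"].append(f"extension mismatch: {name} is {category}")
        result["sorted"].setdefault(category, []).append(name)
    return result
```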
AUTOPSY CHANGES
Autopsy 1.70 has the following changes:
- MAJOR interface improvement. With assistance from Samir Kapuria,
Autopsy has a more intuitive interface (see the screen shots)
- Case Management: Cases can contain several hosts, each of which can
contain one or more images. All case management is done via the
interface (so no more hand editing of fsmorgue!!). Each host can have
its own time zone and time skew setting.
- Sorter has been integrated into Autopsy to examine images by file
type.
- Hash databases can be used with Autopsy, including the NSRL.
http://autopsy.sourceforge.net/index.html
http://www.atstake.com/research/tools/autopsy/index.html
MD5 (autopsy-1.70.tar.gz) = 50800683d04762779454a3a8227aeac8
OTHER
I am also going to start a monthly e-mail "newsletter" that will
contain techniques for using the tools and documents on how the tools
work. For example, documenting the design of 'sorter', the new
case management directory structure in Autopsy, and techniques for using
the tools for Incident Response and rootkit detection. The first issue
will be Feb 15. You can sign up for the 'sleuthkit-informer' at:
http://sourceforge.net/mail/?group_id=55685
Lastly, I wrote a paper a few months back on Open Source forensics
software and the potential legal benefits. If interested, it can be
found here:
Open Source Forensics: The Legal Argument
http://www.atstake.com/research/reports/index.html#opensource_forensics
brian