[sleuthkit-users] TASK 1.60 and Autopsy 1.70 Release
From: Brian C. <ca...@at...> - 2003-01-29 22:25:31
New versions of TASK and Autopsy are available. TASK has new tools including a hash database lookup tool for the NSRL, and Autopsy got a face lift and new features.

WHAT ARE THEY?

The @stake Sleuth Kit (TASK) contains UNIX-based file system digital forensics tools, and Autopsy is a graphical interface to the command line tools in TASK.

TASK CHANGES

TASK 1.60 has the following changes:

- The 'hfind' tool can be used to perform hash lookups from the NIST National Software Reference Library (NSRL) and hash databases created by 'md5sum'.
- The 'sorter' tool has been completed. Sorter organizes files based on their file type, while ignoring files that are found in the NSRL and other user supplied databases. It can also generate alerts when 'known bad' files are found and when the extension does not match the file type.
- The 'ifind' tool will now take a file name and identify the meta data structure that it has allocated.
- Bug fixes
  - Casting bug that caused MAGIC errors in fragmented or XP NTFS images
  - Casting bug that caused some inaccurate file times in NTFS images
  - Wrong value for mount status in EXT2FS images in fsstat
  - 'ifind' will not abort when it comes across invalid data in an unallocated file.
- See the CHANGES file for more details

http://sleuthkit.sourceforge.net/index.html
http://www.atstake.com/research/tools/task/index.html

MD5 (task-1.60.tar.gz) = e8542e0cd96ea9d6d32913ac9652cd15

AUTOPSY CHANGES

Autopsy 1.70 has the following changes:

- MAJOR interface improvement. With assistance from Samir Kapuria, Autopsy has a more intuitive interface (see the screen shots).
- Case Management: Cases can contain several hosts, each of which can contain one or more images. All case management is done via the interface (so no more hand editing of fsmorgue!!). Each host can have its own time zone and time skew setting.
- Sorter has been integrated into Autopsy to examine images by file type.
- Hash databases can be used with Autopsy, including the NSRL.

http://autopsy.sourceforge.net/index.html
http://www.atstake.com/research/tools/autopsy/index.html

MD5 (autopsy-1.70.tar.gz) = 50800683d04762779454a3a8227aeac8

OTHER

I am also going to start a monthly e-mail "newsletter" that will contain techniques for using the tools and documents on how the tools work. For example, documenting the design of 'sorter', the new case management directory structure in Autopsy, and techniques for using the tools for Incident Response and rootkit detection. The first issue will be Feb 15. You can sign up for the 'sleuthkit-informer' at:

http://sourceforge.net/mail/?group_id=55685

Lastly, I wrote a paper a few months back on Open Source forensics software and the potential legal benefits. If interested, it can be found here:

Open Source Forensics: The Legal Argument
http://www.atstake.com/research/reports/index.html#opensource_forensics

brian
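As an added illustration (not code from TASK or Autopsy), here is a small Python sketch of the sorter workflow the announcement describes: hashes are checked against an NSRL-format database and an md5sum-format "known bad" list, known-good files are skipped, the rest are grouped by file type from magic bytes, and alerts are raised for known-bad hashes and for extensions that do not match the detected type. The magic table, sample file contents and both hash databases are constructed for the example; real NSRL data and file(1) magic are far larger.

```python
import csv, hashlib, io

# Small constructed magic table: type -> (leading bytes, extensions consistent with that type)
MAGIC = {"jpeg": (b"\xff\xd8\xff", {"jpg", "jpeg"}),
         "elf": (b"\x7fELF", {"", "so", "o"}),
         "gzip": (b"\x1f\x8b", {"gz", "tgz"})}

def load_md5sum_db(text):
    """Parse md5sum output ('<md5>  <path>' per line) into a set of lowercase MD5s."""
    pairs = (ln.split(None, 1) for ln in text.splitlines())
    return {p[0].lower() for p in pairs if len(p) == 2 and len(p[0]) == 32}

def load_nsrl_db(text):
    """Parse NSRLFile.txt ("SHA-1","MD5","CRC32","FileName",...) into a set of lowercase MD5s."""
    rows = csv.reader(io.StringIO(text))
    col = next(rows).index("MD5")
    return {row[col].lower() for row in rows if len(row) > col}

def identify_type(data):
    """Classify by leading bytes, the way a sorter-style tool uses file(1) magic."""
    return next((t for t, (sig, _) in MAGIC.items() if data.startswith(sig)), "unknown")

def sort_files(files, known_good, known_bad):
    """Group files by type, skipping known-good hashes; alert on known-bad and ext/type mismatch."""
    categories, alerts = {}, []
    for path, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known_bad:
            alerts.append((path, "known bad hash"))
        if md5 in known_good:
            continue  # found in the NSRL / user-supplied known-good database: ignore it
        ftype = identify_type(data)
        categories.setdefault(ftype, []).append(path)
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        if ftype in MAGIC and ext not in MAGIC[ftype][1]:
            alerts.append((path, f"extension '{ext}' does not match type {ftype}"))
    return categories, alerts

# Constructed sample image contents and hash databases (not real NSRL data)
SAMPLE_FILES = {
    "/home/u/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "/home/u/notes.txt": b"\xff\xd8\xff\xe1\x00\x20Exif",   # JPEG behind a .txt extension
    "/lib/libc.so": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,   # listed in the known-good database
    "/tmp/rk.gz": b"\x1f\x8b\x08" + b"\x00" * 7,             # listed in the known-bad database
}
NSRL_TEXT = ('"SHA-1","MD5","CRC32","FileName","FileSize","ProductCode","OpSystemCode","SpecialCode"\n"'
             + "0" * 40 + '","' + hashlib.md5(SAMPLE_FILES["/lib/libc.so"]).hexdigest().upper() + '","00000000","libc.so","16","1","1",""\n')
KNOWN_BAD_TEXT = hashlib.md5(SAMPLE_FILES["/tmp/rk.gz"]).hexdigest() + "  rk.gz\n"
```

Running `sort_files(SAMPLE_FILES, load_nsrl_db(NSRL_TEXT), load_md5sum_db(KNOWN_BAD_TEXT))` places the two JPEGs and the gzip file into categories, drops libc.so as known good, and reports the disguised JPEG and the known-bad hash.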