sleuthkit-announce Mailing List for The Sleuth Kit (Page 4)
From: Brian C. <ca...@sl...> - 2005-04-08 21:19:36

New versions of both tools are available. Both have minor bug fixes from the new 2.00 TSK features. There is one bug that impacts split image users, so everyone should upgrade TSK. Autopsy also has a new feature that shows the thumbnail of a picture when it is selected in File Mode (patch by Guy Voncken).

TSK 2.01
MD5: e84ed011e7b999abc08174e239ecb474
http://www.sleuthkit.org/sleuthkit/

Autopsy 2.05
MD5: adfbb31ce665cc8efdbf8711bbd97483
http://www.sleuthkit.org/autopsy/

brian
From: Brian C. <ca...@sl...> - 2005-03-16 03:42:19

New versions of the tools are available!

TSK v2:

* Minor Bug Fixes
  o NTFS could go into an infinite loop if attribute list entry was reallocated.
  o Last block group in ExtX fsstat output had incorrect percentage of free blocks.

* Major Updates
  o Support for split and disk images
  o File system type can be detected (-f no longer required)
  o New file system type names (for -f)
  o Updated internal design
  o New 'img_stat' tool to display details about the image file format
  o New 'mmls' flag (-b) to print sizes in bytes
  o New 'mmstat' tool to give details about the volume (media management) system
  o Non-printable characters in UFS/ExtX names are replaced with '.'
  o New Linux 'disk_sreset' tool to reset HPA on an ATA disk.
  o Renamed 'diskstat' to 'disk_stat' and 'sstrings' to 'srch_strings' to make names less cryptic.

MD5 Value: 757f76f245493ebff2d0daeb64f37b5d
http://www.sleuthkit.org/sleuthkit/download.php

Autopsy v2.04:

* Bug Fixes:
  o none.

* Updates:
  o Disk and split image support
  o Timeline can be created in comma delimited format
  o File listing of NTFS searches for deleted files by parent MFT entry
  o Notes now contain metadata from the file

MD5 Value: 776edcd060ea7a0f187f5732e6bfeacc
http://www.sleuthkit.org/autopsy/download.php

brian
From: Brian C. <ca...@sl...> - 2004-11-02 23:56:41

After spending 2 hours in line voting, I have released TSK 1.73. There are a couple of bug fixes, a few updates, and four new tools (which will be discussed in the next Sleuth Kit Informer).

http://www.sleuthkit.org/sleuthkit/

Bug Fixes
* Now compiles & runs on 64-bit AMD Linux systems
* Fixed NTFS errors when $MFT was very fragmented

Major Updates
* New Journal tools for Ext3 (jls & jcat)
* New support for UFS2
* New diskstat tool to detect Host Protected Area of disk (Linux Only)
* New sigfind tool to find binary signature values in a file
* Improved fsstat and istat output for Ext3
* Improved fsstat and istat output for UFS

brian
From: Brian C. <ca...@sl...> - 2004-09-07 23:43:14

New versions are available.

TSK fixes the FAT error message about a recursive directory and a couple of NTFS errors. All users should upgrade. TSK also includes new EXTxFS features such as extended attributes and POSIX ACL information in istat.

ALSO, there is a new tool called sstrings, which is basically just the strings program from GNU binutils. This means that all OSes have a strings that can handle Unicode and it works on large files (which some Linux distros currently don't). A new version of 'file' is also included that appears to fix the Cygwin issue.

http://www.sleuthkit.org/sleuthkit/
MD5 Value: 152fda4cc80696a9f6be9d7ce619ef31

Autopsy now allows Unicode searching, has some documentation updates, and includes other minor updates.

http://www.sleuthkit.org/autopsy/
MD5 Value: 51b056624cc81ca1bdf281e2e23a160d

brian
From: Brian C. <ca...@sl...> - 2004-07-30 06:43:42

New releases of both tools are available with bug fixes and new features. I went through the NTFS code and added some more details and features. FFS is next.

TSK 1.71
http://www.sleuthkit.org/sleuthkit/

Bug Fixes
- Type / size casting errors with FAT.
- NTFS handling of sparse files
- Filler errors with NTFS files and 'icat' (rare)
- Missing name with NTFS attribute (rare)

Major Updates
- Improved istat & fsstat output for NTFS.
- 'ifind -p' will find deleted NTFS files based on their parent directory, which results in more deleted files being found.
- Encrypted and compressed files are noted, but not processed.
- Improved slack support in dls -s.
- dcalc can calculate original location of data in dls -s output.
- GPT disk support in mmls.

Autopsy 2.02
http://www.sleuthkit.org/autopsy/

Bug Fixes:
- An error message was not properly printed.

Updates:
- More deleted NTFS files are now listed in file mode because a search is done for unallocated files that have a given parent directory.
- A filter removes duplicate deleted NTFS names from the file listings.
- OS X no longer needs the strings wrapper.

brian
From: Brian C. <ca...@sl...> - 2004-06-02 22:47:22

New versions are available.

http://www.sleuthkit.org/sleuthkit/download.php
MD5: 3e06290fb633fefef443e343b97e56db

http://www.sleuthkit.org/autopsy/download.php
MD5: a754189ea0804efbc9709f26cd9f58cf

TSK has a couple of bug fixes (allocation status of deleted FAT files and compiling under Fedora Core 2) and many updates. Updates are for improved FAT support, FAT file recovery, new 'icat' syntax, and new 'dcat' syntax.

Autopsy also has a couple of bug fixes, mainly that the wrong data unit was being displayed when a keyword search was done on unallocated space (this was introduced in the last version). New features include the ability to search for a specific file name and support for new TSK features.

brian
From: Brian C. <ca...@sl...> - 2004-04-20 22:41:17

Version 1.69 of TSK is available:

www.sleuthkit.org/sleuthkit/download.php
MD5: 3479168ca94a3f75bbe545fae3d97ca6

Note that if you install Autopsy with this version, Autopsy will incorrectly complain that a more recent version exists. I have added a bug report for that in autopsy.

The first bug is critical and everyone should upgrade.

Bug Fixes
o The last sector of a FAT file system may not have been viewable.
o The slack flag (-s) for 'icat' could produce too much data for FFS and EXT3FS file systems.
o One of the verbose messages for EXT2FS was printing to STDOUT instead of STDERR.

Major Updates
o More output for 'fsstat' and FAT file systems.
o Updated version of 'file' to 4.09.
o Changes to handling of raw and swap file system types

brian
From: Brian C. <ca...@sl...> - 2004-03-19 20:15:34

Version 2.00 of Autopsy has been released.

http://www.sleuthkit.org/autopsy

The biggest change is the internal design (which you should not notice) and the live analysis support. Check out the last Sleuth Kit Informer for more details on the live analysis mode. Basically, autopsy will create a directory that you can burn to a CD and plug it into a running UNIX system so that you can check out some logs and other stuff on a suspect system and not modify the A-Times and be affected by rootkits.

There are some other minor updates as well.

MD5: 73873b4af937cf11354f681b0c269f50

Signature of autopsy-2.00.tar.gz:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQBAW0y5OK1gLsdFTIsRAp8tAJ9P1qP5NrlC8RHl9vrCcPX+Wjzj+QCeNIVt
g05FdzWmEY+BVX8GJAFYEac=
=Jlej
-----END PGP SIGNATURE-----

brian
From: Brian C. <ca...@sl...> - 2004-03-01 15:30:32

There is a new version of TSK out. Only a few changes, but I wanted to get the bug fixes out in the official release.

http://sleuthkit.sourceforge.net/sleuthkit/download.php
MD5: 0826e4b6b3e116a81b40a007d5948e88

(the sleuthkit.org site will be updated later today)

Bug Fixes:
- FAT times were an hour too fast during daylight savings. Now use mktime() instead of manual calculation. Reported by Randall Shane. (BUG: 880606)
- Indirect block pointer blocks would not be identified by the ifind tool. Reported by Knut Eckstein (BUG: 902709)

Updates:
- 'hfind -i' now reports the header entry as an invalid entry. The first header row was ignored.
- Added fs->seek_pos check to fs_read_random.

brian
From: Brian C. <ca...@sl...> - 2004-01-07 01:31:15

The 1.76 version of The Sleuth Kit is available at:

http://www.sleuthkit.org/sleuthkit/index.php
MD5: 6879b74be4cb2c964935286a11459202

This is mostly a bug fix release. A more detailed list of changes can be found in the CHANGES file in the distribution.

Bug Fixes
o Extra entries were printed from the FAT table in 'fsstat'
o The size of EXT3FS files bigger than 2GB was incorrect
o 'icat -h' was not hiding the holes in the file
o Data storage and printing types for file sizes were incorrect
o 'ffind' could crash with the root directory of a FAT image
o The usage of _ALLOC and _UNALLOC internal flags was not consistent

New Features
o Added support for OS X 10.3
o Upgraded the file version from 3.41 to 4.07

brian
From: Brian C. <ca...@sl...> - 2003-11-15 22:12:52

Hello all,

There are new releases of both The Sleuth Kit and Autopsy.

The Sleuth Kit 1.66:

* Bug Fixes
  o fls -r would generate duplicate deleted NTFS file names
  o Would not compile under OpenBSD 3
  o sorter results would go into different categories depending on version of Perl and its internal sorting order
  o ffind now reports the attribute name for NTFS

* Major New Features
  o icat shows slack space with '-s'
  o Solaris x86 disk label (VTOC) support added

http://www.sleuthkit.org/sleuthkit/download.php

Autopsy 1.75:

* Bug Fixes:
  o Better error handling and messages

* Updates:
  o Graphics load better now.

http://www.sleuthkit.org/autopsy/download.php

brian
From: Brian C. <ca...@sl...> - 2003-08-28 22:45:06

New versions of both tools are on the website.

http://www.sleuthkit.org/sleuthkit/index.php
http://www.sleuthkit.org/autopsy/index.php

MD5 (sleuthkit-1.65.tar.gz) = f736a71f7cf849f681a382f1d30ea2c8
MD5 (autopsy-1.74.tar.gz) = 89041a2f18340ab884df3f4627a2e0fb

Major Highlights include:
- Bug fixes with keyword searching
- Support for raw and swap data
- Removed NSRL as a known good database until a better solution can be found to separate them from the known bad entries
- The Perl 5.8 buffer issues are better handled.

brian
From: Brian C. <ca...@sl...> - 2003-08-04 04:35:36

------------- Forwarded Message -------------

Date: 02 Aug 2003 14:29 PDT
From: Brian Carrier <ca...@sl...>
Subject: Sleuth Kit 1.64 Release

Ralf said:
> Although there is an issue compiling on Red Hat Linux 9 at least:
> mmls.c:39: initializer element is not constant

Brian's lesson of the day is to never again say "I don't need to test the extra debug / verbose messages on all platforms". Thanks Ralf.

There was also a typo in the docs that Jake pointed out, that Sun VTOC stands for Volume TOC and not Virtual TOC (and I'm not quite sure why I thought it was "virtual").

MD5 (sleuthkit-1.64.tar.gz) = 12e01373f06ec3dcf73283fca64b30d4
http://www.sleuthkit.org/sleuthkit/download.php

brian
From: Brian C. <ca...@sl...> - 2003-08-01 19:34:01

The Sleuth Kit ver 1.63 has been released.

http://www.sleuthkit.org/sleuthkit/index.php

Updates
- Added Media Management Tools so that partitions can be analyzed and extracted. Support exists for DOS partitions, BSD partitions, Mac partitions, and Sun slices. The 'mmls' tool works like fdisk, but supports the above formats and lists the unallocated space. There are sample outputs in the 'Tool Description' page. (This is useful for OS X users that have no way of listing DOS partition layouts).
- Relaxed the requirements for listing DOS directory entries so that the wtime can now be 0 (Adam Uccello).

Bug Fixes
- 'sorter' had a regular expression bug that did not process all unallocated meta data structures. (Jeff Reava)

MD5 (sleuthkit-1.63.tar.gz) = df31503389419cebc95465e6aa31c0ca

brian
From: Brian C. <ca...@sl...> - 2003-06-11 04:39:25

In record time, a new version of Autopsy is available. The new mactime flag format ('-i day' instead of just '-i') was not incorporated into the distributed version of autopsy. So, when a timeline was created an error was shown. v1.73 fixes this. Thanks to Cathy Buckman for pointing this out!

MD5: ea6d78cc494aa7255ef05ccb2006f0e8
http://www.sleuthkit.org/autopsy/index.php

thanks,
brian
From: Brian C. <ca...@sl...> - 2003-06-10 06:32:15

The Sleuth Kit v1.62 and Autopsy v1.72 are now available.

Overview: The Sleuth Kit has a few bug fixes and a few updates. Autopsy also has a few bug fixes and two new features.

brian

THE SLEUTH KIT 1.62

MD5: sleuthkit-1.62.tar.gz = 98947fb65b41aa5ba600422bd8390062

Updates:
- Added the '-d' flag to 'mactime' to output the timeline in comma delimited format so that it can be imported into spread sheets for report generation or graphing.
- 'mactime' can create summary index files in a daily or hourly basis. These are useful with the -d flag to import the summary files into a spread sheet and graph a histogram of activity.

Bug Fixes:
- In 'fsstat', the last group in an FFS file system could have reported an incorrect last fragment.
- The last fragments in an FFS file system can be read when there are not enough fragments for the block.
- The 'file' output is sanitized in 'sorter' to reduce UTF-8 messages.
- 'sorter' now accepts linux-ext3 as a file system type.

http://www.sleuthkit.org/sleuthkit/index.php
http://sleuthkit.sourceforge.net/sleuthkit/index.php

AUTOPSY 1.72

MD5: autopsy-1.72.tar.gz = f8a74270ced5c302c04b5f17f4643827

New Features / Updates:
- The new Event Sequencer mode allows one to create time-based events for file activity and other logs. This allows one to easily sort a sequence of events during the investigation.
- The results of keyword searches are saved to a file and can be quickly recalled.

Bug Fixes:
- calc_md5() would error if it was called more than once (Paul Bakker)
- Added 'LANG=C LC_ALL=C' to sorter and mactime to reduce the UTF-8 warning messages (debugging help from Daniel Schwartzer).
- The timeline view now allows multiple users for a UID (reported by Cathy Buckman).

http://www.sleuthkit.org/autopsy/index.php
http://sleuthkit.sourceforge.net/autopsy/index.php
From: Brian C. <ca...@sl...> - 2003-04-03 21:58:26

The Sleuth Kit version 1.61 and Autopsy version 1.71 are now available.

http://www.sleuthkit.org/sleuthkit
http://www.sleuthkit.org/autopsy

What is The Sleuth Kit?

The Sleuth Kit was previously known as The @stake Sleuth Kit (TASK) and is now independent from any organization. All future releases will be available from http://www.sleuthkit.org.

What is new in The Sleuth Kit 1.71?

The Sleuth Kit had features added and a couple of bugs were fixed (one is major and all users should upgrade).

Major New Features:
- Thumbnails are now created for graphic images in 'sorter'.
- 'sorter' uses the '-z' flag with 'file' to get the format inside compressed files.
- 'hfind' now supports the new NIST NSRL hash format (version 2)
- 'hfind' now supports the Hash Keeper hash format
- 'ifind -n' now accepts short names for FAT files.
- 'mactime' can create a summary of daily activity with '-i'
- 'file' was updated due to a vulnerability in it

Bug Fixes:
- A final NTFS Index Buffer was not always being processed, which resulted in some files not being shown. (Debugging help from Matthew Shannon).
- NTFS MFT entries with a Magic of 0 were marked as invalid
- 'fls' would crash if a clock skew file was given, the file had an inode of 0, and '-l' or '-m' was given. (Debugging help from Josep Homs).
- 'ifind -n' could return the meta data address of a file that had a name shorter than the requested one

MD5 (sleuthkit-1.61.tar.gz) = cd6783f8d9a109ffe839912674e2f3cf

What is new in Autopsy 1.71:

Autopsy had user interface improvements and added support for new features in The Sleuth Kit.

Major New Features:
- 'autopsy' can be started with no arguments (port 9999 and localhost are assumed)
- The path of a directory or file can be entered instead of having to click through directories (suggested by William Salusky)
- The path in each directory listing now contains hyper links that can be used to quickly return to previous directories
- To add a passwd and group file to a timeline, only the image needs to be specified (Autopsy will find the inode values)
- When adding images, Autopsy will copy or create symlinks to the Evidence Locker instead of forcing the user to
- Added option to extract all graphic images and generate a page of thumbnails
- The new 'summary' page from 'mactime' is used when viewing timelines

Bug Fixes:
- Keyword searching would fail if special characters were not escaped. /, ., [, ^, $, ", and - are now escaped
- The path of a strings file could not have a space in it
- The opening of a case was not being logged in the case log

MD5 (autopsy-1.71.tar.gz) = 931b672fabcdb2145ae51e2885e9b685

What is the April issue of The Sleuth Kit Informer on?

The April issue will cover the 'sorter' tool, including how it works and how to write rulesets to customize how it handles file types.

http://www.sleuthkit.org/informer/

brian
http://www.sleuthkit.org
From: Brian C. <ca...@at...> - 2003-01-29 22:25:31

New versions of TASK and Autopsy are available. TASK has new tools including a hash database lookup tool for the NSRL and Autopsy got a face lift and new features.

WHAT ARE THEY?

The @stake Sleuth Kit (TASK) contains UNIX-based file system digital forensics tools and Autopsy is a graphical interface to the command line tools in TASK.

TASK CHANGES

TASK 1.60 has the following changes:
- The 'hfind' tool can be used to perform hash lookups from the NIST National Software Reference Library (NSRL) and hash databases created by 'md5sum'.
- The 'sorter' tool has been completed. Sorter organizes files based on their file type, while ignoring files that are found in the NSRL and other user supplied databases. It can also generate alerts when 'known bad' files are found and when the extension does not match the file type.
- The 'ifind' tool will now take a file name and identify the meta data structure that it has allocated.
- Bug fixes
  - Casting bug that caused MAGIC errors in fragmented or XP NTFS images
  - Casting bug that caused some inaccurate file times in NTFS images
  - Wrong value for mount status in EXT2FS images in fsstat
  - 'ifind' will not abort when it comes across invalid data in an unallocated file.
- See the CHANGES file for more details

http://sleuthkit.sourceforge.net/index.html
http://www.atstake.com/research/tools/task/index.html
MD5 (task-1.60.tar.gz) = e8542e0cd96ea9d6d32913ac9652cd15

AUTOPSY CHANGES

Autopsy 1.70 has the following changes:
- MAJOR interface improvement. With assistance from Samir Kapuria, Autopsy has a more intuitive interface (see the screen shots)
- Case Management: Cases can contain several hosts, each of which can contain one or more images. All case management is done via the interface (so no more hand editing of fsmorgue!!). Each host can have its own time zone and time skew setting.
- Sorter has been integrated into Autopsy to examine images by file type.
- Hash databases can be used with Autopsy, including the NSRL.

http://autopsy.sourceforge.net/index.html
http://www.atstake.com/research/tools/autopsy/index.html
MD5 (autopsy-1.70.tar.gz) = 50800683d04762779454a3a8227aeac8

OTHER

I am also going to start a monthly e-mail "newsletter" that will contain techniques for using the tools and documents on how the tools work. For example, documenting the design of 'sorter', the new case management directory structure in Autopsy, techniques for using the tools for Incident Response and rootkit detection. The first issue will be Feb 15. You can sign up for the 'sleuthkit-informer' at:

http://sourceforge.net/mail/?group_id=55685

Lastly, I wrote a paper a few months back on Open Source forensics software and the potential legal benefits. If interested, it can be found here:

Open Source Forensics: The Legal Argument
http://www.atstake.com/research/reports/index.html#opensource_forensics

brian
From: Brian C. <ca...@at...> - 2002-10-10 15:01:31

TASK 1.52 and Autopsy 1.62 are now available.

What is New?
- Autopsy has new features that make the Honeynet Scan of the Month a little easier:
  - Extract or view any number of consecutive data units (fragments, sectors, clusters etc.).
  - The file type (output from 'file') is shown when viewing a data unit.
- Autopsy has a bug fix that caused problems when key word searching a large file (thanks to Michael Stone)
- TASK has a beta version of a new tool: 'sorter'.
  - It runs 'file' on every file in the system and sorts them based on type. It either just writes the name to a file or will save the file.
  - It also does extension checking to verify the type corresponds with the extension.

Where do I get them?

http://www.atstake.com/research/tools/task
MD5 (task-1.52.tar.gz) = 475af26bad7492d61490a69ad7f2472e

http://www.atstake.com/research/tools/autopsy
MD5 (autopsy-1.62.tar.gz) = 84f8618c84c1c48db0a1d4591ed22b06

What Are They?

The @stake Sleuth Kit (TASK) is a collection of open source forensic analysis tools for the analysis of Windows and UNIX file systems. Autopsy is an HTML-based graphical interface to the command line tools of TASK.

brian
From: Brian C. <bca...@at...> - 2002-09-20 15:43:47

TASK 1.51 and Autopsy 1.61 are now available.

TASK: http://www.atstake.com/research/tools/task
Autopsy: http://www.atstake.com/research/tools/autopsy

Summary of Changes:

TASK:
- fixed 2 bugs with the NTFS code that generated errors. They had to do with $MFT and fragmentation (details in CHANGES).
- Updated the version of 'file' that is included
- Added flag to some tools for time skew in seconds. This makes it easier to correlate data between multiple sources that do not have NTP.

Autopsy:
- improved error messages and minor updates

Tool Descriptions:

The @stake Sleuth Kit (TASK) is an open source collection of file system forensic analysis tools for Windows and UNIX file systems. TASK allows one to view allocated and deleted data from NTFS, FAT, FFS, and EXT2FS images.

The Autopsy Forensic Browser is a graphical interface to the command line tools in TASK. Autopsy allows one to view allocated and deleted file system content in a "File Manager" style interface and perform keyword searches.

brian