Releases: fox-it/dissect
3.15
Highlights
- Release of dissect.cstruct V.4.0 - major rewrite of dissect core engine! Further details
- target tools usability:
- Improved error description
- Indication for cache use
- Configurations query plugin including the use of glob patterns in searches
- MPLog parser added to Windows Defender plugin
- Identification of Windows 11 build improved
Contributors
Thanks to our contributors for making this release possible:
Full Changelogs
dissect: 3.14 → 3.15
https://github.com/fox-it/dissect/releases/tag/3.15
dissect.archive: 1.1 → 1.2
https://github.com/fox-it/dissect.archive/releases/tag/1.2
dissect.btrfs: 1.3 → 1.4
https://github.com/fox-it/dissect.btrfs/releases/tag/1.4
dissect.cim: 3.9 → 3.10
https://github.com/fox-it/dissect.cim/releases/tag/3.10
dissect.clfs: 1.8 → 1.9
https://github.com/fox-it/dissect.clfs/releases/tag/1.9
dissect.cstruct: 3.14 → 4.0
https://github.com/fox-it/dissect.cstruct/releases/tag/4.0
dissect.esedb: 3.13 → 3.14
https://github.com/fox-it/dissect.esedb/releases/tag/3.14
dissect.etl: 3.9 → 3.10
https://github.com/fox-it/dissect.etl/releases/tag/3.10
dissect.eventlog: 3.8 → 3.9
https://github.com/fox-it/dissect.eventlog/releases/tag/3.9
dissect.evidence: 3.9 → 3.10
https://github.com/fox-it/dissect.evidence/releases/tag/3.10
dissect.executable: 1.6 → 1.7
https://github.com/fox-it/dissect.executable/releases/tag/1.7
dissect.extfs: 3.10 → 3.11
https://github.com/fox-it/dissect.extfs/releases/tag/3.11
dissect.fat: 3.9 → 3.10
https://github.com/fox-it/dissect.fat/releases/tag/3.10
dissect.ffs: 3.8 → 3.9
https://github.com/fox-it/dissect.ffs/releases/tag/3.9
dissect.hypervisor: 3.13 → 3.14
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.14
dissect.jffs: 1.2 → 1.3
https://github.com/fox-it/dissect.jffs/releases/tag/1.3
dissect.ntfs: 3.10 → 3.11
https://github.com/fox-it/dissect.ntfs/releases/tag/3.11
dissect.ole: 3.8 → 3.9
https://github.com/fox-it/dissect.ole/releases/tag/3.9
dissect.regf: 3.10 → 3.11
https://github.com/fox-it/dissect.regf/releases/tag/3.11
dissect.shellitem: 3.8 → 3.9
https://github.com/fox-it/dissect.shellitem/releases/tag/3.9
dissect.sql: 3.9 → 3.10
https://github.com/fox-it/dissect.sql/releases/tag/3.10
dissect.squashfs: 1.5 → 1.6
https://github.com/fox-it/dissect.squashfs/releases/tag/1.6
dissect.target: 3.17 → 3.18
https://github.com/fox-it/dissect.target/releases/tag/3.18
dissect.thumbcache: 1.8 → 1.9
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.9
dissect.util: 3.16 → 3.17
https://github.com/fox-it/dissect.util/releases/tag/3.17
dissect.vmfs: 3.8 → 3.9
https://github.com/fox-it/dissect.vmfs/releases/tag/3.9
dissect.volume: 3.10 → 3.11
https://github.com/fox-it/dissect.volume/releases/tag/3.11
dissect.xfs: 3.9 → 3.10
https://github.com/fox-it/dissect.xfs/releases/tag/3.10
Release dissect 3.14
Highlights
New project created:
- dissect.archive: Adds parsers for various archive and backup formats
- Support for WIM format (except for split files)
Notable changes:
- Acquire:
- Better de-duplication of paths
- Consistent casing of drive letters in windows acquires
- You can now target multiple targets!
- Addtional AnyDesk paths collected
- dissect.ntfs:
- Ability to yield MFT segments in specified ranges
- dissect.target:
- Uses new flow.record v.3.15
- Added a layer filesystem that extends the root filesystem
- Support for TOML in Unix Config Parser
- target-dump supports namespace plugins
- Support for Fortinet FW files
- Catroot plugin refactored and improved
- flow.record: Changes to the TCP Splunk adapter:
type
field renamedrdtype
- Additional internal record fields added:
rd__source
from_source
rd__classification
from_classification
rd_generated
from_generated
Contributors
Thanks to our contributors for making this release possible:
@Bopobopob
@d3dave
@joost-j
@JSCU-CNI
@M1ra1B0T
@MaxGroot
@mnrkbys
@Zawadidone
Full Changelogs
dissect: 3.13 → 3.14
https://github.com/fox-it/dissect/releases/tag/3.14
dissect.archive: ✨1.1
https://github.com/fox-it/dissect.archive/releases/tag/1.1
dissect.btrfs: 1.2 → 1.3
https://github.com/fox-it/dissect.btrfs/releases/tag/1.3
dissect.cim: 3.8 → 3.9
https://github.com/fox-it/dissect.cim/releases/tag/3.9
dissect.clfs: 1.7 → 1.8
https://github.com/fox-it/dissect.clfs/releases/tag/1.8
dissect.cstruct: 3.13 → 3.14
https://github.com/fox-it/dissect.cstruct/releases/tag/3.14
dissect.esedb: 3.12 → 3.13
https://github.com/fox-it/dissect.esedb/releases/tag/3.13
dissect.etl: 3.8 → 3.9
https://github.com/fox-it/dissect.etl/releases/tag/3.9
dissect.eventlog: 3.7 → 3.8
https://github.com/fox-it/dissect.eventlog/releases/tag/3.8
dissect.evidence: 3.8 → 3.9
https://github.com/fox-it/dissect.evidence/releases/tag/3.9
dissect.executable: 1.5 → 1.6
https://github.com/fox-it/dissect.executable/releases/tag/1.6
dissect.extfs: 3.9 → 3.10
https://github.com/fox-it/dissect.extfs/releases/tag/3.10
dissect.fat: 3.8 → 3.9
https://github.com/fox-it/dissect.fat/releases/tag/3.9
dissect.ffs: 3.7 → 3.8
https://github.com/fox-it/dissect.ffs/releases/tag/3.8
dissect.hypervisor: 3.12 → 3.13
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.13
dissect.jffs: 1.1 → 1.2
https://github.com/fox-it/dissect.jffs/releases/tag/1.2
dissect.ntfs: 3.9 → 3.10
https://github.com/fox-it/dissect.ntfs/releases/tag/3.10
dissect.ole: 3.7 → 3.8
https://github.com/fox-it/dissect.ole/releases/tag/3.8
dissect.regf: 3.9 → 3.10
https://github.com/fox-it/dissect.regf/releases/tag/3.10
dissect.shellitem: 3.7 → 3.8
https://github.com/fox-it/dissect.shellitem/releases/tag/3.8
dissect.sql: 3.8 → 3.9
https://github.com/fox-it/dissect.sql/releases/tag/3.9
dissect.squashfs: 1.4 → 1.5
https://github.com/fox-it/dissect.squashfs/releases/tag/1.5
dissect.target: 3.16 → 3.17
https://github.com/fox-it/dissect.target/releases/tag/3.17
dissect.thumbcache: 1.7 → 1.8
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.8
dissect.util: 3.15 → 3.16
https://github.com/fox-it/dissect.util/releases/tag/3.16
dissect.vmfs: 3.7 → 3.8
https://github.com/fox-it/dissect.vmfs/releases/tag/3.8
dissect.volume: 3.9 → 3.10
https://github.com/fox-it/dissect.volume/releases/tag/3.10
dissect.xfs: 3.8 → 3.9
https://github.com/fox-it/dissect.xfs/releases/tag/3.9
Release dissect 3.13 (#48)
Highlights
New filesystem support
- vmtar (archive based filesystem)
- cpio (archive based filesystem)
New plugins
- Brave browser plugin as apps.browser.brave
- Docker logs plugin as apps.container.docker.logs
- Linux locate plugin as os.unix.locate
Plugin improvements
- The Firefox and Chromium-based browser plugins now support reporting cookie data
- In absence of configuration files, the IIS plugin wil try to find logs in default directories
- The Windows Error Report Plugin is made more robust against keys that clash with restricted record names
- The Windows Defender plugin now properly sets the ts (timestamp) field
Misc changes
- Windows installations on drive letters other than C:\ are now supported
- On Linux systems mounts by label are now supported
- The unified configuration parser now supports JSON, YAML and XML
- Integrated test runs on Windows in the CI pipeline
- Support TPM encrypted ESXi "local state" filesystem
Contributors
Thanks to our contributors for making this release possible:
@florisvanstal
@JSCU-CNI
@YoeriNijs
@Zawadidone
Full Changelogs
dissect: 3.12 → 3.13
https://github.com/fox-it/dissect/releases/tag/3.13
dissect.btrfs: 1.1 → 1.2
https://github.com/fox-it/dissect.btrfs/releases/tag/1.2
dissect.cim: 3.7 → 3.8
https://github.com/fox-it/dissect.cim/releases/tag/3.8
dissect.clfs: 1.6 → 1.7
https://github.com/fox-it/dissect.clfs/releases/tag/1.7
dissect.cstruct: 3.12 → 3.13
https://github.com/fox-it/dissect.cstruct/releases/tag/3.13
dissect.esedb: 3.11 → 3.12
https://github.com/fox-it/dissect.esedb/releases/tag/3.12
dissect.etl: 3.7 → 3.8
https://github.com/fox-it/dissect.etl/releases/tag/3.8
dissect.eventlog: 3.6 → 3.7
https://github.com/fox-it/dissect.eventlog/releases/tag/3.7
dissect.evidence: 3.7 → 3.8
https://github.com/fox-it/dissect.evidence/releases/tag/3.8
dissect.executable: 1.4 → 1.5
https://github.com/fox-it/dissect.executable/releases/tag/1.5
dissect.extfs: 3.8 → 3.9
https://github.com/fox-it/dissect.extfs/releases/tag/3.9
dissect.fat: 3.7 → 3.8
https://github.com/fox-it/dissect.fat/releases/tag/3.8
dissect.ffs: 3.6 → 3.7
https://github.com/fox-it/dissect.ffs/releases/tag/3.7
dissect.hypervisor: 3.11 → 3.12
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.12
dissect.jffs: 1.0 → 1.1
https://github.com/fox-it/dissect.jffs/releases/tag/1.1
dissect.ntfs: 3.8 → 3.9
https://github.com/fox-it/dissect.ntfs/releases/tag/3.9
dissect.ole: 3.6 → 3.7
https://github.com/fox-it/dissect.ole/releases/tag/3.7
dissect.regf: 3.8 → 3.9
https://github.com/fox-it/dissect.regf/releases/tag/3.9
dissect.shellitem: 3.6 → 3.7
https://github.com/fox-it/dissect.shellitem/releases/tag/3.7
dissect.sql: 3.7 → 3.8
https://github.com/fox-it/dissect.sql/releases/tag/3.8
dissect.squashfs: 1.3 → 1.4
https://github.com/fox-it/dissect.squashfs/releases/tag/1.4
dissect.target: 3.15 → 3.16
https://github.com/fox-it/dissect.target/releases/tag/3.16
dissect.thumbcache: 1.6 → 1.7
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.7
dissect.util: 3.14 → 3.15
https://github.com/fox-it/dissect.util/releases/tag/3.15
dissect.vmfs: 3.6 → 3.7
https://github.com/fox-it/dissect.vmfs/releases/tag/3.7
dissect.volume: 3.8 → 3.9
https://github.com/fox-it/dissect.volume/releases/tag/3.9
dissect.xfs: 3.7 → 3.8
https://github.com/fox-it/dissect.xfs/releases/tag/3.8
Release dissect 3.12 (#45)
Highlights
New platforms
- The FortiOS platform is now supported as a Linux sub-OS
New filesystem support
- jffs is now also available in dissect.target
Filesystem improvements
- Sparse indirect blocks in ExtFS now work properly
- Improved parsing of complex ACLs in NTFS
New plugins
- A PuTTY plugin is added to the apps/ssh section
- A Citrix Netscaler webserver logs plugin is added to the apps/webservers section
- A SchedLgU plugin to parse SchedLgU.txt logs is added to the os/windows/log section
Misc changes
- Speed improvements in reading esedb records
- Virtual NTFS filesystems are now acquired properly
- Acquired files from case insensitive filesystems are now correctly de-duplicated
- Numerous miscellaneous Linux and Windows artifacts are added to acquire to be collected
- TargetPath now supports Python 3.12 (and as a consequence so does the whole of dissect)
- The Yara plugin is now supported by using our own pre-build yara-python-wheel pypi repository
target-shell
now has more cyber- fuse3 support is added to
target-mount
Contributors
Thanks to our contributors for making this release possible:
@burneykb
@diversenok
@JSCU-CNI
@MaxGroot
@Repsay
@JazzCore
@ydkhatri
@Zawadidone
Full Changelogs
dissect: 3.11 → 3.12
https://github.com/fox-it/dissect/releases/tag/3.12
dissect.btrfs: 💤1.1 (no changes)
https://github.com/fox-it/dissect.btrfs/releases/tag/1.1
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 3.11 → 3.12
https://github.com/fox-it/dissect.cstruct/releases/tag/3.12
dissect.esedb: 3.10 → 3.11
https://github.com/fox-it/dissect.esedb/releases/tag/3.11
dissect.etl: 💤3.7 (no changes)
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 💤3.7 (no changes)
https://github.com/fox-it/dissect.evidence/releases/tag/3.7
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 3.7 → 3.8
https://github.com/fox-it/dissect.extfs/releases/tag/3.8
dissect.fat: 💤3.7 (no changes)
https://github.com/fox-it/dissect.fat/releases/tag/3.7
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 3.10 → 3.11
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.11
dissect.jffs: 💤1.0 (no changes)
https://github.com/fox-it/dissect.jffs/releases/tag/1.0
dissect.ntfs: 3.7 → 3.8
https://github.com/fox-it/dissect.ntfs/releases/tag/3.8
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 💤3.8 (no changes)
https://github.com/fox-it/dissect.regf/releases/tag/3.8
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 💤3.7 (no changes)
https://github.com/fox-it/dissect.sql/releases/tag/3.7
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.14 → 3.15
https://github.com/fox-it/dissect.target/releases/tag/3.15
dissect.thumbcache: 💤1.6 (no changes)
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.6
dissect.util: 3.13 → 3.14
https://github.com/fox-it/dissect.util/releases/tag/3.14
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 3.7 → 3.8
https://github.com/fox-it/dissect.volume/releases/tag/3.8
dissect.xfs: 3.6 → 3.7
https://github.com/fox-it/dissect.xfs/releases/tag/3.7
Release dissect 3.11 (#41)
Highlights
New filesystem support
- btrfs
- jffs (not yet available in dissect.target)
Improved plugins
- Unix acitivity robustness
- Windows CIM (consumerbindings) database robustness
- Windows MRUList robustness
- Windows teamviewer robustness in datetime parsing
- Windows iexplore.downloads robustness
- sshd.config proper config parsing of multiple values for the same key
- walkfs now walks the target's root filesystem instead of all the separate filesystems
Misc changes
- Most unit tests should now also run on windows
- Improved output for the
--hash
option of target-query - Previously detected but unmounted filesystems are now mounted under
$fs$/fs<idx>
- Improved support for Alpine Linux
target-shell
deals better with unicode characters in path and file names
Contributors
Thanks to our contributors for making this release possible:
@JSCU-CNI
@Paradoxis
@Zawadidone
Full Changelogs
dissect: 3.10 → 3.11
https://github.com/fox-it/dissect/releases/tag/3.11
dissect.btrfs: ✨1.1
https://github.com/fox-it/dissect.btrfs/releases/tag/1.1
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 3.10 → 3.11
https://github.com/fox-it/dissect.cstruct/releases/tag/3.11
dissect.esedb: 3.9 → 3.10
https://github.com/fox-it/dissect.esedb/releases/tag/3.10
dissect.etl: 💤3.7 (no changes)
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 💤3.7 (no changes)
https://github.com/fox-it/dissect.evidence/releases/tag/3.7
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 3.6 → 3.7
https://github.com/fox-it/dissect.extfs/releases/tag/3.7
dissect.fat: 💤3.7 (no changes)
https://github.com/fox-it/dissect.fat/releases/tag/3.7
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 💤3.10 (no changes)
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.10
dissect.jffs: ✨1.0
https://github.com/fox-it/dissect.jffs/releases/tag/1.0
dissect.ntfs: 💤3.7 (no changes)
https://github.com/fox-it/dissect.ntfs/releases/tag/3.7
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 💤3.8 (no changes)
https://github.com/fox-it/dissect.regf/releases/tag/3.8
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 💤3.7 (no changes)
https://github.com/fox-it/dissect.sql/releases/tag/3.7
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.13 → 3.14
https://github.com/fox-it/dissect.target/releases/tag/3.14
dissect.thumbcache: 💤1.6 (no changes)
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.6
dissect.util: 3.12 → 3.13
https://github.com/fox-it/dissect.util/releases/tag/3.13
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 💤3.7 (no changes)
https://github.com/fox-it/dissect.volume/releases/tag/3.7
dissect.xfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.xfs/releases/tag/3.6
Release dissect 3.10 (#39)
Highlights
Misc Changes
- target-info is made more robust against missing information in a target.
- A unified configuration parser to parse configuration files is added. For now it parses:
- .ini files,
- files with key<separator>value entries,
- plain text files (like shell scripts as configuration),
- systemd type configuration files,
- ssh(d) type configuration files.
- target-shell on unix type systems got a
registry
command, which will use theetc
plugin which builds on top of the unified configuration parser. - target-query got a
--dry-run
option to show which functions (specified by-f
) would have been executed on a target. - target-query got a
-xf
option to exclude functions sepcified by-f
. This is useful to exclude certain functions when wildcards are used in the-f
option. - The
--hash
option of target-query is fixed, as it was broken after last release.
New loaders
- Open Virtual Appliance (OVA) files.
New volumes
- LUKS v2 volumes are now supported.
- DDF (Disk Data Format, the RAID disk format used by for Dell systems) volumes are now supported.
New Plugins
- An
etc
plugin is added for unix type systems which uses the unified configuration parser.
Updated Plugins
- The wireguard plugin is more robust against missing data in configuration files, which can happen on Windows systems.
- The linux _os plugin now supports /dev/disk/by-uuid fstab entries.
Contributors
Thanks to our contributors for making this release possible:
Full Changelogs
dissect: 3.9 → 3.10
https://github.com/fox-it/dissect/releases/tag/3.10
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 💤3.10 (no changes)
https://github.com/fox-it/dissect.cstruct/releases/tag/3.10
dissect.esedb: 💤3.9 (no changes)
https://github.com/fox-it/dissect.esedb/releases/tag/3.9
dissect.etl: 💤3.7 (no changes)
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 💤3.7 (no changes)
https://github.com/fox-it/dissect.evidence/releases/tag/3.7
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.extfs/releases/tag/3.6
dissect.fat: 3.6 → 3.7
https://github.com/fox-it/dissect.fat/releases/tag/3.7
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 3.9 → 3.10
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.10
dissect.ntfs: 💤3.7 (no changes)
https://github.com/fox-it/dissect.ntfs/releases/tag/3.7
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 3.7 → 3.8
https://github.com/fox-it/dissect.regf/releases/tag/3.8
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 3.6 → 3.7
https://github.com/fox-it/dissect.sql/releases/tag/3.7
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.12 → 3.13
https://github.com/fox-it/dissect.target/releases/tag/3.13
dissect.thumbcache: 💤1.6 (no changes)
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.6
dissect.util: 3.11 → 3.12
https://github.com/fox-it/dissect.util/releases/tag/3.12
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 💤3.7 (no changes)
https://github.com/fox-it/dissect.volume/releases/tag/3.7
dissect.xfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.xfs/releases/tag/3.6
Release dissect 3.9 (#38)
Highlights
Misc changes:
- dissect.cstruct has a new and vastly improved expression parser
- Support for various RAID formats and LVM variants
- Volatile directories are now mounted when running on a local target
- Add support for decrypting and using System DPAPI secrets on Windows
New loaders:
- Add a new SMB loader and filesystem to use an SMB share as target
New plugins:
- cPanel lastlogin files
- Symantic Secure Endpoint
- Windows 10 notifications from appdb.dat file
- multiple plugins for volatile Linux artifacts (sockets, processes)
- Linux modules and lsmod plugin
Updated plugins
- IPv6 adresses in UTMP logs are now interpreted correctly
- ufw firewall configuration support added to the Linux firewall plugin
Acquire changes:
- Add collection of OSX DHCP settings and application's Info.plist paths
- Improved collection of Linux volatile paths (/proc & /sys)
- Add collection of paths related to Windows memoy
- IIS artefacts are now collected by default in the "full" profile
Contributors
Thanks to our contributors for making this release possible:
@0x49736b
@cobyge
@idem-s1n
@JSCU-CNI
@OlafHaalstra
@Paradoxis
@RGlintmeijer
@sMezaOrellana
@Zawadidone
Full Changelogs
dissect: 3.8.1 → 3.9
https://github.com/fox-it/dissect/releases/tag/3.9
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 3.9 → 3.10
https://github.com/fox-it/dissect.cstruct/releases/tag/3.10
dissect.esedb: 3.8 → 3.9
https://github.com/fox-it/dissect.esedb/releases/tag/3.9
dissect.etl: 💤3.7 (no changes)
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 3.6 → 3.7
https://github.com/fox-it/dissect.evidence/releases/tag/3.7
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.extfs/releases/tag/3.6
dissect.fat: 💤3.6 (no changes)
https://github.com/fox-it/dissect.fat/releases/tag/3.6
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 3.8 → 3.9
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.9
dissect.ntfs: 💤3.7 (no changes)
https://github.com/fox-it/dissect.ntfs/releases/tag/3.7
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 💤3.7 (no changes)
https://github.com/fox-it/dissect.regf/releases/tag/3.7
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 💤3.6 (no changes)
https://github.com/fox-it/dissect.sql/releases/tag/3.6
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.11.1 → 3.12
https://github.com/fox-it/dissect.target/releases/tag/3.12
dissect.thumbcache: 1.5 → 1.6
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.6
dissect.util: 3.10 → 3.11
https://github.com/fox-it/dissect.util/releases/tag/3.11
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 3.6 → 3.7
https://github.com/fox-it/dissect.volume/releases/tag/3.7
dissect.xfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.xfs/releases/tag/3.6
Release dissect 3.8.1
Highlights
- Fixed issue in
registry
plugin where theroot
key could not be fetched, which impacted theregf
plugin andtarget-regf
. - Add a OSPlugin for citrix netscalers
Full Changelogs
dissect: 3.8 → 3.8.1
https://github.com/fox-it/dissect/releases/tag/3.8.1
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 💤3.9 (no changes)
https://github.com/fox-it/dissect.cstruct/releases/tag/3.9
dissect.esedb: 💤3.8 (no changes)
https://github.com/fox-it/dissect.esedb/releases/tag/3.8
dissect.etl: 💤3.7 (no changes)
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 💤3.6 (no changes)
https://github.com/fox-it/dissect.evidence/releases/tag/3.6
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.extfs/releases/tag/3.6
dissect.fat: 💤3.6 (no changes)
https://github.com/fox-it/dissect.fat/releases/tag/3.6
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 💤3.8 (no changes)
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.8
dissect.ntfs: 💤3.7 (no changes)
https://github.com/fox-it/dissect.ntfs/releases/tag/3.7
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 💤3.7 (no changes)
https://github.com/fox-it/dissect.regf/releases/tag/3.7
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 💤3.6 (no changes)
https://github.com/fox-it/dissect.sql/releases/tag/3.6
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.11 → 3.11.1
https://github.com/fox-it/dissect.target/releases/tag/3.11.1
dissect.thumbcache: 💤1.5 (no changes)
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.5
dissect.util: 💤3.10 (no changes)
https://github.com/fox-it/dissect.util/releases/tag/3.10
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 💤3.6 (no changes)
https://github.com/fox-it/dissect.volume/releases/tag/3.6
dissect.xfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.xfs/releases/tag/3.6
Release dissect 3.8
Highlights
New plugins:
- Generic:
- OpenVPN configuration plugin for client and server configuration - OSX:
- User plugin, which shows all the users on osx machines
- IPs plugin, allows the ips to work on osx targets
Updated plugins:
- ETL: Now decompresses compressed buffers
- Unix services: Improved the systemd service parsing
Loader:
- DirLoader: functions with directories made using acquire
- MultiRawLoader: Allows you to load multiple disks into one target.
This has to be a + separated string containing absolute or relative path to the disks. (/path/to/disk1+/path/to/disk2
)
Misc changes/fixes:
- Target-shell
- Use
enter <path>
to open a target inside of another target. - No duplicate files when saving a directory using the
save
command.
- Use
- Registry improvements: Allows for globbing through the windows registry
Contributors
Thanks to our contributors for making this release possible:
@cobyge
@nrhtr
@JSCU-CNI
@sMezaOrellana
@sulonl
@Zawadidone
Full Changelogs
dissect: 3.7 → 3.8
https://github.com/fox-it/dissect/releases/tag/3.8
dissect.cim: 💤3.7 (no changes)
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 💤1.6 (no changes)
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 3.8 → 3.9
https://github.com/fox-it/dissect.cstruct/releases/tag/3.9
dissect.esedb: 💤3.8 (no changes)
https://github.com/fox-it/dissect.esedb/releases/tag/3.8
dissect.etl: 3.6 → 3.7
https://github.com/fox-it/dissect.etl/releases/tag/3.7
dissect.eventlog: 💤3.6 (no changes)
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 💤3.6 (no changes)
https://github.com/fox-it/dissect.evidence/releases/tag/3.6
dissect.executable: 💤1.4 (no changes)
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.extfs/releases/tag/3.6
dissect.fat: 💤3.6 (no changes)
https://github.com/fox-it/dissect.fat/releases/tag/3.6
dissect.ffs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 💤3.8 (no changes)
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.8
dissect.ntfs: 3.6 → 3.7
https://github.com/fox-it/dissect.ntfs/releases/tag/3.7
dissect.ole: 💤3.6 (no changes)
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 3.6 → 3.7
https://github.com/fox-it/dissect.regf/releases/tag/3.7
dissect.shellitem: 💤3.6 (no changes)
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 💤3.6 (no changes)
https://github.com/fox-it/dissect.sql/releases/tag/3.6
dissect.squashfs: 💤1.3 (no changes)
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.10 → 3.11
https://github.com/fox-it/dissect.target/releases/tag/3.11
dissect.thumbcache: 💤1.5 (no changes)
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.5
dissect.util: 3.9 → 3.10
https://github.com/fox-it/dissect.util/releases/tag/3.10
dissect.vmfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 💤3.6 (no changes)
https://github.com/fox-it/dissect.volume/releases/tag/3.6
dissect.xfs: 💤3.6 (no changes)
https://github.com/fox-it/dissect.xfs/releases/tag/3.6
Release dissect 3.7 (#33)
Highlights
- Windows plugin additions and improvements:
at.exe
jobs are now emitted by the tasks plugin.- Tasks from AD Group Policy Objects are now emitted by the tasks plugin.
- Tasks within a ScheduledTask.xml file are not parsed when nested in a
<ScheduledTask>
element. This will be supported in the next release.
- Tasks within a ScheduledTask.xml file are not parsed when nested in a
- A new AppX debug information plugin
appxdebugkeys
is added. - The Windows defender plugin can now also emit exclusions.
amcache
now returns the proper arp created install records.- A new shophos plugin supporting Sophos Home and Sophos Hitman has been added.
- Linux plugin additions and improvements:
- A new systemd journal plugin is added.
- Loader additions and improvements:
- The
LogLoader
can now handle IIS logs.
- The
- Misc improvements:
- Cleaner handling of
KeyboardInterrups
andOSErrors
in the various target tools. - Compatibility for
TargetPath
andFilesystemEntry
with Python 3.11.4. - The LZO decompressor now handles bitstream compressed data properly.
target-info
now handles time zones properly for older Windows versions.
- Cleaner handling of
Contributors
Thanks to our contributors for making this release possible:
Full Changelogs
dissect: 3.6 → 3.7
https://github.com/fox-it/dissect/releases/tag/3.7
dissect.cim: 3.6 → 3.7
https://github.com/fox-it/dissect.cim/releases/tag/3.7
dissect.clfs: 1.5 → 1.6
https://github.com/fox-it/dissect.clfs/releases/tag/1.6
dissect.cstruct: 3.7 → 3.8
https://github.com/fox-it/dissect.cstruct/releases/tag/3.8
dissect.esedb: 3.7 → 3.8
https://github.com/fox-it/dissect.esedb/releases/tag/3.8
dissect.etl: 3.5 → 3.6
https://github.com/fox-it/dissect.etl/releases/tag/3.6
dissect.eventlog: 3.5 → 3.6
https://github.com/fox-it/dissect.eventlog/releases/tag/3.6
dissect.evidence: 3.5 → 3.6
https://github.com/fox-it/dissect.evidence/releases/tag/3.6
dissect.executable: 1.3 → 1.4
https://github.com/fox-it/dissect.executable/releases/tag/1.4
dissect.extfs: 3.5 → 3.6
https://github.com/fox-it/dissect.extfs/releases/tag/3.6
dissect.fat: 3.5 → 3.6
https://github.com/fox-it/dissect.fat/releases/tag/3.6
dissect.ffs: 3.5 → 3.6
https://github.com/fox-it/dissect.ffs/releases/tag/3.6
dissect.hypervisor: 3.7 → 3.8
https://github.com/fox-it/dissect.hypervisor/releases/tag/3.8
dissect.ntfs: 3.5 → 3.6
https://github.com/fox-it/dissect.ntfs/releases/tag/3.6
dissect.ole: 3.5 → 3.6
https://github.com/fox-it/dissect.ole/releases/tag/3.6
dissect.regf: 3.5 → 3.6
https://github.com/fox-it/dissect.regf/releases/tag/3.6
dissect.shellitem: 3.5 → 3.6
https://github.com/fox-it/dissect.shellitem/releases/tag/3.6
dissect.sql: 3.5 → 3.6
https://github.com/fox-it/dissect.sql/releases/tag/3.6
dissect.squashfs: 1.2 → 1.3
https://github.com/fox-it/dissect.squashfs/releases/tag/1.3
dissect.target: 3.9 → 3.10
https://github.com/fox-it/dissect.target/releases/tag/3.10
dissect.thumbcache: 1.4 → 1.5
https://github.com/fox-it/dissect.thumbcache/releases/tag/1.5
dissect.util: 3.8 → 3.9
https://github.com/fox-it/dissect.util/releases/tag/3.9
dissect.vmfs: 3.5 → 3.6
https://github.com/fox-it/dissect.vmfs/releases/tag/3.6
dissect.volume: 3.5 → 3.6
https://github.com/fox-it/dissect.volume/releases/tag/3.6
dissect.xfs: 3.5 → 3.6
https://github.com/fox-it/dissect.xfs/releases/tag/3.6