The Sleuth Kit 4.11.1
The Sleuth Kit 4.11.0
- Added checks at various layers to detect encrypted file systems and disks to give more useful error messages.
- Added checks to detect file formats that are not supported (such as AD1, ZIP, etc.) to give more useful error messages.
- Added tsk_imageinfo tool that detects if an image is supported by TSK and if it is encrypted.
- Added numerous bounds checks from @joachimmetz
- Clarified licenses as pointed out by @joachimmetz
- Updated from Schema 8.6 to 9.1.
- Added tables and classes for OS Accounts and Realms (Domains).
- Added tables and classes for Host Addresses (IP, MAC, etc.).
- Added tables and classes for Analysis Results vs Data Artifacts by adding onto BlackboardArtifacts.
- Added tables and classes for Host and Person to make it easier to group data sources.
- Added static types for standard artifact types.
- Added File Attribute table to allow custom information to be stored for each file.
- Made ordering of getting lock and connection consistent.
- Made the findFile methods more efficient by using extension (which is indexed).
The Sleuth Kit 4.10.2
- Added support for Ext4 inline data
- New Blackboard Artifacts for ALEAPP/ILEAPP, Yara, Geo Area, etc.
- Upgraded to PostgreSQL JDBC Driver 42.2.18
- Added SHA256 to files table in DB and added utility calculation methods.
- Changed TimelineManager to make events for any artifact with a time stamp
- Added Japanese translations
- Fixed synchronization bug in getUniquePath
The Sleuth Kit 4.10.1
- Changed Windows build to use Nuget for libewf, libvmdk, libvhdi.
- Fixed compiler warnings
- Clarified licenses and added Apache license to distribution
- Improved error handling for out of memory issues
- Rejistry++ memory leak fixes
- Localized for Japanese
NOTE: .deb file was updated because the initial one was compiled for Java11 instead of Java8. The one for Java8 has an MD5 of c3ca85a89ba19ed34f26d227384a4f11.
The Sleuth Kit 4.10.0
- Removed PostgreSQL code (that was used only by Java code)
- Added Java callback support so that database inserts are done in Java.
- Added methods and callbacks as required to allow database population to happen in Java instead of C/C++.
- Added support to allow Autopsy streaming ingest where files are added in batches.
- Added TaggingManager class and concept of a TagSet to support ProjectVic categories.
- Fixed changes to normalization and validation of emails and phone numbers.
- Added a CASE/UCO JAR file that creates JSON-LD based on TSK objects.
The Sleuth Kit 4.9.0
- Removed framework project. Use Autopsy instead if you need an analysis framework.
- Various fixes from Google-based fuzzing.
- Ensure all reads (even big ones) are sector aligned when reading from Windows device.
- Ensure all command line tools support new pool command line arguments.
- Create virtual files for APFS unallocated space
- HFS fix to display type
- More artifact helper methods
- More artifacts and attributes for drones and GPS coordinates
- Updated TimelineManager to insert GPS artifacts into events table
The Sleuth Kit 4.8.0
[NOTE: The .tar.gz file was updated after the initial release to fix some compiler errors related to maven and APFS on OS X. No logic changes were made though. Hashes are at the bottom of this note]
- Pool layer was added to support APFS. NOTE: API is likely to change.
- Limited APFS support added in libtsk and some of the command line tools.
-- Encryption support is not complete.
-- Black Bag Technologies submitted the initial PR. Basis Technology did some minor refactoring.
- Refactoring and minor fixes to Logical Imager
- Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
- Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
- File system bug fixes from uckelman-sf on GitHub
- DB schema was updated to support pools
- Added concept of JSON in Blackboard Attributes
- Schema supports cascading deletes to enable data source deletion
- Added Pool class and associated infrastructure
- Added methods to support deleting data sources from database
- Removed JavaFX as a dependency by refactoring the recently introduced timeline filtering classes.
- Added attachment support to the blackboard helper package.
Hash of .tar.gz that would not compile on all systems: b5c081eb2cc92d2e56b8c470de37f890
Hash of fixed version: c7f9431bceae9b421b337d3c44af4ea9
The Sleuth Kit 4.7.0
- DB schema was expanded to store tsk_events and related tables. Time-based data is automatically added when files and artifacts are created. Used by Autopsy timeline.
- Logical Imager can save files as individual files instead of in VHD (saves space).
- Logical Imager produces log of results
- Logical Imager refactor
- Removed PRIuOFF and other macros that caused problems with signed/unsigned printing. For example, TSK_OFF_T is a signed value and PRIuOFF would cause problems as it printed a negative number as a big positive number.
- Travis and Debian package use OpenJDK instead of OracleJDK
- New Blackboard Helper packages (blackboardutils) to make it easier to make artifacts.
- Blackboard scope was expanded, including the new postArtifact() method that adds event data to database and broadcasts an event to listeners.
- SleuthkitCase now has an EventBus for database-related events.
- New TimelineManager and associated filter classes to support new events table
The Sleuth Kit 4.6.7 Release
The Sleuth Kit 4.6.6
- Acquisition details are set in DB for E01 files
- Fix NTFS decompression issue (from Joe Sylve)
- Image reading fix when cache fails (Joe Sylve)
- Fix HFS+ issue with large catalog files (Joe Sylve)
- Fix free memory issue in srch_strings (Derrick Karpo)
- Fix so that local files can be relative
- More Blackboard artifacts and attributes for web data
- Added methods to CaseDbManager to enable checking for and modifying tables.
- APIs to get and set acquisition details
- Added methods to add volume and file systems to database
- Added method to add LayoutFile for allocated files
- Changed handling of JNI handles to better support multiple cases