Releases: sleuthkit/sleuthkit

The Sleuth Kit 4.11.1

11 Nov 17:36
sleuthkit-4.11.1

C/C++:

Java:

  • Fixed connection leak when making OS Accounts in bridge
  • OsAccount updates for instance types and special Windows SIDs
  • Fixed issue with duplicate value in Japanese timeline translation

The Sleuth Kit 4.11.0

02 Aug 11:41
sleuthkit-4.11.0

C/C++:

  • Added checks at various layers to detect encrypted file systems and disks to give more useful error messages.
  • Added checks to detect file formats that are not supported (such as AD1, ZIP, etc.) to give more useful error messages.
  • Added tsk_imageinfo tool that detects if an image is supported by TSK and if it is encrypted.
  • Add numerous bound checks from @joachimmetz
  • Clarified licenses as pointed out by @joachimmetz

Java:

  • Updated from Schema 8.6 to 9.1.
  • Added tables and classes for OS Accounts and Realms (Domains).
  • Added tables and classes for Host Addresses (IP, MAC, etc.).
  • Added tables and classes for Analysis Results vs Data Artifacts by adding onto BlackboardArtifacts.
  • Added tables and classes for Host and Person to make it easier to group data sources.
  • Added static types for standard artifact types.
  • Added File Attribute table to allow custom information to be stored for each file.
  • Made ordering of getting lock and connection consistent.
  • Made the findFile methods more efficient by using extension (which is indexed).

The Sleuth Kit 4.10.2

23 Mar 10:46
sleuthkit-4.10.2

C/C++

  • Added support for Ext4 inline data

Java

  • New Blackboard Artifacts for ALEAPP/ILEAPP, Yara, Geo Area, etc.
  • Upgraded to PostgreSQL JDBC Driver 42.2.18
  • Added SHA256 to files table in DB and added utility calculation methods.
  • Changed TimelineManager to make events for any artifact with a time stamp
  • Added Japanese translations
  • Fixed synchronization bug in getUniquePath

The Sleuth Kit 4.10.1

09 Nov 14:32
sleuthkit-4.10.1

C/C++:

  • Changed Windows build to use Nuget for libewf, libvmdk, libvhdi.
  • Fixed compiler warnings
  • Clarified licenses and added Apache license to distribution
  • Improved error handling for out of memory issues
  • Rejistry++ memory leak fixes

Java:

  • Localized for Japanese

NOTE: .deb file was updated because the initial one was compiled for Java11 instead of Java8. The one for Java8 has an MD5 of c3ca85a89ba19ed34f26d227384a4f11.

The Sleuth Kit 4.10.0

09 Sep 21:05
sleuthkit-4.10.0
5dc00ec

C/C++:

  • Removed PostgreSQL code (that was used only by Java code)
  • Added Java callback support so that database inserts are done in Java.

Java:

  • Added methods and callbacks as required to allow database population to happen in Java instead of C/C++.
  • Added support to allow Autopsy streaming ingest where files are added in batches.
  • Added TaggingManager class and concept of a TagSet to support ProjectVic categories.
  • Fixed changes to normalization and validation of emails and phone numbers.
  • Added a CASE/UCO JAR file that creates JSON-LD based on TSK objects.

The Sleuth Kit 4.9.0

01 May 10:57
sleuthkit-4.9.0
57f44a2

C/C++

  • Removed framework project. Use Autopsy instead if you need an analysis framework.
  • Various fixes from Google-based fuzzing.
  • Ensure all reads (even big ones) are sector aligned when reading from Windows device.
  • Ensure all command line tools support new pool command line arguments.
  • Create virtual files for APFS unallocated space
  • HFS fix to display type

Java:

  • More artifact helper methods
  • More artifacts and attributes for drones and GPS coordinates
  • Updated TimelineManager to insert GPS artifacts into events table

The Sleuth Kit 4.8.0

24 Jan 13:37
sleuthkit-4.8.0

[NOTE: The .tar.gz file was updated after the initial release to fix some compiler errors related to maven and APFS on OS X. No logic changes were made though. Hashes are at the bottom of this note]

C/C++

  • Pool layer was added to support APFS. NOTE: API is likely to change.
  • Limited APFS support added in libtsk and some of the command line tools.
    -- Encryption support is not complete.
    -- Black Bag Technologies submitted the initial PR. Basis Technology did some minor refactoring.
  • Refactoring and minor fixes to logical imager
  • Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
  • Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
  • File system bug fixes from uckelman-sf on GitHub

Database:

  • DB schema was updated to support pools
  • Added concept of JSON in Blackboard Attributes
  • Schema supports cascading deletes to enable data source deletion

Java:

  • Added Pool class and associated infrastructure
  • Added methods to support deleting data sources from database
  • Removed JavaFX as a dependency by refactoring the recently introduced timeline filtering classes.
  • Added attachment support to the blackboard helper package.

Hash of .tar.gz that would not compile on all systems: b5c081eb2cc92d2e56b8c470de37f890
Hash of fixed version: c7f9431bceae9b421b337d3c44af4ea9

The Sleuth Kit 4.7.0

14 Oct 11:18
sleuthkit-4.7.0
fc36ecc

C/C++:

  • DB schema was expanded to store tsk_events and related tables. Time-based data is automatically added when files and artifacts are created. Used by Autopsy timeline.
  • Logical Imager can save files as individual files instead of in VHD (saves space).
  • Logical imager produces log of results
  • Logical Imager refactor
  • Removed PRIuOFF and other macros that caused problems with signed/unsigned printing. For example, TSK_OFF_T is a signed value and PRIuOFF would cause problems as it printed a negative number as a big positive number.

Java

  • Travis and Debian package use OpenJDK instead of OracleJDK
  • New Blackboard Helper packages (blackboardutils) to make it easier to make artifacts.
  • Blackboard scope was expanded, including the new postArtifact() method that adds event data to database and broadcasts an event to listeners.
  • SleuthkitCase now has an EventBus for database-related events.
  • New TimelineManager and associated filter classes to support new events table

The Sleuth Kit 4.6.7 Release

02 Aug 20:54
sleuthkit-4.6.7

C/C++ Code:

  • First release of new logical imager tool
  • VHD image writer fixes for out of space scenarios

Java:

  • Expand Communications Manager API
  • Performance improvement for SleuthkitCase.addLocalFile()

The Sleuth Kit 4.6.6

26 Apr 14:01
sleuthkit-4.6.6

C/C++ Code:

  • Acquisition details are set in DB for E01 files
  • Fix NTFS decompression issue (from Joe Sylve)
  • Image reading fix when cache fails (Joe Sylve)
  • Fix HFS+ issue with large catalog files (Joe Sylve)
  • Fix free memory issue in srch_strings (Derrick Karpo)

Java:

  • Fix so that local files can be relative
  • More Blackboard artifacts and attributes for web data
  • Added methods to CaseDbManager to enable checking for and modifying tables.
  • APIs to get and set acquisition details
  • Added methods to add volume and file systems to database
  • Added method to add LayoutFile for allocated files
  • Changed handling of JNI handles to better support multiple cases