mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/NEWS.txt
Richard Cordovano dca6f54a72 Edits to 4.10.0 release notes
2018-12-18 11:57:45 -05:00

1161 lines
52 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---------------- VERSION 4.10.0 --------------
New Features:
- Users can now view information on all cases/data sources in the Central
Repository.
- SSID, MAC address, IMEI, IMSI, and ICCID properties can now be added to the
Central Repository by the Correlation Engine ingest module.
- The Correlation Engine ingest module can be configured to flag any occurrences
of SSID, MAC address, IMEI, IMSI, and ICCID properties that have been previously
added to the Central Repository.
- File type filtering for common properties search is now supported.
- Common properties search results can now be viewed by case and data source
within the case.
- Users can now search the Central Repository for property instances with a
given value.
- Added the ability for examiners to select the time zone for displaying dates.
- Custom headers and footers can now be added to HTML reports.
- Added ability to either enter or generate hashes of image data sources.
- Data sources that fail hash verification are now flagged with interesting
item artifacts by the Data Source Integrity ingest module (formerly known as the
E01 Verifier ingest module).
- Added a report module to export data in CASE/UCO format.
- Ingest filters and interesting file sets can now be defined with multiple
extensions included in a single condition/rule.
Bug Fixes:
- The Images/Videos Gallery now works for multi-user cases.
- Duplicate interesting item and EXIF metadata artifacts are no longer created
when you run the modules that generate them more than once.
- The Application content viewer now displays SQLite table column names even
when the table is empty.
- Assorted small bug fixes are included.
---------------- VERSION 4.9.1 --------------
Bug Fixes:
- Fixed possible ingest deadlock from Image Gallery database inserts.
- Image Gallery does not need lock on Case DB during pre-population, which makes UI more responsive.
- Other misc Image Gallery fixes.
---------------- VERSION 4.9.0 --------------
New Features:
- Removed data from table that are time intensive and can be found in content viewers (such as hash set hits)
- Added ability to find common items (files, emails, etc.) between current case and past cases using the Central Repository.
- Added ability to ignore common items that exist in a large number of cases by using Central Repository data.
- Data is validated and normalized before being entered into the Central Repository.
- Allow users to specify that an ad-hoc keyword search should not be saved to database
- New “Annotations” content viewer that shows all tags and comments associated with an item
- Added 2 icons to the table to show the items score (if it is notable or suspicious) and if it has a comment.
- Added column to the table to show previous number of occurrences.
- Tags are now associated with the user (in a multi-user environment) and you can hide other peoples tags
- New Display options area that unifies various new settings.
- Hash sets can be copied into the users config folder (AppData), which makes it easier to run Autopsy from a Live Triage USB and not care about what drive letter it gets.
- Image Gallery stores its groups and seen status in Case DB instead of its own.
- Image Gallery works better in multi-user setups and reloads the database when other nodes add data sources.
- Image Gallery saves which user saw a group and gives user option of seeing only their unseen groups or all unseen groups.
- Saves last export location and pre-populates that in the file picker
- Provide feedback about why some right click options are disabled (ingest is running, not file content, etc.)
Bug Fixes:
- Substring keyword search is more accurate (now uses regular expression)
- New text extractor for SQLite that better deals with full text search tables
- Better deal with Unicode text files that do not have Byte Order Marker
- Embedded file extractor module is now faster because it uses a different 7ZIP API.
- Fixed various HTML report bugs
- Duplicate hash set hits are not created when you run the Hash Ingest Module twice.
- Auto ingest (in Experimental) scan times of input folders is faster.
---------------- VERSION 4.8.0 --------------
New Features:
- Data Source Grouping:
-- The case tree view can now be grouped by data source.
-- Keyword and file search can now be restricted to a data source.
- Central Repository / Correlation:
-- New common files search feature that finds files that exist in multiple devices in the same case.
-- The Other Occurrences content viewer now shows matches in the current case (in addition to central repository).
-- Central repository options panel now shows cases that are in repo.
- A comment about a file can be created and saved in the central repository so that future cases and see it.
- Keyword Search:
-- Can enable OCR text extraction of PDF and JPG files using Tesseract.
-- Keyword search module normalizes Unicode text.
-- Keyword search module uses ICU to convert text files that do not have a BOM.
- Tagging:
-- Tagging menu changed to have user defined tags at top and "quick tag" removed one level of menus.
-- New "Replace Tag" feature to change the tag on an item.
- Other:
-- SQLite tables can be now be exported to CSV files.
-- An interesting file artifact is now created when a "zip bomb" is detected.
-- An object detection ingest module was added to the Experimental module. It requires an OpenCV trained model.
Bug Fixes:
- Expanding the case tree is more efficient.
- Improved "zip bomb" detection.
- Assorted small bug fixes are included.
---------------- VERSION 4.7.0 --------------
New Features:
- A graph visualization was added to the Communications tool to make it easier to find messages and relationships.
- A new "Application" content viewer (lower right) that will contain file-type specific viewers (to reduce number of tabs).
- New viewer for SQLite databases (in Application content viewer)
- New viewer for binary PLists (in Application content viewer)
- L01 files can be imported as data sources.
- Ingest filters can now use date range conditions for triage.
- Passwords to open password protected archive files can be entered (by right clicking on the file).
- Reports (e.g., RegRipper output) generated by ingest modules are now indexed for keyword search.
- PhotoRec carving module can be configured to keep corrupted files.
- Sector size can be specified for local drives and images when E01 is wrong or it is a raw image.
- New data source processor in Experimental module that runs Volatility, adds the outputs as files, and parses the reports to provide INTERESTING_FILE artifacts.
- Assorted small enhancements are included.
Bug Fixes:
- Memory leaks and other issues revealed by fuzzing the The Sleuth Kit have
been fixed.
- Result views (upper right) and content views (lower right) stay in synch when switching result views.
- Concurrency bugs in the ingest tasks scheduler have been fixed.
- Assorted small bug fixes are included.
---------------- VERSION 4.6.0 --------------
New Features:
- A new Message content viewer was added to make it easier to view email message contents.
- A new Communications interface was added to make it easier to find messages and relationships.
- Hash sets can be centrally stored and shared in the Central Repository.
- New Encryption Detection module that will flag possibly encrypted files.
- Can more easily run Autopsy from a USB drive and leave few traces on target system.
- Tag definitions now have a "notable" property. The Central Repository uses this to mark files as notable.
- Large slack files are now file typed.
- The maximum number of Solr connections and ingest threads have increased.
- Periodic keyword search will dynamically change based on how long queries are taking.
- Users can change the amount of memory allocated to the application.
- The amount of memory required for processing keyword hits has been reduced.
- Layout of HTML reports has been modified make it easier to open.
- "Databases" was added to File Type by Extension view.
- Users can now enter more information about cases including examiner, organization, etc.
- New dialog to open multi-user cases that allows for searching.
- Auto ingest metrics are collected and displayed in dashboard.
- Auto ingest module that extracts disk images from archive files.
- Keyword search has been made more responsive to both search and ingest job cancellation.
- Number of log files to keep before rollover is now configurable.
- Preliminary changes to make Linux and OS X builds easier.
Bug Fixes:
- Memory leaks and other issues revealed by fuzzing the SleuthKit have
been fixed.
- Memory issues caused by Tika are fixed (by upgrading to 1.17)
- Assorted small enhancements and bug fixes are included.
---------------- VERSION 4.5.0 --------------
- Memory usage has been reduced to improve support for very large cases.
- The central repository and correlation engine introduced in version 4.4.1 have
been moved to Core Autopsy, so they are available without doing a plugin
installation. This optional feature includes a database (SQLite or PostgreSQL)
and logic for correlating artifacts across cases. Results are displayed using an
Interesting Artifacts branch of the Interesting Items tree and an
Other Occurrences content viewer.
- Message results with attachments can now be seen be seen by browsing to the
source file in the Data Sources tree, which will display the messages in the
results view to the right. Any messages with attachments will be shown under
the source file in the tree, and the attachments can be seen in the result view
by selecting the message.
- Volume nodes in the tree view and results view now have a context menu item
that displays a file system properties dialog.
- Nodes in the tree view now have the same context menu items as nodes in the
results view.
- Virtual directory nodes in the tree view are distinguished in the Data Sources
tree by the addition of a "V" to their icon.
- Credit card number search has added logic to reduce false positives.
- A new version of the automated ingest dashboard has been added to allow
insight into pending, running and completed automated ingest jobs in automated
ingest Examiner mode.
- All occurrences of "Known Bad" in the user interface have been changed to
"Notable."
- Assorted small enhancements and bug fixes are included.
---------------- VERSION 4.4.1 --------------
- A new central repository feature has been added to the optional
CentralRepository plug-in (NetBeans module); this optional feature includes a
database (SQLite or PostgreSQL) and logic for correlating artifacts across
cases; results are displayed using an Interesting Artifacts branch of the
Interesting Items tree and an Other Data Sources content viewer.
- Case deletion is now done using a Case menu item and both single-user and
general (not auto ingest) multi-user cases can be deleted.
- Results viewer (top right area of desktop application) sorts are persistent
and can be applied to either the table viewer or the thumbnail viewer.
- Content viewers (bottom right area of desktop application) now resize
correctly.
- The View Source File in Directory context menu item now works correctly.
- Tagged image files in the HTML report are now displayed full-size.
- Some general UI responsiveness issues have been addressed.
- Some potential deadlocks during ingest have been eliminated.
- Assorted small enhancements and bug fixes are included.
---------------- VERSION 4.4.0 --------------
Improvements:
- Keyword search supports regular expressions that include spaces.
- Improvements to keyword search highlighting and standard regular expressions.
- User can edit keyword lists.
- Simultaneous acquisition of a sparse VHD from a USB device during analysis.
- Support for ingest profiles that combine file ingest filters with ingest
module settings.
- Artifact attributes can be marked to indicate discovery by multiple tools.
- Import/export of interesting files set membership rules.
- High DPI display support added.
- Support for application service plug-in modules (Java only).
- Progress dialogs for case create/open/close/delete operations that support
cancellation of create/open operations and cancellation of the opening of case
resources by individual application services.
- Coordination service now used for all multi-user cases, not just auto
ingest cases; e.g., any open multi-user case cannot be deleted by another user.
- Updated Recent Activity ingest module to use RegRipper 2.8 plugins.
- Updated version of Tika used for extracting text.
- Updated version of POI used for extracting embedded MS Office documents.
- Ability to customize HTML report logo.
- Assorted small enhancements and bug fixes.
---------------- VERSION 4.3.0 --------------
Improvements:
- Support for slack space on files (as separate virtual files) to enable keyword searching and other analysis.
- Simple mode for the file extension mismatch module that focuses on only only multimedia and executable files to reduce false positives.
- New view in tree that shows the MIME types.
- Tagged items are highlighted in table views.
- Ordering of columns is saved when user changes them.
- Support for Android devices with preloaders (uses backup GPT)
- Support for images with no file systems (all data is added as unallocated space)
- User can bulk add list of keywords to a keyword list.
- New "Experimental" module (activate via Tools, Plugins) with auto ingest feature.
- Assorted bug fixes and minor enhancements.
---------------- VERSION 4.2.0 --------------
Improvements:
- Credit card account search.
- Encoding/decoding of extracted files to avoid anti-virus alerts/quarantine.
- Ingest history (start time, end time, status, which versions of which ingest
modules were run).
- Ingest history used to warn before doing redundant analysis.
- Options panel for managing custom tag names.
- Options panel for setting external viewer associations.
- Keyboard shortcut for applying Bookmark tags.
- Improved PhotoRec carver ingest module cancellation responsiveness.
- Results content viewer formats dates instead of showing raw seconds since
epoch.
- Update to PostgreSQL 9.5.
- Assorted bug fixes and minor enhancements.
---------------- VERSION 4.1.1 --------------
Bug Fixes:
- Restored ability of Python modules to import standard Python libraries.
---------------- VERSION 4.1.0 --------------
Improvements:
- New list view in Timeline tool
- VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources.
- New core ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources.
- Text associated with artifacts posted to the blackboard is indexed and searched for keywords.
- Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports.
- Additional Autopsy-defined custom file type definitions for assorted media file types have been added.
- The File Metadata content viewer displays MIME type.
- File size and MIME type conditions can be specified for interesting files set membership rules.
- File size and MIME type conditions can be specified for file searches by attributes.
- Local/GMT time preference is used in reports.
- User has option to choose display name for logical/local file set data sources.
- Virtual directories can be tagged.
- Improved KML reports that include all geospatial artifacts posted to the blackboard.
- Assorted bug fixes and minor enhancements.
---------------- VERSION 4.0.0 --------------
Improvements:
- Collaboration supported by optional multi-user cases with centralized data and services
- New image gallery feature
- Directory tree does not collapse if expanded and data sources or files are added
- Assorted bug fixes and minor enhancements
---------------- VERSION 3.1.3 --------------
Improvements:
- New Embedded File Extractor module that incorporates ZIP file module and extracts images from Office documents
- Views area counts updates when ZIP files and such are found
- Updates to python scripting for new version of Python, scripts are reloaded each time ingest is run, and errors are better shown.
- Updated right click actions to be consistent across all file types
- Changed logic of Interesting Files module to look for substrings of parent path.
- Lots of minor fixes and enhancements
---------------- VERSION 3.1.2 --------------
Improvements:
- New PhotoRec carving ingest module
- Regripper output is available as a report instead of TOOL_OUTPUT artifact
- Updated version of RegRipper
- New STIX/Cybox report module (manually run after image has been analyzed)
- File type module supports user defined file types and can alert when they are found
- More artifacts are extracted from registry
- Metadata tab in lower right now also shows istat (TSK) output for more metadata details
- User docs were moved online (http://sleuthkit.org/autopsy/docs/user-docs/3.1/)
---------------- VERSION 3.1.1 --------------
Improvements:
- New time line feature
- New Interesting Files module
- Added support for Python modules
- Updated HTML report
- Media Content viewer uses blackboard artifacts and detects PNG by sig.
- New logo
Bug Fixes:
- Adding local disk errors
- ZIP files inside of RAR files are properly extracted
---------------- VERSION 3.1.0 --------------
Numerous changes have gone into this long-awaited major release.
Improvements:
- Multi-threaded pipelines
- File type ingest module
- File extension mismatch ingest module
- Android ingest module
- KML report module
- Tags can be deleted
- Hash databases can be created and maintained
---------------- VERSION 3.0.10 --------------
Bug Fixes:
- Fixed 64-bit CRT dlls. No other logic changes.
---------------- VERSION 3.0.9 --------------
Bug Fixes:
- Regular expression keyword search works on file names.
- Fixed thunderbird parser for subject and dates
- Fixed errors in hex viewer
Improvements:
- Enhanced reporting on keyword search module errors
- Updated SQLite to 3.8.0
- More lazy loading to help performance with big folders and sets of files
- Times can be displayed in local time or GMT
- New "EnCase-style" report that lists files and metadata in tab delimited file
- Changed report wizard to make one report at a time
- report improvements (only regenerate if data exists)
- more error messages if recent activity module fails
- more error checking in recent activity module and don't bail as quickly
- Cleanup of recent activity module
- better handle if ingest module throws exception during init()
- do not run ingest if any module failed to init()
- Added FILE_DONE event to ingest manager
- Added search engine parsers for linkedin, twitter, and facebook
- HTML text is better formatted
- Report generation performance
- HTML parser is skipped for files > 50MB.
- Removed xdock definitions -> some claim this helps with memory problems
---------------- VERSION 3.0.8 --------------
Bug Fixes:
- Fixed installer bug on Windows. No other code changes.
---------------- VERSION 3.0.7 --------------
New features:
- 64-bit support (JavaFX for video)
- Multi-select
- different sized thumbnails
- Custom tags persist across runs of the app
- RegRipper is run on each hive and raw output is available.
- Metadata content viewer
- Basic sanity check when adding images to see if parts could be missing.
Improvements:
- EXIF module uses only signatures
- File size View does not show unalloc files
- Tagged files in report show more data
- Updated test scripts
- Better OS X look and feel
Bugfixes:
- Several -> Didn't keep good track in this file.
- Error messages from adding disk to database are better displayed.
- RecentActivity better reports errors parsing data
---------------- VERSION 3.0.6 --------------
New features:
- Logical files and folders support
- New file views in directory tree to view: deleted, executable, archive files and files by size
- ext4 and yaffs2 support (via TSK 4.1.0)
Improvements:
- Improvements to tagging of files and keyword search results
- Any file and folder can be selectively ingested using the directory tree view
Bugfixes:
- Keyword Search: fix when Solr does not cleanly shutdown
- fix for "Process Unallocated Space" option doesn't do anything
- fixed result viewer for "File Search by MD5 Hash"
- fix Solr, Timeline and RecentActivity issues with java 7.0.21
- Views->Recent Files showing inconsistent results when clicked many times
- reduced memory usage in Timeline
---------------- VERSION 3.0.5 --------------
New features:
- Archive extractor ingest module (uses 7zip)
- Timeline (Beta)
Improvements:
- Sleuthkit-4.0.2 and libewf-20130128
- improved image loading in Media View and Thumbnail View (faster loading, handles large files better)
- improve Keyword Search file indexing (use detected mime-type instead of file extension)
- exif module - better jpeg detection using signature and not only file extension.
- show children counts in directory tree
- Ingest Message Inbox showing which messages are new better
Bugfixes:
- fixed memory leaks in "Add Image"
- The "media view" tab is inactive for deleted files (#165)
- show error message in hex and string viewer if specific offset of a file could not be read.
- file search actions not always enabled when new case is open.
- fixed directory tree history being reset when tree is refreshed.
---------------- VERSION 3.0.4 --------------
New features:
- Results and files can be tagged with custom tags and reported on them.
- New notification area for error reporting (bottom right).
Improvements:
- Tweaked memory settings to eliminate out-of-memory errors.
- Faster application launch time.
- Netbeans RCP upgrade from 7.2.1 to 7.3
- Upgrade from Java 6 to Java 7
Bugfixes:
- fixed DLL dependency version issue causing Autopsy not to launch on some systems
- fixed bug when keyword search ingest would search also images previously ingested, creating duplicate results
- fixed crash and hang in html and excel report generation, due to special characters present
- fixed cancellation when creating file or result bookmark
- fixed text not being extracted and searched from all MS Office documents (such as docx, xlsx and pptx extensions)
- fixed Exif meta-data extraction in Exif ingest module
---------------- VERSION 3.0.3 --------------
*Note: Due to major changes in Keyword search module indexing this release is not fully backward compatible.
As a workaround, you will need to rebuild index by re-running Keyword Search ingest on Cases created with previous versions.
Improvements:
- Upgrade to Solr4.0 / Tika 1.2: Improved performance and highlighting
- Remake of reporting UI and functionality
- Significant increase in reporting speed
- New option to keep the most specific file viewer (default) or the lastly used viewer active.
Bugfixes:
- Fixed bug that caused the ends of large amounts of text to not be indexed (occurs mostly in unallocated space).
- Fix scrolling to first keyword hit when Text View is first loaded
- Imported keyword lists are now always enabled for ingest by default
---------------- VERSION 3.0.2 --------------
New features:
- Extraction of all unallocated blocks as a single file
- Results bookmarks with comments and basic bookmark reporting
- Hashkeeper hash database support
Improvements:
- File Ingest: minimized file queuing time and memory usage, also improving ingest stability
- Jump to arbitrary page in Thumbnail View
- Add Image Wizard - better work-flow, better device size reporting, info on currently processed directory
- Reporting: reorganized columns, sorted by 1st column, added logo, better styling
Bugfixes:
- fixed periodic keyword search during ingest, when it would only search max. 2 times
- fixed Downloads "target" in Recent Activity
- fixed missing hash and keyword search hits in reports
- fixed deselecting NSRL database for hash ingest
---------------- VERSION 3.0.1 --------------
New features:
- Physical and logical disk devices discovery in Add image wizard
Improvements:
- Significant performance improvements when adding images.
- Slight improvements in UI performance for large number of results.
- Improved stability when running ingest on multiple images.
- Removed limit on number of results displayed.
- Thumbnail viewer - added paging and removed limit of images.
- Better HTML report navigation, handling large reports better.
- Netbeans RCP upgrade from 7.2 to 7.2.1
- Build scripts enhancements to include module version tracking.
Bugfixes:
- Fixed reading content from multiple file attributes (NTFS, HFS).
- Add Extract action to Unalloc content file nodes (per file).
- Fixes bugs with case re-opening.
- UI fix for keyword search box when case is changed.
- Enable user to select any image file extension when opening image.
- Thunderbird parser module fixes.
- Reporting fixes: added missing artifacts (keyword search, hash hits, file bookmarks).
---------------- VERSION 3.0.0 --------------
New features:
- Using Sleuthkit 4.0.0
- Integrated plugin installer.
- New options menu to globally access module options.
- Added custom ingest module loader and ingest module auto-discovery
Improvements:
- Updated ingest framework APIs.
- Merged the main modules into Autopsy-Core and Autopsy-CoreLibs.
- Improved logging infrastructure.
- Improved configuration infrastructure.
- Keyword search: upgraded Lucene from 34 to 36.
- Build system improvements.
- Updated documentation.
Bugfixes:
- UI selection fix in Content and Result viewer
- UI fixes in Hash Database and Keyword Search options.
- Excel report export produced corrupt files sometimes.
- Fix for Keyword Search sometimes not property initializing when application starts.
3.0.0b5 (September 12, 2012)
New features:
- Added international string extraction from unknown file types.
- Removed size limitations of large files for keyword searching.
- Added full html parsing and extraction (including comments, scripts, meta tags, etc).
- Added support for indexing and searching disk images that have no volume and file system.
- Solr (3.6.1) and Tika (1.0) upgrade.
- Search a file by hash GUI feature and search other files with same hash.
- Web search query text extraction from popular search engines.
- Exif metadata extraction from jpeg files.
- Netbeans RCP platform upgrade (7.2).
- Basic file bookmarks support.
- Body file report.
- Improved UI.
- Updated Ingest Module API.
Bugfixes:
- Keyword search memory usage improvements.
- Directory tree now shows which directories have no children before user clicks.
- Fixed bug when recent cases would not get updated.
- Fixed a bug when sometimes a case would get deleted.
- Fixed occasional Media View crashes.
3.0.0b4 (June 29, 2012)
Funded by US Army Intelligence Center of Excellence (USAICoE):
New Features:
- MBOX parsing
- Better lnk file parsing
Bug Fixes:
- Included needed jar file for Recent Activity (Issue #52).
- Fixed error handling from ingest (Issue #53).
3.0.0b3 (June 12, 2012)
New Features (Funded by US Army Intelligence Center of Excellence (USAICoE)):
- Ingest manager runs triage/ingest task after disk is added.
- Basic keyword search (indexed via SOLR)
- Recent activity extract (web artifacts, recent documents, devices, etc.)
- Improved UI
3.0.0b2 (Nov 9, 2011)
New Features:
- New database design
- Hashlookup / calculation
- Minor overall improvements
- NOTE: Cases created with b1 are not supported in b2 (different DB)
3.0.0b1 (Aug 16, 2011)
- Initial release
- Windows only
- Directory tree
- File Search
- Table and thumbnail viewer
--------------------------- Version 2.24 --------------------------------
3/22/10: Bug Fix: resolved issue 2950986 to support HFS directories.
--------------------------- Version 2.23 --------------------------------
2/12/10: bug fix: resolved issue 2950693 where previous searches
were not shown if they used quotes.
2/12/10: bug fix: resolved issue 2932385 where wrong flag was being used
to do only doing category searching"
2/12/10: bug fix: resolved issue 2779244 where wrong sorter path was
being used.
--------------------------- Version 2.22 --------------------------------
10/27/09: Update: Change istat to use -B instead of -b (new change in TSK).
11/19/09: Update: Improved configure script process and error message for
FILE_EXE check.
11/25/09: Fixed MD5 exe bug when building live CD
12/30/09: Fixed issue 2923857 re: cookie errors for the icon and css file
links when cookies are used.
--------------------------- Version 2.21 --------------------------------
11/7/08: Bug Fix: Changed case management code to not error when 'dls ...'
line was encountered.
11/14/08: Bug Fix: Fixed bug 2288406 (parsing of new fls -l format when file name searching and deleted file listing)
--------------------------- Version 2.20 --------------------------------
7/1/08: Update: Updated FAT sizes based on new "special" files.
7/9/08: Update: Updated NTFS processing for orphan files / removed
ifind -p etc.
7/9/08: Update: Updated mactime and time formats to ISO formats.
9/13/08: Update: Changed usage to new TSK d* to blk* names.
9/26/08: Bug Fix: Input check on host was printing invalid host values
w/out encoding HTML entities. Reported by Russ McRee.
10/01/08: Update: HFS support is enabled if TSK was compiled with
support for it.
10/08/08: Bug Fix: Added some more HTML entity escaping to case management
values (such as description). Reported by Daniel Medianero.
10/13/08: Update: Added perl version check back into configure, but used
perl $] variable to do checking. Based on patch by Joerg Friedrich.
--------------------------- Version 2.10 --------------------------------
2/20/08: Bug Fix: Added 'tsk' to the path for sorter to find the 'images'
config file. Reported by Russell Reynolds.
3/2/08: Update: Modified the adding of disk image process to save a
call to mmls (reported by Pope).
3/2/08: Update: Added more basic control char filtering back into Print().
--------------------------- Version 2.09 --------------------------------
2/4/07: Update: Bind only to localhost network if remote addr is local.
Suggested by Markus Waldeck.
4/19/07: Bug Fix: Event sequencer notes for file did not have clock skew
in the times. Reported by Len CulBreath.
12/21/07: Update: updated configure and install process for TSK 2.50
1/28/08: Update: Added NSRL support back in.
--------------------------- Version 2.08 --------------------------------
8/23/06: Bug Fix: The configure script did not like TSK directory names
with a space in them.
8/23/06: Update: The PATH variable is not entirely cleared anymore.
Instead, it is replaced by the basic bin directories (this was causing
some problems with Cygwin).
8/31/06: Update: If Autopsy is running under Cygwin, then it will set
the PATH to contain the basic bin directories. Otherwise, it is clear
(original behavior).
--------------------------- Version 2.07 --------------------------------
3/15/06: Bug Fix: Caseman.pm had DATA_DIR instead of DATADIR and a
concatenation error message occurred. Reported by Jason DePriest.
5/3/06: Update: Added support for ISO9660 file systems.
5/3/06: Update: Added support for AFF and AFD image formats.
5/03/06: Update: Added image format type to image details screen.
5/3/06: Update: Added hexdump view for file analysis and reports (initial
patch by Patrick Knight).
5/3/06: Update: Changed number of dashes in reports to 70 instead of 62.
5/4/06: Update: Integrity checking disabled for non-raw image files
until a specialized tool exists in TSK to abstract the embedded hash
calculation.
5/8/06: Update: Added support for AFM files.
--------------------------- Version 2.06 --------------------------------
05/02/05: Fix: Typo in timeline creation window (reported by Surago Jones).
06/15/05: Update: Added css style sheet and changed some formatting.
08/13/05: Update: Added "utf-8" as HTML type so that TSK unicode
output will be properly dispayed.
10/13/05: Update: Removed print_output() function contents because
it broke the Unicode chars.
10/13/05: Update: Require 5.8 version of Perl now (in config and
in source) because it has best Unicode support.
--------------------------- Version 2.05 --------------------------------
03/16/05: Update: Image name is given in the Image Details window
when adding a new image file. (Suggested by Surago Jones).
03/17/05: Bug Fix: swap and raw host config entries could not be
read after the conversion because of a regular expression bug in
the read code. (Reported by Surago Jones) (BUG: 1165235)
03/21/05: Bug Fix: When a new host was added to a case with no
investigator names, then it would prompt you to select a name from
an empty list. (BUG: 1167970).
03/25/05: Update: Check return status of rename functions and print
error if failed.
04/04/05: Bug Fix: A missing volume type message was reported when
adding a disk image. The flow of add_img_prep was modified to
ensure that it was set. (Reported by Bradley Bitzkowski) (BUG:
1177042)
04/08/05: Update: A thumbnail of images is shown when selected in the File
mode. Suggested by and patch by Guy Voncken.
--------------------------- Version 2.04 --------------------------------
10/22/04: Update: Changed the way that NTFS lists directory contents. No
longer lists the deleted entries from 'fls', only from 'ifind'. Reduces
the inaccurate information.
02/XX/05: Update: Incorporated new TSK 2 features:
- Disk images (split and raw)
- new config file formats
- moved images and output md5.txt file into one
03/01/05: Update: Changed behavior of some links that created new
Autopsy Windows
03/05/05: Update: timeline output can be in comma delimited format
03/05/05: Update: Added SSN and credit card seach patterns from
Jerry Shenk.
03/05/05: Update: Added temporal data when a note is created.
03/11/05: Update: Changed to new TSK names for srch_strings and img_stat
03/15/05: Update: improved handling of white space around investigator
names and image names (suggested by Brian Baskin).
--------------------------- Version 2.03 --------------------------------
08/24/04: Update: Added SHA-1 hash to the metadata view.
09/01/04: Update: Added sstrings instead of local version of strings.
09/05/04: Update: Added more help text.
09/06/04: Update: Use the local version of file if TSK version is
not found.
09/06/04: Update: Added links to the notes and events page after a
note or event has been created.
09/06/04: Update: Added Unicode extract and search functionality using
the 'sstrings' tool from TSK.
--------------------------- Version 2.02 --------------------------------
07/19/04: Bug Fix: print_err message in Caseman.lib did not have correct
Print:: package, which caused an error (BUG: 994199).
07/29/04: Update: Added support for NTFS 'ifind -p' option to find deleted
files that do not have a name in the parent directory.
07/29/04: Update: Added a filter to remove duplicate entries from a file
listing. Duplicate names with the same name and meta address are
removed.
07/29/04: Update: OS X no longer needs the strings script, Autopsy
will adjust for the different flags.
07/29/04: Update: When a deleted file name is entered into the find
directory box, the recover bit is set so the full contents are shown.
--------------------------- Version 2.01 --------------------------------
03/29/04: Update: Changed text for the data integrity option when
adding a new image.
04/20/04: Bug Fix: Fixed error that occurred when data browsing with
a raw or swap image. The TSK usage for these file system types was
inconsistent and it was fixed in version 1.69. (BUG: 925382).
(Reported by Harald Katzer)
05/03/04: Update: Changed regular expression in META so that the
new recovery listing in FAT istat will not show up as a hyperlink.
05/03/04: Update: Removed usage of '-H' with 'icat' in File.PM.
05/20/04: Bug Fix: Fixed the incorrect error message that was printed
when installing autopsy with a newer version of TSK than 1.68.
(BUG: 938909)
05/20/04: Update: Added new feature that allows perl regular
expressions to be used to find file names.
05/20/04: Update: Added file recovery features to File.pm, Meta.pm,
and Appview.pm.
05/27/04: Update: Added a space to $REG_ZONE2 so that CYGWIN would
work if no zone was given (Marcus Muller).
/05/27/04: Update: Added 'p' as an option for the type of a file in the
'fls' output and made the $::REG_MTYPE global for the pattern.
05/28/04: Update: Cleaned up code so that commands and directories
do not have double slashes (//) sometimes. This caused problems
with CYGWIN (reported by Marcus Muller).
05/28/04: Bug Fix: Keyword search of unallocated space would link to
incorrect data unit (although the address was correct). (Reported by
Jorge Ortiz, David Perez, Raul Siles). (BUG: 962410).
05/28/04: Update: Updated dcat usage and syntax to reflect changes to
TSK.
05/28/04: Update: Changed the messages printed when multiple data units
were displayed. Now the number of units or range are given instead of
number of bytes.
--------------------------- Version 2.00 --------------------------------
11/25/03: Update: made evidence locker directory names constant (define.pl)
11/25/03: Update: Started process of re-architecture
12/2/03: Update: Replaced logo.jpg with Hash the Hound
12/7/03: Update: Added favicon.ico with Hash
01/06/04: Update: Changed command line arguments
01/24/04: Update: made it only a warning if cookie file can't be opened
02/15/04: Update: Timezone is now optional. Defaults to local if not given.
02/15/04: Update: Timezone value optional in () in file listing (prevents
parsing errors if incorrect timezone is given
03/16/04: Bug Fix: Fixed zombie problem by ignoring child signal
(BUG: 860186) Reported by Angus Marshall.
03/18/04: Update: New layout for adding cases, hosts, and images.
03/18/04: Update: changed HTML to use lowercase values instead of all caps.
03/18/04: Update: New windows are no longer opened when changing modes.
03/19/04: Release: Big release with a new redesign and a few other
changes (live analysis)
--------------------------- Version 1.75 --------------------------------
09/22/03: Update: Changed the internal 'get_' functions that parse the
URL arguments to error instead of just return 0 when a problem occurs.
10/22/03: Bug Fix: Check for an investigator name before trying to log
to the exec log. This is a problem when indexing a hash database, an
error message is printed because of the null string. reported by
Brian Baskin.
11/10/03: Update: Improved error message when strings can't be parsed.
(Bug: 823081)
11/15/03: Update: Improved messages in installation script
11/15/03: Bug Fix: Added 'defined' checks to command output to prevent
string errors when command fails. (BUG 842824)
11/15/03: Update: Added 'HEIGHT' value to HTML images to make images
align better and load faster and with the right size
11/15/03: Update: Added a timer so that a char is printed every 5 seconds
during keyword searching, file type sorting, and MD5 for images.
--------------------------- Version 1.74 --------------------------------
08/03/03: Bug Fix: Notes could not be added for some files because
the HTML code was missing a closing bracket.
08/18/03: Bug Fix: added POSIX:settz() because some versions of Perl do
not use the most recent ENV{TZ} variable when running 'localtime'. This
cause some incorrect times for events in the sequencer.
08/19/03: Update: NSRL is no longer used with 'sorter' until it is
easier to identify which files in the NSRL are known good and which
are known bad.
08/20/03: Update: Added support for swap and raw images for searching
and data unit analysis.
08/20/03: Update: Added the unit size to the display of the Data Unit
mode.
08/20/03: Update: Search for perl5.6.0 first during install
08/21/03: Update: Changed use of backticks to pipes for executing commands
08/21/03: ?: Added a 'sleep(1)' to the pipe to prevent the loss of data
that can be seen with perl5.8.0 in the buffer. This should be fixed
in a better way though.
08/21/03: Update: The exact command executed is now saved to the log
directory.
08/21/03: Update: Changed 'date' regexp to make year optional.
08/22/03: Update: Added warning if Perl 5.8 is used because of the buffer
problem.
08/22/03: Bug Fix: Fixed some keyword escape values in the search mode.
08/22/03: Update: Added a new help page on the limitations of keyword
searching.
08/22/03: Update: Moved the unallocated space and strings file creation
to the Image Details view instead of the keyword search window
(suggested by: Paul Bakker)
08/25/03: Update: improved wording of the Add Image window to better
explain the mounting point.
08/26/03: Update: When adding sequencer notes in manually, the time
is set to the last note entered to make it easier to add notes from
logs and external sources.
08/26/03: Update: The keyword search display has a final clause that
prints the results even if they are not found in the 'index' method.
This prevents any hits from being lost during the analysis of the
output.
08/26/03: Bug Fix: strings less than 4 chars would not be found before
because 'strings' only shows strings that are 4 or more in length
08/28/03: Update: if more than 1000 keyword hits are found, then a message
is reported and the user must choose a new keyword. This prevents the
browser from hanging from a huge HTML table.
08/28/03: Update: A '.' is printed during the keyword search for each
100 hits as a status update.
--------------------------- Version 1.73 --------------------------------
06/10/03: Bug Fix: The '-i day' was not added to the mactime code and
caused an error (reported by Cathy Buckman)
--------------------------- Version 1.72 ---------------------------------
04/09/03: Bug Fix: The Java Script check on the main page broke in 1.71
because the document.write was on multiple lines
04/11/03: Bug Fix: Keyword Search False Hit code had a bug that it
would be printed in error and message was improved
04/22/03: Update: Added examples to case management help file
05/06/03: Bug Fix: calc_md5 did not need 'o' tag on end of regular
expression because it would not work if the method was called more
than once. (Paul Bakker)
06/01/03: Bug Fix: Some keyword searches with $ in it were failing
06/01/03: Update: Keyword searches are now saved to a file and can be
found in the keyword search main menu
06/01/03: Update: Changed the format a little of the keyword search
menu
06/01/03: Update: Added grep cheat sheet
06/03/03: Update: Tables now have alternating colors for file listing
and timeline viewing
06/03/03: Update: Sequencer mode added
06/03/03: Update: Sequencer help file added
06/04/03: Bug Fix: Added 'LANG=C LC_ALL=C' to sorter & mactime to prevent
UTF-8 errors (Debugging help from Daniel Schwartzer)
06/04/03: Bug Fix: The regular expression for viewing timelines did not
allow multiple users to have the same UID (reported by Cathy Buckman)
06/05/03: Update: Added button for Event Sequencer and added tables to
the standard notes reading window
06/09/03: Update: Added '-i day' flag to mactime for new feature in
The Sleuth Kit
--------------------------- Version 1.71 ---------------------------------
02/27/03: Bug Fix: Regular expression searches w/out a strings file had
problems because the '-n' value was being incorrectly calculated.
03/17/03: Update: Added more logging to investigator log
03/17/03: Bug Fix: The case opening was not being logged in the case log
03/17/03: Update: The current 'mode' tab is also a hyperlink now
03/17/03: Bug Fix: Fixed bug that did not allow the path for a strings
file to have a space in it.
03/17/03: Update: When no port and remote address are given on the
command line, port 9999 and localhost are used. Documents also
updated to reflect new syntax.
03/18/03: Update: Use the 'x' repetition operator for ASCII reports
instead of a row of dashes.
03/18/03: Update: Added <NOFRAMES> tag to MAIN_FR and incorporated more
'<<EOF' HTML code.
03/19/03: Update: Added $FIL_NAME function that translates a name to
a meta data address using 'ifind -n'
03/19/03: Update: A directory name can be entered in the $FIL_DIR
frame now to jump to a directory or file
03/19/03: Update: The directory path in $FIL_LIST was changed to have
hyperlinks that allow one to jump to a previous directory (using
$FILE_NAME)
03/19/03: Update: Cleaned up HTML code in $FIL_LIST
03/20/03: Update: passwd and group files are now imported in timelines
by selecting the image - no more inode values
03/20/03: Update: Cleaned up HTML code in timeline section
03/21/03: Update: Added '-z' flag to usage of 'file' so that compressed
files are opened.
03/21/03: Bug Fix: Some special values needed to be escaped in the
grep keyword search (for non regular expressions) (\.]^$"-).
03/24/03: Update: Changed how images are added (symlinks, copies,
or moves).
03/24/03: Update: Added a file system sanity check when adding one
03/27/03: Update: Added a check to the 'File Type' mode that extracts
just graphic images and makes thumbnails.
03/27/03: Update: Added '-i' flag when 'mactime' is run to create the
summary file for timelines.
03/27/03: Update: Added link to summary page with hyper links to actual
month for timelines
03/27/03: Update: Added more HTML table columns for date in timeline view
03/27/03: Update: Made the 'ifind' process optional in Data Unit and key
word searching mode (makes browsing faster)
03/27/03: Update: Evidence Locker now contains entries for when a case
is created or opened.
03/30/03: Update: Improved the help file for time lines.
03/31/03: Update: Changed addresses to sleuthkit.org
--------------------------- Version 1.70 ---------------------------------
Interface Changes:
- Too many to note individually
- New windows are created when modes or images are changed
- Improved error messages
- Can load the unallocated image in the Data Unit Mode
- Case management
12/10/02: Update: Help is now a directory and contents can be viewed at
any time.
01/02/03: Update: Added support for sorter and hfind tools in TASK
01/02/03: Update: NSRL now requested at startup
01/02/03: Update: Alert and exclude hash databases are options when making
a new host now
01/09/03: Update: Carriage Returns are now sent if it is a Windows client
01/09/03: Update: Improved the pre-defined IP keyword search expression
01/10/03: Update: Changed use of "_new" as target to "_blank"
01/28/03: Update: Installation and other system directories can now
have spaces and other symbols in them (Dave Goldsmith)
--------------------------- Version 1.62 ---------------------------------
10/07/02: Update: Added File Type to block mode
10/07/02: Update: Can now add notes to 'dls' image blocks
10/07/02: Update: One can now view as many consecutive data units as they
want in data mode. Many other changes and updates were done with this
as well. (inspired by the Honeynet sotm)
10/07/02: Update: The File System details view for FAT now has hyperlinks
to view the run and follow to the next run.
10/09/02: Bug Fix: Removed use of 'use integer' so that large blocks do
no turn into '-1' when doing a keyword search (Michael Stone - Loyola)
--------------------------- Version 1.61 ---------------------------------
08/28/02: Update: White space is allowed at the beginning of the morgue file
08/28/02: Bug Fix: No error is generated if md5.txt does not exist from
main menu
08/28/02: Update: Improved error messages
08/28/02: Update: Added code to Main Menu to check for Java Script turned on
09/19/02: Update: fsmorgue can be a symlink in the morgue directory
--------------------------- Version 1.60 ---------------------------------
- Changed NTFS c-time to Changed from Created (5/20/02)
- Fixed a couple little bugs with parsing NTFS output (5/20/02)
- Improved sorting (name is case insensitive and name is used as
secondary sorting index) (5/20/02)
- Improved error messages of invalid input to inode & block mode
- Added ability to import password and group files when making a time line
(5/28/02)
- Fixed bug that did not allow IP addresses to be used for the ACL when
DNS was not available (5/30/02)
- Fixed some issues to make Internet Explorer not complain so much (05/30/02)
- Improved the logging so that one can retrace their actions (05/31/02)
- Moved autopsy.log to logs directory (05/31/02)
- Added ability to write Notes about a given block, inode, or file (06/04/02)
(suggestion by Dave Dittrich)
- Set default investigators name (an error was generated if no name was given)
(06/04/02)
- Added links in the help page to the window help pages (06/05/02)
- Updated timeline to reflect new format in new TASK (06/19/02)
- Added '-C' flag to turn off cookies on command line (06/20/02)
- Added new main menu (06/20/02)
- Made MD5 generation 'opt-out' (06/22/02)
- New code to remove duplicate entries in md5.txt and fsmorgue
- fsmorgue can have whitespace at end of line (7/6/02)
- An error is generated if an image in fsmorgue does not exist (7/6/02)
- updated automatic date search (7/9/02)
- New feature allows one to save the MD5 values of all files in a directory,
which makes the Solaris Finger Print Database easier (7/12)
--------------------------- Version 1.50 ---------------------------------
- Modified to support TASK instead of TCT and TCTUTILs (8/25/01)
- Removed chmod 'bug' for the cookie file (8/25/01)
- Fixed number of hits bug in Search mode (off by one) (8/25/01)
- Added ftype support (8/28/01)
- Added ftype field to reports (8/28/01)
- Encoded dir arg in FIL_DEL
- Filter option holds for usage of next and rev in block mode
- If using fat, a separate option is given to run find_inode due to how
slow it runs
- removed use of zoneinfo in favor of the new timezone value in fsmorgue.
- strings now uses '-a' flag to show all strings
- When doing a search, the length of the string is given as the '-n'
flag to strings to speed up the search
- Allow user to "force" blocks when an inode size is 0 (the istat -b flag)
- use the md5 that comes with TCT/TASK
- multiple images with the same mounting point can now exist
- Added the morgue directory to the MENU to make it easier to manage
multiple hosts
- Files are sorted by name by default
- can import strings files and create them if needed
- Run files through 'file' to get data type
- case insensitive searches
- MAC headers correspond to file system type (create vs change)
- Deleted files are displayed in red
- Correct address name used (fragment, sector etc.)
- Support for NTFS attributes
- parse bad tags from HTML when viewing it (send sterile pict)
- cookie file has port number to aid in scripting
- cookie files are deleted upon closing
- log messages are printed for each request
- added integrity checker
- renamed aux directory to base to make Windows happy
- added time line support
- added fsstat support
- Added built-in search values in search.pl
May 29, 2001 1.01 released
- Fixed Hex link when in search mode (3/23/01)
- Corrected heading of ctime (Addam Schroll, Purdue University) (4/24/01)
- Parses output of new istat correctly (5/1/01)
- When viewing 'inode as a file', the image and inode are sent as the dir
name (5/1/01)
- Added wait() to collect zombies in Linux (5/22/01)
- Added auto-flush to prevent repeat log entries (5/22/01)
- Added a 'save as' option to file and inode browsing (Addam Schroll)
(5/22/01)
- Added option for unrm block numbers (due to blockcalc) (5/22/01)
- Improved side menu for inode, block, and search (5/22/01)
- Added "Content-Disposition" so that reports and "save as" have a
unique default filename. (5/23/01)
- Organization changes to Main Menu (5/24/01)
- Automated installation process (5/24/01)
March 19, 2001 1.0 released
- Added man page for autopsy (3/10/01)
- Directory entries in config files no longer require an / at the end
- Morgue file names can have a '.' in them (but still not '/') (3/10)
- autopsy first checks for /dev/urandom for random cookie (3/10/01)
- morgue directory is a command line option to autopsy (3/10/01)
- the lib variable in autopsy is no longer set to './' so that it
can be run outside of /usr/local/autopsy (3/10/01)
- changed all references of device to image (3/11/01)
- changed all reports to print full image path (3/11/01)
- Investigator is a command line option to autopsy (3/11/01)
- CGI support removed. Only autopsy is supported (3/16/01)
- renamed autopsyd to autopsy (3/16/01)
- Fixed UID and GID heading (3/16/01)
- Run image through strings before grep to prevent memory errors (3/16/01)
- output of find_file and find_inode is prepended with rdir (3/16/01)
Feb 27, 2001 0.2b released
- Added stand alone server, autopsyd (as suggested by Dan Farmer)
- Reorganized files due to new program
- Changed names of some executables that changed in TCTUTILs
Feb 19, 2001 0.1b released
------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink