forked from joachimmetz/sleuthkit
NEWS.txt
---------------- VERSION 4.12.0 --------------
- There was a 1-year gap since 4.11.1 and the git log has 441 commits in that timeframe.
- Many for small fixes.
- This set of release notes is much more of an overview than other releases
What's New:
- LVM Support (non-Windows) from Joachim Metz
- Logical File System support (a folder structure is parsed by TSK libraries) from Ann Priestman (Basis)
What's Changed:
- Lots of bug fixes from the Basis team and Joachim Metz
- Additional fixes from Eran-YT, msuhanov, Joel Uckelman, Aleks L, dschoemantruter
- General themes of C/C++ bounds checks and Java improvements to OS Accounts, Ingest jobs, CaseDbAccessManager, and much more.
---------------- VERSION 4.11.1 --------------
C/C++:
- Several fixes from Joachim Metz
- NTFS Decompression bug fix from Kim Stone and Joel Uckelman
Java:
- Fixed connection leak when making OS Accounts in bridge
- OsAccount updates for instance types and special Windows SIDs
- Fixed issue with duplicate value in Japanese timeline translation
---------------- VERSION 4.11.0 --------------
C/C++:
- Added checks at various layers to detect encrypted file systems and disks to give more useful error messages.
- Added checks to detect file formats that are not supported (such as AD1, ZIP, etc.) to give more useful error messages.
- Added tsk_imageinfo tool that detects if an image is supported by TSK and if it is encrypted.
- Add numerous bound checks from Joachim Metz.
- Clarified licenses as pointed out by Joachim Metz.
Java:
- Updated from Schema 8.6 to 9.1.
- Added tables and classes for OS Accounts and Realms (Domains).
- Added tables and classes for Host Addresses (IP, MAC, etc.).
- Added tables and classes for Analysis Results vs Data Artifacts by adding onto BlackboardArtifacts.
- Added tables and classes for Host and Person to make it easier to group data sources.
- Added static types for standard artifact types.
- Added File Attribute table to allow custom information to be stored for each file.
- Made ordering of getting lock and connection consistent.
- Made the findFile methods more efficient by using extension (which is indexed).
---------------- VERSION 4.10.2 --------------
C/C++
- Added support for Ext4 inline data
Java
- New Blackboard Artifacts for ALEAPP/ILEAPP, Yara, Geo Area, etc.
- Upgraded to PostgreSQL JDBC Driver 42.2.18
- Added SHA256 to files table in DB and added utility calculation methods.
- Changed TimelineManager to make events for any artifact with a time stamp
- Added Japanese translations
- Fixed synchronization bug in getUniquePath
---------------- VERSION 4.10.1 --------------
C/C++:
- Changed Windows build to use Nuget for libewf, libvmdk, libvhdi.
- Fixed compiler warnings
- Clarified licenses and added Apache license to distribution
- Improved error handling for out of memory issues
- Rejistry++ memory leak fixes
Java:
- Localized for Japanese
---------------- VERSION 4.10.0 --------------
C/C++:
- Removed PostgreSQL code (that was used only by Java code)
- Added Java callback support so that database inserts are done in Java.
Java:
- Added methods and callbacks as required to allow database population to happen in Java instead of C/C++.
- Added support to allow Autopsy streaming ingest where files are added in batches.
- Added TaggingManager class and concept of a TagSet to support ProjectVic categories.
- Fixed changes to normalization and validation of emails and phone numbers.
- Added a CASE/UCO JAR file that creates JSON-LD based on TSK objects.
---------------- VERSION 4.9.0 --------------
C/C++
- Removed framework project. Use Autopsy instead if you need an analysis framework.
- Various fixes from Google-based fuzzing.
- Ensure all reads (even big ones) are sector aligned when reading from Windows device.
- Ensure all command line tools support new pool command line arguments.
- Create virtual files for APFS unallocated space
- HFS fix to display type
Java:
- More artifact helper methods
- More artifacts and attributes for drones and GPS coordinates
- Updated TimelineManager to insert GPS artifacts into events table
---------------- VERSION 4.8.0 --------------
C/C++
- Pool layer was added to support APFS. NOTE: API is likely to change.
- Limited APFS support added in libtsk and some of the command line tools.
-- Encryption support is not complete.
-- Blackbag Technologies submitted the initial PR. Basis Technology
did some minor refactoring.
- Refactoring and minor fixes to logical imager
- Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
- Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
- File system bug fixes from uckelman-sf on github
Database:
- DB schema was updated to support pools
- Added concept of JSON in Blackboard Attributes
- Schema supports cascading deletes to enable data source deletion
Java:
- Added Pool class and associated infrastructure
- Added methods to support deleting data sources from database
- Removed JavaFX as a dependency by refactoring the recently
introduced timeline filtering classes.
- Added attachment support to the blackboard helper package.
---------------- VERSION 4.7.0 --------------
C/C++:
- DB schema was expanded to store tsk_events and related tables.
Time-based data is automatically added when files and artifacts are
created. Used by Autopsy timeline.
- Logical Imager can save files as individual files instead of in
VHD (saves space).
- Logical imager produces log of results
- Logical Imager refactor
- Removed PRIuOFF and other macros that caused problems with
signed/unsigned printing. For example, TSK_OFF_T is a signed value
and PRIuOFF would cause problems as it printed a negative number
as a big positive number.
Java
- Travis and Debian package use OpenJDK instead of OracleJDK
- New Blackboard Helper packages (blackboardutils) to make it easier
to make artifacts.
- Blackboard scope was expanded, including the new postArtifact() method
that adds event data to database and broadcasts an event to listeners.
- SleuthkitCase now has an EventBus for database-related events.
- New TimelineManager and associated filter classes to support new events
table
---------------- VERSION 4.6.7 --------------
C/C++ Code:
- First release of new logical imager tool
- VHD image writer fixes for out of space scenarios
Java:
- Expand Communications Manager API
- Performance improvement for SleuthkitCase.addLocalFile()
---------------- VERSION 4.6.6 --------------
C/C++ Code:
- Acquisition details are set in DB for E01 files
- Fix NTFS decompression issue (from Joe Sylve)
- Image reading fix when cache fails (Joe Sylve)
- Fix HFS+ issue with large catalog files (Joe Sylve)
- Fix free memory issue in srch_strings (Derrick Karpo)
Java:
- Fix so that local files can be relative
- More Blackboard artifacts and attributes for web data
- Added methods to CaseDbManager to enable checking for and modifying tables.
- APIs to get and set acquisition details
- Added methods to add volume and file systems to database
- Added method to add LayoutFile for allocated files
- Changed handling of JNI handles to better support multiple cases
---------------- VERSION 4.6.5 --------------
C/C++ Code:
- HFS boundary check fix
- New fields for hash values and acquisition details in case database
- Store "created schema version" in case database
Java Code:
- New artifacts and attributes defined
- Fixed bug in SleuthkitCase.getContentById() for data sources
- Fixed bug in LayoutFile.read() that could allow reading past end of file
---------------- VERSION 4.6.4 --------------
Java Code:
- Increase max statements in database to prevent errors under load
- Have a max timeout for SQLite retries
---------------- VERSION 4.6.3 --------------
C/C++ Code:
- Hashdb bug fixes for corrupt indexes and 0 hashes
- New code for testing power of number in ExtX code
Java Code:
- New class that allows generic database access
- New methods that check for duplicate artifacts
- Added caches for frequently used content
Database Schema:
- Added Examiner table
- Tags are now associated with Examiners
- Changed parent_path for logical files to be consistent with FS files.
---------------- VERSION 4.6.2 --------------
C/C++ Code:
- Various compiler warning fixes
- Added small delay into image writer to not starve other threads
Java:
- Added more locking to ensure that handles were not closed while other threads were using them.
- Added APIs to support more queries by data source
- Added memory-based caching when detecting if an object has children or not.
---------------- VERSION 4.6.1 --------------
C/C++ Code:
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- Cleanup and fixes from uckelman-sf and others
- PostgreSQL, libvhdi, & libvmdk are supported for Linux / OS X
- Fixed display of NTFS GUID in istat - report from Eric Zimmerman.
- NTFS istat shows details about all FILE_NAME attributes, not just the first. report from Eric Zimmerman.
Java:
- Reports can be URLs
- Reports are Content
- Added APIs for graph view of communications
- JNI library is extracted to name with user name in it to avoid conflicts
Database:
- Version upgraded from to 8.0 because Reports are now Content
---------------- VERSION 4.6.0 --------------
New Features
- New Communications related Java classes and database tables.
- Java build updates for Autopsy Linux build
- Blackboard artifacts are now Content objects in Java and part of tsk_objects table in database.
- Increased cache sizes.
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- HFS fix from uckelman-sf.
---------------- VERSION 4.5.0 --------------
New Features:
- Support for LZVN compressed HFS files (from Joel Uckelman)
- Use sector size from E01 (helps with 4k sector sizes)
- More specific version number of DB schema
- New Local Directory type in DB to differentiate with Virtual Directories
- All blackboard artifacts in DB are now 'content'. Attachments can now
be children of their parent message.
- Added extension as a column in tsk_files table.
Bug Fixes:
- Faster resolving of HFS hard links
- Lots of fixes from Google Fuzzing efforts.
---------------- VERSION 4.4.2 --------------
New Features:
- usnjls tool for NTFS USN log (from noxdafox)
- Added index to mime type column in DB
- Use local SQLite3 if it exists (from uckelman-sf)
- Blackboard Artifacts have a shortDescription method
Bug Fixes:
- Fix for highest HFS+ inum lookup (from uckelman-sf)
- Fix ISO9660 crash
- various performance fixes and added thread safety checks
---------------- VERSION 4.4.1 --------------
- New Features:
-- Can create a sparse VHD file when reading a local drive with new
IMAGE_WRITER structure. Currently being used by Autopsy, but no TSK
command line tools.
- Bug fixes:
-- Lots of cleanup and fixes. Including:
-- memory leaks
-- UTF8 and UTF16 cleanup
-- Missing NTFS files (in fairly rare cases)
-- Really long folder structures and database inserts
---------------- VERSION 4.4.0 --------------
- Compiling in Windows now uses Visual Studio 2015
- tsk_loaddb now adds new files for slack space and JNI was upgraded
accordingly.
---------------- VERSION 4.3.1 --------------
- NTFS works on 4k sectors
- Added support in Java to store local files in encoded form (XORed)
- Added Java Account object into datamodel
- Added notion of a review status to blackboard artifacts
- Upgraded version of PostgreSQL
- Various minor bug fixes
---------------- VERSION 4.3.0 --------------
- PostgreSQL support (Windows only)
- New Release_NoLibs Visual Studio target
- Support for virtual machine formats via libvmdk and libvhdi (Windows only)
- Schema updates (data sources table, mime type, attributes store type)
- tsk_img_open can take externally created TSK_IMG_INFO
- Various minor bug fixes
---------------- VERSION 4.2.0 --------------
- ExFAT support added
- New database schema
- New Sqlite hash database
- Various bug fixes
- NTFS pays more attention to sequence and loads metadata only
if it matches.
- Added secondary hash database index
---------------- VERSION 4.1.3 --------------
- fixed bug that could crash UFS/ExtX in inode_lookup.
- More bounds checking in ISO9660 code
- Image layer bounds checking
- Update version of SQLITE-JDBC
- changed how java loads native libraries
- Config file for YAFFS2 spare area
- New method in image layer to return names
- Yaffs2 cleanup.
- Escape all strings in SQLite database
- SQLite code uses NTFS sequence number to match parent IDs
---------------- VERSION 4.1.2 --------------
Core:
- Fixed more visual studio projects to work on 64-bit
- TskAutoDB considers not finding a VS/FS a critical error.
Java:
- added method to Image to perform sanity check on image sizes.
fiwalk:
- Fixed compile error on Linux etc.
---------------- VERSION 4.1.1 --------------
Core:
- Added FILE_SHARE_WRITE to all windows open calls.
- removed unused methods in CRC code that caused compile errors.
- Added NTFS FNAME times to time2 struct in TSK_FS_META to make them
easier to access -- should have done this a long time ago!
- fls -m and tsk_gettimes output NTFS FNAME times to output for timelines.
- hfind with EnCase hashsets works when DB is specified (and not only index)
- TskAuto now goes into UNALLOC partitions by default too.
- Added support to automatically find all Cellebrite raw dump files given
the name of the first image.
- Added 64-bit windows targets to VisualStudio files.
- Added NTFS sequence to parent address in directory and directory itself.
- Updated SQLite code to use sequence when finding parent object ID.
Java:
- Java bindings JAR files now have native libraries in them.
- Logical files are added with a transaction
---------------- VERSION 4.1.0 --------------
Core:
- Added YAFFS2 support (patch from viaForensics).
- Added Ext4 support (patch from kfairbanks)
- changed all include paths to be 'tsk' instead of 'tsk3'
-- IMPORTANT FOR ALL DEVELOPERS!
Framework:
- Added Linux and MAC support.
- Added L01 support.
- Added APIs to find files by name, path and extension.
- Removed deprecated TskFile::getAttributes methods.
- moved code around for AutoBuild tool support.
Java Bindings:
- added DerivedFile datamodel support
- added a public method to Content to add ability to close() its tsk handle before the object is gc'd
- added faster skip() and random seek support to ReadContentInputStream
- refactored datamodel by pushing common methods up to AbstractFile
- fixed minor memory leaks
- improved regression testing framework for java bindings datamodel
---------------- VERSION 4.0.2 --------------
Core:
New Features:
- Added fiwalk tool from Simson. Not supported in Visual Studio yet.
Bug Fixes:
- Fixed fcat to work on NTFS files (still doesn't support ADS though).
- Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
- NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
- NTFS code uses sequence number when searching MFT entries for all files.
- Libewf detection code change to support v2 API more reliably (ID: 3596212).
- NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
Framework:
- Added new API to TskImgDB that returns the base name of an image.
- Numerous performance improvements to framework.
- Removed requirement in framework to specify module extension in pipeline configuration file.
- Added blackboard artifacts to represent both operating system and network service user accounts.
Java Bindings:
- added more APIs to find files by name, path and where clause
- added API to get currently processed dir when image is being added,
- added API to return specific types of children of image, volume system, volume, file system.
- moved more common methods up to Content interface
- deprecated context of blackboard attributes,
- deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
- fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
- methods that are lazy loading are now thread safe
- Hash class is now thread-safe
- use more PreparedStatements to improve performance
- changed source level from java 1.6 to 1.7
- Throw exceptions from C++ side better
---------------- VERSION 4.0.1 --------------
New Features:
- Can open raw Windows devices with write mode sharing.
- More DOS partition types are displayed.
- Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
- Added new API to TskImgDB that returns hash value associated with carved files.
- performance improvements with FAT code (maps and dir_add)
- performance improvements with NTFS code (maps)
- added AONLY flag to block_walk
- Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
Bug Fixes:
- Fixed mactime issue where it could choose the wrong timezone that did
not follow daylight savings times.
- Fixed file size of alternate data streams in framework.
- Incorporated memory leak fixes and raw device fixes from ADF Solutions.
---------------- VERSION 4.0.0 --------------
New Features:
- Added multithreaded support
- Added C++ wrapper classes
- Added JNI bindings / Java data model classes
- 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
- 3184429: More consistent printing of unset times (all zeros instead of 1970)
- New database design that allows for multiple images in the same database
- GPT volume system tries other sector sizes if first attempt fails.
- Added hash calculation and lookup to AutoDB and JNI.
- Upgraded SQLite to 3.7.9.
- Added Framework in (windows-only)
- EnCase hash support
- Libewf v2 support (it is now non-beta)
- First file in a raw split or E01 can be specified and the rest of the files
are found.
- mactime displays times as 0 if the time is not set (instead of 1970)
- Changed behavior of 'mactime -y' to use ISO8601 format.
- Updated HFS+ code from ATC-NY.
- FAT orphan file improvements to reduce false positives.
- TskAuto better reports errors.
- Upgrade build projects from Visual Studio 2008 to 2010.
Bug Fixes:
- Relaxed checking when conflict exists between DOS and GPT partitions.
Had a Mac image that was failing to resolve which partition table
to use.
---------------- VERSION 3.2.3 --------------
New Features:
- new TskAuto method (handleNotification()) that gets verbose messages that allow for debugging when the class makes decisions.
- DOS partitions are loaded even if an extended partition fails to load
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method
- Need to only specify first E01 file and the rest are found
- Changed docs license to non-commercial
- Unicode conversion routines fix invalid UTF-16 text during conversion
- Added '-d' to tsk_recover to specify directory to recover
Bug Fixes:
- Added check to fatfs_open to compare first sectors of FAT if we used backup boot sector and verify it is FAT32.
- More checks to make sure that FAT short names are valid ASCII
- 3406523: Mactime size sanity check
- 3393960: hfind reading of Windows input file
- 3316603: Error reading last blocks of RAW CD images
- Fixed bugs in how directories and files were detected in TskAuto
---------------- VERSION 3.2.2 --------------
Bug Fixes
- 3213886: ISO9660 directory hole not advancing
- 3173095 contd: Updated checks so that tougher FAT checks are
applied to deleted directories.
- 3303678: Image type in Sqlite DB is now not always 0
- 3303679: Deleted FAT files have more name cleanup in short names
New Features:
- 3213888: RAW CD format
- Auto class accepts TSK_IMG_INFO as argument
- Copies of split image file names are stored in TSK so that the caller can free them before TSK_IMG_INFO is freed.
---------------- VERSION 3.2.1 --------------
Bug Fixes
- 3108272: fls arguments for -d and -u
- 3105539: compile error issues because of SQLite and pthreads
- 3173095: missing FAT files because of invalid dates.
- 3184419: mingw compile errors.
- 3191391: surround file name in quotes in mactime -d csv output
New Features:
- A single dummy entry is added to the SQLite DB if no volume exists
so that all programs can assume that there will be at least one
volume in the table.
- 3184455: allow srcdir != builddir
---------------- VERSION 3.2.0 --------------
Bug Fixes
- 3043092: Minor logic errors with ifind code.
- FAT performance fix when looking for parent directories
in $OrphanFiles.
- 3052302: Crash on NTFS/UFS detection test because of
corrupt data -- tsk_malloc error.
- 3088447: Error adding attribute because of run collision.
Solved by assigning unique IDs.
New Features:
- 3012324: Name mangling moved out of library into outer tools
so that they can see control characters if they want to. Patch
by Anthony Lawrence.
- 2993806: ENUM values have a specified NONE value if you don't
want to specify any special flags. Patch by Anthony Lawrence.
- 3026989: Add -e and -s flags to img_cat. patch by Simson Garfinkel.
- 2941805: Add case sensitive flag to fsstat in HFS. Patch by Rob Joyce.
- 3017764: Changed how default NTFS $DATA attribute was named. Now it
has no name, while it previously had a fake name of "$Data".
- New TskAuto class.
- New tsk_loaddb, tsk_recover, tsk_comparedir, and tsk_gettimes tools.
---------------- VERSION 3.1.3 --------------
Bug Fixes
- 3006733: FAT directory listings were slow because the inner
code was not stopping when it found the parent directory.
- Adjusted sanity / testing code on FAT directory entries to allow
non-ascii in extensions and reject entries with lots of 0s.
- 3023606: Ext2 / ffs corrupted file names.
- Applied NTFS SID fixes from Mandiant.
- ntfs_load_secure() memory leak patch from Michael Cohen
---------------- VERSION 3.1.2 --------------
Bug Fixes
- 2982426: FAT directory listings were slow because the entire
image was being scanned for parent directory information.
- 2982965: fs_attr length bug fix.
- 2988619: mmls -B display error.
- 2988330: ntfs SII cluster size increment bug
- 2991487: Zeroed content in NTFS files that were not fully initialized.
- 2993767: Slow FAT listings of OrphanFiles because hunt for parent
directory resulted in many searches for OrphanFiles. Added cache
of OrphanFiles.
- 2999567: ifind was not stopping after first hit.
- 2993804: read past end of file did not always return -1.
---------------- VERSION 3.1.1 --------------
Bug Fixes
- 2954703: ISO9660 missing files because duplicate files
had same starting block.
- 2954707: ISO9660 missing some files with zero length and
duplicate starting block. Also changed behavior of how
multiple volume descriptors are processed.
- 2955898: Orphan files not found if no deleted file names exist.
- 2955899: NTFS internal setting of USED flag.
- 2972721: Sorter fails with hash lookup if '-l' is given.
- 2941813: Reverse HFS case sensitive flags (internal fix only)
- 2954448: Debian package typo fixes, etc.
- 2975245: sorter ignores realloc entries to reduce misleading mismatch entries and duplicate entries.
---------------- VERSION 3.1.0 --------------
New Features and Changes
- 2206285: HFS+ can now be read. Lots of tracker items about this.
Thanks to Rob Joyce and ATC-NY for many of the patches and reports.
- 2677069: DOS Safety Partitions in GPT Volume Systems are better
detected instead of reporting multiple VSs.
- Windows executables can be built in Visual Studio w/out needing
other image format libraries.
- 2367426: Uninitialized file space is shown if slack space is
requested.
- 2677107 All image formats supported by AFFLIB can be accessed by
specifying the "afflib" type.
- 2206265: sigfind can now process non-raw files.
- 2206331: Indirect block addresses are now available in the library
and command line tools. They are stored in a different attribute.
- Removed 'docs' files and moved them to the wiki.
- Removed disk_stat and disk_sreset because they were out of date
and hdparm now has the same functionality.
- 2874854: Image layer tools now support non-512 byte device sector
sizes. Users can specify sector size using the -b argument to the
command line tools. This has several consequences:
-- 'mmls -b' is now 'mmls -B'. Similarly with istat -b.
-- Changed command line format for '-o' so that sector size is
specified only via -b and not using '-o 62@4096'.
- 2874852: Sanity checking on partition table entries is relaxed
and only first couple of partitions are checked to make sure that
they can fit into the image.
- 2895607: NTFS SID data is available in the library and 'istat'.
- 2206341: AFF encrypted images now give more proper error message
if password is not given.
- 2351426: mactime is now distributed with Windows execs.
Developer-level Changes
- Abstracted name comparison to file system-specific function.
- Added support in mactime to read body files with comment lines.
- 2596153: Changed img_open arguments, similar to getopt().
- 2797169: tsk_fs_make_ls is now supported as an external library
function. Now named tsk_fs_meta_make_ls.
- 2908510: Nanosecond resolution of timestamps is now available.
- 2914255: Version info is now available in .h files in both string
and integer form.
Bug Fixes:
- 2568528: incorrect adjustment of attribute FILLER offset.
- 2596397: Incorrect date sorting in mactime.
- 2708195: Errors when doing long reads in fragmented attributes.
- Fixed typo bugs in sorter (reported via e-mail by Drew Hunt).
- 2734458: added orphan cache map to prevent slow NTFS listing times.
- 2655831: Sorter now knows about the ext2 and ext3 types.
- 2725799: ifind not converting UTF16 names properly on Windows
because it was using endian ordering of file system and not local
system.
- 2662168: warning messages on macs when reading the raw character
device.
- 2778170: incorrect read size on resident attributes.
- 2777633: missing second resolution on FAT creation times.
- Added the READ_SHARE option to the CreateFile command for split
image files. Patch by Christopher Siwy.
- 2786963: NTFS compression infinite loop fix.
- 2645156: FAT / blkls error getting slack because allocsize was
being set too small (and other values were not being reset).
- 2367426: Zeros are set for VDL slack on NTFS files.
- 2796945: Infinite loop in fs_attr.
- 2821031: Missing fls -m fields.
- 2840345: Extended DOS partitions in extended partitions are now
marked as Meta.
- 2848162: Reading attributes at offsets that are on boundary of
run fragment.
- 2824457: Fixed issue reading last block of file system with blkcat.
- 2891285: Fixed issue that prevented reads from the last block of
a file system when using the POSIX-style API.
- 2825690: Fixed issue that prevented blkls -A from working.
- 2901365: Allow FAT files to have a 0 wdate.
- 2900761: Added FAT directory sanity checks to prevent infinite loops.
- 2895607: Fixed various memory leaks.
- 2907248: Fixed image layer cache crash.
- 2905750: all file system read() functions now return -1 when
offset given is past end of file.
---------------- VERSION 3.0.1 --------------
11/11/08: Bug Fix: Fixed crashing bug in ifind on FAT file system.
Bug: 2265927
11/11/08: Bug Fix: Fixed crashing bug in istat on ExtX $OrphanFiles
dir. Bug: 2266104
11/26/08: Update: Updated fls man page.
11/30/08: Update: Removed TODO file and using tracker for bugs and
feature requests.
12/29/08: Bug Fix: Fixed incorrectly setting block status in file_walk
for compressed files (Bug: 2475246)
12/29/08: Bug Fix: removed fs_info field from FS_META because it
was not being set and should have been removed in 3.0. Reported by
Rob Joyce and Judson Powers.
12/29/08: Bug Fix: orphan files and NTFS files found via parent
directory have an unknown file name type (instead of being equal
to meta type). (Bug: 2389901). Reported by Barry Grundy.
1/12/09: Bug Fix: Fixed ISO9660 bug where large directory contents
were not displayed. (Bug: 2503552). Reported by Tom Black.
1/24/09: Bug Fix: Fixed bug 2534449 where extra NTFS files were
shown if the MFT address was changed to 0 because fs_dir_add was
checking the address and name. Reported by Andy Bontoft.
1/29/09: Update: Fixed fix for bug 2534449. The fix is in ifind
instead of fs_dir_add().
2/2/09: Update: Added RPM spec file from Morgan Weetmam.
---------------- VERSION 3.0.0 --------------
0/00/00: Update: Many, many, many API changes.
2/14/08: Update: Added mmcat tool.
2/26/08: Update: Added flags to mmls to specify partition types.
3/1/08: Update: Major update of man pages.
4/14/08: Bug Fix: Fixed the calculation of "actual" last block.
Off by 1 error. Reported by steve.
5/23/08: Bug Fix: Incorrect malloc return check in srch_strings.
Reported by Petri Latvala.
5/29/08: Bug Fix: Fixed endian ordering bug in ISO9660 code. Reported
by Eduardo Aguiar de Oliveira.
6/17/08: Update: 'sorter' now uses the ifind method for finding
deleted NTFS files (like Autopsy does) instead of relying on fls.
Reported by John Lehr.
6/17/08: Update: 'ifind -p' reports data on ADS.
7/10/08: Update: FAT looks for a backup boot sector in FAT32 if
magic is 0.
7/21/08: Bug Fix: Changed define of strcasecmp to _stricmp instead
of _strnicmp in Windows. (reported by Darren Bilby).
7/21/08: Bug Fix: Fall back to open "\\.\" image files on Windows
with SHARE_WRITE access so that drive devices can be opened.
(reported by Darren Bilby).
8/20/08: Bug Fix: Look for Windows objects when opening files in
Cygwin, not just Win32. Reported by Par Osterberg Medina.
8/21/08: Update: Renamed library and install header files to have a '3'
in them to allow parallel installations of v2 and v3. Suggested by
Simson Garfinkel.
8/22/08: Update: Added -b option to sorter to specify minimum file size
to process. Suggested by Jeff Kell.
8/22/08: Update: Added libewf as a requirement to build win32 so that
E01 files are supported.
8/29/08: Update: Added initial mingw patches for cross compiling and
Windows. Patches by Michael Cohen.
9/X/08: Update: Added ability to access attributes
9/6/08: Update: Added image layer cache.
9/12/08: Bug Fix: Fixed crash from incorrectly cleared value in FS_DIR
structure. Reported and patched by Jason Miller.
9/13/08: Update: Changed d* tool names to blk*.
9/17/08: Update: Finished mingw support so that both tools and
library work with Unicode file name support.
9/22/08: Update: Added new HFS+ code from Judson Powers and Rob Joyce (ATC-NY)
9/24/08: Bug Fix: Fixed some compile errors about types on Cygwin.
Reported by Phil Peacock.
9/25/08: Bug Fix: Added O_BINARY to open() in raw and split because Cygwin
was having problems. Reported by Mark Stam.
10/1/08: Update: Added ifndef to TSK_USE_HFS define to allow people
to define it on the command line. Patch by RB.
---------------- VERSION 2.52 --------------
2/12/08: Bug Fix: Fixed warning messages in mactime about non-Numeric
data. Reported by Pope.
2/19/08: Bug Fix: Added #define to tsk_base_i.h to define
LARGEFILE64_SOURCE based on LARGEFILE_SOURCE for older Linux systems.
2/20/08: Bug Fix: Updated afflib references and code.
3/13/08: Update: Added more fixes to auto* so that AFF will compile
on more systems. I have confirmed that AFFLIB 3.1.3 will run with
OS X 10.4.11.
3/14/08: Bug Fix: Added checks to FAT code that calcs size of
directories. If starting cluster of deleted dir points into a
cluster chain, then problems can occur. Reported by John Ward.
3/19/08: Update: I have verified that this compiles with libewf-20070512.
3/21/08: Bug Fix: Deleted Ext/FFS directories were not being recursed
into. This case was rare (because typically the metadata are
wiped), but possible. Reported by JWalker.
3/24/08: Update: I have verified that this compiles with libewf-20080322.
Updates from Joachim Metz.
3/26/08: Update: Changed some of the header file design for the tools
so that the define settings in tsk_config.h can be used (for large files).
3/28/08: Update: Added config.h reference to srch_strings to get the
LARGEFILE support.
4/5/08: Update: Improved inode argument number parsing function.
---------------- VERSION 2.51 --------------
1/30/08: Bug Fix: Fixed potential infinite loop in fls_lib.c. Patch
by Nathaniel Pierce.
2/7/08: Bug Fix: Defined some of the new constants that are used
in disktools because older Linux distros did not define them.
Reported by Russell Reynolds.
2/7/08: Bug Fix: Modified autoconf to check for large file build
requirements and look for new 48-bit structures needed by disktools.
Both of these were causing problems on older Linux distros.
2/7/08: Update: hfind will normalize hash values in database so
that they are case insensitive.
---------------- VERSION 2.50 --------------
12/19/07: Update: Finished upgrade to autotools building design. No
longer include file, afflib, libewf. Resulted in many source code layout
changes and sorter now searches for md5, sha1, etc.
---------------- VERSION 2.10 --------------
7/12/07: Update: 0s are returned for AFF pages that were not imaged.
7/31/07: Bug Fix: ifind -p could crash if a deleted file name was found
that did not point to a valid meta data structure. (Reported by Andy Bontoft)
8/5/07: Update: Added NSRL support back into sorter.
8/15/07: Update: Errors are given if supplied sector offset is larger than
disk image. Reported by Simson Garfinkel.
8/16/07: Update: Renamed MD5 and SHA1 functions to TSK_MD5_.. and TSK_SHA_....
8/16/07: Update: tsk_error_get() does not reset the error messages.
9/26/07: Bug Fix: Changed FATFS check for valid dentries to consider
second values of 30. Reported by Alessandro Camillo.
10/18/07: Update: inode_walk for NTFS and FAT will not abort if
data corruption is found in one entry -- instead they will just
skip it.
10/18/07: Update: tsk_os.h uses standard gcc system names instead
of TSK specific ones.
10/18/07: Update: Updated raw.c to use ioctl commands on OS X to
get size of raw device because it does not work with SEEK_END.
Patch by Rob Joyce.
10/31/07: Update: Finished upgrade to fatfs_file_walk_off so that
walking can start at a specific offset. Also finished upgrade that
caches FAT run list to make the fatfs_file_walk_off more efficient.
11/14/07: Update: Fixed a few places where off_t was being used
instead of OFF_T. Reported by GiHan Kim.
11/14/07: Update: Fixed a memory leak in aff.c to free AFF_INFO.
Reported by GiHan Kim.
11/24/07: Update: Finished review and update of ISO9660 code.
11/26/07: Bug Fix: Fixed 64-bit calculation in HFS+ code. Submitted
by Rob Joyce.
11/29/07: Update: removed linking of srch_strings.c and libtsk. Reported by
kwizart.
11/30/07: Update: Made a #define TSK_USE_HFS compile flag for incorporating
the HFS support (flag is in src/fstools/fs_tools_i.h)
11/30/07: Update: restricted the FAT dentry sanity checks to verify
space padding in the name and latin-only extensions.
12/5/07: Bug Fix: fs_read_file_int had a bug that ignored the type passed
for NTFS files. Reported by Dave Collett.
12/12/07: Update: Changed the FAT dentry sanity checks to allow spaces
in volume labels and do more checking on the attribute flag.
---------------- VERSION 2.09 --------------
4/6/07: Bug Fix: Infinite loop in ext2 and ffs istat code because of using
unsigned size_t variable. Reported by Makoto Shiotsuki.
4/16/07: Bug Fix: Changed use of fseek() to fseeko() in hashtools. Patch
by Andy Bontoft.
4/16/07: Bug Fix: Changed Win32 SetFilePointer to use LARGE_INTEGER.
Reported by Kim GiHan.
4/19/07: Bug Fix: Not all FAT orphan files were being found because of
an offset error.
4/26/07: Bug Fix: ils -O was not working (link value not being
checked). Reported by Christian Perst.
4/27/07: Bug Fix: ils -r was showing UNUSED inodes. Reported by
Christian Perst.
5/10/07: Update: Redefined the USED and UNUSED flags for NTFS so that
UNUSED is set when no attributes exist.
5/16/07: Bug Fix: Fixed several bounds checking bugs that may cause
a crash if the disk image is corrupt. Reported by Tim Newsham (iSec
Partners)
5/17/07: Update: Updated AFFLIB to 2.2.11
5/17/07: Update: Updated libewf to libewf-20070512
5/17/07: Update: Updated file to 4.20
5/29/07: Update: Removed NTFS SID/SDS contributed code because it causes
crashes on some systems and its output is not entirely clear. (most recent bug
reported by Andy Scott)
6/11/07: Update: Updated AFFLIB to 2.2.12.
6/12/07: Bug Fix: ifind -p was not reporting back info on the allocated name
when one existed (because strtok was overwriting the name when the search
continued). Reported by Andy Bontoft.
6/13/07: Update: Updated file to 4.21
---------------- VERSION 2.08 --------------
12/19/06: Bug Fix: ifind_path was not setting *result when root inode
was searched for. Patch by David Collett.
12/29/06: Update: Replaced 'strncpy' in ntfs.c with manual assignment of
text for '$Data' and 'N/A' for performance reasons.
1/11/07: Update: Added duname to FS_INFO that contains a string with the
name of a file system's data unit -- Cluster for example.
1/19/07: Bug Fix: ifind_path was returning an error even after some
files were found. Errors are now ignored if a file was found.
Reported by Michael Cohen.
1/26/07: Bug Fix: Fixed calculation of inode numbers in fatfs.c
(reported by Simson Garfinkel).
2/1/07: Update: Changed aff-install to support symlinked directory.
2/1/07: Update: img_open modified so that it does not report errors for
s3:// and http:// files that do not exist.
2/5/07: Update: updated *_read() return values to look for "<0" instead of
simply "== -1". (suggested by Simson Garfinkel).
2/8/07: Update: removed typedef for uintptr in WIN32 code.
2/13/07: Update: Applied patch from Kim Kulak to update HFS+ code to internal
design changes.
2/16/07: Update: Renamed many of the external data structures and flags
so that they start with TSK_ or tsk_ to prevent name collisions.
2/16/07: Update: Moved MD5 and SHA1 routines and binaries to auxtools
instead of hashtools so that they are easier to access.
2/16/07: Update: started redesign and port of hashtools.
2/21/07: Update: Changed inode_walk callback API to remove the flags
variable -- this was redundant since flags are also in TSK_FS_INODE.
Same for TSK_FS_DENT.
3/7/07: Bug Fix: fs_read_file failed for NTFS resident files. Reported
by Michael Cohen.
3/8/07: Bug Fix: FATFS assumed a 512-byte sector in a couple of locations.
3/13/07: Update: Finished hashtools update.
3/13/07: Update: dcat reads block by block instead of all at once.