IPED Digital Forensic Tool is open source software used to process and analyze digital evidence, often seized at crime scenes by law enforcement or collected in a corporate investigation by private examiners.
This release contains a few improvements and many fixes. This is possibly the last release of the 4.1.x series. Please see the ReleaseNotes.txt for the full changes; some of them are highlighted below:
#455: Optimization of UFDR reader module to use half the memory (@lfcnassif)
#439: Show warning in GUI for each evidence processed unsuccessfully (@lfcnassif)
#1932: Imagemagick portable missing vcomp140.dll dependency [4.1.5 regression] (@lfcnassif)
#2037: Bookmarks may be lost in multicase reports (@wladimirleite)
#1975: Processed files in mounted folders with incorrect extension being renamed when opened externally (@lfcnassif)
#2092: Incorrect directory tree when parsing partial/segmented RAR files (@lfcnassif)
#1977: Telegram parser duplicating messages (@hauck-jvsh)
#1921: WhatsApp recovered media messages may become duplicated (iOS only) (@wladimirleite)
#2089: Failing to process Cellebrite XML Reports (@fmpfeifer, @lfcnassif)
#2038: Aborting OutOfMemoryError caused by too many search results from UFEDChatParser (@lfcnassif, @wladimirleite)
#2099: Non VMDK file being detected as VMDK causing processing to abort (@fsicoli)
#2110: Report generation aborting because of inconsistent data types while indexing (@wladimirleite, @lfcnassif)
#1942: Audios not retried and skipped if specific errors happen in remote transcription service (@lfcnassif)
#2051: Stop condition for Whatsapp Message.setThumbData() recursion (@aberenguel, @lfcnassif)
#2024: Geopoints wrongly indexed to OpenSearch (@hauck-jvsh)

This release fixes a critical vulnerability in Google's libwebp library (CVE-2023-4863). We strongly recommend that all users upgrade. There are other important fixes, listed below:
#1903: RCE vulnerability in libwebp dependency (@wladimirleite, @lfcnassif)
#1898: Discord Parser can show wrong attachment file (@felipecampanini, @lfcnassif)
#1843: Some deleted chats or messages not being tagged as deleted (@hauck-jvsh)
#1879: Dates read from UFDR can be decoded using a wrong timezone (@wladimirleite)
#1868: PDF xmp timestamps aren't extracted with timezone info (@patrickdalla)
#1833: Transcribing audios with more than 2GB on remote service never ends (@hauck-jvsh, @lfcnassif)
#1880: Error while parsing WhatsApp contacts (@wladimirleite)
#1840: Fix links to audio and videos in WhatsApp chats, if files are in an input folder (@wladimirleite, @lfcnassif)
#1836: Broken links in Whatsapp chats when attachments file names contain emojis (@wladimirleite, @gfd2020)
#1897: Just first regex hit is shown if multiple regex patterns match the same input string (@wladimirleite)
#1870: NPE in SleuthkitClient when generating report with a virtual disk (@aberenguel, @lfcnassif)
#1875: ALT+Key to remove from bookmark not working properly with CTRL and SHIFT shortcuts (@wladimirleite)
#1846: APFS password not set when opening the case on Linux (@aberenguel)
#1909: Vosk transcription may slow down during large cases processing (@wladimirleite)
#1842: Improve layout for audio and video tags in whatsapp chats opened in browser (@wladimirleite)

This release contains improvements and fixes; please see the ReleaseNotes.txt for the full changes. Some of them are highlighted below:
News:
#1294: Support parsing LZFSE compressed files from iCloud backups (@lfcnassif)
#1525: Support parsing MacOS XXXXX.partial.emlx emails attachments (@FelipeFcosta, @lfcnassif)
#1798: Support iLBC (Internet Low Bitrate Codec) audios (@wladimirleite)
#1786: Improve the detection of Matroska files: MKV, MKA and WEBM (@wladimirleite)
#1815: Improve the detection of WhatsApp iOS account plist file (@lfcnassif)
#1793: Improve the detection of Apple iWork 13 documents (@lfcnassif)
#1809: Extract frames from videos in mounted paths longer than 256 chars on Windows (@lfcnassif, @wladimirleite)
Fixes:
#1769: Map renders locations but a blank background [regression 4.1.0] (@lfcnassif)
#1774: Old WhatsApp versions parsing affected by forwarded message feature [regression 4.1.3] (@hauck-jvsh, @lfcnassif, @wladimirleite)
#1791: WhatsApp parser may lose recent messages (@wladimirleite)
#1765: Aborting IOException from AudioTranscriptTask (@lfcnassif)
#1801: Never add video: prefix to transcription properties (@lfcnassif)
#1782: Error opening items inside an E01 from an unmounted READ ONLY Windows network share (@wladimirleite)
#1814: Corrupted ISO caused an "infinite recursion loop" in SevenZipParser (@wladimirleite, @lfcnassif)
#1752: TorTcParser timestamp in UTC although not informed (@patrickdalla, @lfcnassif)

This release contains a few improvements and fixes; please see the ReleaseNotes.txt for the full changes. Some of them are highlighted below:
News:
#1287: Flag Whatsapp Forwarded messages (@wladimirleite, @gfd2020)
#1647: Handle some new and common WhatsApp system messages (@wladimirleite, @lfcnassif)
#1610: Read WhatsApp owner account information from more sources on Android (@wladimirleite)
#1661: Support WhatsApp reactions (@wladimirleite)
#1636: Emule *.part.met files carving (@hugohmk)
#1707: Load Timeline chart data just when it becomes visible to decrease memory usage by UI (@patrickdalla)
#1719: Use Windows trusted certificate store so Map view works through some organization proxies (@patrickdalla)
#1701: Export items to local case if enableAutomaticExportFiles and enableMinIO are both enabled (@hauck-jvsh)
#1694: Optimize UFDR evidences opening time through some networks (@lfcnassif, @wladimirleite)
#1737: Update localization for Italian, Spanish and German (@flates, @AburtoArielPM, @mobab-th, @lfcnassif)
Fixes:
#1691: Possible wrong linking between WhatsApp accounts & chats if there are multiple accounts [Windows] (@wladimirleite)
#1712: Max heap memory used by Analysis App can be greater than RAM causing UI crashes (@patrickdalla, @lfcnassif)
#1730: Emule known.met parser missing several entries (@hauck-jvsh, @wladimirleite)
#1679: WhatsApp parsing timeout can break parsing of other WA databases (@lfcnassif)
#1663: Processing frozen due to infinite timeouts transcribing huge audios on transcription service (@hauck-jvsh)
#1664: Problems decoding Cyrillic and other unicode chars from registry files (@lfcnassif)
#1668: Aborting IllegalArgumentException: DocValuesField "parentIds" is too large, caused by GeofileParser (@patrickdalla)
#1676: Aborting ArrayIndexOutOfBoundsException from Lucene when creating reports with huge files (@lfcnassif)

This release contains fixes and very few enhancements. They are listed below:
News:
#1559: Support decoding audio and video calls from android WhatsApp databases v2.22.8+ (@hauck-jvsh, @lfcnassif)
#1170: Delete temp DLLs and whole temp folder after processing (@lfcnassif)
#1643: Update localization files (@flates, @mobab-th, @AburtoArielPM, @lfcnassif)
Fixes:
#1630: Some Emlx emails being detected as Html (@lfcnassif)
#1623: Change EML parser/viewer to inline extra txt/html body parts instead of extracting them as attachs (@lfcnassif)
#1628: Communication properties of items decoded from UFDR not exported to reports (@lfcnassif)
#1629: Temp files opened externally (e.g. by double click) leaked in temp folder (@lfcnassif)
#1597: Parameter -d NOT working when related value has a comma in a folder name (@lfcnassif)
#1607: Multicases do not work if case parent folder is named "iped" (@lfcnassif)
#1606: NoRouteToHostException causing remote transcription to skip audios (@lfcnassif)
#1595: "Wait" progress does not hide after quick operation on Linux (@wladimirleite, @patrickdalla)
#1614: EntropyTask processing videos when creating report slowing down report generation (@wladimirleite)
#1638: For some (rare) images, ocrCharCount is including a few characters that didn't come from OCR (@wladimirleite)
#1641: Exception thrown by the splash screen manager in the very first usage (@wladimirleite)
#1596: Test error while building when comparing Dates in some timezones (@lfcnassif)

This release contains fixes and a few improvements; please see the ReleaseNotes.txt for the full changes. Some of them are highlighted below:
News:
#1553: New Tab to list Referenced items (@lfcnassif)
#1566: Convert audios to WAV on transcription service side again (@lfcnassif)
#1556: Makes Ctrl+A and Space (check selected) work for Subitems, Duplicates, References, ReferencedBy tabs (@lfcnassif)
#1267: Makes Google and Wav2Vec2 audio transcription not dependent of FFmpeg anymore (@wladimirleite)
#1531: Converge all TwelveMonkeys libraries to 3.9.4 (@wladimirleite)
Fixes:
#1555: Media captions missed by new Android Whatsapp parser and UFDR chat parser (@lfcnassif)
#1565: Layout restore prevents panels added in newer IPED versions to be visible (@wladimirleite)
#1544: Error parsing Shareaza Library1/2.dat files (@wladimirleite)
#1585: Some chat messages from UFDR reports being duplicated (@lfcnassif)
#1142: Improve LocalConfig.txt options loading on different machines (@lfcnassif)
#1584: Error reading extracted text file from XXXXX, maybe your antivirus blocked or deleted it: java.io.FileNotFoundException (@lfcnassif)
#1561: Clients with slow networks blocking transcription cluster resources (@lfcnassif)
#1540: Socket timeouts thrown by transcription service side not retried (@lfcnassif)
#1588 & #1589: Error creating report with local/remote wav2vec2 transcription enabled (@lfcnassif)

This release contains fixes and important new features; please see the ReleaseNotes.txt for the full changes. Some of them are highlighted below:
#306: Timeline chart to show item counts and filter items based on date ranges (@patrickdalla, @lfcnassif, @FelipeFCosta, @paulobreim)
#1214: New local/remote audio transcription using Facebook wav2vec2 and transcription cluster service (@lfcnassif)
#1286: Parser for Windows 10 Mail App (@FelipeFcosta, @lfcnassif)
#390: Discord cache files parser (@felipecampanini, @lfcnassif)
#1322: New Windows EVTX parser to extract events timestamps (@patrickdalla, @lfcnassif)
#1461: Support importing new NIST NSRL RDS version 3 format (@wladimirleite)
#1201: Support rendering tracks on Map tab (@patrickdalla)
#1282: Extract telegram deleted groups (@hauck-jvsh, @lfcnassif)
#281: Extract P2P (Emule, Shareaza, Ares) history entries as separate items in case (@patrickdalla, @lfcnassif)
#1107: Option to extract a number of video frames as a function of video duration (@lfcnassif)
#1371: Search for Vendors and Products Identifiers for Hardware Wallets (@mobab-th, @lfcnassif)
#1370: Create categories for other types extracted from UFDRs (@wladimirleite)
#1202: Image blur and gray filters in gallery and image viewer (@abdalla-mar, @lfcnassif, @wladimirleite)
#1291: Render file type icons on user interface (@gfd2020, @lfcnassif, @wladimirleite)
#1511: Visual Enhancements in Processing UI (@wladimirleite)
#1279: RegRipper Custom Reports (@DHoelz, @lfcnassif)
#1092: Spanish Translation (@AburtoArielPM)
#1340: Upgrade to Sleuthkit-4.12.0 (@lfcnassif)
#1434: Update localization files to Italian, German & Spanish (@flates, @mobab-th, @AburtoArielPM, @lfcnassif)

This release has important fixes; please see the ReleaseNotes.txt for the full changes. Some of them are highlighted below:
#1336: Makes analysis UI to work from an unmounted network path again (@tc-wleite)
#1446: Map tab not working with http(s) system proxy (@lfcnassif)
#1403: OutOfMemoryError caused by com.dd.plist library (@lfcnassif)
#1421: Aborting StackOverflow exception thrown by QRCodeTask (@lfcnassif)
#1415: QRCodeTask hanging for hours (@hauck-jvsh, @lfcnassif)
#1392: Error applying user defined filters with colon in property name after reopening the case (@lfcnassif)
#1441: DocThumbTask not working on 4.0.x if enableExternalParsing is enabled (@lfcnassif)
#1409: Items with "thumbsOnly" option don't display properly in the generated report (@tc-wleite)
#1452: LedCarveTask might miss a lot of items (@lfcnassif)
#1428: On Linux v.4.0.6. fails to decrypt APFS partition that v.3.17.1 could decrypt - Sleuthkit 4.11.1 issue (@arisjr)
#1454: Remove "<br/> Empty media" from Telegram messages (@lfcnassif)

This release fixes a critical vulnerability caused by the Apache Commons Text 1.8 library, among other issues. We strongly recommend that all users upgrade.
Fixes:
#1374: Vulnerability in WhatsAppParser caused by Apache Commons Text 1.8 lib [affects 3.18.1 to 4.0.5] (@lfcnassif)
#1379: DBX parser plugin not working [4.0 regression] (@lfcnassif)
#1358: OutOfMemoryError caused by processing queue growing too much (@lfcnassif)
#1368: User interface scaling is not working in some environments (@tc-wleite)
#1357: Any zero sized file rendered as X icon in gallery (@lfcnassif)
#1387: Unneeded network dependency slowing down application start up (@lfcnassif, @tc-wleite)
#1381: Sometimes autocomplete (TAB) does not find certain properties (@tc-wleite)
#1365: Minor UI glitch in similar image search panel (@tc-wleite)
#471: Log Console Error (@tc-wleite)

This release has a few fixes, some of them very important. They are listed below:
#1350: Several folders and files missed by Sleuthkit-4.11.1 when processing an evidence with files owned by IIS default account (@lfcnassif)
#1338: UFED chat messages with unknown sender (@hauck-jvsh, @lfcnassif)
#1349: Timeouts while transcribing small audios - 4.0.4 regression (@lfcnassif)
#1328: IgnoreFilesByPathTask.js not being executed by triage profile (@lfcnassif)
#1327: Aborting IndexOutOfBoundsException caused by carved file with negative size (@lfcnassif)
#1332: Databases classified in categories other than 'Databases' are showing all table content on HTMLViewer - affects 3.18.x (@lfcnassif, @patrickdalla)
#1353: Table column parallel sorting may not be visible to other threads - affects 3.18.x (@lfcnassif, @patrickdalla)
#1348: Check/Uncheck all items action not propagated to Map tab - affects 3.18.x (@lfcnassif)
#697: Map previous/next buttons first click after sorting change are considering previous sorting order - affects 3.18.x (@patrickdalla, @lfcnassif)
#1352: If processing aborts, sometimes a different exception than the cause is printed in the Console - affects 3.18.x (@lfcnassif)