Sleuthkit Versions

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

sleuthkit-4.12.1

6 months ago

C/C++:

  • Bug fixes from Luis Nassif and Joachim Metz
  • Added check to stop for very large folders to prevent memory exhaustion

Java:

  • Added File Repository concept for files to be stored in another location
  • Schema updated to 9.4
  • Fixed OS Account merge bug and now fire events when accounts are merged

sleuthkit-4.12.0

1 year ago

There was a 1-year gap since 4.11.1, and the git log has 441 commits in that timeframe.

  • Many of them are small fixes.
  • This set of release notes is therefore much more of an overview than those of other releases.

What's New:

  • LVM Support (non-Windows) from @joachimmetz
  • Logical File System support (a folder structure is parsed by TSK libraries) from @APriestman (Basis)

What's Changed:

  • Lots of bug fixes from the Basis team and Joachim Metz
  • Additional fixes from @Eran-YT, @msuhanov, @uckelman, @dschoemantruter, and @sashashura
  • General themes: C/C++ bounds checks, and Java improvements to OS Accounts, ingest jobs, CaseDbAccessManager, and much more.

sleuthkit-4.11.1

2 years ago

C/C++:

  • Several fixes from @joachimmetz
  • NTFS Decompression bug fix from @kastonework and @uckelman-sf

Java:

  • Fixed connection leak when making OS Accounts in bridge
  • OsAccount updates for instance types and special Windows SIDs
  • Fixed issue with duplicate value in Japanese timeline translation

sleuthkit-4.11.0

2 years ago

C/C++:

  • Added checks at various layers to detect encrypted file systems and disks to give more useful error messages.
  • Added checks to detect file formats that are not supported (such as AD1, ZIP, etc.) to give more useful error messages.
  • Added tsk_imageinfo tool that detects if an image is supported by TSK and if it is encrypted.
  • Added numerous bounds checks from @joachimmetz
  • Clarified licenses as pointed out by @joachimmetz

Java:

  • Updated from Schema 8.6 to 9.1.
  • Added tables and classes for OS Accounts and Realms (Domains).
  • Added tables and classes for Host Addresses (IP, MAC, etc.).
  • Added tables and classes that distinguish Analysis Results from Data Artifacts, built on top of BlackboardArtifacts.
  • Added tables and classes for Host and Person to make it easier to group data sources.
  • Added static types for standard artifact types.
  • Added File Attribute table to allow custom information to be stored for each file.
  • Made ordering of getting lock and connection consistent.
  • Made the findFile methods more efficient by using extension (which is indexed).

sleuthkit-4.10.2

3 years ago

C/C++:

  • Added support for Ext4 inline data

Java:

  • New Blackboard Artifacts for ALEAPP/ILEAPP, Yara, Geo Area, etc.
  • Upgraded to PostgreSQL JDBC Driver 42.2.18
  • Added SHA256 to files table in DB and added utility calculation methods.
  • Changed TimelineManager to make events for any artifact with a time stamp
  • Added Japanese translations
  • Fixed synchronization bug in getUniquePath

sleuthkit-4.10.1

3 years ago

C/C++:

  • Changed Windows build to use Nuget for libewf, libvmdk, libvhdi.
  • Fixed compiler warnings
  • Clarified licenses and added the Apache license to the distribution
  • Improved error handling for out of memory issues
  • Rejistry++ memory leak fixes

Java:

  • Localized for Japanese

NOTE: The .deb file was updated because the initial one was compiled for Java 11 instead of Java 8. The one for Java 8 has an MD5 of c3ca85a89ba19ed34f26d227384a4f11.

sleuthkit-4.10.0

3 years ago

C/C++:

  • Removed PostgreSQL code (that was used only by Java code)
  • Added Java callback support so that database inserts are done in Java.

Java:

  • Added methods and callbacks as required to allow database population to happen in Java instead of C/C++.
  • Added support to allow Autopsy streaming ingest where files are added in batches.
  • Added TaggingManager class and concept of a TagSet to support ProjectVic categories.
  • Fixed changes to normalization and validation of emails and phone numbers.
  • Added a CASE/UCO JAR file that creates JSON-LD based on TSK objects.

sleuthkit-4.9.0

3 years ago

C/C++:

  • Removed framework project. Use Autopsy instead if you need an analysis framework.
  • Various fixes from Google-based fuzzing.
  • Ensure all reads (even big ones) are sector aligned when reading from a Windows device.
  • Ensure all command line tools support new pool command line arguments.
  • Create virtual files for APFS unallocated space
  • HFS fix to display type
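A sector-aligned read wrapper of the kind the "reads are sector aligned" bullet above describes, as an added example that is not libtsk's code: the device is a constructed in-memory image, and the 512-byte sector size and the 2-sector chunking are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SECTOR   512
#define DEV_SIZE (SECTOR * 8)

/* Constructed stand-in for a raw device: byte i of the image holds i & 0xff. */
static uint8_t g_dev[DEV_SIZE];
void dev_init(void) { for (size_t i = 0; i < DEV_SIZE; i++) g_dev[i] = (uint8_t)i; }

/* Simulated unbuffered device read: like a physical device opened directly on
 * Windows, it rejects any offset or length that is not a sector multiple. */
long raw_read(uint64_t off, void *buf, size_t len)
{
    if (off % SECTOR || len % SECTOR || off + len > DEV_SIZE) return -1;
    memcpy(buf, g_dev + off, len);
    return (long)len;
}

/* Aligned wrapper: widen the request to sector boundaries, read the enclosing
 * sectors in aligned chunks, then copy out only the bytes that were asked for. */
long aligned_read(uint64_t off, void *buf, size_t len)
{
    uint64_t start = off - off % SECTOR;
    uint64_t end = (off + len + SECTOR - 1) / SECTOR * SECTOR;
    if (len == 0 || end > DEV_SIZE) return -1;    /* empty or past end of device */
    size_t span = (size_t)(end - start);
    uint8_t *tmp = malloc(span);
    if (!tmp) return -1;
    /* Big requests are still issued as aligned pieces, never one huge call. */
    for (size_t done = 0; done < span; ) {
        size_t chunk = span - done > 2 * SECTOR ? 2 * SECTOR : span - done;
        if (raw_read(start + done, tmp + done, chunk) != (long)chunk) { free(tmp); return -1; }
        done += chunk;
    }
    memcpy(buf, tmp + (off - start), len);
    free(tmp);
    return (long)len;
}

/* 1 if an aligned_read of len bytes at off returns exactly the device bytes. */
int aligned_read_matches(uint64_t off, size_t len)
{
    uint8_t got[DEV_SIZE];
    return off + len <= DEV_SIZE && aligned_read(off, got, len) == (long)len
           && memcmp(got, g_dev + off, len) == 0;
}
```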

Java:

  • More artifact helper methods
  • More artifacts and attributes for drones and GPS coordinates
  • Updated TimelineManager to insert GPS artifacts into events table

sleuthkit-4.8.0

4 years ago

[NOTE: The .tar.gz file was updated after the initial release to fix some compiler errors related to maven and APFS on OS X. No logic changes were made though. Hashes are at the bottom of this note]

C/C++:

  • Pool layer was added to support APFS. NOTE: API is likely to change.
  • Limited APFS support added in libtsk and some of the command line tools.
      • Encryption support is not complete.
      • Black Bag Technologies submitted the initial PR. Basis Technology did some minor refactoring.
  • Refactoring and minor fixes to logical imager
  • Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
  • Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
  • File system bug fixes from uckelman-sf on GitHub

Database:

  • DB schema was updated to support pools
  • Added concept of JSON in Blackboard Attributes
  • Schema supports cascading deletes to enable data source deletion

Java:

  • Added Pool class and associated infrastructure
  • Added methods to support deleting data sources from database
  • Removed JavaFX as a dependency by refactoring the recently introduced timeline filtering classes.
  • Added attachment support to the blackboard helper package.

Hash of the .tar.gz that would not compile on all systems: b5c081eb2cc92d2e56b8c470de37f890
Hash of the fixed version: c7f9431bceae9b421b337d3c44af4ea9

sleuthkit-4.7.0

4 years ago

C/C++:

  • DB schema was expanded to store tsk_events and related tables. Time-based data is automatically added when files and artifacts are created. Used by Autopsy timeline.
  • Logical Imager can save files as individual files instead of in a VHD (saves space).
  • Logical Imager produces a log of results.
  • Logical Imager refactoring.
  • Removed PRIuOFF and other macros that caused signed/unsigned printing problems. For example, TSK_OFF_T is a signed value, so PRIuOFF printed a negative offset as a large positive number.
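The signed/unsigned mismatch behind that macro removal, shown as an added example rather than libtsk's own code: the TSK_OFF_T typedef and the two macro names are stand-ins assumed for the example, and a round-trip check shows why a mis-printed offset cannot be read back from a log or report.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* libtsk's TSK_OFF_T is a signed 64-bit offset (assumption for this example). */
typedef int64_t TSK_OFF_T;

/* The removed macro paired that signed type with an unsigned conversion;
 * the replacement uses the signed one. Both names here are stand-ins. */
#define PRIuOFF_LEGACY PRIu64
#define PRIdOFF_FIXED  PRId64

/* Old behaviour: the offset's bits are reinterpreted as unsigned, so an
 * error value such as -1 prints as 18446744073709551615. (The cast keeps
 * the call well-defined; mismatching the argument type outright is undefined.) */
int fmt_off_legacy(TSK_OFF_T off, char *buf, size_t n)
{
    return snprintf(buf, n, "%" PRIuOFF_LEGACY, (uint64_t)off);
}

/* Fixed behaviour: the signed conversion prints -1 as "-1". */
int fmt_off_fixed(TSK_OFF_T off, char *buf, size_t n)
{
    return snprintf(buf, n, "%" PRIdOFF_FIXED, off);
}

typedef int (*off_fmt_fn)(TSK_OFF_T, char *, size_t);

/* 1 if formatting off with fmt yields exactly expect. */
int fmt_matches(off_fmt_fn fmt, TSK_OFF_T off, const char *expect)
{
    char buf[32];
    return fmt(off, buf, sizeof buf) > 0 && strcmp(buf, expect) == 0;
}

/* 1 if the formatted text parses back to the original value. A legacy-
 * formatted negative overflows strtoimax (ERANGE), so it does not round-trip:
 * a reader of the printed value would recover the wrong offset. */
int off_roundtrips(off_fmt_fn fmt, TSK_OFF_T off)
{
    char buf[32];
    if (fmt(off, buf, sizeof buf) <= 0) return 0;
    errno = 0;
    intmax_t back = strtoimax(buf, NULL, 10);
    return errno == 0 && back == (intmax_t)off;
}
```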

Java:

  • Travis and Debian package use OpenJDK instead of OracleJDK
  • New Blackboard Helper packages (blackboardutils) to make it easier to create artifacts.
  • Blackboard scope was expanded, including the new postArtifact() method that adds event data to database and broadcasts an event to listeners.
  • SleuthkitCase now has an EventBus for database-related events.
  • New TimelineManager and associated filter classes to support new events table