Sleuth Kit 1.61 and Autopsy 1.71 Release

From: Brian Carrier <carrier(at)sleuthkit.org>
Date: Thu Apr 03 2003 - 17:45:26 EST

The Sleuth Kit version 1.61 and Autopsy version 1.71 are now available.

    http://www.sleuthkit.org/sleuthkit
    http://www.sleuthkit.org/autopsy

What is The Sleuth Kit?   

The Sleuth Kit was previously known as The @stake Sleuth Kit (TASK) and is now independent from any organization. All future releases will be available from http://www.sleuthkit.org.

What is new in The Sleuth Kit 1.71?

The Sleuth Kit had features added and a couple of bugs fixed (one is major and all users should upgrade).

Major New Features:
- Thumbnails are now created for graphic images in 'sorter'.
- 'sorter' uses the '-z' flag with 'file' to get the format inside
  compressed files.
- 'hfind' now supports the new NIST NSRL hash format (version 2)
- 'hfind' now supports the Hash Keeper hash format
- 'ifind -n' now accepts short names for FAT files.
- 'mactime' can create a summary of daily activity with '-i'
- 'file' was updated due to a vulnerability in it

Bug Fixes:
- A final NTFS Index Buffer was not always being processed, which
  resulted in some files not being shown. (Debugging help from
  Matthew Shannon).
- NTFS MFT entries with a Magic of 0 were marked as invalid
- 'fls' would crash if a clock skew file was given, the file had an
  inode of 0, and '-l' or '-m' was given. (Debugging help from
  Josep Homs).
- 'ifind -n' could return the meta data address of a file that had a
  name shorter than the requested one

MD5 (sleuthkit-1.61.tar.gz) = cd6783f8d9a109ffe839912674e2f3cf

What is new in Autopsy 1.71:

Autopsy had user interface improvements and added support for new features in The Sleuth Kit.

Major New Features:
- 'autopsy' can be started with no arguments (port 9999 and localhost
  are assumed)
- The path of a directory or file can be entered instead of having to
  click through directories (suggested by William Salusky)
- The path in each directory listing now contains hyper links that can
  be used to quickly return to previous directories
- To add a passwd and group file to a timeline, only the image needs to
  be specified (Autopsy will find the inode values)
- When adding images, Autopsy will copy or create symlinks to the
  Evidence Locker instead of forcing the user to
- Added option to extract all graphic images and generate a page of
  thumbnails
- The new 'summary' page from 'mactime' is used when viewing timelines

Bug Fixes:
- Keyword searching would fail if special characters were not escaped.
  /, ., [, ^, $, ", and - are now escaped
- The path of a strings file could not have a space in it
- The opening of a case was not being logged in the case log

MD5 (autopsy-1.71.tar.gz) = 931b672fabcdb2145ae51e2885e9b685

What is the April issue of The Sleuth Kit Informer on?

The April issue will cover the 'sorter' tool, including how it works and how to write rulesets to customize how it handles file types.

    http://www.sleuthkit.org/informer/

brian

http://www.sleuthkit.org



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Apr 3 20:42:02 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT

