Releases: pjrinaldi/wombatforensics
Wombat Forensics v0.4
A new release is finally out. Some new features have been added and some features are no longer available.
HFS/HFS+ and APFS support has been removed. After having issues interacting with the tsk library, I decided to back out of using the tsk library and implement file system parsing myself. As such I implemented FAT12/16/32, initial NTFS, ext2/3/4, and exFAT. Bugs will probably exist, but they are in a state which is good enough to test out and definitely good enough for a v0.4 release.
I also wasn't happy with the fuse code and using fuse to mount E01/AFF/etc. as a raw virtual image and then processing the raw image, so I wrote my own ForImg QIODevice which handles the image calls using libewf and afflib.
So while it doesn't look like much new was implemented, a bunch of reworking on the backend occurred, which will be more functional at the end of the day as I move forward.
Some new features with this release:
- Registry Viewer
- file system detection for HFS, HFS+, APFS, XFS, Btrfs, BitLocker, BFS, F2FS, ZFS, ReFS, EROFS, bcachefs, ISO9660, and UDF
- Ability to add a regular file to a case and simply view it in hex (and in a viewer, if one is available for it), so it functions as a hex viewer
- Hash migration from MD5 to BLAKE3
- Initial implementation of a hash list comparison feature. You can create lists and import lists, but can't run the lists against selected/checked/all files yet.
- Creating a forensic image (currently disabled). Work needs to be done on notification of the creation process to the user.
- Verifying a forensic image (currently disabled). Work needs to be done on notification to the user as well as improving verification speed.
- Exporting to a logical image (currently disabled). Work needs to be done on notification to the user as well as a more robust logical image format; the current version was a proof of concept which only includes basic file properties to populate the tree and doesn't handle folder hierarchy.
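The release notes above describe both parsing FAT/NTFS/ext/exFAT directly and detecting a longer list of file systems by signature. The following is an added example, not code from the wombatforensics project: a minimal signature-based detector of the kind such a feature relies on, using the documented boot-sector and superblock magic values for a subset of the listed formats (NTFS, exFAT, BitLocker, FAT12/16/32, XFS, APFS, HFS/HFS+, ext2/3/4, ISO9660, Btrfs). The `read(offset, length)` callable is an assumption standing in for a ForImg-style device, and the sample volumes are constructed in place.

```python
"""Added example (not the wombatforensics code): detect a file system from
its on-disk signature. Offsets are relative to the start of the volume."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Signature:
    name: str
    offset: int
    magic: bytes


# Documented on-disk signatures. Longer magics come first so a short
# two-byte magic (ext, HFS) cannot shadow a more specific match; the
# ext magic 0xEF53 is stored little-endian at superblock offset 0x38.
SIGNATURES = (
    Signature("Btrfs",     0x10040, b"_BHRfS_M"),
    Signature("NTFS",      0x03,    b"NTFS    "),
    Signature("exFAT",     0x03,    b"EXFAT   "),
    Signature("BitLocker", 0x03,    b"-FVE-FS-"),
    Signature("FAT32",     0x52,    b"FAT32   "),
    Signature("FAT12",     0x36,    b"FAT12   "),
    Signature("FAT16",     0x36,    b"FAT16   "),
    Signature("ISO9660",   0x8001,  b"CD001"),
    Signature("XFS",       0x00,    b"XFSB"),
    Signature("APFS",      0x20,    b"NXSB"),
    Signature("ext2/3/4",  0x438,   b"\x53\xef"),
    Signature("HFS+",      0x400,   b"H+"),
    Signature("HFS",       0x400,   b"BD"),
)


def detect_filesystem(read: Callable[[int, int], bytes]) -> Optional[str]:
    """read(offset, length) -> bytes (assumed interface, e.g. a ForImg-like
    device). Returns the first matching signature name, or None."""
    for sig in SIGNATURES:
        chunk = read(sig.offset, len(sig.magic))
        # A short read (image smaller than the offset) simply fails to match.
        if chunk == sig.magic:
            return sig.name
    return None


def detect_from_bytes(image: bytes) -> Optional[str]:
    """Convenience wrapper for an in-memory image."""
    return detect_filesystem(lambda off, n: image[off:off + n])


def detect_from_file(path: str) -> Optional[str]:
    """Convenience wrapper for a raw image file on disk."""
    with open(path, "rb") as fh:
        def read(off: int, n: int) -> bytes:
            fh.seek(off)
            return fh.read(n)
        return detect_filesystem(read)


def make_sample(name: str, size: int = 0x10100) -> bytes:
    """Constructed sample volume: all zeros except the signature bytes.
    Used only to exercise the detector offline."""
    sig = next(s for s in SIGNATURES if s.name == name)
    buf = bytearray(size)
    buf[sig.offset:sig.offset + len(sig.magic)] = sig.magic
    return bytes(buf)


if __name__ == "__main__":
    for fs in ("NTFS", "FAT32", "ext2/3/4", "Btrfs", "ISO9660"):
        print(fs, "->", detect_from_bytes(make_sample(fs)))
    print("zeros ->", detect_from_bytes(bytes(0x10100)))
```

A signature hit is only a hint: a production parser should go on to validate the header (bytes-per-sector, cluster counts, checksums where the format has them) before trusting the volume, since a deliberately crafted or damaged image can carry a magic value without a usable file system behind it.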
I created a custom forensic image and logical forensic image format. These formats create BLAKE3-hashed forensic images. The forensic image format was for testing the methodology to create a forensic image; then I moved on to the logical forensic image format. This is so I can eventually export files to an open-source logical forensic image format. There are command line tools, in the wombattools repository, which include wombatimager, wombatlogical, wombatinfo, wombatverify, wombatexport, and wombatfuse. Wombatfuse still has an issue I need to address, and wombatlogical is a rudimentary test format that I need to expand upon.
I also created a command line hashing tool (wombathasher repository), which can create hash lists that can be imported into the tool for use once I implement the comparison functionality. This functionality should be implemented by v0.5.
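The notes say hash lists can be created and imported but not yet run against files. As an added example (not wombathasher's or wombatforensics' own code), here is the import-and-compare step in full: a hash list is parsed, each file is hashed with the algorithm the list declares, and matches are reported. The list format (`# algo:` header followed by `digest  label` lines) is an assumption made for this example, as is the file set; BLAKE3, which the page says is now the default, is supported through the third-party `blake3` package if installed, while the sample below uses SHA-256 so it runs with the standard library alone.

```python
"""Added example (not the wombatforensics/wombathasher code): parse a hash
list and compare a set of files against it."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. 'blake3' needs the third-party blake3 package
    (assumption: pip install blake3); other names go through hashlib."""
    if algo == "blake3":
        import blake3
        return blake3.blake3(data).hexdigest()
    return hashlib.new(algo, data).hexdigest()


def parse_hash_list(text: str) -> Tuple[str, Dict[str, str]]:
    """Assumed list format: '# algo: NAME' header, then 'hexdigest  label'
    per line. Digests are normalised to lowercase; malformed lines raise."""
    algo = None
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip().lower() == "algo":
                algo = value.strip().lower()
            continue
        digest, _, label = line.partition(" ")
        digest = digest.lower()
        if not digest or len(digest) % 2 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed digest {digest!r}")
        entries[digest] = label.strip()
    if algo is None:
        raise ValueError("hash list has no '# algo:' header")
    return algo, entries


def compare_files(files: Iterable[Tuple[str, bytes]], hash_list: str) -> List[Tuple[str, str, str]]:
    """Hash every (path, content) pair with the list's algorithm and return
    (path, digest, label) for each one present in the list."""
    algo, known = parse_hash_list(hash_list)
    hits: List[Tuple[str, str, str]] = []
    for path, data in files:
        digest = hash_bytes(data, algo)
        if digest in known:
            hits.append((path, digest, known[digest]))
    return hits


# Constructed sample list and files (not real case data). The digest is
# SHA-256 of b"hello world\n".
SAMPLE_LIST = """\
# algo: sha256
# constructed example list
A948904F2F0F479B8F8197694B30184B0D2ED1C1CD2A1EC0FB85D299A192A447  known-file-1
"""

SAMPLE_FILES = [
    ("evidence/a.txt", b"hello world\n"),
    ("evidence/b.txt", b"nothing to see here\n"),
]


if __name__ == "__main__":
    for path, digest, label in compare_files(SAMPLE_FILES, SAMPLE_LIST):
        print(f"{path}: {digest} matches {label}")
```

Keeping the algorithm in the list header rather than guessing it from digest length matters once a case mixes MD5-era lists with BLAKE3 ones: a list hashed with one algorithm silently produces zero matches against files hashed with another, which looks like "no known files" rather than an error.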
Wombat Forensics v0.3
Happy to announce the v0.3 release. Some new features include:
- HFS/HFS+ support
- basic unencrypted APFS support
- carving framework implementation including semi smart carving for JPG, MPG1/2, GIF, PNG, and PDF
- Basic PDF Viewer
- Recycle Bin INFO2 $I parser/viewer
- $I30 Index Root parser/viewer
- Prefetch parser/viewer
- LNK file parser/viewer
- ZIP file extraction and parsing/viewer
- byte converter for 8, 16, 32, 64 bit, windows 64 bit datetime, unix timestamp
- bug fixes
WombatForensics v0.2
- Added the ability to create tags and tag files for reporting.
- Added video thumbnailing.
- Added a preview report feature which allows you to preview the report, based on tags, as you create it.
- Added manual carving from hex to either a file (export) or to a tag (add to report).
- Added the ability to publish a report (html).
- Added the ability to set the preferred timezone for the published report in the settings.
- Added the ability to set the publish report directory in the settings.
- Added the ability to search within displayed hex/ascii.
- Added the ability to jump to offsets within hex display.
- Added a rotating dig status message which shows, for each dig type, the number dug out of the total, as well as the overall total.
- Added a wait cursor where the GUI may hang during larger GUI operations.
- Fixed numerous bugs, improved hex highlighting performance and graphics thumbnailing.
- Reworked the underlying case file storage structure.
WombatForensics v0.1
Initial release of wombatforensics. It currently allows for creating new cases, opening existing cases, adding evidence to a case, removing evidence from a case, as well as the initial processing and then also thumbnailing and hashing with either MD5, SHA1, or SHA256.