The Sleuth Kit: History

This page contains a description of the changes for each release (starting with release 3.0.0).

This release has some bug fixes:

See NEWS.txt for more details.

This release has some bug fixes:

See NEWS.txt for more details.

This release has some bug fixes:

See NEWS.txt for more details.

This long overdue release adds new features and has many bug fixes. New features include:

HFS+ support
Supports sectors that are not 512-bytes each (adds '-b' to each of the command line tools)
NTFS SID data is now available
mactime is distributed with windows executables
Better detection of GPT partitions and DOS safety partitions
More AFFLIB formats and better support for encrypted files
Sigfind can process non-raw files
Better support for indirect blocks (adds back features that were lost in 3.0.0)
Many bug fixes.

See NEWS.txt for more details.

This release contains several bug fixes. No new features.

This major release contains many new library and tool features.

Orphan files (deleted files that have a metadata structure, but do not have a parent directory that can be reached from the root directory) are now shown in the $OrphanFiles directory.
The FAT file system MBR and File Allocation Tables are now accessible as files in the root directory.
More deleted files are shown in each directory when using 'fls' (and the corresponding library API). This used to require running 'ifind -p' for each directory and it is now done automatically.
New mmcat tool to output contents of a single volume.
New mmls flags to list only specific volumes.
Backup FAT MBRs are used, if the primary is corrupt.
d* tools (dls, dcat, etc.) are now named blk* (blkls, blkcat, etc.)
New '-b' option in sorter to specify minimum file size.
Added mingw support for cross compiling
New library APIs and docs that do not require a callback design
Minor bug fixes.