This page contains a description of the changes for each release of The Sleuth Kit ® (starting with release 3.0.0).
Newer Releases
Use the Github pages to determine what changed in each release.
Older Releases
4.8.0 (Jan 24, 2020)
C/C++
- Pool layer was added to support APFS. NOTE: API is likely to change.
- Limited APFS support added in libtsk and some of the command line tools.
- Encryption support is not complete.
- Blackbag Technologies submitted the initial PR. Basis Technology
did some minor refactoring.
- Refactoring and minor fixes to logical imager
- Various bug fixes from Google fuzzing efforts and Jonathan B from Afarsec
- Fixed infinite NTFS loop from cyclical attribute lists. Reported by X.
- File system bug fixes from uckelman-sf on github
Database:
- DB schema was updated to support pools
- Added concept of JSON in Blackboard Attributes
- Schema supports cascading deletes to enable data source deletion
Java:
- Added Pool class and associated infrastructure
- Added methods to support deleting data sources from database
- Removed JavaFX as a dependency by refactoring the recently
introduced timeline filtering classes.
- Added attachment support to the blackboard helper package.
4.7.0 (Oct 14, 2019)
See NEWS.txt for more details.
C/C++:
- DB schema was expanded to store tsk_events and related tables.
Time-based data is automatically added when files and artifacts are
created. Used by Autopsy timeline.
- Logical Imager can save files as individual files instead of in
VHD (saves space).
- Removed PRIuOFF and other macros that caused problems with
signed/unsigned printing. For example, TSK_OFF_T is a signed value
and PRIuOFF would cause problems as it printed a negative number
as a big positive number.
Java
4.6.6 (Apr 26, 2019)
See NEWS.txt for more details.
C/C++ Code:
- Acquisition deteails are set in DB for E01 files
- Fix NTFS decompression issue (from Joe Sylve)
- Image reading fix when cache fails (Joe Sylve)
- Fix HFS+ issue with large catalog files (Joe Sylve)
- Fix free memory issue in srch_strings (Derrick Karpo)
Java:
- Fix so that local files can be relative
- More Blackboard artifacts and attributes for web data
- Added methods to CaseDbManager to enable checking for and modifying tables.
- APIs to get and set acquisition details
- Added methods to add volume and file systems to database
- Added method to add LayoutFile for allocated files
- Changed handling of JNI handles to better support multiple cases
4.6.5 (Jan 15, 2019)
See NEWS.txt for more details.
C/C++ Code:
Java Code:
- New artifacts and attributes defined
- Fixed bug in SleuthkitCase.getContentById() for data sources
- Fixed bug in LayoutFile.read() that could allow reading past end of file
Case Database Schema
- New fields for hash values and acquisition details in case database
- Store "created schema version" in case database
4.6.4 (Nov 9, 2018)
See NEWS.txt for more details.
Java Code:
- Increase max statements in database to prevent errors under load
- Have a max timeout for SQLite retries
NOTE: There were no C/C++ command line / library changes. Only changes to support the Autopsy 4.9.1 release.
4.6.3 (Oct 14, 2018)
See NEWS.txt for more details.
C/C++ Code:
- Hashdb bug fixes for corrupt indexes and 0 hashes
- New code for testing power of number in ExtX code
Java Code:
- New class that allows generic database access
- New methods that check for duplicate artifacts
- Added caches for frequently used content
Database Schema:
- Added Examiner table
- Tags are now associated with Examiners
- Changed parent_path for logical files to be consistent with FS files.
4.6.2 (Aug 8, 2018)
See NEWS.txt for more details.
C/C++ Code:
- Various compiler warning fixes
- Added small delay into image writer to not starve other threads
Java:
- Added more locking to ensure that handles were not closed while other threads were using them.
- Added APIs to support more queries by data source
- Added memory-based caching when detecting if an object has children or not.
4.6.1 (May 8, 2018)
See NEWS.txt for more details.
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- Cleanup and fixes from uckelman-sf and others
- PostgreSQL, libvhdi, & libvmdk are supported for Linux / OS X
- Fixed display of NTFS GUID in istat - report from Eric Zimmerman.
- NTFS istat shows details about all FILE_NAME attributes, not just the first. report from Eric Zimmerman.
- Reports can be URLs
- Reports are Content
- Added APIs for graph view of communications
- JNI library is extracted to name with user name in it to avoid conflicts
- Database Version upgraded from to 8.0 because Reports are now Content
4.6.0 (Feb 21, 2018)
See NEWS.txt for more details.
- New Communications related Java classes and database tables.
- Java build updates for Autopsy Linux build
- Blackboard artifacts are now Content objects in Java and part of tsk_objects table in database.
- Increased cache sizes.
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- HFS fix from uckelman-sf.
4.5.0 (Oct 15, 2017)
See NEWS.txt for more details.
New Features:
- Support for LZVN compressed HFS files (from Joel Uckelman)
- Use sector size from E01 (helps with 4k sector sizes)
- More specific version number of DB schema
- New Local Directory type in DB to differentiate with Virtual Directories
- All blackboard artifacts in DB are now 'content'. Attachments can now be children of their parent message.
- Added extension as a column in tsk_files table.
Bug Fixes:
- Faster resolving of HFS hard links
- Lots of fixes from Google Fuzzing efforts.
4.4.2 (Aug 7, 2017)
See NEWS.txt for more details.
- usnjls tool for NTFS USN log (from noxdafox)
- Added index to mime type column in DB
- Use local SQLite3 if it exists (from uckelman-sf)
- Blackboard Artifacts have a shortDescription metho
- Fix for highest HFS+ inum lookup (from uckelman-sf)
- Fix ISO9660 crash
- various performance fixes and added thread safety checks
4.4.1 (May 30, 2017)
See NEWS.txt for more details.
- Can create a sparse VHD file when reading a local drive with new
IMAGE_WRITER structure. Currently being used by Autopsy.
- Lots of cleanup and fixes. Including memory leaks, unicode cleanup, missing NTFS files (in rare cases), really long folder structures and database inserts
4.4.0 (Jan 18, 2017)
See NEWS.txt for more details.
- Compiling in Windows now uses Visual Studio 2015
- tsk_loaddb now adds new files for slack space and JNI was upgraded accordingly.
- Java API updates
4.3.1 (Oct 25, 2016)
See NEWS.txt for more details.
- NTFS works on 4k sectors
- Added support in Java to store local files in encoded form (XORed)
- Added Java Account object into datamodel
- Added notion of a review status to blackboard artifacts
- Upgraded version of PostgreSQL
- Various minor bug fixes
4.3.0 (July 19, 2016)
See NEWS.txt for more details.
- PostgreSQL support (Windows only)
- New Release_ NoLibs Visual Studio target
- Support for virtual machine formats via libvmdk and libvhdi (Windows only)
- Schema updates (data sources table, mime type, attributes store type)
- tsk_img_open can take externally created TSK_IMG_INFO
- Various minor bug fixes
4.2.0 (Sep 16, 2015)
See NEWS.txt for more details.
- ExFAT support added
- New database schema
- New Sqlite hash database
- Various bug fixes
- NTFS pays more attention to sequence and loads metadata only
if it matches.
- Added secondary hash database index
4.1.3 (Jan 25, 2014)
See NEWS.txt for more details.
- fixed bug that could crash UFS/ExtX in inode_lookup.
- More bounds checking in ISO9660 code
- Image layer bounds checking
- Update version of SQLITE-JDBC
- changed how java loads navite libraries
- Config file for YAFFS2 spare area
- New method in image layer to return names
- Yaffs2 cleanup.
- Escape all strings in SQLite database
- SQlite code uses NTTFS sequence number to match parent IDs
4.1.2 (Sep 25, 2013)
See NEWS.txt for more details.
- fiwalk now compiles on linux! Sorry about that.
4.1.1 (Sep 24, 2013)
See NEWS.txt for more details.
- FILE_NAME times in timelines
- Cellebrite disk image auto-detect
- 64-bit windows targets
- Fixed bug with Sqlite code not using NTFS Sequence
- Jar files have native libraries in them
4.1.0 (Jun 17, 2013)
See NEWS.txt for more details.
New Features in Core:
- Added YAFFS2 support (patch from viaForensics).
- Added Ext4 support (patch from kfairbanks)
Framework:
- Added Linux and MAC support.
- Added L01 support.
- Added APIs to find files by name, path and extension.
- Removed deprecated TskFile::getAttributes methods.
- moved code around for AutoBuild tool support.
Java Bindings:
- added DerivedFile datamodel support
- added a public method to Content to add ability to close() its tsk handle before the object is gc'd
- added faster skip() and random seek support to ReadContentInputStream
- refactored datamodel by pushing common methods up to AbstractFile
- fixed minor memory leaks
- improved regression testing framework for java bindings datamodel
4.0.2 (Feb 4, 2013)
New Features in Core:
Bug Fixes in Core:
- Fixed fcat to work on NTFS files (still doesn't support ADS though).
- Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
- NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
- NTFS code uses sequence number when searching MFT entries for all files.
- Libewf detection code change to support v2 API more reliably (ID: 3596212).
- NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
Framework:
- Added new API to TskImgDB that returns the base name of an image.
- Numerous performance improvements to framework.
- Removed requirement in framework to specify module extension in pipeline configuration file.
- Added blackboard artifacts to represent both operating system and network service user accounts.
Java Bindings
- More methods to query files
- Methods to get current directory when being added to DB.
- Modified class structure a bit
- More lazy loading for children / parents.
- Better exception throwing from C++
See NEWS.txt for more details.
4.0.1 (Nov 13, 2012)
Contains minor new features and bug fixes.
New Features:
- More DOS partition types are displayed.
- Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
- performance improvements with FAT code (maps and dir_add)
- performance improvements with NTFS code (maps)
- added AONLY flag to block_walk
- Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
Bug Fixes:
- Fixed mactime issue where it could choose the wrong timezone that did
not follow daylight savings times.
- Fixed file size of alternate data streams in framework.
- Incorporated memory leak fixes and raw device fixes from ADF Solutions.
See NEWS.txt for more details.
4.0.0 (Oct 2, 2012)
This is the first non-beta release of 4.0, which added the framework and lots of other bug fixes and features. See the history notes for the beta release below for the full list of new things since 3.2.3. New things in this release from the beta include:
- Better FAT orphan file hunting and loop detection.
- Better error reporting in TskAuto
- Updated HFS+ code from ATC-NY
- New mactime -y argument to use ISO8601 format
- Framework has new EXIF module and minor updates.
- tsk_analyzeimg can do carving with scalplel.
See NEWS.txt for more details.
4.0.0 (beta 1: May 30, 2012)
This release adds the new analysis framework, C++ classes, Java bindings, and other things that make it easier to build end-to-end forensics systems.
- Framework with first set of basic modules (hash calculation, hash lookup, entropy calculation, RegRipper, ZIP file extraction, extraction via name signatures, etc.) -- Windows-only
- Multithreaded support
- C++ wrapper classes
- JNI bindings and data model classes
- All non-set times are displayed as 0 instead of 1970.
- Support for libewf v2
- Only first file in split or E01 needs to be specified.
- EnCase Hashset support in hash tools.
- New table schema for loaddb database that supports more data types (carved, local files, etc.).
- ...
See NEWS.txt for more details.
3.2.3 (Oct 7, 2011)
This release has some minor bug fixes and features. New features include:
- Only need to specify first E01 file in a set of files
- Added -d option to tsk_recover
- DOS partitions are loaded even if an extended partition fails
Bug fixes include:
- Cleanup of corrupt orphan FAT names
- RAW CD Support
See NEWS.txt for more details.
3.2.2 (June 10, 2011)
This release has some minor bug fixes. New features include:
Bug fixes include:
- ISO9660 directory processing
- FAT deleted file detection
- FAT deleted name cleanup
See NEWS.txt for more details.
3.2.1 (Feb 27, 2011)
This release has some minor bug fixes. New features include:
- SQLite DB contains a dummy entry if there is no volume system.
- The build directory can be different from the source directory when building on Unix.
Bug fixes include:
- fls arguments
- Compile errors with pthreads on some Linux systems
- Different FAT directory entry checking
- mingw compile errors
- mactime CSV output surrounds file name in quotes
See NEWS.txt for more details.
3.2.0 (Oct 28, 2010)
This release has new features and bug fixes. Thanks to Anthony Lawrence for help with the new features. New features include:
- New tsk_recover tool that extracts files from an image to a local directory.
- New tsk_loaddb tool that dumps file system metadata to SQLite database.
- New tsk_getimes tool that collects MAC time data on all file systems (equivalent to fls -m on a series of volumes)
- New tsk_comparedir tool that compares a directory to an image to detect rootkits.
- New C++ TskAuto class that makes it easier to create automated tools that analyze all files.
- Name cleanup out of libraries and into tools.
- img_cat -e and -s flags.
- Changed how default NTFS $Data attribute is named.
- HFS+ Case sensitive flag in fsstat.
Bug fixes include:
- FAT performance
- Crash fix for corrupt NTFS file
- Adding attribute runs on fragmented files with multiple attributes of the same type.
See NEWS.txt for more details.
3.1.3 (July 2, 2010)
This release has some bug fixes:
See NEWS.txt for more details.
3.1.2 (May 23, 2010)
This release has some bug fixes:
- FAT performance
- Reading errors
- ifind not stopping
- mmls -B display error
See NEWS.txt for more details.
3.1.1 (Mar 31, 2010)
This release has some bug fixes:
- ISO9660 fixes
- sorter fixes
See NEWS.txt for more details.
3.1.0 (Jan 13, 2010)
This long overdue release adds new features and has many bug fixes. New features include:
- HFS+ support
- Supports sectors that are not 512-bytes each (adds '-b' to each of the command line tools)
- NTFS SID data is now available
- mactime is distributed with windows executables
- Better detection of GPT partitions and DOS safety partitions
- More AFFLIB formats and better support for encrypted files
- Sigfind can process non-raw files
- Better support for indirect blocks (adds back features that were lost in 3.0.0)
- Many bug fixes.
See NEWS.txt for more details.
3.0.1 (Feb 2, 2009)
This release contains several bug fixes. No new features.
3.0.0 (Oct 19, 2008)
This major release contains many new library and tool features.
- Orphan files (deleted files that have a metadata structure, but do not have a parent directory that can be reached from the root directory) are now shown in the $OrphanFiles directory.
- The FAT file system MBR and File Allocation Tables are now accessible as files in the root directory.
- More deleted files are shown in each directory when using 'fls' (and the corresponding library API). This used to require running 'ifind -p' for each directory and it is now done automatically.
- New mmcat tool to output contents of a single volume.
- New mmls flags to list only specific volumes.
- Backup FAT MBRs are used, if the primary is corrupt.
- d* tools (dls, dcat, etc.) are now named blk* (blkls, blkcat, etc.)
- New '-b' option in sorter to specify minimum file size.
- Added mingw support for cross compiling
- New library APIs and docs that do not require a callback design
- Minor bug fixes.