Friday, December 28, 2012

Elcomsoft has a new release

ElcomSoft Distributed Password Recovery 2.99.351 has been released.

To learn more visit www.Elcomsoft.com

~Hew

Passware has a new version

Passware Forensic 12.1 has been released.

To read more about Passware Forensic visit www.LostPassword.com

For purchase and training visit www.H11DFS.com

~Hew

Black Bag has a new version of BlackLight

BlackLight 2012 4.1 has been released.

Some of the new features include:
  • Enhanced Skype Analysis
    • View Skype chat and voice communiations
    • Sort evidence by Skype account name, participant, and other key application artifacts
  • Side-by-side Evidence Analysis
    • Open multiple BlackLight windows to compare evidence
  • More Advanced Filters
  • VMWare virtual machine recognition and data processing!
  • Time Machine (Time Capsule) data import and hard link resolution
  • Comprehensive iOS 6 and OS 10.8.2 support
  • Others
To view more about BlackLight visit www.BlackBagTech.com

~Hew

Micro Systemation has released a new version of XRY

XRY 6.4.2 has been released.

The big change here is Windows 7 64bit support

For more information visit www.MSAB.com

~Hew

Cellebrite has two updates

UFED Touch 1.8.1.0 has been released.

UFED Physical Analyzer 3.6.1 has been released.

These are maintenance updates. 
The UFED Touch update is to resolve the following:
  • UFED Touch unit presented inaccurate start/end date and time of the extraction itself in the UFD/HTML/XML reports generated as apart of the extraction.  
  • Restoration of the UI languages available in the UFED Touch settings
The UFED Physical Analyzer update resolves the following:
  • Ability to export contact pictures with XML and UFDR Reports
  • iPhone decoding improvements of deleted MMS, SMS, and iMessages

For more information please visit www.Cellebrite.com

For purchase and training visit www.H11DFS.com

~Hew

(Also note that the UFED Classic application number was updated to the same "version" of the UFED touch to avoid multiple number schemes.)

Tableau has a new Firmware Update

Tableau Firmware updater 6.98 has been released.

Remember the Firmware Updater is used for most of the Tableau devices.

There is no way to update the updater.  You need to uninstall the updater and install the newer version.

In looking through the list of items updated since the last updater release in April, the following Tableau tools have updates:
  • T3458is Forensic Bridge
  • T34589is Forensic Bridge (UltraBay II)
  • T35689iu Forensic Combo Bridge
  • TD2 Forensic Disk Duplicator 2   v3.26
You may need to reboot following this install.

Fore more information visit www.Tableau.com

For purchase and training visit www.H11DFS.com

~Hew

Access Data has a new version of FTK Imager

FTK Imager 3.1.2 has been released.

This update has improved the detection of handling og corrupt$I30 index allocations.

If you are having trouble using the image mounting function of FTK Imager use the following steps:
  • As an adminsitrator, open a command prompt
    • In Run, type CMD.  Right-click on the command prompt and select run as administrator
  • Type "sc delete cbdisk" without the quotations
  • Type "sc delete cbdisk2" without the quotations
  • Reboot the computer
  • This will update the drivers for Imager
For more information visit www.AccessData.com

FTK Imager is a free tool.  If you are not using it, you should consider looking into it.

~Hew

Guidance Software Releases a new version of EnCase

EnCase 7.05.02 has been released.

Updates include:
  • Enhanced McAfee ePolicy Orchestrator (ePO) Support
  • The SAFE has been updated to version 7d2
  • USGCB Compliance
  • More Encryption Support
The encryption support includes:
  Vendor     Product     Supported Versions     64-bit Support  
  Check Point     Check Point Full Disk Encryption (formerly Pointsec PC)     6.3.1 up to 7.4     Yes  
  CREDANT     Mobile Guardian     5.2.1, 5.3, 5.4.1, 5.4.2, 6.1 through 6.8     No  
  GuardianEdge     Encryption Plus/Anywhere     7 and 8     No  
  GuardianEdge     Hard Disk Encryption     9.2.2, 9.3.0, 9.4.0, 9.5.0, 9.5.1     Yes  
  McAfee     EndPoint Encryption (formerly SafeBoot)     4.5.6 (for Windows and Macintosh computers)     No  
  Microsoft     BitLocker and BitLocker To Go     Vista 7, Server 2008     Yes  
  Sophos     SafeGuard Easy and Enterprise (formerly Utimaco)     4.5, 5.5, 5.6     Yes (only for SafeGuard Easy, not for Enterprise)  
  Symantec     PGP Whole Disk Encryption     9.8, 9.9, 10, 10.1, 10.2     Yes  
  Symantec     Endpoint Encryption     7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 8.0     Yes  
  WinMagic     SecureDoc Full Disk Encryption     4.5, 4.6     No  

For more information please visit www.GuidanceSoftware.com

For training visit www.H11DFS.com

~Hew

Monday, December 10, 2012

X-Ways forensics has some new releases

X-Ways Forensics 16.8 has been released

X-Ways Investigator 16.8 has been released

X-Ways WinHex 16.8 has been released

The X-Ways website doesn't give much in new release update notes, but to read more visit X-Ways.com

~Hew

Magnet Forensics has a new release

Magnet Forensics releases Internet Evidence Finder (IEF) 5.7.1

New features include:
  • Improved un-partitioned space search for mounted images
  • Enhanced support for eMule, Skype, Chatsync, Safari History, and JPG Pictures
  • More
To read more visit MagnetForensics.com

~Hew

Cellebrite has a new release.

Cellebrite has some new releases

UFED Touch 1.8.0.0 Firmware has been released.

UFED Physical Analyzer 3.6 has been released

New support includes:
  • More support for Samsung Galaxy SIII family
  • Android 4.2.x Logical, File System, and Physical support
  • Nokia BB5 Physical extraction from an additional 21 locked and unlocked devices
  • More
To read more visit Cellebrite.com

To purchase visit H11DFS.com

~Hew

Micro Systemation has a new version

XRY 6.4.1 has been released

Quite a bit has been added with this release including but not limited to:
  • MTK Android physical support
  • Blackberry Physical support
  • Nokia BB5 Physical support
  • MTK Chinese chipset Physical support
  • iOS 6 deleted message recovery
  • Windows Phone 7 and 8 Logical File system support
  • More
To read more visit MSAB.com

~Hew


Guidance Software releases a new EnCase 6

EnCase 6.19.7 has been released

It seems the big change is that EnCase 6.19.7 can read the electronic license for EnCase 7.  No need for multiple dongles!

They have also fixed an issue with Outside In when creating a transcript of a fragment of a deleted and overwritten file from unallocated space.

There are also a few know issued when working with Office 2007.  Guidance recommends using Office 2010.

To read more visit GuidanceSoftware.com

To purchase visit H11DFS.com

~Hew

New F-Response Release

F-Response 4.0.5 has been released

Some of the enhancements include:
  • Improved cloud connector
  • Better support for current Linux distributions
  • Support for FreeBSD 64bit
  • Windows 8 Support for all tools
  • 64bit COM objects
  • More
To read more visit F-response.com

To purchase visit H11DFS.com

As a side note, if you have never used F-Response you are missing a potential case saver.

This is one of the tools I recommend every forensic toolkit has.

F-Response makes network acquisitions simple, and effective.  Do yourself and your clients a favor and check these guys out!

~Hew

New Access Data releases.

MPE+ 5.1.2 has been released

DNA / PRTK 7.0 has been released

MPE+ 5.1.2 has the following updates:
  • Enhanced iOS support
  • Addition of 200 MediaTek Chinese phones
  • Enhanced driver support with Galaxy SII and iOS driver access
  • UNIX date conversion within Hex interpreter
  • PLIST files from iOS devices are displayed regardless of extension.
  • More...
DNA / PRTK enhancements include:
  • GPU units can now be used!!
  • This works on Microsoft Windows computers with CUDA-enabled GPUs
    • I'm looking forward to trying it!
To read more release notes please visit www.accessdata.com

For purchase please visit H11DFS.com

~Hew

Monday, November 12, 2012

Magnet Forensics has a new release

Magnet Forensics has a new release of Internet Evidence Finder.

Internet Evidence Finder (IEF) 5.7 has been released!

New features in this release are:
  • Chrome Incognito & Firefox Private Browsing History
  • Carbonite & Google Maps Artifacts
  • Web History Categorization
  • Support for Ex01, Lx01, and L01 images
  • Dates and time are now converted to local or a specified time zone.
  • Picture and Video Analysis, Carving and Parsing
    • EXIF Data
    • Skin Tone & Body Part Detection
  • Others
Remember that JAD Software is now Magnet Forensics, so update your bookmarks!

To read more visit Magnet Forensics

Also Magnet Forensics has Webinar Demonstrations, if you have not checked these guys out, you are potentially missing tons of information!

~Hew

As a side note for any of you curious.  Incognito and Private browsing does leave traces, usually in flash cookies.  I am assuming that is where IEF is parsing this information.  (Maybe other locations as well.)  If so, it is cool that someone is now taking those cookies and parsing them out.

Friday, November 9, 2012

BlackBag Technologies has a new release.

BlackLight 2012 R4 has been released.

New features include:
  • Skype analysis - View Skype chat and voice communications
  • Side-by-side evidence analysis - Open multiple Black Light window instances to simultaneously compare and analyze related evidence
  • Virtual Machine Support
  • Time Machine Support
  • iOS 6 and Mountain Lion (10.8.2) support
  • And More
To read more about BlackLight visit Black Bag

~Hew

Logicube has released new firmware for CellXtract

CellXtract 1.4.0.5 has been released.

Updates include:
  • Support for iOS 6
  • Support for iPhone 5 (No cable has been supplied yet, so users must use an "off the shelf" cable.)
  • Android extractions of email from default and Gmail locations
  • Improved rooting for Android 2.3.5 and 2.3.6
  • Support for Apple iPad and iPhone devices with back-up passwords (user must know tha password and enter it when extracting.)
  • Others
To read more visit Logicube.

For Logicube sales and training visit H-11 Digital Forensics

~Hew

X-Ways has released some updates

X-Ways Forensic, X-Ways Investigator, and WinHex are all on Version 16.7

To read more visit X-Ways

~Hew

Cellebrite has released a new version of Physical Analyzer

Cellebrite has released Physical Analyzer 3.5

In viewing the release notes some of the changes include the following:

  • New decoding of Blackberry Messenger (groups, attachments, and deleted data)
  • Nokia BB5 File system reconstruction and decoding
  • View Android application files
  • Improved TomTom trip-log decryption
  • Export Locations to KML files
  • Export Emails to EML files
  • Embedded Text Viewer
  • Others
To read more visit Cellebrite.

For training or to purchase Cellebrite visit H-11 Digital Forensics

~Hew

Guidance Software has released a new version of EnCase

EnCase 7.05.01 has been released.

The main update is:
  • SMS Checking - Prevents you from running a version of EnCase released after your SMS has expired.
 Fixed issues include:
  • An encryption error with BitLocker, where upon closing and re-opening the Evidence tab the volume was displayed as encrypted.
  • The IsValidCreditCard() string does not accommodate strings with more than 16 characters.
  • An EnServer configured to use NAS (Network Authentication Server) does not accept a HASP dongle configured to run Version 7.
  • After creating a search and selecting "Save Results" EnCase crashes.
  • Others
To read more please visit Guidance Software.

For Sales or Training with EnCase 7 please visit H-11 Digital Forensics.

~Hew

Changes to the blog.

Due to the random nature of release dates.  I will be making updates every Friday.  This will save me some time, and hopefully you as well, as Friday will be "new post day."

This way I can allot a solid block of time to the blog and be more thorough.

Thankyou

~Hew

Thursday, October 25, 2012

Cellebrite has two new updates.

Cellebrite Physical Analyzer 3.3 has been released.
iOS support package 4.2 has been released.

Physical Analyzer 3.3 mainly gives support for iOS 6 on devices that were currently supported by Cellebrite.

 The new iOS package gives support for older versions of iOS.

To read more visit Cellebrite

To be trained with the Cellebrite tool and on cellular technologies in the Forensics environment, visit H-11 Digital Forensics

~Hew

Thursday, October 11, 2012

Cellebrite has some new releases

To start I have added the Cellebrite Touch to the "Current Versions" page.

The Releases are:
Cellebrite Touch Application 1.7.0.0
Cellebrite Classic Application 1.2.2.3
Physical Analyzer 3.2
Logical Analyzer 3.2
Phone Detective 1.1.7

Updates include:
  • iPhone 5 file system support
  • iOS 6 file system extractions (I know this pretty much includes the iPhone 5...)
  • Android 4.1 "Jelly Bean" physical and file system support including, pattern, pin, or passcode lock bypass during physical extraction
  • 550 new logical extractions (remember, this can mean multiple versions of the same phone as "multiple" new devices"
  • 34 new physical extractions
  • 6 new file system extractions
  • 4 new password extractions
  • And more
To read about this check out Cellebrite

For training visit H-11 Digital Forensics

~Hew

Wednesday, October 10, 2012

Passware has released a new version

Passware 12.0 has been released.

To read up on what it can do for you visit Passware

To purchase visit H-11 Digital Forensics 

~Hew


Vound Software has a new version of Intella

Intella 1.6.2 has been released.

The main changes include:
  • Improved the reporting of indexing errors
  • Faster performance and heightened stability
  • An experimental 64 bit version is now available on request.
To learn more visit Vound

To purchase visit H-11 Digital Forensics

~Hew

Katana Forensics has released a new version of Lantern

Lantern 2.4 has been released.

To see/read more visit them Katana Forensics

~Hew

Access Data has released some new versions.

FTK Imager 3.1.1 has been released!
License Manager 3.1.5
Mobile Phone Examiner Plus 5.1
Codemeter Runtime 4.5.0b (both 32 bit and 64 bit)

FTK Imager release notes mention that it now:
  • Supports creating, reading, and verifying E01 files of drives greater than 2 TB
  • When performing a memory capture, you can now include the pagefile and save memory as an AD1
  • A fixed issue with reading exFAT partitions even if there is a slight difference between the sector count of the volume and the partition information.
The release note for Mobile Phone Examiner Plus 5.1 include:
  • A Social Analyzer Spoke Chart that allows you to visually represent multiple contacts on a cluster
  • Performance enhancements
  • Support of DD8 images
  • More support for iOS devices
  • Ability to mount any image as a drive letter
 Fore more information visit Access Data

To purchase or for even more information visit H-11 Digital Forensics 

~Hew

Guidance Software release EnCase 7.05

EnCase 7.05 has been released!
Guidance Software also released EnCase Portable 4.01

For the most part, this update revolves around speeding up processing time within EnCase 7.  The release notes talk about:
  • Faster processing
  • Prioritized processing
  • Ability to embed Hyperlinks in Exported Reports
  • Two new ways to filter
  •   Filter the current table and stay in the same view with all the metadata available
  •   Filter across all pieces of evidence in your case and view the responsive items in the results view.
  • You can now review search hits while EnCase is processing, rather than waiting for EnCase to finish.
  • In the Search and Results Tabs you can now copy files, copy folders, add results to the hash library, and save results!
  • PGP 10.1 and 10.2 support
  • Mac OS 10.6 and OS 10.7 supported
  • Enhancements were made to the Windows Event Log Parser.
  • And more
To see more visit GuidanceSoftware.com

Or to purchase and get trained on EnCase visit H-11 Digital Forensics

~Hew

An Apology

I feel the need to apologize to any of my readers.

I have been traveling for the past few weeks and updating the blog from different areas has been problematic in the past so I avoided doing so.  I promised myself that I would update over the weekends, but that did not happen.

There have been a few updates since my last post so here they are...

Well, in the the next couple posts... ;)

~Hew

Monday, September 17, 2012

Micro Systemation has a new XRY release

Micro Systemation has released XRY Complete 6.3.2

New features include:
  • Bypass of some iOS passcodes
  • Full support for new iOS6
  • RAM disk extraction for iOS devices
  • Logical Support for Samsung Galaxy SIII
  • New Word export funtionality
  • New agent for extracting data from Windows Phone 7
  • New support for extracting information from .sbu backup files
  • Others
To see more visit Micro Systemation.

To learn more about imaging smart phone visit us at H-11 Digital Forensics.

~Hew

Magnet Forensics has a new release

Magnet Forensics (Formerly JAD Software) has released Internet Evidence Finder 5.6.1

New features include:
  • The ability to rebuild web pages as they were viewed by the suspect
  • Recovery from iOS backups
  • Enhanced support for Skype carved messages, Facebook chat, and Gmail and Google Drive
  • Carving for Skype sync chat, ooVoo chat, and Mail.RU chat client
To see more visit Magnet Forensics.

~Hew

Access Data has released a new version of MPE+

Mobile Phone Examiner Plus (MPE+) 5.0 has been released.

New features include:
  • Physical imaging of the Samsung Galaxy II Series
  • Physical imaging of Android 2.5.3
  • New Interface
  • Others
To see more visit Access Data.

To purchase visit us at H-11 Digital Forensics.

~Hew

Guidance Software has released EnCase 6.19.6

This was released to fix some bugs.
  • EnCase stops responding when adding evidence with 4KB sectors
  • Copy/Unerase and Copy Folders were exporting corrupted RMS content
  • New Outside In security update applied
  • Fixes in hashing with the encase.hash sets
To see more visit Guidance Software.

Fore training with EnCase visit us at H-11 Digital Forensics.

~Hew

Thursday, August 23, 2012

Elcomsoft has released a new version of their Phone Password Breaker

Elcomsoft Phone Password Breaker 1.86.1399 has been released.

With each release more devices are supported.

To learn more visit: Elcomsoft

~Hew

F-Response has released a new version.

F-Response 4.0.0.4.1 has been released.

Updates include:
  • F-Response cloud connector now supports Windows Azure Blob Storage
  • Now has improved handling of non-standard mount points in Linux
  • Improved Physical Memory access stability based on further input from the Volatility Project
To learn more visit: F-Response

www.f-response.com

~Hew

Wetstone Tech has released a new Gargoyle Dataset

Gargoyle Dataset July 2012 has been released.

Visit: Wetstone Technologies

~Hew

Vound Software has released a new version of Intella

Intella Version 1.6.1 has been released!

Some of the major highlights include:
  • Indexing of Cellebrite, XRY, and Oxygen cellphone reports
  • New Smart Search Capability
  • New Case Backup Feature
  • Chinese Language Support
  • Resolved an issue of Intella failing to render through remote desktop connections
  • Improvements to negate the impact of virus scanners on Intella's database
  • Dongle Manager has been updated
  • Many more improvements
To read more on the updates visit: Vound-Software

 To purchase Intella visit: H-11 Digital Forensics

~Hew


Black Bag Technologies has released a new version of Black Light

Black Light 2012 R3 has been released.

Some of the updates are:
  • Encrypted iOS Image Support
  • Automated iOS Backup Folder Recovery
  • Network-based (LAN) Licensing
  • and more
To see more about this release visit: Black Bag

~Hew

Cellebrite has released a new UFED Application

Since my last Cellebrite update post UFED Application 1.2.1.1 has been released.

I have not found any documentation concerning this release as of yet.

I will update this post when I know more.

~Hew

X-Ways Forensics has released a new version.

X-Ways Forensic, X-Ways Investigator, and WinHex 16.6 has been released.

To see about the release visit them at: www.x-ways.net

~Hew

Friday, August 3, 2012

Wetstone Technologies has released some new tools

Gargoyle Forensics Pro Edition and G-Flash 5.2.1 has been released.

  • G-Pro command line capability now uses G-Pro's fibonacci hashing
  • -XML command line now gives users the ability to export to XML reports via command line
  • Index column added for reporting for easier identification of specific hits
  • Clarifies the results screen to distinguish between program and category hits
The Fibonacci dataset creator 1.0 is new

The Gargoyle Investigator Enterprise Module 3.2.0 has been released

And the newest dataset for Gargoyle has been released: June 2012

For more information please visit: www.wetstonetech.com

~Hew


Monday, July 30, 2012

Cellebrite has some new releases

Cellebrite has released the following:
Firmware Update 1.2.1.0
Physical Analyzer 3.1
Logical Analyzer 3.1
Phone Detective 1.1.6

Firmware Update:
  • Enhances Logical reporting
  • Replaces report manager
  • Nokia 100 Logical Support
Physical Analyzer Update:
  • Nokia BB5 Physical Extraction
  • More UFED Chinex Support
  • Supports Instant Messaging Attachments
  • Excel reports compatible with Open Office
  • Decoding Improvements
  • Croatian Language Support
Logical Analyzer Update (new):
  • Allows users to perform basic analysis on logical extractions
  • Functionalities include Filters, Watch Lists (manual or automatic), Timelines, Chronological Conversation Viewer, Bookmarking, and more
  • More customizable report creator
36 New Logical Extractions
45 New Physical Extractions
78 New File System Extractions
4 New Password Extractions
  • LG VS-740
  • Samsung SGH-A885
  • Samsung GT-S3600i
  • UniMile PR-600
To see more visit www.cellebrite.com

~Hew

Tuesday, July 24, 2012

F-Response has released a new version

F-Response has announced the new version 4.0.0.4 of their line of tools.

Some of the upgrades include:
  • F-Response cloud connector that allows examiners a read-only connection to Amazon S3, Rackspace Cloud Files, HP Public Cloud, and more
  • Updates to better locate non-standard storage paths
  • Physical memory improvements
  • A new powershell script for automating physical memory imaging
  • And more
To see more of what F-Response offers visit: http://www.f-response.com/

For anyone that hasn't tried F-Response I give it a huge recommendation as a great Forensic Tool for the aid in imaging.

~Hew

Friday, July 6, 2012

Elcomsoft has released a new version of their IM Password Recovery

Elcomsoft IM Password Recover 4.3 has been released.

This is a tool to retrieve login and password information for various instant messengers.

For more information visit www.elcomsoft.com

~Hew

Blackbag has released a new version of BlackLight

Black Light 2012 R2 has been released.

Some of the new features include:
  • Automated iOS Backup Folder Recovery
  • Custom template for Import and Export
  • Video Frame Analysis
  • Network-based License Authorization
  • And others
To read more visit the Black Light release page

~Hew

Wednesday, June 27, 2012

Logicube has released two new updates

The Forensic Dossier version 3.3.3RC13 has been released!
The Forensic Talon Enhanced version 3.3.3RC13 has been released!

Both of these updates now give the Talon Enhanced and the Dossier Spanish Menus.

...Finally!

For more information visit us at: http://h11dfs.com/dossier-forensic-capture-tool.php

or for the Talon Enhanced visit: http://h11dfs.com/talon-e-data-capture.php

You can also visit Logicube at: www.logicube.com

~Hew

JAD Software has released a new version of IEF

JAD Software has released a new version of the Internet Evidence Finder (IEF)

Some of the notable updates:
  • Recover browser history from IE10
  • Recover evidence from Dropbox, Google Docs, Google Drive, SkyDrive, and Flikr
  • Enhancements for Twitter and Facebook
  • Chat now supports Skype 3
  • Improved support for Hotmail and Yahoo
  • Reported faster speeds
  • A new user interface
  • And More
To see more visit: www.jadsoftware.com

~Hew

Tuesday, June 26, 2012

Cellebrite has three new updates.

Cellebrite has released Physical Analyzer 3.0.1
Firmware (Application) 1.2.0.0
Phone Detective 1.1.5

  Some of the releases for this version of Physical Analyzer include:
  • This adds Physical Extraction from locked Nokia BB5 (base band 5) devices
  • Logical Extraction of the Samsung Galaxy S III
  • Improved Parsing of SQLite databases
  • 71 new devices supported for logical dump
  • 47 new devices supported for physical dump
  • 84 new devices supported for file system dump
  • Others
For more information www.cellebrite.com

For training on Cellebrite visit http://h11dfs.com/cellebrite-training-courses.php

~Hew

I have added a new tool (Lightgrep) to the current versions page.

Lightbox Technologies has a tool that I have been told about called Lightgrep.  It has been added to the current versions page of the blog.

Lightgrep is, and I quote, "a Perl-compatible regular expression search engine for forensics that's several times faster than EnCase's keyword search."  It looks to be a promising add-on for EnCase!

I look forward to trying it out!

Check them out at Lightbox Technologies

~Hew

Tuesday, June 19, 2012

Guidance Software releases EnCase 7.04.01

EnCase 7.04.01 has been released!

This release seems primarily to be a bunch of Bug Fixes, some of which are detailed below:
  • Preview of a network node fails when the user has only one connection
  • EnCase crashes shortly after starting a memory acquisition from a remote machine
  • Text and Hex tabs the Go To option is missing
  • Hash calculation of deleted files with a size greater than one cluster on FAT and EXT volumes is incorrect
  • When bookmarking transcript text, text is not displayed in the report, only metadata
  • Others

For more information visit: http://h11dfs.com/encase-forensic-v7.php

www.guidancesoftware.com

~Hew

Elcomsoft has released a few updates

Elcomsoft has released 4 updates for various tools this month.

Elcomsoft Distributed Password Recovery 2.97.311
Advanced PDF Password Recovery 5.5
Elcomsoft Phone Password Breaker 1.84.1350
Elcomsoft Blackberry Backup Explorer 10.01

Fore more information visit: http://elcomsoft.com/download.html

~Hew

Wednesday, June 13, 2012

Friday, June 8, 2012

AccessData releases a new version of FTK

FTK version 4.0.2 has been released.

Some of the changes are as follow:
  • Improved handling of unallocated space on Android EXT4 and YAFFS partitions
  • Ability to back up multiple cases simultaneously
  • Expanded decryption support for YAFFS 1 and 2, and iOS systems
  • Support for the Ex01 Evidence File Format
  • You can now bookmark more than 9,999 items at a time
  • New OCR support with a new engine has been added
  • Others
You can read more at www.accessdata.com

Available at H11 Digital Forensics

Also Access Data has announced that as of October 2012 FTK 1.8x will no longer be available for download.  They will also stop all support for it October 2013.

It was a great tool and had a great run!

~Hew

Wednesday, June 6, 2012

Logicube's CellXtract adds physical capture

Logicube has announced the release of the CellXtract-TNT as well as an upgrade for existing CellXtract units.

CellXtract-TNT will be released next week and will support Chinese knock-off as well as legitimate Chinese phones.

Both CellXtract units will also add Physical extraction for Android devices.

Current Android O/S versions supported are 1.6 - 2.3.4

I look forward to this release!

For more information visit our CellXtract page.

Or visit Logicube

~Hew

Monday, June 4, 2012

Added Elcomsoft Phone Password Breaker to Current Versions

Elcomsoft is one of the leaders in password cracking technologies.

This tool can grant access to the backup files of various phones.

See more at: http://elcomsoft.com/eppb.html

~Hew

X Ways Forensic has released a new version of their tool/s.

X-Ways Forensic 16.5 has been released
X-Ways Investigator 16.5 has been released
Winhex 16.5 has been released.

Visit them at: www.x-ways.net

~Hew

Thursday, May 31, 2012

Cellebrite Announces a new Device

Cellebrite has announced a new device!

The UFED touch.

Take a look - www.cellebrite.com

Aside from a touch screen and a new look it seems to be very similar to its predecessor, with reported faster capture speeds.  I look forward to trying it out!

~Hew

Microsystemation releases a new version of XRY

XRY v6.3 has been released. 

Some of the new features include:
  • New agent for extracting data from Windows Phone 7
  • Support added for Samsung .sbu backup files
  • Keychain password support for iPhones
  • Logical Application decoding for iPhones
  • Motorola iDEN decoding support
  • Improved IPD decoding and BBM extraction for Blackberry
  • Possible to have multiple SQLite viewers open simultaneously
  • Others
For a full list see the download notes available from Micro Systemation

~Hew

Tuesday, May 29, 2012

Blackbag Releases new version of Macquisition

Macquisition 2012 R3 has been released.

New features include:
  • Live disk Imaging
  • E01 image file format support
  • Improved Speeds
  • Optional Hash Processing
www.blackbagtech.com

~Hew

Tuesday, May 15, 2012

JAD Software released a new version of IEF

JAD Software has released a new version of the Internet Evidence Finder (IEF)

IEF v5.4 is out.

Some of the included updates:
  • Support for LinkedIn email added - support for browser cache and carving
  • Support for Trillain chat added
  • Improved support for other chat carving (now supports Yahoo Messenger v11)
  • Stealth mode now removes IEF related prefetch files
  • Auto decompress of gzipped files prior to searching.  This means for artifacts are found
  • Non-License report viewer has been added for ease of sharing findings
  • Large exports to html are now split into multiple files with an easy to use index
  • Exported URLs are now hyperlinked
Check out the Internet Evidence Finder (IEF) at:

www.jadsoftware.com

~Hew

Monday, May 14, 2012

Logicube has another new update.

The CellXtract v1.2.0.15 has been released.

Three things have been announced with this release:
  • Validated support for 21 new phones
  • Improved support for Android Ad-Hoc Rooting
  • Support for Android Location Information
Another step in the right direction for the CellXtract.

www.logicube.com

~Hew

Cellebrite has a new Release

The Cellebrite UFED has two new releases

UFED Application 1.1.9.7
Physical Analyzer 3.0


www.cellebrite.com

~Hew

Thursday, May 10, 2012

Logicube has a couple new releases!

Logicube has released the following:

Talon Enhanced 1.1.1RC22

Forensic Dossier 2.2.1RC22

CellDek 1.22.0.1

The Talon update includes the following:
  • Timestamp for  completion time added in log files for E01 and DD images.
  • Bug Fixes
The Forensic Dossier update includes the following:
  • Timestamp for  completion time added in log files for E01 and DD images.
  • Bug Fixes
For those of you that have been following my blog this was one of my biggest arguments against the Talon and Dossier.  This is an awesome new update for these tools!

The Cell Dek update includes the following:
  • Support for 20 new phones
  • Support for Android Location
  • Improved Android ad-hoc rooting
I am excited for these new updates!

www.logicube.com

~Hew

Guidance Software releases Encase 7.04 and Portable 3.1.2

EnCase 7.04 has been released.

A few of the updates:
New automatic case backup feature has been added.  It allows you to backup all or some of your cases as a scheduled backup.

Enhancement to the "file carver" has been added.  Now the "file carver" automatically checks file headers for file length information to better ascertain the length of the file.  This will hopefully cut down on extra data being carved out for certain files.

It is now a bit easier to create templates for reporting.

EnCase has added iOS 5.0 and 5.1 iPhone and iPad device support.

More password integration with Passware.

others...

EnCase Portable 3.1.2 has also been released.

www.guidancesoftware.com

~Hew

Thursday, May 3, 2012

Wetstone has released a new version of Gargoyle

Gargoyle 5.2 has been released.

Also, if you own Gargoyle remember to log on at least monthly to get the Gargoyle Dataset Updates.

The most recent dataset update was for March of 2012!

www.wetstonetech.com

~Hew

Friday, April 20, 2012

Comparison of Handheld Forensic Duplicators

Let me start by saying that I have been fortunate to have had the ability to try out a number of different duplicators in my career.  For this post I want to show some of the strengths and weaknesses of three of the duplicators that I currently use on a semi-regular basis.

The first I would like to discuss is the Talon Enhanced by Logicube.

The second I would like to discuss is the TD2 by Tableau.

The third and final is the Forensic Dossier also by Logicube.

The Talon Enhanced and the TD2 are very similar machines.  The Forensic Dossier has a few extra capabilities that I will discuss in the Dossier section (coming soon).  I will detail a couple speed tests that I have done with the tools.  I will also list some strengths, weaknesses, and key difference between the tools.

All three tools report roughly the same transfer speeds.  It is my hope to document tests I have personally run using the same Hard Drives in each test.  This will show some differences that you can draw conclusions from yourselves.

The Talon Enhanced
Strengths:
  • Formats Destination FAT32 or NTFS
  • Will create two copies of the source (can copy simultaneously to two destinations)
  • Can act as a write-blocker via USB or eSATA for computer access
  • Stealth mode to hide what the Talon is currently doing
  • Will image to E01 (compressed and non-compressed) or DD (Raw) format.
  • Full QWERTY keyboard for inputting case information 
  • Touch Screen for easy navigation
Weaknesses:
  • (10/May/2012) As of release 1.1.1RC22 the Talon now logs the time of processes! 
  • Larger than the TD2, however with the first destination located inside, the desk space is about the same.
Key Differences from the TD2:
  • Source inputs from the top of the Talon and the Destination/s go inside or to the right.
  • Has NTFS Format Option
  • Allows examiner to plug the Talon into a computer via USB or eSATA and use as a write-blocker.
  • Options to wipe once (1) or DoD wipe which wipes seven (7) times.  TD2 offers one (1) wipe or three (3) wipes  
  • Gives options for compressed E01 and non-compressed E01
Speed Tests:
Source is a Samsung 64GB SSD 830 Series Model: MZ -- 7PC064 with 44.7 GB of data on it
Destination is a WD 500GB HDD Model: WD5000KS wiped previous to each image.

Speed Test 1:
Destination formatted FAT32, E01 option with compression, Hashed
Time to completion:    00:30:50
Size of Image:   44.7 GB

Speed Test 2:
Destination formatted FAT32, E01 option with no compression, Hashed
Time to completion:  00:31:36 (yes it took longer w/o compression)
Size of Image:    59.6 GB

Speed Test 3:
Destination formatted FAT32, DD, Hashed
Time to completion:   00:30:38
Size of Image:    59.6 GB

Speed Test 4:
Destination formatted NTFS, E01 option with compression, Hashed
Time to completion:    00:29:58
Size of Image:    44.7 GB

There are more options available for imaging but I believe that the above four (4) give a reasonable showing of the Talon's capabilities.

TD2
Strengths:
  • Size, The TD2 is smaller than the Talon.
  • Will create two copies of the source (can copy simultaneously to two destinations)
  • Will image to E01 compressed or DD (Raw) format.
  • Logs the time for an image to complete as well as the average speeds.  
  • All Tableau tools are updated using the same update utility.
  • Quick Start.  Allows user to setup a common setup and use it as the first and only option
Weaknesses:
  • Does not Format destinations NTFS.  Tableau has said that an ExFAT option will be released later this year.
  • Only seven buttons that are used with up and down arrows for inputting case information.
  • In my tests the TD2 image time logs were off by about 30 seconds.  It recorded a time 30 seconds faster than the actual time on a 64GB source. 
Key Differences from the Talon Enhanced:
  • Source drive is placed on the left and destination is placed on the right
  • Options to wipe once (1) or three (3) times.  Talon Enhanced and Dossier offer one (1) wipe or DoD wipe which is seven (7) passes.

Speed Tests:
Source is a Samsung 64GB SSD 830 Series Model: MZ -- 7PC064 with 44.7 GB of data on it
Destination is a WD 500GB HDD Model: WD5000KS wiped previous to each image.

Speed Test 1:
Destination formatted FAT32, E01 option with compression, Hashed
Time to completion:   00:31:07
Size of Image:   44.5 GB

Speed Test 2:
Destination formatted FAT32, DD, Hashed
Time to completion:    00:32:35 (yes this is slower than an E01 w/compression)
Size of Image:    59.6 GB

Forensic Dossier:
Coming Soon...

www.h11dfs.com

~Hew

Monday, April 16, 2012

I added X-Ways forensics to the "Current Versions" page

X-Ways has been added to the "current versions" page

I also added Win Hex which can be found on their home page as well.

www.x-ways.net

~Hew

Katana releases a new version of Lantern

Katana has released a new version of Lantern.  Version 2.3

I also added Lantern Lite Imager to the current versions page.

www.katanaforensics.com

~Hew

Access Data releases a new version of the FTK

FTK 4.0.1 has been released.

Quite a bit has been updated with this release.
http://accessdata.com/downloads/current_releases/ftk/FTK_4_0_1_RN.pdf

From the Release notes:
  • You can now obtain metadata from PDFs.  This feature also allows you to extract attachments, but not embedded graphics.
  • Additional Registry data processing
  • New index processing option "Do Not include document metadata in filtered text"
  • Speed for optical character recognition has been improved
  • KFF processing through a Postgres SQL database has been improved
  • Reporting process times for the log file and progress window have been improved
  • When bookmarking index.dat entries, the 'Create Bookmark' dialog now provides an option to include the entry's parent index.dat file in the bookmark
  • Improvement in the exportation of NSF emails into MSG format
  • A new default filter named 'Cerberus Static Analysis' has been added to let you see the files that have had Cerberus Stage 2 Analysis run against them
  • Improved support for finding hidden processed
For more information visit accessdata:
www.accessdata.com

~Hew

Monday, April 9, 2012

Tableau has released a new Firmware Updater

Tableau has released firmware updater 6.90!

Looking in the Firmware Versions section of the updater the only update I see is a new TD2 update.

This takes the TD2 to version 3.15

www.tableau.com

~Hew

Wednesday, April 4, 2012

Guidance Software has released a new version of EnCase

EnCase 7.03.02 has been released.

The primary bug fixes they have listed are the following:
  • HFS+ hard link, Extents Overflow and .rtd files not reading correctly on Apple Macintosh computers
  • Data in HFS+ resource forks not displaying correctly.
  • File Carver using default length instead of footer to carve files.
  • Compound queries with "and" or "or" operators not completing in certain cases.
www.guidancesoftware.com

I will be reading all of the release notes and playing with the new build more this week.  I will post more on version 7.03.02 the beginning of next week.

~Hew

I read up on the the release notes, and there are a few more things to be mentioned.

  • Fixed an issue where acquiring a remote device via the evidence processor always resulted in the same acquisition hash for an Ex01 file
  • Fixed an issued where the Evidence tab "rescan" capability was not working
 ~Hew

Tuesday, March 27, 2012

Katana releases a new version of Lantern

Lantern Version 2.2.3 has been released.

http://katanaforensics.com/

~Hew

Passware Releases a new Version

Passware 11.5 has been released. 

Acceleration using GPU / TACC has been enhanced.

More file types are supported.

For full notes visit: http://www.lostpassword.com/kit-forensic.htm

There is not listing of what is new versus what was present in release 11.3.

~Hew

Friday, March 23, 2012

Wednesday, March 21, 2012

Micro Systemation releases a new version of XRY

Micro Systemation XRY 6.2 has been released!

Things that have been updated/changed
  • Apple iOS - passcode, dumping, and encryption
  • Android - automatic rooting and swipe codes
  • Support for an additional 70 Chinese clones
  • Blackberry - Improved physical support
  • More CDMA and iDEN support
 XRY has been and continued to be a leader in the cell phone forensics industry.  This is another tool I recommend in most arsenals.

www.masb.com

~Hew

Current Versions

Just a reminder. 

The first post in January (the first post of the blog) is a listing of all the tools I have been following, and their current release versions. 

The is an up to date list that I update weekly.

~Hew

mail.h11dfs.com

I added Micro Systemation to the blog.

I have added Micro Systemation (XRY) to the blog.

www.msab.com

~Hew

Monday, March 19, 2012

AccessData releases new PRTK and DNA

Access Data has released a new version of PRTK v.6.6.0

They have also released a new version of DNA v.3.6.0

This release has seen the following updates/changes:
  • Enhanced processing to utilize multiple cores more effectively
  • No longer run as a Windows Service
  • Installation must be done as an Administrator
  • Uses the latest patched version of Java 1.6
  • More efficient on 64bit workers
  • Dictionary Utility can work against passwords that are longer than 64 characters
  • Users can now select multiple dictionaries of a similar name using shift+alt
  • User Interface cleanup in the job properties dialog


New Modules:
  • Cypherus
  • DGCA
  • iPhone
  • TightVNC
New Rules Options:
  •  Leet Speak
  • Case Permutations
  • Tertiary
For a complete list of issues fixed please see the Accessdata Release Notes found:

http://accessdata.com/support/adownloads

~Hew

Friday, March 16, 2012

Updated the Comparrison of Hardware Requirements entry.

Guidance Software sent me the official specifications for EnCase and it has now been updated.

Also I have listed the specs of both computers I have that are running EnCase 7x and FTK 3.

Hope this is interesting.

~Hew

www.h11dfs.com

F-Response Releases New Version

F-Response released version 4.0.0.3 all versions today!

www.f-response.com

Thursday, March 15, 2012

Comparison of Hardware Requirements

This is a list of Hardware Requirements that I have been able to find concerning some of the leading tools.

A number of people have asked me during trainings, what is the hardware requirement of various tools.

I thought it would be nice to make a brief list of the these requirements, it was harder than I thought to find these.

*Please note this is what I have been able to dig up myself (and with help from the vendors now.)  I will not guess on anything (unless otherwise stated) and will only use data that I have found on the vendor websites.
**Guidance Software sent me an official specifications sheet today!  (16-Mar-2012)


EnCase

  EnCase 7 -  I am running it on my computer and am satisfied with the speeds.

Minimum Setup
  •  Dual-core Processor
  • 4 GB RAM
  • First Hard Drive for OS and Software with 300 MB available space
  • Second Hard Drive for cases
  • Windows XP Pro, Server 2003, Server 2008, Vista, 7 (32bit)
  • Gigabit network
Recommended Setup
  • Quad-core Processor (Intel Itanium is not supported)
  • 16 GB RAM
  • First Hard Drive for OS and Software with 300 MB available space (I really like the WD velociraptor for its speed of 10,000 rpm)
  • Second Hard Drive should be a RAID array for I/O speeds and redundancy
  • Windows 7 (64bit)
  • Gigabit network
What I am running it on.  I am satisfied with the speeds.
  • 2.67 GHz Quad-core processor (Intel Q9400)
  • 8 GB of RAM DDR3 PC3-10600
  • Velociraptor 10,000rpm Operating System Drive
  • 1 TB Drive for Cases
  • Windows 7 Professional (64 bit)

  EnCase 7 Processor - Guidance has released the following specifications:
  • CPU Quad-core i7
  • 16 GB of RAM
  • Drive 1: Operating System and Pagefile
  • Drive 2: Evidence
  • Drive 3: Primary Evidence Cache (This drive should be as fast as possible)
  • Windows 7 (64bit) or Windows Server 2k8 R2 (64bit)
  • (Make sure you have a Gigabit network before trying this)

FTK 3 and FTK 4

  Minimum Setup
  • One Computer with
  • Quad-core processor 
  • 2 GB RAM per core.  A Quad-core would have 8 GB RAM
  • First Hard Drive with FTK and 500 MB of free space
  • Second Separate large Hard Drive for the database
  • (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
  • (I have attempted this with FTK 3.0.  It was extremely bogged down.  I would personally recommend a minimum of a dual quad-core with 16 GB of RAM if you are going to run this on a single computer.)
   Recommended Setup
  • Separate Computers (You must have a Gigabit network for this to work properly)
  • First Computer runs FTK
  • Dual Quad-core (8 cores)
  • 2 GB RAM per core.  Dual Quad-core would have 16 GB RAM
  • 5 GB available space for install of FTK
  • (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
  • Second Computer
  • Dual Quad-core (8 cores)
  • 2 GB RAM per core.  Dual Quad-core would have 16 GB RAM
  • Separate HDD RAID 5 or 6 for Database
  • (I have found no recommendation for Windows but with the RAM constraints it must be a 64bit install)
  • Third+ Computer/s can be added as processors
What I am running it on.  Speeds are acceptable, however I would prefer to have the database on a seperate computer.
  • Dual Quad-core Xeon 2.5Ghz
  • 16 GB RAM DDR3
  • First Hard Drive 7200rpm for OS and Software
  • Second Hard Drive RAID 5 for redundancy and I/O speeds.  This is the database drive array.
  • Windows 7 Ultimate (64bit)

 I hope this helps anyone who has been curious.

~Hew

www.h11dfs.com

matt@h11dfs.com

Wednesday, March 14, 2012

Logicube releases a new software update for the Quest 2

Software update 1.08 has been released for the Quest 2.

It appears the only change in this update is the addition of Chinese Language support (both Traditional and Simplified)

www.logicube.com

AccessData releases new License Manager

License Manager 3.1.3.60 has been released.

Access Data also released a new CodeMeter Runtime v. 4.4.0
    Both 32 bit and 64 bit

www.AccessData.com

Monday, March 12, 2012

Guidance Software Releases EnCase 7.03.1 and 6.19.4

Guidance Software has released two new versions of EnCase.

EnCase 7.03.1 fixed a bug in relation to mounting compound files.

EnCase 6.19.4 now allows support of Sophos Safeguard.

www.guidancesoftware.com

~Hew

Thursday, March 8, 2012

EnCase 7.03 Experiences 002

I stated at the end of EnCase 7.03 Experiences 001 that I would go into greater detail a concern about the copy folders / files option.

I currently have a ticket open with Guidance Software concerning the below issue and will update this post when they respond, and share their response.

The issue:

Again, this is an issue that I have noticed with EnCase 7.03

I have tried three different scenarios and have come up with similar results on all of them.  Two are listed below.

The issue is that when exporting folders from EnCase 7.03, EnCase reports that it is going to export more "space" than is on the volume.  I will explain in more depth by walking through my scenarios:

Scenario 1: A small FAT32 Partition from a Windows 7 Machine.

  In the report of the volume the:
    Total Capacity = 39.1 MB
    Total Allocated = 8.9 MB
    Total Unallocated = 30.2 MB

  When I blue check all and export folders the total size displayed is 43.8 MB which is more than the capacity of the volume.  I followed through to see if just the report was in error, and 43.8 MB exported.
  I removed the unallocated sectors (unchecked) and exported the remainder and was shown 13.6 MB which is more than previously reported.
  I tried just the unallocated (only it checked) and was shown 30.2 MB unallocated, which was the previously shown total.

It appears that the allocated area is having an issue.

Scenario 2: A small NTFS Partition from a Windows Vista Machine.

  In the report of the volume the:
    Total Capacity = 14.6 GB
    Total Allocated = 4.4 GB
    Total Unallocated = 10.3 GB

  This one was similar to the previous but even more pronounced... 
  With Export all I had a total size of 35.4 GB, more than twice the partition size.
  With the removal of unallocated it showed 25.1 GB.
  With just unallocated it showed 10.3 GB.

Again it appears the issue is somewhere in the allocated memory.  Is there any reason that this would report such a vast discrepancy?

www.h11dfs.com

~Hew

Update for EnCase 7.03.01

Sadly this hasn't been fixed.  The errors are still the same.

~Hew

**I got an update on this from Guidance.

The discrepancy is caused by a file named $BadClus.Bad

If/when bad clusters are found they are mapped to this file.  The initialized size is 0 so it is safe, and recommended to be skipped.  This file can potentially be as large as the volume so be careful to deselect it when copying out files.

There is a series of posts in the support files of the Guidance Software site discussing this issue.

https://support.guidancesoftware.com/forum/showthread.php?t=36504&highlight=bad+clusters 
 
 ~Hew 

EnCase 7.03 Experiences 001

This is an initial review of EnCase 7.03 as it relates to experiences with 7.02.04.

There are some major positives that I would like to share!

The right-click has returned.  The majority of the functions that were available with a right-click in EnCase 6.x have finally returned, some are listed below...
  • Recover Folders (This is great and I will explain in detail below the list.)*
  • Remove Recovered Folders
  • Bookmark
  • Copy Files / Folders (An issue with this is explained below.)***
  • View File Structure (YAY)
  • Add To Hash Library
  • Hash / Run Signature on Selected (See below for added bonus to this)*
  • Acquire E01 / Ex01
  • Acquire L01
  • Disk View (A Limitation listed below)**
  • Restore
  • Scan Disk Config
  • Share with PDE / VFS
  • Share with Enterprise View
  • Modify Time Zones
  • Send To File Viewers
* Recover Folders / Run Hash Analysis and Signature Analysis on Selected
  • This is independent of the Evidence Processor!
  • This means that you can do it multiple times prior to running the Evidence Processor, and select which volumes to run the recover folders on.
** Disk View
  • If you select disk view from a right-click you will go to the cluster of that file.  Not the Sector.
  • The limitation is that there is no way to un-check the cluster view box and stay where you are located.  Once you un-check cluster view you are taken to the start of the volume.
  • Make sure to document the Physical Sector in the data bar (GPS) so that you can return to the correct Sector!
*** Copy Files Folders
  • Instead of going into full detail here I will create a new post concerning this issue.

www.h11dfs.com

Hew

New Cellebrite Release

Cellebrite has released Firmware update 1.1.9.4

  • This updates their support of Chinese phones
  • This is also an update for more support for logical extractions from Android phones
www.cellebrite.com

With Regards,
Hew

Friday, March 2, 2012

Wetstone has released a new Version of Gargoyle

Gargoyle version 5.1 has been released!

www.wetstonetech.com

Vound Software releases New Intella

Intella 1.5.4 was released on March 01.

Intella is a great tool for email and data investigations.  If you are unfamiliar with them you can download a fully functional time limited trial version.

http://www.vound-software.com/download-request

Whenever I have a case where email is an artifact I use Intella, so give them a try!

Hew

Saturday, February 25, 2012

A momentary lapse of reason in the Current Versions Post...

Sorry for any inconvenience.  An update while in Mexico on a computer running a Spanish OS caused the Current Versions post to break down.  It has now been fixed and updated with the newest releases once again.  

Remember that the first post (Current Versions) is an updated list of the current versions of multiple tools!

Thanks,
Hew

Guidance Software Releases EnCase Portable 3.1.1

EnCase Portable 3.1.1 has been released to work with the new functions of EnCase 7.03

www.guidancesoftware.com

Friday, February 24, 2012

New hash libraries for EnCase 7.03

There has been a new release of the NSRL hash library

The new release is 2.90GB and has a hash of:
  • DEAEDA24413ADC057236A707544A552A

Thursday, February 23, 2012

EnCase 7.03 has been released!

EnCase 7.03 is here!

According to Guidance Software the following changes have been made:
  • There is now an option for a seperate processor dongle.  This will allow an examiner to use a second computer to aid in the processing of cases.  It states that you can queue processes on a seperate machine while you examine already processed evidence.
  • Evidence Processor is 2-3 times as fast.  (I hope so!)
  • Indexing Text in both File Slack and Unallocated Space.
  • System Info in the processor now supports NetShare and USB Registry information.
  • Support for Google Chrome Artifacts has been added!! (Finally!)
  • You can now process from the local view and the network preview.  You no longer need to acquire a case to process it.  Indexing is not supported with this feature yet.
  • A Review package option has been added where you can export search results into an easily opened web browser tool.  (This will hopefully make sharing results a bit simpler.)  An important part of this is that the recipient can review and make tags that can be imported back into EnCase for you to see.
  • The Text and Hex tabs will now show search hits!  You don't have to use the Transcript tab only now!
  • EnCase 7.03 now allows Enterprise functionality involving the SAFE and servlets. 
  • The ability to rescan previewed drives has been added.
  • You now have the ability to view the status of remote devices as they are being acquired.
  • A few default text styles have been added.
  • Support for EXT 4 Linux Software RAID arrays
  • iOS 5 Beta support
Numerous items have been fixed.  Please see the EnCase 7.03 release notes to see everything.  I will mention a few that I have encountered:
  • When acquiring a physical device, only the first logical partition is acquired.
  • The default error granularity for memory acquisitions is 64, causing large sections of memory to be missed in memory acquisitions.  (I'm not sure what it has been changed to.  I will report on this when I see!)
  • Time zone names are not saving and loading correctly.
  • Evidence Processor's file carver module creates multiple identical records.
  • Windows 7 Thumbcache files do not display in Pictures/Doc tabs.  (I am taking this to mean that EnCase 7.03 now supports the thumbcache files.  I will report on this when I have a chance to play with it.)
Things that I have not seen in the release notes:

I have not seen that they allow multiple passes with the source processer. 
I did not see anything about a fix for when EnCase crashes when a partition is rebuilt.

If you have any other questions, please send a post and I will try to answer them over the weekend.

Please check EnCase out at www.guidancesoftware.com

Check me out at www.h11dfs.com

JADSoftware Has released Internet Evidence Finder 5.2

JAD Software has released a new Internet Evidence Finder!

For those of you unaware of this tool, I highly recommend it.  It is great for carving out email, and chat logs from numerous browsers.

The new release notes include:
  • Skype Message Carving from the newer SQLite logs
  • Safari Web History carving has been added.  This is awesome because now IEF carves from, Internet Explorer, Firefox, Chrome, Sfari, and Opera!
  • The new Triage version searches on a low level to avoid changing axxess times of files it has searched.  JAS is also claiming to have the ability to erase any trace of dongle evidence in the System Hive.
I am looking forward to trying this tool out and will report back when I know more!

Check JAD Software out at www.jadsoftware.com

Hew

Tuesday, February 21, 2012

New Cellebrite Release

Cellebrite has released the Application version 1.1.9.3!

This release sees the support of Android 2.3.x for physical extractions.

Unlock Pattern decoding from an Android image file. 

And more.

Check it out at www.cellebrite.com

Friday, February 17, 2012

AccessData FTK 4.0 Release

AccessData has officially relaased their FTK 4.0.

There has also been new releases for both the Oracle and the Postgre KFF

http://accessdata.com/support/adownloads

Tableau Firmware Update

Tableau has released a new firmware updater.

v6.87 has been released.

This update is for models T8, T35e, TDW1, and the TD1.

www.tableau.com

Thursday, February 9, 2012

It has been one month!

I have been online with this Blog for one month now.  It has been a lot more enjoyable than I had hoped.  It gives me an excuse to constantly be reading the new updates and visiting the various vendor's websites.

As a reminder to everyone, the first entry back on 09-Jan-2012 is an up to date list of the current versions of various tools.  As stated in that post, please contact me if there are other tools you want to be on the list.

With regards,
Hew

www.h11dfs.com

Thursday, February 2, 2012

Cellebrite Physical Analyzer New Version

UFED Physical Analyzer 2.4.2.1 has been released.

New release notes:

  • Decoding of blackberry physical extraction
  • Opening and Decoding of iPhone
  • MMS decoding of LG CDMA VM-510 physical extraction
  • SMS decoding of Sanyo 6760 physical extraction

www.cellebrite.com

    Wednesday, February 1, 2012

    Cellebrite Physical Analyzer Success

    Today I had an iPhone 4S (CDMA) that I needed to image.  It was locked and the password was unknown.  Cellebrite Physical Analyzer was able to crack the password, and get a physical dump of the phone in under two (2) hours.

    Physical analyzer is becoming stronger and stronger with each new release.  I am excited to see what new abilities will be available in the near future!

    www.h11dfs.com

    Logicube Updates

    A new Forensic Dossier Software has been released.

    Version 2.2.1RC02

    Chinese Language Packs added
    Logicube also states that other bugs have been fixed.

    A new Talon Enhanced Software has been released

    Version 1.1.1RC02

    Chinese Language Packs added
    Logicube also states that other bugs have been fixed.

    This is a step in the right direction for Logicube.  Finally a foreign language pack has been added to the tool, hopefully with more to soon follow!

    www.logicube.com

    Sunday, January 29, 2012

    Intella New Version

    Intella has released version 1.5.3

    Whats new:

    General
    Date Format setting in the preferences, so you can display the dates in the format of your region
    Solved an issue of the main process not stopping properly when a user exits Intella
    Java heap size of the main and child processes can no be adjusted

    Numerous Index features added as well

    www.vound-software.com

    Thursday, January 26, 2012

    Wetstone has two new releases

    Gargoyle Investigator Forensic Pro Edition Version 5.0

    Stego Suite Version 6.0

    www.wetstonetech.com

    Access Data New License Manager

    License Manager 3.1.3 has been released

    www.accessdata.com

    Cellebrite Release

    Cellebrite has released two new versions of software.

    Physical Analyzer 2.4.1.3 has been released

    Cellebrite Application 1.1.9.2 Firmware Update has been released

    Four (4) new Blackberry devices supported via physical:
    • GSM - 8520 Curve
    • GSM - 8120 Pearl
    • GSM - 8910
    • CDMA - 9650 Bold
    Improvements related to:
    • Blackberry Logical Extractions
    • Blackberry 8900 curve physical extraction
    • Android Physical Extractions
    Physical Analyzer has had the following changes:
    • New Decoding for the following
    1. HTC: ADR6400L, ADR6425, PG41200
    2. Motorola: A953, A956, MB810, MB855, MB870, XT610, XT865
    • UFED Physical Analyzer Improvements to iPhone backups and the decryption and decoding of Blackberry email. 

    www.cellebrite.com

      Wednesday, January 25, 2012

      EnCase 6 New Version

      EnCase 6.19.3 has been released

      Items fixed as of the release:

      Fluctuating CPU speeds with On Demand machines causes values in the Registry to change, which in turn stops the SAFE.

      A user cannot decrypt RMS devices with known good credentials

      The default error granularity (64) for memory acquisitions is too high.  It should be 1.

      CREDANT file decryption intermittently fails to properly process a file, resulting in a hash mismatch.

      www.guidancesoftware.com

      Friday, January 20, 2012

      Cellebrite Blackberry Physical

      It is here.  It works.

      This is not a chip off examination.  The blackberry was not damaged by this imaging!

      I have tried it on one phone so far and intend to keep playing with the tool.  I had a successful physical dump from a blackberry!

      The Cellebrite dumped this into a .bin file that you can look at with any tool that allows you to view hex.  (Physical Analyzer, EnCase, FTK Imager, or any others.)

      www.cellebrite.com

      Thursday, January 19, 2012

      Encase 7 New Version

      Encase 7.02.04 is here.

      Foreign language support is here!

      Items Fixed:

      An Internal error occasionally displays when running Case Analyzer, casing Case Analyzer to not start.

      When using the format DD/MM/YY, EnCase reports a "Date is out of range" error.  This occurs only for European customers.

      www.guidancesoftware.com

      Thursday, January 12, 2012

      Cellebrite Update!

      New Cellebrite Version is out.

      Application 1.1.9.0
      Physical Analyzer 2.4 is also out

      Cellebrite is claiming Blackberry Support.  I will test it this week and report back on it here.

      Thanks for tuning in!

      Remember to keep a copy of the previous versions just in case an error occurs.  This happens with all Forensic tools on occasion and it is better to be safe than sorry.

      www.cellebrite.com

      Monday, January 9, 2012

      Current Versions

      Listed are some of the tools I use and the current versions.  I will update this blog weekly and edit this list as a Master of these tools.  If there are any tools you want added to the list please ask.

      The homepages for the listed tools are linked as well.  For most of the sites you will need to create user accounts to gain access.

      If you want/need to purchase any of these tools visit us at: http://www.h11dfs.com or call us 801-596-2727

      Regards Hew

      Guidance Software
      www.guidancesoftware.com
      EnCase 7.06
      EnCase 6.19.7
      EnCase Portable 4.01

      Access Data
      www.accessdata.com
      FTK 4.2
      FTK 3.4.1
      FTK 1.81.6
      Registry Viewer 1.6.3
      FTK Imager 3.1.2
      FTK Imager Lite 3.1.1
      PRTK 7.0
      DNA 7.0
      PORT 2.0.3
      License Manager 3.1.5
      Mobile Phone Examiner Plus 5.2.1
      MPE+ Investigator 5.2.1

      Paraben
      www.paraben.com
      Device Seizure v6
      P2 Commander v2
      E-mail Examiner v7.1


      X-Ways
      www.x-ways.net
      X-Ways Forensic 16.8
      Investigator 16.8
      Win Hex 16.8

      Lightbox Technologies
      www.lightboxtechnologies.com
      Lightgrep Search 1.01

      Tableau
      www.tableau.com
      Firware Updater 7.01


      Logicube
      www.logicube.com
      Forensic Dossier 3.3.3RC13
      USB/Firewire Cloning 0.27
      Talon Enhanced 3.3.3RC13
      Quest 2 1.08
      Talon (Legacy) 2.57
      CellXtract 1.4.0.5

      Cellebrite
      www.cellebrite.com
      UFED Touch Application: 1.8.5.0
      UFED Classic Application: 1.8.5.0
      Full 1.0.2.9_34
      Tiny 1.0.2.1
      UFED Physical Analyzer 3.6.5
      Phone Detective 1.1.7

      Micro Systemation
      www.msab.com
      XRY 6.5 current


      Black Bag
      www.blackbagtech.com
      MacQuisition 2013 Release 1
      BlackLight 2012 Release 4.1

      Katana Forensics
      http://katanaforensics.com
      Lantern 2.4.1
      Lantern Lite Imager 0.7.2

      Intella
      www.vound-software.com
      Intella 1.6.3

      WetStone
      www.wetstonetech.com
      Gargoyle Forensic Pro 5.2.1
       Latest Gargoyle Data-set is November 2012
      Fibonacci Dataset Creator 1.0
      Gargoyle Investigator Enterprise Module (GEM) 3.2.0
      Stego Hunt 6.0
      Stego Break 6.0
      Stego Analyst 6.0

      SARC
      www.sarc-wv.com
      StegAlyzer

      F-Response
      www.f-response.com
      F-Response Field Kit 4.0.6
      F-Response Consultant 4.0.6
      F-Response Enterprise 4.0.6

      Magnet Forensics (Formerly JAD Software)
      www.magnetforensics.com
      Internet Evidence Finder v5.8.1

      Passware
      www.lostpassword.com
      Passware Kit Forensic 12.3

      Elcomsoft
      www.elcomsoft.com
      Distributed Password Recovery 2.99
      Office Password Recovery 5.11
      Office Password Breaker 3.02
      Phone Password Breaker 1.87

      H-11 Digital Forensics offers training on many of the tools listed above.  If you have questions about any of the tools feel free to email me.  Matt@h11dfs.com

       If you are interested in training check out our training pages:
       www.h11-digital-forensics.com/h11-tap-training.php