forked from sleuthkit/sleuthkit
NEWS.txt
Numbers refer to SourceForge.net tracker IDs:
http://sourceforge.net/tracker/?group_id=55685
---------------- VERSION 4.1.0 --------------
Core:
- Added YAFFS2 support (patch from viaForensics).
- Added Ext4 support (patch from kfairbanks)
- changed all include paths to be 'tsk' instead of 'tsk3'
-- IMPORTANT FOR ALL DEVELOPERS!
Framework:
- Added Linux and MAC support.
- Added L01 support.
- Added APIs to find files by name, path and extension.
- Removed deprecated TskFile::getAttributes methods.
- moved code around for AutoBuild tool support.
Java Bindings:
- added DerivedFile datamodel support
- added a public method to Content to add ability to close() its tsk handle before the object is gc'd
- added faster skip() and random seek support to ReadContentInputStream
- refactored datamodel by pushing common methods up to AbstractFile
- fixed minor memory leaks
- improved regression testing framework for java bindings datamodel
---------------- VERSION 4.0.2 --------------
Core:
New Features:
- Added fiwalk tool from Simson. Not supported in Visual Studio yet.
Bug Fixes:
- Fixed fcat to work on NTFS files (still doesn't support ADS though).
- Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
- NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
- NTFS code uses sequence number when searching MFT entries for all files.
- Libewf detection code change to support v2 API more reliably (ID: 3596212).
- NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
Framework:
- Added new API to TskImgDB that returns the base name of an image.
- Numerous performance improvements to framework.
- Removed requirement in framework to specify module extension in pipeline configuration file.
- Added blackboard artifacts to represent both operating system and network service user accounts.
Java Bindings:
- added more APIs to find files by name, path and where clause
- added API to get currently processed dir when image is being added,
- added API to return specific types of children of image, volume system, volume, file system.
- moved more common methods up to Content interface
- deprecated context of blackboard attributes,
- deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
- fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
- methods that are lazy loading are now thread safe
- Hash class is now thread-safe
- use more PreparedStatements to improve performance
- changed source level from java 1.6 to 1.7
- Throw exceptions from C++ side better
---------------- VERSION 4.0.1 --------------
New Features:
- Can open raw Windows devices with write mode sharing.
- More DOS partition types are displayed.
- Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
- Added new API to TskImgDB that returns hash value associated with carved files.
- performance improvements with FAT code (maps and dir_add)
- performance improvements with NTFS code (maps)
- added AONLY flag to block_walk
- Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
Bug Fixes:
- Fixed mactime issue where it could choose the wrong timezone that did
not follow daylight savings times.
- Fixed file size of alternate data streams in framework.
- Incorporated memory leak fixes and raw device fixes from ADF Solutions.
---------------- VERSION 4.0.0 --------------
New Features:
- Added multithreaded support
- Added C++ wrapper classes
- Added JNI bindings / Java data model classes
- 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
- 3184429: More consistent printing of unset times (all zeros instead of 1970)
- New database design that allows for multiple images in the same database
- GPT volume system tries other sector sizes if first attempt fails.
- Added hash calculation and lookup to AutoDB and JNI.
- Upgraded SQLite to 3.7.9.
- Added Framework in (windows-only)
- EnCase hash support
- Libewf v2 support (it is now non-beta)
- First file in a raw split or E01 can be specified and the rest of the files
are found.
- mactime displays times as 0 if the time is not set (instead of 1970)
- Changed behavior of 'mactime -y' to use ISO8601 format.
- Updated HFS+ code from ATC-NY.
- FAT orphan file improvements to reduce false positives.
- TskAuto better reports errors.
- Upgrade build projects from Visual Studio 2008 to 2010.
Bug Fixes:
- Relaxed checking when conflict exists between DOS and GPT partitions.
Had a Mac image that was failing to resolve which partition table
to use.
---------------- VERSION 3.2.3 --------------
New Features:
- new TskAuto method (handleNotification()) that gets verbose messages that allow for debugging when the class makes decisions.
- DOS partitions are loaded even if an extended partition fails to load
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method
- Need to only specify first E01 file and the rest are found
- Changed docs license to non-commercial
- Unicode conversion routines fix invalid UTF-16 text during conversion
- Added '-d' to tsk_recover to specify directory to recover
Bug Fixes:
- Added check to fatfs_open to compare first sectors of FAT if we used backup boot sector and verify it is FAT32.
- More checks to make sure that FAT short names are valid ASCII
- 3406523: Mactime size sanity check
- 3393960: hfind reading of Windows input file
- 3316603: Error reading last blocks of RAW CD images
- Fixed bugs in how directories and files were detected in TskAuto
---------------- VERSION 3.2.2 --------------
Bug Fixes
- 3213886: ISO9660 directory hole not advancing
- 3173095 contd: Updated checks so that tougher FAT checks are
applied to deleted directories.
- 3303678: Image type in SQLite DB is now not always 0
- 3303679: Deleted FAT files have more name cleanup in short names
New Features:
- 3213888: RAW CD format
- Auto class accepts TSK_IMG_INFO as argument
- Copies of split image file names are stored in TSK so that the caller can free them before TSK_IMG_INFO is freed.
---------------- VERSION 3.2.1 --------------
Bug Fixes
- 3108272: fls arguments for -d and -u
- 3105539: compile error issues because of SQLite and pthreads
- 3173095: missing FAT files because of invalid dates.
- 3184419: mingw compile errors.
- 3191391: surround file name in quotes in mactime -d csv output
New Features:
- A single dummy entry is added to the SQLite DB if no volume exists
so that all programs can assume that there will be at least one
volume in the table.
- 3184455: allow srcdir != builddir
---------------- VERSION 3.2.0 --------------
Bug Fixes
- 3043092: Minor logic errors with ifind code.
- FAT performance fix when looking for parent directories
in $OrphanFiles.
- 3052302: Crash on NTFS/UFS detection test because of
corrupt data -- tsk_malloc error.
- 3088447: Error adding attribute because of run collision.
Solved by assigning unique IDs.
New Features:
- 3012324: Name mangling moved out of library into outer tools
so that they can see control characters if they want to. Patch
by Anthony Lawrence.
- 2993806: ENUM values have a specified NONE value if you don't
want to specify any special flags. Patch by Anthony Lawrence.
- 3026989: Add -e and -s flags to img_cat. patch by Simson Garfinkel.
- 2941805: Add case sensitive flag to fsstat in HFS. Patch by Rob Joyce.
- 3017764: Changed how default NTFS $DATA attribute was named. Now it
has no name, while it previously had a fake name of "$Data".
- New TskAuto class.
- New tsk_loaddb, tsk_recover, tsk_comparedir, and tsk_gettimes tools.
---------------- VERSION 3.1.3 --------------
Bug Fixes
- 3006733: FAT directory listings were slow because the inner
code was not stopping when it found the parent directory.
- Adjusted sanity / testing code on FAT directory entries to allow
non-ascii in extensions and reject entries with lots of 0s.
- 3023606: Ext2 / ffs corrupted file names.
- Applied NTFS SID fixes from Mandiant.
- ntfs_load_secure() memory leak patch from Michael Cohen
---------------- VERSION 3.1.2 --------------
Bug Fixes
- 2982426: FAT directory listings were slow because the entire
image was being scanned for parent directory information.
- 2982965: fs_attr length bug fix.
- 2988619: mmls -B display error.
- 2988330: ntfs SII cluster size increment bug
- 2991487: Zeroed content in NTFS files that were not fully initialized.
- 2993767: Slow FAT listings of OrphanFiles because hunt for parent
directory resulted in many searches for OrphanFiles. Added cache
of OrphanFiles.
- 2999567: ifind was not stopping after first hit.
- 2993804: read past end of file did not always return -1.
---------------- VERSION 3.1.1 --------------
Bug Fixes
- 2954703: ISO9660 missing files because duplicate files
had same starting block.
- 2954707: ISO9660 missing some files with zero length and
duplicate starting block. Also changed behavior of how
multiple volume descriptors are processed.
- 2955898: Orphan files not found if no deleted file names exist.
- 2955899: NTFS internal setting of USED flag.
- 2972721: Sorter fails with hash lookup if '-l' is given.
- 2941813: Reverse HFS case sensitive flags (internal fix only)
- 2954448: Debian package typo fixes, etc.
- 2975245: sorter ignores realloc entries to reduce misleading mismatch entries and duplicate entries.
---------------- VERSION 3.1.0 --------------
New Features and Changes
- 2206285: HFS+ can now be read. Lots of tracker items about this.
Thanks to Rob Joyce and ATC-NY for many of the patches and reports.
- 2677069: DOS Safety Partitions in GPT Volume Systems are better
detected instead of reporting multiple VSs.
- Windows executables can be built in Visual Studio w/out needing
other image format libraries.
- 2367426: Uninitialized file space is shown if slack space is
requested.
- 2677107 All image formats supported by AFFLIB can be accessed by
specifying the "afflib" type.
- 2206265: sigfind can now process non-raw files.
- 2206331: Indirect block addresses are now available in the library
and command line tools. They are stored in a different attribute.
- Removed 'docs' files and moved them to the wiki.
- Removed disk_stat and disk_sreset because they were out of date
and hdparm now has the same functionality.
- 2874854: Image layer tools now support non-512 byte device sector
sizes. Users can specify sector size using the -b argument to the
command line tools. This has several consequences:
-- 'mmls -b' is now 'mmls -B'. Similarly with istat -b.
-- Changed command line format for '-o' so that sector size is
specified only via -b and not using '-o 62@4096'.
- 2874852: Sanity checking on partition table entries is relaxed
and only first couple of partitions are checked to make sure that
they can fit into the image.
- 2895607: NTFS SID data is available in the library and 'istat'.
- 2206341: AFF encrypted images now give more proper error message
if password is not given.
- 2351426: mactime is now distributed with Windows execs.
Developer-level Changes
- Abstracted name comparison to file system-specific function.
- Added support in mactime to read body files with comment lines.
- 2596153: Changed img_open arguments, similar to getopt().
- 2797169: tsk_fs_make_ls is now supported as an external library
function. Now named tsk_fs_meta_make_ls.
- 2908510: Nanosecond resolution of timestamps is now available.
- 2914255: Version info is now available in .h files in both string
and integer form.
Bug Fixes:
- 2568528: incorrect adjustment of attribute FILLER offset.
- 2596397: Incorrect date sorting in mactime.
- 2708195: Errors when doing long reads in fragmented attributes.
- Fixed typo bugs in sorter (reported via e-mail by Drew Hunt).
- 2734458: added orphan cache map to prevent slow NTFS listing times.
- 2655831: Sorter now knows about the ext2 and ext3 types.
- 2725799: ifind not converting UTF16 names properly on Windows
because it was using endian ordering of file system and not local
system.
- 2662168: warning messages on macs when reading the raw character
device.
- 2778170: incorrect read size on resident attributes.
- 2777633: missing second resolution on FAT creation times.
- Added the READ_SHARE option to the CreateFile command for split
image files. Patch by Christopher Siwy.
- 2786963: NTFS compression infinite loop fix.
- 2645156: FAT / blkls error getting slack because allocsize was
being set too small (and other values were not being reset).
- 2367426: Zeros are set for VDL slack on NTFS files.
- 2796945: Infinite loop in fs_attr.
- 2821031: Missing fls -m fields.
- 2840345: Extended DOS partitions in extended partitions are now
marked as Meta.
- 2848162: Reading attributes at offsets that are on boundary of
run fragment.
- 2824457: Fixed issue reading last block of file system with blkcat.
- 2891285: Fixed issue that prevented reads from the last block of
a file system when using the POSIX-style API.
- 2825690: Fixed issue that prevented blkls -A from working.
- 2901365: Allow FAT files to have a 0 wdate.
- 2900761: Added FAT directory sanity checks to prevent infinite loops.
- 2895607: Fixed various memory leaks.
- 2907248: Fixed image layer cache crash.
- 2905750: all file system read() functions now return -1 when
offset given is past end of file.
---------------- VERSION 3.0.1 --------------
11/11/08: Bug Fix: Fixed crashing bug in ifind on FAT file system.
Bug: 2265927
11/11/08: Bug Fix: Fixed crashing bug in istat on ExtX $OrphanFiles
dir. Bug: 2266104
11/26/08: Update: Updated fls man page.
11/30/08: Update: Removed TODO file and using tracker for bugs and
feature requests.
12/29/08: Bug Fix: Fixed incorrectly setting block status in file_walk
for compressed files (Bug: 2475246)
12/29/08: Bug Fix: removed fs_info field from FS_META because it
was not being set and should have been removed in 3.0. Reported by
Rob Joyce and Judson Powers.
12/29/08: Bug Fix: orphan files and NTFS files found via parent
directory have an unknown file name type (instead of being equal
to meta type). (Bug: 2389901). Reported by Barry Grundy.
1/12/09: Bug Fix: Fixed ISO9660 bug where large directory contents
were not displayed. (Bug: 2503552). Reported by Tom Black.
1/24/09: Bug Fix: Fixed bug 2534449 where extra NTFS files were
shown if the MFT address was changed to 0 because fs_dir_add was
checking the address and name. Reported by Andy Bontoft.
1/29/09: Update: Fixed fix for bug 2534449. The fix is in ifind
instead of fs_dir_add().
2/2/09: Update: Added RPM spec file from Morgan Weetmam.
---------------- VERSION 3.0.0 --------------
0/00/00: Update: Many, many, many API changes.
2/14/08: Update: Added mmcat tool.
2/26/08: Update: Added flags to mmls to specify partition types.
3/1/08: Update: Major update of man pages.
4/14/08: Bug Fix: Fixed the calculation of "actual" last block.
Off by 1 error. Reported by steve.
5/23/08: Bug Fix: Incorrect malloc return check in srch_strings.
reported by Petri Latvala.
5/29/08: Bug Fix: Fixed endian ordering bug in ISO9660 code. Reported
by Eduardo Aguiar de Oliveira.
6/17/08: Update: 'sorter' now uses the ifind method for finding
deleted NTFS files (like Autopsy does) instead of relying on fls.
Reported by John Lehr.
6/17/08: Update: 'ifind -p' reports data on ADS.
7/10/08: Update: FAT looks for a backup boot sector in FAT32 if
magic is 0
7/21/08: Bug Fix: Changed define of strcasecmp to _stricmp instead
of _strnicmp in Windows. (reported by Darren Bilby).
7/21/08: Bug Fix: Fall back to open "\\.\" image files on Windows
with SHARE_WRITE access so that drive devices can be opened.
(reported by Darren Bilby).
8/20/08: Bug Fix: Look for Windows objects when opening files in
Cygwin, not just Win32. Reported by Par Osterberg Medina.
8/21/08: Update: Renamed library and install header files to have a '3'
in them to allow parallel installations of v2 and v3. Suggested by
Simson Garfinkel.
8/22/08: Update: Added -b option to sorter to specify minimum file size
to process. Suggested by Jeff Kell.
8/22/08: Update: Added libewf as a requirement to build win32 so that
E01 files are supported.
8/29/08: Update: Added initial mingw patches for cross compiling and
Windows. Patches by Michael Cohen.
9/X/08: Update: Added ability to access attributes
9/6/08: Update: Added image layer cache.
9/12/08: Bug Fix: Fixed crash from incorrectly cleared value in FS_DIR
structure. Reported and patched by Jason Miller.
9/13/08: Update: Changed d* tool names to blk*.
9/17/08: Update: Finished mingw support so that both tools and
library work with Unicode file name support.
9/22/08: Update: Added new HFS+ code from Judson Powers and Rob Joyce (ATC-NY)
9/24/08: Bug Fix: Fixed some cygwin compile errors about types on Cygwin.
Reported by Phil Peacock.
9/25/08: Bug Fix: Added O_BINARY to open() in raw and split because Cygwin
was having problems. Reported by Mark Stam.
10/1/08: Update: Added ifndef to TSK_USE_HFS define to allow people
to define it on the command line. Patch by RB.
---------------- VERSION 2.52 --------------
2/12/08: Bug Fix: Fixed warning messages in mactime about non-Numeric
data. Reported by Pope.
2/19/08: Bug Fix: Added #define to tsk_base_i.h to define
LARGEFILE64_SOURCE based on LARGEFILE_SOURCE for older Linux systems.
2/20/08: Bug Fix: Updated afflib references and code.
3/13/08: Update: Added more fixes to auto* so that AFF will compile
on more systems. I have confirmed that AFFLIB 3.1.3 will run with
OS X 10.4.11.
3/14/08: Bug Fix: Added checks to FAT code that calcs size of
directories. If starting cluster of deleted dir points into a
cluster chain, then problems can occur. Reported by John Ward.
3/19/08: Update: I have verified that this compiles with libewf-20070512.
3/21/08: Bug Fix: Deleted Ext/FFS directories were not being recursed
into. This case was rare (because typically the metadata are
wiped), but possible. Reported by JWalker.
3/24/08: Update: I have verified that this compiles with libewf-20080322.
Updates from Joachim Metz.
3/26/08: Update: Changed some of the header file design for the tools
so that the define settings in tsk_config.h can be used (for large files).
3/28/08: Update: Added config.h reference to srch_strings to get the
LARGEFILE support.
4/5/08: Update: Improved inode argument number parsing function.
---------------- VERSION 2.51 --------------
1/30/08: Bug Fix: Fixed potential infinite loop in fls_lib.c. Patch
by Nathaniel Pierce.
2/7/08: Bug Fix: Defined some of the new constants that are used
in disktools because older Linux distros did not define them.
Reported by Russell Reynolds.
2/7/08: Bug Fix: Modified autoconf to check for large file build
requirements and look for new 48-bit structures needed by disktools.
Both of these were causing problems on older Linux distros.
2/7/08: Update: hfind will normalize hash values in database so
that they are case insensitive.
---------------- VERSION 2.50 --------------
12/19/07: Update: Finished upgrade to autotools building design. No
longer include file, afflib, libewf. Resulted in many source code layout
changes and sorter now searches for md5, sha1, etc.
---------------- VERSION 2.10 --------------
7/12/07: Update: 0s are returned for AFF pages that were not imaged.
7/31/07: Bug Fix: ifind -p could crash if a deleted file name was found
that did not point to a valid meta data structure. (Reported by Andy Bontoft)
8/5/07: Update: Added NSRL support back into sorter.
8/15/07: Update: Errors are given if supplied sector offset is larger than
disk image. Reported by Simson Garfinkel.
8/16/07: Update: Renamed MD5 and SHA1 functions to TSK_MD5_.. and TSK_SHA_....
8/16/07: Update: tsk_error_get() does not reset the error messages.
9/26/07: Bug Fix: Changed FATFS check for valid dentries to consider
second values of 30. Reported by Alessandro Camillo.
10/18/07: Update: inode_walk for NTFS and FAT will not abort if
data corruption is found in one entry -- instead they will just
skip it.
10/18/07: Update: tsk_os.h uses standard gcc system names instead
of TSK specific ones.
10/18/07: Update: Updated raw.c to use ioctl commands on OS X to
get size of raw device because it does not work with SEEK_END.
Patch by Rob Joyce.
10/31/07: Update: Finished upgrade to fatfs_file_walk_off so that
walking can start at a specific offset. Also finished upgrade that
caches FAT run list to make the fatfs_file_walk_off more efficient.
11/14/07: Update: Fixed few places where off_t was being used
instead of OFF_T. Reported by GiHan Kim.
11/14/07: Update: Fixed a memory leak in aff.c to free AFF_INFO.
Reported by GiHan Kim.
11/24/07: Update: Finished review and update of ISO9660 code.
11/26/07: Bug Fix: Fixed 64-bit calculation in HFS+ code. Submitted
by Rob Joyce.
11/29/07: Update: removed linking of srch_strings.c and libtsk. Reported by
kwizart.
11/30/07: Update: Made a #define TSK_USE_HFS compile flag for incorporating
the HFS support (flag is in src/fstools/fs_tools_i.h)
11/30/07: Update: restricted the FAT dentry sanity checks to verify
space padding in the name and latin-only extensions.
12/5/07: Bug Fix: fs_read_file_int had a bug that ignored the type passed
for NTFS files. Reported by Dave Collett.
12/12/07: Update: Changed the FAT dentry sanity checks to allow spaces
in volume labels and do more checking on the attribute flag.
---------------- VERSION 2.09 --------------
4/6/07: Bug Fix: Infinite loop in ext2 and ffs istat code because of using
unsigned size_t variable. Reported by Makoto Shiotsuki.
4/16/07: Bug Fix: Changed use of fseek() to fseeko() in hashtools. Patch
by Andy Bontoft.
4/16/07: Bug Fix: Changed Win32 SetFilePointer to use LARGE_INTEGER.
Reported by Kim GiHan.
4/19/07: Bug Fix: Not all FAT orphan files were being found because of
an offset error.
4/26/07: Bug Fix: ils -O was not working (link value not being
checked). Reported by Christian Perst.
4/27/07: Bug Fix: ils -r was showing UNUSED inodes. Reported by
Christian Perst.
5/10/07: Update: Redefined the USED and UNUSED flags for NTFS so that
UNUSED is set when no attributes exist.
5/16/07: Bug Fix: Fixed several bounds checking bugs that may cause
a crash if the disk image is corrupt. Reported by Tim Newsham (iSec
Partners)
5/17/07: Update: Updated AFFLIB to 2.2.11
5/17/07: Update: Updated libewf to libewf-20070512
5/17/07: Update: Updated file to 4.20
5/29/07: Update: Removed NTFS SID/SDS contributed code because it causes
crashes on some systems and its output is not entirely clear. (most recent bug
reported by Andy Scott)
6/11/07: Update: Updated AFFLIB to 2.2.12.
6/12/07: Bug Fix: ifind -p was not reporting back info on the allocated name
when one existed (because strtok was overwriting the name when the search
continued). Reported by Andy Bontoft.
6/13/07: Update: Updated file to 4.21
---------------- VERSION 2.08 --------------
12/19/06: Bug Fix: ifind_path was not setting *result when root inode
was searched for. patch by David Collett.
12/29/06: Update: Removed 'strncpy' in ntfs.c to manual assignment of
text for '$Data' and 'N/A' for performance reasons.
1/11/07: Update: Added duname to FS_INFO that contains a string of
name for a file system's data unit -- Cluster for example.
1/19/07: Bug Fix: ifind_path was returning an error even after some
files were found. Errors are now ignored if a file was found.
Reported by Michael Cohen.
1/26/07: Bug Fix: Fixed calculation of inode numbers in fatfs.c
(reported by Simson Garfinkel).
2/1/07: Update: Changed aff-install to support symlinked directory.
2/1/07: Update: img_open modified so that it does not report errors for
s3:// and http:// files that do not exist.
2/5/07: Update: updated *_read() return values to look for "<0" instead of
simply "== -1". (suggested by Simson Garfinkel).
2/8/07: Update: removed typedef for uintptr in WIN32 code.
2/13/07: Update: Applied patch from Kim Kulak to update HFS+ code to internal
design changes.
2/16/07: Update: Renamed many of the external data structures and flags
so that they start with TSK_ or tsk_ to prevent name collisions.
2/16/07: Update: Moved MD5 and SHA1 routines and binaries to auxtools
instead of hashtools so that they are more easy to access.
2/16/07: Update: started redesign and port of hashtools.
2/21/07: Update: Changed inode_walk callback API to remove the flags
variable -- this was redundant since flags are also in TSK_FS_INODE.
Same for TSK_FS_DENT.
3/7/07: Bug Fix: fs_read_file failed for NTFS resident files. Reported
by Michael Cohen.
3/8/07: Bug Fix: FATFS assumed a 512-byte sector in a couple of locations.
3/13/07: Update: Finished hashtools update.
3/13/07: Update: dcat reads block by block instead of all at once.
3/23/07: Update: Change ntfs_load_secure to allocate all of its
needed memory at once instead of doing reallocs.
3/23/07: Update: Updated AFFLIB to 2.2.0
3/24/07: Bug Fix: Fixed many locations where return value from strtoull
was not being properly checked and therefore invalid numbers were not
being detected.
3/24/07: Bug Fix: A couple of error messages in ntfs_file_walk should
have been converted to _RECOVER when the _RECOVERY flag was given.
3/24/07: Update: Changed behavior of ntfs_file_walk. If no type is
given, then a default type is chosen for files and dirs. Now, no error
is generated if that type does not exist -- similar to how no error is
generated if a FAT file has 0 file size.
3/26/07: Update: cleaned up and documented fs_data code more.
3/29/07: Update: Updated AFF to 2.2.2.
3/29/07: Update: Updated install scripts for afflib, libewf, and file to
touch files so that the auto* files are in the correct time stamp order.
4/5/07: Bug Fix: Added sanity checks to offsets and addresses in ExtX and
UFS group descriptors. Reported by Simson Garfinkel.
---------------- VERSION 2.07 --------------
9/6/06: Update: Changed TCHAR and _T to TSK_TCHAR and _TSK_T to avoid
conflicts with other libraries.
9/18/06: Update: Added tsk_list_* functions and structures.
9/18/06: Update: Added checks for recursive FAT directories.
9/20/06: Update: Changed FS_META_* flags for LINK and UNLINK and moved
them to ILS_? flags.
9/20/06: Update: added flags to ils to find only orphan inodes.
9/20/06: Update: Added Orphan support for FAT, NTFS, UFS, Ext2, ISO.
9/20/06: Update: File walk actions now have a flag to identify if a block
is SPARSE or not (used to identify if the address being passed is valid
or made up).
9/21/06: Update: Added file size sanity check to fatfs_is_dentry and
fixed assignment of fatfs->clustcnt.
9/21/06: Update: block_, inode, and dent_walk functions now do more flag
checking and make sure that some things are set instead of making the
calling code do it.
9/21/06: Update: Added checks for recursive (infinite loop) NTFS, UFS,
ExtX, and ISO9660 directories.
9/21/06: Update: Added checks to make sure that walking the FAT for files
and directories would not result in an infinite loop (if FAT is corrupt).
9/21/06: Update: Added -a and -A to dls to specify allocated and
unallocated blocks to display.
9/21/06: Update: Updated AFFLIB to 1.6.31.
9/22/06: Update: added a fs_read_file() function that allows you to read
random parts of a file.
10/10/06: Update: Improved performance of fs_read_file() and added
new FS_FLAG_META_COMP and FS_FLAG_DATA_COMP flags to show if a file
and data are using file system-level compression (NTFS only).
10/18/06: Bug fix: in fs_data_put_run, added a check to see
if the head was null before looking up. An extra error message
was being created for nothing.
10/18/06: Bug Fix: Added a check to the compression buffer
to see if it is null in _done().
10/25/06: Bug Fix: Added some more bounds checks to NTFS uncompression code.
11/3/06: Bug Fix: added check to dcat_lib in case the number of blocks
requested is too large.
11/07/06: Update: Added fs_read_file_noid wrapper around fs_read_file
interface.
11/09/06: Update: Updated AFF to 1.7.1
11/17/06: Update: Updated libewf to 20061008-1
11/17/06: Bug Fix: Fixed attribute lookup bug in fs_data_lookup.
Patch by David Collett.
11/21/06: Bug Fix: Fixed fs_data loops that were stopping when they hit
an unused attribute. Patch by David Collett.
11/21/06: Bug Fix: sorter no longer clears the path when it starts. This
was causing errors on Cygwin because OpenSSL libraries could not be found.
11/22/06: Update: Added a tskGetVersion() function to return the string
of the current version.
11/29/06: Update: Added more tsk_error_resets to more places to prevent
extra error messages from being displayed.
11/30/06: Update: Added Caching to the getFAT function and to fs_read.
12/1/06: Update: Changed TSK_LIST to a reverse sorted list of buckets.
12/5/06: Bug Fix: Fixed FS_DATA_INUSE infinite loop bug.
12/5/06: Bug Fix: Fixed infinite loop bug with NTFS decompression code.
12/5/06: Update: Added NULL check to fs_inode_free (from Michael Cohen).
12/5/06: Update: Updated ifind_path so that an allocated name will be
shown if one exists -- do not exit if we find simply an unallocated
entry with an address of 0. Suggested by David Collett.
12/6/06: Update: Updated file to version 4.18.
12/6/06: Update: Updated libaff to 2.0a10 and changed build process
accordingly.
12/7/06: Update: Added a tsk_error_get() function that returns a string
with the error messages -- can be used instead of tsk_error_print.
12/7/06: Update: fixed some memory leaks in FAT and NTFS code.
12/11/06: Bug Fix: fatfs_open error message code referenced a value that
was in freed memory -- reordered statements.
12/15/06: Update: Include VCProj files in build.
---------------- VERSION 2.06 --------------
8/11/06: Bug Fix: Added back in ASCII/UTF-8 checks to remove control
characters in file names.
8/11/06: Bug Fix: Added support for fast sym links in UFS1
8/11/06: Update: Redesigned the endian support so that getuX takes only
the endian flag so that the Unicode design could be changed as well.
8/11/06: Update: Redesigned the Unicode support so that there is a
tsk_UTF... routine instead of fs_UTF...
8/11/06: Update: Updated GPT to fully convert UTF16 to UTF8.
8/11/06: Update: There is now only one aux_tools header file to include
instead of libauxtools and/or aux_lib, which were nearly identical.
8/16/06: Bug Fix: ntfs_dent_walk could segfault if two consecutive
unallocated entries were found that had an MFT entry address of 0.
Reported by Robert-Jan Mora.
8/16/06: Update: Changed a lot of the header files and reduced them so
that it is easier to use the library and only one header file needs to
be included.
8/21/06: Update: mmtools had char * instead of void * for walk callback
8/22/06: Update: Added fs_load_file function that returns a buffer filled
with the contents of a file.
8/23/06: Update: Upgraded AFFLIB to 1.6.31 and libewf to 20060820-1.
8/25/06: Update: Created printf wrappers so that output is UTF-16 on
Windows and UTF-8 on Unix.
8/25/06: Update: Continued port to Windows by starting to use more
TCHARS and defining needed macros for the Unix side.
8/25/06: Bug Fix: Fixed crash that could occur because of SDS code
in NTFS. (reported by Simson Garfinkel) (BUG: 1546925).
8/25/06: Bug Fix: Fixed crash that could occur because path stack became
corrupt with deep directories or corrupt images. (reported by Simson
Garfinkel) (BUG: 1546926).
8/25/06: Bug Fix: Fixed infinite loop that could occur when trying to
determine size of FAT directory when the FAT has a loop in it. (BUG:
1546929)
8/25/06: Update: Improved FAT checking code to look for '.' and '..'
entries when inode value is replaced during dent_walk.
8/29/06: Update: Finished Win32 port and changes to handle UTF-16 vs
UTF-8 inputs.
8/29/06: Update: Created a parse_inum function to handle parsing inode
addresses from command line.
8/30/06: Update: Made progname a local variable instead of global.
8/31/06: Bug Fix: Fixed a sizeof() error with the memset in fatfs_inode_walk
for the sect_alloc buffer.
8/31/06: Update: if mktime in dos2unixtime returns any negative value,
then the return value is set to 0. Windows and glibc seem to have
different return values.
---------------- VERSION 2.05 --------------
5/15/06: Bug Fix: Fixed a bug in img_cat that could cause it to
go into an infinite loop. (BUG: 1489284)
5/16/06: Update: Fixed printf statements in tsk_error.c that caused
warning messages for some compilers. Reported by Jason DePriest.
5/17/06: Update: created a union of file system-specific file times in
FS_INFO (Patch by Wyatt Banks)
5/22/06: Bug Fix: Updated libewf to 20060520 to fix bug with reported
image size. (BUG: 1489287)
5/22/06: Bug Fix: Updated AFFLIB to 1.6.24 so that TSK could compile in
CYGWIN. (BUG: 1493013)
5/22/06: Update: Fixed some more printf statements that were causing
compile warnings.
5/23/06: Update: Added a file existence check to img_open to make error
message more accurate.
5/23/06: Update: Usage messages had extra "Supported image types message".
5/25/06: Update: Added block / page range to fsstat for raw and swapfs.
6/5/06: Update: fixed some typos in the output messages of sigfind (reported
by Jelle Smet)
6/9/06: Update: Added HFS+ template to sigfind (Patch by Wyatt Banks)
6/9/06: Update: Added ntfs and HFS template to sigfind.
6/19/06: Update: Begin Windows Visual Studio port
6/22/06: Update: Updated a myflags check in ntfs.c (reported by Wyatt Banks)
6/28/06: Update: Incorporated NTFS compression patch from I.D.E.A.L.
6/28/06: Update: Incorporated NTFS SID patch from I.D.E.A.L.
6/28/06: Bug Fix: A segfault could occur with NTFS if no inode was loaded
in the dent_walk code. (Reported by Pope).
7/5/06: Update: Added tsk_error_reset function and updated code to use it.
7/5/06: Update: Added more sanity checks to the DOS partitions code.
7/10/06: Update: Upgraded libewf to version 20060708.
7/10/06: Update: Upgraded AFFLIB to version 1.6.28
7/10/06: Update: added 'list' option to usage message so that file
system, image, volume system types are listed only if '-x list' is given.
Suggested by kenshin.
7/10/06: Update: Compressed NTFS files use the compression unit size
specified in the header.
7/10/06: Update: Added -R flag to icat to suppress recovery warnings and
use this flag in sorter to prevent FAT recovery messages from filling
up screen.
7/10/06: Update: file_walk functions now return FS_ERR_RECOVERY error
codes for most cases if the RECOVERY flag is set -- this allows the
errors to be more easily suppressed.
7/12/06: Update: Removed individual libraries and now make a single
static libtsk.a library.
7/12/06: Update: Cleaned up top-level Makefile. Use '-C' flag (suggested
by kenshin).
7/14/06: Update: Fixed and redesigned some of the new NTFS compression
code. Changed variable names.
7/20/06: Update: Fixed an NTFS compression bug if a sub-block was not
compressed.
7/21/06: Update: Made NTFS compression code thread friendly.
---------------- VERSION 2.04 --------------
12/1/05: Bug Fix: Fixed a bug in the verbose output of img_open
that would crash if no type or offset was given. Reported and
patched by Wyatt Banks.
12/20/05: Bug Fix: An NTFS directory index sanity check used 356
instead of 365 when calculating an upper bound on the times. Reported
by Wyatt Banks.
12/23/05: Bug Fix: Two printf statements in istat for NTFS printed
to stdout instead of a specific file handle. Reported by Wyatt
Banks.
1/22/06: Bug Fix: fsstat, imgstat and dcalc were using a char instead
of int for the return value of getopt, which caused some systems to not
execute the programs. (internal fix and later reported by Bernhard Reiter)
2/23/06: Update: added support for FreeBSD 6.
2/27/06: Bug Fix: Indirect blocks would not be found by ifind with
UFS and Ext2. Reported by Nelson G. Mejias-Diaz. (BUG: 1440075)
3/9/06: Update: Added AFF image file support.
3/14/06: Bug Fix: If the first directory entry of a UFS or ExtX block
was unallocated, then later entries may not be shown. Reported by John
Langezaal. (BUG: 1449655)
4/3/06: Update: Finished the improved error handling. Many internal
changes, not many external changes. error() function no longer used
and instead tsk_err variables and function are used. This makes the
library more powerful.
4/5/06: Update: The byte offset for a volume is now passed to the mm_
and fs_ functions instead of img_open. This allows img_info to be used
for multiple volumes at the same time. This required some mm_ changes.
4/5/06: Update: All TSK libraries are written to the lib directory.
4/6/06: Update: Added FS_FLAG_DATA_RES flag to identify data that are
resident in ntfs_data_walk (suggested by Michael Cohen).
4/6/06: Update: The partition code (media management) now checks that a
partition starts before the end of the image file. There are currently
no checks about the end of the partition though.
4/6/06: Update: The media management code now shows unpartitioned space
as such from the end of the last partition to the end of the image file
(using the image file size). (Suggested by Wyatt Banks).
4/7/06: Update: New version of ISO9660 code from Wyatt Banks and Crucial
Security added and other code updated to allow CDs to be analyzed.
4/7/06: There was a conflict with guessuXX with mmtools and fstools.
Renamed to mm_guessXX and fs_guessXX.
4/10/06: Upgraded AFFLIB to 1.5.6
4/12/06: Added version of libewf and support for it in imgtools
4/13/06: Added new img_cat tool to extract raw data from an image format.
4/24/06: Upgraded AFFLIB to 1.5.12
4/24/06: split and raw check if the image is a directory
4/24/06: Updated libewf to 20060423-1
4/26/06: Updated makedefs to work with SunOS 5.10
5/3/06: Added iso9660 patch from Wyatt Banks so that version number
is not printed with file name.
5/4/06: Updated error checking in icat, istat, fatfs_dent, and ntfs_dent
5/8/06: Updated libewf to 20060505-1 to fix some gcc 2 compile errors.
5/9/06: Updated AFFLIB to 1.6.18
5/11/06: Cleaned up error handling (removed %m and unused legacy code)
5/11/06: Updated AFFLIB to 1.6.23
---------------- VERSION 2.03 --------------
7/26/05: Update: Removed incorrect print_version() statement from
fs_tools.h (reported by Jaime Chang)
7/26/05: Update: Renamed libraries to start with "lib"
7/26/05: Update: Removed the logfp variable for verbose statements
and instead use only stderr.