Software Update: The Sleuth Kit 4.6.6

The Sleuth Kit is a collection of forensic tools for examining a hard drive in detail, which makes it possible to recover or partially view deleted files. It supports the ntfs, fat, exfat, ufs1, ufs2, ext2fs, ext3fs, ext4, hfs, yaffs2, and iso 9660 file system formats. For more information, please refer to this page. The developers recently released version 4.6.6 with the following changes:

The Sleuth Kit 4.6.6

C/C++ Code:

  • Acquisition details are set in DB for E01 files
  • Fix NTFS decompression issue (from Joe Sylve)
  • Image reading fix when cache fails (Joe Sylve)
  • Fix HFS+ issue with large catalog files (Joe Sylve)
  • Fix free memory issue in srch_strings (Derrick Karpo)

Java:

  • Fix so that local files can be relative
  • More Blackboard artifacts and attributes for web data
  • Added methods to CaseDbManager to enable checking for and modifying tables.
  • APIs to get and set acquisition details
  • Added methods to add volume and file systems to database
  • Added method to add LayoutFile for allocated files
  • Changed handling of JNI handles to better support multiple cases

The Sleuth Kit 4.6.5

C/C++ Code:

  • HFS boundary check fix

Java Code:

  • New artifacts and attributes defined
  • Fixed bug in SleuthkitCase.getContentById() for data sources
  • Fixed bug in LayoutFile.read() that could allow reading past end of file

Case Database Schema

  • New fields for hash values and acquisition details in case database
  • Store “created schema version” in case database

The Sleuth Kit 4.6.4

This release has no changes to the command line tools or C/C++ libraries. It is being done only to support the Autopsy 4.9.1 release.

Java Code:

  • Increase max statements in database to prevent errors under load
  • Have a max timeout for SQLite retries

Version number: 4.6.6
Release status: Final
Operating systems: Windows 7, Linux, BSD, macOS, Solaris, UNIX, Windows Server 2008, Windows Server 2012, Windows 8, Windows 10, Windows Server 2016
Website: The Sleuth Kit
License type: Conditions (GNU/BSD/etc.)