Mobius Forensic Toolkit v2.9 released
This release adds a new C++ extension called app-ares that decodes the following Ares Galaxy control files:
- ShareH.dat
- ShareL.dat
- PHashIdx.dat
- ___ARESTRA___*.*
- TempDL/PHash_*.dat
The app-ares C++ extension builds a unified data model from all the files listed above and uses this model to retrieve the following evidence types:
- Autofill data
- Local Files
- Received Files
- Shared Files
- User Accounts
Mobius Forensic Toolkit v2.8 released
- ant.evidence.ufdr retrieves Contacts from Cellebrite's UFDR files
- ant.evidence.ufdr retrieves Passwords from Cellebrite's UFDR files
- ant.evidence.ufdr retrieves Encryption Keys from Cellebrite's UFDR files
- ant.evidence.ufdr retrieves Crypto Wallets from Cellebrite's UFDR files
Mobius Forensic Toolkit v2.7 released
- mobius.ui: New widgets: label, box, container, and stacked_container
- datasource.ufdr.parser: Added support for metadata section "Extraction Data"
- evidence-viewer: A simplified navigation panel has been implemented
- evidence-viewer: Drag and drop (DND) generates bookmarks to evidences
Mobius Forensic Toolkit v2.6 released
- Added new evidence type: Wireless Connection
- Added new evidence type: Wireless Network
- Fixed bugs in datasource-vfs module
- Source code of the extensions is more easily available now. Take a look at the src/extensions distribution directory.
Mobius Forensic Toolkit v2.5 released
This release adds support for Cellebrite's UFDR report files. You can now set a UFDR datasource, access the evidences available in UFDR report files, and process UFDR files using IPED through the iped-frontend extension.
New datasource type "UFDR" for Cellebrite's UFDR report files.
Mobius Forensic Toolkit v2.4 released
- Added new evidence type: Installed Programs
- ant.ip_addresses: Changed to retrieve external IP addresses from HTTP cookies
- ant.accounts: Added support for Ares Galaxy user accounts
- ant.autofill: Added support for Ares Galaxy's search history
- evidence-viewer: Changed to use evidence model to define evidences being shown
Mobius Forensic Toolkit v2.3 released
- Added new module app.itubego to retrieve artifacts from iTubeGo app
- ant.text_autocomplete: Added support for iTubeGo URL history entries
- ant.received_files: Added support for iTubeGo download history
- ant.cookies: Changed to automatically decrypt "v10" encrypted cookies
- app.chromium: Changed to retrieve cookies from Network/Cookies files
- Added support for libgcrypt message digest algorithms in class crypt::hash
- Added support for libgcrypt HMAC algorithms in class crypt::hmac
Mobius Forensic Toolkit v2.2 released
- ant.turing automatically decrypts "v10" passwords from newest Chromium based browsers
- ant.trash_can_entries retrieves data from deleted $I entries
- Libmobius: Class crypt::cipher_impl_gcrypt adds support for libgcrypt ciphers
- Libmobius: Added support for ciphers Idea, Cast5, Twofish, Serpent, Seed, Camellia, Salsa, Gost28147, Chacha20 and SM4
- Libmobius: Added support for cipher modes CTR, CBC-CTS, GCM, and OFB
Mobius Forensic Toolkit v2.1 released
- VFS: New extension vfs.block.bitlocker adds support for Bitlocker Volumes. It detects, decodes and retrieves metadata from Bitlocker Volumes, including protectors info.
- VFS: New extension vfs-block-view-bitlocker is the counterpart to the vfs.block.bitlocker extension. It shows Bitlocker Volume protectors, replacing the bdeinfo tool.
- VFS: Fixed decoding of DOS extended partitions.
- VFS: Fixed detection of FAT16 filesystems.
- app.chromium: Better automatic datetime conversion that handles date/time values from all known versions.
- ant.accounts: Changed to retrieve Login Data from Chromium based browsers.
VFS Viewer extension showing Bitlocker Volume's protectors.
Mobius Forensic Toolkit v2.0 released
New module mobius::vfs, implemented in C++, replaces the old item.datasource structure. This development is an important milestone for Mobius Forensic Toolkit because:
- mobius::vfs implements a very powerful data block detection and decoding framework.
- mobius::vfs is highly modular. You can easily implement new data block detection modules as C++ extensions.
- mobius::vfs data block detection algorithm is fully recursive and supports palimpsest structures, such as ISOHybrid disks, detecting multiple block types for each data block found.
- mobius::vfs handles multiblock structures, and as such, is fit for future detection and decoding of RAID, LVM, and Fusion disks, for example.
- mobius::vfs features a full Python C API, under mobius.vfs Python module.
- mobius::vfs shows all data blocks detected and has an option to export individual blocks, for use with other tools.
New extension VFS Viewer showing all data blocks detected from OpenSUSE DVD ISO v15.4.