Mobius Forensic Toolkit v1.37 released
- iped-frontend: Changed to set sector_size when processing imagefiles
- iped-frontend: Removed support for IPED v3.x
- datasource-imagefile: Added sector_size spinbutton
- category-manager: Fixed error importing .json files
- filesystem_vfat: Fixed precision error when calculating sectors, size, and clusters
- AppImage: Changed to use PYTHONPATH environment variable
Mobius Forensic Toolkit v1.36 released
- Added new C++ extension: partition-system-apm
- Added new C++ extension: partition-system-dos
- Added new C++ extension: partition-system-gpt
- filesystem_vfat: Improved detection of VFAT filesystem
- filesystem_vfat: Improved detection of FAT entry size
Mobius Forensic Toolkit v1.35 released
- New extension "Evidence: Accounts" retrieves user accounts data, including passwords (when available), from both installed applications and visited sites
- New C++ extension date-code
- Libmobius: New mobius::core::mediator class in C++ supports callback functions written in both C++ and Python
- Libmobius: Compatible with C++17
New extension Evidence: Accounts
Mobius Forensic Toolkit v1.34 released
- evidence-received-files: Added support for µTorrent
- p2p-viewer: Added support for µTorrent
- New extension Evidence: IP Addresses shows remote IP addresses used by users
- Libmobius: New class mobius::core::resource
- Python API: New class mobius.core.resource
Mobius Forensic Toolkit v1.33 released
- New extension KFF-manager
- P2P Viewer: Checkmark suspected files, using KFF hash sets
- P2P Viewer: Drag and drop full data from local/remote files
- Libmobius: New class mobius::io::text_reader
- Libmobius: New class mobius::io::text_writer
- Libmobius: New class mobius::io::line_reader
- Python API: New class mobius.io.text_reader
- Python API: New class mobius.io.text_writer
- Python API: New class mobius.io.line_reader
Mobius Forensic Toolkit v1.32 released
- iped-frontend: Compatible with IPED4
- New C++ extension imagefile-split
- New C++ extension filesystem-exfat
- New C++ extension filesystem-ext2
- New C++ extension filesystem-hfs
- New C++ extension filesystem-iso
- New C++ extension filesystem-ntfs
- New C++ extension filesystem-vfat
- Libmobius: New module mobius::kff
- Python API: New module mobius.kff
Mobius Forensic Toolkit v1.31 released
- Mobius Forensic Toolkit project has been fully migrated from Python 2 to Python 3, including all extensions.
- Libmobius: New function mobius::encoder::hexstring
- Python API: New function mobius.encoder.hexstring
- Python API: New function mobius::py::isinstance
- Python API: New function mobius::py::from_pyobject
- Python API: New function mobius::py::to_pyobject
Mobius Forensic Toolkit v1.30 released
- New extension Evidence: Encryption Keys
- app.chromium: Automatically decrypts cookies (up to v79)
- app.skype: message_parser.py encoding error fixed
- Libmobius: item.attribute datatype changed to mobius::pod::data
New Tutorial: Getting Started
A long overdue "Getting Started Tutorial" on how to start using Mobius Forensic Toolkit has been written. You can access it here or in the "Quick Start" section at the right side of this page.
Mobius Forensic Toolkit v1.29 released
- app.skype: Added support for Skype v14 call logs
- ant.trash_can_entries: Added support for $Recycle.Bin version 1 records (Vista and Win7)
- ant.trash_can_entries: Added support for Recycler folder (Win2k to WinXP)
- New C++ extension imagefile-dossier
- New C++ extension imagefile-ewf
- New C++ extension imagefile-msr
- New C++ extension imagefile-raw
- New C++ extension imagefile-solo
- New C++ extension imagefile-talon
- New C++ extension imagefile-vhd
- New C++ extension imagefile-vhdx
Mobius Forensic Toolkit v1.28 released
Mobius Forensic Toolkit has been migrated from GTK2 to GTK3, including all extensions.
Integrated Case Environment (ICE) extension running on GTK3
Mobius Forensic Toolkit v1.27 released
- evidence-password-hashes: Keyword testing class optimized
- evidence-password-hashes: Keyword testing handles sha1.utf-16 hashes
- app.skype: Handle "AddMember" messages
- app.skype: Handle "Notice" messages
- app.skype: Handle "TopicUpdate" messages
- app.skype: Handle "HistoryDisclosedUpdate" messages
- app.skype: Handle "RichText/Media_CallRecording" messages
- app.skype: Generate different messages for call started and call ended
- Libmobius: Added support for EWF imagefiles with up to 14971 segment files
- Libmobius: Added support for IGE cipher_block
- Python API: mobius.model.item tp_getattro/tp_setattro implemented
AppImage bundle file released
Download MobiusFT's AppImage file, make it executable and run it on all common Linux distributions. The AppImage file contains almost all libraries and Python packages needed to run Mobius Forensic Toolkit, all bundled together into a single executable file for Linux. You still have to install Python v2.7.xx in order to run it.
How to use it:
Download the MobiusFT AppImage file available on this page. Make it executable, using the command: chmod +x mobiusft-1.26-x86_64.AppImage. Run it.
Linux Distributions:
The MobiusFT AppImage file has been tested using the Debian v11.3 live image. On this system you have to install two packages, python2 and libpython2.7, in order to run MobiusFT.
If you have successfully run the MobiusFT AppImage on another Linux distribution, or if you had trouble running it, please send me an e-mail (aguiar at protonmail.ch) reporting it.
Mobius Forensic Toolkit v1.26 released
- Hive-report: New report Word Wheel Query terms
- ant.text_autocomplete: Retrieves data from WordWheelQuery registry keys
- ant.text_autocomplete: Retrieves data from Search Assistant registry keys
- datasource-model: Set thumbdrive attributes
- Libmobius: New class mobius::ui::message_dialog
- Python API: New class mobius.ui.message_dialog
- Python API: Migrating code to Python 3.x
Mobius Forensic Toolkit v1.25 released
- ant.opened_files: Retrieves info from Windows/Recent .lnk files
- Libmobius: Added support for C++ extension
- Libmobius: New module mobius::ui
- New C++ extension UI/gtk2
New tutorial: Installation Guide
A complete installation guide for Mobius Forensic Toolkit is available here.
Mobius Forensic Toolkit v1.24 released
- New extension Evidence Trash Can Entries
- New extension GTK UI Hexview
- File-Explorer: New File Finder panel
- File_Explorer: New File Properties panel
- File_Explorer: New Hex Viewer panel
- File_Explorer: New Content Properties panel
- Iped-Frontend: Many improvements/bug fixes were implemented
- app.chromium: Added support for Microsoft Edge
- app.chromium: Added support for CCleaner Browser
- ant.cookies: Added support for Microsoft Edge cookies
- Libmobius: New class mobius::decoder::lnk
- Libmobius: New function mobius::decoder::btencode
- Python API: New class mobius.decoder.lnk
- Python API: New function mobius.decoder.btencode
Mobius Forensic Toolkit v1.23 released
A new extension called IPED Frontend has been implemented. It runs IPED on selected case items, opens processed items and generates reports on selected items. You can download IPED at https://github.com/sepinf-inc/IPED.
IPED Frontend v1.0: Processing items
IPED Frontend v1.0: Generating report
Mobius Forensic Toolkit v1.22 released
- Added support for ExFAT filesystems
- New extension evidence-calls lists call logs
- New extension evidence-text-autocomplete shows autocomplete texts
- New module mobius::vfs::filesystem
Mobius Forensic Toolkit v1.21 released
- New extension Evidence-Viewer groups all evidence views
- New extension evidence-bookmarked-urls shows Bookmarked URLs
- app.skype: Better handling of chat messages with multiple recipients
- Libmobius: SGML tokenizer and SGML parser implemented
- Libmobius: file/folder implementation for interfacing libtsk
Evidence Viewer v1.0: List view
Evidence Viewer v1.0: Visited URLs
Mobius Forensic Toolkit v1.20 released
- New extension Search Viewer shows textual searches made by users on WWW sites
- Spider: Added support for AppWiki
- Spider: Added support for CKaach Browser
- Spider: Added support for Kodi Browser Launcher
- Spider: Added support for Kodi Chrome Launcher
- Spider: Added support for Bradesco Net Express
- Libmobius: New module mobius::pod for dynamic data models
Mobius Forensic Toolkit v1.19 released
- Added native support for VHDX image files
- Libmobius: Added support for smb:// files
- Spider: Added support for CryptoTab Browser
- Spider: Added support for NavegadorPJe
- Spider: Added support for Firefox Portable
- Spider: Added support for Firefox folder from Avast Browser Cleanup
- Spider: Added support for Chrome folder from Avast Browser Cleanup
Mobius Forensic Toolkit v1.18 released
- New extension File Explorer browses evidence files on the fly, with no preprocessing needed.
- Libmobius: New methods for mobius::io::file class (remove, rename, copy, move, ...).
- Libmobius: New methods for mobius::io::folder class (remove, rename, ...).
File Explorer v1.0
Mobius Forensic Toolkit v1.17 released
- Chat-Viewer: Added support for Skype App v14 (sl4-username.db files)
- Turing: Automatically decrypts System Credentials
- Turing: New Chain Reaction algorithm to test all passwords/hashes against all hashes/keys
- Python API: New wrapper functions for migration to Python 3
Mobius Forensic Toolkit v1.16 released
- Turing: Retrieves old password hashes from CREDHIST files (up to Win 8.1)
- Turing: Retrieves passwords from Chromium based browsers (Chrome, Opera, ...) (up to Win 8.1)
- Turing: Retrieves passwords from Windows Credentials (up to Win 8.1)
- Turing: Retrieves passwords from IE Intelliforms (up to Win 8.1)
- Spider: Added support for 7 Star
- Spider: Added support for AliExpress Browser
- Spider: Added support for Amigo
- Spider: Added support for Avast Browser
- Spider: Added support for BoBrowser
- Spider: Added support for Brave
- Spider: Added support for CentBrowser
- Spider: Added support for Chedot
- Spider: Added support for Chrome Canary
- Spider: Added support for Chromium
- Spider: Added support for Coccoc
- Spider: Added support for Comodo Dragon
- Spider: Added support for Elements Browser
- Spider: Added support for Epic Privacy Browser
- Spider: Added support for Kometa
- Spider: Added support for Orbitum
- Spider: Added support for PlutoTV
- Spider: Added support for Spotify Browser
- Spider: Added support for Sputnik
- Spider: Added support for Torch
- Spider: Added support for Uran
- Spider: Added support for Vivaldi
- Libmobius: Upgraded to C++14
- Libmobius: New class mobius::crypt::cipher_rc2
- Libmobius: New function turing::hash_ie_entropy
- Python API: Releases GIL when calling C++ intensive tasks
- Python API: Added support for cipher RC2
Mobius Forensic Toolkit v1.15 released
- DPAPI decryption implemented. It is based on previous research by Elie Bursztein and Jean-Michel Picod [1], Francesco Picasso [2] and Benjamin Delpy [3].
- Turing: Automatically decrypts DPAPI system master keys
- Turing: Automatically decrypts Win WiFi passwords
Mobius Forensic Toolkit v1.14 released
- Added native support for .vhd image files
- Spider: Added support for Opera
- Spider: Added support for GeckoFX
- Case Model: New class application
- Case Model: New class profile
- Case Model: New class cookie
Mobius Forensic Toolkit v1.13 released
- Case Model: New class password
- Case Model: New class password_hash
- Turing: Exports .hashcat hash files
- Turing: Exports .john with RID, GID and GECOS fields filled
- Turing: Using persistence layer from Case Model
- Libmobius: On demand connection to database implemented in Turing API
Mobius Forensic Toolkit v1.12 released
A new extension called Chat Viewer has been implemented. It automatically retrieves and shows chat messages from different applications. See ChangeLog file for a complete list of changes.
- Chat Viewer: Added support for Skype
- app.skype: Added support for Skype v8 and newer ones
- app.chrome: Handles Web Data.version = 52
- Libmobius: New function mobius::crypt::pbkdf1
- Libmobius: New function mobius::crypt::pbkdf2_hmac
- Python API: New module mobius.evidence.chats
Mobius Forensic Toolkit v1.11 released
A new extension called File Activity has been implemented. It automatically retrieves and shows information about files opened by user, files received and files sent. See ChangeLog file for a complete list of changes.
- Spider: Added support for Internet Explorer v4-9
- File Activity: Added support for Chrome
- File Activity: Added support for Firefox
- File Activity: Added support for Internet Explorer v4-9
- File Activity: Added support for Skype
- Python API: Many new functions implemented
Mobius Forensic Toolkit v1.10 released
A new extension called Spider has been implemented. It is a web browser forensics tool that automatically scans, retrieves and shows URL history, cookies and form history. See ChangeLog file for a complete list of changes.
- Spider: Added support for Google Chrome
- Spider: Added support for Mozilla Firefox
- p2p.emule: Count = -1 for AC_SearchStrings searches
- Python API: New module pymobius.app
- Python API: New module pymobius.app.chrome
- Python API: New module pymobius.app.emule
- Python API: New module pymobius.app.firefox
Mobius Forensic Toolkit v1.9 released
Case model has been implemented in C++, with Python wrapper. Case data is now stored in a .sqlite database. See ChangeLog file for a complete list of changes.
- ICE: Options Save and Save As removed
- Python API: New module pymobius.json_serializer
- New tool hashfs implemented
- New tool casetree implemented
- Extension case-model removed
- Extension object-model removed
- Python examples: New example program list_categories.py
- Python examples: New example program casetree.py
100,000+ SLOC (Source lines of code)
We have reached (and passed) 100,000+ source lines of code. Mobius Forensic Toolkit is now a medium-sized project. The graph below shows the number of lines of code according to each version:
A few things can be inferred from the numbers above and from the development process in general:
- Libmobius development started on Sep 7th, 2015. In 3 years it has grown from 0 to 62,271 SLOC, about 20,700 SLOC/year or 1,729 SLOC/month.
- In the last 12 months, Libmobius has grown from 31,151 to 62,271 SLOC, about 2,593 SLOC/month or 85 SLOC/day.
- From version 0.5.22 to version 1.8, the project has grown from 42,051 to 102,707 SLOC.
- The numbers above do not include the Python wrapper layer, also written in C++.
- The demands for refactoring in Libmobius are low, which indicates a robust design.
- The number of lines of code in Python is almost stable, even with many new features added. It means that we are successfully using the C++ API from libmobius.
Mobius Forensic Toolkit v1.8 released
P2P Viewer: added support for Emule and EmuleTorrent. See ChangeLog file for a complete list of changes.
- p2p.ares: Retrieves data from TorrentH.dat evidence files
- p2p.ares: Retrieves data from PHashIdx.dat evidence files
- p2p.ares: Retrieves data from PHashIdxTemp.dat evidence files
- p2p.ares: Retrieves data from TempPHash.dat evidence files
- p2p.ares: Retrieves data from PHash_*.dat evidence files
- p2p.ares: Retrieves data from PBTHash_*.dat evidence files
- p2p.ares: Retrieves data from ___ARESTRA___* downloading files
Mobius Forensic Toolkit v1.7 released
P2P Viewer: added support for Ares Galaxy. See ChangeLog file for a complete list of changes.
- Report Wizard: Two new graphic commands "while" and "exec"
- Libmobius: ED2K cryptographic hash function implemented
- Libmobius: New module mobius::model
- Libmobius: Hash functions preserve state on get_digest ()
- Python API: New module pymobius.p2p.ares
- Python API: New module mobius.model
Mobius Forensic Toolkit v1.6 released
P2P Viewer scans, retrieves and shows P2P applications activity data from evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.
- Hive-Report: Four new fields added to Installed Programs report
- Libmobius: Handle EWF corrupted files
- Libmobius: New function mobius::core::log
- Python API: New module mobius.decoder
- Python API: New class mobius.decoder.mfc_decoder
- Python API: New function mobius.core.log
Mobius Forensic Toolkit v1.5 released
Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.
- New imagefile format .msr supported
- Category model in C++
- Category model data stored into category.sqlite database file
- Category-manager: import/export data as .json file
- Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
- Libmobius: Blowfish cryptographic cipher algorithm implemented
- Libmobius: imagefile module refactored
- Libmobius: Lazy evaluation for imagefile's implementation classes
Mobius Forensic Toolkit v1.4 released
This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:
- Added support for Win10 password hashes
- Retrieves old password hashes and passwords, when available
- Hive-report: More than 20 fields added to the UserAccount report
- Libmobius: MD4 cryptographic hash function implemented
- Libmobius: New module mobius::forensics::turing
- Python API: New class mobius.crypt.hash
Mobius Forensic Toolkit v1.3 released
The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:
- Added support for Domain Cached Credentials v2
- HMAC message authentication code implemented
- Libmobius: 5x performance improvement for hash block functions
- Libmobius: New connection_pool class with multi-thread support
- Hive-report: New fields for Cached Credentials report
- Gtk-UI: New widget widetableview
- Unittest: New benchmark tool
Mobius Forensic Toolkit v1.2 released
The registry classes automatically decrypt LSA Secrets registry values, including those from systems using PolEkList, such as Windows Vista and newer. See ChangeLog file for a complete list of changes. Main changes are:
- SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
- AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
- Hive extension: Shows decrypted LSA secrets values
- Libmobius: hash_base, hash_stream and hash_block interfaces improved
Mobius Forensic Toolkit v1.1 released
The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:
- SHA-1 cryptographic hash function implemented
- ROT-13 cryptographic cipher algorithm implemented
- Libmobius: Automatically decodes UserAssist registry keys
- Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
- Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
- Unification of Python API under one library
Mobius Forensic Toolkit v1.0 released
The hive extension now retrieves the registry files directly from the disk and builds a unified registry structure, much like the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:
- Hive extension: Interface reimplemented as a case view
- Hive extension: Added support for big data (db) cells
- Hive extension: New option to export registry files
- Hive extension: Stores local copies of the registry files for fast access
- C++ API: Hash_md5 calculations now fully inlined
- C++ API: New function mobius::filesystem::entry.get_child_by_name
- C++ API: New function mobius::filesystem::entry.get_child_by_path
- C++ API: New function mobius::filesystem::entry.new_reader
- Python API: New module mobius.xml
- Python API: New function PyString_from_bytearray
- Tools: New tool hive-info
- Tools: New tool hive-scan