Mobius Forensic Toolkit

Mobius Forensic Toolkit v2.9 released

Nov 18th, 2024 by Eduardo Aguiar

This release adds a new C++ extension called app-ares that decodes the following Ares Galaxy control files:

  • ShareH.dat
  • ShareL.dat
  • PHashIdx.dat
  • ___ARESTRA___*.*
  • TempDL/PHash_*.dat

The app-ares C++ extension builds a unified data model from all the files listed above and uses this model to retrieve the following evidences:

  • Autofill data
  • Local Files
  • Received Files
  • Shared Files
  • User Accounts


Mobius Forensic Toolkit v2.8 released

Oct 12th, 2024 by Eduardo Aguiar
  • ant.evidence.ufdr retrieves Contacts from Cellebrite's UFDR files
  • ant.evidence.ufdr retrieves Passwords from Cellebrite's UFDR files
  • ant.evidence.ufdr retrieves Encryption Keys from Cellebrite's UFDR files
  • ant.evidence.ufdr retrieves Crypto Wallets from Cellebrite's UFDR files


Mobius Forensic Toolkit v2.7 released

Sep 15th, 2024 by Eduardo Aguiar
  • mobius.ui: New widgets: label, box, container, and stacked_container
  • datasource.ufdr.parser: Added support for metadata section "Extraction Data"
  • evidence-viewer: A simplified navigation panel has been implemented
  • evidence-viewer: DND generates bookmarks to evidences

Mobius Forensic Toolkit v2.6 released

Aug 22nd, 2024 by Eduardo Aguiar
  • Added new evidence type: Wireless Connection
  • Added new evidence type: Wireless Network
  • Fixed bugs in datasource-vfs module
  • Source code of the extensions is now more easily available. Take a look at the src/extensions directory of the distribution

Mobius Forensic Toolkit v2.5 released

Jul 31st, 2024 by Eduardo Aguiar

This release adds support for Cellebrite's UFDR report files. You can now set a UFDR datasource, access the evidences available in UFDR report files, and process UFDR files with IPED through the iped-frontend extension.


New datasource type "UFDR" for Cellebrite's UFDR report files.
 

Mobius Forensic Toolkit v2.4 released

Jul 2nd, 2024 by Eduardo Aguiar
  • Added new evidence type: Installed Programs
  • ant.ip_addresses: Changed to retrieve external IP addresses from HTTP cookies
  • ant.accounts: Added support for Ares Galaxy user accounts
  • ant.autofill: Added support for Ares Galaxy's search history
  • evidence-viewer: Changed to use evidence model to define evidences being shown

Mobius Forensic Toolkit v2.3 released

May 31st, 2024 by Eduardo Aguiar
  • Added new module app.itubego to retrieve artifacts from iTubeGo app
  • ant.text_autocomplete: Added support for iTubeGo URL history entries
  • ant.received_files: Added support for iTubeGo download history
  • ant.cookies: Changed to automatically decrypt "v10" encrypted cookies
  • app.chromium: Changed to retrieve cookies from Network/Cookies files
  • Added support for libgcrypt message digest algorithms in class crypt::hash
  • Added support for libgcrypt HMAC algorithms in class crypt::hmac

Mobius Forensic Toolkit v2.2 released

May 13th, 2024 by Eduardo Aguiar
  • ant.turing automatically decrypts "v10" passwords from the newest Chromium-based browsers
  • ant.trash_can_entries retrieves data from deleted $I entries
  • Libmobius: Class crypt::cipher_impl_gcrypt adds support for libgcrypt ciphers
  • Libmobius: Added support for ciphers Idea, Cast5, Twofish, Serpent, Seed, Camellia, Salsa, Gost28147, Chacha20 and SM4
  • Libmobius: Added support for cipher modes CTR, CBC-CTS, GCM, and OFB

Mobius Forensic Toolkit v2.1 released

Feb 22nd, 2024 by Eduardo Aguiar
  • VFS: New extension vfs.block.bitlocker adds support for BitLocker volumes. It detects, decodes and retrieves metadata from BitLocker volumes, including protector info.
  • VFS: New extension vfs-block-view-bitlocker is the counterpart to the vfs.block.bitlocker extension. It shows BitLocker volume protectors, replacing the bdeinfo tool.
  • VFS: Fixed decoding of DOS extended partitions.
  • VFS: Fixed detection of FAT16 filesystems.
  • app.chromium: Better automatic datetime conversion that handles date/time values from all known versions.
  • ant.accounts: Changed to retrieve Login Data from Chromium-based browsers.

VFS Viewer extension showing a BitLocker volume's protectors.
 

Mobius Forensic Toolkit v2.0 released

Dec 8th, 2023 by Eduardo Aguiar

New module mobius::vfs, implemented in C++, replaces the old item.datasource structure. This development is an important milestone for Mobius Forensic Toolkit because:

  • mobius::vfs implements a very powerful data block detection and decoding framework.
  • mobius::vfs is highly modular. You can easily implement new data block detection modules as C++ extensions.
  • The mobius::vfs data block detection algorithm is fully recursive and supports palimpsest structures, such as ISOHybrid disks, detecting multiple block types for each data block found.
  • mobius::vfs handles multiblock structures, and as such, is fit for future detection and decoding of RAID, LVM, and Fusion disks, for example.
  • mobius::vfs features a full Python C API, under mobius.vfs Python module.
  • mobius::vfs shows all data blocks detected and has an option to export individual blocks for use with other tools.


New extension VFS Viewer showing all data blocks detected from OpenSUSE DVD ISO v15.4.
 