Mobius Forensic Toolkit v1.11 released

A new extension called File Activity has been implemented. It automatically retrieves and shows information about files opened by user, files received and files sent. See ChangeLog file for a complete list of changes.

• Spider: Added support for Internet Explorer v4-9
• File Activity: Added support for Chrome
• File Activity: Added support for Firefox
• File Activity: Added support for Internet Explorer v4-9
• File Activity: Added support for Skype
• Python API: Many new functions implemented

Mobius Forensic Toolkit v1.10 released

A new extension called Spider has been implemented. It is a web browser forensics tool that automatically scans, retrieves and shows URL history, cookies and form history. See ChangeLog file for a complete list of changes.

• Spider: Added support for Google Chrome
• Spider: Added support for Mozilla Firefox
• p2p.emule: Count = -1 for AC_SearchStrings searches
• Python API: New module pymobius.app
• Python API: New module pymobius.app.chrome
• Python API: New module pymobius.app.emule
• Python API: New module pymobius.app.firefox

Mobius Forensic Toolkit v1.9 released

Case model has been implemented in C++, with Python wrapper. Case data is now stored in a .sqlite database. See ChangeLog file for a complete list of changes.

• ICE: Options Save and Save As removed
• Python API: New module pymobius.json_serializer
• New tool hashfs implemented
• New tool casetree implemented
• Extension case-model removed
• Extension object-model removed
• Python examples: New example program list_categories.py
• Python examples: New example program casetree.py

100,000+ SLOC (Source lines of code)

We have reached (and passed) 100,000+ source lines of code. Mobius Forensic Toolkit is now a medium-sized project. The graph below shows the number of lines of code according to each version:

A few things can be inferred from the numbers above and from the development process in general:

• Libmobius development started in Sep, 7th 2015. In 3 years it has grown from 0 to 62,271 SLOC, about 20,700 SLOC/year or 1,729 SLOC/month.
• In the last 12 months, Libmobius has grown from 31,151 to 62,271 SLOC, about 2,593 SLOC/month or 85 SLOC/day.
• From version 0.5.22 to version 1.8, the project source lines of code has grown from 42,051 to 102,707 SLOC.
• The numbers above do not include the Python wrapper layer, also written in C++.
• The demands for refactoring in Libmobius are low, which indicates a robust design.
• The number of lines of code in Python is almost stable, even with many new features added. It means that we are successfully using the C++ API from libmobius.

Mobius Forensic Toolkit v1.8 released

P2P Viewer: added support for Emule and EmuleTorrent. See ChangeLog file for a complete list of changes.

• p2p.ares: Retrieves data from TorrentH.dat evidence files
• p2p.ares: Retrieves data from PHashIdx.dat evidence files
• p2p.ares: Retrieves data from PHashIdxTemp.dat evidence files
• p2p.ares: Retrieves data from TempPHash.dat evidence files
• p2p.ares: Retrieves data from PHash_*.dat evidence files
• p2p.ares: Retrieves data from PBTHash_*.dat evidence files
• p2p.ares: Retrieves data from ___ARESTRA___* downloading files

Mobius Forensic Toolkit v1.7 released

P2P Viewer: added support for Ares Galaxy. See ChangeLog file for a complete list of changes.

• Report Wizard: Two new graphic commands "while" and "exec"
• Libmobius: ED2K cryptographic hash function implemented
• Libmobius: New module mobius::model
• Libmobius: Hash functions preserve state on get_digest ()
• Python API: New module pymobius.p2p.ares
• Python API: New module mobius.model

Mobius Forensic Toolkit v1.6 released

P2P Viewer scans, retrieves and shows P2P applications activity data from evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.

• Hive-Report: Four new fields added to Installed Programs report
• Libmobius: Handle EWF corrupted files
• Libmobius: New function mobius::core::log
• Python API: New module mobius.decoder
• Python API: New class mobius.decoder.mfc_decoder
• Python API: New function mobius.core.log

Mobius Forensic Toolkit v1.5 released

Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.

• New imagefile format .msr supported
• Category model in C++
• Category model data stored into category.sqlite database file
• Category-manager: import/export data as .json file
• Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
• Libmobius: Blowfish cryptographic cipher algorithm implemented
• Libmobius: imagefile module refactored
• Libmobius: Lazy evaluation for imagefile's implementation classes

Mobius Forensic Toolkit v1.4 released

This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:

• Added support for Win10 password hashes
• Retrieves old password hashes and passwords, when available
• Hive-report: More than 20 fields added to the UserAccount report
• Libmobius: MD4 cryptographic hash function implemented
• Libmobius: New module mobius::forensics::turing
• Python API: New class mobius.crypt.hash

Mobius Forensic Toolkit v1.3 released

The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:

• Added support for Domain Cached Credentials v2
• HMAC message authentication code implemented
• Libmobius: 5x performance improvement for hash block functions
• Libmobius: New connection_pool class with multi-thread support
• Hive-report: New fields for Cached Credentials report
• Gtk-UI: New widget widetableview
• Unittest: New benchmark tool

Mobius Forensic Toolkit v1.2 released

The registry classes automatically decrypt LSA Secrets registry values, including those LSA using PolEkList, such as Windows Vista and newer systems. See ChangeLog file for a complete list of changes. Main changes are:

• SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
• AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
• Hive extension: Shows decrypted LSA secrets values
• Libmobius: hash_base, hash_stream and hash_block interfaces improved

Mobius Forensic Toolkit v1.1 released

The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:

• SHA-1 cryptographic hash function implemented
• ROT-13 cryptographic cipher algorithm implemented
• Libmobius: Automatically decodes UserAssist registry keys
• Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
• Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
• Unification of Python API under one library

Mobius Forensic Toolkit v1.0 released

The hive extension now retrieves the registry files directly from the disk and builds an unified registry structure, very akin to the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to the libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:

• Hive extension: Interface reimplemented as a case view
• Hive extension: Added support to big data (db) cells
• Hive extension: New option to export registry files
• Hive extension: Stores local copies of the registry files for fast access
• C++ API: Hash_md5 calculations now fully inlined
• C++ API: New function mobius::filesystem::entry.get_child_by_name
• C++ API: New function mobius::filesystem::entry.get_child_by_path
• C++ API: New function mobius::filesystem::entry.new_reader
• Python API: New module mobius.xml
• Python API: New function PyString_from_bytearray
• Tools: New tool hive-info
• Tools: New tool hive-scan

Release 0.5.31 published

The C++ API's module mobius::filesystem navigates through the file systems using libtsk. Big performance improvement to the module mobius::imagefile::ewf. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::disk
• C++ API: new class mobius::filesystem::entry
• C++ API: new class mobius::metadata
• Python API: new module mobius.disk
• Python API: new class mobius.filesystem.entry
• configure.ac: libtsk is now mandatory
• gtk-ui: lazy update implemented to viewselector
• New tool dirfs implemented

Release 0.5.30 published

The new C++ API's module mobius::filesystem detects and retrieves metadata from Ext2/3/4, HFS+ and HFSX, ISO-9660, NTFS and VFAT filesystems. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• New extension filesystem-viewer shows all filesystems detected from disks and their metadata
• C++ API: new function mobius::filesystem::get_filesystems
• C++ API: new function mobius::filesystem::get_filesystem_metadata
• Python API: new function mobius.api.get_filesystems
• Python API: new generic dataholder class api_dataholder
• New tool filesystem_scan implemented

Release 0.5.29 published

This release adds support to DOS partitions, GPT partitions and Apple Partition Map partitions. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::partition
• C++ API: added support to DOS partition system
• C++ API: added support to GPT partition system
• C++ API: added support to APM partition system
• python API: new package mobius.api
• datasource-physical-device: uses mobius.api.device and get_devices
• datasource-physical-device: does not need package python_gudev anymore
• tools: new partition_table tool

Release 0.5.28 published

This release features many C++ API new implementations: support to both MD5 hash and to Adler-32 CRC has been added, as well as write support to EWF imagefiles. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• new extension gtk-report-dialog
• datasource-model: does not set empty attributes
• new ewf_decoder tool
• C++ API: new module mobius::imagefile::ewf
• C++ API: new module mobius::codec
• C++ API: new hash function mobius::crypt::hash_md5
• C++ API: new hash function mobius::crypt::hash_adler32
• C++ API: several new functions implemented into datetime module
• C++ API: new template class mobius::crypt::hash_functor evaluates hashes in parallel to reading or writing data

Release 0.5.27 published

This release features the lshw-agent extension, which reads an output from the command lshw -xml and creates notebooks/computer items and their components, such as network cards, harddisks, graphic cards. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::core
• C++ API: new module mobius::decoder
• C++ API: new module mobius::database
• C++ API: imagefile_ewf handles 64-bit number of sectors
• C++ API: application class compatible with XDG Base Directory Specification
• config dir now default to $HOME/.config/mobiusft
• Python API: new class mobius.core.application
• Extensions use base64.b64decode instead of string.decode
• hive: detects NTUSER.DAT on Win10
• tools: new tool device_list
• tools: new tool disk_list

Release 0.5.26 published

This release adds imagefile classes both to the C++ API and to the Python API, supporting raw, split, talon, solo, dossier and ewf files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new string functions
• C++ API: zlib_compress and zlib_decompress functions
• new extension hive-shareaza-report
• new extension hive-gigatribe-report
• new hive report: Shareaza General Info
• new hive report: Shareaza User Folders
• new hive report: Shareaza Protocols
• new hive report: Shareaza Search History
• attribute-viewer: retrieve item's children on DND
• tools: new tool imagefile_info
• tools: new tool imagefile_convert

Release 0.5.25 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: charset conversion functions implemented (mobius/charset.h)
• C++ API: new class mobius::io::resource
• C++ API: new class mobius::io::file
• C++ API: new class mobius::io::folder
• C++ API: new class mobius::io::reader
• C++ API: new class mobius::io::writer
• C++ API: new class mobius::system::group
• C++ API: new class mobius::system::user
• python API: new class mobius.io.file
• python API: new class mobius.io.folder
• python API: new class mobius.io.reader
• python API: new class mobius.io.writer
• part-catalogue: show confirmation dialog before inserting new part
• imagefile-ewf: handle disk section
• imagefile-ewf: handle done section
• uri extension eliminated
• uri-file extension eliminated
• configure.ac: fixed bug when libtsk is not available.

Release 0.5.24 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new class mobius::io::uri
• C++ API: new class mobius::io::reader (abstract class)
• C++ API: new class mobius::io::seekable_reader (abstract class)
• C++ API: new class mobius::io::file_descriptor_reader
• C++ API: new class mobius::io::file_reader
• C++ API: new class mobius::io::uri_reader
• C++ API: new class mobius::datetime::date
• C++ API: new class mobius::datetime::time
• C++ API: new class mobius::datetime::datetime
• C++ API: new class mobius::datetime::timedelta
• C++ API: new functions at mobius::datetime::conv_iso_string.h
• C++ API: new functions at mobius::datetime::conv_julian.h
• C++ API: new functions at mobius::datetime::conv_nt_timestamp.h
• C++ API: new functions at mobius::datetime::conv_unix_timestamp.h
• C++ API: mobius::hash_crc32 using precalculated CRC table
• C++ API: new class mobius::crypt::cipher_base (abstract class)
• C++ API: new class mobius::regex
• C++ API: mobius/exception_posix.h for errno based exceptions
• python API: new package mobius.io
• python API: new class mobius.io.uri_reader
• part-model: use sqlite3 database
• cellphone-agent: datetime parsing bug fixed
• data-sourcerer: check if datasource is available on populate_metadata

Release 0.5.23 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new class mobius::unittest
• C++ API: new class mobius::bytearray
• C++ API: new class mobius::crypt::hash_base (abstract class)
• C++ API: new class mobius::crypt::hash_crc32
• C++ API: new class mobius::crypt::hash_zip
• C++ API: new class mobius::crypt::cipher_block (abstract class)
• C++ API: new class mobius::crypt::cipher_block_mode (abstract class)
• C++ API: new class mobius::crypt::cipher_block_mode_ecb
• C++ API: new class mobius::crypt::cipher_block_mode_cbc
• C++ API: new class mobius::crypt::cipher_des
• C++ API: new class mobius::crypt::cipher_stream (abstract class)
• C++ API: new class mobius::crypt::cipher_rc4
• C++ API: new class mobius::crypt::cipher_zip
• C++ API: new class mobius::application
• C++ API: code compatible with C++11
• python API: new wrapper class mobius.crypt.hash_zip
• python API: new wrapper class mobius.crypt.cipher_rc4
• python API: new wrapper class mobius.crypt.cipher_zip
• python API: new wrapper class mobius.crypt.cipher_des
• hive-report: use mobius.crypt.cipher_rc4
• hive-report: use mobius.crypt.cipher_des
• hive-report: new report "encrypted volumes" lists Folder Locker 6 volumes
• hive-pstore: use mobius.crypt.cipher_des
• hive-turing: use mobius.crypt.cipher_rc4
• hive-turing: use mobius.crypt.cipher_des
• turing-model: use mobius.crypt.cipher_des

New tutorial available: Cracking Windows passwords with MobiusFT and JTR

Sep 23rd, 2015 by Eduardo Aguiar

This tutorial was previously available as a section of the Mobius Forensic Toolkit tutorial. Click here to see it.

Release 0.5.22 published

Sep 7th, 2015 by Eduardo Aguiar

This release introduces the Mobius Forensic Toolkit API, an API written in C++ with Python bindings. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new mobius::tsk classes to access libtsk
• python API: wrapper for mobius::tsk
• new installation method using configure, make and make install
• mediator.py: moved to mobius package
• emule-agent: new report "shared folders"
• emule-agent: handle tags 0x34 and 0x35
• emule-agent: fix BLOB decoding
• emule-agent: specific policies for dreamule and emule config
• emule-agent: check if AC_SearchStrings.dat exists before opening
• hive-report: catch exceptions at get_computer_name function
• hive-report: add Wow6432Node subkeys to the Installed Program report
• datasource-physical-device: fix retrieve_metadata for disks that have empty serial numbers
• imagefile-ewf: fix amount of bytes read in decode_hash_section
• engelbart: class UIManager implemented

Release 0.5.21 published

Oct 7th, 2014 by Eduardo Aguiar

This release introduces the eMule Agent extension, an extension to parse eMule artifacts. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• new extension emule-agent
• new extension engelbart
• hive-report: new report "Ares accounts"
• hive-report: new report "last mounted devices"
• hive-report: installed program handles UNIX install datetime
• hive-report: installed program also retrieves from NTUSER.dat uninstall subkeys. Suggested by Clemente Paixão
• gigatribe-agent: datetime decoder fixed
• gtk-ui: service ui.start moved to engelbart extension
• gtk-ui: service ui.stop moved to engelbart extension
• gtk-ui: service ui.flush moved to engelbart extension
• gtk-ui: deprecated service ui.render-icon removed
• gtk-ui: service ui.new-icon-from-data set deprecated
• gtk-ui: service ui.new-icon-from-file set deprecated
• skype-agent: REPORT_ICON_DATA replaced by report.run icon
• emule-agent: REPORT_ICON_DATA replaced by report.run icon
• ice: REPORT_ICON_DATA replaced by report.run icon
• report-wizard: TRASH_BIN_ICON replaced by dnd.delete icon
• ice: use image_buffer instead of ui.render-icon
• category-manager: use image_buffer instead of ui.render-icon
• engelbart: new service ui.new-factory
• extension-manager: use image_buffer instead of ui.new-icon-from-data
• date-code: copyright (c) 2014

New Homepage

Jul 26th, 2014 by Eduardo Aguiar

Due to the shutdown of freecode.com, I had to hastily make this homepage. For now on, every announcement about the project will be posted here. It is a work in progress, and suggestions are welcome.

Release 0.5.20 published

Jul 23, 2014 by Eduardo Aguiar

This release introduces the CellPhone Agent extension, an extension to browse Cellebrite's report.xml files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• new extension cellphone-agent
• report-model: new service report.run-dialog
• report-model: verbatim generates '%' instead of '%%'
• report-model: do not generate duplicated methods in .py
• gtk-ui: forbid treeitem DND onto itself
• gtk-ui: case treeview icon cache implemented
• gtk-ui: do not expand selected item when item.children is modified
• skype-agent: "generate report" option
• skype-agent: account view disables DND when not selected
• skype-agent: account tile image repositioned
• ice: use service report.run-dialog
• sdi-window-manager: call to on_widget_started eliminated
• partition-viewer: scan only partition-system components
• partition-agent: update item.children only if it detects partitions
• partition-agent-dos: keep item.children when building components
• turing: test dictionary option fixed