Mobius Forensic Toolkit v1.7 released

P2P Viewer now supports Ares Galaxy activity records. See ChangeLog file for a complete list of changes.

• Report Wizard: Two new graphic commands "while" and "exec"
• Libmobius: ED2K cryptographic hash function implemented
• Libmobius: New module mobius::model
• Libmobius: Hash functions preserve state on get_digest ()
• Python API: New module pymobius.p2p.ares
• Python API: New module mobius.model

Mobius Forensic Toolkit v1.6 released

P2P Viewer scans, retrieves and shows P2P applications activity data from evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.

• Hive-Report: Four new fields added to Installed Programs report
• Libmobius: Handle EWF corrupted files
• Libmobius: New function mobius::core::log
• Python API: New module mobius.decoder
• Python API: New class mobius.decoder.mfc_decoder
• Python API: New function mobius.core.log

Mobius Forensic Toolkit v1.5 released

Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.

• New imagefile format .msr supported
• Category model in C++
• Category model data stored into category.sqlite database file
• Category-manager: import/export data as .json file
• Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
• Libmobius: Blowfish cryptographic cipher algorithm implemented
• Libmobius: imagefile module refactored
• Libmobius: Lazy evaluation for imagefile's implementation classes

Mobius Forensic Toolkit v1.4 released

This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:

• Added support for Win10 password hashes
• Retrieves old password hashes and passwords, when available
• Hive-report: More than 20 fields added to the UserAccount report
• Libmobius: MD4 cryptographic hash function implemented
• Libmobius: New module mobius::forensics::turing
• Python API: New class mobius.crypt.hash

Mobius Forensic Toolkit v1.3 released

The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:

• Added support for Domain Cached Credentials v2
• HMAC message authentication code implemented
• Libmobius: 5x performance improvement for hash block functions
• Libmobius: New connection_pool class with multi-thread support
• Hive-report: New fields for Cached Credentials report
• Gtk-UI: New widget widetableview
• Unittest: New benchmark tool

Mobius Forensic Toolkit v1.2 released

The registry classes automatically decrypt LSA Secrets registry values, including those LSA using PolEkList, such as Windows Vista and newer systems. See ChangeLog file for a complete list of changes. Main changes are:

• SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
• AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
• Hive extension: Shows decrypted LSA secrets values
• Libmobius: hash_base, hash_stream and hash_block interfaces improved

Mobius Forensic Toolkit v1.1 released

The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:

• SHA-1 cryptographic hash function implemented
• ROT-13 cryptographic cipher algorithm implemented
• Libmobius: Automatically decodes UserAssist registry keys
• Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
• Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
• Unification of Python API under one library

Mobius Forensic Toolkit v1.0 released

The hive extension now retrieves the registry files directly from the disk and builds an unified registry structure, very akin to the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to the libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:

• Hive extension: Interface reimplemented as a case view
• Hive extension: Added support to big data (db) cells
• Hive extension: New option to export registry files
• Hive extension: Stores local copies of the registry files for fast access
• C++ API: Hash_md5 calculations now fully inlined
• C++ API: New function mobius::filesystem::entry.get_child_by_name
• C++ API: New function mobius::filesystem::entry.get_child_by_path
• C++ API: New function mobius::filesystem::entry.new_reader
• Python API: New module mobius.xml
• Python API: New function PyString_from_bytearray
• Tools: New tool hive-info
• Tools: New tool hive-scan

Release 0.5.31 published

The C++ API's module mobius::filesystem navigates through the file systems using libtsk. Big performance improvement to the module mobius::imagefile::ewf. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::disk
• C++ API: new class mobius::filesystem::entry
• C++ API: new class mobius::metadata
• Python API: new module mobius.disk
• Python API: new class mobius.filesystem.entry
• configure.ac: libtsk is now mandatory
• gtk-ui: lazy update implemented to viewselector
• New tool dirfs implemented

Release 0.5.30 published

The new C++ API's module mobius::filesystem detects and retrieves metadata from Ext2/3/4, HFS+ and HFSX, ISO-9660, NTFS and VFAT filesystems. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• New extension filesystem-viewer shows all filesystems detected from disks and their metadata
• C++ API: new function mobius::filesystem::get_filesystems
• C++ API: new function mobius::filesystem::get_filesystem_metadata
• Python API: new function mobius.api.get_filesystems
• Python API: new generic dataholder class api_dataholder
• New tool filesystem_scan implemented

Release 0.5.29 published

This release adds support to DOS partitions, GPT partitions and Apple Partition Map partitions. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::partition
• C++ API: added support to DOS partition system
• C++ API: added support to GPT partition system
• C++ API: added support to APM partition system
• python API: new package mobius.api
• datasource-physical-device: uses mobius.api.device and get_devices
• datasource-physical-device: does not need package python_gudev anymore
• tools: new partition_table tool

Release 0.5.28 published

This release features many C++ API new implementations: support to both MD5 hash and to Adler-32 CRC has been added, as well as write support to EWF imagefiles. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• new extension gtk-report-dialog
• datasource-model: does not set empty attributes
• new ewf_decoder tool
• C++ API: new module mobius::imagefile::ewf
• C++ API: new module mobius::codec
• C++ API: new hash function mobius::crypt::hash_md5
• C++ API: new hash function mobius::crypt::hash_adler32
• C++ API: several new functions implemented into datetime module
• C++ API: new template class mobius::crypt::hash_functor evaluates hashes in parallel to reading or writing data

Release 0.5.27 published

This release features the lshw-agent extension, which reads an output from the command lshw -xml and creates notebooks/computer items and their components, such as network cards, harddisks, graphic cards. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new module mobius::core
• C++ API: new module mobius::decoder
• C++ API: new module mobius::database
• C++ API: imagefile_ewf handles 64-bit number of sectors
• C++ API: application class compatible with XDG Base Directory Specification
• config dir now default to $HOME/.config/mobiusft
• Python API: new class mobius.core.application
• Extensions use base64.b64decode instead of string.decode
• hive: detects NTUSER.DAT on Win10
• tools: new tool device_list
• tools: new tool disk_list

Release 0.5.26 published

This release adds imagefile classes both to the C++ API and to the Python API, supporting raw, split, talon, solo, dossier and ewf files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

• C++ API: new string functions
• C++ API: zlib_compress and zlib_decompress functions
• new extension hive-shareaza-report
• new extension hive-gigatribe-report
• new hive report: Shareaza General Info
• new hive report: Shareaza User Folders
• new hive report: Shareaza Protocols
• new hive report: Shareaza Search History
• attribute-viewer: retrieve item's children on DND
• tools: new tool imagefile_info
• tools: new tool imagefile_convert

Release 0.5.25 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: charset conversion functions implemented (mobius/charset.h)
• C++ API: new class mobius::io::resource
• C++ API: new class mobius::io::file
• C++ API: new class mobius::io::folder
• C++ API: new class mobius::io::reader
• C++ API: new class mobius::io::writer
• C++ API: new class mobius::system::group
• C++ API: new class mobius::system::user
• python API: new class mobius.io.file
• python API: new class mobius.io.folder
• python API: new class mobius.io.reader
• python API: new class mobius.io.writer
• part-catalogue: show confirmation dialog before inserting new part
• imagefile-ewf: handle disk section
• imagefile-ewf: handle done section
• uri extension eliminated
• uri-file extension eliminated
• configure.ac: fixed bug when libtsk is not available.

Release 0.5.24 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new class mobius::io::uri
• C++ API: new class mobius::io::reader (abstract class)
• C++ API: new class mobius::io::seekable_reader (abstract class)
• C++ API: new class mobius::io::file_descriptor_reader
• C++ API: new class mobius::io::file_reader
• C++ API: new class mobius::io::uri_reader
• C++ API: new class mobius::datetime::date
• C++ API: new class mobius::datetime::time
• C++ API: new class mobius::datetime::datetime
• C++ API: new class mobius::datetime::timedelta
• C++ API: new functions at mobius::datetime::conv_iso_string.h
• C++ API: new functions at mobius::datetime::conv_julian.h
• C++ API: new functions at mobius::datetime::conv_nt_timestamp.h
• C++ API: new functions at mobius::datetime::conv_unix_timestamp.h
• C++ API: mobius::hash_crc32 using precalculated CRC table
• C++ API: new class mobius::crypt::cipher_base (abstract class)
• C++ API: new class mobius::regex
• C++ API: mobius/exception_posix.h for errno based exceptions
• python API: new package mobius.io
• python API: new class mobius.io.uri_reader
• part-model: use sqlite3 database
• cellphone-agent: datetime parsing bug fixed
• data-sourcerer: check if datasource is available on populate_metadata

Release 0.5.23 published

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new class mobius::unittest
• C++ API: new class mobius::bytearray
• C++ API: new class mobius::crypt::hash_base (abstract class)
• C++ API: new class mobius::crypt::hash_crc32
• C++ API: new class mobius::crypt::hash_zip
• C++ API: new class mobius::crypt::cipher_block (abstract class)
• C++ API: new class mobius::crypt::cipher_block_mode (abstract class)
• C++ API: new class mobius::crypt::cipher_block_mode_ecb
• C++ API: new class mobius::crypt::cipher_block_mode_cbc
• C++ API: new class mobius::crypt::cipher_des
• C++ API: new class mobius::crypt::cipher_stream (abstract class)
• C++ API: new class mobius::crypt::cipher_rc4
• C++ API: new class mobius::crypt::cipher_zip
• C++ API: new class mobius::application
• C++ API: code compatible with C++11
• python API: new wrapper class mobius.crypt.hash_zip
• python API: new wrapper class mobius.crypt.cipher_rc4
• python API: new wrapper class mobius.crypt.cipher_zip
• python API: new wrapper class mobius.crypt.cipher_des
• hive-report: use mobius.crypt.cipher_rc4
• hive-report: use mobius.crypt.cipher_des
• hive-report: new report "encrypted volumes" lists Folder Locker 6 volumes
• hive-pstore: use mobius.crypt.cipher_des
• hive-turing: use mobius.crypt.cipher_rc4
• hive-turing: use mobius.crypt.cipher_des
• turing-model: use mobius.crypt.cipher_des

New tutorial available: Cracking Windows passwords with MobiusFT and JTR

Sep 23rd, 2015 by Eduardo Aguiar

This tutorial was previously available as a section of the Mobius Forensic Toolkit tutorial. Click here to see it.

Release 0.5.22 published

Sep 7th, 2015 by Eduardo Aguiar

This release introduces the Mobius Forensic Toolkit API, an API written in C++ with Python bindings. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• C++ API: new mobius::tsk classes to access libtsk
• python API: wrapper for mobius::tsk
• new installation method using configure, make and make install
• mediator.py: moved to mobius package
• emule-agent: new report "shared folders"
• emule-agent: handle tags 0x34 and 0x35
• emule-agent: fix BLOB decoding
• emule-agent: specific policies for dreamule and emule config
• emule-agent: check if AC_SearchStrings.dat exists before opening
• hive-report: catch exceptions at get_computer_name function
• hive-report: add Wow6432Node subkeys to the Installed Program report
• datasource-physical-device: fix retrieve_metadata for disks that have empty serial numbers
• imagefile-ewf: fix amount of bytes read in decode_hash_section
• engelbart: class UIManager implemented

Release 0.5.21 published

Oct 7th, 2014 by Eduardo Aguiar

This release introduces the eMule Agent extension, an extension to parse eMule artifacts. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• new extension emule-agent
• new extension engelbart
• hive-report: new report "Ares accounts"
• hive-report: new report "last mounted devices"
• hive-report: installed program handles UNIX install datetime
• hive-report: installed program also retrieves from NTUSER.dat uninstall subkeys. Suggested by Clemente Paixão
• gigatribe-agent: datetime decoder fixed
• gtk-ui: service ui.start moved to engelbart extension
• gtk-ui: service ui.stop moved to engelbart extension
• gtk-ui: service ui.flush moved to engelbart extension
• gtk-ui: deprecated service ui.render-icon removed
• gtk-ui: service ui.new-icon-from-data set deprecated
• gtk-ui: service ui.new-icon-from-file set deprecated
• skype-agent: REPORT_ICON_DATA replaced by report.run icon
• emule-agent: REPORT_ICON_DATA replaced by report.run icon
• ice: REPORT_ICON_DATA replaced by report.run icon
• report-wizard: TRASH_BIN_ICON replaced by dnd.delete icon
• ice: use image_buffer instead of ui.render-icon
• category-manager: use image_buffer instead of ui.render-icon
• engelbart: new service ui.new-factory
• extension-manager: use image_buffer instead of ui.new-icon-from-data
• date-code: copyright (c) 2014

New Homepage

Jul 26th, 2014 by Eduardo Aguiar

Due to the shutdown of freecode.com, I had to hastily make this homepage. For now on, every announcement about the project will be posted here. It is a work in progress, and suggestions are welcome.

Release 0.5.20 published

Jul 23, 2014 by Eduardo Aguiar

This release introduces the CellPhone Agent extension, an extension to browse Cellebrite's report.xml files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

• new extension cellphone-agent
• report-model: new service report.run-dialog
• report-model: verbatim generates '%' instead of '%%'
• report-model: do not generate duplicated methods in .py
• gtk-ui: forbid treeitem DND onto itself
• gtk-ui: case treeview icon cache implemented
• gtk-ui: do not expand selected item when item.children is modified
• skype-agent: "generate report" option
• skype-agent: account view disables DND when not selected
• skype-agent: account tile image repositioned
• ice: use service report.run-dialog
• sdi-window-manager: call to on_widget_started eliminated
• partition-viewer: scan only partition-system components
• partition-agent: update item.children only if it detects partitions
• partition-agent-dos: keep item.children when building components
• turing: test dictionary option fixed