Mobius Forensic Toolkit

Mobius Forensic Toolkit v2.1 released

Feb 22nd, 2024 by Eduardo Aguiar
  • VFS: New extension vfs.block.bitlocker adds support for BitLocker volumes. It detects and decodes BitLocker volumes and retrieves their metadata, including protector information.
  • VFS: New extension vfs-block-view-bitlocker is the counterpart to the vfs.block.bitlocker extension. It shows BitLocker volume protectors, replacing the bdeinfo tool.
  • VFS: Fixed decoding of DOS extended partitions.
  • VFS: Fixed detection of FAT16 filesystems.
  • app.chromium: Better automatic datetime conversion, handling the date/time values of all known versions.
  • ant.accounts: Changed to retrieve Login Data from Chromium-based browsers.

VFS Viewer extension showing a BitLocker volume's protectors.
 

Mobius Forensic Toolkit v2.0 released

Dec 8th, 2023 by Eduardo Aguiar

New module mobius::vfs, implemented in C++, replaces the old item.datasource structure. This development is an important milestone for Mobius Forensic Toolkit because:

  • mobius::vfs implements a very powerful data block detection and decoding framework.
  • mobius::vfs is highly modular. You can easily implement new data block detection modules as C++ extensions.
  • The mobius::vfs data block detection algorithm is fully recursive and supports palimpsest structures, such as ISOHybrid disks, detecting multiple block types for each data block found.
  • mobius::vfs handles multiblock structures, and is therefore suited to future detection and decoding of RAID, LVM and Fusion disks, for example.
  • mobius::vfs features a full Python C API, under the mobius.vfs Python module.
  • mobius::vfs shows all data blocks detected and has an option to export individual blocks, for use with other tools.
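As an added illustration of the recursive, multi-type detection described in the list above, here is a sketch that scans a constructed ISOHybrid-style image. It is not Mobius code: Block, Detector, detect_blocks and the sample image are invented here, and the signature checks are deliberately minimal.

```cpp
// Added sketch, not Mobius code: recursive block detection that keeps every matching type,
// so an ISOHybrid-style palimpsest is both a DOS partition table and an ISO9660 volume.
#include <cstdint>
#include <cstring>
#include <functional>
#include <string>
#include <vector>
using Bytes = std::vector<std::uint8_t>;
struct Block {
    std::uint64_t offset, size;       // extent within the image, in bytes
    std::vector<std::string> types;   // every type matched, not just the first
    std::vector<Block> children;      // blocks carved out of this one (partitions)
};
// A detector reports its type name plus any child blocks it derives from the structure.
using Match = std::function<bool(const Bytes&, std::uint64_t, std::uint64_t, std::vector<Block>&)>;
struct Detector { std::string name; Match match; };
static std::uint32_t le32(const Bytes& b, std::size_t p) {
    std::uint32_t v = 0; for (int i = 3; i >= 0; --i) v = v << 8 | b[p + i]; return v;
}
// DOS MBR: 0x55AA at byte 510 and at least one used 16-byte entry at 446 + 16*i
// (type at +4, start LBA at +8, sector count at +12; little-endian, 512-byte sectors).
static bool detect_mbr(const Bytes& d, std::uint64_t off, std::uint64_t size, std::vector<Block>& out) {
    if (size < 512 || d[off + 510] != 0x55 || d[off + 511] != 0xAA) return false;
    bool used = false;
    for (int i = 0; i < 4; ++i) {
        std::size_t e = off + 446 + 16 * i;
        std::uint64_t lba = le32(d, e + 8), count = le32(d, e + 12);
        if (d[e + 4] == 0 || count == 0) continue;
        used = true; out.push_back({off + lba * 512, count * 512, {}, {}});
    }
    return used;
}
// ISO9660: primary volume descriptor signature "CD001" at 0x8001 (sector 16, byte 1).
static bool detect_iso9660(const Bytes& d, std::uint64_t off, std::uint64_t size, std::vector<Block>&) {
    return size >= 0x8006 && std::memcmp(&d[off + 0x8001], "CD001", 5) == 0;
}
// ext2 family: superblock at byte 1024, magic 0xEF53 little-endian at superblock + 56.
static bool detect_ext2(const Bytes& d, std::uint64_t off, std::uint64_t size, std::vector<Block>&) {
    return size >= 1082 && d[off + 1080] == 0x53 && d[off + 1081] == 0xEF;
}
// Every detector runs on every block and matches accumulate; children are scanned in turn.
// A child spanning its whole parent (ISOHybrid's first partition) is an alias, not a sub-block.
static Block detect_blocks(const Bytes& d, std::uint64_t off, std::uint64_t size,
                           const std::vector<Detector>& dets) {
    Block b{off, size, {}, {}};
    for (const auto& det : dets) {
        std::vector<Block> kids;
        if (!det.match(d, off, size, kids)) continue;
        b.types.push_back(det.name);
        for (const auto& k : kids) {
            if (k.offset == off && k.size == size) continue;  // palimpsest alias of parent
            if (k.offset + k.size > off + size) continue;     // entry points outside parent
            b.children.push_back(detect_blocks(d, k.offset, k.size, dets));
        }
    }
    return b;
}
// Constructed 40 KiB sample image: ISO9660 signature plus an MBR whose entry 0 covers the
// whole image (ISOHybrid style) and whose entry 1 is a small partition with an ext2 magic.
static Bytes build_isohybrid_sample() {
    Bytes d(20 * 2048, 0);
    std::memcpy(&d[0x8001], "CD001", 5); d[510] = 0x55; d[511] = 0xAA;
    auto entry = [&](int i, std::uint8_t type, std::uint32_t lba, std::uint32_t n) {
        std::size_t e = 446 + 16 * i; d[e + 4] = type;
        for (int k = 0; k < 4; ++k) { d[e + 8 + k] = std::uint8_t(lba >> 8 * k); d[e + 12 + k] = std::uint8_t(n >> 8 * k); }
    };
    entry(0, 0x17, 0, 80);   // 80 sectors * 512 bytes = the whole image
    entry(1, 0x83, 72, 8); d[72 * 512 + 1080] = 0x53; d[72 * 512 + 1081] = 0xEF;  // 4 KiB ext2 at LBA 72
    return d;
}
static Block scan_sample() {
    std::vector<Detector> dets = {{"dos_partition_table", detect_mbr}, {"iso9660", detect_iso9660}, {"ext2", detect_ext2}};
    Bytes img = build_isohybrid_sample();
    return detect_blocks(img, 0, img.size(), dets);
}
```

The root block comes back tagged both dos_partition_table and iso9660 with a single ext2 child; the whole-image partition entry is recognised as an alias of its parent rather than scanned again.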


New extension VFS Viewer showing all data blocks detected from the openSUSE DVD ISO v15.4.
 

Mobius Forensic Toolkit v1.37 released

Oct 12th, 2023 by Eduardo Aguiar
  • iped-frontend: Changed to set sector_size when processing imagefiles
  • iped-frontend: Removed support for IPED v3.x
  • datasource-imagefile: Added sector_size spinbutton
  • category-manager: Fixed error importing .json files
  • filesystem_vfat: Fixed precision error when calculating sectors, size, and clusters
  • AppImage: Changed to use PYTHONPATH environment variable

Mobius Forensic Toolkit v1.36 released

Mar 19th, 2023 by Eduardo Aguiar
  • Added new C++ extension: partition-system-apm
  • Added new C++ extension: partition-system-dos
  • Added new C++ extension: partition-system-gpt
  • filesystem_vfat: Improved detection of VFAT filesystem
  • filesystem_vfat: Improved detection of FAT entry size

Mobius Forensic Toolkit v1.35 released

Nov 27th, 2022 by Eduardo Aguiar
  • New extension "Evidence: Accounts" retrieves user account data, including passwords (when available), from both installed applications and visited sites
  • New C++ extension date-code
  • Libmobius: New mobius::core::mediator class in C++ supports callback functions written in both C++ and Python
  • Libmobius: Compatible with C++17

New extension Evidence: Accounts
 

Mobius Forensic Toolkit v1.34 released

Nov 1st, 2022 by Eduardo Aguiar
  • evidence-received-files: Added support for µTorrent
  • p2p-viewer: Added support for µTorrent
  • New extension Evidence: IP Addresses shows remote IP addresses used by users
  • Libmobius: New class mobius::core::resource
  • Python API: New class mobius.core.resource

Mobius Forensic Toolkit v1.33 released

Oct 7th, 2022 by Eduardo Aguiar
  • New extension KFF-manager
  • P2P Viewer: Checkmark suspected files, using KFF hash sets
  • P2P Viewer: Drag and drop full data from local/remote files
  • Libmobius: New class mobius::io::text_reader
  • Libmobius: New class mobius::io::text_writer
  • Libmobius: New class mobius::io::line_reader
  • Python API: New class mobius.io.text_reader
  • Python API: New class mobius.io.text_writer
  • Python API: New class mobius.io.line_reader

Mobius Forensic Toolkit v1.32 released

Sep 19th, 2022 by Eduardo Aguiar
  • iped-frontend: Compatible with IPED4
  • New C++ extension imagefile-split
  • New C++ extension filesystem-exfat
  • New C++ extension filesystem-ext2
  • New C++ extension filesystem-hfs
  • New C++ extension filesystem-iso
  • New C++ extension filesystem-ntfs
  • New C++ extension filesystem-vfat
  • Libmobius: New module mobius::kff
  • Python API: New module mobius.kff

Mobius Forensic Toolkit v1.31 released

Aug 15th, 2022 by Eduardo Aguiar
  • Mobius Forensic Toolkit project has been fully migrated from Python 2 to Python 3, including all extensions.
  • Libmobius: New function mobius::encoder::hexstring
  • Python API: New function mobius.encoder.hexstring
  • Python API: New function mobius::py::isinstance
  • Python API: New function mobius::py::from_pyobject
  • Python API: New function mobius::py::to_pyobject

Mobius Forensic Toolkit v1.30 released

Jul 16th, 2022 by Eduardo Aguiar
  • New extension Evidence: Encryption Keys
  • app.chromium: Automatically decrypts cookies (up to v79)
  • app.skype: message_parser.py encoding error fixed
  • Libmobius: item.attribute datatype changed to mobius::pod::data

New Tutorial: Getting Started

Jun 25th, 2022 by Eduardo Aguiar

A long overdue "Getting Started" tutorial on how to start using Mobius Forensic Toolkit has been written. You can access it here or in the "Quick Start" section at the right side of this page.

Mobius Forensic Toolkit v1.29 released

Jun 16th, 2022 by Eduardo Aguiar
  • app.skype: Added support for Skype v14 call logs
  • ant.trash_can_entries: Added support for $Recycle.Bin version 1 records (Vista and Win7)
  • ant.trash_can_entries: Added support for Recycler folder (Win2k to WinXP)
  • New C++ extension imagefile-dossier
  • New C++ extension imagefile-ewf
  • New C++ extension imagefile-msr
  • New C++ extension imagefile-raw
  • New C++ extension imagefile-solo
  • New C++ extension imagefile-talon
  • New C++ extension imagefile-vhd
  • New C++ extension imagefile-vhdx

Mobius Forensic Toolkit v1.28 released

May 13th, 2022 by Eduardo Aguiar

Mobius Forensic Toolkit has been migrated from GTK2 to GTK3, including all extensions.


Integrated Case Environment (ICE) extension running on GTK3
 

Mobius Forensic Toolkit v1.27 released

Apr 6th, 2022 by Eduardo Aguiar
  • evidence-password-hashes: Keyword testing class optimized
  • evidence-password-hashes: Keyword testing handles sha1.utf-16 hashes
  • app.skype: Handle "AddMember" messages
  • app.skype: Handle "Notice" messages
  • app.skype: Handle "TopicUpdate" messages
  • app.skype: Handle "HistoryDisclosedUpdate" messages
  • app.skype: Handle "RichText/Media_CallRecording" messages
  • app.skype: Generate different messages for call started and call ended
  • Libmobius: Added support for EWF imagefiles with up to 14971 segment files
  • Libmobius: Added support for IGE cipher_block
  • Python API: mobius.model.item tp_getattro/tp_setattro implemented

AppImage bundle file released

Mar 31st, 2022 by Eduardo Aguiar

Download MobiusFT's AppImage file, make it executable and run it on all common Linux distributions. The AppImage file contains almost all libraries and Python packages needed to run Mobius Forensic Toolkit, bundled together into a single executable file for Linux. You still have to install Python v2.7.xx in order to run it.

How to use it:

Download the MobiusFT AppImage file available on this page. Make it executable with the command chmod +x mobiusft-1.26-x86_64.AppImage, then run it.

Linux Distributions:

The MobiusFT AppImage file has been tested using the Debian v11.3 live image. On this system you have to install two packages, python2 and libpython2.7, in order to run MobiusFT.

If you have successfully run the MobiusFT AppImage on another Linux distribution, or if you had trouble running it, please send me an e-mail (aguiar at protonmail.ch) reporting it.

Mobius Forensic Toolkit v1.26 released

Mar 4th, 2022 by Eduardo Aguiar
  • Hive-report: New report Word Wheel Query terms
  • ant.text_autocomplete: Retrieves data from WordWheelQuery registry keys
  • ant.text_autocomplete: Retrieves data from Search Assistant registry keys
  • datasource-model: Set thumbdrive attributes
  • Libmobius: New class mobius::ui::message_dialog
  • Python API: New class mobius.ui.message_dialog
  • Python API: Migrating code to Python 3.x

Mobius Forensic Toolkit v1.25 released

Feb 11th, 2022 by Eduardo Aguiar
  • ant.opened_files: Retrieves info from Windows/Recent .lnk files
  • Libmobius: Added support for C++ extension
  • Libmobius: New module mobius::ui
  • New C++ extension UI/gtk2

New tutorial: Installation Guide

Feb 9th, 2022 by Eduardo Aguiar

A complete installation guide for Mobius Forensic Toolkit is available here.

Mobius Forensic Toolkit v1.24 released

Dec 27th, 2021 by Eduardo Aguiar
  • New extension Evidence Trash Can Entries
  • New extension GTK UI Hexview
  • File-Explorer: New File Finder panel
  • File_Explorer: New File Properties panel
  • File_Explorer: New Hex Viewer panel
  • File_Explorer: New Content Properties panel
  • Iped-Frontend: Many improvements/bug fixes were implemented
  • app.chromium: Added support for Microsoft Edge
  • app.chromium: Added support for CCleaner Browser
  • ant.cookies: Added support for Microsoft Edge cookies
  • Libmobius: New class mobius::decoder::lnk
  • Libmobius: New function mobius::decoder::btencode
  • Python API: New class mobius.decoder.lnk
  • Python API: New function mobius.decoder.btencode

Mobius Forensic Toolkit v1.23 released

May 13th, 2021 by Eduardo Aguiar

A new extension called IPED Frontend has been implemented. It runs IPED on selected case items, opens processed items and generates reports on selected items. You can download IPED at https://github.com/sepinf-inc/IPED.


IPED Frontend v1.0: Processing items
 

IPED Frontend v1.0: Generating report
 

Mobius Forensic Toolkit v1.22 released

Oct 12th, 2020 by Eduardo Aguiar
  • Added support for ExFAT filesystems
  • New extension evidence-calls lists call logs
  • New extension evidence-text-autocomplete shows autocomplete texts
  • New module mobius::vfs::filesystem

Mobius Forensic Toolkit v1.21 released

Aug 15th, 2020 by Eduardo Aguiar
  • New extension Evidence-Viewer groups all evidence views
  • New extension evidence-bookmarked-urls shows Bookmarked URLs
  • app.skype: Better handling of chat messages with multiple recipients
  • Libmobius: SGML tokenizer and SGML parser implemented
  • Libmobius: file/folder implementation for interfacing libtsk

Evidence Viewer v1.0: List view
 

Evidence Viewer v1.0: Visited URLs
 

Mobius Forensic Toolkit v1.20 released

Jun 10th, 2020 by Eduardo Aguiar
  • New extension Search Viewer shows textual searches made by users on WWW sites
  • Spider: Added support for AppWiki
  • Spider: Added support for CKaach Browser
  • Spider: Added support for Kodi Browser Launcher
  • Spider: Added support for Kodi Chrome Launcher
  • Spider: Added support for Bradesco Net Express
  • Libmobius: New module mobius::pod for dynamic data models

Mobius Forensic Toolkit v1.19 released

Mar 7th, 2020 by Eduardo Aguiar
  • Added native support for VHDX image files
  • Libmobius: Added support for smb:// files
  • Spider: Added support for CryptoTab Browser
  • Spider: Added support for NavegadorPJe
  • Spider: Added support for Firefox Portable
  • Spider: Added support for Firefox folder from Avast Browser Cleanup
  • Spider: Added support for Chrome folder from Avast Browser Cleanup

Mobius Forensic Toolkit v1.18 released

Jan 23rd, 2020 by Eduardo Aguiar
  • New extension File Explorer browses evidence files on the fly; no preprocessing is needed.
  • Libmobius: New methods for mobius::io::file class (remove, rename, copy, move, ...).
  • Libmobius: New methods for mobius::io::folder class (remove, rename, ...).

File Explorer v1.0
 

Mobius Forensic Toolkit v1.17 released

Dec 8th, 2019 by Eduardo Aguiar
  • Chat-Viewer: Added support for Skype App v14 (sl4-username.db files)
  • Turing: Automatically decrypts System Credentials
  • Turing: New Chain Reaction algorithm to test all passwords/hashes against all hashes/keys
  • Python API: New wrapper functions for migration to Python 3

Mobius Forensic Toolkit v1.16 released

Oct 12th, 2019 by Eduardo Aguiar
  • Turing: Retrieves old password hashes from CREDHIST files (up to Win 8.1)
  • Turing: Retrieves passwords from Chromium based browsers (Chrome, Opera, ...) (up to Win 8.1)
  • Turing: Retrieves passwords from Windows Credentials (up to Win 8.1)
  • Turing: Retrieves passwords from IE Intelliforms (up to Win 8.1)
  • Spider: Added support for 7 Star
  • Spider: Added support for AliExpress Browser
  • Spider: Added support for Amigo
  • Spider: Added support for Avast Browser
  • Spider: Added support for BoBrowser
  • Spider: Added support for Brave
  • Spider: Added support for CentBrowser
  • Spider: Added support for Chedot
  • Spider: Added support for Chrome Canary
  • Spider: Added support for Chromium
  • Spider: Added support for Coccoc
  • Spider: Added support for Comodo Dragon
  • Spider: Added support for Elements Browser
  • Spider: Added support for Epic Privacy Browser
  • Spider: Added support for Kometa
  • Spider: Added support for Orbitum
  • Spider: Added support for PlutoTV
  • Spider: Added support for Spotify Browser
  • Spider: Added support for Sputnik
  • Spider: Added support for Torch
  • Spider: Added support for Uran
  • Spider: Added support for Vivaldi
  • Libmobius: Upgraded to C++14
  • Libmobius: New class mobius::crypt::cipher_rc2
  • Libmobius: New function turing::hash_ie_entropy
  • Python API: Releases GIL when calling C++ intensive tasks
  • Python API: Added support for cipher RC2

Mobius Forensic Toolkit v1.15 released

Aug 15th, 2019 by Eduardo Aguiar
  • DPAPI decryption implemented. It is based on previous research by Elie Bursztein and Jean-Michel Picod [1], Francesco Picasso [2] and Benjamin Delpy [3].
  • Turing: Automatically decrypts DPAPI system master keys
  • Turing: Automatically decrypts Win WiFi passwords

Mobius Forensic Toolkit v1.14 released

Jul 2nd, 2019 by Eduardo Aguiar
  • Added native support for .vhd image files
  • Spider: Added support for Opera
  • Spider: Added support for GeckoFX
  • Case Model: New class application
  • Case Model: New class profile
  • Case Model: New class cookie

Mobius Forensic Toolkit v1.13 released

Jun 8th, 2019 by Eduardo Aguiar
  • Case Model: New class password
  • Case Model: New class password_hash
  • Turing: Exports .hashcat hash files
  • Turing: Exports .john with RID, GID and GECOS fields filled
  • Turing: Using persistence layer from Case Model
  • Libmobius: On demand connection to database implemented in Turing API

Mobius Forensic Toolkit v1.12 released

Mar 8th, 2019 by Eduardo Aguiar

A new extension called Chat Viewer has been implemented. It automatically retrieves and shows chat messages from different applications. See ChangeLog file for a complete list of changes.

  • Chat Viewer: Added support for Skype
  • app.skype: Added support for Skype v8 and newer ones
  • app.chrome: Handles Web Data.version = 52
  • Libmobius: New function mobius::crypt::pbkdf1
  • Libmobius: New function mobius::crypt::pbkdf2_hmac
  • Python API: New module mobius.evidence.chats

Mobius Forensic Toolkit v1.11 released

Jan 23rd, 2019 by Eduardo Aguiar

A new extension called File Activity has been implemented. It automatically retrieves and shows information about files opened by the user, files received and files sent. See ChangeLog file for a complete list of changes.

  • Spider: Added support for Internet Explorer v4-9
  • File Activity: Added support for Chrome
  • File Activity: Added support for Firefox
  • File Activity: Added support for Internet Explorer v4-9
  • File Activity: Added support for Skype
  • Python API: Many new functions implemented

Mobius Forensic Toolkit v1.10 released

Nov 21st, 2018 by Eduardo Aguiar

A new extension called Spider has been implemented. It is a web browser forensics tool that automatically scans, retrieves and shows URL history, cookies and form history. See ChangeLog file for a complete list of changes.

  • Spider: Added support for Google Chrome
  • Spider: Added support for Mozilla Firefox
  • p2p.emule: Count = -1 for AC_SearchStrings searches
  • Python API: New module pymobius.app
  • Python API: New module pymobius.app.chrome
  • Python API: New module pymobius.app.emule
  • Python API: New module pymobius.app.firefox

Mobius Forensic Toolkit v1.9 released

Oct 12th, 2018 by Eduardo Aguiar

Case model has been implemented in C++, with a Python wrapper. Case data is now stored in a .sqlite database. See ChangeLog file for a complete list of changes.

  • ICE: Options Save and Save As removed
  • Python API: New module pymobius.json_serializer
  • New tool hashfs implemented
  • New tool casetree implemented
  • Extension case-model removed
  • Extension object-model removed
  • Python examples: New example program list_categories.py
  • Python examples: New example program casetree.py

100,000+ SLOC (Source lines of code)

Sep 22nd, 2018 by Eduardo Aguiar

We have passed 100,000 source lines of code. Mobius Forensic Toolkit is now a medium-sized project. The graph below shows the number of lines of code for each version:



A few things can be inferred from the numbers above and from the development process in general:

  • Libmobius development started on Sep 7th, 2015. In 3 years it has grown from 0 to 62,271 SLOC, about 20,700 SLOC/year or 1,729 SLOC/month.
  • In the last 12 months, Libmobius has grown from 31,151 to 62,271 SLOC, about 2,593 SLOC/month or 85 SLOC/day.
  • From version 0.5.22 to version 1.8, the project's source lines of code have grown from 42,051 to 102,707 SLOC.
  • The numbers above do not include the Python wrapper layer, also written in C++.
  • The demands for refactoring in Libmobius are low, which indicates a robust design.
  • The number of lines of code in Python is almost stable, even with many new features added. It means that we are successfully using the C++ API from libmobius.

Mobius Forensic Toolkit v1.8 released

Sep 15th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Emule and EmuleTorrent. See ChangeLog file for a complete list of changes.

  • p2p.ares: Retrieves data from TorrentH.dat evidence files
  • p2p.ares: Retrieves data from PHashIdx.dat evidence files
  • p2p.ares: Retrieves data from PHashIdxTemp.dat evidence files
  • p2p.ares: Retrieves data from TempPHash.dat evidence files
  • p2p.ares: Retrieves data from PHash_*.dat evidence files
  • p2p.ares: Retrieves data from PBTHash_*.dat evidence files
  • p2p.ares: Retrieves data from ___ARESTRA___* downloading files

Mobius Forensic Toolkit v1.7 released

Aug 11th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Ares Galaxy. See ChangeLog file for a complete list of changes.

  • Report Wizard: Two new graphic commands "while" and "exec"
  • Libmobius: ED2K cryptographic hash function implemented
  • Libmobius: New module mobius::model
  • Libmobius: Hash functions preserve state on get_digest ()
  • Python API: New module pymobius.p2p.ares
  • Python API: New module mobius.model

Mobius Forensic Toolkit v1.6 released

Jul 7th, 2018 by Eduardo Aguiar

P2P Viewer scans, retrieves and shows P2P application activity data from the evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.

  • Hive-Report: Four new fields added to Installed Programs report
  • Libmobius: Handle EWF corrupted files
  • Libmobius: New function mobius::core::log
  • Python API: New module mobius.decoder
  • Python API: New class mobius.decoder.mfc_decoder
  • Python API: New function mobius.core.log

Mobius Forensic Toolkit v1.5 released

Jun 9th, 2018 by Eduardo Aguiar

Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.

  • New imagefile format .msr supported
  • Category model in C++
  • Category model data stored into category.sqlite database file
  • Category-manager: import/export data as .json file
  • Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
  • Libmobius: Blowfish cryptographic cipher algorithm implemented
  • Libmobius: imagefile module refactored
  • Libmobius: Lazy evaluation for imagefile's implementation classes

Mobius Forensic Toolkit v1.4 released

Apr 28th, 2018 by Eduardo Aguiar

This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:

  • Added support for Win10 password hashes
  • Retrieves old password hashes and passwords, when available
  • Hive-report: More than 20 fields added to the UserAccount report
  • Libmobius: MD4 cryptographic hash function implemented
  • Libmobius: New module mobius::forensics::turing
  • Python API: New class mobius.crypt.hash

Mobius Forensic Toolkit v1.3 released

Apr 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:

  • Added support for Domain Cached Credentials v2
  • HMAC message authentication code implemented
  • Libmobius: 5x performance improvement for hash block functions
  • Libmobius: New connection_pool class with multi-thread support
  • Hive-report: New fields for Cached Credentials report
  • Gtk-UI: New widget widetableview
  • Unittest: New benchmark tool

Mobius Forensic Toolkit v1.2 released

Mar 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt LSA Secrets registry values, including those protected with PolEkList, as used by Windows Vista and newer systems. See ChangeLog file for a complete list of changes. Main changes are:

  • SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
  • AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
  • Hive extension: Shows decrypted LSA secrets values
  • Libmobius: hash_base, hash_stream and hash_block interfaces improved

Mobius Forensic Toolkit v1.1 released

Feb 11th, 2018 by Eduardo Aguiar

The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:

  • SHA-1 cryptographic hash function implemented
  • ROT-13 cryptographic cipher algorithm implemented
  • Libmobius: Automatically decodes UserAssist registry keys
  • Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
  • Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
  • Unification of Python API under one library

Mobius Forensic Toolkit v1.0 released

Nov 18th, 2017 by Eduardo Aguiar

The hive extension now retrieves the registry files directly from the disk and builds a unified registry structure, very akin to the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:

  • Hive extension: Interface reimplemented as a case view
  • Hive extension: Added support to big data (db) cells
  • Hive extension: New option to export registry files
  • Hive extension: Stores local copies of the registry files for fast access
  • C++ API: Hash_md5 calculations now fully inlined
  • C++ API: New function mobius::filesystem::entry.get_child_by_name
  • C++ API: New function mobius::filesystem::entry.get_child_by_path
  • C++ API: New function mobius::filesystem::entry.new_reader
  • Python API: New module mobius.xml
  • Python API: New function PyString_from_bytearray
  • Tools: New tool hive-info
  • Tools: New tool hive-scan