Mobius Forensic Toolkit

Mobius Forensic Toolkit v1.16 released

Oct 12th, 2019 by Eduardo Aguiar
  • Turing: Retrieves old password hashes from CREDHIST files (up to Win 8.1)
  • Turing: Retrieves passwords from Chromium based browsers (Chrome, Opera, ...) (up to Win 8.1)
  • Turing: Retrieves passwords from Windows Credentials (up to Win 8.1)
  • Turing: Retrieves passwords from IE Intelliforms (up to Win 8.1)
  • Spider: Added support for 7 Star
  • Spider: Added support for AliExpress Browser
  • Spider: Added support for Amigo
  • Spider: Added support for Avast Browser
  • Spider: Added support for BoBrowser
  • Spider: Added support for Brave
  • Spider: Added support for CentBrowser
  • Spider: Added support for Chedot
  • Spider: Added support for Chrome Canary
  • Spider: Added support for Chromium
  • Spider: Added support for Coccoc
  • Spider: Added support for Comodo Dragon
  • Spider: Added support for Elements Browser
  • Spider: Added support for Epic Privacy Browser
  • Spider: Added support for Kometa
  • Spider: Added support for Orbitum
  • Spider: Added support for PlutoTV
  • Spider: Added support for Spotify Browser
  • Spider: Added support for Sputnik
  • Spider: Added support for Torch
  • Spider: Added support for Uran
  • Spider: Added support for Vivaldi
  • Libmobius: Upgraded to C++14
  • Libmobius: New class mobius::crypt::cipher_rc2
  • Libmobius: New function turing::hash_ie_entropy
  • Python API: Releases GIL when calling C++ intensive tasks
  • Python API: Added support for cipher RC2

Mobius Forensic Toolkit v1.15 released

Aug 15th, 2019 by Eduardo Aguiar
  • DPAPI decryption implemented. It is based on previous research by Elie Bursztein and Jean-Michel Picod [1], Francesco Picasso [2] and Benjamin Delpy [3].
  • Turing: Automatically decrypts DPAPI system master keys
  • Turing: Automatically decrypts Win WiFi passwords

Mobius Forensic Toolkit v1.14 released

Jul 2nd, 2019 by Eduardo Aguiar
  • Added native support for .vhd image files
  • Spider: Added support for Opera
  • Spider: Added support for GeckoFX
  • Case Model: New class application
  • Case Model: New class profile
  • Case Model: New class cookie

Mobius Forensic Toolkit v1.13 released

Jun 8th, 2019 by Eduardo Aguiar
  • Case Model: New class password
  • Case Model: New class password_hash
  • Turing: Exports .hashcat hash files
  • Turing: Exports .john with RID, GID and GECOS fields filled
  • Turing: Using persistence layer from Case Model
  • Libmobius: On demand connection to database implemented in Turing API

Mobius Forensic Toolkit v1.12 released

Mar 8th, 2019 by Eduardo Aguiar

A new extension called Chat Viewer has been implemented. It automatically retrieves and shows chat messages from different applications. See ChangeLog file for a complete list of changes.

  • Chat Viewer: Added support for Skype
  • app.skype: Added support for Skype v8 and newer
  • app.chrome: Handles Web Data.version = 52
  • Libmobius: New function mobius::crypt::pbkdf1
  • Libmobius: New function mobius::crypt::pbkdf2_hmac
  • Python API: New module mobius.evidence.chats

Mobius Forensic Toolkit v1.11 released

Jan 23rd, 2019 by Eduardo Aguiar

A new extension called File Activity has been implemented. It automatically retrieves and shows information about files opened by the user, files received and files sent. See ChangeLog file for a complete list of changes.

  • Spider: Added support for Internet Explorer v4-9
  • File Activity: Added support for Chrome
  • File Activity: Added support for Firefox
  • File Activity: Added support for Internet Explorer v4-9
  • File Activity: Added support for Skype
  • Python API: Many new functions implemented

Mobius Forensic Toolkit v1.10 released

Nov 21st, 2018 by Eduardo Aguiar

A new extension called Spider has been implemented. It is a web browser forensics tool that automatically scans, retrieves and shows URL history, cookies and form history. See ChangeLog file for a complete list of changes.

  • Spider: Added support for Google Chrome
  • Spider: Added support for Mozilla Firefox
  • p2p.emule: Count = -1 for AC_SearchStrings searches
  • Python API: New module pymobius.app
  • Python API: New module pymobius.app.chrome
  • Python API: New module pymobius.app.emule
  • Python API: New module pymobius.app.firefox

Mobius Forensic Toolkit v1.9 released

Oct 12th, 2018 by Eduardo Aguiar

Case model has been implemented in C++, with Python wrapper. Case data is now stored in a .sqlite database. See ChangeLog file for a complete list of changes.

  • ICE: Options Save and Save As removed
  • Python API: New module pymobius.json_serializer
  • New tool hashfs implemented
  • New tool casetree implemented
  • Extension case-model removed
  • Extension object-model removed
  • Python examples: New example program list_categories.py
  • Python examples: New example program casetree.py

100,000+ SLOC (Source lines of code)

Sep 22nd, 2018 by Eduardo Aguiar

We have reached (and passed) 100,000+ source lines of code. Mobius Forensic Toolkit is now a medium-sized project. The graph below shows the number of lines of code according to each version:



A few things can be inferred from the numbers above and from the development process in general:

  • Libmobius development started on Sep 7th, 2015. In 3 years it has grown from 0 to 62,271 SLOC, about 20,700 SLOC/year or 1,729 SLOC/month.
  • In the last 12 months, Libmobius has grown from 31,151 to 62,271 SLOC, about 2,593 SLOC/month or 85 SLOC/day.
  • From version 0.5.22 to version 1.8, the project's source lines of code have grown from 42,051 to 102,707 SLOC.
  • The numbers above do not include the Python wrapper layer, also written in C++.
  • The demands for refactoring in Libmobius are low, which indicates a robust design.
  • The number of lines of code in Python is almost stable, even with many new features added. It means that we are successfully using the C++ API from libmobius.

Mobius Forensic Toolkit v1.8 released

Sep 15th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Emule and EmuleTorrent. See ChangeLog file for a complete list of changes.

  • p2p.ares: Retrieves data from TorrentH.dat evidence files
  • p2p.ares: Retrieves data from PHashIdx.dat evidence files
  • p2p.ares: Retrieves data from PHashIdxTemp.dat evidence files
  • p2p.ares: Retrieves data from TempPHash.dat evidence files
  • p2p.ares: Retrieves data from PHash_*.dat evidence files
  • p2p.ares: Retrieves data from PBTHash_*.dat evidence files
  • p2p.ares: Retrieves data from ___ARESTRA___* downloading files

Mobius Forensic Toolkit v1.7 released

Aug 11th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Ares Galaxy. See ChangeLog file for a complete list of changes.

  • Report Wizard: Two new graphic commands "while" and "exec"
  • Libmobius: ED2K cryptographic hash function implemented
  • Libmobius: New module mobius::model
  • Libmobius: Hash functions preserve state on get_digest ()
  • Python API: New module pymobius.p2p.ares
  • Python API: New module mobius.model

Mobius Forensic Toolkit v1.6 released

Jul 7th, 2018 by Eduardo Aguiar

P2P Viewer scans, retrieves and shows P2P application activity data from the evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.

  • Hive-Report: Four new fields added to Installed Programs report
  • Libmobius: Handle EWF corrupted files
  • Libmobius: New function mobius::core::log
  • Python API: New module mobius.decoder
  • Python API: New class mobius.decoder.mfc_decoder
  • Python API: New function mobius.core.log

Mobius Forensic Toolkit v1.5 released

Jun 9th, 2018 by Eduardo Aguiar

Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.

  • New imagefile format .msr supported
  • Category model in C++
  • Category model data stored into category.sqlite database file
  • Category-manager: import/export data as .json file
  • Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
  • Libmobius: Blowfish cryptographic cipher algorithm implemented
  • Libmobius: imagefile module refactored
  • Libmobius: Lazy evaluation for imagefile's implementation classes

Mobius Forensic Toolkit v1.4 released

Apr 28th, 2018 by Eduardo Aguiar

This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:

  • Added support for Win10 password hashes
  • Retrieves old password hashes and passwords, when available
  • Hive-report: More than 20 fields added to the UserAccount report
  • Libmobius: MD4 cryptographic hash function implemented
  • Libmobius: New module mobius::forensics::turing
  • Python API: New class mobius.crypt.hash

Mobius Forensic Toolkit v1.3 released

Apr 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:

  • Added support for Domain Cached Credentials v2
  • HMAC message authentication code implemented
  • Libmobius: 5x performance improvement for hash block functions
  • Libmobius: New connection_pool class with multi-thread support
  • Hive-report: New fields for Cached Credentials report
  • Gtk-UI: New widget widetableview
  • Unittest: New benchmark tool

Mobius Forensic Toolkit v1.2 released

Mar 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt LSA Secrets registry values, including LSA secrets that use PolEkList, as on Windows Vista and newer systems. See ChangeLog file for a complete list of changes. Main changes are:

  • SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
  • AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
  • Hive extension: Shows decrypted LSA secrets values
  • Libmobius: hash_base, hash_stream and hash_block interfaces improved

Mobius Forensic Toolkit v1.1 released

Feb 11th, 2018 by Eduardo Aguiar

The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:

  • SHA-1 cryptographic hash function implemented
  • ROT-13 cryptographic cipher algorithm implemented
  • Libmobius: Automatically decodes UserAssist registry keys
  • Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
  • Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
  • Unification of Python API under one library

Mobius Forensic Toolkit v1.0 released

Nov 18th, 2017 by Eduardo Aguiar

The hive extension now retrieves the registry files directly from the disk and builds a unified registry structure, very similar to the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:

  • Hive extension: Interface reimplemented as a case view
  • Hive extension: Added support for big data (db) cells
  • Hive extension: New option to export registry files
  • Hive extension: Stores local copies of the registry files for fast access
  • C++ API: Hash_md5 calculations now fully inlined
  • C++ API: New function mobius::filesystem::entry.get_child_by_name
  • C++ API: New function mobius::filesystem::entry.get_child_by_path
  • C++ API: New function mobius::filesystem::entry.new_reader
  • Python API: New module mobius.xml
  • Python API: New function PyString_from_bytearray
  • Tools: New tool hive-info
  • Tools: New tool hive-scan