Mobius Forensic Toolkit v1.9 released

Oct 12th, 2018 by Eduardo Aguiar

Case model has been implemented in C++, with Python wrapper. Case data is now stored in a .sqlite database. See ChangeLog file for a complete list of changes.

ICE: Options Save and Save As removed
Python API: New module pymobius.json_serializer
New tool hashfs implemented
New tool casetree implemented
Extension case-model removed
Extension object-model removed
Python examples: New example program list_categories.py
Python examples: New example program casetree.py

100,000+ SLOC (Source lines of code)

Sep 22th, 2018 by Eduardo Aguiar

We have reached (and passed) 100,000+ source lines of code. Mobius Forensic Toolkit is now a medium-sized project. The graph below shows the number of lines of code according to each version:

A few things can be inferred from the numbers above and from the development process in general:

Libmobius development started in Sep, 7th 2015. In 3 years it has grown from 0 to 62,271 SLOC, about 20,700 SLOC/year or 1,729 SLOC/month.
In the last 12 months, Libmobius has grown from 31,151 to 62,271 SLOC, about 2,593 SLOC/month or 85 SLOC/day.
From version 0.5.22 to version 1.8, the project source lines of code has grown from 42,051 to 102,707 SLOC.
The numbers above do not include the Python wrapper layer, also written in C++.
The demands for refactoring in Libmobius are low, which indicates a robust design.
The number of lines of code in Python is almost stable, even with many new features added. It means that we are successfully using the C++ API from libmobius.

Mobius Forensic Toolkit v1.8 released

Sep 15th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Emule and EmuleTorrent. See ChangeLog file for a complete list of changes.

p2p.ares: Retrieves data from TorrentH.dat evidence files
p2p.ares: Retrieves data from PHashIdx.dat evidence files
p2p.ares: Retrieves data from PHashIdxTemp.dat evidence files
p2p.ares: Retrieves data from TempPHash.dat evidence files
p2p.ares: Retrieves data from PHash_*.dat evidence files
p2p.ares: Retrieves data from PBTHash_*.dat evidence files
p2p.ares: Retrieves data from ___ARESTRA___* downloading files

Mobius Forensic Toolkit v1.7 released

Aug 11th, 2018 by Eduardo Aguiar

P2P Viewer: added support for Ares Galaxy. See ChangeLog file for a complete list of changes.

Report Wizard: Two new graphic commands "while" and "exec"
Libmobius: ED2K cryptographic hash function implemented
Libmobius: New module mobius::model
Libmobius: Hash functions preserve state on get_digest ()
Python API: New module pymobius.p2p.ares
Python API: New module mobius.model

Mobius Forensic Toolkit v1.6 released

Jul 7th, 2018 by Eduardo Aguiar

P2P Viewer scans, retrieves and shows P2P applications activity data from evidence disk. This version adds support for Shareaza P2P application data. See ChangeLog file for a complete list of changes.

Hive-Report: Four new fields added to Installed Programs report
Libmobius: Handle EWF corrupted files
Libmobius: New function mobius::core::log
Python API: New module mobius.decoder
Python API: New class mobius.decoder.mfc_decoder
Python API: New function mobius.core.log

Mobius Forensic Toolkit v1.5 released

Jun 9th, 2018 by Eduardo Aguiar

Mobius Forensic Toolkit automatically decrypts Samsung's Secret Zone .msr encrypted files, no password required. See ChangeLog file for a complete list of changes.

New imagefile format .msr supported
Category model in C++
Category model data stored into category.sqlite database file
Category-manager: import/export data as .json file
Libmobius: Triple-DES (3des) cryptographic cipher algorithm implemented
Libmobius: Blowfish cryptographic cipher algorithm implemented
Libmobius: imagefile module refactored
Libmobius: Lazy evaluation for imagefile's implementation classes

Mobius Forensic Toolkit v1.4 released

Apr 28th, 2018 by Eduardo Aguiar

This release features the Turing view, a case view that shows user password hashes, domain cached credentials hashes, automatic logon passwords, HelpAssistant passwords, ASPNET passwords, UpdatusUser passwords, among others. See ChangeLog file for a complete list of changes. Main changes are:

Added support for Win10 password hashes
Retrieves old password hashes and passwords, when available
Hive-report: More than 20 fields added to the UserAccount report
Libmobius: MD4 cryptographic hash function implemented
Libmobius: New module mobius::forensics::turing
Python API: New class mobius.crypt.hash

Mobius Forensic Toolkit v1.3 released

Apr 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt MS Domain Cached Credentials registry values, both version 1 and version 2. See ChangeLog file for a complete list of changes. Main changes are:

Added support for Domain Cached Credentials v2
HMAC message authentication code implemented
Libmobius: 5x performance improvement for hash block functions
Libmobius: New connection_pool class with multi-thread support
Hive-report: New fields for Cached Credentials report
Gtk-UI: New widget widetableview
Unittest: New benchmark tool

Mobius Forensic Toolkit v1.2 released

Mar 3rd, 2018 by Eduardo Aguiar

The registry classes automatically decrypt LSA Secrets registry values, including those LSA using PolEkList, such as Windows Vista and newer systems. See ChangeLog file for a complete list of changes. Main changes are:

SHA-2 cryptographic hash functions implemented (224, 256, 384, 512, 512/224 and 512/256 bits)
AES cryptographic cipher algorithm implemented (128, 192 and 256 bits)
Hive extension: Shows decrypted LSA secrets values
Libmobius: hash_base, hash_stream and hash_block interfaces improved

Mobius Forensic Toolkit v1.1 released

Feb 11th, 2018 by Eduardo Aguiar

The registry classes automatically decrypt both UserAssist keys and Protected Storage System Provider (PSSP) keys. Both keys can be browsed with the hive extension. See the ChangeLog file for a complete list of changes. Main changes are:

SHA-1 cryptographic hash function implemented
ROT-13 cryptographic cipher algorithm implemented
Libmobius: Automatically decodes UserAssist registry keys
Libmobius: Automatically decrypts Protected Storage System Provider (PSSP) registry keys
Libmobius: New functions for registry and registry_key classes: get_key_by_mask, get_value_by_mask and get_data_by_mask
Unification of Python API under one library

Mobius Forensic Toolkit v1.0 released

Nov 18th, 2017 by Eduardo Aguiar

The hive extension now retrieves the registry files directly from the disk and builds an unified registry structure, very akin to the registry structure shown by regedit. A new C++ module mobius::ant::registry (and its Python API counterpart mobius.ant.registry) has been developed to decode the registry objects (files, keys, values and data) and has been added to the libmobius. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Main changes are:

Hive extension: Interface reimplemented as a case view
Hive extension: Added support to big data (db) cells
Hive extension: New option to export registry files
Hive extension: Stores local copies of the registry files for fast access
C++ API: Hash_md5 calculations now fully inlined
C++ API: New function mobius::filesystem::entry.get_child_by_name
C++ API: New function mobius::filesystem::entry.get_child_by_path
C++ API: New function mobius::filesystem::entry.new_reader
Python API: New module mobius.xml
Python API: New function PyString_from_bytearray
Tools: New tool hive-info
Tools: New tool hive-scan

Release 0.5.31 published

Sep 11th, 2017 by Eduardo Aguiar

The C++ API's module mobius::filesystem navigates through the file systems using libtsk. Big performance improvement to the module mobius::imagefile::ewf. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

C++ API: new module mobius::disk
C++ API: new class mobius::filesystem::entry
C++ API: new class mobius::metadata
Python API: new module mobius.disk
Python API: new class mobius.filesystem.entry
configure.ac: libtsk is now mandatory
gtk-ui: lazy update implemented to viewselector
New tool dirfs implemented

Release 0.5.30 published

Aug 9th, 2017 by Eduardo Aguiar

The new C++ API's module mobius::filesystem detects and retrieves metadata from Ext2/3/4, HFS+ and HFSX, ISO-9660, NTFS and VFAT filesystems. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

New extension filesystem-viewer shows all filesystems detected from disks and their metadata
C++ API: new function mobius::filesystem::get_filesystems
C++ API: new function mobius::filesystem::get_filesystem_metadata
Python API: new function mobius.api.get_filesystems
Python API: new generic dataholder class api_dataholder
New tool filesystem_scan implemented

Release 0.5.29 published

Jul 5th, 2017 by Eduardo Aguiar

This release adds support to DOS partitions, GPT partitions and Apple Partition Map partitions. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

C++ API: new module mobius::partition
C++ API: added support to DOS partition system
C++ API: added support to GPT partition system
C++ API: added support to APM partition system
python API: new package mobius.api
datasource-physical-device: uses mobius.api.device and get_devices
datasource-physical-device: does not need package python_gudev anymore
tools: new partition_table tool

Release 0.5.28 published

Jun 15th, 2017 by Eduardo Aguiar

This release features many C++ API new implementations: support to both MD5 hash and to Adler-32 CRC has been added, as well as write support to EWF imagefiles. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

new extension gtk-report-dialog
datasource-model: does not set empty attributes
new ewf_decoder tool
C++ API: new module mobius::imagefile::ewf
C++ API: new module mobius::codec
C++ API: new hash function mobius::crypt::hash_md5
C++ API: new hash function mobius::crypt::hash_adler32
C++ API: several new functions implemented into datetime module
C++ API: new template class mobius::crypt::hash_functor evaluates hashes in parallel to reading or writing data

Release 0.5.27 published

Jan 31st, 2017 by Eduardo Aguiar

This release features the lshw-agent extension, which reads an output from the command lshw -xml and creates notebooks/computer items and their components, such as network cards, harddisks, graphic cards. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

C++ API: new module mobius::core
C++ API: new module mobius::decoder
C++ API: new module mobius::database
C++ API: imagefile_ewf handles 64-bit number of sectors
C++ API: application class compatible with XDG Base Directory Specification
config dir now default to $HOME/.config/mobiusft
Python API: new class mobius.core.application
Extensions use base64.b64decode instead of string.decode
hive: detects NTUSER.DAT on Win10
tools: new tool device_list
tools: new tool disk_list

Release 0.5.26 published

Oct 8th, 2016 by Eduardo Aguiar

This release adds imagefile classes both to the C++ API and to the Python API, supporting raw, split, talon, solo, dossier and ewf files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog file for a complete list of changes. Other changes are:

C++ API: new string functions
C++ API: zlib_compress and zlib_decompress functions
new extension hive-shareaza-report
new extension hive-gigatribe-report
new hive report: Shareaza General Info
new hive report: Shareaza User Folders
new hive report: Shareaza Protocols
new hive report: Shareaza Search History
attribute-viewer: retrieve item's children on DND
tools: new tool imagefile_info
tools: new tool imagefile_convert

Release 0.5.25 published

Jul 23rd, 2016 by Eduardo Aguiar

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

C++ API: charset conversion functions implemented (mobius/charset.h)
C++ API: new class mobius::io::resource
C++ API: new class mobius::io::file
C++ API: new class mobius::io::folder
C++ API: new class mobius::io::reader
C++ API: new class mobius::io::writer
C++ API: new class mobius::system::group
C++ API: new class mobius::system::user
python API: new class mobius.io.file
python API: new class mobius.io.folder
python API: new class mobius.io.reader
python API: new class mobius.io.writer
part-catalogue: show confirmation dialog before inserting new part
imagefile-ewf: handle disk section
imagefile-ewf: handle done section
uri extension eliminated
uri-file extension eliminated
configure.ac: fixed bug when libtsk is not available.

Release 0.5.24 published

Dec 3rd, 2015 by Eduardo Aguiar

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

C++ API: new class mobius::io::uri
C++ API: new class mobius::io::reader (abstract class)
C++ API: new class mobius::io::seekable_reader (abstract class)
C++ API: new class mobius::io::file_descriptor_reader
C++ API: new class mobius::io::file_reader
C++ API: new class mobius::io::uri_reader
C++ API: new class mobius::datetime::date
C++ API: new class mobius::datetime::time
C++ API: new class mobius::datetime::datetime
C++ API: new class mobius::datetime::timedelta
C++ API: new functions at mobius::datetime::conv_iso_string.h
C++ API: new functions at mobius::datetime::conv_julian.h
C++ API: new functions at mobius::datetime::conv_nt_timestamp.h
C++ API: new functions at mobius::datetime::conv_unix_timestamp.h
C++ API: mobius::hash_crc32 using precalculated CRC table
C++ API: new class mobius::crypt::cipher_base (abstract class)
C++ API: new class mobius::regex
C++ API: mobius/exception_posix.h for errno based exceptions
python API: new package mobius.io
python API: new class mobius.io.uri_reader
part-model: use sqlite3 database
cellphone-agent: datetime parsing bug fixed
data-sourcerer: check if datasource is available on populate_metadata

Release 0.5.23 published

Oct 6th, 2015 by Eduardo Aguiar

This release adds new classes both to the C++ API and to the Python API. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

C++ API: new class mobius::unittest
C++ API: new class mobius::bytearray
C++ API: new class mobius::crypt::hash_base (abstract class)
C++ API: new class mobius::crypt::hash_crc32
C++ API: new class mobius::crypt::hash_zip
C++ API: new class mobius::crypt::cipher_block (abstract class)
C++ API: new class mobius::crypt::cipher_block_mode (abstract class)
C++ API: new class mobius::crypt::cipher_block_mode_ecb
C++ API: new class mobius::crypt::cipher_block_mode_cbc
C++ API: new class mobius::crypt::cipher_des
C++ API: new class mobius::crypt::cipher_stream (abstract class)
C++ API: new class mobius::crypt::cipher_rc4
C++ API: new class mobius::crypt::cipher_zip
C++ API: new class mobius::application
C++ API: code compatible with C++11
python API: new wrapper class mobius.crypt.hash_zip
python API: new wrapper class mobius.crypt.cipher_rc4
python API: new wrapper class mobius.crypt.cipher_zip
python API: new wrapper class mobius.crypt.cipher_des
hive-report: use mobius.crypt.cipher_rc4
hive-report: use mobius.crypt.cipher_des
hive-report: new report "encrypted volumes" lists Folder Locker 6 volumes
hive-pstore: use mobius.crypt.cipher_des
hive-turing: use mobius.crypt.cipher_rc4
hive-turing: use mobius.crypt.cipher_des
turing-model: use mobius.crypt.cipher_des

New tutorial available: Cracking Windows passwords with MobiusFT and JTR

Sep 23rd, 2015 by Eduardo Aguiar

This tutorial was previously available as a section of the Mobius Forensic Toolkit tutorial. Click here to see it.

Release 0.5.22 published

Sep 7th, 2015 by Eduardo Aguiar

This release introduces the Mobius Forensic Toolkit API, an API written in C++ with Python bindings. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

C++ API: new mobius::tsk classes to access libtsk

python API: wrapper for mobius::tsk

new installation method using configure, make and make install

mediator.py: moved to mobius package

emule-agent: new report "shared folders"

emule-agent: handle tags 0x34 and 0x35

emule-agent: fix BLOB decoding

emule-agent: specific policies for dreamule and emule config

emule-agent: check if AC_SearchStrings.dat exists before opening

hive-report: catch exceptions at get_computer_name function

hive-report: add Wow6432Node subkeys to the Installed Program report

datasource-physical-device: fix retrieve_metadata for disks that have empty serial numbers

imagefile-ewf: fix amount of bytes read in decode_hash_section

engelbart: class UIManager implemented

Release 0.5.21 published

Oct 7th, 2014 by Eduardo Aguiar

This release introduces the eMule Agent extension, an extension to parse eMule artifacts. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

new extension emule-agent

new extension engelbart

hive-report: new report "Ares accounts"

hive-report: new report "last mounted devices"

hive-report: installed program handles UNIX install datetime

hive-report: installed program also retrieves from NTUSER.dat uninstall subkeys. Suggested by Clemente Paixão

gigatribe-agent: datetime decoder fixed

gtk-ui: service ui.start moved to engelbart extension

gtk-ui: service ui.stop moved to engelbart extension

gtk-ui: service ui.flush moved to engelbart extension

gtk-ui: deprecated service ui.render-icon removed

gtk-ui: service ui.new-icon-from-data set deprecated

gtk-ui: service ui.new-icon-from-file set deprecated

skype-agent: REPORT_ICON_DATA replaced by report.run icon

emule-agent: REPORT_ICON_DATA replaced by report.run icon

ice: REPORT_ICON_DATA replaced by report.run icon

report-wizard: TRASH_BIN_ICON replaced by dnd.delete icon

ice: use image_buffer instead of ui.render-icon

category-manager: use image_buffer instead of ui.render-icon

engelbart: new service ui.new-factory

extension-manager: use image_buffer instead of ui.new-icon-from-data

date-code: copyright (c) 2014

New Homepage

Jul 26th, 2014 by Eduardo Aguiar

Due to the shutdown of freecode.com, I had to hastily make this homepage. For now on, every announcement about the project will be posted here. It is a work in progress, and suggestions are welcome.

Release 0.5.20 published

Jul 23, 2014 by Eduardo Aguiar

This release introduces the CellPhone Agent extension, an extension to browse Cellebrite's report.xml files. Minor improvements have been made and a few bugs have been fixed. See the ChangeLog:

new extension cellphone-agent

report-model: new service report.run-dialog

report-model: verbatim generates '%' instead of '%%'

report-model: do not generate duplicated methods in .py

gtk-ui: forbid treeitem DND onto itself

gtk-ui: case treeview icon cache implemented

gtk-ui: do not expand selected item when item.children is modified

skype-agent: "generate report" option

skype-agent: account view disables DND when not selected

skype-agent: account tile image repositioned

ice: use service report.run-dialog

sdi-window-manager: call to on_widget_started eliminated

partition-viewer: scan only partition-system components

partition-agent: update item.children only if it detects partitions

partition-agent-dos: keep item.children when building components

turing: test dictionary option fixed

Search

Try It!

mobiusft-1.9.tar.xz

mobiusft-1.9.tar.bz2

mobiusft-1.9.zip

Contact us!

Mailing List

Tech Support

Bug Tracker