forked from simsong/bulk_extractor
ChangeLog
2021-10-18 Simson Garfinkel
* Removed plugins directory
* Updated to 2.0.0-beta1
2020-06-20 simson garfinkel
* Removed Java GUI
2020-06-14 fedora Cloud User <[email protected]>
* src/threadpool.cpp: numCPU() now simply calls std::thread::hardware_concurrency(). Perhaps more should be replaced over time, but it would be super-exciting to see the threadpool be able to spin off threads onto other servers, which was the original intent.
2020-06-13 Simson Garfinkel <[email protected]>
* updated license to MIT License, copyright Simson L. Garfinkel, consistent with the fact that this is no longer an official US Government work product.
2019-11-10 Simson Garfinkel <[email protected]>
* tests/data_check.txt: updated offset for JAVA.EXE
sadly, Data/WindowsXPPrefetch_JAVA.exe.pdf was removed because it seems that the file was not in the git repo.
* src/scan_wordlist.cpp (scan_wordlist): changed sbuf.buf[i] to sbuf.get8u(i) to eliminate crash.
(scan_wordlist): cleaned up state machine. (The above fix made it clear there was a state machine error.)
* configure.ac: increased version number to 1.6.0 to celebrate the new scanners
* src/scan_utmp.cpp: added scanner
* src/scan_ntfsmft.cpp: added scanner
* src/scan_ntfslogfile.cpp: added scanner
* src/scan_ntfsindx.cpp: added scanner
* src/scan_evtx.cpp: added scanner
2019-11-09 Overall <[email protected]>
* ChangeLog - cleaned up for current release. Incremented version number to 1.5.6
2014-08-20 Basic <[email protected]>
* src/scan_pipe.cpp (scan_pipe): removed scan_pipe (since you don't want to fork with threads)
2014-08-12 Man Page <[email protected]>
* doc/announce_1.5.2.md: announced release 1.5.2
2014-08-03 Basic <[email protected]>
* configure.ac: incremented version number
2014-07-18 Basic <[email protected]>
* src/image_process.cpp: multi-split files were not working properly on Windows. Fixed
2014-07-17 Basic <[email protected]>
* src/scan_rar.cpp (scan_rar): fixed typo. raw_find_volume becomes rar_find_volume
2014-05-17 Basic <[email protected]>
* src/scan_base16.flex (public): fixed decoder so that what is decoded is a child sbuf with a specific offset and length
2014-04-17 Basic <[email protected]>
* src/be13_api/feature_recorder.cpp (hexval): fixed hexval(); it was not working properly for letters A through F. (I wrote this myself because it isn't present on mingw.)
2014-04-15 Basic <[email protected]>
* src/be13_api/feature_recorder.h (f): several of the flags were the same, resulting in behavior that was incorrect.
2014-04-03 Basic <[email protected]>
* src/be13_api/feature_recorder_set.cpp (feature_recorder_set::unset_flag): changed clear_flag to unset_flag for consistency.
2014-04-02 Basic <[email protected]>
* bugfix: featurefiles for carved elements no longer include the name of the -o directory.
2014-02-25 Man Page <[email protected]>
* src/scan_vcard.cpp (scan_vcard): removed string myString;
2014-01-26 Basic <[email protected]>
* src/image_process.h (class process_dir): changed blocks() to max_blocks().
2014-01-10 Basic <[email protected]>
* src/be13_api/feature_recorder.cpp (feature_recorder::dump_histogram): moved regex into histogram_def so that it could be run in write(), rather than in post-processing.
2014-01-07 Basic <[email protected]>
* src/be13_api/feature_recorder.h (class feature_recorder): removed outdir and input_fname from feature_recorder, since they are in the feature_recorder_set
2014-01-02 Man Page <[email protected]>
* src/be13_api/feature_recorder.h (class feature_recorder): carve no longer needs hasher passed in, because it is in the feature_recorder_set
* src/be13_api/bulk_extractor_i.h (be13): hash_def moved from be13 namespace to feature_recorder_set
2013-12-13 Basic <[email protected]>
* src/image_process.h (class process_dir): implemented const correctness for a whole bunch of methods
* src/be13_api/feature_recorder.h: removed using namespace std
2013-12-11 Basic <[email protected]>
* src/be13_api/feature_recorder_set.h (class feature_recorder_set): process_histograms changed to make_histograms, because that's what it is doing
* src/be13_api/feature_recorder.h (class feature_recorder): make_histogram renamed to dump_histogram (because that's what it's doing; callback function added)
2013-11-13 Basic <[email protected]>
* src/be13_api: USE_HISTOGRAMS is gone; everybody uses them now.
* src/main.cpp (main): alert_list and stop_list are no longer global variables; they are now local to main() and added to the feature_recorder_set
* src/be13_api/feature_recorder_set.cpp (feature_recorder_set::init): stop_list and alert_list are now part of the feature_recorder_set.
2013-11-11 Basic <[email protected]>
* src/be13_api/Makefile.defs: moved word_and_context_list.* from bulk_extractor to be13_api
* src/be13_api/feature_recorder.cpp (feature_recorder::feature_recorder): now has reference to feature_recorder_set
* src/stand.cpp (main): replaced manual histogram generator in stand with call to phase_histogram in be13::plugin
2013-11-08 Basic <[email protected]>
* src/be13_api/bulk_extractor_i.h (be13): added proper #ifdefs for each type
2013-11-05 Basic <[email protected]>
* src/be13_api/feature_recorder_set.h (class feature_recorder_set): more functions were made virtual and more instance values were made private
2013-10-26 Basic <[email protected]>
* src/be13_api/bulk_extractor_i.h: process_packet_info renamed to process_packet.
* src/be13_api/sbuf.h (class sbuf_t): removed pos0_t from map_file because it can be inferred.
2013-09-27 Basic <[email protected]>
* python/bulk_extractor_reader.py (BulkReport): changed .imagefile() to .image_filename
* python/identify_filenames.py: changed .imagefile to .image_filename
2013-10-22 Basic <[email protected]>
* configure.ac: updated for C++ and MacOS Mavericks. Changed version to 1.4.2
2013-10-15 Basic <[email protected]>
* src/main.cpp (main): removed BULK_EXTRACTOR_DEBUG.
2013-10-08 Basic <[email protected]>
* src/scan_net.cpp (p): removed packetset (no longer used)
* src/be13_api/sbuf.h (stoi64): stoi() removed because it is part of stdc11
2013-10-08 Simson Garfinkel <[email protected]>
* src/be13_api/feature_recorder.h (f): removed tags
2013-10-07 Basic <[email protected]>
* src/be13_api/plugin.cpp (plugin::phase_histogram): cleaned up printing of newlines during histogram output printing.
* src/be13_api/feature_recorder.cpp (feature_recorder::write): replace substr with in-place resize
2013-10-07 Basic <[email protected]>
* src/be13_api/feature_recorder.h (class feature_recorder): added MAINTHREAD() to set_flag(), because flags should only be set in the main thread. Also moved definition into feature_recorder.cpp, so that the in-memory histogram can be created if that flag is set.
2013-09-25 Basic <[email protected]>
* src/bulk_extractor.cpp (main): added reporting of MD5 of disk image
2013-09-18 Simson Garfinkel <[email protected]>
* src/be13_api/feature_recorder.cpp (carve): valid_dosname has to be applied to ext, since ext may come with slashes in it.
2013-09-17 Simson Garfinkel <[email protected]>
* src/scan_bulk.cpp (dfrws2012_bulk_process_dump): removed DFRWS code.
2013-09-16 Simson Garfinkel <[email protected]>
* configure.ac: incremented version to 1.4.1-dev. Enabled LT_INIT support; removed RANLIB support.
2013-08-20 Basic <[email protected]>
* src/scan_accts.flex (dob): DOBs, Fedex#s, and SSNs are now recorded to a feature recorder called 'pii.txt'.
2013-08-20 Man Page <[email protected]>
* configure.ac: updated to beta6
* src/be13_api/feature_recorder.cpp (feature_recorder::write_tag): disabled recorders no longer carve or have tag support.
2013-08-18 Man Page <[email protected]>
* src/be13_api/feature_recorder_set.cpp (feature_recorder_set::create_name): added warning if feature recorder already exists.
* src/bulk_extractor.cpp (main): removed explicit creation of alert recorder; no longer needed.
* src/be13_api/feature_recorder_set.h (class feature_recorder_set): alert_recorder should not be a global static; it is now per feature_recorder_set.
2013-08-02 Basic <[email protected]>
* src/be13_api/feature_recorder.cpp (feature_recorder::feature_recorder): removed carved_set that was keeping track of what was carved, as it is no longer necessary.
2013-08-01 Basic <[email protected]>
* src/scan_exif.cpp (scan_exif): jpeg carver feature recorder renamed to jpeg_carved.
2013-07-30 Basic <[email protected]>
* src/be13_api/plugin.cpp (info_scanners): now only prints -H info if it is provided by the scanner.
2013-07-29 Man Page <[email protected]>
* src/scan_zip.cpp (scan_zip_component): now records general_purpose_bit_flags in XML. Bit 1 indicates that a component is encrypted
(scan_zip_component): removed max_depth check; it's in plugin system
2013-07-26 Simson Garfinkel <[email protected]>
* src/scan_net.cpp (scan_net): the -S variable carve_tcp is now implemented by the scan_net scanner to enable or disable TCP/IP memory structure carving. It is disabled by default.
2013-07-17 Basic <[email protected]>
* src/scan_windirs.cpp (scan_windirs): windirs now only runs at top level
* src/scan_zip.cpp (scan_zip_component): now prints mtime in ISO8601 format
(scan_zip_component): (previously mtime and ctime were wrong parts)
2013-07-16 Man Page <[email protected]>
* src/scan_xor.cpp (scan_xor): will not XOR on either side of a ZIP. improved error handling
* tests/regress.py: updated numbers for 1.4 release
2013-07-14 Basic <[email protected]>
* configure.ac: updated to beta4
2013-07-11 Basic <[email protected]>
* configure.ac: updated to beta3
* src/scan_exif.cpp: fixed jpeg validation. carving now works.
2013-07-09 Simson Garfinkel <[email protected]>
* src/be13_api/plugin.cpp (GET_CONFIG): fixed bug in handling of uint8_t config values. They weren't getting set properly. Ugh.
* src/scan_xor.cpp (scan_xor): fixed error when XOR mask was specified as 0. Previously it recursed; now it does not.
2013-07-02 Simson Garfinkel <[email protected]>
* configure.ac: removed defines we aren't using anymore
2013-06-27 Basic <[email protected]>
* src/be13_api/feature_recorder.h (class feature_recorder): as a result of popular demand, the UTF8 BOM and BOM EXPLANATION have been removed from the feature files
2013-06-26 Basic <[email protected]>
* src/be13_api/feature_recorder_set.cpp (feature_recorder_set::get_name): get_name() now returns NULL if feature recorder does not exist.
* src/be13_api/feature_recorder.h (class feature_recorder): added context_window_before() and context_window_after().
* src/bulk_extractor.cpp (main): replaced context_window with context_window_default.
2013-06-21 Man Page <[email protected]>
* src/be13_api/bulk_extractor_i.h (class scanner_params): made more variables const.
(class recursion_control_block): removed returnAfterFound(raf); now implemented with exceptions
2013-06-19 Basic <[email protected]>
* src/bulk_extractor.cpp (]): fixed handling of LIB_EXPAT
(b): restart logic did not compile. Now it is fixed.
* configure.ac: fixed bug in which expat.h was not being checked for. use AC_CHECK_HEADERS() instead of AC_CHECK_HEADER(), as AC_CHECK_HEADER() requires that you add additional logic and AC_CHECK_HEADERS() automatically adds HAVE_HEADER_H.
2013-06-18 Basic <[email protected]>
* src/scan_zip.cpp (scan_zip): removed name_len (not needed)
2013-06-17 Basic <[email protected]>
* src/pyxpress.h: removed 'extern' designation
* src/image_process.h (i): removed extern size_t opt_pagesize and extern size_t opt_margin. These are now phase1 configuration variables that are passed into the image_iterator.
2013-06-15 Basic <[email protected]>
* src/scan_email.flex (Host): removed ip_written and ip_tested (always remove dead code)
2013-06-08 Basic <[email protected]>
* src/be13_api/feature_recorder.cpp (feature_recorder::carve): changed carving so that carved files are stored with the filename of their location. Also, fixed check-then-access race error in feature_record.cpp
(feature_recorder::carve): fixed race condition in carving.
2013-05-28 Basic <[email protected]>
* feature_recorder_set.cpp - debug is now a static variable
* src/image_process.h (image_process): debug is now a local variable for image_process.h
2013-05-22 Man Page <[email protected]>
* src/be13_api/bulk_extractor_i.h (DEBUG_EXIT_EARLY): removed DEBUG_MALLOC and DEBUG_MALLOC_FAIL_FREQUENCY; now is handled with -S system
* src/bulk_extractor.h: removed all global options; replaced with the be config system
* src/pyxpress.c: added OpenSSL exemption per email from Matthieu Suiche
* src/be13_api/sbuf.h: md5 support removed from sbuf
2013-05-21 Basic <[email protected]>
* src/be13_api/plugin.cpp (plugin::get_scanner_feature_file_names): extensive changes to make the global functions part of the be13::plugin class.
2013-05-20 Basic <[email protected]>
* src/bulk_extractor.cpp (main): -S now sets options; -s now sets sampling fraction.
2013-05-13 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (usage): The -B option for specifying the blocksize for bulk data analysis has been removed. Instead specify it with -S block_size=NN.
* src/be13_api/xml.cpp (xml::xml): Routine for opening an existing DFXML file is removed. Anyone who processes XML with regular expressions is in a state of sin.
2013-05-12 Basic <[email protected]>
* src/be13_api/plugin.cpp: max_depth changed to 7
2013-05-11 <[email protected]>
* src/scan_winpe.cpp (scan_winpe_verify): added verification of section names and DLL names to reject false positives.
2013-05-09 <[email protected]>
* src/scan_net.cpp (p): carved ethernet packets are now properly recorded in ether.txt and tcp.txt
* packet carving for disembodied ethernet packets fixed! In 3ad21780, simsong was creating the hz structure but not setting it, so all carved packets had zero length
2013-05-08 <[email protected]>
* src/be13_api/feature_recorder.cpp (banner_stamp): added \n to # BANNER FILE NOT PROVIDED
* src/scan_elf.cpp (scan_elf_verify): fixed bug in scan_elf where XML was incorrect and being generated for invalid ELF headers.
2013-03-23 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (main): -Z is no longer fatal if directory does not exist.
2013-03-23 Simson Garfinkel <[email protected]>
* configure.ac: fixed AX_PTHREAD test to fail if pthreads are not found.
2013-03-22 <[email protected]>
* src/be13_api/feature_recorder_set.cpp (get_name): renamed Mstats to Mlock. Added Mlock to get_name() (apparently this isn't thread safe?)
2013-01-29 Simson Garfinkel <[email protected]>
* src/threadpool.h (class worker): removed pesky noreturn problem with threadpool.
2012-12-25 Simson Garfinkel <[email protected]>
* python/identify_filenames.py (process_featurefile): added #'s to report printed at bottom
(process_featurefile): added format
* python/bulk_extractor_reader.py (is_feature_line): Now handles annotated feature files.
(BulkReport.__init__.validate): added programmer notice for error of providing a feature file instead of a report directory
2012-11-25 Simson Garfinkel <[email protected]>
* src/be13_api/feature_recorder.cpp (feature_recorder::carve): fixed bad mode on mkdir
2012-11-22 Simson Garfinkel <[email protected]>
* src/scan_aes.cpp (rotate): changed implementation to avoid casting error.
* src/be13_api/bulk_extractor_i.h (class scanner_def): const scanner_t *changed to scanner_t for compliance with clang.
* src/be13_api/sbuf.h (class sbuf_t): changed cast for clang
2012-11-21 Simson Garfinkel <simsong@ubuntu>
* src/utils.h: moved ishexnumber from bulk_extractor.h to utils.h
2012-11-14 Simson Garfinkel <[email protected]>
* src/plugin.cpp (process_sbuf): renamed process_extract to process_sbuf and put it here.
* src/bulk_extractor.h: removed lowerstr() as it wasn't being used.
* src/word_and_context_list.h: replaced multimap with tr1/unordered_map
2012-11-06 Simson Garfinkel <[email protected]>
* src/scan_email.flex (Host): maximum URL size increased to 384 bytes
2012-11-05 Simson Garfinkel <[email protected]>
* src/be13_api/feature_recorder_set.h (class feature_recorder_set): changed constructor so that ALERT_RECORDER is now created in bulk_extractor.cpp and not in the constructor. This improves code reuse in other programs
* src/feature_recorder_set.cpp (feature_recorder_set::get_alert_recorder): changed ALERT_RECORDER to ALERT_RECORDER_NAME.
2012-10-27 Simson Garfinkel <[email protected]>
* src/sbuf_private.h (sbuf_t::get16i): fixed get16i return error.
2012-10-29 Simson Garfinkel <[email protected]>
* src/Makefile.am: updated for be13_api directory
2012-10-22 Simson Garfinkel <[email protected]>
* src/sbuf_private.h (sbuf_t::get16u): fixed typo in get16u().
2012-10-14 user <[email protected]>
* src_win/Makefile.am (EXTRA_DIST): folded CONFIGURE_LIBRARIES into CONFIGURE_FC17.sh. Modified script so that tre gets built static under windows.
2012-10-09 Simson Garfinkel <[email protected]>
* Makefile.am (release): removed AM_CFLAGS = -Wall; AM_CPPFLAGS = -Wall ; AM_CXXFLAGS = -Wall as they didn't do anything
2012-09-29 Simson Garfinkel <[email protected]>
* java_gui/BEViewer: added #!/bin/sh
2012-09-20 Simson Garfinkel <[email protected]>
* configure.ac: version 1.3
* src/xml.cpp (xml::add_DFXML_build_environment): now checks for TRE version
2012-09-16 Simson Garfinkel <[email protected]>
* src/xml.cpp (xml::add_DFXML_execution_environment): replaced call to gmtime with gmtime_r
2012-09-13 Simson Garfinkel <[email protected]>
* configure.ac: fixed introduced bug with GET_DIAGNOSTIC_PRAGMA and exiv2
2012-09-13 Simson Garfinkel <[email protected]>
* configure.ac (HAVE_ASM_CPUID): now chooses -O3
2012-09-13 Simson Garfinkel <[email protected]>
* src/feature_recorder.cpp (feature_recorder::write_tag): #ifdef'ed out write_tag debug point
2012-09-12 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (phase1): removed trapping of zero-length pages. Yes, pages may be zero length. Now it just iterates through them. Who knows, some scanner may want to count them.
2012-09-05 Simson Garfinkel <simsong@air2>
* src/exif_entry.cpp (add_user_comment_entry): corrected potential overflow error
2012-09-03 Simson Garfinkel <[email protected]>
* src/scan_net.cpp (class packet_carver): no longer reports bad checksums unless option is set. (option is not set by default and there is no way to set it)
2012-09-02 Simson Garfinkel <[email protected]>
* src/scan_email.flex (Host): added a cast for both sides of the for loop.
* src/bulk_extractor.cpp (main): now reports overall performance in MBytes/sec and total number of email features found after each run.
2012-09-03 Simson Garfinkel <[email protected]>
* src/xml.cpp (xml::add_DFXML_build_environment): added support for libtree in DFXML output.
2012-09-02 Simson Garfinkel <simsong@FC17>
* src/xml.cpp (add_rusage): now reports win32 usage information.
2012-09-01 Simson Garfinkel <[email protected]>
* configure.ac: removed FlexLexer.h test, as we no longer use the c++ flex
2012-08-27 Simson Garfinkel <[email protected]>
* src/image_process.cpp (image_process_open): now gives error if directory specified but opt_recurse not set
* configure.ac: removed fts; imageprocess will now use dig.
2012-08-25 Simson Garfinkel <simsong@FC17>
* configure.ac: increased version number to 1.3b8
2012-08-22 Simson Garfinkel <[email protected]>
* src/bulk_extractor_i.h: phase2 now can flush report
* src/scan_email.flex (Host): no longer reports ethernet addresses 00:00:00:00:00:00 and 00:11:22:33:44:55
2012-08-21 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp: pagesize moved back to 16MiB
2012-08-21 Simson Garfinkel <simsong@FC17>
* src/scan_winprefetch.cpp (p): added initializations for declared variables.
2012-08-20 Simson Garfinkel <simsong@FC17>
* configure.ac: removed ,,[AC_MSG_WARN([libewf_handle_get_utf8_header_value_notes not found, no E01 Header Notes])]) warning, because I'm really tired of seeing it. If they don't have the right libewf they won't get the notes.
2012-08-12 Simson Garfinkel <[email protected]>
* src/Makefile.am (bulk_extractor_SOURCES): removed regex_list.h; it's now in beregex.h
* src/beregex.h: myregex.h renamed to beregex.h.
(class beregex): bulk_extractor regular expressions are now pure regular expressions, and not globs
2012-08-11 Simson Garfinkel <simsong@FC17>
* src/base64_forensic.cpp (b64_pton_forensic): added initializers to avoid warnings.
2012-08-08 Simson Garfinkel <[email protected]>
* src/scan_bulk.cpp (sd_autocorrelation_cosine_variance): removed alloca, since it is bad.
2012-08-05 Simson Garfinkel <[email protected]>
* python/Makefile.am (EXTRA_DIST): cda2.py removed cda_test.py removed
2012-08-04 Simson Garfinkel <[email protected]>
* python/bulk_diff.py: minor changes to sort order and formatting; increased version number to 1.3
* src/word_and_context_list.cpp (word_and_context_list::readfile): changed printout
2012-07-29 Simson Garfinkel <simsong@FC17>
* src/utils.cpp (get_filesize): changed pread64() to ::pread64 to avoid some weird linking problem that never showed up before.
* src/cppmutex.h: added <string.h>, as strerror is defined there on Linux
* configure.ac (HAVE_ASM_CPUID): now only adds -D_FORTIFY_SOURCE=2 if we are compiling with the optimizer
* src/utils.cpp: renamed utils.c to be utils.cpp
* src/utils.c: removed support for PRIVATE_REGEX
* configure.ac (HAVE_REGEX_H): removed support for PRIVATE_REGEX
* src_win/CONFIGURE_FC17.sh (MPKGS): now adds mingw64-libgnurx and mingw32-libgnurx
2012-07-29 Simson Garfinkel <[email protected]>
* src/exif_entry.cpp (exif_entry::get_full_name): made invalid ifd type return that as a message, rather than assert(0)
2012-07-26 Simson Garfinkel <[email protected]>
* src/sbuf.h: added #define SBUF_TRACK to disable reference tracking (causing crash in scan_net)
2012-07-20 Simson Garfinkel <[email protected]>
* src/histogram.cpp (HistogramMaker::add): now catches utf8->utf16 and utf16->utf8 conversion exceptions when FLAG_LOWERCASE or FLAG_NUMERIC is specified.
2012-07-22 Simson Garfinkel <[email protected]>
* src/scan_find.cpp (scan_find): find now makes a histogram
2012-07-21 Simson Garfinkel <[email protected]>
* src/sbuf.h (class sbuf_t): made sbuf_t() empty allocator private.
(class sbuf_t): cleaned up code by adding some explicits, per "More Effective C++"
2012-07-17 Simson Garfinkel <[email protected]>
* src/sbuf.cpp (sbuf_t::map_file): was not closing files when MMAP was not included.
* src/bulk_extractor.cpp (phase1): added debug:exception to report.xml
2012-07-16 Simson Garfinkel <[email protected]>
* configure.ac: increased version to 1.3b5
* Makefile.am (EXTRA_DIST): changed from CONFIGURE_F17.sh to CONFIGURE_FC17.sh
2012-07-14 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp: default pagesize changed to 4MiB; default margin size changed to 4MiB.
* configure.ac: version number bumped to 1.3b4
2012-07-12 Simson Garfinkel <[email protected]>
* src/threadpool.cpp (worker::do_work): added threadid to debug:work_end (why wasn't it there?)
* src/utils.c (gmtime_r): moved to utils.c
(localtime_r): moved to utils.c
2012-07-07 Simson Garfinkel <[email protected]>
* src/scan_windirs.cpp (scan_ntfsdirs): scan_windirs now prints $NOFILENAME for no file name
2012-07-05 Simson Garfinkel <[email protected]>
* src/histogram.cpp: added UTF-8 escaping to histogram file.
2012-07-04 Simson Garfinkel <[email protected]>
* src/unicode_escape.cpp (validateOrEscapeUTF8): UTF-8 that expands to surrogate pairs is now also invalid UTF-8
* src/threadpool.h (class threadpool): added thread_status vector
* src/scan_json.cpp (scan_json): the json scanner now writes the MD5 hash of the feature as its context
2012-07-01 Simson Garfinkel <[email protected]>
* configure.ac: upgraded version number to 1.3b1-dev1
2012-06-23 Simson Garfinkel <[email protected]>
* src/Makefile.am (bulk_extractor_SOURCES): added TSK3 includes
* COPYING: clarified copyright.
2012-06-15 Simson Garfinkel <[email protected]>
* src/scan_kml.cpp: Complete rewrite on KML scanner. Faster now.
* src/scan_accts.flex: modified regular expressions, replaced [^0-9] with [^0-9a-z] so that a CCN or phone number can't be immediately prefixed with a letter.
2012-06-13 Simson Garfinkel <[email protected]>
* src/sbuf.h (class sbuf_t): fixed error when adding a size_t offset to an sbuf where the offset was larger than the pagesize.
2012-06-03 Simson Garfinkel <[email protected]>
* src/bulk_extractor_i.h (class scanner_params): added phase_t as an additional quantifier to all scanner_params
* src/scan_lift/linear_binary_svm.h (class LinearBinarySVM): added wt_max(), which is the maximum weights read.
(class LinearBinarySVM): changed classifier numbers from signed to unsigned
2012-05-29 Simson Garfinkel <[email protected]>
* src/scan_lift/linear_binary_svm.cpp (LinearBinarySVM::clear): replaced REP(i,wt_capacity) weights[i]=0 with memset(weights,0,sizeof(weights[0])*wt_capacity);
* configure.ac: increased version to 1.3-devel_005
2012-05-24 Bruce Allen <[email protected]>
* ../branches/: Added and then removed testing branch
../branches/1.2.x_Bruce, r9369 for testing scan_winprefetch on
Windows.
2012-05-24 Bruce Allen <[email protected]>
* ../branches/: Added ../branches/ directory to stage work on older
revisions. bulk_extractor V1.2.x is r8561. bulk_extractor V1.2.0 is
r8193. Removed ../tags/1.2.x and ../tags/1.2.0.
2012-05-16 Simson Garfinkel <[email protected]>
* src/feature_recorder.h (class feature_recorder): banner_stamp is no longer static, as we now want to put the name in the feature file.
* src/scan_base16.flex (public): changed from case-insensitive to sensitive. Let's see if that gets rid of the junk.
2012-05-08 Simson Garfinkel <[email protected]>
* src/sbuf.h (class sbuf_t): get32i changed to get32u (because that's what it is)
2012-05-07 Simson Garfinkel <[email protected]>
* src/scan_zip.cpp (scan_zip): now only processes buffer in phase 1
* src/scan_wordlist.cpp (scan_wordlist): now only processes buffer in phase 1
* src/scan_winprefetch.cpp (scan_winprefetch): now only processes buffer in phase 1
* src/scan_vcard.cpp (scan_vcard): now only processes buffer in phase 1
* src/scan_pipe.cpp (scan_pipe): now only processes buffer in phase 1
* src/scan_pdf.cpp (scan_pdf): now only processes buffer in phase 1
* src/scan_net.cpp (scan_net): now only processes buffer in phase 1
* src/scan_json.cpp (scan_json): now only processes buffer in phase 1
* src/scan_hiberfile.cpp (scan_hiberfile): now only processes buffer in phase 1
* src/scan_gzip.cpp (scan_gzip): now only processes buffer in phase 1
* src/scan_gps.flex: now only processes buffer in phase 1
* src/scan_exiv2.cpp (scan_exiv2): now only processes buffer in phase 1
* src/scan_exif.cpp (scan_exif): now only processes buffer in phase 1
* src/scan_email.flex (Host): now only processes buffer in phase 1
* src/scan_base64.cpp (scan_base64): now only processes buffer in phase 1
* src/scan_ascii85.cpp (scan_ascii84): now only processes buffer in phase 1
* src/scan_aes.cpp (scan_aes): now only processes buffer in phase 1
* src/scan_accts.flex (dob): now only processes scanner in phase1
2012-04-27 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (validate_fn): usage now goes to stdout.
2012-04-25 Simson Garfinkel <[email protected]>
* src/scan_email.flex (Host): ethernet "MAC" suppressed if there is a : on either side
* src/scan_accts.cpp (scan_accts): added author information.
2012-04-22 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (usage): usage now sorts scanners
2012-04-21 Simson Garfinkel <[email protected]>
* src/scan_exif.cpp: renamed from scan_be_exif.cpp
* src/scan_exiv2.cpp: renamed from scan_exif.cpp
2012-04-20 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp: scan_be_exif now enabled by default.
2012-04-20 Simson Garfinkel <[email protected]>
* configure.ac: incremented to 1.3-devel_003
* src/scan_exif.cpp (scan_exif): disabled by default now.
* src/scan_be_exif.cpp (scan_be_exif): enabled by default.
2012-03-27 Simson Garfinkel <[email protected]>
* src/scan_base64.cpp: changed startup code to be called in Phase 1. (Why didn't I do that before?)
* src/scan_winprefetch.cpp (class PrefetchDecoder): now stops if string has fewer than 8 characters
2012-03-27 Simson Garfinkel <[email protected]>
* src/cppmutex.h: added stdlib.h
* src/scan_headers.flex: updated scanner for years in 201x
2012-03-26 Simson Garfinkel <[email protected]>
* configure.ac: increased devel to 002
* src/scan_zip.cpp (scan_zip): changed sanity check so that compr_size and uncompr_size need to be <0, not <=0.
2012-03-19 Simson Garfinkel <[email protected]>
* src/scan_accts.flex: YEAR now accepts dates in years 2010-2009
2012-03-12 Simson Garfinkel <[email protected]>
* src/bulk_extractor_i.h (class scanner_params): moved #include <tr1/unordered_map> to bulk_extractor_i.h
2012-03-03 Simson Garfinkel <[email protected]>
* src/scan_winprefetch.cpp (PrefetchDecoder::identifyBuf): patches provided by Ketil Froyn and Luis Garcia fix behavior for Windows 7 Super Prefetch.
2012-02-22 Simson Garfinkel <[email protected]>
* configure.ac: changed revision to 1.3-devel_001
2012-03-09 Simson Garfinkel <[email protected]>
* src/threadpool.cpp (threadpool::win32_init): created for administrative simplification.
* src/threadpool.h (class cppmutex): moved cppmutex to this file.
* src/feature_recorder.h: replaced #include "cppmutex.h" with #include "threadpool.h"
2012-03-06 Simson Garfinkel <[email protected]>
* src/xml.cpp (xml::close): removed dtd making
2012-03-05 Simson Garfinkel <[email protected]>
* src/cppmutex.h: added cppmutex.h
* src/feature_recorder.h (class feature_recorder): replaced pthread_mutex_t with cppmutex, a C++ cover class for mutexes.
* src/bulk_extractor.cpp (phase1): added #ifdef HAVE_LOCALTIME_R to cover systems that do not have localtime_r.
* src/aftimer.h (aftimer::eta_time): changed from 'when' to 't' for consistency.
2012-02-21 Simson Garfinkel <[email protected]>
* src/scan_aes.cpp (scan_aes): added check -- if sp.buf.bufsize<WINDOW_SIZE, don't scan.
2012-02-15 Simson Garfinkel <[email protected]>
* python/Makefile.am (EXTRA_DIST): version 1.2.0 released.
2012-02-11 Simson Garfinkel <[email protected]>
* src/regex_list.h (class regex_list): removed globbing
2012-02-05 Simson Garfinkel <[email protected]>
* src/scan_zip.cpp (scan_zip): now detects decompression bomb attack and changes mode of operation so that buffers are hashed prior to being decompressed and the same buffer will only be hashed just once.
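The entry above records two defences against decompression bombs: hash each compressed buffer before inflating it so the same bytes are never inflated twice, and stop inflating once the output grows out of proportion to the input. The block below is an added illustration of that pattern, not bulk_extractor's scan_zip code. The run-length "compressed" format (4-byte little-endian count followed by one value byte), the FNV-1a hash in place of MD5, and the names BombGuard, inflate_guarded and zip_guard_demo are all constructed for this example.

```cpp
// Constructed illustration, not bulk_extractor's scan_zip: a decompression-bomb
// guard built the way the ChangeLog entry describes. Every compressed buffer is
// hashed before it is inflated, so a buffer already seen is skipped rather than
// inflated a second time, and the inflated size is capped so a few input bytes
// cannot expand without bound. The "compressed" format is a constructed
// run-length encoding (4-byte little-endian count, then one value byte) that
// stands in for DEFLATE; FNV-1a stands in for the MD5 the scanner uses.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

static uint64_t fnv1a64(const uint8_t *buf, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) { h ^= buf[i]; h *= 1099511628211ULL; }
    return h;
}

enum class Inflate { Done, Duplicate, Bomb };

struct BombGuard {
    size_t max_output;        // hard cap on bytes produced from one buffer
    size_t max_ratio;         // output:input ratio above which we stop
    std::set<uint64_t> seen;  // hashes of compressed buffers already handled
    size_t skipped = 0;       // buffers skipped because their hash was seen
    size_t aborted = 0;       // buffers abandoned as bombs
    BombGuard(size_t mo, size_t mr) : max_output(mo), max_ratio(mr) {}
};

// Inflate `in` into `out` under the guard's limits. The limits are checked
// before each run is materialised, so a bomb is refused before memory is spent.
Inflate inflate_guarded(BombGuard &g, const std::vector<uint8_t> &in,
                        std::vector<uint8_t> &out) {
    if (!g.seen.insert(fnv1a64(in.data(), in.size())).second) {
        g.skipped++;
        return Inflate::Duplicate;
    }
    out.clear();
    for (size_t i = 0; i + 4 < in.size(); i += 5) {
        size_t count = (size_t)in[i] | (size_t)in[i + 1] << 8 |
                       (size_t)in[i + 2] << 16 | (size_t)in[i + 3] << 24;
        size_t projected = out.size() + count;
        if (projected > g.max_output || projected / in.size() > g.max_ratio) {
            g.aborted++;
            out.clear();
            return Inflate::Bomb;
        }
        out.insert(out.end(), count, in[i + 4]);
    }
    return Inflate::Done;
}

static std::vector<uint8_t> rle_record(uint32_t count, uint8_t value) {
    return {uint8_t(count), uint8_t(count >> 8), uint8_t(count >> 16),
            uint8_t(count >> 24), value};
}

struct GuardDemo {
    Inflate first, again, bomb;
    size_t first_bytes, skipped, aborted;
};

// Run three constructed buffers through one guard: a benign record, the same
// record a second time, and a 5-byte record that asks for 1 GiB of output.
GuardDemo zip_guard_demo() {
    BombGuard g(1u << 20, 100);   // constructed limits: 1 MiB and 100:1
    std::vector<uint8_t> out;
    GuardDemo d{};
    std::vector<uint8_t> benign = rle_record(16, 'A');
    std::vector<uint8_t> bomb = rle_record(0x40000000u, 0);
    d.first = inflate_guarded(g, benign, out);
    d.first_bytes = out.size();
    d.again = inflate_guarded(g, benign, out);  // same bytes: hashed once, skipped
    d.bomb = inflate_guarded(g, bomb, out);     // refused before any allocation
    d.skipped = g.skipped;
    d.aborted = g.aborted;
    return d;
}

int main() {
    GuardDemo d = zip_guard_demo();
    std::printf("benign: %zu bytes, duplicate skipped: %zu, bombs aborted: %zu\n",
                d.first_bytes, d.skipped, d.aborted);
    return 0;
}
```

The order of the two checks matters: the hash lookup happens before any output is produced, so a buffer that was already refused as a bomb is not re-examined when it recurs elsewhere in the image, and the size check runs on the projected size before the bytes are appended, so the cap is never exceeded even transiently.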
2012-02-04 Simson Garfinkel <[email protected]>
* src/feature_recorder_set.cpp (scan_zip): alert_recorder is now in feature_recorder_set.
2012-02-03 Simson Garfinkel <[email protected]>
* src/feature_recorder.cpp (feature_recorder::banner_stamp): banner_stamp moved to feature_recorder
* src/bulk_extractor.h: opt_banner_file moved to feature_recorder
* src/bulk_extractor.cpp (main): outdir now an instance variable
* src/feature_recorder_set.h (class feature_recorder_set): outdir now an instance variable
* src/feature_recorder_set.cpp (feature_recorder_set::feature_recorder_set): outdir now an instance variable
* src/feature_recorder.h (class feature_recorder): outdir now an instance variable
* src/feature_recorder.cpp (feature_recorder::feature_recorder): outdir now an instance variable
* src/scan_net.cpp (class packet_carver): outdir now read from feature recorder.
* src/scan_wordlist.cpp (wordlist_split_and_dedup): outdir now read from feature recorder.
* src/MANY - outdir is no longer global.
2012-02-01 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (main): added -G to specify page size
2012-01-29 Simson Garfinkel <[email protected]>
* src/xml.h (class xml): added svn_version to DFXML output.
* src/scan_net.cpp: now carries its own ipv6 implementation.
2012-01-27 Simson Garfinkel <[email protected]>
* configure.ac: advanced version number to 1.2.0RC1
GNUC_HAS_DIAGNOSTIC_PRAGMA now set in configure.ac
* src/bulk_extractor.cpp (main): the -s (context-sensitive stop
list) option is removed. The -r (alert list) and -w (stop list)
will now take a list of regular expressions, a list of globs or
feature files.
* src/feature_recorder.cpp (feature_recorder::make_histogram): removed get_line_offset(); no longer needed
2012-01-20 Simson Garfinkel <[email protected]>
* src/scan_email.flex: eliminated an increment in LexerInput()
validate_email now inline.
find_domain_in_email now inline.
find_domain_in_url now inline
2012-01-18 Simson Garfinkel <[email protected]>
* src/scan_aes.cpp (scan_aes): scan_aes now runs in 15% the time of the original version. It is now, therefore, enabled by default.
2012-01-16 Simson Garfinkel <[email protected]>
* src/feature_recorder_set.cpp (feature_recorder_set::dump_stats): seconds scanners in states changed to scanner_times
2012-01-13 Simson Garfinkel <[email protected]>
* src/bulk_extractor.h: removed gnuexif
* src/bulk_extractor.cpp (scanners_builtin): removed gnuexif info.
* src/scan_gnuexif.cpp: removed file.
* src/xml.cpp (xml::add_DFXML_build_environment): removed gnuexif support.
* configure.ac (HAVE_LIBEWF_H): removed gnuexif support.
2011-12-29 Simson Garfinkel <[email protected]>
* configure.ac: removed check for libpcap because we don't actually use it.
* src/scan_net.cpp: removed #include for libpcap because we didn't actually use it.
* Makefile.am (EXTRA_DIST): added m4/ax_pthread.m4 to EXTRA_DIST.
2011-12-25 Simson Garfinkel <[email protected]>
* src/scan_exif.cpp (scan_exif): removed md5hex_4k since the code was already in sbuf_t.
2011-12-20 Simson Garfinkel <[email protected]>
* src/sbuf.h (class sbuf_t): Whoops. Should have been assert(bufsize>=pagesize), not vice-versa
(class pos0_t): stoi64() moved to pos0_t.
2011-12-18 Simson Garfinkel <[email protected]>
* src/sbuf.h (class sbuf_t): When we create a new sbuf with the + operator, we need to also add +i to the pos0.
(class sbuf_t): + now asserts that bufsize cannot be smaller than pagesize.
* src/scan_exif.cpp (md5hex_4k): Whoops. Should be hashing min of the pagesize and 4096, not max.
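The three sbuf entries above (2011-12-18 and 2011-12-20) record a set of bounds invariants: bufsize must never be smaller than pagesize, a sub-buffer made with + must carry its pos0 forward by the same offset, and a "first 4 KiB" fingerprint must hash min(pagesize, 4096) bytes rather than max, since max would read past a page shorter than 4 KiB. The block below is an added illustration of those invariants, not bulk_extractor's sbuf_t or md5hex_4k. The class ByteView, the functions fingerprint_len, fingerprint_4k and byte_view_demo, and the FNV-1a hash standing in for MD5 are all constructed for this example.

```cpp
// Constructed illustration, not bulk_extractor's sbuf_t: a bounded byte view
// that enforces the invariants the entries above record.
//  - pagesize is the number of bytes that belong to this page; bufsize is the
//    number actually readable (page plus overlap margin), so bufsize >= pagesize.
//  - view + i starts i bytes later, so its pos0 (the image offset reported for
//    any feature found) must advance by i as well.
//  - the "first 4 KiB" fingerprint covers min(pagesize, 4096) bytes, never max,
//    so a page shorter than 4 KiB is never read past its end.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

class ByteView {
public:
    const uint8_t *buf;
    size_t bufsize;   // readable bytes
    size_t pagesize;  // bytes owned by this page; bufsize >= pagesize
    uint64_t pos0;    // image offset of buf[0]

    ByteView(const uint8_t *b, size_t bs, size_t ps, uint64_t p0)
        : buf(b), bufsize(bs), pagesize(ps), pos0(p0) {
        if (bufsize < pagesize) throw std::invalid_argument("bufsize < pagesize");
    }

    // Sub-view i bytes in: both sizes shrink by i (pagesize clamps at 0 once the
    // offset leaves the page) and pos0 moves forward by i.
    ByteView operator+(size_t i) const {
        if (i > bufsize) throw std::out_of_range("offset past end of buffer");
        return ByteView(buf + i, bufsize - i, pagesize > i ? pagesize - i : 0, pos0 + i);
    }

    // Bounds-checked read: a miscomputed length throws instead of reading past buf.
    uint8_t operator[](size_t i) const {
        if (i >= bufsize) throw std::out_of_range("read past bufsize");
        return buf[i];
    }
};

// Number of bytes the "first 4 KiB" fingerprint covers: min, not max.
size_t fingerprint_len(const ByteView &v) { return std::min<size_t>(v.pagesize, 4096); }

// FNV-1a over those bytes (standing in for the MD5 the original used).
uint64_t fingerprint_4k(const ByteView &v) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0, n = fingerprint_len(v); i < n; i++) { h ^= v[i]; h *= 1099511628211ULL; }
    return h;
}

struct ViewDemo {
    uint64_t sub_pos0; size_t sub_bufsize, sub_pagesize;
    size_t short_page_hashed, long_page_hashed;
    bool short_buffer_rejected;
};

// Exercise the invariants on a constructed 8 KiB buffer.
ViewDemo byte_view_demo() {
    std::vector<uint8_t> data(8192);
    for (size_t i = 0; i < data.size(); i++) data[i] = uint8_t(i * 31);
    ViewDemo d{};
    ByteView page(data.data(), 100, 64, 1000);   // 64-byte page with 36 bytes of margin
    ByteView sub = page + 10;
    d.sub_pos0 = sub.pos0; d.sub_bufsize = sub.bufsize; d.sub_pagesize = sub.pagesize;
    d.short_page_hashed = fingerprint_len(page);                             // 64, not 4096
    d.long_page_hashed = fingerprint_len(ByteView(data.data(), 8192, 8192, 0)); // 4096
    fingerprint_4k(page);   // would throw if it tried to read past bufsize
    try {
        ByteView bad(data.data(), 32, 64, 0);   // bufsize < pagesize: must be refused
        (void)bad;
        d.short_buffer_rejected = false;
    } catch (const std::invalid_argument &) {
        d.short_buffer_rejected = true;
    }
    return d;
}

int main() {
    ViewDemo d = byte_view_demo();
    std::printf("sub-view pos0=%llu bufsize=%zu pagesize=%zu; hashed %zu and %zu bytes; "
                "short buffer rejected=%d\n",
                (unsigned long long)d.sub_pos0, d.sub_bufsize, d.sub_pagesize,
                d.short_page_hashed, d.long_page_hashed, (int)d.short_buffer_rejected);
    return 0;
}
```

The checked operator[] is the part worth keeping in a real carver: with max() in place of min(), fingerprint_4k on the 64-byte page would attempt 4096 reads and the first one past bufsize would throw, which is how the bug the entry describes would have surfaced in testing instead of as a silent out-of-bounds read.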
2011-12-14 Simson Garfinkel <[email protected]>
* src/xml.cpp: now works with older and newer versions of exiv2
2011-12-01 Simson Garfinkel <[email protected]>
* src/histogram.cpp (HistogramMaker::add): looks for \000 in utf16 strings converted to utf8 and erases them (We were getting them in histograms)
2011-11-26 Simson Garfinkel <[email protected]>
* src/scan_wordlist.cpp (wordlist_split_and_dedup): no longer adds zero-length words to wordlist
* src/feature_recorder.cpp (feature_recorder::make_histogram): histograms no longer banner stamp or version stamp if there is no corresponding feature.
2011-11-25 Simson Garfinkel <[email protected]>
* src/scan_net.cpp (pcap_writepkt): changed file extension from .dmp to .pcap for packets
2011-11-23 Simson Garfinkel <[email protected]>
* src/bulk_extractor.cpp (phase1): added -Y start-end notation in addition to -Y start notation.
* src/bulk_extractor.cpp (phase1): added -A offset to add an offset.
* src/feature_recorder.cpp (feature_recorder::write): added support for opt_offset_add to allow output to be shifted (for parallelizing across multiple systems.)
* src/sbuf.h (class pos0_t): removed snprintf; now uses stringstream.
(operator +): changed most functions to take const & rather than a new object.
* src/feature_recorder.cpp (feature_recorder::write): now always writes out the second \t for the context, even if there is no context.
2011-11-21 Simson Garfinkel <[email protected]>
* configure.ac: advanced to beta9
added AC_PROG_CC AC_PROG_CXX and AC_PROG_INSTALL
* src/Makefile.am (.flex.o): FlexLexer.h moved to MyFlexLexer.h to support CentOS where an out-of-date flex is installed.
2011-11-16 Simson Garfinkel <simsong@FC15>
* src/bulk_extractor.cpp (process_path): fixed handling of /h and /r with -p option
2011-11-12 Simson Garfinkel <[email protected]>
* configure.ac: removed pcap.h tests because it's not needed
increased to beta4
2011-11-05 Simson Garfinkel <[email protected]>
* src/scan_email.flex (Host): now only writes domains>0.
* src/scan_zip.cpp (scan_zip): zip components with no name are now given <NONAME>
* src/scan_winprefetch.cpp (scan_winprefetch): modified to only write out prefetch files with non-zero exec name
* src/scan_net.cpp (scan_net): significant update --- I don't need libpcap to do packet carving!
2011-11-09 Simson Garfinkel <[email protected]>
* configure.ac: updated to beta3
2011-11-08 Simson Garfinkel <[email protected]>
* src/image_process.cpp (sbuf_alloc): added a new iterator method it->pos0() returns the pos0 of the sbuf to be allocated by it->sbuf_alloc()
(sbuf_alloc): changed calloc to malloc for performance
(process_aff::sbuf_alloc): now throws bad_alloc if an exception is encountered
(process_ewf::sbuf_alloc): now throws bad_alloc
(process_raw::sbuf_alloc): now throws bad_alloc
2011-11-07 Simson Garfinkel <simsong@alphonse-mucha>
* src/bulk_extractor.cpp: removed scanner_enabled().
* src/Makefile.am (bulk_extractor_SOURCES): removed checkpoint.h
* src/bulk_extractor.cpp (main): checkpoint removed; restarting now done through dfxml file.
(phase1): do_phase1 renamed phase1; just_phase1 renamed do_phase1. phase1 and phase2 flags removed. Now automatic.
(main): -2 option removed
2011-11-04 Simson Garfinkel <[email protected]>
* src/image_process_fts.cpp (process_dir::process_dir): added E01 detection.