This page contains a history of the major features for each release (starting with 2.20).

4.4.1 (Aug 9, 2017)

A more detailed list can be found in the NEWS.txt file.

  • Beta version of new central repository feature has been added for correlating artifacts across cases; results are displayed using an Interesting Artifacts branch of the Interesting Items tree and an Other Data Sources content viewer.
  • Results viewer (top right area of desktop application) sorts are persistent and can be applied to either the table viewer or the thumbnail viewer.
  • The View Source File in Directory context menu item now works correctly.
  • Tagged image files in the HTML report are now displayed full-size.
  • Case deletion is now done using a Case menu item and both single-user and general (not auto ingest) multi-user cases can be deleted.
  • Content viewers (bottom right area of desktop application) now resize correctly.
  • Some potential deadlocks during ingest have been eliminated.
  • Assorted performance improvements, enhancements, and bug fixes.

4.4.0 (May 30, 2017)

A more detailed list can be found in the NEWS.txt file.

  • Keyword search regular expressions now work with spaces.
  • A sparse VHD file can be created when analyzing a local drive (USB) so that you don't need to acquire first.
  • Ingest filters allow you to run the ingest modules on only a subset of files during triage.
  • Ingest profiles allow you to pick an ingest filter and set of ingest modules to make it easier to preprogram for triage.
  • User can edit keyword lists.
  • Import/export of interesting files set membership rules.
  • Fix resolution issue with high DPI systems
  • Updated Recent Activity ingest module to use RegRipper 2.8 plugins.
  • Ability to customize HTML report logo.
  • Assorted small enhancements and bug fixes.

4.3.0 (Jan 18, 2017)

A more detailed list can be found in the NEWS.txt file.

  • Support for slack space on files (as separate virtual files) to enable keyword searching and other analysis.
  • Simple mode for the file extension mismatch module that focuses on only multimedia and executable files to reduce false positives.
  • New view in tree that shows the MIME types.
  • Tagged items are highlighted in table views.
  • Ordering of columns is saved when user changes them.
  • Support for Android devices with preloaders (uses backup GPT)
  • Support for images with no file systems (all data is added as unallocated space)
  • User can bulk add list of keywords to a keyword list.
  • New "Experimental" module (activate via Tools, Plugins) with auto ingest feature.
  • Assorted bug fixes and minor enhancements.

4.2.0 (Oct 26, 2016)

A more detailed list can be found in the NEWS.txt file.

  • Credit card account search.
  • Encoding/decoding of extracted files to avoid anti-virus alerts/quarantine.
  • Ingest history used to warn before doing redundant analysis.
  • Options panel for managing custom tag names.
  • Options panel for setting external viewer associations.
  • Keyboard shortcut for applying Bookmark tags.
  • Improved PhotoRec carver ingest module cancellation responsiveness.
  • Results content viewer formats dates.
  • Update to PostgreSQL 9.5.
  • Assorted bug fixes and minor enhancements.

4.1.1 (Aug 18, 2016)

A more detailed list can be found in the NEWS.txt file.

  • Bug fix to enable some Python modules to run again.

4.1.0 (July 20, 2016)

A more detailed list can be found in the NEWS.txt file.

  • New list view in Timeline tool
  • VMWare virtual machine files (vmdk) and Microsoft Virtual Hard Drives (vhd) can be added as data sources.
  • New ingest module detects vmdk and vhd files embedded in other data sources and adds them as data sources.
  • Text associated with blackboard artifacts is indexed and searched for keywords.
  • Custom (user-defined) blackboard artifact and attribute types are displayed in the UI and included in reports.
  • File size and MIME type conditions can be specified for interesting files set membership rules.
  • Assorted bug fixes and minor enhancements.

4.0.0 (Nov 2, 2015)

  • Multi-user cases supported that allow collaboration using network-based services.
  • Image Gallery feature released.
  • Assorted minor fixes and enhancements

3.1.3 (June 26, 2015)

  • New Embedded File Extractor module that incorporates ZIP file module and extracts images from Office documents
  • Views area counts update when ZIP files and such are found
  • Updates to python scripting for Python 2.7, scripts are reloaded each time ingest is run, and errors are better shown.
  • Updated right click actions to be consistent across all file types
  • Changed logic of Interesting Files module to look for substrings of parent path.
  • Lots of minor fixes and enhancements

3.1.2 (Mar 4, 2015)

Improvements:

  • New PhotoRec carving ingest module
  • RegRipper output is available as a report instead of TOOL_OUTPUT artifact
  • Updated version of RegRipper
  • New STIX/Cybox report module (manually run after image has been analyzed)
  • File type module supports user defined file types and can alert when they are found
  • More artifacts are extracted from registry
  • Metadata tab in lower right now also shows istat (TSK) output for more metadata details
  • User docs were moved online (http://sleuthkit.org/autopsy/docs/user-docs/3.1/)

3.1.1 (Nov 4, 2014)

Improvements:

  • New time line feature
  • New Interesting Files module
  • Added support for Python modules
  • Updated HTML report
  • Media Content viewer uses blackboard artifacts and detects PNG by sig.
  • New logo

Bug Fixes:

  • Adding local disk errors
  • ZIP files inside of RAR files are properly extracted

3.1.0 (Aug 20, 2014)

Numerous changes are in this release. Here are the big items:

  • Multi-threaded pipelines
  • File type ingest module
  • File extension mismatch ingest module
  • Android ingest module
  • KML report module
  • Tags can be deleted
  • Hash databases can be created and maintained

3.0.10 (Apr 10, 2014)

This is a bug fix release. It adds the correct Windows dlls for the 64-bit installer.

3.0.9 (Feb 3, 2014)

This is a new feature and bug fix release. Nearly all work done by Basis Technology.

See the NEWS.txt file for more details.

  • Regular expression keyword search works on file names.
  • Fixed thunderbird parser for subject and dates
  • Fixed errors in hex viewer
  • New "EnCase-style" report that lists files and metadata in tab delimited file
  • Removed xdock definitions -> some claim this helps with memory problems
  • More lazy loading to help performance with big folders and sets of files
  • Times can be displayed in local time or GMT
  • Changed report wizard to make one report at a time
  • Updated SQLite to 3.8.0
  • Enhanced reporting on keyword search module errors
  • report improvements (only regenerate if data exists)
  • more error messages if recent activity module fails
  • more error checking in recent activity module and don't bail as quickly
  • Cleanup of recent activity module
  • better handle if ingest module throws exception during init()
  • do not run ingest if any module fails to init()
  • Added FILE_DONE event to ingest manager
  • Added search engine parsers for linkedin, twitter, and facebook
  • HTML text is better formatted
  • Report generation performance
  • HTML parser is skipped for files bigger than 50MB.

3.0.8 (Oct 16, 2013)

This fixes a broken installer from 3.0.7 that caused Keyword Search to not work on some systems. No other features in this release.

3.0.7 (Sep 25, 2013)

This is a new feature and bug fix release. Nearly all work done by Basis Technology.

See the NEWS.txt file for more details.

Improvements:

  • 64-bit support (JavaFX for video)
  • Multi-select
  • different sized thumbnails
  • Custom tags persist across runs of the app
  • RegRipper is run on each hive and raw output is available.
  • Metadata content viewer

Bug Fixes:

  • Several -> Didn't keep good track in this file.
  • TSK Bug fixes, including fix for showing deleted NTFS files in wrong parent folder.
  • Error messages from adding disk to database are better displayed.
  • RecentActivity better reports errors parsing data

3.0.6 (Jun 19, 2013)

This is a new feature and bug fix release. All work done by Basis Technology.

Improvements:

  • Logical files and folders support
  • New file views in directory tree to view: deleted, executable, archive files and files by size
  • ext4 and yaffs2 support (via TSK 4.1.0)
  • Improvements to tagging of files and keyword search results
  • Any file and folder can be selectively ingested using the directory tree view

Bug Fixes:

  • Keyword Search: fix when Solr does not cleanly shutdown
  • fix for "Process Unallocated Space" option doesn't do anything
  • fixed result viewer for "File Search by MD5 Hash"
  • fix Solr, Timeline and RecentActivity issues with java 7.0.21
  • Views->Recent Files showing inconsistent results when clicked many times
  • reduced memory usage in Timeline

See the NEWS.txt file for more details.

3.0.5 (Mar 26, 2013)

This is a new feature and bug fix release. All work done by Basis Technology.

Improvements:

  • New ingest module for ZIP and other archive formats
  • Timeline (Beta)
  • improved image loading in Media View and Thumbnail View (faster loading, handles large files better)
  • Uses more signatures instead of extensions (keyword search and exif modules)
  • Updated Ingest Message Inbox

Bug Fixes:

  • fixed memory leaks in "Add Image"
  • The "media view" tab is inactive for deleted files (#165)
  • fixed directory tree history being reset when tree is refreshed.

See the NEWS.txt file for more details.

3.0.4 (Jan 23, 2013)

This is a bug fix and feature update release. All work done by Basis Technology.

Improvements:

  • File tagging.
  • Error notification in lower right.

Bug Fixes:

  • DLL installation issues fixed.
  • Out of memory configuration changed.
  • Issue that caused duplicate keyword search results.
  • Crash when generating HTML and Excel reports with special characters.
  • MS Office text extraction
  • EXIF data not being extracted

See the NEWS.txt file for more details.

3.0.3 (Jan 8, 2013)

This is a bug fix and feature update release. All work done by Basis Technology.

Improvements:

  • Upgrade to Solr 4.0 / Tika 1.2: Improved performance and highlighting
  • Remake of reporting UI and functionality
  • Significant increase in reporting speed
  • New option to keep the most specific file viewer (default) or the last used viewer active.

Bug Fixes:

  • Fixed bug that caused the ends of large amounts of text to not be indexed (occurs mostly in unallocated space). All users should upgrade.

See the NEWS.txt file for more details.

3.0.2 (Dec 20, 2012)

This is a bug fix and feature update release. All work done by Basis Technology.

Improvements:

  • New feature to extract unallocated space as a single file.
  • Hashkeeper database support
  • Can add comments to bookmarks and bookmarks are reported.
  • Queuing time is reduced during ingest.
  • Jump to arbitrary pages in thumbnail view.
  • Changed flow of add image wizard to configure modules while database is being populated.
  • Changed HTML report layout.

Bug Fixes:

  • Fixed keyword search interval (did not run until end)
  • Fixed domain type in Web Downloads data.
  • Added hash and keyword search results to report.
  • Fixed UI issue whereby NSRL was always being looked up.

See the NEWS.txt file for more details.

3.0.1 (Nov 15, 2012)

This is a bug fix and feature update release. All work done by Basis Technology.

Improvements:

  • Significant performance improvements when adding images.
  • Slight improvements in UI performance for large number of results.
  • Improved stability when running ingest on multiple images.
  • Removed limit on number of results displayed.
  • Thumbnail viewer - added paging and removed limit of images.
  • Better HTML report navigation, handling large reports better.
  • Updated Add image wizard to support local devices.

Bug Fixes:

  • Fixed reading content from multiple file attributes (NTFS, HFS).
  • Added ability to extract contents of the unalloc files.
  • Enable user to select any image file extension when opening image.
  • Thunderbird parser module fixes.
  • Reporting fixes: added missing artifacts (keyword search, hash hits, file bookmarks).

See the NEWS.txt file for more details.

3.0.0 (Oct 15, 2012)

The following enhancements were done since the last beta by Basis Technology. Refer to the history below for all of the things that went into making 3.0.

Improvements:

  • Upgraded versions of libraries
  • Internal ingest framework enhancements

Bug Fixes:

  • UI fixes in content and result viewers
  • UI fixes in Hash Database and Keyword Search options.
  • Excel report export produced corrupt files sometimes.
  • Fixed issue where SOLR would not always launch.

See the NEWS.txt file for more details.

3.0.0b5 (Sept 14, 2012)

Development by Basis Technology. New Features:

  • Extract non-English strings from unknown file types.
  • Extract more data from HTML files.
  • Extract EXIF data
  • Basic bookmark support
  • Body file report module

Bug Fixes:

  • Better memory footprint of keyword search
  • Media player occasionally crashes

See the NEWS.txt file for more details.

3.0.0b4 (July 3, 2012)

Development by Basis Technology and 42Six Solutions. Funded by US Army Intelligence Center of Excellence (USAICoE). New Features:

  • MBOX / Thunderbird parsing module
  • Better lnk file parsing

Bug Fixes:

  • Included needed jar file for Recent Activity (Issue #52).
  • Fixed error handling from ingest (Issue #53)

See the NEWS.txt file for more details.

3.0.0b3 (June 13, 2012)

Development by Basis Technology and 42Six Solutions. Funded by US Army Intelligence Center of Excellence (USAICoE). New Features:

  • Ingest manager runs triage/ingest task after disk is added.
  • Keyword search (indexed via SOLR)
  • Recent activity extract (web artifacts, recent documents, devices, etc.)
  • Improved UI

See the NEWS.txt file for more details.

3.0.0b2 (Nov 9, 2011)

Development by Basis Technology. New Features:

  • New database design
  • Hashlookup / calculation
  • Minor overall improvements
  • NOTE: Cases created with b1 are not supported in b2 (different DB)

See the NEWS.txt file for more details.

3.0.0b1 (Aug 16, 2011)

Initial release. Development by Basis Technology.

  • Windows only
  • Directory tree
  • File Search
  • Table and thumbnail viewer

Version 2.24 (Mar 31, 2010)

Minor bug fixes (HFS directories). See the CHANGES.txt file for more details.

Version 2.23 (Feb 18, 2010)

Minor bug fixes (sorter issues). See the CHANGES.txt file for more details.

Version 2.22 (Jan 13, 2010)

Minor bug fixes and updates. See the CHANGES.txt file for more details.

Version 2.21 (Feb 2, 2009)

Minor bug fixes.

Version 2.20 (Oct 19, 2008)

This release contains minor feature upgrades to maintain compatibility with TSK 3.0.0. TSK 3.0.0 has new tools, flags, and better handling and viewing of deleted files.