Bug#702470: sleuthkit: sleuthkit is 3 versions behind upstream

Douglas Calvert dfc at douglasfcalvert.net
Wed Mar 6 22:48:53 UTC 2013

Package: sleuthkit
Version: 3.2.3-2
Severity: normal

 Thank you for maintaining this package in debian. Can you package the
latest upstream? Thanks in advance.

Features added since package available in debian:

---------------- VERSION 4.0.2 --------------
New Features:
- Added fiwalk tool from Simson. Not supported in Visual Studio yet.

Bug Fixes:
- Fixed fcat to work on NTFS files (still doesn't support ADS though).
- Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
- NTFS code now looks at all MFT entries when listing directory
contents. It used to only look at unallocated entries for orphan
files. This fixes an image that had allocated files missing from the
directory b-tree.
- NTFS code uses sequence number when searching MFT entries for all files.
- Libewf detection code change to support v2 API more reliably (ID: 3596212).
- NTFS $SII code could crash in rare cases if $SDS was multiple of block size.

- Added new API to TskImgDB that returns the base name of an image.
- Numerous performance improvements to framework.
- Removed requirement in framework to specify module extension in
pipeline configuration file.
- Added blackboard artifacts to represent both operating system and
network service user accounts.

Java Bindings:
- added more APIs to find files by name, path and where clause
- added API to get currently processed dir when image is being added,
- added API to return specific types of children of image, volume
system, volume, file system.
- moved more common methods up to Content interface
- deprecated context of blackboard attributes,
- deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
- fixed ReadContentInputStream bugs (ignoring offset into a buffer,
implementing available() )
- methods that are lazy loading are now thread safe
- Hash class is now thread-safe
- use more PreparedStatements to improve performance
- changed source level from java 1.6 to 1.7
- Throw exceptions from C++ side better

---------------- VERSION 4.0.1 --------------
New Features:
- Can open raw Windows devices with write mode sharing.
- More DOS partition types are displayed.
- Added fcat tool that takes in file name and exports content
(equivalent to using ifind and icat together).
- Added new API to TskImgDB that returns hash value associated with
carved files.
- performance improvements with FAT code (maps and dir_add)
- performance improvements with NTFS code (maps)
- added AONLY flag to block_walk
- Updated blkls and blkcalc to use AONLY flag -- MUCH faster.

Bug Fixes:
- Fixed mactime issue where it could choose the wrong timezone that did
  not follow daylight savings times.
- Fixed file size of alternate data streams in framework.
- Incorporated memory leak fixes and raw device fixes from ADF Solutions.

---------------- VERSION 4.0.0 --------------
New Features:
- Added multithreaded support
- Added C++ wrapper classes
- Added JNI bindings / Java data model classes
- 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
- 3184429: More consistent printing of unset times (all zerso instead of 1970)
- New database design that allows for multiple images in the same database
- GPT volume system tries other sector sizes if first attempt fails.
- Added hash calculation and lookup to AutoDB and JNI.
- Upgraded SQLite to 3.7.9.
- Added Framework in (windows-only)
- EnCase hash support
- Libewf v2 support (it is now non-beta)
- First file in a raw split or E01 can be specified and the rest of the files
  are found.
- mactime displays times as 0 if the time is not set (isntead of 1970)
- Changed behavior of 'mactime -y' to use ISO8601 format.
- Updated HFS+ code from ATC-NY.
- FAT orphan file improvements to reduce false positives.
- TskAuto better reports errors.
- Upgrade build projects from Visual Studio 2008 to 2010.

Bug Fixes:
- Relaxed checking when conflict exists between DOS and GPT partitions.
Had a Mac image that was failing to resolve which partition table
to use.

-- System Information:
Debian Release: 7.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sleuthkit depends on:
ii  file                5.11-2
ii  libc6               2.13-38
ii  libdate-manip-perl  6.37-1
ii  libgcc1             1:4.7.2-5
ii  libstdc++6          4.7.2-5
ii  libtsk3-3           3.2.3-2
ii  perl                5.14.2-18

sleuthkit recommends no packages.

Versions of packages sleuthkit suggests:
ii  autopsy  2.24-1

-- no debconf information

More information about the forensics-devel mailing list