
[DFNews] Email forensics software Nuix updated to v4.2, with several important changes

Posted on 2013-02-19 09:11 by YiDiscovery

The Australian forensics software vendor Nuix has recently released a major update to the Nuix application, moving from version 4.0 to 4.2. The change log is as follows.


Version 4.0.0 to Version 4.2.0

Important Changes in 4.2.x

  • The name of the nuix_desktop.exe has changed to nuix_app.exe.
  • Ruby scripts are now run with an interpreter compatible with Ruby 1.9.3. If your scripts rely on features of 1.8.x which have been dropped in 1.9.x, or if they contain non-ASCII characters, they may need to be changed slightly. See Additional Information for Ruby for further information.

Extraction

  • Added support for processing the following file formats:
    • Autonomy IDOL db (.idx) load files
    • iPhone call history database files
    • iPhone voicemail database files
    • PGP/MIME-encrypted emails are decrypted when the key and password are provided.
    • S/MIME-encrypted emails are decrypted when the key and password are provided.
    • UUEncode (.uue) files
    • ext4 filesystem images.
    • Android SMS databases.
    • Android call / contact databases.
    • Cellebrite XML reports.
    • XRY 6.0 logical image files (.xry).
    • VCard Text Contact Files (.vcf) and XML Contact Files (.vcf, .xml).
  • Added support for carving unallocated space and unidentified data items.
  • Added support for detecting, but not fully processing, the following file formats:
    • XXEncode (.xxe) files
    • Palm database files (.pdb) files
    • Mobi eBook (.mobi, .prc, .azw, .azw3) files
    • FictionBook eBook (.fb2) files
    • Sony BBeb eBook (.lrf) files
    • GIMP xcf image (.xcf) files
    • AutoCAD Shape, Slide and Slide Library (.sld, .shx, .slb) files
    • CAXA Cad (.cax) files
    • AOL Personal Filing Cabinet email (.pfc) files
    • Corel Draw and Corel Graphics files embedded within Office documents
    • Microsoft Form objects
    • Informed Form Data (.ifm) files
    • Informed Form Template (.itp) files
    • AppleSingle archive files (can extract the contained file and some metadata but not the resource fork.)
    • AppleDouble header files (can extract some metadata but not the resource fork.)
    • Android Dalvik class files (.dex, .odex)
    • Android ADB backup files (.backup)
    • Android package files (.apk)
    • Android resource files
    • Java serialized object streams
    • Google Drive document placeholders (.gdoc, .gdraw, .gsheet, .gslides)
    • OpenType fonts files (.otf)
    • Microsoft DirectDraw Surface image files (.dds)
  • Improved the currency entity extraction.
    • The extractor now finds all currencies using a symbol in the Unicode "Symbol, Currency" (Sc) category, e.g. the Indian Rupee sign.
    • Currency magnitudes are also extracted, e.g. where previously "$100 millones" would only return "$100" it now will return "$100 millones".
    • Many new currency suffixes are supported, e.g. "yen", "euros", "rupees", "שקלים", "ringgits".
    • Additional languages are supported for the extractor, e.g. "790 కోట్ల డాలర్లు" will be extracted.
    • The extractor now handles many forms of negative numbers, e.g. "-$99.99B", "($88.88)", "-$ (77.77)", "-$ (77.77 billion)".
  • When extracting emails from EDB files, favour using the RFC822 email addresses from the RFC822 Received headers if present. This may minimise the extraction of X400 addresses in some situations. Note that this may change the email digest for EDB emails as a consequence.
  • Added support for extracting NTFS alternate streams and HFS+ resource forks out of disk images.
  • Added support for extracting the volume name out of ext2/3/4, HFS+, NTFS and FAT32 volumes.
  • Added deleted file recovery for disk images with NTFS volumes. Deleted items listed in the MFT are now recovered where possible.
  • Added support for extracting unallocated space out of ext2/3/4, HFS+, NTFS and FAT16/32 disk images.
  • Improved support for iOS bookmark databases. Each bookmark is split out to a child item with metadata extracted.
  • Improved support for iPhone voicemail databases. Each voicemail is split out to a child item with metadata extracted.
  • Added communication aspects to Skype database and 'chat sync' data.
  • Added communication aspects to iPhone call and SMS databases.
  • Added communication aspect to Outlook for Mac / Entourage emails and improved support for these items.
  • Improved filesystem metadata extraction for ext2/3/4 and HFS+/HFSX.
  • Improved metadata extraction for Windows portable executables.
  • Added support for extracting 7zip, CAB, ZIP and RAR archives inside Windows self-extracting executables.
  • Added support for extracting newer versions of the Firefox cache.
  • Changed classification of attachments. An attachment is always an attachment regardless of it being an E-mail.
  • Changed the type of filesystem/inaccessible and empty files from kind "System" to "No Data".
  • Lotus Notes "Personal Stationery" documents are now recognised as emails rather than "other" documents.
  • Document repositories now give a warning message if they are added from non-fixed-disk location.
  • Open Office dates that include milliseconds are now correctly processed.

Analysis

  • Added automatic classifiers for predictively coding documents into relevant and irrelevant categories.
  • Added the ability to redact PDFs to remove sensitive content.
  • Added a Markup tab into the Preview pane to view and edit PDF redactions and highlights.
  • Added a Binary tab into the Preview pane to show a hex view of the binary for the item.
  • Added a History tab into the Preview pane to show any history events for the item.
  • New filtered tag metadata identifier that only returns the sub-tags of a specified parent.
  • New item flag metadata identifiers for Inlined, Poisoned, Bad Extension, Partially Processed, Identification Disabled, Text-stripped, Material, Immaterial, Top-level, Not Top-level, Loose File, Not Loose File, Licence Restricted, Reloaded, Family Inline and Suppressed Immaterial Children.
  • The execution speed of the clustering algorithm has been increased.
  • New "selected" metadata identifiers for cluster IDs, cluster pivots, and cluster pivot resemblances.
  • The Filtered Items pane in the Document Navigator now supports filtering by clusters.
  • The ability to remove cluster runs from the GUI is now available. This functionality can be accessed via the top-level Items menu, or by right-clicking items in the Results pane.
  • When a user requests more items during a fast review job, the next batch now contains an item and its family items, as well as the item's chained near-duplicates and their family items provided they are included in the review job.
  • Added a Clusters drop-down menu to the Preview Pane to show the clusters the item belongs to.
  • History now prints using the template-based printing system instead of printing an image of the table.
  • "Show All Top-level Items" option now excludes items above top-level from the result.
  • In the document navigator, added controls for hiding selected panels or all empty panels and expanding a single panel to full view.
  • The System Diagnostics dependency check now recognises Office 2013.
  • Disabling all default search fields is no longer possible.
  • The tag tree is now shown collapsed rather than fully expanded in the add tags dialog.
  • Added the physical_file flag to allow searching for items that were the "physical" files within the case. These correspond to the highest items in the data tree which have binary, and typically correspond to those files which were used as input evidence to the case. These items can be retrieved for cases loaded with 4.2 or later, using the query flag:physical_file.
  • Added a Shingles option in the "View by:" menu of the Results pane. It reports the item counts for the shingles associated with the currently selected items. Various filters are made available.
  • Added per-item history for the following operations:
    • item-related operations (add, remove, reserve, release, complete) on Fast Review jobs
    • legal exports
    • item exports
    • annotation exports
    • digest list exports
    • shingle list exports
    • case subset exports
  • Item sets can now only be modified (details edited or items added) within the case in which they are created.
  • Added support for search macros to help simplify and break up complicated queries. Search macros reside in the user's profile under "Nuix/Search Macros". Any file placed under there with a .macro extension will be loaded as a search macro and can be used in queries. For example, "test.macro" could be executed by querying "$test" and the contents of "test.macro" will be used as the actual query.
  • Fixed an issue where using no default search fields would result in an error when running searches. Now it just returns no results for fragments of the query where the field has been omitted.
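A small expander implementing the search-macro mechanism described above, added here as an example and not Nuix's own code: it loads `*.macro` files by file stem, substitutes `$name` in a query with the macro's contents, follows nested macros and refuses cycles. Wrapping each expansion in parentheses, the macro-name pattern, and the sample field names other than `flag:physical_file` are assumptions.

```python
import re
import tempfile
from pathlib import Path

# A macro name starts with a letter so that a currency literal such as "$100"
# in a query is left alone (assumption; Nuix's exact rule is not documented here).
MACRO_RE = re.compile(r"\$([A-Za-z][A-Za-z0-9_-]*)")


def load_macros(macro_dir):
    """Load every *.macro file under macro_dir (e.g. the profile's
    "Nuix/Search Macros" folder); "test.macro" becomes macro "test"."""
    return {p.stem: p.read_text(encoding="utf-8").strip()
            for p in Path(macro_dir).glob("*.macro")}


def expand_query(query, macros, _seen=frozenset()):
    """Replace each $name in query with the text of the matching macro.
    Nested macros are expanded recursively; each expansion is parenthesised
    so operator precedence inside the macro is preserved (assumption).
    Unknown macros raise KeyError; self-referencing macros raise ValueError."""
    def repl(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"unknown search macro: {name}")
        if name in _seen:
            raise ValueError(f"cyclic search macro: {name}")
        inner = expand_query(macros[name], macros, _seen | {name})
        return f"({inner})"
    return MACRO_RE.sub(repl, query)


def demo():
    """Write constructed macro files to a temp dir and expand a sample query."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample macros; "from:"/"to:" are illustrative field names.
        (Path(d) / "test.macro").write_text("from:alice AND to:bob\n")
        (Path(d) / "physical.macro").write_text("flag:physical_file\n")
        (Path(d) / "both.macro").write_text("$test AND $physical\n")
        return expand_query("$both OR $test", load_macros(d))


if __name__ == "__main__":
    print(demo())
```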

Export

  • Added the ability to export a case subset into an existing case.
  • Added the ability to include clustering information when exporting a case subset.
  • Changed the legal exporter to order items exported from a production set based on their document ID.
  • Changed wording of "Export messages as" to "Convert mail, contacts, calendars to" to reflect what really happens when this option is selected.
  • Changed ringtail export item classification. Items which are E-mails are now marked as attachments if they are themselves attached to another item. Previously being an E-mail overrode being an attachment. Thus only the top level item will be marked as E-mail, all other items below it will be attachments.
  • There is no longer a requirement to have Ghostscript installed to generate TIFF files for export.

Scripting

  • Ruby scripts are now run with an interpreter compatible with Ruby 1.9.3. If your scripts rely on features of 1.8.x which have been dropped in 1.9.x, or if they contain non-ASCII characters, they may need to be changed slightly. See Additional Information for Ruby for further information.
  • When running a script from the command-line, a script which returns a numeric value will cause the process to return that value as the exit code. This allows any scripting language to generate failure exit codes (previously only possible in Ruby.) In Ruby, the existing exit n method still works.
  • Added ItemTypeUtility, ItemType, ItemKind and related methods, replacing methods relating to item types which were returning strings.
  • Added additional Case.searchUnsorted methods which run faster due to not needing to score the results nor sort them. One is for the case where you just want to do set maths on the results. The other returns results as they come in for fast feedback.
  • Added Item.getLocalisedName() and Item.getLocalisedPathName() to return the localised placeholder name (e.g. Unnamed Image) when the item's name is blank.
  • Added Item.matchesSearch to check if an item matches a search.
  • Added Case.generateClusterRun(name, resemblanceThreshold, items) to create a cluster run.
  • Added Case.getStatistics() which returns an object for performing statistics on the case.
  • Added Processor.scanForNewChildItems and Processor.reloadFromSourceData.
  • Added Processor.whenItemProcessed(callback) which invokes callback when items are processed.
  • Added Processor.whenCleaningUp(callback) which invokes callback when the processor starts cleaning up.
  • Deprecated the last few methods in the API which returned java.util.Date, replaced by equivalents which return org.joda.time.DateTime.
  • Case metadata now has the name set automatically if the script didn't provide it.
  • Multiple connections to the same case can now be made in the same process without the use of a Nuix Server to share the case. This allows running a script which opens the case itself while the case is still open in the application. Behaviour is as if another user made the changes (they won't reflect immediately, but will eventually be refreshed.)
  • Added ItemSet.addItemsDeduplicatedBy which allows for custom deduplication in Item Sets similar to ItemUtility.deduplicate(Collection<Item> items, ItemExpression<?> expression).
  • Fixed a bug where Item.getTopLevelItemDate() would return a date for items above the top-level item, instead of returning null.

Miscellaneous

  • The name of the nuix_desktop.exe has changed to nuix_app.exe.
  • The evidence and investigator time zone components now list all available time zones.
  • The case databases are now compacted when items are deleted to reduce disk usage.
  • When asked for a username and password on the console, you will be told which server is asking.
  • The Recent Cases menu now shows the cases by name instead of directory.
  • Cases can now be opened read-only (you just can't make any changes.)
  • Added GUI options for turning off item counts for links in the preview pane and when adding tags.
  • Added a GUI option for turning off counts in the Clusters drop-down menu of the Preview Pane.
  • Added GUI option for turning off ancestry/tag/comment column in results list.
  • Added GUI option for setting the default value for Show/Hide Immaterial Items for the results view pane.
  • The Find dialog now remembers its settings for the next time it comes up.
  • The case settings entered when creating a new case or exporting to a case now copy the name from the directory, as long as the name hasn't been manually edited first.
  • When printing to a file (e.g. using Windows' XPS printer), cancelling would throw up an unexpected error dialog. This is now silently handled the same as other forms of cancellation.
  • History records are now sorted more strictly by the start date.