Release Notes: The ability to start in non-graphical mode by passing "live 3" as a boot parameter. An updated version of Guymager (0.3.1). Two Windows tools to copy Win32 memory (including Vista): win32dd and mantech mdd. The memory analysis tool Volatility was added. The registry analysis tool regripper was added. aeskeyfinder and rsakeyfinder were added. A better starting Web page and a better description of the tools on the CD. An updated version (0.40) of the Perl library Parse-Win32Registry. Version 3.3.4 of afflib. Many other updates.
Release Notes: The CD is now based on the Debian Live Project. There is a graphical user interface by default (xfce4). A new graphical tool, GuyMager, is used for forensic copy. GuyMager supports Encase ewf images (through libewf), and it makes intelligent use of multi-core CPUs so that compressed copies are done faster than uncompressed ones. A new low-interaction honeypot, Amun, was added.
Release Notes: This release adds a new set of tools that allow an investigator to capture the memory from another host through the Firewire bus, even if the target host is an MS Windows box. A new tool to retrieve images from Thumbs.db (MS win thumbnails cache) was added. Rdd, a new forensic image acquisition tool, was added. A lot of other tools were added and upgraded.
Release Notes: A PXE boot feature was added to search for keywords in large-scale networks. An MS eventlog viewer and a registry viewer were added. mwcollect and nepenthes were added to ease malware hunting. Lots of packages were added.
Release Notes: This release is based on Knoppix 3.9 with the slow USB (UB) driver removed. A lot of new packages were added, including mork.pl, a tool to read Firefox history, fccu-docprop to read MS OLE doc properties, and dd_rhelp to ease the use of dd_rescue. Most of the packages were upgraded to the latest versions, including The Sleuthkit.
Release Notes: This release adds a new kernel with the slow and buggy low-performance USB block device driver removed. It adds /dev/sdx again. NTFS write support has been removed because it was too dangerous for forensic purposes. All LUNs for SCSI devices are now probed to support most USB multi-card readers. Automatic DMA activation is done at boot time to speed up IDE disks. The USB2 high-speed driver is automatically loaded now; there's no need for "modprobe ehci-hcd".
Release Notes: This release is based on Knoppix 3.8.1. It includes the Sleuthkit 2.01. dcfldd is included. A lot of packages were added.
Release Notes: The brand new SleuthKit 2.0 was added. There is support for LVM and hfsplus. Tools added include lshw, scsitools, glark, mdbtools, gpsd, and more.