Thursday, December 26, 2013

Daily Blog #186: ANJP v3 Beta Release Announcement

Hello Reader,
I'm happy to announce a pretty big milestone for us in the G-C labs, ANJP v3 Beta! If you've been watching the Forensic Lunch you know about the new features and capabilities we've been adding as we work our way to a commercial tool release to go alongside our free parser. We think that this beta release is a pretty significant step forward towards that goal.

What's new in V3?
  • We've ported the GUI from win32 to WX, which means once we figure out the details we'll have GUI compiled versions of ANJP for Mac and Linux alongside Windows.
  • Rather than just dump out text files, which it still can do, you can now export directly to Excel (xlsx) files.
  • The GUI has been extended beyond just "select files and process" to include a report viewing option that will allow you to:
    • View, search and export the MFT
    • View, search and export the USNJrnl
    • View, search and export the $logfile
    • View transaction-based events such as file creation, deletion and renames
    • View change-based events such as timestamp changes, what was burned to CD and more
  • We've developed an XML-based rules engine that we've populated with some sample rules. The rules engine is still under development to expose all the underlying options within the MFT/USN/$Logfile, but it's very functional right now.
  • You can now specify your own rules or IOCs and the parser will show you what matches.
  • Adding rules will not require you to reparse the data!
  • Full Unicode Support
  • Fixes for weird one off journals we've been sent (Thanks for those who've done so!)
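The rules-engine bullets above describe matching user-supplied rules or IOCs against records that have already been parsed, so adding a rule never requires reparsing the $MFT or $UsnJrnl. The Python below is an added example written for this post, not ANJP's code. Its XML rule syntax, the record field names and the sample MFT/USN records are all constructed assumptions; the point is the parse-once, match-many structure, including an "$SI created before $FN created" check of the kind a timestamp-change rule would express.

```python
"""Added example: parse artifacts once, apply XML rules many times.
Rule syntax, field names and records are hypothetical, not ANJP's schema."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample records, shaped loosely like parsed $MFT and $UsnJrnl
# entries. Every field name and value here is an assumption for this demo.
RECORDS = [
    {"source": "MFT", "path": r"C:\Windows\System32\svchost.exe",
     "si_created": "2013-01-02T10:00:00", "fn_created": "2013-01-02T10:00:00"},
    {"source": "MFT", "path": r"C:\Users\Bob\AppData\Local\Temp\update.exe",
     "si_created": "2009-07-14T00:00:00", "fn_created": "2013-12-20T15:22:10"},
    {"source": "USN", "path": r"C:\Users\Bob\Documents\report.docx",
     "reason": "FILE_DELETE|CLOSE", "timestamp": "2013-12-21T09:05:00"},
    {"source": "USN", "path": r"C:\Users\Bob\Downloads\invoice.pdf.exe",
     "reason": "FILE_CREATE|CLOSE", "timestamp": "2013-12-21T09:06:30"},
]

# Hypothetical XML rule syntax (an assumption, not ANJP's real rule format).
# <match> tests one field by substring or regex; <earlier> compares two
# ISO-8601 timestamp fields on the same record.
RULES_XML = r"""<rules>
  <rule name="double-extension executable" source="USN">
    <match field="path" regex="\.[a-z]{3,4}\.exe$"/>
  </rule>
  <rule name="deleted user document" source="USN">
    <match field="reason" contains="FILE_DELETE"/>
    <match field="path" regex="\\Users\\.*\.(docx?|xlsx?)$"/>
  </rule>
  <rule name="SI created before FN created" source="MFT">
    <earlier field="si_created" than="fn_created"/>
  </rule>
</rules>"""


def _ts(value):
    """Parse an ISO-8601 string; missing fields become None."""
    return datetime.fromisoformat(value) if value else None


def _earlier(rec, a, b):
    """True only when both timestamps exist and field a precedes field b."""
    x, y = _ts(rec.get(a)), _ts(rec.get(b))
    return x is not None and y is not None and x < y


def load_rules(xml_text):
    """Compile the XML into a list of rules, each a list of predicate closures."""
    rules = []
    for r in ET.fromstring(xml_text).findall("rule"):
        conds = []
        for c in r:
            if c.tag == "match":
                field = c.get("field")
                if c.get("regex") is not None:
                    pat = re.compile(c.get("regex"), re.IGNORECASE)
                    conds.append(lambda rec, f=field, p=pat: bool(p.search(rec.get(f, ""))))
                elif c.get("contains") is not None:
                    needle = c.get("contains")
                    conds.append(lambda rec, f=field, s=needle: s in rec.get(f, ""))
            elif c.tag == "earlier":
                conds.append(lambda rec, a=c.get("field"), b=c.get("than"): _earlier(rec, a, b))
        if conds:  # a rule with no conditions would match everything; skip it
            rules.append({"name": r.get("name"), "source": r.get("source"), "conds": conds})
    return rules


def apply_rules(rules, records):
    """Run every rule over already-parsed records; the artifacts are not reread."""
    hits = []
    for rule in rules:
        for rec in records:
            if rule["source"] and rec.get("source") != rule["source"]:
                continue
            if all(cond(rec) for cond in rule["conds"]):
                hits.append((rule["name"], rec["path"]))
    return hits


def add_rule(rules, rule_xml):
    """Append a single <rule> fragment (for example an IOC) without reparsing anything."""
    rules.extend(load_rules("<rules>" + rule_xml + "</rules>"))
    return rules


if __name__ == "__main__":
    rules = load_rules(RULES_XML)
    for name, path in apply_rules(rules, RECORDS):
        print(f"{name}: {path}")
    # Later: an analyst drops in an IOC; only the in-memory records are rescanned.
    add_rule(rules, '<rule name="IOC: temp update.exe"><match field="path" contains="Temp\\update.exe"/></rule>')
    for name, path in apply_rules(rules, RECORDS):
        print(f"{name}: {path}")
```

The closures capture their field and pattern through default arguments so each rule's conditions stay bound correctly after the loop finishes; the `source` attribute lets a rule be scoped to one artifact, and an unset `source` applies the rule to every record.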

What's left to do?
  • Finish the development of the rules engine for MFT and USN operations
  • Fully document the rules creation process and parameters
  • Full image access with a Perl port of libtsk
If you want to sign up for this beta go here:
https://docs.google.com/forms/d/1GzOMe-QHtB12ZnI4ZTjLA06DJP6ZScXngO42ZDGIpR0/viewform

If you want to start testing our perl-tsk port go here:
https://github.com/wsdookadr/Tsk-XS

Our plan is to take the module once completed to CPAN so the DFIR perl developers of the world can come back into equal footing with our python brethren.

Also tomorrow we are having an open Forensic Lunch where anyone can join the video chat room and talk about 2013 and the year to come in DFIR. I hope you'll join me:
https://plus.google.com/u/0/b/105962155502598586194/events/cf6g55kk25m08pm8afb7ct1mb9k