Recent releases for CDQR
Feed: http://open-source-security-software.net/project/CDQR/releases.atom (generated with python-feedgen, last updated 2024-11-18T18:25:32.353451+00:00)

CDQR 1.05 (2016-03-22T14:57:11+00:00)
## What's New
Added Do All The Things! parser (datt)
- This enables all parsers for Plaso (version appropriate) and disables the partition/shadow copy options. This is meant to assist in processing extracted artifacts, not entire images.
- This can be used on individual files as well as all files in a folder
- Example: `cdqr.exe -p datt c:\logs\eventlogs` or `cdqr.exe -p datt c:\logs\eventlogs\security.evt`
Now supports Plaso 1.4!
- Adjusted default parsers for Plaso 1.4
- Added compatibility for Plaso 1.3 and Plaso 1.4
- Removed references to parsers no longer found in Plaso
- Includes the new MFT, USNJRNL, and Firefox cache version 2 parsers found in Plaso 1.4

CDQR 2.01 (2016-03-22T14:58:47+00:00)
## What's New
- Ability to parse Mac images
- Ability to parse Linux images
- 14 reports for DATT: Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall, Mac, and Linux
- 12 reports for Win: Event Logs, File System, MFT, UsnJrnl, Internet History, Prefetch, Registry, Scheduled Tasks, Persistence, System Information, AntiVirus, Firewall
- 7 reports for Mac and Lin: File System, Internet History, System Information, AntiVirus, Firewall, Mac, and Linux
- Improved the way existing log files and results directories are handled
- Ability to create an export file

CDQR 3.00 (2017-01-01T00:55:02+00:00)
## What's New
- Supports Plaso 1.5.x!!
- New "Login" Report that incorporates login information for Windows and Linux
- ElasticSearch output mode supported
- Supports .zip file source input detection and handling
- Python version works on Windows, Linux and Mac
- Improvements to support the [CCF-VM](https://github.com/rough007/CCF-VM) release
- NOTE: Ensure line endings are correct

CDQR 3.0.1 (2017-02-03T00:41:25+00:00)
Fixed a bug that was removing the leading forward slash "/"

CDQR 3.1 (2017-02-13T05:27:16+00:00)
## What's New
- New "Appcompat" Report that separates the Appcompat results into a dedicated report
- Improved report format for appcompat, event log, file system, mft, prefetch, and scheduled tasks reports
  - Easier to read
  - More pivot points
  - Allows additional sorting options (looking at you Appcompat entry order)

CDQR 3.1.1 (2017-02-16T00:36:58+00:00)
## What's New
- Optimized the final report parsing algorithm to decrease report generation time
- Fixed a bug where some event log reports had an extra carriage return causing blank lines to appear between actual lines

CDQR 3.1.2 (2017-02-17T02:56:24+00:00)
## What's New
- Added descriptions for security-related event IDs (EIDs) in the Event Log Report

CDQR 3.1.3 (2017-03-11T21:23:06+00:00)
## What's New
- Fixed bug when selecting Plaso directory

CDQR 4.0.0 (2017-07-24T03:56:41+00:00)
* More output options than ever
  * 2 ElasticSearch outputs
    * TimeSketch
    * Kibana
  * Compressed line-delimited JSON file
* Now faster than ever with new multi-threading support for all reports
* Additional improvements to support the [CCF-VM](https://github.com/rough007/CCF-VM) release
* Easier to use
  * Better accepts .zip files as input
  * Easier to read and more detailed logging enabled
* Direct Plaso database file support (use the `--plaso_db` option to read directly from a Plaso database file)
```
cdqr.py --plaso_db artifacts.db
```

CDQR 4.1.0 (2017-10-30T13:31:14+00:00)
## What's New
* Adding Plaso v20170930 support
## Where to get Plaso 20170930
[https://github.com/log2timeline/plaso/releases/tag/20170930](https://github.com/log2timeline/plaso/releases/tag/20170930)
## Upgrade Plaso from 1.5.1 to 20170930 script for CCF-VM 2.x:
```
sudo add-apt-repository -y universe
sudo add-apt-repository -y ppa:gift/stable
sudo apt -y purge python-artifacts python3-artifacts plaso plaso-data plaso-tools python-plaso forensics-all
sudo rm -rf /usr/lib/python2.7/dist-packages/plaso
sudo apt -y -f install
sudo apt -y autoremove
sudo apt -y autoclean
sudo -H pip uninstall PyYAML
sudo -H pip uninstall artifacts
sudo apt -y update;sudo apt-get -y dist-upgrade
sudo apt -y install python-plaso plaso-tools
sudo shutdown -r "now"
```
## Upgrade Plaso from 1.5.1 to 20170930 script for non-CCF-VM Ubuntu 16.04 installations:
```
sudo add-apt-repository -y universe
sudo add-apt-repository -y ppa:gift/stable
sudo apt -y purge python-artifacts python3-artifacts plaso plaso-data plaso-tools python-plaso forensics-all
sudo apt -y -f install
sudo apt -y autoremove
sudo apt -y autoclean
sudo apt -y update;sudo apt-get -y dist-upgrade
sudo apt -y install python-plaso plaso-tools
sudo shutdown -r "now"
```

CDQR 4.1.1 (2018-01-14T21:54:16+00:00)
## What's New
* Adding [Plaso 20171231](https://github.com/log2timeline/plaso/releases/tag/20171231) support
* Now using the ".plaso" extension to match TimeSketch output (makes it easier to import into TimeSketch through its web UI)
* Improved logging

CDQR 4.1.3 (2018-03-11T19:31:14+00:00)
## What's New
* Adding [Plaso 20180127](https://github.com/log2timeline/plaso/releases/tag/20180127) support
* Various improvements for ELK 6.x compatibility
* Improved logging

CDQR 4.1.4 (2018-04-01T01:09:04+00:00)
## What's New
* Updated and aligned the `win`, `lin`, `mac`, and `datt` parser lists with Plaso 20180127

CDQR 4.1.5 (2018-04-06T05:43:09+00:00)
## What's New
* Updated and aligned all parsers and reports with Skadi 2018.1

CDQR v0.90 (2018-05-02T06:31:56+00:00)
AIL Framework initial release v0.90

CDQR v1.0 (2018-05-11T14:33:40+00:00)
AIL Framework version 1.0 released, including a migration from Python 2 to Python 3.
- Redis level-db has been moved to [ARDB](https://github.com/yinqiwen/ardb)
- UI improvements, including the ability to get a paste in raw format
- New Base64 detection module to find and decode Base64 data (and save extracted files including metadata)
- New API key detection module (Google, AWS and similar providers)
- New bitcoin address detection and validation module
- Improved X.509 certificate detection (Keys module)
- Many bug fixes

CDQR 4.1.6 (2018-05-27T01:20:30+00:00)
## What's New
* Updated and aligned with Skadi 2018.2
* Updated to support Plaso v20180524

CDQR v1.1 (2018-06-06T08:26:49+00:00)
A new release of the AIL Framework includes new functionalities such as tagging and classification relying on [MISP taxonomies](https://www.misp-project.org/taxonomies.html) and [galaxy](https://www.misp-project.org/galaxy.html). For more information, have a look at the [AIL wiki](https://github.com/CIRCL/AIL-framework/wiki/Tags).
- Tagging can now be used in the UI, and the modules also tag automatically based on detection/analysis.
- Tags are now displayed while browsing important pastes and in search results.
- A bug in duplicate modules detection has been fixed to avoid empty hash creation.
- Duplicate hashes are now persistent and stored on disk.

CDQR v1.2 (2018-06-20T09:01:19+00:00)
AIL Framework version 1.2 has been released, including TheHive and MISP integration.
- AIL Framework is now capable of auto-publishing (based on tags) events in [MISP](https://www.misp-project.org) or alerts in [TheHive](https://www.thehive-project.org/). Events or cases can be created on request when browsing pastes.
- A new submit interface to ease the submission and processing of data in AIL Framework.
- Introduction of false-positive or true-positive marking on tags to allow the classification of information. This will later be used to improve the automatic classification of processed information.
- [GDPR document released](https://www.circl.lu/assets/files/information-leaks-analysis-and-gdpr.pdf) about the use of AIL in the scope of processing personal information.

CDQR 4.1.7 (2018-08-06T15:20:28+00:00)
Fixed an issue with logging related to using newer versions of Plaso that are not specifically supported. This means Plaso updates won't stop CDQR from running. It will mean that the parsers used haven't been vetted for that version of Plaso.

CDQR v1.3 (2018-08-24T12:47:57+00:00)
AIL Framework version 1.3 released, including automatic decoding of files from unstructured data
New features:
- Detection of IBAN bank accounts is now included
- A cleaner module for decoding files (Base64, hex encoded) from unstructured data
- A new UI for browsing decoded files, their types and relationship
Many bugs fixed and small improvements.

CDQR 4.1.8 (2018-09-05T20:59:43+00:00)
# What's New
* Added ability to send data to remote ElasticSearch server
* Added ability to send username when connecting to ElasticSearch server
* Added ability to use newer versions of Plaso by enabling the use of the `--no_dependencies_check` flag

CDQR 4.1.9 (2018-09-19T22:02:20+00:00)
# What's New
* Flipped how the no dependencies flag works

CDQR v1.4 (2018-10-02T15:36:25+00:00)
AIL Framework version 1.4 released, including Tor hidden services crawler and monitoring.
Major new feature:
- Tor hidden service crawler. AIL now includes the ability to crawl and parse output crawled from Tor hidden services.
- Tor onion availability is monitored to detect when hidden services go up or down.
- Screenshots are captured and integrated in the analysed output.
- Blurred interface functionality has been added to avoid "burning the eyes" of the security analyst with specific content.
- As the collected information is part of the standard framework, all the AIL modules are available to the crawled hidden services.
New features:
- New export modules for statistics including credentials, phones, banking and TLDs.
Many bugs were fixed.

CDQR 4.2.0 (2018-10-04T00:48:49+00:00)
# What's New
* Included an optional argument `-f` to allow filter files to be included

CDQR 4.2.1 (2018-10-06T10:28:59+00:00)
# What's New
* Included an optional argument `--ignore_archives` to skip extracting and inspecting the contents of archives found inside the artifact list or disk image

CDQR 4.2.2 (2019-01-21T09:29:20+00:00)
Compliance Updates

CDQR 4.3 (2019-01-24T05:08:29+00:00)
# What's New
* Completed refactor of the parsers for Plaso v20181219 and documented them at the following locations
  * [Mac](https://github.com/orlikoski/CDQR/blob/master/docs/parser_mac.csv)
  * [Lin](https://github.com/orlikoski/CDQR/blob/master/docs/parser_lin.csv)
  * [Win](https://github.com/orlikoski/CDQR/blob/master/docs/parser_win.csv)
  * [DATT](https://github.com/orlikoski/CDQR/blob/master/docs/parser_datt.csv)

CDQR 4.4 (2019-03-22T01:40:53+00:00)
# What's New
* Added accept all defaults option
* Minor bug fixes

CDQR v1.5 (2019-04-26T13:40:46+00:00)
AIL Framework version 1.5 released, including major improvements in the crawler, server management, Bootstrap 4 support and many more.
![ail-1 5-2](https://user-images.githubusercontent.com/3309/56811583-5b8e7c80-6839-11e9-80b9-ce840c2a8f63.png)
![ail-1 5-1](https://user-images.githubusercontent.com/3309/56811584-5b8e7c80-6839-11e9-97c0-c4591cdf9cc6.png)
- [UI] Server management. Check for new updates/versions and show background update progress
- [update] Background update process introduced
- [UI] Bootstrap 4 migration started (crawler and tags view)
- Crawler includes new functionalities
  - Port can now be configured
  - Configurable crawling including one-time crawler, regular crawling and type of crawling (e.g. including HAR, screenshots, blacklist management)
- All items (pastes) are now tagged by date range
- Many bugs were fixed
- Significant performance improvements in the back-end

CDQR 5.0 (2019-04-26T23:47:43+00:00)
# What's New
- Removed plaso version compatibility check
- Added log file names for new Plaso log files
- Changed processing view mode to None
- Changed MFT and USNJRNL processing options
  - Removed from `win` parser default
  - Added `--mft` and `--usnjrnl` flags to use with `win` parser
  - Created `mft_usnjrnl` parser that only does those things
- Added Plaso pass through for
  - artifact_filters_file
  - artifact_filters
  - artifact_definitions
  - custom_artifact_definitions
- Made processing archives disabled by default
- Updated README
- Updated version number
- Updated Docker build for 5.0
- Updated helper script for 5.0
- Source code formatting updates

CDQR v1.6 (2019-05-13T09:58:22+00:00)
# Changes
- [travis] Travis has his own venv where it installs "stuff". Now we detect and use it in the launcher. [Steve Clement]
- [travis] Require Python 3.6 to make build faster. [Steve Clement]
- [doc] Some stats on build status/gitter etc. [Steve Clement]
- [hashDecoded] cleanup for the VT message + PEP. [Alexandre Dulaunoy]
# Fix
- [faup] fix new return types (bytes to str) [Terrtia]
- [Crawler] force domains/subdomains lower case (rfc4343) [Terrtia]
- [showpaste] fix: #346, avoid None screenshots. [Terrtia]
- [python requirements] rename file. [Terrtia]
- [crawler] typo: domains down. [Terrtia]
- [travis] LAUNCH.sh needs -l to launch... [Steve Clement]
- [travis] Next round of travis fixes. LAUNCH.sh is the only launch script needed. chg: [installer] Be way more quiet, watching unzips is only fun during development. chg: [installer] Make the arch one +x. [Steve Clement]
- [installer] Avoid doing funky **sudo pip install** moves, it breaks python on package managed python installs, if ever, use the **--user** flag. [Steve Clement]
- [travis] Try and require xenial (16.04) and see if it works better. [Steve Clement]
- [travis] There are issues on the 14.04 build system of Travis. This fixes it temporarily. [Steve Clement]
- [Onion] typo. [Terrtia]
# Other
- Merge branch 'master' of https://github.com/CIRCL/AIL-framework. [Terrtia]
- Chg; [doc crawler] use the torproject torrc. [Terrtia]

CDQR v1.7 (2019-05-24T11:36:18+00:00)
# Changes
- [correlation] clean files. [Terrtia]
- [update v1.7] update thirdparty. [Terrtia]
- [correlation] add cryptocurrency + refractor correlation. [Terrtia]
- [Bitcoin] map cryptocurrency: bitcoin (DB pivot) [Terrtia]
- [update v1.7] add update scripts. [Terrtia]
- [pgpdump] reprocess tagged items + fix pgpdump. [Terrtia]
- [Update] force update order. [Terrtia]
- [PgpDump] fix graph + add new tags: pgp-signature pgp-public-key-block + avoid keys injection in pgp user_id. [Terrtia]
- [decoded UI] add PgpDump UI + fix hashdecoded js. [Terrtia]
- [decoded items] bootstrap 4 migration. [Terrtia]
- [PgpDump] add PgpDump backend TODO: UI. [Terrtia]
- [crawler] manual/auto crawler: always save screenshots. [Terrtia]
- [crawler] manual/auto crawler: always save screenshots. [Terrtia]
# Fix
- [correlation] fix endpoint. [Terrtia]
# Other
- Update README.md. [Thirion Aurélien]
- Merge branch 'master' of https://github.com/CIRCL/AIL-framework. [Terrtia]
- Merge pull request #349 from kovacsbalu/fix-paste-encoding. [Thirion Aurélien]
  Fix #314
- Use default encoding error from redis. [kovacsbalu]
- Fix #314 Replace char on redis encoding error. Try to use local file on other error. [kovacsbalu]
- Merge pull request #350 from kovacsbalu/fix-crawler-rotation. [Thirion Aurélien]
  fix: [crawler] rotation
fix: [crawler] rotation
- Hopp, single quote :) [kovacsbalu]
- Fix crawler rotation. [kovacsbalu]
Before this, crawler processed prioritized onions and after all starts prioritized regular.

CDQR 5.1.0 (2019-08-10T00:43:27+00:00)
- Adding support for
  - Plaso v20190708
- Parser changes
  - Refactored all existing parser lists (Windows, Linux, MacOS, DATT) for Plaso 20190708
  - Added Android parser option
- Report changes
  - Added the following reports
    - amcache
    - bash
    - android
  - Refactored the following reports
    - Web History
    - MacOS
    - Linux
    - AntiVirus
    - System Information
    - File System
  - Removed Login report
- Updated Docker build

CDQR 20191128 (2019-11-29T02:23:28+00:00)
Docker build updates and parser argument support for Plaso v20190916

CDQR 20191225 (2019-12-26T02:55:21+00:00)
Fixed the export function

CDQR 20191226 (2019-12-26T17:19:14+00:00)
Fixed export function
Updated Docker file
Updated parsers list to address an issue caused by the fsevent parser name change