General improvements for Report
i've written previously, tips about the missing parts in the report.
I would like to make a summary of what should be added to the validity of forensic evidence purposes.
1) You should put all details of the file: HASH, Creation date, Modification date, last Accessed date, file/folder position in memory unit (path), eventually a link for the metafile report (if: jpg, doc, etc...)
2) One option to add "Thumbnail list (with link to the file/evidence)" for graphics file (jpg, bmp, png, etc...)
3) It's important that the hash of the files is not only SHA-1, but:
- or SHA-1 + MD5 (contextually)
- or SHA-256
- or latest version (es. SHA-512)
SHA-1 is being retired for most government uses; the U.S. National Institute of Standards and Technology (NIST) says, "Federal agencies should stop using SHA-1 for...applications that require collision resistance as soon as practical, and must use the SHA-2 family of hash functions for these applications after 2010".
The SHA-1 value is already being generated for all items added to a case. You can view it by right clicking on an item in the case and selecting properties.
For the next patch release (which will be this week, fingers crossed) we'll also add SHA-256 and an option to have them displayed in the report.
New build is out today with an option to include SHA-256 (and SHA-1) in the report.
Any news for new features in Report?
Have a look at the V1.1 beta release.
MD5 in now calculated for the case items, and there is the option to include them into the report. The full path can also be included in the report.
But we should also add more date / time details before the final V1.1 release.
Tags for this Thread