MetaDiver 2.0 is finally here. I hope to drop the alpha release of 2.0 tomorrow in Downloads!
This is a huge list of features and changes for MetaDiver. It’s been a LOT of work but a lot of fun and much of the research that has gone into the code has been hugely beneficial in my forensic investigations and of course my investigations give more ideas than one person can possibly explore. There is a lot to digest and a lot of nuance I’m missing so I hope to capture it in a document sometime soon. Below is what to look for in 2.0 and a few thoughts on next steps.
I still plan to work on a paid version with features I can only get by buying some libraries that aren’t cheap, not to mention all the countless hours of research and coding that have gone into this deceptively simple app and its offspring. And you wonder why my social life sucks. Anyone want to be an unpaid tester, intern, coder?
GUI – Supports multiple source paths.
GUI – Support for individual files.
GUI – Better browse window. You can paste paths if you want or browse.
GUI – Look and feel changes, improvements.
GUI – progress now in main window. You can still use Status Window.
GUI – Rewrite of Extension Filter. Still needs work…
Core – Complete rewrite of the core for better code maintainability. Less reliance on Shell.
Columns – Better mappings. Removed redundant and irrelevant columns.
Columns – Better culling of empty columns.
Error handling – improvements. Try try catch catch… finally.
File Props – Grabbing UTC times from the file system rather than shell. You can turn on local time values as well, but they are off by default.
Office 2007+ Docs – Direct support added. Wrote a handler for xml based docs using Open XML.
Open Office Docs – Direct support added. Wrote a handler for xml based docs using Open XML.
PDF – Dropped old core.
PDF – Replaced handler with pdf clown.net.
PDF – Complete rewrite
PDF – Grabs magic number as string
ZIP – Added support for archive files such as zip, 7zip, arj, rar, cab, iso, vhd, etc., using SevenZip
Review window – Now Enabled (Only supports a max of 10,000 records for now). Just export to file if you have more.
Review window – Can filter data dynamically by column.
Review window – Can export filtered views.
Exports – Better naming and handling.
Hashing – bug fixes in preventing file locks.
Replaced – Dumped old XLSX library for Open XML. Much faster and no more corrupted reports!
Dropped – ExifLib in favor of Shell32 for now due to major bugs in ExifLib.
Image Mounting using Arsenal Image Mounter (Raw, E01, vhd, vmdk) – Pretty buggy!! (Use with care. Back up your work first…just saying). This is a trial run…
#Working on fully documenting credits for open source projects, working on it for gold release.
On the way (pro)
#pst, msg handling
#archive expansion (expand child objects from zip, iso, msg..)
#case info, case path, database to write case records and retrieve.
#review window handling more than 10k records.
#shadow copy previous revisions
#more that I can’t remember…
Action list from my January post on the RoadMap. Let’s see how I did.
- Better Interface. General improvements to the main window look and flow. Multiple paths can be processed at once.
- Input File Filtering – The ability to select only the file extensions you want to be processed.
- Better output – The ability to get less bloated information to review.
- Image mounting – Mount RAW, E01 images (likely 2.1). The hold up is working out the code to install the virtual iscsi driver the first time.
- Review window – review meta-data without having to export.
- Case Information and database to store metadata so you can reload it for review without having to reprocess.
- Case Manager to track various cases you have processed
OpenXML is now used for Office 2010 or newer documents. OpenXML is also used to generate reports. This improves the speed of exporting to XLSX dramatically.
- Read email headers like files from PST, MSG, EML files – Probably not in 2.0 but 2.1.
- Command line version is also in the works. Probably in 2.1.
Reorganizing the guts. I’ve spent a lot of time refactoring code and just cleaning things up. This is the first time I’ve done any major refactoring since the MetaDiver proof of concept. Moved to .NET 4.5 framework. Now a requirement to run MetaDiver.
- Bug fixes
ExifLib is failing on some EXIF versions (221). Until the library is fixed or I find a better replacement, fall back to Shell when parsing the EXIF header fails. Shell does a good job but won’t give you GPS.
That’s all I can remember right now… More later.
Check back soon!!