FBI application solution video demo:

The world's most advanced multilingual email data analysis software


Chapter 7   Upgrade Information

New features in FBI version 2.6

New features in FBI version 2.8

Earlier upgrade information

Version 2.8.0 to Version 2.8.1

Extraction

  • Outlook items inside EDB, PST or MSG files which contained non-English characters stored inside RTF text elements were, in some situations, not decoded correctly. This has been fixed.
  • In rare situations, attachments extracted from an EDB file could be truncated by a few bytes. This has been fixed.

Version 2.7.4 to Version 2.8.0

Extraction

  • Fixed a problem introduced in FBI 2.5.1 where Word 95 documents were not being properly processed.
  • MD5 hashes for email messages are now computed on the email's subject, sender, To and Cc recipients, plus the text of the email and the attachment data. This should create MD5 matches between a sender's copy and a recipient's copy of a specific email message. The previous algorithm used most of the meta-data fields in an email message, including per-recipient information, which prevented MD5 matches from occurring.
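To illustrate the digest change above, here is an added example (not Nuix's code) that builds a sender's copy and a recipient's copy of one constructed message and compares a digest over subject, sender, To, Cc, body text and attachment data with a digest over all headers. Lower-casing and sorting the addresses is an assumption of this example, not something the page states.

```python
import hashlib
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import getaddresses


def build_message(subject: str, per_copy_headers: dict) -> Message:
    """Construct a sample message with one text body and one attachment.

    per_copy_headers carries the transport metadata that differs between
    the sender's Sent Items copy and a recipient's mailbox copy.
    """
    msg = MIMEMultipart()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com, carol@example.com"
    msg["Cc"] = "dave@example.com"
    msg["Subject"] = subject
    msg["Date"] = "Mon, 06 Mar 2006 09:12:00 +1000"
    msg["Message-ID"] = "<constructed-1@example.com>"
    for name, value in per_copy_headers.items():
        msg[name] = value
    msg.attach(MIMEText("Please find the figures attached.\n"))
    msg.attach(MIMEApplication(b"constructed attachment bytes", Name="figures.xls"))
    return msg


# Constructed samples: the same email as it sits in the sender's outbox and
# as it arrived in bob's mailbox (extra Received / Delivered-To headers).
SENDER_COPY = build_message("Quarterly figures", {})
RECIPIENT_COPY = build_message("Quarterly figures", {
    "Received": "from mail.example.com by mx.example.org; Mon, 06 Mar 2006 09:12:07 +1000",
    "Delivered-To": "bob@example.com",
})
UNRELATED = build_message("Lunch on Friday?", {})


def _address_key(value: str) -> bytes:
    # Assumption (not stated on the page): addresses are lower-cased and sorted
    # so display-name and ordering differences do not defeat the match.
    addrs = sorted(addr.lower() for _, addr in getaddresses([value]) if addr)
    return ",".join(addrs).encode("utf-8")


def _content_bytes(msg: Message) -> bytes:
    # Decoded body text followed by decoded attachment data, in message order,
    # so the transfer encoding chosen by a mail client does not affect the hash.
    chunks = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        chunks.append(part.get_payload(decode=True) or b"")
    return b"\0".join(chunks)


def content_digest(msg: Message) -> str:
    """MD5 over subject, sender, To, Cc, body text and attachment data (the 2.8.0 scheme)."""
    h = hashlib.md5()
    h.update(msg.get("Subject", "").strip().encode("utf-8") + b"\0")
    h.update(_address_key(msg.get("From", "")) + b"\0")
    h.update(_address_key(msg.get("To", "")) + b"\0")
    h.update(_address_key(msg.get("Cc", "")) + b"\0")
    h.update(_content_bytes(msg))
    return h.hexdigest()


def metadata_digest(msg: Message) -> str:
    """MD5 over every header plus content (models the pre-2.8.0 behaviour the page describes)."""
    h = hashlib.md5()
    for name, value in sorted(msg.items()):
        h.update(f"{name}:{value}\n".encode("utf-8"))
    h.update(_content_bytes(msg))
    return h.hexdigest()


if __name__ == "__main__":
    print("content digest, sender == recipient:",
          content_digest(SENDER_COPY) == content_digest(RECIPIENT_COPY))
    print("metadata digest, sender == recipient:",
          metadata_digest(SENDER_COPY) == metadata_digest(RECIPIENT_COPY))
```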

Version 2.7.3 to Version 2.7.4

Extraction

  • Support for handling Foxmail BOX mail files.

Version 2.7.2 to Version 2.7.3

Extraction

  • Support for handling Mac OS X Mail.app's emlx files.

Version 2.7.1 to Version 2.7.2

Analysis

  • A new "skin tone" filter is available for new cases, which will be present if the "Skin tone analysis" option in the New Case wizard is enabled. This will allow an investigator to inspect images with various degrees of skin tone present, potentially very useful for quickly locating pornographic images.

Version 2.7.0 to Version 2.7.1

Analysis

  • A new "Show All Top-level items" action has been added to the View menu, and also to context menus in the text view table and the browser tree. This can be used to show, for example, all email messages which contain the selected search results.

Version 2.6.0 to Version 2.7.0

Extraction

  • Support was added for the EnCase "header2" section introduced in EnCase version 4. This allows files with a missing "header" section to be processed.
  • Support was added for the new header format introduced in EnCase version 5. Additional data included in these headers is not yet included but all the case metadata is handled properly.
  • It is now possible to connect to a live GroupWise server as a trusted application, and to download emails from specific user accounts without requiring their password, using IMAP. See the GroupWise Integration documentation for more information.
  • More deleted data can be extracted from some corrupted PST files.
  • It is now possible to extract embedded OLE2 objects within a rich text body inside a Lotus Notes item.

Analysis

  • A new export option to Casebook Ringtail has been added.

Version 2.5.5 to Version 2.6.0

Extraction

  • DLLs are now distinguished from EXEs by their file extension.

Reporting

  • Fixed an issue with printing where, if the scrollbar was not at the top left of a view, blank space was left at the top and left of the printout.

Version 2.5.4 to Version 2.5.5

(Fixed various minor bugs introduced in 2.5.x.)

Version 2.5.3 to Version 2.5.4

Extraction

  • Data is now extracted from Exchange EDB/STM files, for Exchange versions 5.5, 2000 and 2003 SP2. If the "Extract from slackspace of email boxes" processing option is enabled, then those unused chunks in the STM file will be exposed as deleted data elements.
  • Data is now extracted from the cache from Firefox, Camino and other Mozilla Gecko-based web browsers.
  • Winmail.dat attachments, which originate from Microsoft Outlook mail clients, can now be processed. These will only be seen in non-PST/EDB mailboxes for emails sent by an Outlook client which enabled "rich text formatting".

Analysis

  • Fixed an issue where the communication date filter would omit the first search result if there were no search results with communication dates earlier than the start date.

Reporting

  • User-provided header and footer content for the report template has been separated into header.vm and footer.vm, to simplify the process of upgrading FBI in organisations which customise the template.
  • Extra user-provided assets — for example, stylesheets or image files — can now be placed in the templates/Assets directory. All these files will be copied into the Assets directory of all exported reports.
  • The report template is now reloaded every time an export is performed, which should assist in customising the template.

Usability

  • A new look has been introduced for the item view which looks more like a document view. This new view, including the full image tab, can be printed.
  • Communications are now shown on the item view.
  • Matched terms are now highlighted in property names.

Version 2.5.2 to Version 2.5.3

Extraction

  • Added support for extracting data from EnCase images.
  • Added support for extracting data from raw disk dumps (such as those created by 'dd' on UNIX.)
  • Added support for reading files in an NTFS filesystem from disk images.
  • Added support for reading files in an Ext2 filesystem from disk images.
  • Temporary file creation has been greatly reduced, saving disk space and also speeding up operations which used to rely heavily on temp files.
  • Dramatically improved file reading performance when reading large chunks of data, which makes operations like MD5 digests around four times faster.
  • For the purpose of processing NSF files, Lotus Notes Client version 7 is now supported as a prerequisite, in addition to version 6.
  • Fixed a problem introduced in FBI 2.2 with IMAP and POP data stores not being properly processed.
  • Fixed a problem where embedded emails inside emails extracted from DBX, MBX and MBOX files may not have been properly extracted.
  • Fixed a problem where RFC822 emails which had attachments encoded in the main body text in the old uuencoded format with trailing message body text were not processed correctly.

Analysis

  • Annotations are now stored with the evidence instead of the case, such that annotations made on the evidence will be visible from all cases which contain that evidence.
  • A new "Show All Descendants" action has been added to the View menu, and also to context menus in the text view table and the browser tree.

Reporting

  • The user's name is now stored against all new history events.
  • Exports no longer truncate the text at 100,000 characters, but include the complete text. The total text size is thus unlimited for the HTML reports, however the maximum size of the PDF and TIFF reports will depend on the memory available to the application. As a rule of thumb, 512MB allows for around 20MB of text per report.

Usability

  • The F1 help feature now supports navigation using the keyboard.
  • Networks now defaults to a minimum link count of 1 instead of 2, to aid in displaying very small networks.
  • Pressing F1 twice no longer disables the help feature.
  • When two terms with the same text but different case were highlighted, the two were treated as different terms and given different colours. This has been fixed.
  • Sometimes a term would be displayed in the list of highlights at the bottom of the screen, even though it wasn't highlighted anywhere on the screen. This has been fixed.

Miscellaneous

  • FBI Server now looks for a JRE instead of a JDK when starting up.
  • The server is now able to scan for cases and evidence in multiple directories.
  • The server now recursively scans the configured directories, so that cases can be arranged into directories and still be found during the scan.
  • System usernames with unusual characters in them are no longer treated as invalid.

Version 2.5.1 to Version 2.5.2

Extraction

  • Word document properties now contain information about the last ten times the document was saved, both the name of the user who saved it and the location it was saved to.
  • Compressed data is now extracted from GZip compressed files.
  • FBI now scrapes HTML to try to find Hotmail and Yahoo! Mail messages which can be represented as communications.
  • Updated the EXIF metadata extraction library. The new version fixes some bugs and adds support for EXIF 2.2 tags and a few more camera types.
  • Some badly-formed Excel spreadsheets weren't being detected as spreadsheets. These are now detected and processed correctly.
  • Header metadata is now extracted from HTML files.
  • Fixed an infinite loop in HTML processing by updating the responsible third-party library.
  • There was a bug in the third-party library used to index the text which caused it not to index Korean characters. This has been fixed.

Analysis

  • Implemented new search fields "classification", "has-classification", "comment", "has-comment", thus allowing boolean queries against the investigator's annotations. See the Search Fields documentation for more information on these new fields.
  • Plain text lists of words and phrases can now be imported into the application and used as filters.
  • Implemented new search fields "digest-list" and "word-list", thus allowing these filters to work in boolean queries.
  • Added support for importing digest lists in iLook format.
  • Email addresses with different case were sometimes treated as different addresses on the Networks and Event Map viewers.
  • An unexpected error occurred when executing saved searches containing queries or filters over annotations. This has been fixed.
  • When using a communication date filter with either an open start date or an open end date, if the same range was used for two queries in a row, an unexpected error occurred. This has been fixed.

Reporting

  • PNG format is now supported for the Export View action, to allow simpler embedding of exported views in web pages and office documents.
  • CSV exports now properly handle cells which already contain double-quote characters.

Usability

  • The Find action now properly finds dates in tables.
  • International characters were displaying as empty boxes in some locations in the application. These should all be displaying properly now.
  • Some areas in the application would switch to having a plain white background when the Windows theme was changed while the application was still in use. This has been fixed.

Miscellaneous

  • Improved startup time when using server-based licences, by remembering the last licence server used.
  • Migration of cases from pre-FBI 2.2 has been hardened against some common problems that have been seen to occur during migration.
  • The version number of FBI being used is now stamped into the case and evidence files, as well as into the case history.
  • FBI now prohibits opening cases created by a newer version of the software.
  • FBI Desktop now looks for a JRE instead of a JDK when starting up (FBI Server still looks for a JDK.)
  • FBI Server can now be run as a Windows service. See the server documentation for more information.
  • Fixed an issue where occasionally the desktop application would have its server-based licence revoked while performing intensive processing.
  • Fixed an issue where occasionally the desktop application would fail to detect the dongle after coming back from a software suspend (as would happen on a notebook computer.)
  • Fixed an issue where the server would fail the first time after the case location was configured.

Version 2.5.0 to Version 2.5.1

Extraction

  • Implemented a brand new text extractor for Word, Excel and PowerPoint documents. The new text extraction has the following benefits:
    • Dramatic speed improvements for these document types. On typical documents of these types:
      • Word and Excel processing is now around 10 times faster;
      • PowerPoint processing is now around 20 times faster;
    • Microsoft Office is no longer required in order to extract these document types, and Office dialogs will no longer appear for these document types (however, having Office installed can still help with extracting other supported document types such as Microsoft Works documents.)
    • International text in Word and Excel is now processed correctly even if the investigator has chosen not to extract embedded images;
    • Cell formulae in Excel are now processed, both the text of the original formula as well as the resulting cell value;
    • Comments in PowerPoint slide shows are now processed.
  • Added support for some early access versions of Lotus Notes 6.
  • Filenames which contain non-ASCII characters are now handled correctly when added as top-level case evidence.
  • Case metadata (case name, investigator name, etc.) containing non-ASCII characters is now handled correctly.

Reporting

  • When exporting an item with a really long name, export would completely halt. This has been fixed.

Usability

  • The investigator's full name is now used as the default investigator name when creating a new case, if the operating system knows it.

Miscellaneous

  • Tweaked the font used on the item viewer so that CJK characters display correctly on the title.
  • Updated the included JDK to 5.0 Update 6.

Version 2.4.0 to Version 2.5.0

Extraction

  • EXIF and other advanced metadata is now extracted from JPEG files.
  • EnCase image files are now recognised, but not processed.
  • PST, DBX, MBX and MBOX files greater than 2 gigabytes in size were not opened correctly for processing. This has been fixed.

Analysis

  • The Networks screen now allows filtering based on which communication types (direct/indirect/hidden) have been used between each pair of entities.
  • Lists of known digests can now be loaded into the application and used as filters. Lists of digests need to be imported, but import is initially provided for plaintext lists, as well as HashKeeper (HKE+HSH) and NSRL (NSRLFile.txt) formats.

Reporting

  • A copyright notice can now be added to the export reports. GUIDs now appear on all per-item reports, effectively giving the reports unique IDs.
  • Page numbers now appear on all PDF and TIFF reports.

Usability

  • Added a new action to quickly lock and unlock all nodes in the Networks screen.
  • Several networks display modes and actions have moved into a new Networks menu.
  • New Networks display option to disable the truncation of text on nodes, if desired. Truncation is no longer disabled when a node is locked, as it can now be changed globally.
  • Networks display options for nodes and edges are now remembered between sessions.
  • Networks now automatically adjusts the minimum link count filter until the graph shows fewer than the number of nodes configured in the global preferences.
  • Several usability issues were fixed with the New Case wizard, to make it easier to use the wizard entirely with the keyboard.
  • Export preferences are now saved between exports, and between sessions.
  • Launching a file from the item viewer or the browser now results in a warning dialog unless the file is of a known, safe file type.

Miscellaneous

  • Added the ability to use standard DNS to locate the FBI server.
  • Updated the included JDK to 5.0 Update 5.

Version 2.3.0 to Version 2.4.0

Analysis

  • Multiple investigators can now collaborate on a single case if they are working on the same network and a server is running which knows about the case. See the Collaboration section of the documentation for more information.

Reporting

  • Information about containing communications for each item was added to the per-item reports.
  • Memory usage during export has been significantly reduced, allowing much larger export runs to complete without running out of memory (tested to around 1,000,000 exported items.)
  • Per-item export reports done later in an export run would sometimes overwrite earlier reports with the same name, if the binary data files were not written due to a failure or the user simply selecting not to export the binary data. This has been fixed.
  • When exports were performed with binary data, history was being recorded for every data file exported. This was ultimately a waste of database space and has been fixed such that only the start and end event of the export itself are being recorded in the history.
  • Exports where images had the same filename would show the wrong image in only the PDF and the TIFF reports. This has been fixed.

Miscellaneous

  • Log chatter has been cut down significantly during export, to make it easier to find real problems.
  • Memory usage of large cases has been significantly reduced (the improvements apply to new cases.)
  • Cases which had been moved were failing to load binary data for the purpose of export and displaying full images. This has been fixed, and cases can be moved around as was originally possible.
  • Fixed an issue where the USB dongle would get the wrong ID when other USB devices were attached before it. Licencing should now work regardless of the order in which USB devices are attached.
  • Fixed an incompatibility with 2.2.0, 2.2.1 and 2.2.2 cases which was introduced in FBI 2.2.3, where binary content of files could not be obtained.

Version 2.2.0 to Version 2.3.0

Extraction

  • MP3 (audio/mpeg) and Ogg (application/ogg) file formats are now recognised.
  • Outlook MSG (application/vnd.ms-outlook-msg) file format is now recognised and processed.
  • Outlook OST (offline storage files) file format is now recognised and processed.
  • Improved handling of PDF documents which were not well-formed.
  • Additional deleted PST blocks can now be detected, which may allow for the extraction of more deleted PST items.
  • Embedded messages attached to a message in a PST file could not be exported. This now works correctly for new cases.

Analysis

  • Compound cases can now be created, effectively merging the content from multiple loaded cases.

Reporting

  • PNG images were not showing thumbnails in the PDF and TIFF reports. This has been fixed.
  • PDF and TIFF reports would fail if any exported items had a "&" or "<" in the ID. These are now being properly escaped.

Usability

  • Case directories are now represented as leaf nodes in the file chooser, and are thus openable without navigating inside the directory. Case directories will have the FBI case icon displayed on them, to distinguish them from ordinary directories.
  • Cases which are opened from read-only locations now prevent the user from modifying their settings, instead of just throwing errors when the case is saved.
  • The Networks view now zooms out the sizes of the nodes and edges when the graph is zoomed out. This reduces node clutter and makes the zoomed out view more useful for exporting the view.
  • Creating new cases and exports no longer creates an empty directory if the operation is cancelled.

Miscellaneous

  • Two copies of FBI2 can now be run at the same time without fighting over access to log files and temporary files. The log directory now allocates a subdirectory for each invocation of the program, stamped with the time and date at which the process was started.
  • The dongle code now handles device instance IDs which were generated in mixed case instead of the standard uppercase.

Version 2.1.0 to Version 2.2.0

Extraction

  • Text of older revisions in a Word document is now extracted.
  • Evidence belonging to a case can be arranged into groups at the time of creating the case, and a custom name and description can be attached to these groups.
  • Colour depth of images is now stored as a property.
  • The PST extractor has been completely re-written not to use MAPI, but to open PST files in raw binary mode. The improvements over the previous extractor are:
    • Extracted items are not limited to emails, but also include calendar, task, journal, contact and other PST item types.
    • Password protected PST files can now be opened and processed successfully.
    • Both PST 97-2002 and PST 2003 files are handled; both unencrypted files and compressible encryption are supported. High encryption files are not presently handled.
    • Outlook is no longer required to process PST files. Previously, Outlook 2003 was required to process PST 2003 files.
    • All PST item meta-data information is extracted and available for searching.
    • Complete support for embedded messages and OLE attachments (as is the case for the MAPI version).
    • Scanpst is no longer used for extracting deleted content. This is now handled by searching for orphaned block and item tables, and hunting for orphaned PST item blocks. Orphaned PST item blocks are stored under the "Orphaned Items" top-level folder. Slackspace items are restored into their original location.
    • Internationalised content is handled, in both PST 97-2002 and 2003 files.

Analysis

  • The concept of "Flags" was replaced with the concept of "Classifications". Multiple classifications can be selected on a single item of data, and all classifications will appear in the reports.
  • The investigator can now add arbitrary comments to items of data. These comments can then be used as a filter when performing a search, and will appear in all reports.

Reporting

  • Low ASCII (less than 0x20) characters in the text would occasionally make the report generation fail. This has been fixed.

Usability

  • Caching of loaded data is now being used to gain massive performance benefits when viewing full images and exporting data.
  • The viewer now remembers whether the investigator prefers to look at thumbnails, or the full images.
  • The "Recent Cases" menu now automatically cleans out cases which no longer exist.
  • For new cases loaded with 2.2, it is possible to return all items which were identified as deleted content (extracted from slackspace), with the following query: "deleted:1". Currently, this will return deleted emails from PST and DBX mailboxes, and their associated attachments. The "deleted:0" query will return all non-deleted content. The deleted attribute can also be selected as a column in the text table view.
  • For new cases loaded with 2.2, it is possible to return all items which were identified as being encrypted, with the following query: "encrypted:1". This will return encrypted PDF, office documents and PST files. The "encrypted:0" query will return all non-encrypted content. The encrypted attribute can also be selected as a column in the text table view.

Miscellaneous

  • Updated the included JDK to 5.0 Update 4, which fixes a number of crashing issues, and a few minor bugs like errors appearing in the logs when closing a tab.

Version 2.0.0 to Version 2.1.0

Extraction

  • Processing and storage of thumbnails was made optional.
  • De-duplication of loaded data is now possible (and optional.)
  • It is now possible to disable storage and indexing of text content, for cases where only image data is being audited.
  • More file types are now detected:
    • Microsoft Access databases (application/vnd.ms-access);
    • Adobe Photoshop drawings (application/vnd.adobe-photoshop);
    • Microsoft icons (image/ico);
    • WAV sound files (audio/wav);
    • AVI video files (video/avi);
    • MPEG video files (video/mpeg);
    • Microsoft ASF video files (video/vnd.ms-asf);
    • QuickTime video files (video/quicktime);
    • Shockwave Flash animations (application/x-shockwave-flash);
    • GZip compressed files (application/x-gzip);
    • BZip2 compressed files (application/x-bzip2);
    • 7-Zip compressed files (application/x-7z-compressed);
    • Java class files (application/java-class);
    • Microsoft shortcuts (application/vnd.ms-shortcut).
  • File types such as audio and video files, for which extracting text is meaningless, no longer have their text extracted.
  • Performance of text extraction has been greatly improved.
  • Negative date values in Office documents are now omitted.
  • Empty string values in Office documents are now omitted.
  • PST properties have been renamed to be title-cased and prefixed with "Mapi". For example, the PR_MESSAGE_FLAGS property is now Mapi-Message-Flags. This improves readability in both the UI and the exported reports.
  • Extracting an MBOX file was generating two Message-ID headers for the first email in the mailbox; it now generates only the correct header.

Analysis

  • Bulk actions such as exporting and flagging now operate over the selected items, and are now also possible from the Browser tab, the Thumbnails view and the Item view.
  • Searching now supports queries which consist only of "NOT" clauses (e.g. "NOT from:example.com").
  • Searching now supports filtering by communication date.
  • A new Search menu allows searches to be loaded and saved, for re-use across multiple cases.
  • Some search terms (e.g. "advertise") would not highlight correctly in the text and property viewers even though the terms were found. This has been fixed.

Reporting

  • The new History tab details the actions performed on a case. Searches can now be re-executed via the History tab.
  • Printing and exporting the view are now possible from the Statistics tab.
  • Individual reports can now be generated for each exported item.
  • PDF and TIFF reports are now supported in addition to HTML, and multiple formats can be generated for a single export.
  • CSV format is now supported for the summary report.
  • Exports can now be performed without taking copies of the original files, and just generating the reports.
  • Exports can now include duplicates of the exported items as well as the original items themselves.
  • Reports now include any annotations (flags) which were made on an item.
  • Reports now include an optional comment which is entered for each export.
  • Reports now print properties in the same format as the text view table.
  • Exporting into an existing empty directory was failing, and now works as expected.
  • CSV exports now correctly escape cells which contain special characters, and handle empty cells better.
  • An unexpected error occurred when trying to save views to an existing file, or to a nonexistent directory. This has been fixed, and trying to export to nonexistent directories is now detected earlier (and prohibited.)
  • PDF reports displayed hash ("#") symbols in place of any non-Latin characters. This issue has been fixed, but the "Arial Unicode MS" font needs to be installed in order to use non-Latin characters in PDF reports. This font is distributed with recent versions of Microsoft Office, and is also available for download from various web sites.

Usability

  • The checkboxes on the text view were replaced with a more intuitive "selection toggle."
  • Sorting now occurs in a new thread and uses less CPU time. Sorting can now be cancelled by pressing Escape or by changing the sort with the mouse.
  • Sorting now uses a proper Latin text collator when sorting on text columns, which produces more accurate sorting of accented characters ("é" now reliably sorts alongside "e".)
  • Sorting now sorts empty cells last regardless of the sorting order.
  • The item view now shows properties in alphabetical order, and scrolls to the first property with a highlighted match.
  • The item view now shows properties in the same format as the text view table.
  • The popup menu on the browser tree now allows files to be opened with applications other than the system default ("Open With...")
  • The Search tab title now shows the search string which was entered.
  • The Browser tab title now shows the name of the currently-selected item.
  • Default processing settings are now remembered when creating a new case.
  • The application sometimes remained active after the window was closed, and now shuts down correctly.
  • The table would generate errors when displaying or sorting values which were of the wrong type for their column (e.g. strings in a date column.) These values now sort as if the cell is empty, and display as strings.
  • When double-clicking a graph edge in Networks, the resulting title on the search tab was often very long. This title is now correctly truncated.

Miscellaneous

  • Updated the included JDK to 5.0 Update 3, which should improve GUI performance.

© Nuix Pty. Ltd. 2006. All rights reserved.  China Computer Forensics Technology Research Group

Australian Government Endorsed Supplier