Release Notes 
=============

Detailed description of changes is available in the CHANGES.current and
CHANGES files. The summary below just contains a brief overview of the changes
made in each release.

DFF-1.2.0 summary:

Features:
---------

  User Interfaces:
  ----------------

* Batch script : It is now possible to provide batch script directly as a 
parameter when invoking dff.py using the switch "-b" followed by the local file 
containing commands. This functionality uses the "batch" module.

* Filter : To enable finding and filtering abilities through the GUI, a 
dedicated interface has been developed to ease the creation of queries. Most 
useful filters are provided, and it is also possible to query extended 
attributes.

* Preview : A new widget providing a graphical representation of the currently 
selected node. When a node is selected, this widget automatically selects the 
most appropriate viewer. Pictures, text, html and video files are currently 
supported. If there's no available viewer, the hexadecimal viewer will be used.
If you create or add any other viewer associated with a different file type, it
will be automatically used by the widget.

* Attributes pane : When double clicking on an attribute in the tree of 
Attributes pane, a popup is displayed, allowing to copy the argument.

* Module Browser : A new widget has been developed to provide a new way to 
browse, view and apply modules.

* Task manager widget : When double-clicking on a module in the task manager,
the output is now provided in a dedicated tab.

  Modules:
  --------

* Web viewer : This graphical module renders web pages and tries to reconstruct 
them, if corresponding linked image or css file are found in the dump. 
Currently, navigation between local files is disabled in order to forbid 
external browsing. For security reasons, JavaScript is also disabled by default.

* Find : This shell module gives the ability to search and filter directly in 
the console. As required arguments, it takes a query and the node from
where the search will start. In order to have a human readable representation of
the query, a string describing the filter has to be provided. As optional 
arguments, 'save_result' option will automatically create links to matched nodes
. By default, matches are not displayed but this can be enabled by providing the
"verbose" switch.

* Batch scripting : Reads a local file which contains DFF commands (one per 
line) and execute them. It also accepts comments using the '#' character. 
This module eases tests and developments by avoiding recurrent operation like 
choosing, configuring and launching a module and provides to users a way to 
automatize some tasks.

* Partition : 
  - Add creation of unallocated areas in a dedicated folder. 
  - Two new arguments: 
    * sector size (to manage 4k sectors for example)
    * start offset of the MBR. 
  - Results of the module has been enhanced to provide all unallocated 
    spaces information. 
  - Attributes of created nodes provide more detailed information.

* Fatfs : Fatfs module has been enhanced to support more forensics features. 
  - Module now creates several nodes representing:
    * reserved sectors
    * unallocated space (based on the first FAT cluster status)
    * filesystem slack space (size of the underlying file minus total 
      sectors found in the boot sector).
  - The generated tree has also been enhanced so as to base the name of 
    the entry node (root of the module) on the volume label (if not present, 
    NONAME is used).
  - All FATs (even if there are 5 FATs) are also created as nodes with 
    their own attributes (allocated and free clusters). This enables to quickly
    define if there are differences between FATs, based on their clusters 
    status, by comparing their md5 hash, or by using the 'diff' module. 
  - The module now provides its progression.

* EWF : The ewf module has been rewritten to support the v2 API of the library 
developed by Joachim Metz (libewf).


* AFF : The module now supports afflib before version 3.6.11. Version is 
obtained during the build process and provided to the preprocessor.


  Build:
  ------

* All dependencies are now correctly checked before starting compilation. 
Dedicated CMake modules have been created to find bfio, pff, ewf, afflib and 
tre libraries. If not found, related modules won't be compiled. This permits to
compile DFF even if dependencies are not installed. On Windows platforms, 
version of the compiler is better managed to include the right headers.

  API:
  ----

* Datatypes : Code in charge of magic library is now fully developed in C++ 
resulting in faster processing.

* UID Object System : This release has been the occasion to associate unique 
identifier to some objects of the API. Currently it only concerns fso and nodes
objects. This also let you obtain fso and nodes by their ID at run time.

* FSO : 
  - Each fso objects are linked together in a tree way. It is possible to know
    dependencies between modules in charge of the creation of node.
  - Add a new method to obtain a Node from its id 
  - Add a new methode to have access to all created nodes as a list.

* Node : All attributes methods of Node have been refactored and are faster.
  - Add a new  method which return its extension if available. 
  - Testing compatibility with a module has been extended by checking the 
    extension besides its type. Indeed, sometimes, it was not accurate to only
    rely on results provided by magic to auto detect compatible modules. 
    For example, VmWare configuration files are detected as text by magic.

* VFS : 
  - Now have an UID Object System. 
  - New method to obtain fso by their ids. 
  - New method to obtain nodes by their ids.
  - New method to access all applied modules of type fso. 
  - All orphaned nodes (nodes which don't have a related fso), are also managed
    by the VFS.

* Search : Search API has been totally rewritten in an object oriented way, 
using TRE library.
  - Search objects provide methods to set pattern syntax:
    * fixed
    * wildcard 
    * approximate (use TRE library)
    * regexp patterns (use TRE library)
  - Search are faster and relies on a modified version of fastsearch 
    functions implemented in Python (BoyerMoore + Bloom filters).

* Filter : As mentioned, the main feature of this release is filtering 
capability. It has been directly implemented in the API to provide Filter object
  - Several methods enable to set the query, to compile it and return matching
    nodes. Filter objects are "event aware" in order to give the possibility to
    stop the process but also to inform about progression and the number of 
    matched nodes.
  - It is possible to apply a query recursively or only in one folder.

* VFile : Objects are compliant with the new search API but is still 
compatible with the old one. 
  - Extends their ability by matching patterns based on :
    * regular expressions 
    * approximate search strings.
  - VFile is also "event aware" meaning that it could receive external 
    message to stop heavy processing such as searches.

* ConfigManager : Provides a way to unregister configuration
of modules at run time. It is mostly used by the loader when a module is 
reloaded.

* VTime : 
  - Comparison operators have been implemented in vtime
  - Can be now created with a string as parameter or a timestamps
  - Timestamps can be Unix or Microsoft based (64 bits) allowing auto 
    conversion.

* Loader : 
  - When a module can not be loaded properly, traceback is saved and 
    encountered errors are summed up at the end of loading. 
  - Unregisters the configuration of the module if this one is reloaded 
    at run time.

* Mimetree : A new object is provided to extract mime types from compiled magic 
file (version 7 and 8 are managed). The result is a two level tree containing 
main categories (such as images) and at the second level subcategories (such as 
jpeg).


Bug Fixes :
-----------

  GUI:
  ----

* Interpreter :  When huge processing were done in the GUI interpreter, it 
froze the whole interface. Execution of Python code is now done in a dedicated 
thread and edition is disabled until thread has finished.

* Attributes column selector : In some cases, the selection of attributes to be
added as column could lead to crashes. This bug has been fixed but this part has
to be improved since it currently only provides attributes selection based on 
the first node found.

* Evidence dialog : Resizing the dialog was not properly handled resulting in 
inappropriate widgets size.

* Taskmanager : there was a typo error which led to the unavailability of the 
results of modules

* Menu : Opening folders in a new tab did not work properly.

  Modules:
  --------

* NTFS : 
  - Add a NULL pointer check forgotten prior to MFT entry header validation 
  - Fixes an integer overflow in attributes analysis. This second fix adjusts
    regular items detected as deleted ones.

* Carver :
   - Previous version of the carver worked with wildcard but this feature has
     been temporary disabled because there was a bug in the old search API. 
   - The module is currently rewritten to be compliant with the new search API
     and to provide more accurate results.

* Load : Arguments were not properly obtained because they differ from those 
defined in the configuration resulting in errors when using the module.

* Viewer Hexadecimal : 
  - Slider operations are now implemented in pixel and string view
  - It's now possible to trigger the cursor or its area to navigate within the
    page view.
  - QGraphicsView is now instantiated with parent widget 

* Hash : When several hash algorithms were provided, they were processed in 
serial way. They are now processed in parallel, digests are updated for each 
read buffer.

* Partition : 
  - Fix an overflow with total_blocks resulting in bad size settings. 
  - FileMapping are better handled and manages odd cases such as file having
    less sectors than defined in partition entry.

* Player : Fixes a bug based on phonon when opening multiple audio source. It 
seems Phonon can only handle one audio stream at a time.

  API:
  ----

* Attributes : Fixes memory leak due to ownership of objects return from the API
to Python.

* DataType : Fixes multi-thread concurrent access crash by locking in the right 
places.
