Moin! 👋
crush-forensics v0.6.0 is out.
github.com/kalink0/crush-forensics
No dramatic new format support this time, no big UI overhaul. This release is about going deeper, not wider.
Forensic Integrity — Now Tested
One thing that has been on my mind since the start of this project: how do you actually prove that a forensic tool does not touch the evidence?
The answer for crush is now a dedicated forensic test suite: currently 14 tests that verify the tool is safe to run on real evidence. These are not ordinary unit tests. Each one is framed as a forensic property guarantee, grouped into five categories: Source Immutability, No Side Effects, Read-only Media Compatibility, Known-output Verification, and Reproducibility.
Every test run also produces a forensic_audit.html — a self-contained, printable report with SHA-256 hashes of the reference corpus.
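To make the "source immutability", "no side effects" and "reproducibility" properties concrete, here is a small harness of the kind such a suite is built on. It is an added example for this post, not crush's own test suite; the evidence files and the two parsers are constructed, and the tool under test is any callable that takes an evidence directory and returns its output as bytes.

```python
"""Forensic property checks for an evidence-parsing function.

Added example for this post, not crush's own test suite. `tool` is any callable
that takes an evidence directory and returns its output as bytes. The harness
checks three of the five properties: the source is byte-for-byte unchanged after
the run, nothing new appears in watched scratch directories, and repeated runs
give identical output. The sample evidence and both parsers are constructed.
"""
import hashlib
import pathlib
import tempfile
import time


def snapshot(root):
    """Map relative path -> (size, mtime_ns, sha256) for every regular file under root.

    atime is left out on purpose: merely reading a file can bump it on a relatime
    mount, and that is the filesystem's doing, not a write by the tool."""
    root = pathlib.Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return snap


def check_forensic_properties(tool, evidence_dir, watch_dirs=(), runs=2):
    """Run `tool` `runs` times and report which forensic properties held."""
    before = snapshot(evidence_dir)
    watched_before = {d: set(snapshot(d)) for d in watch_dirs}
    output_hashes = [hashlib.sha256(tool(evidence_dir)).hexdigest() for _ in range(runs)]
    after = snapshot(evidence_dir)
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    new_files = sorted(f"{d}/{k}" for d in watch_dirs
                       for k in set(snapshot(d)) - watched_before[d])
    return {
        "source_immutable": not changed,
        "no_side_effects": not new_files,
        "reproducible": len(set(output_hashes)) == 1,
        "changed": changed,
        "new_files": new_files,
        "output_sha256": output_hashes[0],
    }


def good_parser(evidence_dir):
    """Reads every file and returns a deterministic inventory: read-only, no scratch files."""
    lines = [f"{k} {v[2]}" for k, v in sorted(snapshot(evidence_dir).items())]
    return "\n".join(lines).encode()


def make_sloppy_parser(scratch_dir):
    """Constructed 'bad' parser: caches an index next to the evidence, drops a file
    in a scratch directory and stamps its output with wall-clock time."""
    def sloppy_parser(evidence_dir):
        out = good_parser(evidence_dir) + f"\ngenerated {time.time_ns()}".encode()
        pathlib.Path(evidence_dir, ".index").write_bytes(out)
        tempfile.NamedTemporaryFile(prefix="sloppy-", dir=scratch_dir, delete=False).close()
        return out
    return sloppy_parser


def demo():
    """Build constructed evidence, run both parsers against it and return both reports."""
    results = {}
    for name, make_tool in (("good", lambda scratch: good_parser), ("sloppy", make_sloppy_parser)):
        evidence = tempfile.mkdtemp(prefix="evidence-")
        scratch = tempfile.mkdtemp(prefix="scratch-")
        # constructed stand-ins for a database and its WAL companion
        pathlib.Path(evidence, "notes.db").write_bytes(b"SQLite format 3\x00" + b"\x00" * 84)
        pathlib.Path(evidence, "notes.db-wal").write_bytes(b"\x37\x7f\x06\x83" + b"\x00" * 28)
        results[name] = check_forensic_properties(make_tool(scratch), evidence, [scratch])
    return results
```

The report dict is the raw material for something like the audit HTML: the per-file hashes from `snapshot` are exactly what a printable corpus manifest needs. A real suite would also mount the evidence read-only and run the tool against that, which this in-memory harness cannot do by itself.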
SQLite WAL Forensics
The SQLite viewer has been significantly extended in v0.6.0, with a focus on WAL archaeology — recovering data from the Write-Ahead Log that would otherwise be invisible to standard tools.
When a -wal companion is present, crush now shows a full frame inventory classifying every frame as Active, Superseded, Uncommitted, or WAL slack — the last category being salt-mismatch frames from a previous WAL cycle, per Sanderson's terminology. Superseded and uncommitted frames are colour-coded amber and blue so the examiner immediately sees whether overwritten or in-flight data exists.
Enabling the Show WAL history toggle appends rows decoded from non-active frames directly below the live table data, colour-coded, with a row count showing how many additional records were recovered. Double-clicking any WAL frame opens the raw page bytes in the hex viewer.
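The classification above falls out of two fields in every frame header: the salt pair, which must match the WAL header for the frame to belong to the current cycle, and the cumulative checksum, which must chain correctly from the header through every earlier frame. The following is an added example for this post, not crush's code: header layouts and the checksum follow the SQLite file-format documentation, the four labels are the categories named above, and the mapping of edge cases onto them (frames after a checksum break are counted as Uncommitted, since SQLite never replays them) is this example's own choice. The WAL image it works on is constructed in memory.

```python
"""Inventory the frames of a SQLite -wal file.

Added example, not crush's own code. Layouts: 32-byte WAL header, 24-byte frame
header, both big-endian; the checksum's word order depends on the magic number.
"""
import struct

WAL_MAGIC_BE = 0x377F0683      # checksum words are big-endian
WAL_MAGIC_LE = 0x377F0682      # checksum words are little-endian
WAL_HDR_LEN, FRAME_HDR_LEN = 32, 24


def wal_checksum(data, s0=0, s1=0, big_endian=True):
    """SQLite's cumulative WAL checksum over pairs of 32-bit words, mod 2**32."""
    fmt = (">" if big_endian else "<") + "%dI" % (len(data) // 4)
    words = struct.unpack(fmt, data)
    for i in range(0, len(words), 2):
        s0 = (s0 + words[i] + s1) & 0xFFFFFFFF
        s1 = (s1 + words[i + 1] + s0) & 0xFFFFFFFF
    return s0, s1


def build_wal(page_size, salt, frames, big_endian=True):
    """Assemble a WAL image. frames: (page_no, commit_db_pages, page_bytes, stale_salt_or_None)."""
    magic = WAL_MAGIC_BE if big_endian else WAL_MAGIC_LE
    hdr = struct.pack(">6I", magic, 3007000, page_size, 1, salt[0], salt[1])
    s0, s1 = wal_checksum(hdr, big_endian=big_endian)
    out = bytearray(hdr + struct.pack(">2I", s0, s1))
    for page_no, commit, page, stale in frames:
        head = struct.pack(">2I", page_no, commit)
        if stale is None:                       # live cycle: extend the running checksum
            s0, s1 = wal_checksum(head + page, s0, s1, big_endian)
            fsalt, c0, c1 = salt, s0, s1
        else:                                   # leftover of an earlier cycle, its own chain
            fsalt = stale
            c0, c1 = wal_checksum(head + page, 0, 0, big_endian)
        out += head + struct.pack(">4I", fsalt[0], fsalt[1], c0, c1) + page
    return bytes(out)


def classify_wal(wal):
    """Return one dict per frame with page number, raw page bytes and status label."""
    magic, _ver, page_size, _seq, salt1, salt2, h0, h1 = struct.unpack(">8I", wal[:WAL_HDR_LEN])
    big_endian = magic == WAL_MAGIC_BE
    s0, s1 = wal_checksum(wal[:24], big_endian=big_endian)
    chain_ok = (s0, s1) == (h0, h1)             # bad header checksum: nothing is replayable
    frames, off = [], WAL_HDR_LEN
    while off + FRAME_HDR_LEN + page_size <= len(wal):
        page_no, commit, fs1, fs2, c0, c1 = struct.unpack(">6I", wal[off:off + FRAME_HDR_LEN])
        page = wal[off + FRAME_HDR_LEN:off + FRAME_HDR_LEN + page_size]
        salt_ok = (fs1, fs2) == (salt1, salt2)
        valid = False
        if salt_ok and chain_ok:
            e0, e1 = wal_checksum(wal[off:off + 8] + page, s0, s1, big_endian)
            valid = (e0, e1) == (c0, c1)
            s0, s1 = e0, e1
        chain_ok = chain_ok and valid           # SQLite stops replaying at the first bad frame
        frames.append({"offset": off, "page_no": page_no, "commit": commit,
                       "salt_ok": salt_ok, "valid": valid, "page": page})
        off += FRAME_HDR_LEN + page_size
    last_commit = max((i for i, f in enumerate(frames) if f["valid"] and f["commit"]), default=-1)
    newest = {}                                 # page_no -> index of newest committed frame
    for i, f in enumerate(frames[:last_commit + 1]):
        if f["valid"]:
            newest[f["page_no"]] = i
    for i, f in enumerate(frames):
        if not f["salt_ok"]:
            f["status"] = "WAL slack"           # salt from a previous WAL cycle
        elif not f["valid"] or i > last_commit:
            f["status"] = "Uncommitted"         # in flight, or never replayable
        elif newest[f["page_no"]] == i:
            f["status"] = "Active"
        else:
            f["status"] = "Superseded"          # a later committed frame rewrote this page
    return frames


def wal_history(frames):
    """What a 'show history' view would surface: the page bytes of every non-active frame."""
    return [(f["status"], f["page_no"], f["page"]) for f in frames if f["status"] != "Active"]


def sample_wal(big_endian=True):
    """Constructed WAL: two committed transactions, one in-flight frame, one stale frame."""
    pg = lambda tag: tag.ljust(512, b"\x00")
    frames = [
        (1, 2, pg(b"page1 v1"), None),                        # tx1 commits, db is 2 pages
        (2, 0, pg(b"page2 v1"), None),                        # tx2 starts ...
        (1, 2, pg(b"page1 v2"), None),                        # ... and commits; supersedes frame 0
        (3, 0, pg(b"page3 v1"), None),                        # no commit frame follows: in flight
        (2, 2, pg(b"page2 OLD"), (0x11111111, 0x22222222)),   # left over from the previous cycle
    ]
    return build_wal(512, (0xAAAAAAAA, 0xBBBBBBBB), frames, big_endian)
```

Two things worth keeping in mind when reading real WAL files with this: the page bytes returned for a superseded frame are a complete earlier version of that B-tree page, so decoding its cells is what actually recovers overwritten rows, and a single corrupted byte in any frame turns every later frame of the same cycle into something SQLite would never replay, which is exactly why the checksum chain has to be verified rather than just the salt.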
On a practical note: crush now also discovers -wal and -shm companions when a .db file is opened directly from the filesystem — previously these were silently skipped when not opening from inside an archive or folder.
More SQLite Improvements
Beyond WAL forensics, the SQLite viewer gained a number of improvements that make day-to-day examination faster.
Timestamp decoding is now built in: right-click any column header and decode it as Unix seconds, Unix milliseconds, Unix microseconds, Mac Absolute Time, Windows FILETIME, or Chrome/WebKit time — displayed as YYYY-MM-DD HH:MM:SS UTC, with sorting still working correctly on the underlying numeric value.
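The six encodings differ only in epoch and unit, which is easy to get subtly wrong (FILETIME and Chrome/WebKit time share the 1601 epoch but differ by a factor of ten). The decoder below is an added example for this post, not crush's own implementation, and its function and encoding names are this example's own; the epochs are the documented ones: Unix 1970-01-01, Mac Absolute Time 2001-01-01 in seconds, Windows FILETIME 1601-01-01 in 100 ns ticks, Chrome/WebKit 1601-01-01 in microseconds.

```python
"""Timestamp decoders for the six column encodings, for display only.

Added example, not crush's own code. Sorting is done on the raw numeric value;
the decoded string is attached for display, never used as a sort key.
"""
from datetime import datetime, timedelta, timezone

_UNIX = datetime(1970, 1, 1, tzinfo=timezone.utc)
_COCOA = datetime(2001, 1, 1, tzinfo=timezone.utc)     # Mac Absolute Time epoch
_NT = datetime(1601, 1, 1, tzinfo=timezone.utc)        # FILETIME and Chrome/WebKit epoch

# encoding -> (epoch, units per second)
ENCODINGS = {
    "unix_s": (_UNIX, 1), "unix_ms": (_UNIX, 1_000), "unix_us": (_UNIX, 1_000_000),
    "mac_abs": (_COCOA, 1), "filetime": (_NT, 10_000_000), "chrome": (_NT, 1_000_000),
}


def decode_timestamp(value, encoding):
    """'YYYY-MM-DD HH:MM:SS UTC' for a raw column value; None for NULL or out of range.

    Integers are converted exactly; REAL columns (common for Mac Absolute Time,
    which often carries fractional seconds) go through float."""
    if value is None:
        return None
    epoch, ups = ENCODINGS[encoding]
    if isinstance(value, int):
        micros = value * 1_000_000 // ups
    else:
        micros = int(float(value) * 1_000_000 / ups)
    try:
        return (epoch + timedelta(microseconds=micros)).strftime("%Y-%m-%d %H:%M:%S UTC")
    except OverflowError:                       # garbage values, e.g. 0xFFFF... in a FILETIME column
        return None


def decode_column(rows, col, encoding):
    """Rows sorted on the raw numeric value (NULLs last), each paired with its decoded text."""
    ordered = sorted(rows, key=lambda r: (r[col] is None, r[col] if r[col] is not None else 0))
    return [(r, decode_timestamp(r[col], encoding)) for r in ordered]
```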
Two new combo entries give quick access to schema and configuration information: DB Structure lists all tables, views, indexes, and triggers with their definitions; DB Info shows 28 PRAGMA settings with decoded values and descriptions. Database views are now browsable like tables. The SQL bar now accepts PRAGMA statements, shows syntax highlighting, and supports running only a highlighted selection — useful for stepping through a complex query piece by piece.
Paste & Decode
A small but useful addition: Tools → Paste & Decode… lets you paste raw hex, base64, or plain text and open it immediately in any supported viewer — without saving anything to disk. If you have been copying BLOB values out of a hex editor or a network capture and opening temporary files just to inspect them, this should save a few steps.
Export as .logarchive
iOS diagnostics nodes now have an "Export as .logarchive…" right-click action. crush assembles the correct logarchive layout — diagnostics tree plus the uuidtext/ sibling — and copies the result to a location of your choice. The output is a standard .logarchive folder that can be opened directly in Console.app or processed with the log CLI. As I do not have a Mac test system, this functionality isn't tested yet.
Parallel Unified Log Conversion
Multi-Log Studio now splits large logarchives across multiple unifiedlog_iterator processes — one per physical core by default — and streams entries into the viewer as each chunk finishes. On a typical 200 MB acquisition this gives roughly a 25% reduction in wall time. Unified Log support is still alpha, and there is more work ahead, but it is moving in the right direction.
File Format Database
All entries in the built-in file format database have been reviewed and refined — descriptions improved, forensic context expanded, reference URLs added. Five new formats were added: Apple Keychain, Android Keystore, iOS Backup (iTunes/Finder), Windows Prefetch, and Gzip.
What's Next
The SQLite viewer is the first to receive this level of dedicated depth and tooling — and it won't be the last. The plan is to work through all parsers and viewers systematically, one at a time, done properly. A dedicated deep-dive post on the SQLite viewer is also in the works, with the same planned for other parsers and viewers down the line.
As always: feedback, issues, and pull requests are welcome on GitHub.
Just keep swimming. 🐢