Artifacts
- AirDrop | macOS: Added support for recovering available recipients, including contacts and nearby users.
- Chrome | All platforms: Updated support to recover information about Chrome Extensions from additional locations.
- Facebook Messenger | iOS: Groups now list sender names instead of IDs.
- Firefox | Windows: Updated support for recovering favicons.
- GroupMe | Android: Added support for groups, accounts and contacts. [5.40.3]
- GroupMe | iOS: Added support for accounts, groups, messages, and contacts. [5.35.1]
- Installed Applications | iOS: Added support for displaying version number and the install date. [iOS 10]
- KnowledgeC | iOS: Added support for reporting when a device is locked or unlocked.
- McAfee | Windows: Added support to pull A/V logs from McAfee anti-virus providers.
- Notes | iOS: Added support for parsing embedded attachments from notes. [iOS 13]
- Pictures | All platforms: Picture artifacts that had incorrect or missing extensions can now be parsed (previously, these pictures were always carved). This allows the artifact to retain date/timestamps, file paths, and previews in the Artifacts explorer.
- Prefetch Files | Windows: Added support for recovering application paths. [Windows 10-XP]
- Prefetch Files | Windows: Prefetch artifacts that are parsed are now displayed as such (previously, all were labeled as being carved).
- Recycle Bin | Windows: Added parsing support for items recovered from $RECYCLE.BIN.
- ScreenTime | iOS: Added support for recovering visited domains.
- Signal | iOS: Updated support to recover the sender ID. [2.43.3.1]
- Skype | iOS: Updated support for recovering contacts and group chats in the latest versions. [8.53.102]
- TextFree | Android: Updated support to retrieve group and attachment information. [8.53.1+]
- TextNow | Android: Updated support to recover attachments in chats and calls, including pictures, videos and voicemail. [6.49.0.1]
- Tinder | iOS: Updated support to retrieve information on all matches and viewed users. [11.1.1]
- Tumblr | Android: Added parsing support for blogs and tags. [10.0]
- Tumblr | Android: Added parsing support for chat messages. [14.8]
- Unified Logs | iOS: Added support for recovering the unified logs on iOS.
- Updated artifact keychain regex to process any keychain ending in “.plist” and with “keychain” in the name, regardless of case. Also added custom hit validation for both general and internet passwords.
- VK | Android: Updated parsing support for recovering messages and user information. [5.47]
- VK | iOS: Updated parsing support for recovering messages and user information. [5.47]
- WickrMe | iOS: Added support for passcode-based decryption.
- Windows Defender | Windows: Added support for recovering logs that contain lists of files that triggered (or didn’t trigger) antivirus filters.
- Yahoo | iOS: Updated support for webmail messages. [6.0.8+]
Bug fixes
- In the KnowledgeC Application Activities artifact for iOS, some activity descriptions, types, and URLs were not being displayed. -MA-1345
- In the KnowledgeC Application Intents artifact for iOS, bundle IDs were not being displayed. -MA-1346
- In unallocated space, the end of some pictures wasn’t being detected due to the picture metadata. -COMP-694
- The DHCP Server fragment in the Operating System Information artifact was labelled incorrectly. The fragment has been renamed to DHCP DNS Server(s) to more accurately describe its contents. -COMP-617
- The User Account artifact for Windows indicated that accounts are password protected even when they’re not. -COMP-176
- Using GroupMe Accounts for Android, the login timestamp changed if the user switched over to another account. -MA-1421
- When parsing group FaceTime data from the call log database, the user’s location of recovery was not displayed. [iOS 13] -MA-1295
- When searching a zipped filesystem on macOS 10.13 and 10.14, deleted account and identifier hits were lost. -COMP-637
- When using AirDrop for macOS, hits were lost when attempting large outgoing transfers. -COMP-627
- With macOS version 10.11, login history entries from the previous year were displaying the current year. -COMP-682