BFIP Changelog

2/29/2024 BFIP-V5.1 Release

Breakpoint Processing Engine:

    • Disabled logging of deleted file entry renames during normal parsing of file-systems; these entries are now only written to the log if verbose messaging is enabled. This will significantly reduce the file size of the baseline BFIP log file and improve processing speed.


General Improvements:

    • Added explicit fields for either Create New Case or Add to Existing Case to limit confusion or error when using prior unified section.
    • Added dynamically updating ‘Current Working Case File’
    • Various Minor UI Adjustments
    • Added check at beginning of full carve and import process to see if an additional instance of Griffeye is already running with warning to close before proceeding.

Griffeye Import Options:

    • Added support for new Griffeye EXIF AI Detector Plugin
    • Added support for new Thorn CSAM Classifier

Lace Carving Options:

    • Added controls for Lace ‘Shadow Copy Limit’
    • Added controls for Lace ‘CPU Count’

BFIP API-Mode:

    • Updates to API-Mode UI to unify with recent changes to normal BFIP UI.
    • Resolved bug where verbose messaging defaulted to True when not specified in API call.
    • Documentation Updated


1/26/2024 BFIP-V5.0 Release

Breakpoint Processing Engine:

    • Enhancements:
      • New Feature! APFS Snapshots now supported for recovery of additional historic/deleted files not present in current APFS file-system.
      • Updates to JSON libraries for improvements in JSON write speeds.
      • Updated TSK libraries to 4.12.1
    • Fixes:
      • Resolved issue where the MD5 value was incorrectly written to JSON for allocated files, showing a ‘0’ value.
    • JSON Updates:
      • Unused MD5 field completely stripped from Unallocated JSON for cleaner output.
      • Update to path displayed for Single Volume disks containing no partition tables, so the root folder structure now begins immediately after the sourceID in the folder path view in Griffeye.
      • Update to ‘FilePath’ field stripping ‘FileName’ from end of this string. Eliminates each individual file showing in ‘Folders’ view in Griffeye and ensures filenames and file paths are displayed consistently with native Griffeye import engines.

General Improvements:

    • Big visual refresh
    • Large rework of UI and Case Processing setup flow.
    • Legacy ‘Basic Mode’ radials for processing modes deprecated.
    • Advanced Source Setup renamed and now default workflow for adding sources and designating processing mode selection.
    • Improvements to Case File/Path Selection process and logic to address issues caused when users created multiple levels of folders with identical names.
    • New auto-update check API added. BFIP will now query breakpointforensics.com to see if a new version is available and offer to download the update if available. (Can also be triggered from ‘right-click’ menu.)
    • Improved support for multi-monitor environments.  Secondary settings windows now check for current location of main program window and will open to same position as main window.

11/04/2023 BFIP-V4.4.1 Release

  • Fixes:
    • Resolved exception that could occur with Griffeye CLI commands resulting in ‘ERROR: Unrecognized command or argument’, related to a conflict with the user-entered Griffeye case path.
    • Resolved issue identified with VICs JSONs generated from Axiom that could cause JSON validation to fail when BFIP searched for valid JSONs to add to import queue.

10/17/2023 BFIP-V4.4 Release

  • General Improvements:
    • Adjustment to minor UI elements for better user experience.
    • Further cleanup of messaging under non-verbose mode.
    • Lots of additional minor fixes and cleanups.
  • Breakpoint Processing Engine Enhancements:
    • Added ability to now have Allocated and Flagged Deleted Files recovered natively with Breakpoint processing Engine rather than relying on Griffeye for non-carved content. Allows for complete replacement of native Griffeye File recovery engine.
    • Improved Logic for how forensic images with multiple partitions of content are handled for more reliable data recovery.
    • Improved speed of Active File recovery and APFS file recovery.
    • Massive reduction in generation time for JSON file for allocated files across all file-systems including APFS file carving.
    • Added option to force full carving of an APFS pool to recover additional files.
    • Reduced Timeout Wait period for archive unpacking from 15 minutes to 4 minutes before determining archive corrupt/invalid and moving on.
    • Updated thread status section in UI to allow wrapping of long status entries across two lines.
    • Updated various file system and image parsing libraries.
  • Breakpoint Processing Engine Fixes:
    • Resolved Bug where ‘allocated’ pdf files may be skipped in APFS file extraction.
    • Resolved potential crash in recovery of allocated files and APFS process when encountering illegal characters.
    • Improvements to progress meters for extraction of allocated files to avoid confusing regression of calculation at times.

3/1/2023 BFIP-V4.3.1 Release

  • General Improvements:
    • New Advanced Source Configuration Menu/Workflow
      • Allows for highly granular control of Source ID names and the use of various Processing Modes all in a single run. For example, say you have 3 forensics images but want to do different levels of processing on them. Now you can use Lace for Item 1, use Breakpoint Processing Engine for Item 2, and just do a Standard Import for Item 3, or any combination of these.
    • New Advanced workflow queue status indicator.
    • Refreshed UI and minor reorganization to several UI elements for better user experience.
    • Brand new per thread status section in UI providing detailed per source status when conducting Hyper-Carves of several sources.
    • Lots of additional minor fixes and cleanups.
    • Initial Code for Breakpoint Processing Engine API-Mode Implementation
  • Breakpoint Processing Engine Enhancements:
    • Reduced Timeout Wait period for archive unpacking from 15 minutes to 4 minutes before determining archive corrupt/invalid and moving on.
    • New validation process for located JSON files that attempts to open JSON and checks for ProjectVIC header string before adding to import queue.
    • 7Zip Libraries updated to 22.01
  • Breakpoint Processing Engine Fixes:
    • Removed Source ID Prefix from File Path field in generated JSON to eliminate Double Source ID values in newer versions of Griffeye.
    • Mitigation for PhotoRec failing to parse some Android-based physical images correctly, resulting in multiple duplicate whole disk carves.
    • Fix to prevent attempted duplicate Standard Import of APFS images that have already been processed with BPE APFS Processor.
  • Known Issues:
    • Griffeye CLI Bug: Enabling/Disabling Griffeye Brain Plugins via CLI and Griffeye Config JSON is not consistently respected as of Analyze DI 22.3.1. Griffeye has replicated this issue and it is queued for a fix in a future release.

11/14/2022 BFIP4Griffeye-V4.2.1 Release

  • Breakpoint Processing Engine Enhancements:
    • Initial Support for parsing APFS (Apple File System) images entirely within the BFIP ‘Breakpoint Processing Engine’.
      *FileVault encryption not supported in initial release.*
      *APFS Snapshots not supported in initial release.*
    • APFS support includes recovery of images, videos, documents, pdf, and archives (zip, rar, 7z, and dmg).
      *Extracting embedded media from archives requires ‘Extract from Compressed Archives’ to be enabled in Griffeye Import Settings.*
    • Numerous enhancements to disk analysis modules around new APFS support and identification of Pool Volumes.
    • Enhancements to VICS JSON Builder around APFS support.
    • Improvements to progress indicators during file recovery.
    • PhotoRec carving of ‘Unallocated’ now skipped if partition is identified as APFS Pool, and now leverages new APFS file recovery module instead since APFS containers do not contain ‘Unallocated’ space.
  • Breakpoint Processing Engine Fixes:
    • Resolved: Nikon .NEF files failed to be added to VICS JSON. 
  • General Improvements:
    • Improved efficiency when adding additional sources to existing case.  When running full import process an initial check is conducted to see if an existing Griffeye (.ANCF) file can be located in the designated Case Name/Location field.  If an existing .case file is present, it will skip calling the Case Initializer process, and immediately start next carving/import process.
    • Cleanup of lots of extraneous status and debugging messages in output console with many moved to new ‘Verbose Messaging’ mode.
    • Cleanup of logs generated under the ‘BPE Carved Files/[sourceID]’ folders.  Source specific logs are no longer stored in the root of the sources folder, and have been moved to a new subfolder titled ‘Logs’.
    • Adjustment to size validation checks to avoid attempts to import pictures that have been given a ‘bin’ extension (often found in Cellebrite VICS exports) as possible forensic images.
  • Advanced Settings:
    • New ‘Verbose Messaging’ toggle, (off by default).  Enables verbose/debug messaging in console and additional logging. 

8/26/2022 BFIP4Griffeye-V4.1.2 Release

+General

-Adjustment to how initial startup messages are handled that increases overall platform stability.

+Breakpoint Processing Engine

-Adjustment to how maximum number of carving threads is computed and allotted to the thread pool.

+JSON Creation

-Added additional exception handling and logging on a per media entry basis to increase stability and prevent entire Json build from failing if a problematic file is encountered.
-Additional Code Cleanup.

7/02/2022 BFIP4Griffeye-V4.1 Release

+Breakpoint Processing Engine

-Minor adjustment/fix to post-carve folder merge procedure to address possible error relating to duplicate files in target location that could occur in rare situations.

6/29/2022 BFIP4Griffeye-V4.1 Release

+Breakpoint Processing Engine

-Hotfix for bug in partition analysis function that could result in partition slot numbers being skipped on some MBR formatted drives.

+General
-Start and Carve Buttons will now be disabled while any carving/processing functions are actively running to eliminate accidental activation and processing conflicts.

6/14/2022 BFIP4Griffeye-V4 RC2 Release

+Case Setup
-Resolved issue when selecting existing case file to add to that resulted in duplicate case file being created.

+Forensic Image Locate Function
– Added size check for files with supported forensic image function to avoid adding invalid files that also contain a forensic image extension to the case. Currently skips forensic images under 5MB.

+Lace
– Added forensic image support for aa, aff, smart, and vmdk

+Breakpoint Processing Engine
-Adjustment to JSON builder code to address a conflict that could occur when building several JSONs with Hypercarve enabled.

-Carved files and JSON output parent folder renamed to ‘BPE Carved Files’

-Minor code cleanup

+Archive Unpacker

– Unpacking can get stuck sometimes if a carved/recovered archive is particularly corrupted. Added timeout for single archive extraction of max 30 minutes. If single archive extraction exceeds timeout, BFIP will terminate current archive extraction attempt, log the termination and problem file, and move to next.

+General
-Right Click ‘Help’ function added/changed that now directs to online support request/ticket page.

-Added confirmation prompt for window close/quit events to avoid accidentally closing program.

Prior Releases:

5/24/2022

+Added Right Click Menu with Cut, Copy, Paste Available in input boxes

+Integrated User Manual

+Addition of Breakpoint Processing Engine
– Conducts an intelligent Disk Analysis first and identifies each unique partition and filesystem type. Then conducts individual PhotoRec passes for each partition.

– Passes recovered data to custom JSON generator to build out JSON containing notable metadata and fields (e.g. Physical Location, Unallocated Status, etc.)

– Conducts final imports of carved data (using JSON method), and Standard Griffeye Import directly from forensic image, including Flagged Deleted.

– Ability to select from 4 categories to carve from (images, videos, documents, archives) in new ‘Breakpoint Carving Options’ menu.

+Hypercarve added to Breakpoint Processing Engine
-Allows for Parallel Carving Processes
-Added slider to set the number of threads available to Hypercarver

+New Module added in Breakpoint Processing Engine to Unpack Carved Archives
-Utilizes 7za binary.
-Currently looks for RAR, ZIP, and 7ZIP Archives to unpack.
-Enabled in ‘Breakpoint Carving Options’ Menu by Checking ‘Archives’ under ‘Unpack Embedded Files’
-Unpacked Embedded media files are then also added to VICS JSON for later import.

+Major UI Overhaul and Rework of Menus
– Output Console Now auto expands when BFIP is maximized and allows several more lines to be viewable.

– Addition of new ‘Griffeye Import Settings’ menu. Exposes some of the more common Griffeye settings you may want to adjust, and limits/eliminates prior need to use ‘Custom Import Settings’ JSON to adjust processing options.

– Addition of several tooltips to elements (more to come)

– New Menus

– Layout Overhaul

– Ability to now just conduct the Carve and JSON creation phase using ‘Carve Only’ Button. Does everything except passing final JSON and forensic images to Griffeye.

– Additional UI Scaling Adjustments to allow for universal element scaling depending on user’s resolution and Windows scaling settings.

+Combined CaseID and Output Path File Dialogue boxes into single action to provide clearer visibility into where file will be saved and easier selection of existing case file when adding additional sources.

+Bug Fixes and Minor Changes
– Logs now managed on per-day basis and kept in Log folder.

– New Button in main UI to jump straight to logs.

– Addition of processing time stats

– Additional minor adjustments, UI and code cleanup

2/26/2022 — Version 3.4b1

-Fix for Processing Engine Path

-Rework Advanced Settings Menu to add Processing Engine Override

2/24/2022 — Version 3.4b

-Initial Public Release