IsoBuster 3.6 Beta Released!

June 2, 2015

After an extensive development cycle with lots of coding and testing, I'm proud to announce a new IsoBuster version. IsoBuster 3.6 continues to detect new and various file systems, so that investigators can quickly decide how to continue. Furthermore, the EXT file system has been fully implemented: all files and folders are shown, and extraction, finding lost files and folders, etc. are supported. EXT is probably the most popular Linux file system and it is also used a lot in embedded systems such as TVs, NAS drives, set-top boxes, media players and the like. IsoBuster now also fully supports parsing Rimage-made optical discs with a manifest file, so that you don't need to run Rimage software to decrypt encrypted files (provided you know the password). But that's not all: there is also support for GameCube, Atari, High Sierra and a ton of other improvements, not to mention a few bug fixes as well. Give it a try and let us know if you run into issues.

Here's a list of all the goodies:

Changes / New:

  • Support for the Linux EXT file system
  • Support for Rimage mastered CD/DVD discs with manifest file
  • Support for Nintendo GameCube file system
  • Support for GEMDOS / Atari ST FAT12-16 variant
  • Support for High Sierra on CD-ROM (the predecessor to ISO9660)
  • Implemented internal device caching, especially used during file system recognition. Many file systems start from similar addresses. Caching avoids having to re-read blocks for every file system that is checked
  • Detect if the Nintendo Wii file system is present and show an icon for it (*)
  • Detect if the Linux RomFS file system is present and show an icon for it (*)
  • Detect if the Unix/Linux JFS file system is present and show an icon for it (*)
  • Detect if the Unix/Linux ZFS file system is present and show an icon for it (*)
  • Detect if the Unix/Linux Minix file system is present and show an icon for it (*)
  • Detect if the Linux BtrFS file system is present and show an icon for it (*)
  • Detect if the Linux SquashFS file system is present and show an icon for it (*)
  • Detect if the Linux CramFS file system is present and show an icon for it (*)
  • Detect if the Linux BeFS (BFS) file system is present and show an icon for it (*)
  • Detect if the Microsoft ReFS file system is present and show an icon for it (*)
  • New and much faster way to find deleted files and folders in an NTFS file system

(*) Full exploration of this file system is not implemented but now an investigator can see if it is present

Improvements:

  • Extra tests to make sure a child folder doesn't have subfolders that are a parent folder, creating circular links, in buggy or recovered file systems
  • Added a 'Paranoid mode' when creating managed IBP/IBQ image files, to make sure all data is flushed to the destination without system caching, and structures are updated regularly
  • Allow completing a managed image file from media of which the layout doesn't fully match, but the risk is manageable [Professional]
  • Allow completing a managed image file from another non-managed image file [Professional]
  • Improved speed when updating the IBP managed image file
  • Added various extraction type switches via the command line: /ET: A, IBP, WAV, RAW, R2U, RUN, DLL
  • Added new file system switches via the command line: /EF: see the various newly implemented file systems
  • Added Pinnacle Studio mastered DVDs to the IFO/VOB recognition sequence ("PCLE UDFLib")
  • Added ability (via right mouse click) to see the properties-window-text as text in a memo field (for easy copy and paste)
  • Support for underscores in function names in the libewf.dll, so that Borland bcc32 built dlls can be used as well
  • Always display FileName:StreamName, with or without [ADS] appended, for NTFS Alternate Data Streams
  • Removed registration dialog nag when doing a surface scan on BD media
  • Improvements in the Extract From-To functionality, dialog and warnings
  • Make sure testing for encrypted partitions only happens once, not every time the visual node is created (e.g. when switching devices in GUI)
  • Do not read extra blocks to test for partition encryption if there are enough cached blocks
  • Updated the 'Agent' string when doing an online query, to check for a new version, to be more compatible with modern servers and systems
  • Reverse the order of AVDP parsing, LBA 512 first rather than 256 first, in case of a CeQuadrat made UDF disc, to deal with CeQuadrat UDF bugs
  • Get the proper volume name for CeQuadrat made UDF CD-R discs
  • After an image file has been made, save its filename to the recently opened image files, so that it can be opened immediately from the recent image files' list
  • Improved .GI image file interpretation, specifically improvements in finding the header size
  • Show files and folders with the System property in another color
  • Show special files, file entries that are not used in the classical way by Unix/Linux file systems, in another color
  • Show Windows overlay icons and add the shortcut overlay icon to EXT symbolic link files
  • Added checkbox to options to uncheck using CD-Text in filenames, when audio tracks are extracted
  • The file-exists dialog now also allows auto-renaming a file, instead of overwriting or ignoring the file (non-Windows file systems allow duplicate but case-sensitive names in the same folder)
  • New dialog to auto-rename filenames that are illegal in Windows but OK in other non-Windows file systems
  • Auto-rename folders, during extraction, when they contain illegal Windows-filename characters or a Windows-reserved file/folder name
  • Show Endianness in UFS, XFS, ISO and SquashFS and other file system properties
  • Improvements in drag&drop functionality and the use of the temporary folder. Better clean-up afterwards
  • Possibility to always get the RETRY SELECT ABORT error dialog (instead of RETRY OMIT ABORT) on file extraction
  • Various improvements, changes and rewrites in the core code / engine, as this is a living project and to deal with the ever-growing new functionality
  • Various GUI improvements

Fixes:

  • Fixed GUI issue that caused incorrect values to be displayed in certain error messages
  • Fixed possible hang when EWF image files are loaded
  • Fixed that sometimes the sanitizing part after finding missing files and folders on a FAT volume could take 'forever', due to bad FAT records
  • Fixed data-corruption issue, introduced in 3.5, while extracting files with more than 10 extents (fragments would be extracted in the wrong order)
  • Fixed it so that when an IBP/IBQ is made twice in a row from the same media (without a refresh) the bitmap is still fully written out to the IBP
  • Avoid exception error on bad IBP without (enough) bitmap data (rare test case)
  • Fixed extraction of named streams of an NTFS folder (not file)

Download this version here.

Peter Van Hove,
Founder and CEO