New features include:I can personally attest to the benefits of the tsk_loaddb tool. It very quickly creates a sqlite database containing file system metadata for each volume in the forensic image. The database can be queried for any data sought in a fraction of the time it takes to read a file system itself.
• New tsk_recover tool that extracts files from an image to a local directory.
• New tsk_loaddb tool that dumps file system metadata to SQLite database.
• New tsk_getimes tool that collects MAC time data on all file systems (equivalent to fls -m on a series of volumes)
• New tsk_comparedir tool that compares a directory to an image to detect rootkits.
• New C++ TskAuto class that makes it easier to create automated tools that analyze all files.
• Name cleanup out of libraries and into tools.
• img_cat -e and -s flags.
• Changed how default NTFS $Data attribute is named.
• HFS+ Case sensitive flag in fsstat.
Bug fixes include:
• FAT performance
• Crash fix for corrupt NTFS file
• Adding attribute runs on fragmented files with multiple attributes of the same type.
A knowledge of basic sqlite commands is essential to take advantage of the database, but with that knowledge, it is quite easy to script tools for your use. For example, I wrote a shell script that reads the database and automatically mounts all the partitions read-only for quick evaluation. This, of course, is only one small way that data can be used.
For a concise overview of all the tools that TSK has to offer, take a look at the wiki located here.