BitCurator Environment Releases


This page details the current release. Looking for past releases? Visit the BitCurator_Environment_Release_History page.

The BitCurator environment uses open source and public domain digital forensics, data triage, and metadata processing tools. Software developed by the BitCurator team is licensed under the GNU General Public License Version 3. Other software included in the BitCurator environment may be covered by other open source licenses and attribution terms.

If you can't find the information about the BitCurator software you need on this page, check our FAQ or join the BitCurator Users listserv.

Current Release: 1.8.16 (January 26th, 2018)

The default username ("bcadmin") and password ("bcadmin") are the same for both the Virtual Machine and the Live CD. You must change the password when deploying BitCurator on a dedicated host!

Virtual Machine

BitCurator Virtual Machine (Release 1.8.16)

This file is approximately 2.7GB. You can find directions on how to install the BitCurator virtual machine using Oracle's virtualization software VirtualBox here. If you wish to create your own virtual machine, or create a VM for another virtualization platform, please use the ISO installation media below.

Installation ISO CD/DVD Image

BitCurator ISO (Release 1.8.16)

The BitCurator ISO image is a customized version of Ubuntu Linux 16.04.3 LTS (64-bit). The ISO can be run as a live CD, or used to install BitCurator on a dedicated machine. You can also create your own BitCurator virtual machine using the ISO image (for example, if you wish to use VMware rather than VirtualBox).

To install BitCurator as a stand-alone operating system, visit this page.

Want to put BitCurator on a bootable USB stick? If you're using a Windows machine, download our ISO image and use Rufus with these instructions.

Source Code

Our GitHub repository includes BitCurator-specific reporting tools, 3rd party open source tools, and technical documentation. Most releases post-0.2.0 are marked with tags.

Technical Requirements

The BitCurator environment may be run as either a dedicated operating system or as a virtual machine using virtualization tools such as VirtualBox or VMware. The instructions on this page will assist you in installing, configuring, and using the BitCurator environment for both cases.

BitCurator should run on any hardware capable of running modern Ubuntu. Using BitCurator in a production environment? Digital forensics tools are computationally intensive. We recommend running BitCurator on a machine with - at minimum - an Intel Core i7 or AMD Ryzen 1700 (or better) processor, 16GB RAM, and a solid-state hard drive for the main OS.

The BitCurator VirtualBox image is distributed with a configuration file set to two processing cores and 2GB of RAM. Although it is not recommended, you may be able to reduce the amount of RAM and number of processor cores to run the environment on older hardware.

For large disk images, data-intensive tasks, and simplified access to a range of hardware write-blockers, the environment should be installed on the host machine as a dedicated operating system.

Tools in the BitCurator Environment

The BitCurator virtual machine includes a unique interface to execute open source forensics tools. The BitCurator interface produces human-readable reports using the output of tools such as fiwalk and bulk_extractor. BitCurator also includes 3rd-party tools for disk imaging, data triage, private and individually identifying information (PII) discovery, filesystem analytics and reporting, and metadata export. The BitCurator environment is configured with scripts that automate actions that can be run against live filesystems, connected devices, and disk images for file analysis prior to (or in lieu of) imaging.

BitCurator currently includes the following tools:

Software produced by the BitCurator team:

  • BitCurator Reporting Tool: A GUI-driven (and optionally command-line) tool for running forensics tools in sequence to produce human- and machine-readable reports.
  • BitCurator Disk Image Access Tool: A GUI interface to browse raw and forensically-packaged disk images, export files and deleted items, and view disk image metadata.
  • BitCurator Mounter: A Qt GUI application to list currently attached devices along with technical details. Allows users to mount fixed and removable media according to the current mount policy.
  • BitCurator Read-Only AppIndicator: An Ubuntu AppIndicator allowing users to switch the system mount policy between "Read Only" and "Read/Write" for any attached media prior to mounting.

Disk imaging

  • Guymager: Multi-threaded open-source forensic disk imaging tool.
  • dcfldd: A forensics-focused rewrite of dd.
  • cdrdao: A CD imaging tool.

Forensic analysis and metadata generation

  • bulk_extractor: A stream-based tool for disk image analysis.
  • bulk_extractor Viewer (BEViewer): The GUI front-end for bulk_extractor.
  • DFXML tools: A set of C and Python programs to process Digital Forensics XML.
  • fiwalk: File system analysis and DFXML export.
  • The Sleuth Kit: A suite of forensics tools, utilities, and APIs.
  • libewf: Open-source support for the Expert Witness format.
  • AFFLIB: Open-source library for the Advanced Forensic Format.
  • pyExifToolGUI: A GUI front-end for Exiftool. Allows editing of image metadata.

Other utilities

  • ClamAV / ClamTK: Virus scanning.
  • FSlint: Duplicate file identification and deletion.
  • sdhash: File similarity tool using similarity digests.
  • HFS Utilities: Utilities providing access to legacy HFS file systems, such as HFS Explorer.
  • FIDO: Format Identification for Digital Objects.
  • readpst: A utility for reading and exporting the contents of PST files.
  • recoll: An indexing tool.
  • GTK Hash: A cryptographic hashing tool.
  • Bless Hex Editor: A hex editor with power-user features.
  • GHex: A simple hex viewer/editor.
  • Nautilus scripts: Support for various interactions with files and file systems.
  • Safe Mount: Software write-blocking for digital media.

Release Notes

Abbreviated release notes for past releases. Full release notes for specific releases may be found in the bitcurator-users group archive.

  • 1.8.16 (January 26, 2018)
    • BitCurator reporting tool fix to eliminate "endless spinning" when processing disk images containing files with unrecognized Unicode characters
    • Updated xlsx outputs, now tracking current API for OpenPyXL 2.5.0
    • Updated Bagger to 2.7.7
    • Kernel updates and security patches tracking Ubuntu 16.04.3
    • Support library version updates
  • 1.8.12 (August 25, 2017)
    • Updates to core Ubuntu 16.04.3 (final Ubuntu 16.04LTS point release)
    • Support library version updates
  • 1.8.0 (March 17, 2017)
    • Launchers for Timothy Ryan Walsh's Brunnhilde and Richard Lehane's Siegfried (along with the tools themselves) are now included by default. They can be found in the "Forensics and Reporting" folder on the Desktop, or invoked directly from a terminal.
    • HFSExplorer updated to latest pre-release for Brunnhilde compatibility
    • Desktop folders have been renamed to more appropriately reflect the tools they encompass. "Imaging Tools" is now "Imaging and Recovery". "Forensics Tools" is now "Forensics and Reporting". "Accession Tools" is now "Packaging and Transfer".
    • nwipe (via DBAN) now included to simplify secure erasure of attached media
    • Updated Quickstart guide to reflect recent changes and tool organization. Legacy screenshots updated.
    • VirtualBox guest additions updated to 5.1.18 (VM only)
    • Various support library updates
  • 1.7.22 (July 14th, 2016)
    • First Ubuntu 16.04 LTS based release
    • Improved support for modern storage devices (including SSDs)
    • Bagger updated to version 2.7.1
    • Now includes "dumpfloppy" in "Imaging Tools"
    • Latest version of bagit-python (using GitHub sources) included
    • The Sleuth Kit (TSK) libraries updated to improve NTFS volume handling, among many other fixes
    • Ubuntu "hardinfo" package now linked in "Additional Tools" (appears as "System Profiler and Benchmark") to assist in responding to problems and bug reports
    • FITS updated to 0.10.2
    • FIDO updated to 1.3.4
    • Updated VirtualBox Guest Additions to most recent (5.1.0)
  • 1.6.18 (June 23rd, 2016)
    • Fixes an issue with read-only drive mounting where certain floppy and SCSI drives were not remounted properly
    • Now includes "dumpfloppy" in "Imaging Tools"
    • Latest version of bagit-python (using GitHub sources) included
    • The Sleuth Kit (TSK) libraries updated to improve NTFS volume handling, among many other fixes
    • Ubuntu "hardinfo" package now linked in "Additional Tools" (appears as "System Profiler and Benchmark") to assist in responding to problems and bug reports
    • FITS updated to 0.10.2
    • FIDO updated to 1.3.4
  • 1.2.1 (January 3, 2014)
    • USB 3.0 device access (when installed as the host OS) restored
    • Startup services cleaned up
    • bulk_extractor rebuilt to accommodate Java update
  • 1.2.0 (October 30, 2014)
    • Weekly fstrim cron job disabled to prevent unwanted changes to the contents of SSDs
    • Devices are now mounted with the loop option by default
    • VirtualBox 4.3.20 updates
    • PREMIS report generation updates (improved event support and vocab fixes) in BitCurator reporting tool
    • ssdeep updated to 2.12 (corrects bugs in signature generation code and other updates from 2.10)
    • hashdb updated to 1.1.2
    • XlsxWriter updated to 0.6.4
    • Guymager updated to latest build of 0.7.4
    • DFXML libraries updated to latest GitHub sources
    • Removed unneeded OpenCL library preventing BitCurator from booting on certain systems
    • Fixed a minor application launch issue with BEViewer
    • disktype added with patches for E01 and other disk image formats
    • Ubuntu core and kernel updates
  • 1.1.0 (October 30, 2014)
    • BitCurator Reporting Tool directory selection dialogue updated in Run All to prevent crash on first run
    • objectIdentifierType / Value entries in BitCurator PREMIS output fixed
    • VirtualBox guest additions updated to 4.3.18
    • FITS updated to 0.8.3
    • gnome-sushi included to preview various file formats (left-click on file and hit the space bar; preview pops up)
    • VLC newly included to play and examine metadata in A/V media files
    • TestDisk newly included (damaged/lost partition recovery)
    • PhotoRec newly included (damaged/lost file recovery)
    • Minor updates to Nautilus scripts (typo fixes)
  • 1.0 (September 5, 2014)
    • Improved version of the BitCurator Disk Image Access tool.