WLS 3.6 is here! Aside from the continual improvements to the core, here are a few highlights for this release.
ARP – New!
- Periodically log the ARP table
DNS Cache – New!
- Periodically log the DNS cache
- Log certificate information as specified by Extension FriendlyName OR OID
  - Useful for logging extra information such as the Certificate Template Information
- Added AlternateDataStreamFileMetadata
  - Specify alternate FileMetadata settings to be used for files found in AlternateDataStreams
- Added ImpSSDeep hash
  - Fuzzy hash of all PE imported libraries and function names
- Added GetSectionNames
  - Log the section names as defined in the PE header of the file
- Added ZoneFields parameter to FileMetadata
  - Log new zone data provided by Edge, Chrome, etc. Known available fields are HostIpAddress, HostUrl, ReferrerUrl, ZoneId.
  - Learn more here: http://cyberforensicator.com/2018/06/26/where-did-it-come-from-forensic-analysis-of-zone-identifier/
- Filtering to prevent specific metadata from being collected
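
The zone fields named above (ZoneId, HostUrl, ReferrerUrl, HostIpAddress) are stored as INI-style text in a file's Zone.Identifier alternate data stream. The Python parser below is an added example, not WLS code and not part of the original post; the function names, the `fields` parameter and the sample bytes are constructed for illustration.

```python
# Added example: parse the text of a Zone.Identifier alternate data stream
# and keep only the requested fields. Names here are hypothetical, not WLS's.
KNOWN_FIELDS = ("ZoneId", "HostUrl", "ReferrerUrl", "HostIpAddress")
# Windows URL security zone numbers.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def decode_stream(raw: bytes) -> str:
    """Decode stream bytes; tolerate a UTF-16 or UTF-8 byte order mark."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")

def parse_zone_identifier(raw: bytes, fields=KNOWN_FIELDS) -> dict:
    """Return the requested fields found under the [ZoneTransfer] section."""
    wanted = {f.lower(): f for f in fields}
    out = {}
    in_section = False
    for line in decode_stream(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "zonetransfer"
            continue
        if not in_section or "=" not in line:
            continue  # ignore data outside the section and malformed lines
        key, value = line.split("=", 1)  # URLs may themselves contain '='
        name = wanted.get(key.strip().lower())
        if name and name not in out:  # first occurrence wins
            out[name] = value.strip()
    if "ZoneId" in out:
        try:
            out["ZoneName"] = ZONE_NAMES.get(int(out["ZoneId"]), "Unknown")
        except ValueError:
            out["ZoneName"] = "Invalid"
    return out

# Constructed sample of what a browser might write for a downloaded file.
SAMPLE = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"ReferrerUrl=https://downloads.example.test/page\r\n"
          b"HostUrl=https://cdn.example.test/files/setup.exe?x=1&y=a=b\r\n")

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE))
```

On Windows the raw bytes can be read by opening the file path with `:Zone.Identifier` appended.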
Local Users – New!
- Periodically log users with specified parameters and their groups
- Periodically log groups with specified parameters and their users
- Added detection for IMAGE_DEBUG_TYPE_REPRO which affects the TimeDateStamp in the file header
- Enhanced support for alternate data streams and symlinks
- Enhanced support for version information including languages and codepages
- Support for TLS 1.1 with .NET 4.5+
- Support for TLS 1.2 with .NET 4.6+
For more information on WLS, click “WLS Information” at the top, or here: WLS Information
If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.