WLS 3.6 Released!

WLS 3.6 is here! Aside from the continual improvements to the core, here are a few highlights for this release.

ARP – New!

• Periodically log the ARP table

DNS Cache – New!

• Periodically log the DNS cache

CertificateMonitor

• Log certificate information as specified by Extension FriendlyName OR OID
  • Useful for logging extra information such as the Certificate Template Information

FileMetadata enhancements

• Added AlternateDataStreamFileMetadata
  • Specify alternate FileMetadata settings to be used for files found in AlternateDataStreams
• Added ImpSSDeep hash
  • Fuzzy hash of all PE imported libraries and function names
• Added GetSectionNames
  • Log the section names as defined in the PE header of the file
• Added ZoneFields parameter to FileMetadata
  • Log new zone data provided by Edge, Chrome, etc. Known available fields are HostIpAddress, HostUrl, ReferrerUrl, ZoneId.
  • Learn more here: http://cyberforensicator.com/2018/06/26/where-did-it-come-from-forensic-analysis-of-zone-identifier/
• Filtering to prevent specific metadata from being collected

Local Users – New!

• Periodically log users with specified parameters and their groups
• Periodically log groups with specified parameters and their users

Misc

• Added detection for IMAGE_DEBUG_TYPE_REPRO which affects the TimeDateStamp in the file header
• Enhanced support for alternate data streams and symlinks
• Enhanced support for version information including languages and codepages
• Support for TLS 1.1 with .NET 4.5+
• Support for TLS 1.2 with .NET 4.6+

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like licensing or other information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

Article Link: https://digirati82.com/2018/09/20/wls-3-6-released/