v1.4.5-beta.1

Changes since v1.4.4-beta.1

• Bump to 1.4.5-beta.1
• feat(chrome): port ChromeKatz CookieMonster locator + tree walker

v1.4.4-beta.1

Changes since v1.4.3-beta.1

• Bump to 1.4.4-beta.1
• fix(chrome): drop heuristic in-process extractors, keep discovery only

v1.4.3-beta.1

Changes since v1.4.2-beta.1

• Bump to 1.4.3-beta.1
• docs(chrome): document --chrome-process-scan + acknowledge ChromeKatz
• feat(chrome): in-process scanner + --chrome-process-scan opt-in flag
• feat(chrome): port CanonicalCookie struct layouts + tree walker from ChromeKatz
• feat(paging): page-walk-based user region enumerator (chrome feature only)

v1.4.2-beta.1

Changes since v1.4.1

• Bump to 1.4.2-beta.1
• docs(chrome): refresh module + user docs to match shipping state
• refactor(chrome): extract decrypt_layer + run_chrome_hybrid for readability
• fix(lsass): unify IV heuristics + reject pointer-table candidates
• refactor(chrome): share one disk handle across the hybrid pipeline
• fix(lsass): bound IV recovery search and reject UTF-16 strings
• fix(chrome): try every candidate masterkey per ABE layer
• fix(lsass): recover IV from .data when global is paged out
• feat(chrome): --chrome-password flag (repeatable) for password candidates
• feat(chrome): wire chrome into run_vmfs path + try every LSA password for user MK decrypt
• feat(chrome): auto-extract ABE static keys from elevation_service.exe via PE pattern-scan
• feat(chrome): Chrome v20 ABE — static keys reverse-engineered from elevation_service.exe
• feat(chrome): v20 App-Bound Encryption — Edge cookies decrypt end-to-end
• fix(chrome): replace standard PBKDF2 with DPAPI's custom XOR-feedback derive
• fix(chrome): DPAPI blob AES-CBC uses all-zero IV; add v10 GCM AAD support
• fix(chrome): preserve raw bytes for SQLite TEXT columns
• feat(chrome): compose memory + disk DPAPI MKs in --chrome --disk path
• feat(chrome): on-disk DPAPI MK decryption — user (NT hash) + system (DPAPI_SYSTEM)
• feat(chrome): wire LSASS-cached DPAPI masterkeys into disk extraction
• fix(chrome): match encrypted_value as TEXT or BLOB
• fix(chrome): DPAPI HMAC key must be SHA1(masterkey), not raw masterkey
• docs(chrome): document --chrome flag + chrome feature in user docs
• feat(chrome): CLI wiring — --chrome + --chrome-json, disk profile discovery on run_sam
• feat(chrome): stdout (grouped) + JSON output formatters
• feat(chrome): Firefox NSS scaffold (logins.json parser + key4.db reader; NSS derive TODO)
• feat(chrome): hybrid keyring + composed resolver (mem MK cache + fallback)
• feat(chrome): heuristic cookie scanner + memory orchestrator over ProcessSource
• feat(chrome): heuristic password triple scanner (UTF-16LE URL + creds)
• feat(chrome): signature table schema + wildcard scanner (empty initial set)
• feat(chrome): memory module skeleton + process classification (browser/network)
• feat(chrome): App-Bound Encryption (v20) two-layer DPAPI + key unwrap
• feat(chrome): disk extraction orchestrator (Local State -> blob -> SQLite)
• feat(chrome): profile discovery on NTFS (Chromium family + FileTree trait)
• feat(chrome): v10/v11 AES-GCM blob decrypt + scheme classifier
• feat(chrome): DPAPI blob parse + AES-256/SHA-512 decrypt (roundtrip-tested)
• feat(chrome): Local State JSON parser (v10/v11 + v20 key extraction)
• feat(chrome): sqlite WAL replay (committed frames overlay base pages)
• feat(chrome): sqlite B-tree walk (leaf + interior) + overflow chain
• fix(chrome): bounds-check sqlite record decoder against truncated/negative payloads
• feat(chrome): sqlite varint + record (serial type) decoder
• feat(chrome): sqlite file header + page accessor + mini fixture
• feat(chrome): scaffold module, types, base64 + epoch utils, --chrome flag
• Fix LZNT1 off-by-one and relax Kerberos kvno carve filter

v1.4.1

Changes since v1.4.0

• Bump to 1.4.1
• Support FLAT and VMFS extents in VMDK descriptor parser
• Fix 5 bugs found during code review
• Fix Kerberos ticket carving misses on Win10 1607+ and all x86 variants

v1.4.0

Changes since v1.3.0

• Merge dev into main for v1.4.0 release
• Fix macOS x86_64 runner: macos-13 retired, use macos-26-intel
• Add ARM builds (aarch64, armv7, armv5/v6)
• Move loader to tools/, bundle in ESXi release archive
• Document Python loader for ESXi VIB bypass, add VIB field to bug template
• Fix vmkatz_loader.py header: document Python 2.7+ compatibility
• Reorganize README: move detailed docs to docs/
• Add Python in-memory ELF loader for ESXi VIB bypass
• Add Kerberos ticket carving from LSASS memory
• Add BitLocker FVEK extraction from VM memory snapshots
• Include file path in mmap fallback warning message
• Add pread fallback when mmap fails (e.g. ESXi 6.5 VMkernel)

v1.4.0-rc.2

Changes since v1.3.0-beta.1

• Fix macOS x86_64 runner: macos-13 retired, use macos-26-intel
• Add Cross.toml pinning ARM targets to :main edge images
• Bump to 1.4.0, add ARM builds (aarch64, armv7, armv5/v6)
• Fix Python availability claim: included in ESXi 6.x+, not all versions
• Move loader to tools/, bundle in ESXi release archive
• Fix vmkatz_loader.py header: document Python 2.7+ compatibility
• Reorganize README: move detailed docs to docs/
• Document Python loader for ESXi VIB bypass, add VIB field to bug template
• Merge branch 'mmap-fallback' into dev
• Add Python in-memory ELF loader for ESXi VIB bypass
• Add volatility-kerberos acknowledgement for ticket carving inspiration
• Add Kerberos ticket carving from LSASS memory
• Add transparent BitLocker disk decryption using FVEK from memory
• Add BitLocker FVEK extraction from VM memory snapshots
• Include file path in mmap fallback warning message
• Add pread fallback when mmap fails (e.g. ESXi 6.5 VMkernel)
• Bump version to 1.3.0
• Fix potential panics: bounds-check QEMU reads, guard VHDX division by zero
• Sort orphan VMDK extents in discovery to pick lowest-numbered first
• Improve mmap failure error message with file size context
• Remove read_to_end fallback from VMware layer
• Centralize mmap and file_size helpers for block device compatibility
• Add VMFS-5 support to raw VMFS parser
• Fix QEMU savevm detection and mmap on block devices (LVM volumes)
• Update README: mark VHDX as tested (Win2003R2, Win2012R2)
• Update README: document SAM account status and DPAPI dedup
• Improve DPAPI and SAM display: account status, key dedup, NTFS 8.3 fix
• Demote empty LSA secret warning to debug level
• Fix DPAPI hashcat mode: distinguish local (15300/15900) from domain (15310/15910)
• Log warnings on I/O errors in file discovery instead of silently skipping
• Clean up magic numbers and improve readability

v1.3.0

Changes since v1.2.2

• Bump version to 1.3.0
• Fix potential panics: bounds-check QEMU reads, guard VHDX division by zero
• Sort orphan VMDK extents in discovery to pick lowest-numbered first
• Improve mmap failure error message with file size context
• Remove read_to_end fallback from VMware layer
• Centralize mmap and file_size helpers for block device compatibility
• Add VMFS-5 support to raw VMFS parser
• Fix QEMU savevm detection and mmap on block devices (LVM volumes)
• Update README: mark VHDX as tested (Win2003R2, Win2012R2)
• Update README: document SAM account status and DPAPI dedup
• Update README for QEMU savevm, embedded .vmsn, BitLocker, and legacy LSA support
• Improve DPAPI and SAM display: account status, key dedup, NTFS 8.3 fix
• Demote empty LSA secret warning to debug level
• Fix DPAPI hashcat mode: distinguish local (15300/15900) from domain (15310/15910)
• Log warnings on I/O errors in file discovery instead of silently skipping
• Clean up magic numbers and improve readability
• Add changelog generation to release workflow
• Fix legacy LSA secret decryption (pre-Vista / Windows 2003)
• Fall back to legacy LSA key when PolEKList is missing despite modern revision
• Detect BitLocker-encrypted partitions and warn the user
• Fix embedded .vmsn memory and hide machine account passwords
• Add QEMU/KVM/Proxmox savevm state parser and improve System process discovery
• Unify Kerberos credential extraction for x64/x86
• Unify MSV session and credential extraction for x64/x86
• Refactor LSASS providers: extract shared helpers and unify x64/x86 code paths
• Add GitHub issue templates for bug reports and feature requests
• Handle Kerberos ISO passwords, SmartCard PINs, and MSV CredentialKeys
• Add x86 EPROCESS offsets for Vista/Win7/Win8/8.1 and fix Vista x86 classification

v1.3.0-beta.1

Changes since v1.2.2

• Add changelog generation to release workflow
• Bump version to 1.3.0-beta.1 and support pre-release tags in CI
• Merge branch 'main' into dev
• Update README for QEMU savevm, embedded .vmsn, BitLocker, and legacy LSA support
• Fix legacy LSA secret decryption (pre-Vista / Windows 2003)
• Fall back to legacy LSA key when PolEKList is missing despite modern revision
• Detect BitLocker-encrypted partitions and warn the user
• Fix embedded .vmsn memory and hide machine account passwords
• Add QEMU/KVM/Proxmox savevm state parser and improve System process discovery
• Unify Kerberos credential extraction for x64/x86
• Unify MSV session and credential extraction for x64/x86
• Refactor LSASS providers: extract shared helpers and unify x64/x86 code paths
• Add GitHub issue templates for bug reports and feature requests
• Handle Kerberos ISO passwords, SmartCard PINs, and MSV CredentialKeys
• Add x86 EPROCESS offsets for Vista/Win7/Win8/8.1 and fix Vista x86 classification

v1.2.2

- Support VBox 5.x-7.x PGM saved state versions in .sav parser
- Flip EPT scanning to opt-in (--ept) — disabled by default since most VMs don't use VBS
- Validate GPT entry size before allocation and slice access
- Fix VDI parent resolution and coalesce_pages overflow
- Cap QCOW2 L1 table allocation and fix VMware tag parsing
- Harden SAM/ESE/VMFS/NTFS parsers against malformed inputs
- Remove dev-only examples from published repo