Week in Review: Encryption, Speed, and Spring Cleaning (Feb 2–7, 2026)

This week brought major improvements across the forensic imaging pipeline, logical file extraction, and encryption management — plus a new automatic partition health check system.

  • E01/EWF imaging now auto-detects and images encrypted (LUKS) drives

  • Fixed a parallelism deadlock in the Logical File Extractor, restoring full multi-threaded throughput

  • Automatic NTFS partition health checks with UI status badges

  • Encryption Manager gains encryption “lock” support, auto-unlock toggle, duplicate key prevention, and disconnect-safe operations

  • NTFS repair pipeline with progressive auto-fix capability

  • Early scaffolding for on-device AI chat assistant


Forensic Imaging Gets Smarter

This week there were significant improvements to the E01/EWF imaging pipeline. The Drive Imager now detects encrypted (LUKS) source drives and can image them directly through their decrypted mapper paths — no manual prep required. I also added proper ewfverify engine support so verification honors the user's engine choice end-to-end, and fixed a hash mismatch that occurred when turbo/quick images stored only MD5 (SHA1/SHA256/BLAKE3 were being compared against zero values). I added initial support for full-volume and per-partition imaging modes, bringing our imaging flexibility closer to what investigators actually need in the field.
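The hash-mismatch case above, sketched as an added example (not the project's code): verification compares only the digests that were actually recorded with the image and refuses to pass when none were. The `Digests` type and function names are hypothetical, and the sample data is constructed.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Digests maps an algorithm name to its raw digest. An algorithm the imaging
// mode never computed is absent (hypothetical model, not the tool's schema).
type Digests map[string][]byte

var ErrNothingToVerify = errors.New("image has no stored digest to verify against")

// VerifyDigests checks every digest stored with the image and skips algorithms
// that were not recorded, instead of comparing them against a zero value.
func VerifyDigests(stored, computed Digests) ([]string, error) {
	var verified []string
	for _, alg := range []string{"md5", "sha1", "sha256", "blake3"} {
		want := stored[alg]
		if len(want) == 0 {
			continue // not recorded at acquisition time: nothing to compare
		}
		got, ok := computed[alg]
		if !ok {
			return nil, fmt.Errorf("%s was stored but not recomputed", alg)
		}
		if !bytes.Equal(want, got) {
			return nil, fmt.Errorf("%s mismatch: stored %x, computed %x", alg, want, got)
		}
		verified = append(verified, alg)
	}
	if len(verified) == 0 {
		return nil, ErrNothingToVerify // an empty record must never count as a pass
	}
	return verified, nil
}

func main() {
	data := []byte("constructed sample image bytes")
	m, s := md5.Sum(data), sha256.Sum256(data)
	stored := Digests{"md5": m[:]}                    // quick image: MD5 only
	computed := Digests{"md5": m[:], "sha256": s[:]} // verifier computed more
	verified, err := VerifyDigests(stored, computed)
	fmt.Println(verified, err)
}
```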

Logical File Extraction: 100% Throughput Restored

The Logical File Extractor (LFE) hit a parallelism wall this week — a thread-safety deadlock in The Sleuth Kit's C-layer block cache was causing 100% disk utilization hangs during multi-threaded extraction (I’m using CGO). The initial serialization fix dropped throughput by roughly 50% of what it should have been. The final solution — per-worker TSK filesystem handles — eliminated all shared C state from the read path and restored full parallel throughput. I also added a new extraction mode toggle (Preserve Structure vs. Organize by Category), a visual category tile selector for choosing which file types to extract, and the initial LFE profile system for reusable filter presets.

Automatic Partition Health Checks

I implemented automatic NTFS filesystem health checking — one of the larger changes this cycle at over 2,200 lines across 21 files. When a drive connects, the system now runs a quick health check on each partition and stores the results. Health status badges surface in the Investigation UI so examiners immediately know if a filesystem has issues before starting extraction. The underlying partition_health_checks table, CRUD layer, and migration are all in place, alongside a new quick_health_check.go engine.

Encryption Manager Updated

The encryption subsystem saw a wave of reliability and UX improvements:

  • Lock Encrypted Device: Users can now lock (close) unlocked drives directly from the Settings panel — previously a missing counterpart to unlock.

  • Auto-Unlock Toggle: Stored keys can be flagged for auto-unlock so drives are automatically decrypted on future connections.

  • Duplicate Key Prevention: Unlocking with "Save password" toggled on now updates existing vault entries instead of creating duplicates.

  • Device Path Validation: A new validation.go module standardizes mapper name prefixes (sns-luks-*, luks-evidence-*) and blocks arbitrary mapper paths from being closed — a defense-in-depth security improvement with full test coverage.

  • Disconnect-Safe Operations: Lock/unlock operations now use background contexts so they run to completion even if the browser disconnects mid-request.

  • Audit Trail: Lock operations are now recorded in the VAULT database alongside unlocks.
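An added sketch of the check described under Device Path Validation, not the project's validation.go: a close request is accepted only for a canonical path directly under /dev/mapper whose name starts with one of the two prefixes from the post. The function name, the suffix character set and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

const mapperDir = "/dev/mapper"

// Prefixes named in the post; the suffix rule below is an assumption.
var allowedPrefixes = []string{"sns-luks-", "luks-evidence-"}
var suffixRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ValidateMapperPath returns the mapper name when p is exactly
// /dev/mapper/<allowed prefix><suffix>, and an error for anything else.
// The check is purely lexical; callers pass the returned name, not p, onward.
func ValidateMapperPath(p string) (string, error) {
	if p != path.Clean(p) {
		return "", fmt.Errorf("non-canonical path %q", p) // "..", "//", trailing "/"
	}
	dir, name := path.Split(p)
	if strings.TrimSuffix(dir, "/") != mapperDir {
		return "", fmt.Errorf("%q is not directly under %s", p, mapperDir)
	}
	for _, pre := range allowedPrefixes {
		if strings.HasPrefix(name, pre) {
			if !suffixRe.MatchString(strings.TrimPrefix(name, pre)) {
				return "", fmt.Errorf("mapper name %q has an invalid suffix", name)
			}
			return name, nil
		}
	}
	return "", fmt.Errorf("mapper %q was not created by this tool", name)
}

func main() {
	// Constructed inputs: one managed mapper, then paths that must be refused.
	for _, p := range []string{
		"/dev/mapper/sns-luks-3f2a",
		"/dev/mapper/cryptroot",
		"/dev/mapper/../sda",
		"/dev/mapper/sns-luks-",
	} {
		name, err := ValidateMapperPath(p)
		fmt.Printf("%-28s name=%q err=%v\n", p, name, err)
	}
}
```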

Database & Codebase Cleanup

I invested in paying down some tech debt this week. Both authoritative database context documents were rewritten against the live VAULT.db — verifying all 81 tables, 294 indexes, 73 triggers, and 5 views. We removed 14 legacy SQL migration files and the deprecated processing table, cutting roughly 1,000 lines of dead code. A foreign key mismatch in extraction_operations was caught and corrected with a safe migration. Schema version history (v1–v62) is now fully documented.

NTFS Repair Tooling

I advanced the NTFS filesystem repair pipeline with a new progressive auto-fix capability. The repair mechanisms use ntfsfix and ntfs-3g. There is a smart mode that will progressively attempt repairs.

AI Chat Infrastructure (Experimental)

I laid the groundwork for an on-device AI assistant with an initial UI scaffolding. This is early-stage and experimental, but the architecture is in place for future investigator-facing AI features.

By the Numbers

  • ~50 non-merge commits across the week

  • ~12,000+ lines changed across Go backend, web UI, database migrations, and documentation

  • Version 35.0 of the core architecture documentation created

  • 9 files, 566 insertions for the encryption validation module alone

  • 21 files, 2,255 insertions for partition health checks

It was a dense week. The platform's forensic capabilities are expanding steadily, and I’m focused on making each feature reliable before moving on. More to come.