Linux Forensics Tools Repository

Welcome

Welcome to the CERT Linux Forensics Tools Repository, a repository of packages for Linux distributions. Currently, Fedora and CentOS/RHEL are provided in the repository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.

The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.

The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.

Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.

NOTICE - New RPM Signing Key - February, 2016

On February 19, 2016, a new RPM signing key was created to replace the previous key which expired on February 22, 2016. You can find this new key here. The fingerprint for this key is:

26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8

All packages for Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 were resigned with this new key.

If you have previously installed the repository, you need to do the following as root for Fedora 22 and 23:

dnf update cert-forensics-tools-release
dnf update

or the following for Fedora 20 and 21 and CentOS/RHEL 6 and 7:

yum update cert-forensics-tools-release
yum update

When prompted, accept the new key, but only after confirming that the fingerprint shown matches the one above and that the expiration date shown is 2018-04-07. Once you have done this, subsequent updates should proceed as usual.

If you have not previously installed the repository, follow the directions here for Fedora or here for CentOS/RHEL.
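The fingerprint check described in this notice, done by hand on the downloaded key file rather than by trusting the yum/dnf prompt, as an added example that is not part of the CERT page: it lists the key file with gpg, compares the fingerprint with the published one, imports the key only on a match, then queries the gpg-pubkey pseudo-package that rpm creates for an imported key (its name carries the low 8 hex digits of the key ID, here 87e360b8) and runs rpm -K over any package files given. The key file and package paths are script arguments; the script name and the gpg listing form are assumptions, and nothing CERT-specific is assumed beyond the fingerprint.

```shell
#!/bin/sh
# Added example, not from the CERT page: verify a downloaded RPM-GPG-KEY file
# against the fingerprint published in the February 2016 notice before
# importing it, then check that rpm registered the key and that any given
# package files verify against it.
# Usage: ./check-cert-key.sh RPM-GPG-KEY-file [package.rpm ...]
# Assumptions: gpg and rpm are on PATH for a real run; the helper functions
# are plain text processing and need neither.

EXPECTED_FPR="26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8"

# Drop whitespace and upper-case the hex so the spaced form shown by gpg and
# the compact form used in colon output compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Pull the primary-key fingerprint out of `gpg --with-colons` output passed
# in $1: it is field 10 of the first "fpr" record (the one after "pub").
fpr_from_colons() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 only when the listing in $1 carries exactly the expected key; an
# empty listing, a non-key file or a different key all fail.
fingerprint_matches() {
    actual=$(fpr_from_colons "$1")
    [ -n "$actual" ] && [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# rpm stores an imported key as the pseudo-package
# gpg-pubkey-<low 8 hex digits of the key ID, lower case>-<hex creation time>;
# derive the queryable name prefix from the fingerprint (gpg-pubkey-87e360b8).
rpm_pubkey_name() {
    compact=$(normalize_fpr "$1")
    printf 'gpg-pubkey-%s' "$(printf '%s' "$compact" | tail -c 8 | tr '[:upper:]' '[:lower:]')"
}

# Real run only when a key file was supplied on the command line.
if [ "$#" -gt 0 ]; then
    keyfile="$1"; shift
    # Lists the keys in the file without importing them (GnuPG 1.4/2.0 form;
    # GnuPG 2.2 and later also accept --show-keys for the same purpose).
    listing=$(gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null)
    if ! fingerprint_matches "$listing"; then
        echo "fingerprint of $keyfile does not match the published one; not importing" >&2
        exit 1
    fi
    rpm --import "$keyfile"
    # prints the pseudo-package, e.g. gpg-pubkey-87e360b8-<hex creation time>
    rpm -q "$(rpm_pubkey_name "$EXPECTED_FPR")"
    for pkg in "$@"; do
        rpm -K "$pkg" || { echo "signature check failed: $pkg" >&2; exit 1; }
    done
fi
```

Running `rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} %{summary}\n'` afterwards lists every imported key with its user ID, which is the quickest way to confirm the old, expired key is no longer the only one rpm knows about.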

End of Life Announcements

As of December 31, 2015, development has ceased for the following systems:

  • Fedora 17
  • Fedora 18
  • Fedora 19
  • CentOS/RHEL 5

Repository files will continue to be available but development and improvements will cease as of this date.

Repository RSYNC Server

The CERT Linux Forensics Tools Repository rsync server is available at the following URL for Fedora

rsync://linux-repository-rsync-server.cert.org/fedora

and the following URL for CentOS

rsync://linux-repository-rsync-server.cert.org/centos

Many thanks go to the Software Engineering Institute's Information Technology department for engineering this capacity.

The repository now contains packages that are shared between supported OSes and architectures. To reduce the size of the repository, these packages are hard-linked rather than copied. To keep your mirror of the repository equally small, make certain to use rsync's -H (--hard-links) option so that these hard links are preserved rather than expanded into separate copies.
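A mirror script for the two rsync modules above, as an added example that is not part of the CERT page: it pulls a module with -aH --delete and then measures, on the local copy, how many package paths still share an inode, which is the check that tells you -H actually took effect. The mirror root is chosen by the caller (the page does not prescribe one); rsync is only needed when the sync itself runs, the counting functions use find and ls.

```shell
#!/bin/sh
# Added example, not from the CERT page: mirror one rsync module named above
# with hard links preserved, then measure whether the local copy really
# shares inodes the way the upstream tree does. A mirror pulled without -H
# reports zero shared files here and is correspondingly larger.
# Usage: ./mirror-cert.sh fedora|centos /srv/mirror/cert/<module>
# Assumptions: rsync on PATH for the real sync; the destination path is the
# caller's choice.

RSYNC_SERVER="rsync://linux-repository-rsync-server.cert.org"

# Sync module $1 ("fedora" or "centos") into directory $2.
#   -a        archive: recursion, permissions, timestamps, symlinks
#   -H        preserve hard links; without it each package shared between
#             OS versions/architectures is downloaded and stored once per copy
#   --delete  remove files upstream has dropped, so resigned or retired RPMs
#             do not linger in the mirror
mirror_module() {
    mkdir -p "$2"
    rsync -aH --delete "$RSYNC_SERVER/$1/" "$2/"
}

# Number of regular files under $1 whose link count exceeds 1, i.e. paths
# that share an inode with at least one other path in the tree.
count_hardlinked_files() {
    find "$1" -type f -links +1 | wc -l | tr -d ' '
}

# Number of distinct inodes behind those files (`ls -i` prints "inode path").
count_shared_inodes() {
    find "$1" -type f -links +1 -exec ls -i {} + | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Copies that -H saved: every extra path onto an already-stored inode.
copies_avoided() {
    echo $(( $(count_hardlinked_files "$1") - $(count_shared_inodes "$1") ))
}

# Real run only when a module and a destination are supplied.
if [ "$#" -eq 2 ]; then
    mirror_module "$1" "$2"
    echo "hard-linked files: $(count_hardlinked_files "$2"), distinct inodes: $(count_shared_inodes "$2"), copies avoided: $(copies_avoided "$2")"
fi
```

If copies avoided comes back as 0 after a sync of a module the page says is hard-linked, the mirror was made without -H (or onto a filesystem that does not support hard links) and will keep growing with every shared package.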

Announcements

July 27, 2016

Plaso
Plaso, version 1.4.0 release 4, was installed in the Fedora 20, 21, 22, 23, and 24 repositories for all supported architectures, and in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

Dfvfs
Dfvfs, version 20160727 release 1, was installed in the Fedora 20, 21, 22, 23, and 24 repositories for all supported architectures, and in the CentOS/RHEL 7 repositories for the x86_64 architecture.

dfDateTime
dfDateTime, version 20160706 release 1, was installed in the CentOS/RHEL 6 repository for the x86_64 architecture.

July 24, 2016

Undbx
undbx, version 0.21 release 1, was installed in the CentOS/RHEL 7 repository for the x86_64 architecture.

July 22, 2016

Fmem-kernel-modules-common
Fmem-kernel-modules-common, version 1.6 release 1.2, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Foremost
Foremost version 1.5.7 release 13.1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libewf
Libewf, version 20160718 release 20140608.1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all architectures.

The Sleuth Kit
Sleuthkit, version 4.2.0 release 6, was installed in the Fedora 20, 21, 22, 23, 24 and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Testdisk
Testdisk, version 7.0 release 3.1, was installed in the CentOS/RHEL 6 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 3, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 3, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc23-{i686,x86_64}, version 1.1.r17 release 21, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc23-{i686,x86_64}, version 1.6 release 21, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc22-{i686,x86_64}, version 1.1.r17 release 36, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc22-{i686,x86_64}, version 1.6 release 36, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

July 15, 2016

Fedora 24
Fedora 24 is now supported in the repository for the i686 and x86_64 architectures.

Libpff
Libpff, version 20160110 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libvshadow
Libvshadow, version 20160110 release 2, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

DFF
DFF, version 1.3.6 release 20160630.1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 7 repositories for all supported architectures.

Libbde
Libbde, version 20160418 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libbfio
Libbfio, version 20160418 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 5, 6, and 7 repositories for all supported architectures.

Libevt
Libevt, version 20160421 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libevtx
Libevtx, version 20160421 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Liblnk
Liblnk, version 20160420 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libmsiecf
Libmsiecf, version 20160421 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libfsntfs
Libfsntfs, version 20160418 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libolecf
Libolecf, version 20160423 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libpst
Libpst, version 0.6.66 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libregf
Libregf, version 20160424 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libsmraw
Libsmraw, version 20160424 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libvhdi
Libvhdi, version 20160424 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules, version 1.1.r17 release 8 was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules, version 1.6 release 8 was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 1, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 1, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 2, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 2, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc23-{i686,x86_64}, version 1.1.r17 release 20, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc23-{i686,x86_64}, version 1.6 release 20, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el6-{i686,x86_64}, version 1.1.r17 release 24, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el6-{i686,x86_64}, version 1.6 release 24, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el5-{i686,x86_64}, version 1.1.r17 release 15, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el5-{i686,x86_64}, version 1.6 release 14, were installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-common, version 1.1.r17 release 2, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Snort
Snort, version 2.9.8.3 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Snort-openappid
Snort-openappid, version 2.9.8.3 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Snort-sample-rules
Snort-sample-rules, version 2.9.8.3 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Dfvfs
Dfvfs, version 20160510 release 1, was installed in the Fedora 20, 21, 22, 23, and 24 repositories for all supported architectures, and in the CentOS/RHEL 7 repositories for the x86_64 architecture.

Libfwnt
Libfwnt, version 20160418 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

dfDateTime
dfDateTime, version 20160706 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 7 repositories for all supported architectures.

SiLK
SiLK, version 3.12.2 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

SiLK
SiLK, version 3.12.2 release 2, was installed in the Fedora 20, 21, 22, 23, and 24 forensics-sip repositories for all supported architectures, and in the CentOS/RHEL 6 and 7 forensics-sip repositories for the x86_64 architecture.

Distorm3
Distorm3, version 3.3.4 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

The Volatility Framework
Volatility, version 2.5 release 4, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

The Volatility Community Plugins
Volatility-community-plugins, version 20160708 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Exfat-utils
Exfat-utils, version 1.2.3, was installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

nDPI
nDPI version 1.8 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Xplico
Xplico version 1.1.1 release 2, was installed in the Fedora 20, 21, 22, 23, 24, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Python-registry
Python-registry, version 1.2.0 release 2, was installed in the Fedora 20, 21, 22, 23, and 24 repositories for all supported architectures, and in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

Valabind
Valabind, version 0.10.0 release 1, was installed in the Fedora 20, 21, 22, 23, 24 repositories for the i386 and x86_64 architectures, and the CentOS/RHEL 7 repositories for the x86_64 architecture.

Radare
Radare, version 2.0.10.4 release 1, was installed in the Fedora 20, 21, 22, 23, 24 for the i386 and x86_64 architectures, and the CentOS/RHEL 7 repositories for the x86_64 architecture.

Python-Radare
Python-Radare, version 2.0.10.4 release 1, was installed in the Fedora 20, 21, 22, 23, 24 for the i386 and x86_64 architectures, and the CentOS/RHEL 7 repositories for the x86_64 architecture.

Radare-Extras
Radare-Extras, version 2.0.10.4 release 1, was installed in the Fedora 20, 21, 22, 23, 24 for the i386 and x86_64 architectures, and the CentOS/RHEL 7 repositories for the x86_64 architecture.

Disktype
Disktype version 9-19.1 was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Netsa-rayon
Netsa-rayon, version 1.4.3 release 2 was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Analysis-pipeline
Analysis-pipeline, version 5.4.1 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

June 24, 2016

LiME
Lime-kernel-modules-fc22-{i686,x86_64}, version 1.1.r17 release 35, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc22-{i686,x86_64}, version 1.6 release 35, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc23-{i686,x86_64}, version 1.1.r17 release 19, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc23-{i686,x86_64}, version 1.6 release 19, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el7-{i686,x86_64}, version 1.1.r17 release 22, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el7-{i686,x86_64}, version 1.6 release 22, were installed in the Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Repository RPMS

This section lists and explains how to enable the supported repositories on one of the supported operating system versions and architectures.

Fedora Support Table

To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.

Once you've installed one of these release repository packages, you can do either of the following:

  • Install all of the packages provided in the repository with the following command (on Fedora 22 through 24, use dnf in place of yum here and below):
    yum install CERT-Forensics-Tools
  • Install only the packages you need. For example, you can install the AFF tools with:
    yum install afftools
Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.

This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status. Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.

Fedora Linux Repository Support

Release   X86 RPMS   X86_64 RPMS     Source RPMS   Status
24        View       View            View          Actively being developed
23        View       View            View          Actively being developed
22        View       View            View          Actively being developed
21        View       View            View          Actively being developed
20        View       View            View          Actively being developed
19        View       View            View          Development has ended as of 2015-12-31
18        View       View            View          Development has ended as of 2015-12-31
17        View       View            View          Development has ended as of 2015-12-31
16        View       View            View          Development has ended as of 2014-01-16
15        View       View            View          Development has ended as of 2013-06-27
14        View       View            View          Development has ended as of 2013-02-05
13        View       View            View          Development has ended as of 2012-05-31
12        View       View            View          Development has ended as of 2011-11-08
11        View       Not Supported   View          Development has ended as of 2011-06-30
10        View       Not Supported   View          Development has ended as of 2010-11-01
9         View       Not Supported   View          Development has ended as of 2010-06-30
8         View       Not Supported   List          Development has ended as of 2010-06-30

CentOS/RHEL Support Table

To add the tools repository to your CentOS/RHEL system, follow these steps:

  • First, install these packages depending on your version of CentOS/RHEL and architecture:
    CentOS/RHEL 5.X i386 and x86_64
    cd /tmp
    wget http://download1.fedora.redhat.com/pub/epel/5/`uname -m`/epel-release-5-4.noarch.rpm
    rpm -Uvh epel-release-5-4.noarch.rpm
    wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.`uname -m`.rpm
    rpm -Uhv rpmforge-release-0.5.3-1.el5.rf.`uname -m`.rpm
    yum update epel-release rpmforge-release
    
    CentOS/RHEL 6.0-6.4 i386 and x86_64
    cd /tmp
    wget http://download1.fedora.redhat.com/pub/epel/6/`uname -m`/epel-release-6-8.noarch.rpm
    rpm -Uvh epel-release-6-8.noarch.rpm
    wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.`uname -m`.rpm
    rpm -Uhv rpmforge-release-0.5.3-1.el6.rf.`uname -m`.rpm
    yum update epel-release rpmforge-release
    
    CentOS/RHEL 6.5-6.7 x86_64
    cd /tmp
    wget http://download1.fedora.redhat.com/pub/epel/6/`uname -m`/epel-release-6-8.noarch.rpm
    rpm -Uvh epel-release-6-8.noarch.rpm
    wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.`uname -m`.rpm
    rpm -Uhv rpmforge-release-0.5.3-1.el6.rf.`uname -m`.rpm
    yum update epel-release rpmforge-release
    yum install centos-release-scl
    
    CentOS/RHEL 7.0.1406-7.2.1511 x86_64
    cd /tmp
    wget http://dl.fedoraproject.org/pub/epel/7/`uname -m`/e/epel-release-7-5.noarch.rpm
    rpm -Uvh epel-release-7-5.noarch.rpm
    wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.`uname -m`.rpm
    rpm -Uhv rpmforge-release-0.5.3-1.el7.rf.`uname -m`.rpm
    yum update epel-release rpmforge-release
    
  • Next, as root, install the repository rpm appropriate for your version of CentOS/RHEL. Find the CERT Forensics GPG key here and use it to verify the rpm's signature before installing it. Install it as root with the following, after first selecting the appropriate architecture:


  • Finally, do either of the following:

    • Install all of the packages provided in the repository with:
      yum install CERT-Forensics-Tools
    • Install only the packages you need. For example, you can install the AFF tools with:
      yum install afftools
      Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.
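The CentOS/RHEL steps above, together with the yum-versus-dnf rule from the Fedora section, as one script that is an added example and not part of the CERT page: it reads the installed release from /etc/redhat-release, downloads and installs the prerequisite release packages the page lists for that major version (URLs copied from the page unchanged), adds Software Collections only for 6.5 and later as the page does, refuses a cert-forensics-tools-release rpm that does not pass rpm -K, and then installs the meta package. The release rpm path is the script's argument because the page links it without showing its file name; the script name and the choice to take it as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not from the CERT page: the CentOS/RHEL prerequisite steps
# above, plus the yum-versus-dnf rule from the Fedora section, as one script
# that reads the installed release instead of asking you to pick a block.
# Run as root. URLs are copied from the page unchanged.
# Usage: ./add-cert-repo.sh /path/to/cert-forensics-tools-release.rpm
# Assumptions: $1 is the release rpm downloaded from the page's link for your
# OS version (its file name is not reproduced here), and the CERT signing key
# has already been imported so that rpm -K can verify it.

# Major and minor release numbers from an /etc/redhat-release line such as
# "CentOS Linux release 7.2.1511 (Core)" -> 7 and 2.
el_major_version() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9]*\).*/\1/p'
}
el_minor_version() {
    printf '%s\n' "$1" | sed -n 's/.*release [0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p'
}

# Fedora 22 through 24 use dnf; every other system on the page uses yum.
pkg_manager() {
    if [ "$1" = "fedora" ] && [ "$2" -ge 22 ]; then echo dnf; else echo yum; fi
}

# The EPEL and RPMforge release packages the page installs for EL major $1
# and architecture $2, one URL per line; an unknown major returns 1.
prereq_urls() {
    case "$1" in
    5) printf '%s\n' \
        "http://download1.fedora.redhat.com/pub/epel/5/$2/epel-release-5-4.noarch.rpm" \
        "http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.$2.rpm" ;;
    6) printf '%s\n' \
        "http://download1.fedora.redhat.com/pub/epel/6/$2/epel-release-6-8.noarch.rpm" \
        "http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.$2.rpm" ;;
    7) printf '%s\n' \
        "http://dl.fedoraproject.org/pub/epel/7/$2/e/epel-release-7-5.noarch.rpm" \
        "http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.$2.rpm" ;;
    *) return 1 ;;
    esac
}

# Real run only when the release rpm path was supplied.
if [ "$#" -eq 1 ]; then
    release_rpm="$1"
    rel=$(cat /etc/redhat-release)
    major=$(el_major_version "$rel"); minor=$(el_minor_version "$rel"); arch=$(uname -m)
    pm=$(pkg_manager centos "$major")
    prereq_urls "$major" "$arch" >/dev/null || { echo "unsupported release: $rel" >&2; exit 1; }
    cd /tmp || exit 1
    for url in $(prereq_urls "$major" "$arch"); do
        wget "$url" && rpm -Uvh "$(basename "$url")"
    done
    "$pm" update epel-release rpmforge-release
    # the page adds Software Collections only for 6.5 and later
    if [ "$major" -eq 6 ] && [ "${minor:-0}" -ge 5 ]; then "$pm" install centos-release-scl; fi
    # refuse an unverifiable release rpm rather than installing a repo config blind
    rpm -K "$release_rpm" || { echo "signature check failed: $release_rpm" >&2; exit 1; }
    rpm -Uvh "$release_rpm"
    "$pm" install CERT-Forensics-Tools
fi
```

The release rpm is the one file in this procedure that configures where future packages come from, so it is the one worth refusing on a failed rpm -K; the EPEL and RPMforge packages are fetched exactly as the page shows them.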


CentOS/RHEL Linux Repository Support

Release   X86 RPMS        X86_64 RPMS   Source RPMS   Status
7         Not Supported   View          View          Actively being developed
6         View            View          View          Actively being developed
5         View            View          View          Development has ended as of 2015-12-31

ADIA

The next table shows the ADIA versions currently available.

Presently, ADIA for the i386 and x86_64 architectures for Fedora 17 have been developed and are now available. Both are available for VMware and VirtualBox. This document explains how to install, operate, and maintain ADIA.

ADIA for CentOS 7 x86_64 is in the final stages of development and testing. It is expected to be announced in April, 2016. Watch this space for the announcement.

ADIA - The Appliance for Digital Investigation and Analysis

Fedora Version   Architecture   Virtualization Software   Appliance ISO Image File   SHA256 Checksum                                                    Signature
17               i386           VMware                    Link                       e22d633cd0d3504284dcca44dfeb247d5854ab107e2e87fe05f3320fe1de9e94   Link
17               x86_64         VMware                    Link                       24bf04ad4d356da0e14251d2c6c1ff1efb16edd3b512ecc37aa54b7c23c05234   Link
17               i386           VirtualBox                Link                       e0432e34cca672e39741afee988cde34c9296b5b854bc1cd945422821d716d57   Link
17               x86_64         VirtualBox                Link                       a9d96f4913afdca2d4dee5ed6440cdf4b8b42ffd887797a257cb30868b2be676   Link
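Checking a downloaded appliance image against the table, as an added example that is not part of the CERT page: the script compares the file's SHA256 with the value given for it (case-insensitively, so a hash pasted in upper case still matches) and, when the detached signature from the Signature column was downloaded too, verifies it with gpg against the already-imported CERT key. Image and signature file names are whatever the download links give you and are passed as arguments; the script name and the fallback order of hashing tools are assumptions.

```shell
#!/bin/sh
# Added example, not from the CERT page: check a downloaded ADIA appliance
# image against the SHA256 value from the table above and, when a detached
# signature was downloaded too, against the CERT Forensics key.
# Usage: ./check-adia.sh image-file expected-sha256 [signature-file]
# Assumptions: one of sha256sum, shasum or openssl is available; gpg with
# the CERT key already imported for the signature step; file names are
# whatever the download links provide (the page does not show them).

# Print the SHA256 of $1 as 64 lower-case hex digits with whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Return 0 when the digest of file $1 equals $2; 1 otherwise. The expected
# value is lower-cased first so a hash copied in upper case still compares.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 when detached signature $2 over file $1 verifies with a key in the
# local gpg keyring (import the CERT key first; see the signing-key notice).
verify_signature() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# Real run only when an image and an expected hash were supplied.
if [ "$#" -ge 2 ]; then
    if verify_sha256 "$1" "$2"; then
        echo "SHA256 OK: $1"
    else
        echo "SHA256 MISMATCH: $1 (got $(sha256_of "$1"), expected $2)" >&2
        exit 1
    fi
    if [ "$#" -ge 3 ]; then
        if verify_signature "$1" "$3"; then
            echo "signature OK: $3"
        else
            echo "signature BAD or key not imported: $3" >&2
            exit 1
        fi
    fi
fi
```

A matching checksum only proves the download is the file the page lists; the signature step is what ties that file to the CERT key, so run both when the signature is available.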

The ADIA Examiner Login

The examiner account, which is the default and automatically logged-in account for ADIA, is comprised of several packages and a script used to create or reset this account to its default state. With these packages, changes to ADIA can be reflected in the examiner's desktop.

One such example is the addition of a tool to the set of tools available to the analyst. When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of this new tool.

To this end, there is a second repository that defines the set of packages used to manage the examiner's desktop environment. The table below lists the examiner desktop release RPMs for the supported architectures. These release RPMs contain references to the CERT-supplied RPMs for the examiner login, Adobe Acrobat, and Webmin. Install the rpm for your version of Fedora to enable access via yum. Find the CERT Forensics GPG key here.

Support and bug-reports

To request support or report bugs, send mail to

Frequently Asked Questions

Have questions? See the Frequently Asked Questions page.

Want to contribute?

If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to Here are the areas where help is most needed: