Linux Forensics Tools Repository

Welcome

Welcome to the CERT Linux Forensics Tools Repository, a repository of packages for Linux distributions. Currently, Fedora and Centos/RHEL are provided in the respository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.

The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.

The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.

Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.

NOTICE - IMPORTANT Items Shown In Red

Important items are now shown in red. Pay attention to them because they are important.

NOTICE - New RPM Signing Key - February, 2016
End Of Life Announcement
Repository RSYNC Server
Announcements
Fedora Repository RPMS
Fedora Support Table
CentOS/RHEL Support Table
ADIA
The ADIA Examiner Login
Support and bug-reports
Issues and Workarounds
Frequently Asked Questions
Want to contribute?

NOTICE - New RPM Signing Key - February, 2016

On February 19, 2016, a new RPM signing key was created to replace the previous key which expired on February 22, 2016. You can find this new key here. The fingerprint for this key is:

26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8

All packages for Fedora 20 through 26, and CentOS/RHEL 6 and 7 were resigned with this new key.

If you have previously installed the repository, you need to do the following as root for Fedora 22 through 26:

dnf update cert-forensics-tools-release dnf update

or the following for Fedora 20 and 21 and CentOS/RHEL 6 and 7:

yum update cert-forensics-tools-release yum update

Answer yes to installing the new key with the fingerprint as noted above and an expiration date of 2018-04-07. Once you have done this, subsequent updates should proceed as usual.

If you have not previously installed the repository, follow the directions here for Fedora or here for CentOS/RHEL.

End of Life Announcements

As of December 31, 2015, developoment will cease for the following systems:

Fedora 17
Fedora 18
Fedora 19
CentOS/RHEL 5

Repository files will continue to be available but development and improvements will cease as of this date.

Repository RSYNC Server

The CERT Linux Forensics Tools Repository rsync server is available at the following URL for Fedora

rsync://linux-repository-rsync-server.cert.org/fedora

and the following URL for CentOS

rsync://linux-repository-rsync-server.cert.org/centos

Much thanks goes to the Software Engineering Institute's Information Technology department for engineering this capacity.

The repository now contains packages that are shared between supported OSes and Architectures. To reduce the size of the repository, these packages are hard-linked rather than copied. To reduce the size of your mirror of the repository, make certain to use the -H option to preserve these hard links.

Announcements

July 21, 2017

Fedora 26
Fedora 26 is now supported in the repository for the i686 and x86_64 architectures.

LiME
Lime-kernel-modules-fc26-x86_64, version 1.1.r17 release 2, were installed in the Fedora 20, 21, 22, 23, 24, 25, 26, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc26-x86_64, version 1.6 release 2, were installed in the Fedora 20, 21, 22, 23, 24, 25, 26, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc25-{i686,x86_64}, version 1.1.r17 release 35, were installed in the Fedora 20, 21, 22, 23, 24, 25, 26, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc25-{i686,x86_64}, version 1.6 release 35, were installed in the Fedora 20, 21, 22, 23, 24, 25, 26, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 46, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 46, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Pfring
PFRing, version 6.6.0 release 1353, was installed in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

Pfring-dkms
PFRing-dkms, version 6.6.0 release 1353, was installed in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

July 14, 2017

LiME
Lime-kernel-modules-fc25-{i686,x86_64}, version 1.1.r17 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc25-{i686,x86_64}, version 1.6 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc25-{i686,x86_64}, version 1.1.r17 release 33, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc25-{i686,x86_64}, version 1.6 release 33, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc25-{i686,x86_64}, version 1.1.r17 release 32, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc25-{i686,x86_64}, version 1.6 release 32, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 45, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 45, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 44, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 44, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el7-{i686,x86_64}, version 1.1.r17 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el7-{i686,x86_64}, version 1.6 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el6-{i686,x86_64}, version 1.1.r17 release 35, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el6-{i686,x86_64}, version 1.6 release 35, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Libfsext
Libfsext, version 20160110 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libfshfs
Libfshfs, version 20170626 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libhibr
Libhibr, version 20170530 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libmdum
Libmdmp, version 20170522 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libmodi
Libmodi, version 20170527 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libnk2
Libnk2, version 20170605 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libodraw
Libodraw, version 20170217 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libphdi
Libphdi, version 20170529 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libexe
Libexe, version 20170123 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libwtcdb
Libwtcdb, version 20170201 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libfplist
Libfplist, version 20170112 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libfwevt
Libfwevt, version 20170114 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libagdb
Libagdb, version 20170710 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libcreg
Libcreg, version 20170119 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libvsmbr
Libvsmbr, version 20170525 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Libwrc
Libwrc, version 20160419 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

Winevt-kb
Winevt-kb, version 20170527 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architecture.

DTFabric
DTFabric, version 20170630 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 7 repositories for all supported architecture.

Winreg-kb
Winreg-kb, version 20170525 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 7 repositories for all supported architecture.

DFWinreg
DFWinreg, version 20170706 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and 25 repositories for all supported architectures and the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

CERT-Forensics-Tools
CERT-Forensics-Tools, version 1.0 release 74, was installed in the Fedora 20, 21, 22, 23, 24, and 25, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

Pfring
PFRing, version 6.6.0 release 1334, was installed in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

Pfring-dkms
PFRing-dkms, version 6.6.0 release 1334, was installed in the CentOS/RHEL 6 and 7 repositories for the x86_64 architecture.

Yara-python
Yara-python, version 3.6.2 release 1, was installed in the Fedora 24 and 25 repositories for all supported architecture.

June 30, 2017

LiME
Lime-kernel-modules-fc25-{i686,x86_64}, version 1.1.r17 release 31, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc25-{i686,x86_64}, version 1.6 release 31, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-fc24-{i686,x86_64}, version 1.1.r17 release 43, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-fc24-{i686,x86_64}, version 1.6 release 43, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el7-{i686,x86_64}, version 1.1.r17 release 33, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el7-{i686,x86_64}, version 1.6 release 33, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

SiLK
SiLK, version 3.16.0 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

SiLK
SiLK, version 3.16.0 release 2, was installed in the Fedora 20, 21, 22, 23, 24, and 25 forensics-sip repositories for all supported architectures, and in the CentOS/RHEL 6 and 7 forensics-sip repositories for the x86_64 architecture.

SiLK-IPset
SiLK-IPset, version 3.16.0 release 1, was installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Analysis-pipeline
Analysis-pipeline, version 5.6 release 3, was installed in the Fedora 20, 21, 22, 23, 24, 25, and CentOS/RHEL 6 and 7 repositories for all supported architectures.

June 26, 2017

Partclone
Partclone, version 0.3.6 release 2, was installed in the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Testdisk
Testdisk, version 7.0 release 4.1, was installed in the CentOS/RHEL 6 repositories for all supported architectures.

June 23, 2017

LiME
Lime-kernel-modules-el7-{i686,x86_64}, version 1.1.r17 release 32, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el7-{i686,x86_64}, version 1.6 release 32, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

LiME
Lime-kernel-modules-el6-{i686,x86_64}, version 1.1.r17 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Fmem
Fmem-kernel-modules-el6-{i686,x86_64}, version 1.6 release 34, were installed in the Fedora 20, 21, 22, 23, 24, 25, and the CentOS/RHEL 6 and 7 repositories for all supported architectures.

Repository RPMS

This section lists and explains how to enable the supported repositories on one of the supported operating system versions and architectures.

Fedora Support Table

To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.

Once you've installed one of these release repository packages, you can do either of the following:

Install all of the packages provided in the repository with the following. Note, for Fedora 22 through 26, use dnf instead of yum.
yum install CERT-Forensics-Tools
Install only the packages you need. For example, you can install the AFF tools with:
yum install afftools

Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.

This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status. Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.

Fedora Linux Repository Support
Release	X86 RPMS	X86_64 RPMS	Source RPMS	Status
26	Not Supported	View	View	Actively being developed
25	View	View	View	Actively being developed
24	View	View	View	Actively being developed
23	View	View	View	Actively being developed
22	View	View	View	Actively being developed
21	View	View	View	Actively being developed
20	View	View	View	Developoment will end as of 2017-08-15
19	View	View	View	Development has ended as of 2015-12-31
18	View	View	View	Development has ended as of 2015-12-31
17	View	View	View	Development has ended as of 2015-12-31

CentOS/RHEL Support Table

To add the tools repository to your CentOS/RHEL system, follow these steps:

Install and update the Extra Packages for Enterprise Linux (EPEL) repository with the following:
sudo yum -y install epel-release
sudo yum -y update epel-release
If the host is either a CentOS/RHEL 6.7 or 6.8 x86_64, install the centos-release-scl-rh fom the Extras repository. This repository is the Software Collections SIG. Use the following:
sudo yum -y install centos-release-scl-rh
Again as root, install the repository rpm appropriate for your version of CentOS/RHEL. Find the CERT Forensics GPG key here to verify the rpm before installing it. Install them as root with the following, after first selecting the appropriate architecture:

CentOS/RHEL 5 CentOS/RHEL 6 CentOS/RHEL 7
Finally, do either of the following:
- Install all of the packages provided in the repository with:
  sudo yum install CERT-Forensics-Tools
- Install only the packages you need. For example, you can install the AFF tools with:
  sudo yum install afftools
  Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.

CentOS/RHEL Linux Repository Support
Release	X86 RPMS	X86_64 RPMS	Source RPMS	Status
7	Not Supported	View	View	Actively being developed
6	View	View	View	Actively being developed
5	View	View	View	Development has ended as of 2015-12-31

ADIA

The next table shows the ADIA versions currently available.

Presently, ADIA for the i386 and x86_64 architectures for Fedora 17 have been developed and are now available. Both are available for VMware and VirtualBox. This document explains how to install, operate, and maintain ADIA.

ADIA for CentOS 7 x86_64 is in the final stages of development and testing. It is expected to be announced in June, 2017. Watch this space for the announcement.

ADIA - The Appliance for Digital Investigation and Analysis
Fedora Version	Architecture	Virtualization Software	Appliance ISO Image File	SHA256 Checksum	Signature
17	i386	VMware	Link	`e22d633cd0d3504284dcca44dfeb247d5854ab107e2e87fe05f3320fe1de9e94`	Link
17	x86_64	VMware	Link	`24bf04ad4d356da0e14251d2c6c1ff1efb16edd3b512ecc37aa54b7c23c05234`	Link
17	i386	VirtualBox	Link	`e0432e34cca672e39741afee988cde34c9296b5b854bc1cd945422821d716d57`	Link
17	x86_64	VirtualBox	Link	`a9d96f4913afdca2d4dee5ed6440cdf4b8b42ffd887797a257cb30868b2be676`	Link

The ADIA Examiner Login

The examiner account, which is the default and automtically logged into account for ADIA, iscomprised of several packages and a script used to create/reset this account to it's default state. With these packages, changes to ADIA can be reflected in the examiner's desktop.

One such example is the addition of a tool to set of tools available to the analyst. When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of this new tool.

To this end, there is second repository that defines the set of packages used to manage the examiner's desktop environment. The table below lists the examiner desktop release RPMs for the supported architectures. These release RPMs contains references to the CERT-supplied RPMs for the examiner login, Adobe Acrobat, and Webmin. Install the rpm for your version of Fedora to enable access via yum. Find the CERT Forensics GPG key here.