Linux Forensics Tools Repository - LiFTeR

Welcome

Welcome to the CERT Linux Forensics Tools Repository (LiFTeR), a repository of packages for Linux distributions. Currently, Fedora and Centos/RHEL are provided in the respository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.

The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.

The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.

Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.

NOTICE - IMPORTANT Items Shown In Red

Important items are now shown in red. Pay attention to them because they are important.

Contents

NOTICE - New RPM Signing Key - April, 2018

On April 6, 2018, two years were added to the existing RPM signing key. You can find this new key with its new expiration date here. The fingerprint for this key is:

26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8

No packages need to be resigned since they were signed with the related private key that never expires. Simply runing either:

sudo dnf update cert-forensics-tools-release
sudo dnf update

for Fedora 22 through 27, or

sudo yum update cert-forensics-tools-release
sudo yum update

for CentOS/RHEL 6 and 7 will suffice to install the key with the new expiration date and then update any other packages that have changed in the repository.

If you have not previously installed the repository, follow the directions here for Fedora or here for CentOS/RHEL.

End of Life Announcements

As of May 31, 2018, developoment will cease for the following systems:

  • Fedora 22

Repository files will continue to be available but development and improvements will cease as of this date.

Repository RSYNC Server

The CERT Linux Forensics Tools Repository rsync server is available at the following URL for Fedora

rsync://linux-repository-rsync-server.cert.org/fedora

and the following URL for CentOS

rsync://linux-repository-rsync-server.cert.org/centos

Much thanks goes to the Software Engineering Institute's Information Technology department for engineering this capacity.

The repository now contains packages that are shared between supported OSes and Architectures. To reduce the size of the repository, these packages are hard-linked rather than copied. To reduce the size of your mirror of the repository, make certain to use the -H option to preserve these hard links.

Repository RPMS

This section lists and explains how to enable the supported repositories on one of the supported operating system versions and architectures.

Fedora Support Table

To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.

Once you've installed one of these release repository packages, you can do either of the following:

  • Install all of the packages provided in the repository with the following. Note, for Fedora 22 through 27, use dnf instead of yum.
    yum install CERT-Forensics-Tools
  • Install only the packages you need. For example, you can install the AFF tools with:
    yum install afftools
Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.

This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status. Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.

Fedora Linux Repository Support
Release X86 RPMS X86_64 RPMS Source RPMS Status
27 View View View Actively being developed
26 View View View Actively being developed
25 View View View Actively being developed
24 View View View Actively being developed
23 View View View Actively being developed
22 View View View Development will end on 2018-05-31
21 View View View Development has ended as of 2017-12-01
20 View View View Development has ended as of 2017-08-15
19 View View View Development has ended as of 2015-12-31
18 View View View Development has ended as of 2015-12-31
17 View View View Development has ended as of 2015-12-31

CentOS/RHEL Support Table

To add the tools repository to your CentOS/RHEL system, follow these steps:

  1. Install and update the Extra Packages for Enterprise Linux (EPEL) repository with the following:
    sudo yum -y install epel-release
    sudo yum -y update epel-release
  2. If the host is either a CentOS/RHEL 6.7 or 6.8 x86_64, install the centos-release-scl-rh fom the Extras repository. This repository is the Software Collections SIG. Use the following:
    sudo yum -y install centos-release-scl-rh
  3. Again as root, install the repository rpm appropriate for your version of CentOS/RHEL. Find the CERT Forensics GPG key here to verify the rpm before installing it. Install them as root with the following, after first selecting the appropriate architecture:


  4. Finally, do either of the following:

    • Install all of the packages provided in the repository with:
      sudo yum install CERT-Forensics-Tools
    • Install only the packages you need. For example, you can install the AFF tools with:
      sudo yum install afftools
      Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.


CentOS/RHEL Linux Repository Support
Release X86 RPMS X86_64 RPMS Source RPMS Status
7 Not Supported View View Actively being developed
6 View View View Actively being developed
5 View View View Development has ended as of 2015-12-31

ADIA

The next table shows the ADIA versions currently available, along with their architectures, hypervisors, checksums, and signatures. This document explains how to install, operate, and maintain ADIA.

ADIA - The Appliance for Digital Investigation and Analysis
Version Architecture Hypervisor Appliance OVA Image File SHA256 Checksum Signature
CentOS 7 x86_64 VMware Link 0c903a1c346332f8d2a5a28d528c98a2f8cba34bab72010f93cc24fe2f5ae9f6 Link
CentOS 7 x86_64 VirtualBox Link 52f428fea4e9b59445e5dd597931a5d9d11a50939484c460e630d967518e77bb Link

Installation - VMware

ADIA has been tested and works on VMware Workstation 14 under Windows 10 Education and VMware Fusion 10 under Mac OS X High Sierra (10.13). We expect that it will work in other configurations but they remain untested.

To install ADIA under VMware, do the following:

  1. Download the VMware-based OVA
  2. Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
  3. Start VMware.
  4. Select File->Import....
  5. Navigate to the downloaded OVA and select it.
  6. Import the virtual machine.
  7. If you get an Import Failed error message, select Retry to continue.
  8. Select the Continue button to continue.
  9. When the import finishes, select the Finish button to continue.
  10. Enable Shared Folders with Virtual Machine->Settings...-> then select Shared Folders.
  11. Optionally share a folder to ADIA. On a Windows-based computer system, we recommend C:\Forensics.
  12. Start the virtual machine.
  13. Optionally update the hardware version of the newly created virtual machine.
  14. The virtual machine will boot and automatically login as examiner (with password forensics).
  15. This version of ADIA uses the the MATE Desktop Environment.

Installing ADIA under VMware requires about 8Gb of disk space.

Installation - Virtual Box

ADIA has been tested and works on Virtual Box 5.2.8 under Windows 10 Education and under Mac OS X High Sierra (10.13). We expect that it will work in other configurations but they remain untested. Note that you will need to also have the Virtual Box Extension Pack installed to run ADIA.

To install ADIA under Virtual Box, do the following:

  1. Download the Virtual Box-based OVA
  2. Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
  3. Start Virtual Box.
  4. Select File->Import Appliance....
  5. Navigate to the downloaded OVA and select it.
  6. Select Continue.
  7. Select Import.
  8. To share folders with the host, you may need to specify a different shared folder. As distributed, ADIA assumes that files are shared with the host at the path C:\Forensics. If this does not match your system and you wish to use shared folders, you will need to adjust this. Select Machine->Settings...->Shared Folders to make this change.
  9. When the virtual machine has been imported, double click on it to boot it.
  10. The virtual machine will boot and automatically login as examiner (with password forensics).
  11. This version of ADIA uses the the MATE Desktop Environment.
  12. You will have to re-install the Virtual Box Additions in the guest when you update the kernel.
  13. To enable cut and paste between the host and the guest, following these directions.

Installing ADIA under Virtual Box requires about 8Gb of disk space.

The ADIA Examiner Login

The examiner account, which is the default and automtically logged into account for ADIA, consists of several packages and a script that isused to create/reset this account to it's default state. With these packages, changes to ADIA can be reflected in the examiner's desktop.

One such example is the addition of a tool to set of tools available to the analyst. When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of this new tool.

To this end, there is second repository that defines the set of packages used to manage the examiner's desktop environment. The table below lists the examiner desktop release RPMs for the supported architectures. These release RPMs contains references to the CERT-supplied RPMs for the examiner login and Webmin. Install the rpm for CentOS to enable access via yum. Find the CERT Forensics GPG key here.

Support and bug-reports

To request support or report bugs, send mail to

Frequently Asked Questions

Have questions? See the Frequently Asked Questions page.

Want to contribute?

If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to Here are the areas where help is most needed: