As of May 31, 2023, maintenance of this repository has resumed.
Maintenance will continue at least through the end of calendar year 2023.
Thanks for your patience, encouragement, and support of LIFTeR!
LIFTeR
The CERT Linux Incident Response and Forensics Tools Repository
Welcome to the CERT Linux Incident Response and Forensics Tools Repository (LIFTeR), a repository of packages for Linux distributions.
Currently, we provide tools for Fedora, CentOS/RHEL, and Amazon Linux 2 in this repository.
Use the following links to jump to the support tables for Fedora, CentOS/RHEL, and Amazon Linux 2.
If you are interested in porting LIFTeR to other versions of Linux, please see the Contribute section.
LIFTeR provides many useful packages for acquiring and analyzing digital assets.
If you have suggestions for tools to add to LIFTeR, please see the Contribute section.
LIFTeR is not a standalone repository, but rather it is an extension of the supported systems.
You can install tools as needed or all at once using the CERT-Forensics-Tools meta package.
Also described on this page is ADIA, the Appliance for Digital Investigation and Analysis.
ADIA is a CentOS 7-based virtual appliance, distributed as an OVA for VMware (Workstation, Player, or Fusion) and for VirtualBox; it can also be run under QEMU.
It is not a Live CD.
See the ADIA section for more details.
On Friday, March 25, 2022, a new RPM Signing Key was created.
The new key works correctly with CentOS 9 whereas the previous key did not.
You can find this new key with its new expiration date
here.
The following is the fingerprint for this key:
BFB0 6016 F0BB C076 AE53 49F2 21AA 2DED 0E4C 8CFF
For Fedora or CentOS/RHEL 8 or 9, run the following to update the key and tools:
sudo dnf update cert-forensics-tools-release
sudo dnf update
For CentOS/RHEL 7 or Amazon Linux 2 run the following to update the key and tools:
sudo yum update cert-forensics-tools-release
sudo yum update
If you have not previously installed the repository, follow the directions for Fedora, CentOS/RHEL, or Amazon Linux 2.
As of October 1, 2022, development ceased for the following systems:
As of June 1, 2023, development ceased for the following systems:
LIFTeR files for these systems remain available, but development and improvements have ceased.
As of Wednesday, December 14, 2022, LIFTeR is no longer available to mirror via RSYNC.
If you wish to mirror LIFTeR, please mirror via https.
If you have any questions about this change or issues related to it, please use the Support and bug-reports link.
This section lists and explains how to enable each of the supported operating system versions and architectures.
To add the tools repository on your Fedora system, install the repository RPM for your version of Fedora.
Use the CERT Forensics GPG key to verify the RPM before installing it.
If you are new to LIFTeR, you must first import the old key on your system with the following:
sudo rpm --import https://www.cert.org/forensics/repository/forensics-expires-2022-04-03.asc
Once you've installed one of these release repository packages, you can do either of the following:
Use the Fedora Linux Repository RPMS table below to list the contents of the folders to see which packages are available for the supported systems and architectures.
This table lists the Fedora versions and architectures for which packages are provided in the repository, and their support status.
Support for new versions of Fedora is intended to be provided within two weeks of the final release of that version.
Entries labeled Latest are the latest RPMs for a release and architecture.
You can also list RPMs by first letter and by group.
Entries labeled All list all RPMs in that category, including their version and release, build date, URL for the package,
and a brief summary of the package.
CentOS 8 reached End Of Life on December 31, 2021.
Use these instructions to upgrade a CentOS 8 system to CentOS 8 Stream.
To add the tools repository to your CentOS/RHEL 7, 8 Stream, or 9 Stream system, follow these steps:
- Update your system to be current for CentOS/RHEL 7 with the following:
sudo yum -y update
Or update to be current for CentOS 8 Stream or CentOS 9 Stream with the following:
sudo dnf -y update
- Reboot if necessary.
- Install and update the Extra Packages for Enterprise Linux (EPEL) repository with the following:
- CentOS/RHEL 7
sudo yum -y install epel-release
sudo yum -y update epel-release
- CentOS 8 Stream
sudo dnf -y install epel-release
sudo dnf -y update epel-release
- RHEL 8
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf -y update epel-release
- CentOS 9 Stream
sudo dnf -y install epel-release epel-next-release
sudo dnf -y update
- Enable the Software Collections SIG library with the following:
- If the host is a CentOS 7 x86_64 system, install the centos-release-scl-rh package from the Extras repository.
Use the following:
sudo yum -y install centos-release-scl-rh
- Use the following for a RHEL 7 x86_64 system:
sudo subscription-manager repos --enable=rhel-server-rhscl-7Server-rpms-stable
- If the host is a CentOS 8 Stream system, enable the PowerTools repository with the following
(note: on Rocky Linux 8 and AlmaLinux 8 this repository is named powertools, in lower case):
sudo dnf config-manager --set-enabled PowerTools
- If the host is a RHEL 8 system, enable the Code Ready Builder repository.
Consult your system documentation for the appropriate name of this repository.
The following are some examples of commands to run depending on your system:
sudo dnf config-manager --set-enabled codeready-builder
sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
- If the host is a CentOS 9 Stream system, enable all needed repositories with the following:
sudo dnf config-manager --set-enabled appstream baseos epel epel-next extras-common crb
(The repository ids in that command are CentOS Stream 9's. On a subscription-managed RHEL 9 host, enable the equivalent CRB repository with: sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms)
- If you are new to LIFTeR, you must first import the old key on your system with the following:
sudo rpm --import https://www.cert.org/forensics/repository/forensics-expires-2022-04-03.asc
- As root, install the repository RPM appropriate for your version of CentOS/RHEL.
Use the CERT Forensics GPG key to verify the RPM before installing it.
Select the appropriate architecture and then install the repository RPM as root with the following:
- Python virtual environments are used by many tools in LIFTeR, so make certain that
pip is properly configured to use any proxy server, if needed.
Adjust /etc/pip.conf as needed.
- Finally, do either of the following:
- For CentOS/RHEL 7, follow this procedure:
- Install all of the packages provided in the repository with the following:
sudo yum install CERT-Forensics-Tools
- Install only the packages you need.
For example, you can install the AFF tools with the following:
sudo yum install afftools
- For CentOS/RHEL 8 or CentOS 9 Stream, follow this procedure:
- Install all of the packages provided in the repository with the following:
sudo dnf install CERT-Forensics-Tools
- Install only the packages you need.
For example, you can install the AFF tools with the following:
sudo dnf install afftools
Use the CentOS/RHEL Linux Repository RPMS table below to list the contents of the folders and see which packages are available for the supported systems and architectures.
To add the tools repository to your Amazon Linux 2 system, follow these steps:
- Update your system to be current for Amazon Linux 2 with the following:
sudo yum -y update
- Reboot if necessary.
- Install and update the Extra Packages for Enterprise Linux (EPEL) repository for Amazon Linux 2 with the following
(replace proxy-if-necessary with your proxy URL, or drop the env prefix if no proxy is needed):
sudo env http{,s}_proxy=proxy-if-necessary amazon-linux-extras install epel -y
- Enable the Software Collections SIG library by doing the following:
- Add the repository definition file with the following:
sudo yum-config-manager --add-repo http://mirror.centos.org/centos/7/sclo/x86_64/rh
- Import the PGP key with the following:
sudo env http{,s}_proxy=proxy-if-necessary rpm --import https://www.centos.org/keys/RPM-GPG-KEY-CentOS-SIG-SCLo
- If you are new to LIFTeR, you must first import the old key on your system with the following:
sudo rpm --import https://www.cert.org/forensics/repository/forensics-expires-2022-04-03.asc
- As root, install the repository RPM.
Use the CERT Forensics GPG key to verify the RPM before installing it.
Install it as root with the following:
- Finally, do either of the following:
- Install all packages provided in the repository with the following:
sudo yum install CERT-Forensics-Tools
- Install only the packages you need.
For example, you can install the AFF tools with the following:
sudo yum install afftools
Use the Amazon Linux Repository RPMS table below to list the contents of the folders and see which packages are available for the supported systems and architectures.
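The Fedora, CentOS/RHEL and Amazon Linux 2 procedures above each say to verify the release RPM with the CERT Forensics GPG key but do not show the check. The shell script below is an added example written for this page, not code from LIFTeR: it confirms the key file's fingerprint against the one published on this page, imports the key, and then requires that rpm reports a verified signature made by that specific key before the RPM is installed. Assumptions not stated on the page: the key file and RPM have already been downloaded into the working directory, the file names passed on the command line are placeholders, and gpg 2.1 or later is in use (on CentOS 7's gpg 2.0, drop the --show-keys option).

```shell
#!/bin/sh
# Added example (not from the LIFTeR page): check the CERT Forensics signing
# key and a downloaded cert-forensics-tools-release RPM before "rpm --import"
# and installation. Assumptions: key file and RPM are in the working
# directory (names are placeholders); gpg 2.1+ for --show-keys.

# Fingerprint of the key created March 25, 2022, as printed on the page.
EXPECTED_FPR="BFB0 6016 F0BB C076 AE53 49F2 21AA 2DED 0E4C 8CFF"

# Normalise a fingerprint (drop whitespace, upper-case) so any gpg version's
# rendering compares equal to the published string.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# Succeeds when $1 and $2 are the same fingerprint.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Last 8 hex digits, lower-case: the short "key ID" rpm prints in -Kv output
# and uses in the gpg-pubkey-<keyid>-<date> pseudo-package after --import.
key_id_from_fpr() { norm_fpr "$1" | tail -c 8 | tr 'A-F' 'a-f'; }

# Judge one "rpm -K" summary line. An UNSIGNED package also prints "... OK"
# (digests only), so a bare grep for OK would accept it; require the signature
# keyword: "signatures OK" (rpm >= 4.14) or "pgp md5 OK" (CentOS 7's rpm 4.11).
rpm_k_line_ok() {
  case "$1" in
    *"NOT OK"*)                                        return 1 ;;
    *"signatures OK"*|*"pgp md5 OK"*|*"gpg md5 OK"*)   return 0 ;;
    *)                                                 return 1 ;;
  esac
}

# Succeeds when "rpm -Kv" output $1 has a signature line verified against key
# ID $2 (lower-case): signed by THAT key, not merely by some key rpm trusts.
rpm_kv_signed_by() {
  printf '%s\n' "$1" | grep -qi "Signature, key ID $2: OK"
}

verify_and_install_release_rpm() {   # $1 = key .asc file, $2 = release .rpm
  fpr=$(gpg --with-colons --with-fingerprint --show-keys "$1" 2>/dev/null \
        | awk -F: '$1=="fpr" {print $10; exit}')
  fpr_matches "$fpr" "$EXPECTED_FPR" \
    || { echo "key fingerprint mismatch: $fpr" >&2; return 1; }
  sudo rpm --import "$1"
  rpm_k_line_ok "$(rpm -K "$2")" \
    || { echo "signature check failed for $2" >&2; return 1; }
  rpm_kv_signed_by "$(rpm -Kv "$2")" "$(key_id_from_fpr "$EXPECTED_FPR")" \
    || { echo "$2 is not signed by key $(key_id_from_fpr "$EXPECTED_FPR")" >&2; return 1; }
  sudo rpm -Uvh "$2"
}

# Usage: sh verify-release.sh forensics-key.asc cert-forensics-tools-release.rpm
if [ "$#" -eq 2 ]; then verify_and_install_release_rpm "$1" "$2"; fi
```

Two points the functions encode: rpm -K prints OK for an unsigned package as well (digests only), so the script looks for the signature keyword rather than a bare OK; and a signature by any imported key satisfies rpm -K, so rpm -Kv is additionally checked for the expected key ID. The page publishes only the fingerprint of the key created on March 25, 2022; if the release RPM you downloaded was signed with the older key that new users are told to import first, obtain that key's fingerprint through a second channel and substitute it for EXPECTED_FPR.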
LIFTeR is not available for Ubuntu.
However, there are repositories that are available for Ubuntu that contain many of the same tools.
In fact, the LIFTeR maintainers monitor these repositories for new and updated tools and typically install them in LIFTeR.
The following repositories have many of the same tools as LIFTeR:
Jim Perrin's article entitled
Using Fedora 33 with Microsoft's WSL2 describes how to install Fedora 33 in the Windows Subsystem for Linux Version 2 (WSL2) for Windows 10.
We have followed these instructions and successfully installed Fedora 33.
These instructions also work to install LIFTeR for Fedora 33 on this Fedora 33/WSL2-based system, including the optional
Trusty Wolf COPR repository.
Finally, if you install an X server on Windows 10, X-based applications running in that Fedora 33 system can display
on your Windows 10 desktop.
This scheme provides another mechanism for integrating Windows and Linux that may offer significant benefits when analyzing digital artifacts.
ADIA is CERT's Appliance for Digital Investigation and Analysis.
Appliances are provided for VMware and VirtualBox.
Instructions are also provided for running ADIA under QEMU.
This version of ADIA was built with CentOS 7.7.1908.
The following are the design goals for ADIA:
- Provide pre-built tools for installation and use.
- Keep tools up-to-date.
- Keep desktop up-to-date.
- Make tools easy to use.
- Help users navigate and use command-line tools correctly and efficiently.
- Resolve and provide all dependencies.
- Install all LIFTeR tools in ADIA.
- Do the right thing forensically.
- The Webmin GUI system administration tool is installed and operational for typical system administration tasks.
The ADIA table below lists the current ADIA versions available, along with their architectures, hypervisors, checksums, and signatures.
This document explains how to install, operate, and maintain ADIA.
ADIA - The Appliance for Digital Investigation and Analysis
Version | Architecture | Hypervisor | Appliance OVA Image File | SHA256 Checksum | Signature
CentOS 7 | x86_64 | VMware | Link | f6f647d5a7d17aa985f6880284be7b9706bef6e616306fb54d0285ad372c532d | Link
CentOS 7 | x86_64 | VirtualBox | Link | 47dbad6cbabda1b167f246bea462e441b82b0fd77ddbbc4b332dd1f5b42fbbd9 | Link
ADIA has been tested and works on VMware Workstation 16 under Windows 10 Education and VMware Fusion 12 under macOS Monterey (12.3).
We expect that it will work in other configurations, but they remain untested.
Installing ADIA under VMware requires about 12 GB of disk space.
To install ADIA under VMware, follow this procedure:
- Download the VMware-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
- Start VMware.
- Navigate to the downloaded OVA and select it.
- Use Open with, select VMware Workstation, then select Import.
- If you get an Import Failed error message, select Retry to continue.
- Select the Continue button to continue.
- When the import finishes, select the Finish button to continue.
- Enable Shared Folders with Virtual Machine→Settings...→Shared Folders.
- Optionally share a folder to ADIA. On a Windows-based computer system, we recommend C:\Forensics.
- Start the virtual machine.
Optionally update the hardware version of the newly created virtual machine.
- The virtual machine will boot and automatically log in as examiner (with password forensics).
Because examiner is logged in automatically with a published password, change it with passwd before attaching ADIA to any network other than a host-only one (this applies to the VirtualBox and QEMU procedures as well).
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the main desktop, enter the following commands:
- Update packages:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop:
sudo manage-examiner-login -S -v
- Restart the system:
sudo reboot
ADIA has been tested and works on VirtualBox 6.1.6 under Windows 10 Education.
We expect that it will work in other configurations but they remain untested.
If you boot ADIA under VirtualBox and you do not see the login window, halt the system and increase the amount of video memory.
Testing indicates that 16 MB of video memory is insufficient, but 32 MB or more does allow ADIA to work correctly.
The VirtualBox Extension Pack must also be installed to run ADIA.
To install ADIA under VirtualBox, follow this procedure:
- Download the VirtualBox-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the ADIA table above.
- Start VirtualBox.
- Select File→Import Appliance....
- Navigate to the downloaded OVA and select it.
- Select Continue.
- Select Import.
- To share folders with the host, you may need to specify a different shared folder.
As distributed, ADIA assumes that files are shared with the host at the path C:\Forensics.
If this folder does not exist on your system and you wish to use shared folders, change it under Machine→Settings...→Shared Folders.
- Once the virtual machine has been imported, double click on it to boot it.
- The virtual machine will boot and automatically log in as examiner (with the password forensics).
- Reinstall the VirtualBox Guest Additions in the guest whenever you update the kernel.
- To enable cut and paste between the host and the guest, follow these instructions.
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the main desktop, enter the following commands:
- Update packages:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop:
sudo manage-examiner-login -S -v
- Restart the system:
sudo reboot
- After the system reboots and logs in as examiner, do the following:
- Update the VirtualBox Guest Additions.
The Itek blog post entitled
CentOS 7 VirtualBox Guest Additionals Installations explains how to do this.
(This update includes a reboot.)
Installing ADIA under QEMU requires about 15 GB of disk space.
ADIA has been tested and works on QEMU under Ubuntu 18.04.
We expect that it will work in other configurations but they remain untested.
To install ADIA under QEMU, follow this procedure:
- Download the VirtualBox-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the ADIA table above.
- Rename the downloaded OVA file to ADIA.tar (an OVA is a tar archive) with:
mv ADIA-CentOS7-x86-64-2017-12-01-VirtualBox.ova ADIA.tar
- Untar the TAR file with:
tar xvf ADIA.tar
- Convert the vmdk file to qcow2 format with:
qemu-img convert -f vmdk -O qcow2 ADIA-disk001.vmdk ADIA.qcow2
- You can now remove the unneeded files:
rm ADIA-disk001.vmdk ADIA.ovf ADIA.tar
- Start the Virtual Machine Manager.
- Create a new virtual machine.
- Select Import existing disk image and select the disk you created above.
- Select Linux for the OS type.
- Select CentOS 7 for the version.
- Adjust the memory size and number of CPUs as appropriate.
- Name the virtual machine, ADIA for example.
- Adjust the network as appropriate.
- Once the virtual machine has been imported, it automatically boots.
- The virtual machine will boot and automatically log in as examiner (with password forensics).
- Disregard any VirtualBox errors. The VirtualBox Guest Additions will be removed shortly and these errors will go away.
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the desktop run the following commands:
- Disable VirtualBox services with:
sudo systemctl disable vboxadd.service
- Remove VirtualBox Guest Additions with:
sudo /usr/sbin/vbox-uninstall-guest-additions
- Update packages with:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop with:
sudo manage-examiner-login -S -v
- Install the ACPI daemon with:
sudo yum -y install acpid
- Restart the system with:
sudo reboot
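Each of the three ADIA procedures above (VMware, VirtualBox, QEMU) has an optional step to check the OVA's PGP/GPG signature and SHA256 checksum against the ADIA table, without saying how. The shell script below is an added example written for this page, not code from CERT or ADIA: it hashes the downloaded OVA and compares the result with the checksum copied from the table, then verifies the detached signature and insists that the signing key's full fingerprint is the expected one. Assumptions not stated on the page: the signature is a detached ASCII-armored file named <ova>.asc beside the OVA, it is made with the CERT Forensics key whose fingerprint appears earlier on this page, and that key has already been imported into the gpg keyring of the user running the check.

```shell
#!/bin/sh
# Added example (not from the LIFTeR/ADIA page): verify a downloaded ADIA OVA
# against the SHA256 checksum from the ADIA table and against its detached
# GPG signature before importing it into a hypervisor.
# Assumptions: signature file is "<ova>.asc"; signer is the CERT Forensics
# key whose fingerprint the page publishes; that key is already in the keyring.

# Checksums copied from the ADIA table on the page.
ADIA_SHA256_VMWARE=f6f647d5a7d17aa985f6880284be7b9706bef6e616306fb54d0285ad372c532d
ADIA_SHA256_VBOX=47dbad6cbabda1b167f246bea462e441b82b0fd77ddbbc4b332dd1f5b42fbbd9
# Fingerprint of the CERT Forensics key, from the signing-key notice on the page.
SIGNER_FPR="BFB0 6016 F0BB C076 AE53 49F2 21AA 2DED 0E4C 8CFF"

# Hex SHA-256 of file $1, using GNU sha256sum or, failing that, shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeeds when file $1 hashes to $2 (hex compared case-insensitively).
sha256_matches() {
  [ "$(file_sha256 "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Print the fingerprint from the VALIDSIG line of "gpg --status-fd 1 --verify"
# output $1, or nothing if no valid signature was reported. GOODSIG carries
# only a 64-bit key ID, so it is ignored in favour of VALIDSIG's full fingerprint.
validsig_fpr() {
  printf '%s\n' "$1" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG" {print $3; exit}'
}

# Succeeds when status output $1 shows a valid signature by the key with
# fingerprint $2 (spaces ignored). VALIDSIG's third field is the signing
# (sub)key fingerprint and its last field the primary key fingerprint, so a
# signature made by a subkey of the expected key is accepted too.
signed_by() {
  want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
  printf '%s\n' "$1" | awk -v want="$want" '
    $1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) {found=1}
    END {exit found ? 0 : 1}'
}

verify_adia_ova() {   # $1 = OVA file, $2 = expected sha256 from the table
  sha256_matches "$1" "$2" \
    || { echo "checksum mismatch for $1" >&2; return 1; }
  status=$(gpg --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null)
  signed_by "$status" "$SIGNER_FPR" \
    || { echo "signature on $1 is not valid or not from the expected key" >&2; return 1; }
  echo "$1: checksum and signature OK"
}

# Usage: sh verify-adia.sh <ova file> $ADIA_SHA256_VMWARE   (or $ADIA_SHA256_VBOX)
if [ "$#" -eq 2 ]; then verify_adia_ova "$1" "$2"; fi
```

The checksum column is served from the same site as the OVA, so a matching hash shows only that the download is intact; authenticity comes from the signature, and only if the fingerprint of the verifying key was confirmed from somewhere other than the download site. The script compares VALIDSIG's 40-digit fingerprint rather than GOODSIG's short key ID because short IDs are cheap to collide.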
The examiner account, which is ADIA's default and automatically logged-in account,
is defined by several packages and a script that creates or resets this account to its default state.
Using these packages, changes to ADIA can be reflected in the examiner's desktop.
An example of such a change is adding a tool to the set of tools available to the analyst.
When a tool is added, the documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder that appears by default on
the examiner's desktop.
By updating the packages on ADIA, the documentation also reflects the addition of the new tool.
To this end, there is a second repository that defines the set of packages used to manage the examiner's desktop environment.
The table below lists the examiner desktop release RPMs for the supported architectures.
These release RPMs contain references to the CERT-supplied RPMs for the examiner login and Webmin.
Install the RPM for CentOS to enable access via yum.
Use the CERT Forensics GPG key to verify it.
To request support or report bugs, send mail to
Have questions? See the Frequently Asked Questions page.
If you'd like to contribute, update, or help maintain a package in LIFTeR, please send mail to
The following areas need the most help:
- Suggestions of packages to add to LIFTeR.
Please provide a URL for the source code; a pointer to a source RPM would be best.
- Support for other versions of Linux, specifically Ubuntu.