The CERT Linux Forensics Tools Repository - LiFTeR
|
Welcome to the CERT Linux Forensics Tools Repository (LiFTeR), a repository of packages for Linux distributions.
Currently,
Fedora
and
CentOS/RHEL
are provided in the respository.
See here for the Fedora version support table and here for the CentOS/RHEL version support table.
If you are interested in porting the repository to other versions of Linux, please see the Contribute section.
The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners.
If you have suggestions for tools to add to the repository, please see the Contribute section.
The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems.
Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.
Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis.
ADIA is a Fedora-based VMware guest intended to be installed under
VMware
Workstation,
Player, or
Fusion.
It is not a Live CD.
See the ADIA section for more details.
Important items are now shown in red.
Pay attention to them because they are important.
|
|
On April 3, 2020, two years were added to the existing RPM signing key.
You can find this new key with its new expiration date
here.
The fingerprint for this key is:
26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8
No packages need to be resigned since they were signed with the related private key that never expires.
Simply runing either:
sudo dnf update cert-forensics-tools-release
sudo dnf update
for Fedora or CentOS/RHEL 8, or:
sudo yum update cert-forensics-tools-release
sudo yum update
for CentOS/RHEL 6 and 7.
It will suffice to install the key with the new expiration date and then update any other packages that have changed in the repository.
If you have not previously installed the repository, follow the directions here
for Fedora or here for CentOS/RHEL.
As of June 11, 2021 developoment will cease for the following systems:
Repository files will continue to be available but development and improvements will cease as of these dates.
The CERT Linux Forensics Tools Repository
rsync server is available at the following URL for Fedora:
rsync://linux-repository-rsync-server.cert.org/fedora
and the following URL for CentOS:
rsync://linux-repository-rsync-server.cert.org/centos
Much thanks goes to the Software Engineering Institute's Information Technology department for engineering this capacity.
The repository now contains packages that are shared between supported OSes and Architectures.
To reduce the size of the repository, these packages are hard-linked rather than copied.
To reduce the size of your mirror of the repository, make certain to use the -H option to preserve these hard links.
This section lists and explains how to enable the supported repositories on one of the supported operating system versions and architectures.
To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora.
Find the CERT Forensics GPG key here to verify the rpm before installing it.
Once you've installed one of these release repository packages, you can do either of the following:
Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.
This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status.
Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.
To add the tools repository to your CentOS/RHEL 6, 7 or 8 system, follow these steps:
-
Update your system to current for CentOS/RHEL 6 or 7 with the following:
sudo yum -y update
or for CentOS 8 with the following:
sudo dnf -y update
-
Reboot if necessary.
-
Install and update the Extra Packages for Enterprise Linux (EPEL) repository for CentOS/RHEL 6 or 7 with the following:
sudo yum -y install epel-release
sudo yum -y update epel-release
or for CentOS 8 with the following:
sudo dnf -y install epel-release
sudo dnf -y update epel-release
or for RHEL 8 with the following:
sudo dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf -y update epel-release
-
Enable the Software Collections SIG library with the following:
- If the host is a CentOS 6 or 7 x86_64 system, install the centos-release-scl-rh package from the Extras repository.
Use the following:
sudo yum -y install centos-release-scl-rh
- If the host is a RHEL 6 x86_64 system, enable the SCL repository with the following:
sudo subscription-manager repos --enable=rhel-server-rhscl-6Server-rpms-stable
- Finally, do this for RHEL 7 x86_64 system:
sudo subscription-manager repos --enable=rhel-server-rhscl-7Server-rpms-stable
-
If the host is a CentOS 8 system, enable the PowerTools repository with the following:
sudo dnf config-manager --set-enabled PowerTools
-
If the host is a RHEL 8 system, enable the Code Ready Builder repository.
Consult your system documentation for the appropriate name of this repository.
Here is an example:
sudo dnf config-manager --set-enabled codeready-builder
-
Again as root, install the repository rpm appropriate for your version of CentOS/RHEL.
Find the CERT Forensics GPG key here to verify the rpm before installing it.
Install them as root with the following, after first selecting the appropriate architecture:
-
Finally, do either of the following:
- For CentOS/RHEL 6 or 7, do the following:
-
Install all of the packages provided in the repository with:
sudo yum install CERT-Forensics-Tools
-
Install only the packages you need.
For example, you can install the AFF tools with:
sudo yum install afftools
- For CentOS/RHEL 8, do the following:
-
Install all of the packages provided in the repository with:
sudo dnf install CERT-Forensics-Tools
-
Install only the packages you need.
For example, you can install the AFF tools with:
sudo dnf install afftools
Use the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.
The CERT Linux Forensics Tools Repository is not availble for Ubuntu.
However, there are repositories that are available for Ubuntu that contain many of the same tools.
In fact, the LiFTeR maintainers monitor these repositories for new and updated tools and typically install these new and updated tools in LiFTeR.
Here are the repositories with many of the same tools as LiFTeR:
This article documents how to install Fedora 33 in Windows Subsystem for Linux Version 2 (WSL2) for Windows 10.
The author of this page has followed these instructions and successfully installed Fedora 33 in this manner.
Further, and the reason this is noted here, it also works to install the CERT Linux Forensics Tools Repository for Fedora 33 on this Fedora 33/WSL2-based system, including the optional
Trusty Wolf COPR repository.
Finally, if you install an X Windows client on Windows 10, X Windows-based applications will run in that Fedora 33-based system and display on your Windows 10 monitor.
This scheme provides another mechanism for integrating Windows and Linux that may provide significant benefits to the digital artifact analyst.
ADIA is CERT's
Appliance for
Digital
Investigation and
Analysis.
Appliances are provided for VMware and VirtualBox.
Instructions are provided for running ADIA under QEMU.
This version of ADIA has been built with CentOS 7.7.1908.
The design goals for ADIA are the following:
- Provide pre-built tools for installation and use
- Keep tools up-to-date.
- Keep desktop up-to-date.
- Make tools easy to use.
- Help users navigate and use command-line tools correctly and efficiently.
- Resolve and provide all dependencies.
- All LiFTeR tools are installed in ADIA.
- Do the right thing forensically
- The Webmin GUI system administration tool is installed and operational for typical system administration tasks.
The next table shows the ADIA versions currently available, along with their architectures, hypervisors, checksums, and signatures.
This document explains how to install, operate, and maintain ADIA.
| ADIA - The Appliance for Digital Investigation and Analysis |
| Version |
Architecture |
Hypervisor |
Appliance OVA Image File |
SHA256 Checksum |
Signature |
| CentOS 7 |
x86_64 |
VMware |
Link |
8cb73f15cc6b00d30ce492b106dde34d13c0f28c5735e1b747333a8d2e610b22 |
Link |
| CentOS 7 |
x86_64 |
VirtualBox |
Link |
2233c72ff3d1c1ae1c8d884a0fc5b45dc4ab473553193605fac0c0a5ab603201 |
Link |
ADIA has been tested and works on VMware Workstation 15 under Windows 10 Education and VMware Fusion 11 under Mac OS X Mojave (10.14).
We expect that it will work in other configurations but they remain untested.
To install ADIA under VMware, do the following:
- Download the VMware-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
- Start VMware.
- Navigate to the downloaded OVA and select it.
- Used Open with and select VMware Workstation then select Import.
- If you get an Import Failed error message, select
Retry to continue.
- Select the Continue button to continue.
- When the import finishes, select the
Finish button to continue.
- Enable Shared Folders with
Virtual Machine→Settings...→ then select Shared Folders.
- Optionally share a folder to ADIA. On a Windows-based computer system, we recommend C:\Forensics.
- Start the virtual machine.
- Optionally update the hardware version of the newly created virtual machine.
- The virtual machine will boot and automatically login as examiner (with password
forensics).
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the main desktop, enter the following commands:
- Update packages:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop:
sudo manage-examiner-login -S -v
- Restart the system:
sudo reboot
Installing ADIA under VMware requires about 12GB of disk space.
ADIA has been tested and works on VirtualBox 6.1.6 under Windows 10 Education.
We expect that it will work in other configurations but they remain untested.
If you boot ADIA under VirtualBox and you do not see the login window, halt the system and increase the amount of video memory.
Testing indicates that 16MB of video memory is insufficient but a minimum of 32GB does allow ADIA to work correctly.
Note that you will need to also have the VirtualBox Extension Pack installed to run ADIA.
To install ADIA under VirtualBox, do the following:
- Download the VirtualBox-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
- Start VirtualBox.
- Select
File-→Import Appliance....
- Navigate to the downloaded OVA and select it.
- Select
Continue.
- Select
Import.
- To share folders with the host, you may need to specify a different shared folder.
As distributed, ADIA assumes that files are shared with the host at the path C:\Forensics.
If this does not match your system and you wish to use shared folders, you will need to adjust this.
Select
Machine→Settings...→Shared Folders to make this change.
- When the virtual machine has been imported, double click on it to boot it.
- The virtual machine will boot and automatically login as examiner (with password forensics).
- You will have to re-install the VirtualBox Additions in the guest when you update the kernel.
- To enable cut and paste between the host and the guest, follow these directions.
- The virtual machine will boot and automatically login as examiner (with password
forensics).
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the main desktop, enter the following commands:
- Update packages:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop:
sudo manage-examiner-login -S -v
- Restart the system:
sudo reboot
- After the system reboots and logs in as examiner, do the following:
- Update the VirtualBox Guest Additions.
Here is one resource that explains how to do this.
Please note that this update includes a reboot.
Installing ADIA under VirtualBox requires about 12GB of disk space.
ADIA has been tested and works on QEMU under Ubuntu 18.04.
We expect that it will work in other configurations but they remain untested.
To install ADIA under QEMU, do the following:
- Download the VirtualBox-based OVA.
- Optionally check the PGP/GPG Signature and the SHA256 checksum from the table above.
- Rename the downloaded OVA file to ADIA.tar:
mv ADIA-CentOS7-x86-64-2017-12-01-VirtualBox.ova ADIA.tar
- Untar the TAR file:
tar xvf ADIA.tar
- Convert the vmdk file to qcow2 format with the following:
qemu-img convert -f vmdk -O qcow2 ADIA-disk001.vmdk ADIA.qcow2
- You can now remove the unneeded files:
rm ADIA-disk001.vmdk ADIA.ovf ADIA.tar
- Start the Virtual Machine Manager.
- Create a new virtual machine.
- Select Import Existing disk image and select the disk you create above.
- Select linux for the OS type.
- Select CentOS 7 for the version.
- Adjust the memory size and number of CPUs as appropriate.
- Name the virtual machine, ADIA for example.
- Adjust the network as appropriate.
- When the virtual machine has been imported, it automatically boots.
- The virtual machine will boot and automatically login as examiner (with password
forensics).
- Disregard any VirtualBox errors. The VirtualBox additions will be remove shortly and these errors will go away.
- Adjust the screen resolution as appropriate.
- If your network requires a proxy server to update the system, configure that now.
- In the terminal window on the desktop run the following commands:
- Disable VirtualBox services:
sudo systemctl disable vboxadd.service
- Remove VirtualBox Guest Additions with:
sudo /usr/sbin/vbox-uninstall-guest-additions
- Update packages:
sudo yum clean all; sudo yum -y update
- Update the examiner desktop:
sudo manage-examiner-login -S -v
- Install the ACPI daemon:
sudo yum -y acipd
- Restart the system:
sudo reboot
Installing ADIA under QEMU requires about 15GB of disk space
The
examiner account, which is the default and automtically logged into account for ADIA,
consists of several packages and a script that isused to create/reset this account to it's default state.
With these packages, changes to ADIA can be reflected in the examiner's desktop.
One such example is the addition of a tool to set of tools available to the analyst.
When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on
the examiner's desktop.
By updating the packages on ADIA, the documentation also reflects the addition of this new tool.
To this end, there is second repository that defines the set of packages used to manage the examiner's desktop environment.
The table below lists the examiner desktop release RPMs for the supported architectures.
These release RPMs contains references to the CERT-supplied RPMs for the examiner login and Webmin.
Install the rpm for CentOS to enable access via yum.
Find the CERT Forensics GPG key here.
To request support or report bugs, send mail to
Have questions? See the Frequently Asked Questions page.
If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to
Here are the areas where help is most needed:
- Suggestions of packages to add to the repository.
Please provide a URL for the source code.
A pointer to a source RPM would be best.
- Support for other versions of Linux, specifically Ubuntu.