Welcome to the CERT Linux Forensics Tools Repository, a repository of packages for Linux distributions. Currently, Fedora and Centos/RHEL are provided in the respository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.
The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.
The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.
Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.
Important items are now shown in red. Pay attention to them because they are important.
On February 19, 2016, a new RPM signing key was created to replace the previous key which expired on February 22, 2016.
You can find this new key here.
The fingerprint for this key is:
26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8
All packages for Fedora 20, 21, 22, 23, and CentOS/RHEL 6 and 7 were resigned with this new key.
If you have previously installed the repository, you need to do the following as root for Fedora 22 and 23:
dnf update cert-forensics-tools-release
or the following for Fedora 20 and 21 and CentOS/RHEL 6 and 7:
yum update cert-forensics-tools-release
Answer yes to installing the new key with the fingerprint as noted above and an expiration date of 2018-04-07. Once you have done this, subsequent updates should proceed as usual.
As of December 31, 2015, developoment will cease for the following systems:
Repository files will continue to be available but development and improvements will cease as of this date.
The CERT Linux Forensics Tools Repository rsync server is available at the following URL for Fedora
and the following URL for CentOS
Much thanks goes to the Software Engineering Institute's Information Technology department for engineering this capacity.
The repository now contains packages that are shared between supported OSes and Architectures. To reduce the size of the repository, these packages are hard-linked rather than copied. To reduce the size of your mirror of the repository, make certain to use the -H option to preserve these hard links.
September 23, 2016
September 11, 2016
Fmem-kernel-modules-common, version 1.6 release 1.3, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.
August 26, 2016
AnalyzeMFT, version 2.0.19 release 1, was installed in the Fedora 20, 21, 22, 23, 24, and CentOS/RHEL 6 and 7 repositories for all supported architectures.
August 22, 2016
To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.
|Fedora 24||Fedora 23||Fedora 22||Fedora 21|
|Fedora 20||Fedora 19||Fedora 18||Fedora 17|
|Fedora 16||Fedora 15||Fedora 14||Fedora 13|
|Fedora 12||Fedora 11||Fedora 10||Fedora 9||Fedora 8|
Once you've installed one of these release repository packages, you can do either of the following:
yum install CERT-Forensics-Tools
yum install afftools
This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status.
Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.
|Fedora Linux Repository Support|
|Release||X86 RPMS||X86_64 RPMS||Source RPMS||Status|
|24||View||View||View||Actively being developed|
|23||View||View||View||Actively being developed|
|22||View||View||View||Actively being developed|
|21||View||View||View||Actively being developed|
|20||View||View||View||Actively being developed|
|19||View||View||View||Development has ended as of 2015-12-31|
|18||View||View||View||Development has ended as of 2015-12-31|
|17||View||View||View||Development has ended as of 2015-12-31|
|16||View||View||View||Development has ended as of 2014-01-16|
|15||View||View||View||Development has ended as of 2013-06-27|
|14||View||View||View||Development has ended as of 2013-02-05|
|13||View||View||View||Development has ended as of 2012-05-31|
|12||View||View||View||Development has ended as of 2011-11-08|
|11||View||Not Supported||View||Development has ended as of 2011-06-30|
|10||View||Not Supported||View||Development has ended as of 2010-11-01|
|9||View||Not Supported||View||Development has ended as of 2010-06-30|
|8||View||Not Supported||List||Development has ended as of 2010-06-30|
To add the tools repository to your CentOS/RHEL system, follow these steps:
sudo yum -y install epel-release
sudo yum -y update epel-release
sudo yum -y install centos-release-scl-rh
sudo yum install CERT-Forensics-Tools
sudo yum install afftoolsUse the table below to list the contents of the folders to see which packages are available for the supported systems and architectures.
|CentOS/RHEL Linux Repository Support|
|Release||X86 RPMS||X86_64 RPMS||Source RPMS||Status|
|7||Not Supported||View||View||Actively being developed|
|6||View||View||View||Actively being developed|
|5||View||View||View||Development has ended as of 2015-12-31|
The next table shows the ADIA versions currently available.
Presently, ADIA for the i386 and x86_64 architectures for Fedora 17 have been developed and are now available. Both are available for VMware and VirtualBox. This document explains how to install, operate, and maintain ADIA.
ADIA for CentOS 7 x86_64 is in the final stages of development and testing. It is expected to be announced in October, 2016. Watch this space for the announcement.
|ADIA - The Appliance for Digital Investigation and Analysis|
|Fedora Version||Architecture||Virtualization Software||Appliance ISO Image File||SHA256 Checksum||Signature|
The examiner account, which is the default and automtically logged into account for ADIA, iscomprised of several packages and a script used to create/reset this account to it's default state. With these packages, changes to ADIA can be reflected in the examiner's desktop.
One such example is the addition of a tool to set of tools available to the analyst. When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of this new tool.
To this end, there is second repository that defines the set of packages used to manage the examiner's desktop environment.
The table below lists the examiner desktop release RPMs for the supported architectures.
These release RPMs contains references to the CERT-supplied RPMs for the examiner login,
Install the rpm for your version of Fedora to enable access via yum.
Find the CERT Forensics GPG key here.
To request support or report bugs, send mail to
Have questions? See the Frequently Asked Questions page.
If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to Here are the areas where help is most needed: