Welcome to the CERT Linux Forensics Tools Repository (LiFTeR), a repository of packages for Linux distributions. Currently, Fedora and Centos/RHEL are provided in the respository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.
The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.
The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.
Also described here is ADIA, the VMware-based Appliance for Digital Investigation and Analysis. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.
Important items are now shown in red. Pay attention to them because they are important.
On April 6, 2018, two years were added to the existing RPM signing key. You can find this new key with its new expiration date here. The fingerprint for this key is:
26A0 829D 5C01 FC51 C304 9037 E97F 3E0A 87E3 60B8
No packages need to be resigned since they were signed with the related private key that never expires. Simply runing either:
sudo dnf update cert-forensics-tools-release sudo dnf update
for Fedora 22 through 28, or
sudo yum update cert-forensics-tools-release sudo yum update
for CentOS/RHEL 6 and 7 will suffice to install the key with the new expiration date and then update any other packages that have changed in the repository.
If you have not previously installed the repository, follow the directions here for Fedora or here for CentOS/RHEL.
As of December 1, 2018, developoment will cease for the following systems:
Repository files will continue to be available but development and improvements will cease as of this date.
The CERT Linux Forensics Tools Repository rsync server is available at the following URL for Fedora
rsync://linux-repository-rsync-server.cert.org/fedora
and the following URL for CentOS
rsync://linux-repository-rsync-server.cert.org/centos
Much thanks goes to the Software Engineering Institute's Information Technology department for engineering this capacity.
The repository now contains packages that are shared between supported OSes and Architectures. To reduce the size of the repository, these packages are hard-linked rather than copied. To reduce the size of your mirror of the repository, make certain to use the -H option to preserve these hard links.
To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.
Once you've installed one of these release repository packages, you can do either of the following:
yum install CERT-Forensics-Tools
yum install afftools
This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status. Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.
To add the tools repository to your CentOS/RHEL system, follow these steps:
sudo yum -y install epel-release sudo yum -y update epel-release
sudo yum -y install centos-release-scl-rh
sudo yum install CERT-Forensics-Tools
sudo yum install afftools
The CERT Linux Forensics Tools Repository is not availble for Ubuntu. However, there are repositories that are available for Ubuntu that contain many of the same tools. In fact, the LiFTeR maintainers monitor these repositories for new and updated tools and typically install these new and updated tools in LiFTeR.
Here are the repositories with many of the same tools as LiFTeR:
ADIA is CERT's Appliance for Digital Investigation and Analysis. Appliances are provided for VMware and VirtualBox. Instructions are provided for running ADIA under QEMU. The design goals for ADIA are the following: Provide pre-built tools for installation and use Keep tools up-to-date. Keep desktop up-to-date. Make tools easy to use. Help users navigate and use command-line tools correctly and efficiently. Resolve and provide all dependencies. All LiFTeR tools are installed in ADIA. Do the right thing forensically Media mounted read-only The Webmin GUI system administration tool is installed and operational for typical system administration tasks.
The design goals for ADIA are the following:
The next table shows the ADIA versions currently available, along with their architectures, hypervisors, checksums, and signatures. This document explains how to install, operate, and maintain ADIA.
ADIA has been tested and works on VMware Workstation 14 under Windows 10 Education and VMware Fusion 10 under Mac OS X High Sierra (10.13). We expect that it will work in other configurations but they remain untested.
To install ADIA under VMware, do the following:
File->Import...
Retry
Finish
Virtual Machine→Settings...→
Shared Folders
forensics
Installing ADIA under VMware requires about 8Gb of disk space.
ADIA has been tested and works on VirtualBox 5.2.8 under Windows 10 Education and under Mac OS X High Sierra (10.13). We expect that it will work in other configurations but they remain untested. Note that you will need to also have the VirtualBox Extension Pack installed to run ADIA.
To install ADIA under VirtualBox, do the following:
File-→Import Appliance...
Continue
Import
Machine→Settings...→Shared Folders
Installing ADIA under VirtualBox requires about 8Gb of disk space.
ADIA has been tested and works on QEMU under Ubuntu 18.04. We expect that it will work in other configurations but they remain untested. Note: You will need an folder with at leat 15Gb of free space for these files. To install ADIA under QEMU, do the following:
To install ADIA under QEMU, do the following:
Installing ADIA under QEMU requires about 8Gb of disk space.
The examiner account, which is the default and automtically logged into account for ADIA, consists of several packages and a script that isused to create/reset this account to it's default state. With these packages, changes to ADIA can be reflected in the examiner's desktop.
One such example is the addition of a tool to set of tools available to the analyst. When this tool is added, documentation for that tool can also be added to the examiner's Tool Documentation folder, a folder which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of this new tool.
To this end, there is second repository that defines the set of packages used to manage the examiner's desktop environment. The table below lists the examiner desktop release RPMs for the supported architectures. These release RPMs contains references to the CERT-supplied RPMs for the examiner login and Webmin. Install the rpm for CentOS to enable access via yum. Find the CERT Forensics GPG key here.
To request support or report bugs, send mail to You need Javascript to be able to see contact details.
Have questions? See the Frequently Asked Questions page.
If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to You need Javascript to be able to see contact details. Here are the areas where help is most needed: