Linux Forensics Tools Repository

Linux Forensics Tools Repository: Announcements

April 20, 2018: The following changes have been made:

libfwsi{,-devel,-python,-python3}-20180408-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20180408-1.el6.{i686,x86_64}.rpm- Libfwsi is a library to access the Windows Shell Item format. Here are the changes:
- Improved Python bindings
- Fixed issues in m4/libclocale.m4
- Made changes to setup.py for sdist
- Applied updates
- Worked on tests
- Made changes to URI and URI sub shell items
xlsxwriter-1.0.4-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.2-1.el7.x86_64.rpm - XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format. XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more. See here for a list of the changes since the last version (1.0.2).
pfring-7.0.0-1846.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1846.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.16-300 for FC27
- 4.15.15-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.16-300 for FC27
- 4.15.15-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.16-200 for FC26
- 4.15.15-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.16-200 for FC26
- 4.15.15-200 for FC26

April 10, 2018: The following changes have been made:

pfring-7.0.0-1833.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1833.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

April 6, 2018: The following changes have been made:

cert-forensics-tools-release-{6,7,22,23,24,25,26,27}-13.noarch.rpm - cert-forensics-tools-release is the package that connects a Fedora- and CentOS/RHEL-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR). This package has been changed to include a new Forensics team key which is also available here.
pfring-7.0.0-1826.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1826.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.14-300 for FC27
- 4.15.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.14-300 for FC27
- 4.15.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.14-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.14-200 for FC26

April 2, 2018: The following changes have been made:

yara-python-3.7.1-1.x86_64.el6.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in CentOS/RHEL 6.

March 30, 2018: The following changes have been made:

dtfabric-20180325-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - Dtfabric is a project to manage data types and structures, as used in the libyal projects.
dfvfs-20180326-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
pfring-7.0.0-1816.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1816.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
sleuthkit{,-devel,-libs}-4.6.0-3.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.5.0) released to this repository. In this release, the file /usr/share/java/sleuthkit-4.6.0.jar was moved from sleuthkit-devel to sleuthkit.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.12-301 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.12-301 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.12-201 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.12-201 for FC26

March 26, 2018: The following changes have been made:

bro{,-core,ctl}-2.5.3-1.2.el7.x86_64.rpm and libbroccoli{,-devel}-2.5.3-1.2.el7.x86_64.rpm - Bro was recomplied for CentOS/RHEL 7 to use PF_Ring. See the instructions here that explains this capability. Note that since PF_Ring does not support Fedora, Bro for those systems were not recompiled.

March 23, 2018: The following changes have been made:

libevt{,-devel,-python,-python3,-tools}-20180317-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libevt{,-devel,-python,-tools}-20180317-1.el6.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
snort-2.9.11.1-2.{el6,el7}.x86_64.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. This release was recomplied to use PF_Ring.
snort-openappid-2.9.11.1-2.{el6,el7}.x86_64.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- Here is the OpenAppId Detector Developer Guide .
To install snort-openappid on your system, you must first remove snort. Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
This release was recomplied to use PF_Ring.
dfdatetime-20180318-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
bro{,-core,ctl}-2.5.3-1.1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libbroccoli{,-devel}-2.5.3-1.1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - Bro is a powerful network analysis framework that is much different from the typical IDS you may know. While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure. Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities.
pfring-7.0.0-1804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
guymager-0.8.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
ddrescue-1.23-1.{fc22,fc23,fc24,fc25,fc26,fc27el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See here for the changes since the last version (1.22) released to this repository.
analyzeMFT-2.0.19.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats. See here for the changes since the previously installed version 2.0.19.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.10-300 for FC27
- 4.15.9-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.10-300 for FC27
- 4.15.9-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.10-200 for FC26
- 4.15.9-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.10-200 for FC26
- 4.15.9-200 for FC26

March 16, 2018: The following changes have been made:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.1-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.1‑2.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.1‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This package was rebuilt to use libfixbuf 1.8.0.
analysis-pipeline-5.7-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This package was rebuilt to use silk 3.16.1.
silk-ipset{-devel,-lib,-tools}-3.16.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.8-300 for FC27
- 4.15.7-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.8-300 for FC27
- 4.15.6-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.7-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.7-200 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.23.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.23.1 for EL6

March 9, 2018: The following changes have been made:

apfs-fuse-20180303-1.{fc24,fc25,fc26,fc27,el7}.x86_64.rpm - APFS-Fuse is a read-only FUSE driver for the new Apple File System. This is from the README:
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental. It may not be able to read all files, it may return wrong data, or it may simply crash. Use at your own risk. But since it's read-only, at least the data on your apfs drive should be safe.
dislocker{,-libs}-0.7.1-7.{el6,el7}.{i686,x86_64}.rpm and fuse-dislocker-0.7.1-7.{,el6,el7}.{i686,x86_64}.rpm - Dislocker reads BitLocker encrypted partitions under a Linux system. The driver has the capability to read/write on:
- Windows Vista, 7, 8, 8.1 and 10 encrypted partitions - that's AES-CBC, AES-XTS, 128 or 256 bits, with or without the Elephant diffuser, encrypted partitions;
- BitLocker-To-Go encrypted partitions - that's USB/FAT32 partitions.
The core driver is composed of a library, with multiple binaries (see the NOTES section below) using this library. Two binaries are of interest when wanting to decrypt a BitLocker encrypted partition:
1. dislocker-fuse: binary using FUSE to dynamically decrypt the BitLocker-ed partition. You have to give it a mount point where, once keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it as any NTFS partition and then read from or write to it. Note that writing to the NTFS virtual file will change the underlying BitLocker partition's content.
2. dislocker-file: binary decrypting a BitLocker encrypted partition into a flat file. This file has to be given through command line and, once dislocker-file is finished, will be an NTFS partition. It won't have any link to the original BitLocker partition. Therefore, if you write to this file, the BitLocker volume won't change, only the NTFS file will. Note that this may take a long time to create that file, depending on the size of the encrypted partition. But afterward, once the partition is decrypted, the access to the NTFS partition will be faster. Another thing to think about is the size on your disk this binary needs: the same size as the volume you're trying to decrypt. Nevertheless, once the partition is decrypted, you can mount your file as any NTFS partition.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.6-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.6-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.6-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.6-200 for FC26
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.21.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.21.1 for EL7
pfring-7.0.0-1797.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1797.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

March 1, 2018: The following changes have been made:

pfring-7.0.0-1788.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1788.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.4-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.4-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.4-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.4-200 for FC26
sleuthkit{,-devel,-libs}-4.6.0-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.5.0) released to this repository.
pytsk3-20180228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit.
yara-python-3.7.1-1.x86_64.el7.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in CentOS/RHEL 7.

February 21, 2018: The following changes have been made:

fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.3-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.3-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.15.3-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.15.3-200 for FC26

February 16, 2018: The following changes have been made:

exfat-utils-1.2.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.7).
ddrescueview-0.4.a3-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm - Ddrescueview is a small tool that allows the user to graphically examine ddrescue's log files in a user friendly GUI application. The Main window displays a block grid with each block's color representing the block types it contains. Many people know this type of view from defragmentation programs. The program is written in Object Pascal using the Lazarus IDE.
libfplist{,-devel}-20180125-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Libfplist is a library for plist formats. Note: this is a library only - there are no tools provided by these packages.
libfwevt{,-devel}-20180124-1.{fc22,fc23,fc24,fc25,fc26,fc27el6,el7}.{i686,x86_64}.rpm - Libfwevt is a library for Windows XML Event Log (EVTX) data types. Note: this is a library only - there are no tools provided by these packages.
radare2{,-devel}-2.3.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and radare2{,‑devel}‑2.3.0‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
acr-1.4-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - ACR tries to replace autoconf functionality generating a full-compatible 'configure' script (runtime flags). But using shell-script instead of m4. This means that ACR is faster, smaller and easy to use.
python-radare2-2.3.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python‑radare2‑2.3.0‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
pfring-7.0.0-1764.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1764.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.18-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.18-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.18-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.18-200 for FC26

February 9, 2018: The following changes have been made:

fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.16-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.16-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.16-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.16-200 for FC26

February 2, 2018: The following changes have been made:

pfring-7.0.0-1736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.20.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.20.1 for EL6
python{2,3}-certifi-2018.1.18-1.{fc22,fc23,fc24,fc25,fc26,fc27el7}.noarch.rpm - Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. This package was built to support plaso.
libsmraw{,-devel,-python,-python3,-tools}-20180123-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20180123-1.el6.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes.
libwrc{,-devel,-python,-python3,-tools}-20180124-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libwrc{,-devel,-python,-tools}-20180124-1.el6.{i686,x86_64}.rpm , and ibwrc{,-devel,-python,-python3,-tools}-20180124-1.el7.x86_64.rpm - Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
plaso-20180127-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, plaso-20180127-1.el7.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the release announcement here.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.

January 26, 2018: The following changes have been made:

pfring-7.0.0-1727.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1727.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.14-300 for FC27
- 4.14.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.14-300 for FC27
- 4.14.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.14-200 for FC26
- 4.14.13-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.14-200 for FC26
- 4.14.13-200 for FC26
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.17.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.17.1 for EL7

January 19, 2018: The following changes have been made:

pfring-7.0.0-1707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
artifacts-20180115-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libguytools-2.0.5-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager. The changes are:
- Moved to Qt5
- Adapted to Debian 8 (Jessie)
guymager-0.8.7-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. This release was rebuilt for libguytools-2.0.5 .
libfwnt{,-devel,-python,-python3}-20180117-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm and libfwnt{,-devel,-python}-20180117-1.el6.noarch.rpm - LibFWNT, is a library for Windows NT data types. See here for the list of changes.

January 12, 2018: The following changes have been made:

libsmdev{,-devel,-python,-python3,-tools}-20171112-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20171112-1.el6}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libfvde{,-devel,-python,-python3,-tools}-20180108-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libfvde{,-devel,-python,-tools}-20180108-1.el6.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
dfdatetime-20180110-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
libfplist{,-devel}-20180108-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Libfplist is a library for plist formats. Note: this is a library only - there are no tools provided by these packages.
pfring-7.0.0-1684.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1684.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

January 5, 2018: The following changes have been made:

pfring-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
dfdatetime-20171228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dfvfs-20171230-2.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
sleuthkit{,-devel,-libs}-4.5.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.4.2) released to this repository.
pytsk3-20171108-2.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit.
plaso-20171231-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, plaso-20171231-1.el7.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the release announcement here.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
analysis-pipeline-5.7-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release.
dd_rescue-1.99.8-1.{,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. See here for the changes since the last version (1.99.5) released to this repository.
libodraw{,-devel,-tools}-20171105-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20171105-1.el6.{i686,x86_64}.rpm - Libodraw is a library to access to optical disc (split) RAW image files (bin/cue, iso/cue).
nDPI{,-devel}-2.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
radare2{,-devel}-2.2.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and radare2{,‑devel}‑2.2.0‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
valabind-0.10.0-4.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++. This release was built for CentOS/RHEL 7 to build Python-Radare2 .
python-radare2-2.1.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python‑radare2‑2.2.0‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
xplico-1.2.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. See here for the changes since the last version (1.2.0) released to this repository.
yaf{,-devel}-2.9.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Volatility-2.6-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.6 that has been patched to January 2, 2018. You can read about this version here Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
python{2,3}-ssdeep-3.2-1.(fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python2-ssdeep-3.2-1.{el6,el7}.{i686,x86_64}.rpm - Python-SSDeep is a Python wrapper for ssdeep by Jesse Kornblum, which is a library for computing context triggered piecewise hashes (CTPH). Also called fuzzy hashes, CTPH can match inputs that have homologies. Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
Volatility-community-plugins-20180102-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/ and to use them you need to specify this location on the command line thusly:
volatility --plugins=/usr/share/volatility/plugins/community ...
Note: The following plugins were removed the el6: BartoszInglot, ESET_Browserhooks, LoicJaquemet, ThomasChopitea, TranVienHa, and YingLi.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.11-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.11-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.11-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.11-200 for FC26
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.11.6 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.11.6 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.18.7 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.18.7 for EL6
snort-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- Here is the OpenAppId Detector Developer Guide .
To install snort-openappid on your system, you must first remove snort. Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf

December 29, 2017: The following changes have been made:

pfring-7.0.0-1664.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1664.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.7-300 for FC27
- 4.14.8-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.7-300 for FC27
- 4.14.8-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.8-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.8-200 for FC26
dfvfs-20171228-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.

December 21, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.5-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.5-200 for FC26
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.6-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.6-200 for FC26
dfvfs-20171216-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
bencode-2.0.0-1.(fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm - Bencode re-packages the existing bencoding and bdecoding implemention from the ‘official’ BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.6-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.6-300 for FC27
xlsxwriter-1.0.2-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.2-1.el7.x86_64.rpm - XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format. XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
pfring-7.0.0-1659.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1659.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

December 15, 2017: The following changes have been made:

fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.5-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.5-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.4-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.4-200 for FC26
pfring-7.0.0-1616.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1616.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

December 13, 2017: The following changes have been made:

fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.14.3-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 4.14.3-300 for FC27
pfring-7.0.0-1600.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1600.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
dfdatetime-20171129-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
yara-python-3.7.0-1.x86_64.el7.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in CentOS/RHEL 7.

December 8, 2017: The following changes have been made:

fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.16-302 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.16-302 for FC27
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.16-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.16-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.16-202 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.16-202 for FC26
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.16-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.16-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.49.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.16-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-49.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.16-100 for FC25
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.11.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.11.1 for EL7
pfring-7.0.0-1592.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1592.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
dfvfs-20171203-1.(fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.

December 1, 2017: The following changes have been made:

pfring-7.0.0-1569.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1569.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.15-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.15-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.15-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.15-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.48.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.15-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-48.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.15-100 for FC25
Fedora 21 - Updates to Fedora 21 for both the i686 and x86_64 CPU architectures has ceased.
ADIA - This item is the VMware and VirtualBox-based forensic appliances built with CentOS 7 for the x86_64 architecture. See here for more details. The release coonsistes of the following:
- The latest CERT Forensics Key is installed.
- All packages have been updated as of December 1, 2017.
- SElinux is disabled.
- Mate Desktop is the defaut desktop.

November 23, 2017: The following changes have been made:

Fedora 27 - The repository now supports Fedora 27 for the x86_64 and i386 CPU architectures. Here is the list of tools provided for Fedora 27:

2hash
aeskeyfind
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bokken
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
dd_rescue
ddrescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
dtfabric
efilter-1
eindeutig
epub
exfat-utils
fatback
fcrackzip
fmem-kernel-modules
fred
fundl
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata

hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
libagdb
libbde
libbfio
libcreg
libesedb
libevt
libevtx
libewf
libexe
libfixbuf
libfplist
libfsext
libfshfs
libfsntfs
libfvde
libfwevt
libfwnt
libfwsi
libguytools
libhibr
libiconv
liblnk
libluksde
libmdmp
libmodi
libmsiecf
libnk2
libodraw
libolecf
libpff
libphdi
libpst
libqcow

libregf
libscca
libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
libvsmbr
libwrc
libwtcdb
lime-kernel-modules
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
protobuf-c
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-dpapick
python-haystack
python-ioc_writer
python-pycoin
python-radare

python-rarfile
python-registry
pytsk3
radare
rar
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti2
rifiuti
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snarf
snort
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
undbx
unrar
untex
vala
valabind
videosnarf
vinetto
vmfs-tools
Volatility
Volatility-community-plugins
winevt-kb
winreg-kb
xlsxwriter
xmount
xplico
yaf

lime-kernel-modules-1.1.r17-12.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 27 x86_64 and i386 architectures was added.
fmem-kernel-modules-1.6-1.12.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 27 x86_64 and i386 architectures was added.
snort-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- Here is the OpenAppId Detector Developer Guide .
Note: This version of snort is not yet avaiable for Fedora 26 or 27.
snarf{,-devel,-python}-0.3.0-3.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. See here for the list of changes for this release. This version uses zeromq3. Note: due to the changing package requirements of snarf, there is no support for CentOS/RHEL 6.
pfring-7.0.0-1560.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1560.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
dfdatetime-20170719-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python-construct-2.5.2-1.(fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Python-construct is a powerful declarative parser (and builder) for binary data.
dfvfs-20171022-1.(fc21,fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
plaso-20171118-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, plaso-20171118-1.el7.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the release announcement here.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.9-300 for FC27
- 4.13.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.9-300 for FC27
- 4.13.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.13-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.13-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.47.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.13-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-47.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.13-100 for FC25

November 17, 2017: The following changes have been made:

pfring-7.0.0-1557.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1557.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.46.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.12-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-46.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.12-100 for FC25
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.12-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.12-200 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.16.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.16.1 for EL6

November 10, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.11-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.11-200 for FC26
fmem-kernel-modules-fc26-{x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.10-200 for FC26
lime-kernel-modules-fc26-{x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.10-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.45.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.11-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-45.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.11-100 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.44.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.8-100 for FC25
- 4.13.10-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-44.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.8-100 for FC25
- 4.13.10-100 for FC25
pfring-7.0.0-1535.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1535.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
libfwsi{,-devel,-python,-python3}-20171103-1.(fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20171103-1.el6.{i686,x86_64}.rpm- Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
liblnk{,-devel,-python,-python3,-tools}-20171101-1.(fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20171101-1.el6.{i686,x86_64}.rpm- Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20171105-1.{fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20171105-1.el6}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-python,-python3,-tools}-20171105-1.{fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20171105-1.el6.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes.
yaf{,-devel}-2.9.1-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
artifacts-20171107-1.(fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. This package was built to support plaso.
python{2,3}-certifi-2016.9.26-2.{fc21,fc22,fc23,fc24,fc25,el7}.noarch.rpm - Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. This package was built to support plaso.
python{2,3}-future-0.16.0-4.{fc21,fc22,fc23}.noarch.rpm - Future is the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead. This package was built to support plaso.
python{2,3}-idna-2.5-1.{fc21,fc22,fc23,el7}.noarch.rpm - IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891. This is the latest version of the protocol and is sometimes referred to as “IDNA 2008”. This package was built to support plaso.
python{2,3}-pefile-2017.5.26-2.{fc21,fc22,fc23,fc24}.noarch.rpm and python-pefile-2017.5.26-2.el7.noarch.rpm- PEFile is a Portable Executable reader module. This package was built to support plaso.
plaso-20170930-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, plaso-201709301-1.el7.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the release announcement here.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, and 26 for i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
libfixbuf{,-devel}-1.8.0-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes. Libsmraw contains supports for multiple (split) RAW naming schemes.
yaf{,-devel}-2.9.2-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or
analysis-pipeline-5.6-4.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release. This package was rebuilt to use libfixbuf 1.8.0.
libschemaTools{,-devel}-1.2.1-2-{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - libschemaTools is a library that provides a standard representation of data records. It is built on fixbuf, using IPFIX information elements. It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source. SchemaTools removes the need for the processing application to know the details of how to retrive data, and to know the structure of the records. See here for the list of changes for this release. This package was rebuilt to use libfixbuf 1.8.0.
pyfixbuf-0.2.1-2.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes. Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.). See this page for a list of problems fixed in this and all releases. This package was rebuilt to use libfixbuf 1.8.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-3.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version. This package was rebuilt to use libfixbuf 1.8.0.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.0‑4.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.0‑4.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This package was rebuilt to use libfixbuf 1.8.0.
super_mediator-1.5.3-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the list of changes for this release. This package was rebuilt to use libfixbuf 1.8.0.

October 27, 2017: The following changes have been made:

yaf{,-devel}-2.9.0-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for the changes since the last released version (2.8.4).
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.5.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.5.2 for EL7
super_mediator-1.5.3-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the list of changes for this release.
pfring-7.0.0-1513.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1513.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

October 22, 2017: The following changes have been made:

pfring-7.0.0-1506.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1506.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
yaf{,-devel}-2.8.4-3.{el6,el7}.x86_64.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. This package has been rebuilt for a new version of pf_ring. To install PF_Ring on your CentOS/RHEL system, please follow the directions found here.

October 20, 2017: The following changes have been made:

fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.13.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.13.2 for EL6
pfring-6.6.0-1459.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1459.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.5-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.5-100 for FC25
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.5-200 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.5-200 for FC26

October 6, 2017: The following changes have been made:

libbde{,-devel,-python,-python3,-tools}-20170902-1.{fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20170902-1.el6.{i686,x86_64}.rpm- Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libolecf{,-devel,-python,-python3,-tools}-20170825-1.(fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20170825-1.el6.{i686,x86_64}.rpm- Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed.
libvshadow{,-devel,-python,-python3,-tools}-20170902-1.{fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20170902-1.el6.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
pyparsing{,-doc}-2.2.0-1.{el6,el7}.noarch.rpm and python3-pyparsing-2.2.0-1.el7.noarch.rpm - Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions. The module provides a library of classes that client code uses to construct the grammar directly in Python code. Pyparsing is provided by RedHat for Fedora 21. Pyparsing is needed by plaso.
sleuthkit{,-devel,-libs}-4.4.2-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.4.1) released to this repository.
libfvde{,-devel,-python,-python3,-tools}-20170930-1.{fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libfvde{,-devel,-python,-tools}-20170930-1.el6.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.14-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.14-200 for FC25
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.13.4-200 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.13.4-200 for FC26
guymager-0.8.7-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.

September 29, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.13-200 for FC25
pfring-6.6.0-1435.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1435.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
xplico-1.2.0-3.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This version adds the missing documetation file /usr/share/doc/xplico-1.2.0/README.md .
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.14-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.14-300 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.10.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.10.3 for EL6

September 22, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.13-300 for FC26
- 4.12.12-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.13-300 for FC26
- 4.12.12-300 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.10.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.10.2 for EL6

September 15, 2017: The following changes have been made:

fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-693.2.2 for EL7
- 3.10.0-693.2.1 for EL7
- 3.10.0-693.1.1 for EL7
- 3.10.0-693 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-693.2.2 for EL7
- 3.10.0-693.2.1 for EL7
- 3.10.0-693.1.1 for EL7
- 3.10.0-693 for EL7
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.11-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.11-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.11-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.11-200 for FC25

September 8, 2017: The following changes have been made:

snarf{,-devel,-python}-0.2.4-2.el6.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. This version was rebuilt for CentOS/RHEL 6 to solve a dependency problem.
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.9-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.9-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.9-200 for FC25
pfring-6.6.0-1401.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1401.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

September 1, 2017: The following changes have been made:

pfring-6.6.0-1396.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1396.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

August 25, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.8-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.8-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.8-200 for FC25
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.10.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.10.1 for EL6

August 18, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.12.5-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.12.5-300 for FC26

August 11, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.12-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.12-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.47.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.12-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-47.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.12-100 for FC24
yara-python-3.6.3-1.{i386,x86_64}.{el6,el7}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in CentOS/RHEL 6 and 7.
artifacts-20170727-1.(fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. This package was built to support plaso.
binplist-0.1.5-1.(fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
dfdatetime-20170719-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dfvfs-20170723-1.(fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libfsntfs{,-devel,-python,-python3,-tools}-20170315-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and libfsntfs{,-devel,-python,-tools}-20170315-1.el6.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
libfwnt{,-devel,-python,-python3}-20170115-1.(fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm and libfwnt{,-devel,-python}-20170115-1.el6.noarch.rpm - LibFWNT, is a library for Windows NT data types. See here for the list of changes. This package is needed by dfvfs and plaso.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.71-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
libscca{,-devel,-python,-python3,-tools}-20170205-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libscca{,-devel,-python,-tools}-20170205-1.el6.x86_64.rpm - Libscca is a library to access the Windows Prefetch File (SCCA) format. See here for the list of changes.
libsmraw{,-devel,-python,-python3,-tools}-20170803-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20170803-1.el6.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes.
libvshadow{,-devel,-python,-python3,-tools}-20170715-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20170715-1.el6.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
libwrc{,-devel,-python,-python3,-tools}-20170304-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20170304-1.el6.{i686,x86_64}.rpm - Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
epub-0.5.2-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i386,x86_64}.rpm - Epub is the distribution and interchange format standard for digital publications and documents based on Web Standards. Epub defines a method for representing, packaging, and encoding structured and semantically enhanced web content - including XHTML, CSS, SVG, images, and other resources - for distribution in a single-file format. Epub allows publishers to produce and send a single digital publication file through distribution and offers interoperability between consumers software / hardware for unencrypted reflowable digital books and other publications. Epub is a helper application for recoll.
ghostpdl-9.21-1.{fc20,fc21,fc22,fc23.f24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico.
nDPI{,-devel}-2.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
xplico-1.2.0-3.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This version was recompiled for nDPI-2.0 and add python3.6 list of valid Python executables.
perl-File-Mork-0.4-1.{fc20,fc21,fc22,fc23.f24,fc25,fc26,el6,el7}.noarch.rpm - perl-File-Mork is a module to read Mozilla URL history files.
perl-Mac-PropertyList-1.412-1{fc20,fc21,fc22,fc23.f24,fc25,fc26,el7}.noarch.rpm - perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format. See here for the list of changes
perl-Alien-wxWidgets-0.67-6.el7.x86_64.rpm - perl-Alien-wxWudgets can be used to detect and get configuration settings from an installed wxWidgets.
perl-Wx-0.9928-3.el7.x86_64.rpm - perl-Wx is a wrapper for the wxWidgets (formerly known as wxWindows) GUI toolkit. This module comes with extensive documentation in HTML format; you can download it from http://wxperl.sourceforge.net.
perl-Parse-Win32Registry-1.0-1.{fc20,fc21,fc22,fc23.f24,fc25,fc26,el6,el7}.noarch.rpm - perl-Parse-Win32Registry is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API. It provides an object-oriented interface to the keys and values in a registry file. Registry files are structured as trees of keys, with each key containing further subkeys or values. The module is intended to be cross-platform, and run on those platforms where Perl will run. It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition). It is intended to be used to parse offline registry files. If a registry file is currently in use, you will not be able to open it. However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
pfring-6.6.0-1377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
python-apsw-3.19.3-1.{fc20,fc21,fc22,fc23.f24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
python-haystack-0.42-1.{fc20,fc21,fc22,fc23.f24,fc25,fc26,el6,el7}noarch.rpm - Python-Haystack is an heap analysis framework, focused on searching and reversing of C structure in allcoated memory.
python-rarfile-3.0-1.{fc20,fc21,fc22,fc213,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Python-rarfile is a Python module for RAR archive reading. See here for the list of changes since the last release version (2.6);
regripper-plugins-20170809-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This package is taken from the plugins directory at the Github source code site as of 2017-08-09..
radare{,-devel}-2.1.6.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and radare{,‑devel}‑2.1.6.0‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.1.6.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and python‑radare‑2.1.6.0‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
rifiuti2-0.6.1-1.{fc20,fc21,fc22,fc213,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.

July 27, 2017: The following changes have been made:

Fedora 26 - The repository now supports Fedora 26 for the i386 CPU architecture. Support for the x86_64 architecture was previously announced. Here is the list of tools provided for Fedora 26:

2hash
aeskeyfind
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
dtfabric
efilter-1
eindeutig
epub
exfat-utils
fatback
fcrackzip
ffmpeg
fmem-kernel-modules
fred
fundl
fuse-exfat
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata

libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
libvsmbr
libwrc
libwtcdb
lime-kernel-modules
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
opencore-amr
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-dpapick
python-haystack
python-ioc_writer
python-pycoin
python-radare
python-rarfile
python-registry
pytsk3
radare
rar

registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snarf
snort
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
undbx
unrar
untex
valabind
videosnarf
vinetto
vmfs-tools
vo-amrwbenc
Volatility
Volatility-community-plugins
winevt-kb
winreg-kb
x264
x265
xlsxwriter
xmount
xplico
xvidcore
yaf

lime-kernel-modules-1.1.r17-11.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 26 i386 architecture was added.
fmem-kernel-modules-1.6-1.11.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 26 i386 architecture was added.

July 26, 2017: The following changes have been made:

fmem-kernel-modules-fc26-{x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.11-300 for FC26
lime-kernel-modules-fc26-{x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.11-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.11-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.11-200 for FC25
yara-python-3.6.3-1.{fc24,fc25}.x86_64.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in Fedora 24 and 25.
pfring-6.6.0-1372.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1372.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

July 21, 2017: The following changes have been made:

Fedora 26 - The repository now supports Fedora 26 for the x86_64 CPU architecture only. Here is the list of tools provided for Fedora 26:

2hash
aeskeyfind
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
CERT-Forensics-Tools
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
dtfabric
efilter-1
eindeutig
epub
exfat-utils
fatback
fcrackzip
ffmpeg
fmem-kernel-modules
fred
fundl
fuse-exfat
galleta
ghostpdl
grokevt
guymager
hachoir-core

hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
libagdb
libbde
libbfio
libcreg
libesedb
libevt
libevtx
libewf
libexe
libfixbuf
libfplist
libfsext
libfshfs
libfsntfs
libfvde
libfwevt
libfwnt
libfwsi
libguytools
libhibr
libiconv
liblnk
libluksde
libmdmp
libmodi
libmsiecf
libnk2
libodraw
libolecf
libp0f
libpff
libphdi
libpst
libqcow
libregf

libscca
libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
libvsmbr
libwrc
libwtcdb
lime-kernel-modules
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
opencore-amr
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-dpapick
python-haystack
python-ioc_writer
python-pycoin
python-radare
python-rarfile
python-registry
pytsk3
radare

rar
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snarf
snort
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
undbx
unrar
untex
valabind
videosnarf
vinetto
vmfs-tools
vo-amrwbenc
Volatility
Volatility-community-plugins
winevt-kb
winreg-kb
x264
x265
xlsxwriter
xmount
xplico
xvidcore
yaf

lime-kernel-modules-1.1.r17-10.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 26 x86_64 architecture was added.
fmem-kernel-modules-1.6-1.10.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 26 x86_64 architecture was added.
fmem-kernel-modules-fc26-{x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.10-300 for FC26
lime-kernel-modules-fc26-{x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.10-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.10-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.46.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-46.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.10-100 for FC24
pfring-6.6.0-1353.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1353.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.

July 14, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.9-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.8-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.7-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.7-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.44.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-44.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.8-100 for FC24
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.26.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.26.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.6.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.6.3 for EL6
libfsext{,-devel,-python,-python3,-tools}-20170624-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfsext{,-devel,-python,-tools}-20170624-1.el6.{i686,x86_64}.rpm - Libfsext is a lbrary and tools to access the Extended File System (EXT). Note that this project currently only focuses on the analysis of the format.
libfshfs{,-devel,-python,-python3,-tools}-20170626-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfshfs{,-devel,-python,-tools}-20170626-1.el6.{i686,x86_64}.rpm - Libfshfs is a lbrary and tools to access the Hierarchical File System (HFS). Note that this project currently only focuses on the analysis of the format.
libhibr{,-devel,-tools}-20170530-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libhibr{,-devel,-tools}-20170530-1.el6.{i686,x86_64}.rpm - libhibr is a lbrary and tools to access the Windows Hibernation File (hiberfil.sys) format. Note that this project currently only focuses on the analysis of the format.
libmdmp{,-devel,-tools}-20170522-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libmdmp{,-devel,-tools}-20170522-1.el6.{i686,x86_64}.rpm - Libmdmp is a library to access the Windows Minidump (MDMP) format. Note that this project currently only focuses on the analysis of the format.
libmodi{,-devel,-python,-python3,-tools}-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libmodi{,-devel,-python,-tools}-20170527-1.el6.{i686,x86_64}.rpm - Libmodi is a lbrary and tools to access the Mac OS disk image formats.
libnk2{,-devel,-python,-python3,-tools}-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libnk2{,-devel,-python,-tools}-20170527-1.el6.{i686,x86_64}.rpm - Libnk2 is a lbrary and tools to access Microsoft Outlook Nickfile (NK2) format files.
libodraw{,-devel,-tools}-20170217-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20170217-1.el6.{i686,x86_64}.rpm - Libodraw is a library to access to optical disc (split) RAW image files (bin/cue, iso/cue).
libphdi{,-devel,-python,-python3,-tools}-20170529-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libphdi{,-devel,-python,-tools}-20170529-1.el6.{i686,x86_64}.rpm - Libphdi is a library to access the Parallels Hard Disk image format.
libexe{,-devel,-python,-python3,-tools}-20170123-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libexe{,-devel,-python,-tools}-20170123-1.el6.{i686,x86_64}.rpm - Libexe is a library and tools to access the executable (EXE) format.
libwtcdb{,-devel,-tools}-20170201-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm libwtcdb{,-devel,-tools}-20170201-1.el6.{i686,x86_64}.rpm - Libwtcdb is a library and tools to access the Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db).
libfplist{,-devel}-20170112-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libfplist is a library for plist formats. Note: this is a library only - there are no tools provided by these packages.
libfwevt{,-devel}-20170114-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libfwevt is a library for Windows XML Event Log (EVTX) data types. Note: this is a library only - there are no tools provided by these packages.
libagdb{,-devel,-tools}-20170201-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libagdb is a library to access the SuperFetch database format.
libcreg{,-devel,-python,-python3,-tools}-20170119-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libcreg{,-devel,-python,-tools}-20170119-1.el6.{i686,x86_64}.rpm - Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libvsmbr{,-devel,-tools}-20170525-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
libwrc{,-devel,-python,-python3,-tools}-20160419-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20160419-1.el6.{i686,x86_64}.rpm - Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
winevt-kb-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - Winevt-kb is a project to build a Windows Event Log knowledge base. winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources. See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them. Note that winevt-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
dtfabric-20170630-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - Dtfabric is a project to manage data types and structures, as used in the libyal projects.
winreg-kb-20170525-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - Winreg-kb-kb winreg-kb is a project to build a Windows Registry Knowledge Base. winregrc is a Python module part of winreg-kb to allow reuse of Windows Registry Resources. See these scripts that make use of package. Note that winreg-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
dfwinreg-20170706-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and dfwinreg-20170706-1.{el6,el7}.x86_64.rpm - DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects. The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
CERT-Forensics-Tools-1.0-74.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- libagdb-tools
- libcreg-tools
- libexe-tools
- libfsext-tools
- libfshfs-tools
- libhibr-tools
- libmdmp-tools
- libmodi-tools
- libnk2-tools
- libodraw-tools
- libphdi-tools
- libvsmbr-tools
- libwrc-tools
- libwtcdb-tools
- winevt-kb (not for CentOS/RHEL 6)
- winreg-kb (not for CentOS/RHEL 6)
pfring-6.6.0-1334.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1334.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
yara-python-3.6.2-1.{fc24,fc25}.x86_64.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in Fedora 24 and 25.

June 30, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.6-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.6-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.6-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.6-101 for FC24
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.26.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.26.1 for EL7
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.0‑2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.16.0‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset{-devel,-lib,-tools}-3.16.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
analysis-pipeline-5.6-3.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release. This package was rebuilt to use silk 3.16.0.

June 26, 2017: The following changes have been made:

partclone-0.3.6-2.el7.x86_64.rpm and partclone-0.3.6-2.el6.{i386,x86_64}.rpm- Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5. See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release. This version was rebuilt because of an update to ntfs-3g in EL6 and EL7.
testdisk-7.0-4.1.el6.{i686,x86_64}.rpm and qphotorec-7.0-4.1.el6.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. These releases were built to use the latest version of libewf that is installed in this repository.

June 23, 2017: The following changes have been made:

fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.21.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.21.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.3.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.3.2 for EL6

June 20, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.5-200 for FC25
- 4.11.4-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.5-200 for FC25
- 4.11.4-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.5-100 for FC24
- 4.11.4-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.5-100 for FC24
- 4.11.4-100 for FC24
yara-python-3.6.0-1.{fc24,fc25}.x86_64.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of an update to yara in Fedora 24 and 25.
partclone-0.3.6-2.{fc24,fc25}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5. See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release. This version was rebuilt because of an update to ntfs-3g in Fedora 24 and 25.

June 19, 2017: The following changes have been made:

yara-python-3.6.0-1.el7.x86_64.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. This version was rebuilt because of the update to yara in EPEL for CentOS/RHEL 7.

June 14, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.3-202 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.3-202 for FC25
partclone-0.3.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5. See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release.
exfat-utils-1.2.7-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.3).
xmount-0.7.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following: Here are the changes for this version:
- New for version 0.7.5
  - Improved and fixed the way fsname is built.
  - Added a patch fixing a bug in libxmount_input_aewf (supplied by Guy Voncken)
- New for version 0.7.4
  - Re-enabled full OSx support
  - libxmount_input_aewf input library is now able to decompress EWF chunks in parallel, which will increase read speed
sleuthkit{,-devel,-libs}-4.4.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.4.0) released to this repository.

June 2, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.11.3-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 4.11.3-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.17-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.17-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.17-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.17-100 for FC24
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.3.1 for EL6
lime-kernel-modules-common-1.1.r17-4.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes tie lime-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of packages but decreases their size. This revision fixes a problem that resulted from the release of the 4.11 kernel for Linux.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-25 and CentOS 6 and 7 If you use rsync, make certain that you use the -H option to preserve those hard links.

May 26, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.16-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.16-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.15-100 for FC24
- 4.10.16-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.15-100 for FC24
- 4.10.16-100 for FC24
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.21.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.21.1 for EL7
jansson{,-devel}-2.9-1.el7.x86_64.rpm and jansson-devel-doc-2.9-1.el7.noarch.rpm - Jansson is a C library for encoding, decoding and manipulating JSON data. It features:
- Simple and intuitive API and data model
- Comprehensive documentation
- No dependencies on other libraries
- Full Unicode support (UTF-8)
- Extensive test suite
This tool was built to be used by yara-python.
yara{,-doc,-devel}-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Note that the -devel and -doc packages split out the files needed for development and documentation respectively.
yara-python-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts.
dislocker{,-libs}-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm and fuse-dislocker-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Dislocker reads BitLocker encrypted partitions under a Linux system. The driver has the capability to read/write on:
- Windows Vista, 7, 8, 8.1 and 10 encrypted partitions - that's AES-CBC, AES-XTS, 128 or 256 bits, with or without the Elephant diffuser, encrypted partitions;
- BitLocker-To-Go encrypted partitions - that's USB/FAT32 partitions.
The core driver is composed of a library, with multiple binaries (see the NOTES section below) using this library. Two binaries are of interest when wanting to decrypt a BitLocker encrypted partition:
1. dislocker-fuse: binary using FUSE to dynamically decrypt the BitLocker-ed partition. You have to give it a mount point where, once keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it as any NTFS partition and then read from or write to it. Note that writing to the NTFS virtual file will change the underlying BitLocker partition's content.
2. dislocker-file: binary decrypting a BitLocker encrypted partition into a flat file. This file has to be given through command line and, once dislocker-file is finished, will be an NTFS partition. It won't have any link to the original BitLocker partition. Therefore, if you write to this file, the BitLocker volume won't change, only the NTFS file will. Note that this may take a long time to create that file, depending on the size of the encrypted partition. But afterward, once the partition is decrypted, the access to the NTFS partition will be faster. Another thing to think about is the size on your disk this binary needs: the same size as the volume you're trying to decrypt. Nevertheless, once the partition is decrypted, you can mount your file as any NTFS partition.
CERT-Forensics-Tools-1.0-73.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- The dislocker suite was added for all supported systems.

May 19, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.15-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.15-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.14-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.14-100 for FC24
pfring-6.6.0-1231.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1231.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
aeskeyfind-1.0-3.(fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Aeskeyfind illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image. The program uses various algorithms and also performs a simple entropy test to filter out blocks that are not keys. It counts the number of repeated bytes and skips blocks that have too many repeats. This method works even if several bits of the key schedule have been corrupted due to memory decay. This package is useful to several activities, as forensics investigations.
CERT-Forensics-Tools-1.0-72.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- The package aeskeyfind was added for all supported systems.

May 8, 2017: The following changes have been made:

nDPI{,-devel}-1.8-3.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.

This version eliminates a dependency for CentOS/RHEL 6 for the x86_64 architecture. The other revisions for all other systems and architectures are to maintain revision compatibility.

April 28, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.10-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.9-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.10-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.9-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.9-100 for FC24
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.16.1 for EL&
- 3.10.0-514.10.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.16.1 for EL&
- 3.10.0-514.10.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696.1.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696.1.1 for EL6
libvslvm{,-devel,-python,-python3,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libvslvm{,-devel,-python,-tools}-20160110-2.el6.{i686,x86_64}.rpm - Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format. This release added the missing FUSE dependencies.
CERT-Forensics-Tools-1.0-71.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- The package libvslvm-tools was added for all supported systems.

April 13, 2017: The following changes have been made:

fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-696 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-696 for EL6
Volatility-community-plugins-20170405-2.fc25.noarch.rpm - The Volatility Community Plugins for Fedora 25 had an incorrect dependency which has been fixed.

April 7, 2017: The following changes have been made:

sleuthkit{,-devel,-libs}-4.4.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.3.0) released to this repository.
pytsk3-20170324-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit.
ddrescue-1.22-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See here for the changes since the last version (1.21) released to this repository.
ddrutility-2.8-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad
- ddru_diskutility
- ddru_diskutility
See here for the list of changes in this release.
dd_rescue-1.99.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. See here for the changes since the last version (1.99) released to this repository.
dc3dd-7.2.646-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics.
guymager-0.8.4-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
dfvfs-20170324-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libbde{,-devel,-python,-python3,-tools}-20170204-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20170204-1.el6.{i686,x86_64}.rpm- Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libbfio,{-devel}-20170123-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,{i386,x86_64}}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. See here for the list of changes.
libesedb{,-devel,-python,-python3,-tools}-20170121-1.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20170121-1.el6.{i686,x86_64}.rpm- Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
libevt{,-devel,-python,-python3,-tools}-20170120-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libevt{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-python3,-tools}-20170122-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
libfwsi{,-devel,-python,-python3}-20160110-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20160110-1.el6.{i686,x86_64}.rpm- Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
libiconv{,-devel,-static,-utils}-1.15-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libiconv provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode. Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconf. This release makes the library files also available at /usr/libiconf/lib for the x86_64 architecture which makes the package easier to use when building packages that use libiconv.
liblnk{,-devel,-python,-python3,-tools}-20170111-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20170111-1.el6.{i686,x86_64}.rpm- Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-python3,-tools}-20170116-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20170116-1.el6.{i686,x86_64}.rpm- Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf{,-devel,-python,-python3,-tools}-20170129-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20170129-1.el6.{i686,x86_64}.rpm- Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libqcow{,-devel,-python,-python3,-tools}-20170222-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libqcow{,-devel,-python,-tools}-20170222-1.el6.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
libsigscan{,-devel,-python,-python3,-tools}-20170124-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libsigscan{,-devel,-python,-tools}-20170124-1.el6.{i686,x86_64}.rpm- a href="https://github.com/libyal/libsigscan/wiki">Libsigscan is a library and tools used to binary signature scanning. See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20170225-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20170225-1.el6}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libvhdi{,-devel,-python,-python3,-tools}-20170223-1.(fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20170223-1.el6.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvmdk{,-devel,-python,-python3,-tools}-20170226-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libvmdk{,-devel,-python,-tools}-20170226-1.el6.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
nDPI{,-devel}-1.8-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.

This version brings the code base used to build this package up to 2017-03-28.
partclone-0.2.90-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.15.0‑2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.15.0‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset{-devel,-lib,-tools}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
analysis-pipeline-5.6-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release. This package was rebuilt to use silk 3.15.0.
capstone{,-devel,-python,-python3}-3.0.4-4.{fc20,fc21}.{i686,x86_64}.rpm and capstone-java-3.0.4-4.noarch.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
capstone{,-devel,-python,-python3}-3.0.4-4.el7.x86_64.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
capstone{,-devel,-python,}-3.0.4-4.el6.(i386,x86_64}.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
pyew-2.3.0.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
radare{,-devel}-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and radare{,‑devel}‑2.1.3.0‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and python‑radare‑2.1.3.0‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
Volatility-2.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.6. You can read about this version here Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
Volatility-community-plugins-20170405-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/. Note: The following plugins were removed the el6: PhilipHuppert, ThomasChopitea, TranVienHa, YingLi, DaveLasalle, LoïcJaquemet, and artoszInglot.
python-haystack-0.36-0.noarch.rpm - Python-Haystack is an heap analysis framework, focused on searching and reversing of C structure in allcoated memory.
python-pycoin-0.77-0.noarch.rpm - Python-Pycoin is an implementation of several utility routines that may be useful when dealing with bitcoin and some alt-coins. It has been tested with Python 2.7, 3.3, 3.4 and 3.5.
python-dpapick-0.3-0.noarch.rpm - Python-Dpapick is a Python toolkit to provide a platform-independant implementation of Microsoft's cryptography subsytem called DPAPI (Data Protection API). It can be used either as a library or as a standalone tool. It is also the first open-source tool that allows decryption of DPAPI structures in an offline way and, moreover, from another plateform than Windows. It is provided with some application probes that includes the built-in logic to retreive the corresponding secrets that are protected. For more information go here.
python-typing-3.6.1.0-0.noarch.rpm - Python-Typing is a backport of the standard library typing module to Python versions older than 3.6. Typing defines a standard notation for Python function and variable type annotations. The notation can be used for documenting code in a concise, standard format, and it has been designed to also be used by static and runtime type checkers, static analyzers, IDEs and other tools. Note: this package was installed only for Fedora 20, 21, and 22. All other versions of Fedora and CentOS provide this package.
python-M2Crypto-0.26.0-0.noarch.rpm - Python-M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python’s httplib, urllib, and xmlrpclib; unforgeable HMAC’ing AuthCookies for web session management; FTP/TLS client and server; S/MIME; ZServerSSL: A HTTPS server for Zope and ZSmime: An S/MIME messenger for Zope. M2Crypto can also be used to provide SSL for Twisted. Smartcards are supported through the Engine interface.
python-ioc_writer-0.3.3-0.noarch.rpm - Python-IOC_Writer is a Python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.8-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.6-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.6-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.5-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.5-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.8-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.10.6-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 4.10.6-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.17-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.17-100 for FC24

March 20, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.13-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.13-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.13-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.13-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.13-101 for FC24

March 10, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.13-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.13-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.13-100 for FC24
super_mediator-1.5.2-1.{fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the list of changes for this release.
snarf{,-devel,-python}-0.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. See here for the list of changes for this release. Note: due to the changing package requirements of snarf, there is no support for Fedora 20 and CentOS/RHEL 6.
CERT-Forensics-Tools-1.0-70.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- The package xplico is now installed for Fedora 25.
- The package snarf is now installed for Fedora 25, 24, 23, 22, and 20, and CentOS/RHEL 6 and 7. Snarf is not available for Fedora 21.

March 3, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.11-200 for FC25
- 4.9.12-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.11-200 for FC25
- 4.9.12-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.12-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.12-100 for FC24
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.13.2 for EL6
- 2.6.32-642.15.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.13.2 for EL6
- 2.6.32-642.15.1 for EL6

February 23, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.10-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.9-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.8-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.8-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.10-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.9-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.9-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.8-100 for FC24
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-418 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-418 for EL5
pyfixbuf-0.2.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes. Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.). See this page for a list of problems fixed in this and all releases.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.70-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
socat-1.7.3.2-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals. Socat can be used, e.g., as TCP port forwarder (one-shot or daemon), as an external socksifier, for attacking weak firewalls, as a shell interface to UNIX sockets, IP6 relay, for redirecting TCP oriented programs to a serial line, to logically connect serial lines on different computers, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections. See the change log that is part of the RPM package for a list of changes since the last version (1.7.3.0).
pfring-6.4.1-1143.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.4.1-1143.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
bokken-1.8-2.{fc20,fc21,fc22,fc23,fc24,fc24,el6,el7}.{i686,x86_64}.rpm and bokken‑1.8‑1.{el6,el7}.x86_64.rpm - Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities. This release was built to correct a configuration error in the bokken script that set the shell variable BOKKEN_DIR incorrectly for systms of the x86_64 architecture.

February 10, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.7-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.7-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.7-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.7-101 for FC24

February 4, 2017: The following changes have been made:

fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.6-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.6-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.5-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.5-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.4-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.4-201 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.3-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.3-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.6-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.6-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.5-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.5-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.9.4-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.9.4-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.16-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.16-200 for FC24
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.6.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.6.1 for EL7
xplico-1.2.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. Here are the chanes for this version:
- Migration from PHP5 to PHP7
- CakePHP 2.8
- IMAP bug fix
- Bugfix: reported on Security Onion
pfring-6.4.1-1064.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.4.1-1064.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed. This package conains the code and supporting files needed to create the PF_Ring kernel module.
yaf{,-devel}-2.8.4-2.{el6,el7}.x86_64.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. This package has been rebuilt to assert the --with-pfring configuration option. Note that this is a package that supports PR_Ring sockets. To install PF_Ring on your CentOS/RHEL system, please follow the directions found here.

January 15, 2017: The following changes have been made:

super_mediator-1.5.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the list of changes for this release.
libschemaTools{,-devel}-1.2.1-1-{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - libschemaTools is a library that provides a standard representation of data records. It is built on fixbuf, using IPFIX information elements. It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source. SchemaTools removes the need for the processing application to know the details of how to retrive data, and to know the structure of the records. See here for the list of changes for this release.
analysis-pipeline-5.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.16-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.16-300 for FC25
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.13.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.13.1 for EL6

December 31, 2016: The following changes have been made:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.15-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.15-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.15-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.15-300 for FC25
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-514.2.2 for EL7
- 3.10.0-514 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-514.2.2 for EL7
- 3.10.0-514 for EL7
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-417 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-417 for EL5
daq-2.0.6-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Changes made to support NFQ which is the new and improved way to process iptables packets.
snort-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- Here is the OpenAppId Detector Developer Guide .
snort-sample-rules-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.

December 22, 2016: The following changes have been made:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.14-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.14-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.14-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.14-300 for FC25

December 15, 2016: The following changes have been made:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.13-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.13-100 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.12-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.12-100 for FC23
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.13-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.13-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.12-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.12-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.13-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.13-300 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.12-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.12-300 for FC25

December 12, 2016: The following changes have been made:

Fedora 8 - The repository files for Fedora 8 have beem removed.
Fedora 9 - The repository files for Fedora 9 have beem removed.
Fedora 10 - The repository files for Fedora 10 have beem removed.
Fedora 11 - The repository files for Fedora 11 have beem removed.
Fedora 12 - The repository files for Fedora 12 have beem removed.
Fedora 13 - The repository files for Fedora 13 have beem removed.
Fedora 14 - The repository files for Fedora 14 have beem removed.
Fedora 15 - The repository files for Fedora 15 have beem removed.
Fedora 16 - The repository files for Fedora 16 have beem removed.

December 8, 2016: The following have been released:

Fedora 25 - The repository now supports Fedora 25 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 25:

2hash
afflib
aimage
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
bulk_extractor
bulk_extractor-stoplist
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
efilter-1
eindeutig
epub
exfat-utils
fatback
fcrackzip
fmem-kernel-modules
fmem-kernel-modules-common
frag_find
fred

fundl
fuse-exfat
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
libbde
libbfio
libesedb
libevt
libevtx
libewf
libfixbuf
libfsntfs
libfvde
libfwnt
libfwsi
libguytools
libiconv
liblnk
libluksde
libmsiecf
libolecf
libp0f
libpff
libpst
libqcow
libregf
libscca

libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
lime-kernel-modules
lime-kernel-modules-common
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
ptk
pyew
python-apsw
python-construct
python-radare
python-rarfile
python-registry
pytsk3
radare
rar
registrydecoder

reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-openappid
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
testdisk
undbx
unrar
untex
videosnarf
vinetto
vmfs-tools
Volatility
Volatility-community-plugins
xlsxwriter
xmount
xplico
yaf
yara
yara-python

fmem-kernel-modules-1.6-1.9.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 25 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-9.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 25 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.11-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.11-300 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.11-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.11-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.10-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.10-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.8-200 for FC24
- 4.8.7-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.8-200 for FC24
- 4.8.7-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.11-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.11-100 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.10-100 for FC23
- 4.8.8-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.10-100 for FC23
- 4.8.8-100 for FC23
libpff-20161119-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF,the Digital Forensics Framework. See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.14.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.14.0‑2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.14.0‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.5-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This release was built using SiLKSiLK version 3.14.0.
silk-ipset{,-devel,-lib,-tools}-3.14.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
Volatility-community-plugins-20161202-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/.
dff-1.3.6-20161201.1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of December 1, 2016.

To support this version, the following were also installed:
- Fedora 25 (From RPM Fusion)
  - ffmpeg-3.1.5-1.fc25.i686.rpm
  - ffmpeg-devel-3.1.5-1.fc25.i686.rpm
  - ffmpeg-libs-3.1.5-1.fc25.i686.rpm
  - lame-3.99.5-6.fc25.i686.rpm
  - lame-devel-3.99.5-6.fc25.i686.rpm
  - lame-libs-3.99.5-6.fc25.i686.rpm
  - libavdevice-3.1.5-1.fc25.i686.rpm
  - x264-devel-0.148-13.20160924git86b7198.fc25.i686.rpm
  - x264-libs-0.148-13.20160924git86b7198.fc25.i686.rpm
  - x265-devel-1.9-3.fc25.i686.rpm
  - x265-libs-1.9-3.fc25.i686.rpm
  - xvidcore-1.3.4-2.fc24.i686.rpm
  - xvidcore-devel-1.3.4-2.fc24.i686.rpm
xplico-1.1.1-6.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.x86_64.rpm - xplico is an Internet traffic decoder. Xplico needs various variables set in the /etc/php.ini file. These used to be set in the scripts provided by the package and in the script that starts Xplico. They are now set in the configuration file for the Apache Web Server. Nonetheless, when Xplico is installed, the Apache Web Server must be restarted if it was running and started otherwise.

Note also that Xplico is not avaible for Fedora 25. This is because of an incompatibility between PHP 7 which is provided with Fedora 25 and the version of CakePHP that was used to build Xplico (1.3.20).
CERT-Forensics-Tools-1.0-69.fc25.{i686,x86_64}.rpm - This package was updated as follows: The package Xplico was temporarily removed for Fedora 25. It will be re-added when it supports PHP 7.

November 14, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.6-201 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.6-201 for FC24
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.69-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.13.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.13.0‑2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.13.0‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.5-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes since the last version (5.4.1).
silk-ipset{,-devel,-lib,-tools}-3.13.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
super_mediator-1.4.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use silk-ipset-3.13.0.
libvshadow{,-devel,-python,-tools}-20161111-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
libfwnt{,-devel,-python,-python3}-20151103-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm and libfwnt{,-devel,-python}-20160418-1.el6.noarch.rpm - LibFWNT, is a library for Windows NT data types. See here for the list of changes. This package is needed by dfvfs and plaso.
libscca{,-devel,-python,-python3,-tools}-20161031-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libscca{,-devel,-python,-tools}-20161031-1.el6.x86_64.rpm - Libscca is a library to access the Windows Prefetch File (SCCA) format. See here for the list of changes.

November 8, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.8.4-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.8.4-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.10-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.10-100 for FC23
dfdatetime-20161104-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.

October 31, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.9-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.9-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.9-100 for FC23
- 4.7.8-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.9-100 for FC23
- 4.7.8-100 for FC23
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.36.3 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.36.3 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.11.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.11.1 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.6.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.6.2 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-416 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-416 for EL5
xplico-1.1.1-5.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.x86_64.rpm - xplico is an Internet traffic decoder. Xplico needs various variables set in the /etc/php.ini file. In all releases before this one, these variables were set only when the package was installed, and unset when the package was removed. This method did not take into account new releases of the package of which /etc/php.ini is a part. To solve this problem, the script that start xplico - /usr/sbin/xplico - has been changed to set these variables every time xplico is started and return them to their previous values when xplico is stopped. This technique makes xplico immune to changes in other packages installed on a system.
artifacts-20161022-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. This package was built to support plaso.
dfdatetime-20161017-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. This package is needed by dfvfs.
libexe{,-devel,-python,-python3,-tools}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libexe{,-devel,-python,-tools}-20160418-2.el6.{i686,x86_64}.rpm - Libexe is a library to access the executable (EXE) format. See here for the list of changes.
libwrc{,-devel,-python,-python3,-tools}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20160418-2.el6.{i686,x86_64}.rpm - Libwrc is a library to access the Windows Resource Compiler (WRC) format. See here for the list of changes.
pytsk3-20160721-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. Note that this version is now named pytsk3 and it obsoletes pytsk.
plaso-1.5.1-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, plaso-1.5.0-1.el7.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the 1.5.0 release announcement here. There is no comprehensive list of changes for 1.5.1.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso. Installation as an update and as a new install of have been successfully tested.
dfvfs-20160918-2.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. This version was rebuilt to use the renamed pytsk3.

October 21, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.7-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.7-100 for FC23
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.7-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.7-200 for FC24
xplico-1.1.1-4.el7.x86_64.rpm - xplico is an Internet traffic decoder. This release uses systemctl instead of systemon CentOS/RHEL 7.
xplico-1.1.1-3.el7.x86_64.rpm - xplico is an Internet traffic decoder. This release was rebuilt to use the Python 3.3 code for CentOS/RHEL 7.

October 14, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.6-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.6-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.6-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.6-100 for FC23
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.36.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.36.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.6.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.6.1 for EL6

October 7, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.5-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.5-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.5-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.5-100 for FC23

September 30, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.4-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.4-100 for FC23

September 23, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.4-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.4-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.3-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.3-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.3-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.3-100 for FC23
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.68-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
libbde{,-devel,-python,-python3,-tools}-20160731-2.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20160731-2.el6.{i686,x86_64}.rpm- Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libesedb{,-devel,-python,-python3,-tools}-20160622-2.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20160622-2.el6.{i686,x86_64}.rpm- Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
libmsiecf{,-devel,-python,-python3,-tools}-20160904-1.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20160904-2.el6.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf{,-devel,-python,-python3,-tools}-20160918-2.(fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20160918-2.el6.{i686,x86_64}.rpm- Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libfvde{,-devel,-python,-python3,-tools}-20160918-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libfvde{,-devel,-python,-tools}-20160918-1.el6.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume. See here for a list of changes since the last release (20150222).
libsmraw{,-devel,-python,-python3,-tools}-20160424-2.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20160424-2.el6.{i686,x86_64}.rpm- Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. This release was rebuilt to remove debugging information and to support Python 3 where possible and practical.
dfvfs-20160918-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
dfwinreg-20160428-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and dfwinreg-20160428-1.{el6,el7}.x86_64.rpm - DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects. The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
xlsxwriter-0.9.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and xlsxwriter-0.9.3-1.el7.x86_64.rpm - XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format. XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
efilter-1-1.5-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and efilter-1-1.5-1.el7.x86_64.rpm - Efilter is a general purpose query language designed to be embedded in Python applications and libraries. It supports SQL-like syntax to filter your application's data and provides a convenient way to directly search through the objects your applications manages. A second use case for EFILTER is to translate queries from one query language to another, such as from SQL to OpenIOC and so on. A basic SQL-like syntax and a POC lisp implementation are included with the language, and others are relatively simple to add.
python-psutil-2.1.3-1.el6.{i686,x86_64}.rpm - Python-psutil is a cross-platform library for retrieving information onrunning processes and system utilization (CPU, memory, disks, network)in Python. This package was built to support plaso.
plaso-1.5.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, plaso-1.5.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See the release announcement here.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of plaso. Installation as an update and as a new install of have been successfully tested.
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.36.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.36.1 for EL7

September 11, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.2-201 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.2-201 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.7.2-101 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 4.7.2-101 for FC23
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-412 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-412 for EL5
fmem-kernel-modules-common-1.6-1.3.noarch.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This package contains the source code for making the FMEM kernel modules and the install-fmem script. Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7. If you use rsync, make certain that you use the -H option to preserve those hard links.
lime-kernel-modules-common-1.1.r17-3.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes tie lime-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of packages but decreases their size.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7 If you use rsync, make certain that you use the -H option to preserve those hard links.
yara{,-doc,-devel}-3.5.0-5.1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. This release (5.1) was rebuilt to coincide with the version from Fedora (3.5.0-5)but to eliminate some dependency problems on Fedora 23 and 24. Note also that the -devel and -doc packages split out the files needed for development and documentation respectively.

August 26, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.7-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.7-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.7-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.7-200 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.4.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.4.2 for EL6
analyzeMFT-2.0.19-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats. See here for the changes since the previously installed version 2.0.19.

August 22, 2016: The following have been released:

yara-3.5.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (3.4.0):
- Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
- Performance improvements
- Less memory consumption while scanning processes
- Exception handling when scanning memory blocks
- Negative integers in meta fields
- Added the --stack-size command-argument
- Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
- Functions rich_signature.toolid and rich_signature.version added to PE module
- Lots of bug fixes
yara-python-3.5.0-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (3.4.0):
- Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
- Performance improvements
- Less memory consumption while scanning processes
- Exception handling when scanning memory blocks
- Negative integers in meta fields
- Added the --stack-size command-argument
- Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
- Functions rich_signature.toolid and rich_signature.version added to PE module
- Lots of bug fixes
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.6-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.6-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.6-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.6-200 for FC23
cert-forensics-tools-release-2{3,4}-12.noarch.rpm - cert-forensics-tools-release is the package that connects a Fedora-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR). This package has been changed to require either a Fedora release or a Generic release to be able to install this package. Note that this feature is entitied Boolean Dependencies and as such requires a version of rpm version 4.13 or newer. See here for an explanation of Boolean Dependencies.
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.28.3 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.28.3 for EL7

August 12, 2016: The following have been released:

fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.5-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.5-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.5-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.5-200 for FC23
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.67-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.

August 5, 2016: The following have been released:

opencl-headers-1.2-7.el6.noarch.rpm - OpenCL-Headers: The OpenCL registry contains specifications of the core API and the OpenCL C language; a portable intermediate representation of OpenCL programs; specifications of Khronos- and vendor-approved OpenCL extensions; and links to header files corresponding to the specifications, which are now hosted in the OpenCL-Headers Github repository.
hashcat-3.00-1-{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 160 highly-optimized hashing algorithms. Hashcat currently supports CPUs, GPUs other hardware-accelerators on Linux, Windows and OSX, and has facilities to help enable distributed password cracking.
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.28.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.28.2 for EL7
RPMForge -
According to this website: https://wiki.centos.org/AdditionalResources/Repositories, the RPMForge and RepoForge repositories are dead and are no longer recommended for use. To that end, all of the packages used by CentOS/RHEL 6 and 7 have been added to this repository. To remove these packages and the RPMForge repository from your system and to install the needed replacement packages from the CERT Linux Forensics Tools Repository, do the following:
```
			sudo yum -y erase `yum list installed | grep -i rpmforge | awk '{print $1}'`
			sudo yum -y install CERT-Forensics-Tools
```
This is the list of tools that have been rebuilt and added to the CERT Linux Forensics Tools Repository.
- 2hash-0.2-1.el6.{i686,x86_64}.rpm - 2hash is a tool to calculate the md5 and sha1 hashes of a file in a single read. If you’re regularly checking/calculating hashes of large files this’ll save you a lot of disk I/O.
- adns-0.2-1.el6.{i686,x86_64}.rpm - ADNS is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities.
- cryptcat-1.2.1-1.1-{el6,el7}.{i686,x86_64}.rpm - Cryptcat is the standard netcat enhanced with twofish encryption with ports for Windows NT, BSD and Linux. Twofish is courtesy of counterpane, and cryptix. TCP/IP swiss army knife extended with twofish encryption - Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities. Cryptcat has been added to the CERT Linux Forensics Tools (LFTR) Repository from the now defunct RPMForge repository.
- etherape-0.9.13-1.el6.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.
- fatback-1.3-1.el6.{i686,x86_64}.rpm - Fatback is a tool that undeletes files from FAT filesystems.
- lame{,-libs}-3.99.5-1.el6.{i686,x86_64}.rpm - LAME > is an open source MP3 encoder whose quality and speed matches commercial encoders. LAME handles MPEG1,2 and 2.5 layer III encoding with both constant and variable bitrates.
- missidentify-1.0-1.el6.{i686,x86_64}.rpm - missidentify is a program to find Win32 applications. In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb). The program can also be run to display all executables encountered, regardless of the extension. This is handy when looking for all of the executables on a drive. Other options allow the user to record the strings found in an executable and to work recursively. See the manual page for more information.
- mount_ewf-20090113-1.el6.noarch.rpm - Mount_ewf is a tool that mounts EWF files as mounted images using the loopback capability.
- pasco-1.0-1.el6.{i686,x86_64}.rpm - Pasco is a tool that parses the information in an index.dat file and output the results in a field delimited manner so that it may be imported into your favorite spreadsheet program. Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
- perl-Data-Hexify-1.00-1.el6.noarch.rpm - perl-Data-Hexify formats arbitrary (possible binary) data into a format suitable for hex dumps in the style of xdor hexl.
- perl-File-Mork-0.3-1.el6.{i686,x86_64}.rpm - perl-File-Mork is a module to read Mozilla URL history files.
- perl-Mac-PropertyList-1.33-1.el7.noarch.rpm - perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format.
- perl-Parse-Win32Registry-0.51-1.el6.noarch.rpm - perl-Parse-Win32Registry is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API. It provides an object-oriented interface to the keys and values in a registry file. Registry files are structured as trees of keys, with each key containing further subkeys or values. The module is intended to be cross-platform, and run on those platforms where Perl will run. It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition). It is intended to be used to parse offline registry files. If a registry file is currently in use, you will not be able to open it. However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
- python-tidy-0.2-1.{el6,el7}.noarch.rpm - Python-tidy pleans up, regularizes, and reformats the text of Python scripts.
- rar-5.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Rar is a powerful archive manager. It can backup your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from Internet and create new archives in RAR and ZIP file format. See here for a list of changes in this version.
- socat-1.7.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these. These modes include generation of "listening" sockets, named pipes, and pseudo terminals. Socat can be used, e.g., as TCP port forwarder (one-shot or daemon), as an external socksifier, for attacking weak firewalls, as a shell interface to UNIX sockets, IP6 relay, for redirecting TCP oriented programs to a serial line, to logically connect serial lines on different computers, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections. See the change log that is part of the RPM package for a list of changes.
- tcpflow-1.4.4-1.el7.x86_64.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows.
- tre-0.8.0-1.el6.{i686,x86_64}.rpm - Tre is a lightweight, robust, and efficient POSIX compliant regexp matching library with some exciting features such as approximate (fuzzy) matching. The matching algorithm used in TRE uses linear worst-case time in the length of the text being searched, and quadratic worst-case time in the length of the used regular expression. In other words, the time complexity of the algorithm is O(M^2N), where M is the length of the regular expression and N is the length of the text. The used space is also quadratic on the length of the regex, but does not depend on the searched string. This quadratic behaviour occurs only on pathological cases which are probably very rare in practice.
- unrar-5.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Unrar is a powerful archive manager. It can backup your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from Internet and create new archives in RAR and ZIP file format. See here for a list of changes in this version.

July 27, 2016: The following have been released:

plaso-1.4.0-4.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4.0-4.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. This release is version 1.4.0 and not a beta release as was previously installed in the repository.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for i686 and x86_64 architectures and CentOS/RHEL versions 7 for the x86_64 architecture for this version of plaso.
dfvfs-20160726-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. This version uses the source code dated 2016-03-06 to fix this error: https://github.com/log2timeline/plaso/issues/803.
dfdatetime-20160706-1.el6.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. This package is needed by dfvfs.

July 24, 2016: The following have been released:

undbx-0.21-1.el7.x86_64.rpm - Undbx extracts, recovers and undeletes e-mail messages from Outlook Express .dbx files. This package was orphaned in RedHat EPEL and has been installed in this repository.

July 22, 2016: The following have been released:

fmem-kernel-modules-common-1.6-1.2.noarch.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This package contains the source code for making the FMEM kernel modules and the install-fmem script. Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7. If you use rsync, make certain that you use the -H option to preserve those hard links.
foremost-1.5.7-13.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, EnCase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery. Originally developed by the United States Air Force Office Special Investigation and Center for Information Systems Security Studies and Research, foremost has been opened to the general public. Send any comments, suggestions, patches, or feedback you have on this program to namikus@users.sf.net.
libewf{-devel,-tools,-python}-20160718-20140608.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and ewftools-20160718-20140608.1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140608 but to make it the latest version, the version number was changed to the build date (20160718) and the release number changed to include the source code release date (20140608). To install this version, do the following:
1. Disable the forensics-test repository with this command: sudo yum-config-manager --disable forensics-test
2. Save the list of installed libewf tools with this command: LIBEWF=`rpm -qa|grep 'ewf.*2014060801'|sed 's/-2014.*//`
3. Remove this list of installed libewf tools with this command: sudo rpm -ev $LIBEWF --nodeps
4. Install the new versions of these libewf tools with this command: sudo yum -y install $LIBEWF
5. Update all packages with this command: sudo yum -y update
sleuthkit{,-devel,-libs}-4.2.0-4.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. This release was brought up to current with the version of code in github dated 2016-07-18. Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error.
testdisk-7.0-3.1.el6.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release was built to use the latest version of libewf that is installed in this repository.
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.4-301 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.4-301 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.4-201 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.4-201 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.14-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.14-200 for FC22

July 15, 2016: The following have been released:

Fedora 24 - The repository now supports Fedora 24 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 24:

2hash
a52dec
afflib
aimage
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
bulk_extractor
bulk_extractor-stoplist
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
eindeutig
epub
exfat-utils
faad2
fatback
fcrackzip
ffmpeg
fmem-kernel-modules
fmem-kernel-modules-common
frag_find

fred
fundl
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
lame
libbde
libbfio
libesedb
libevt
libevtx
libewf
libfixbuf
libfsntfs
libfvde
libfwnt
libfwsi
libguytools
libiconv
liblnk
libluksde
libmad
libmsiecf
libolecf
libp0f
libpff
libpst
libqcow
libregf

libscca
libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
lime-kernel-modules
lime-kernel-modules-common
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-radare
python-rarfile
python-registry
pytsk
radare
radare-extras
rar
registrydecoder

reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-openappid
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
testdisk
undbx
unrar
untex
valabind
videosnarf
vinetto
vmfs-tools
Volatility
Volatility-community-plugins
xlsxwriter
xmount
xplico
xvidcore
yaf
yara
yara-python

libpff-20160110-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF,the Digital Forensics Framework. See here for the list of changes.
libvshadow{,-devel,-python,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
dff-1.3.6-20160630.1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of June 30, 2016.

To support this version, the following were also installed:
- Fedora 24 (From RPM Fusion)
  - ffmpeg-libs-2.8.7-1.fc24.{i386,x86_64}.rpm
  - ffmpeg-2.8.7-1.fc24.{i386,x86_64}.rpm
  - ffmpeg-devel-2.8.7-1.fc24.{i386,x86_64}.rpm
  - lame-devel-3.99.5-5.fc24.{i386,x86_64}.rpm
  - libavdevice-2.8.7-1.fc24.{i386,x86_64}.rpm
  - x264-devel-0.148-7.20160614gita5e06b9.fc24.{i386,x86_64}.rpm
  - x265-devel-1.9-1.fc24.{i386,x86_64}.rpm
  - x265-libs-1.9-1.fc24.{i386,x86_64}.rpm
  - xvidcore-1.3.4-2.fc24.{i386,x86_64}.rpm
  - xvidcore-devel-1.3.4-2.fc24.{i386,x86_64}.rpm
- Fedora 23 (From RPM Fusion)
  - libbfio-devel-20160108-1.fc23.{i386,x86_64}.rpm
  - libbfio-20160108-1.fc23.{i386,x86_64}.rpm
  - libavdevice-2.8.7-1.fc23.{i386,x86_64}.rpm
  - ffmpeg-libs-2.8.7-1.fc23.{i386,x86_64}.rpm
  - ffmpeg-devel-2.8.7-1.fc23.{i386,x86_64}.rpm
- CentOS 7 (From NUX)
  - faac-1.28-6.0.el7.nux.x86_64.rpm
  - fdk-aac-0.1.4-1.x86_64.rpm
  - ffmpeg-devel-2.6.8-3.el7.nux.x86_64.rpm
  - ffmpeg-libs-2.6.8-3.el7.nux.x86_64.rpm
  - libavdevice-2.6.8-3.el7.nux.x86_64.rpm
  - x264-libs-0.142-11.20141221git6a301b6.el7.nux.x86_64.rpm
  - x265-libs-1.9-1.el7.nux.x86_64.rpm
  - xvidcore-1.3.2-5.el7.nux.x86_64.rpm
libbde{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libbfio{-devel,-python}-20160108-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,{i386,x86_64}}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access.
libevt{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20160420-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libfsntfs{,-devel,-python,-tools}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20160423-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.66-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
libregf{,-devel,-python,-tools}-20160424-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20160424-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
fmem-kernel-modules-1.6-1.8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 24 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 24 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.3-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.3-300 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.1.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-1.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.7-202 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.7-202 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.3.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-411 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-411 for EL5
lime-kernel-modules-common-1.1.r17-2.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes tie lime-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of packages but decreases their size.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7 If you use rsync, make certain that you use the -H option to preserve those hard links.
snort-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the OpenAppId Detector Developer Guide .
snort-sample-rules-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
dfvfs-20160706-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of dfvfs.
libfwnt{,-devel,-python,-python3}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm and libfwnt{,-devel,-python}-20160418-1.el6.noarch.rpm - LibFWNT, is a library for Windows NT data types. See here for the list of changes. This package is needed by dfvfs.
dfdatetime-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. This package is needed by dfvfs.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.2‑2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.2‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
distorm3-3.3.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. The changes are listed here.
Volatility-2.5-4.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.5. It also contains the mimikatz plugin. This release was build using the code as of 2016-07-08.
Volatility-community-plugins-20160708-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/.
exfat-utils-1.2.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.3).
nDPI{,-devel}-1.8-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
xplico-1.1.1-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work with nDPI-1.8.
python-registry-1.2.0-1.{fc20,fc21,fc22,fc23,fc23,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry.
valabind-0.10.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and valabind‑0.10.0‑1.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
radare{,-devel}-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and radare{,‑devel}‑2.0.10.4‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and python‑radare‑2.0.10.4‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
radare-extras-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and radare‑extras‑2.0.10.4‑1.el7.x86_64.rpm- Radare-Extras are are extra plugins for radare2.
disktype-9-19.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA. This version was rebuilt to increment the release number to be higher (19.1) than the current version provided for either Fedora (19) or CentOS/RHEL (12).
netsa-rayon-1.4.3-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython,/a> (for GUI output). See here for a list of changes. This release was rebuilt to use Syhinx version 1.2.2 to produce the documentation.
analysis-pipeline-5.4.1-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes since the last version (5,4).

June 24, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.13-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.13-200 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.7-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.7-200 for FC23
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.22.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.22.2 for EL7

June 10, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.12-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.12-200 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.6-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.6-200 for FC23
analysis-pipeline-5.4-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).

June 7, 2016: The following have been released:

netsa-python-1.5-1.{fc20,fc21,fc22,fc23,el6,el7}.{i386,x86_64}.rpm, netsa_silk-1.5-1.{fc20,fc21,fc22,fc23,el6,el7}.{i386,x86_64}.rpm - Netsa-python is a library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes). Netsa-python is compatible with Python versions 2.4 and greater. See here for a list of the changes since the last release which was version 1.4.3.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.11-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.11-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.1.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.1.1 for EL6
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.5-201 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.5-201 for FC23

May 27, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.10-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.10-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642 for EL6

May 26, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.9-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.9-200 for FC22

May 16, 2016: The following have been released:

CERT-Forensics-Tools-1.0-68.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- The package fuse-exfat was incorrectly obsoleted by CERT-Forensics-Tools. This incorrect obsoleting directive was removed since it was already in exfat-utils, where it belongs.

May 13, 2016: The following have been released:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.1‑2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.1‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-410 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-410 for EL5
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.9-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.9-300 for FC23
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.18.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.18.2 for EL7

May 9, 2016: The following have been released:

fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.26.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.26.1 for EL6
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.8-200 for FC22
libewf{-devel,-tools,-python}-2014060801-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm, ewftools-2014060801-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. These packages have been installed in the forensics-test repository. To use this repository, you will need to enable it with this command: sudo yum-config-manager --enable forensics-test.
sleuthkit{,-devel,-libs}-4.2.0-4.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. This release was brought up to current with the version of code in github dated 2015-10-07. Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error. These packages have been installed in the forensics-test repository. To use this repository, you will need to enable it with this command: sudo yum-config-manager --enable forensics-test. Note: if you install libewf-2014060801 you will need this version of The Sleuth Kit.

April 29, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.8-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.8-300 for FC23

April 21, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.7-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.7-300 for FC23
yaf{,-devel}-2.8.4-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for the changes since the last released version (2.8.2).
partclone-0.2.88-1.{fc22,fc21,fc20}.x86_64.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release. This version is being released due to changes dictated by the ntfs-3g, version 2016.2.22, which was released on April 21, 2016 for Fedora 22. All other versions were rebuilt to maintain release numbering consistency.

April 14, 2016: The following have been released:

partclone-0.2.88-1.el7.x86_64.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release. This version is being released due to changes dictated by the ntfs-3g, version 2016.2.22, which was released on April 14, 2016 for CentOS/RHEL 7. This version will be installed on all other supported OSes and architectures by April 22, 2016.
partclone-0.2.71-5.el6.{i386,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release. This version is being released due to changes dictated by the ntfs-3g, version 2016.2.22, which was released on April 14, 2016 for CentOS/RHEL 6. This version will be installed on all other supported OSes and architectures by April 22, 2016.

April 11, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.6-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.6-301 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.6-201 for FC22
partclone-0.2.88-1.fc23.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release. This version is being released due to changes dictated by the ntfs-3g, version 2016.2.22, which was released on April 10, 2016 for Fedora 23. This version will be installed on all other supported OSes and architectures by April 22, 2016.

April 8, 2016: The following have been released:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.0-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.0‑2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.0‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.3.2-2.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.12.0.
silk-ipset{,-devel,-lib,-tools}-3.12.0-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
super_mediator-1.3.0-2.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use silk-ipset-3.12.0.
yaf{,-devel}-2.8.2-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for the changes since the last released version (2.8.1).
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.13.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.13.1 for EL7
byacc-1.9.20130304-3.el6.{i386,x86_64}.rpm - BYacc is a parser generator utility that reads a grammar specification from a file and generates an LR(1) parser for it. The parsers consist of a set of LALR(1) parsing tables and a driver routine written in the C programming language. It has a public domain license which includes the generated C. Byacc was installed on CentOS/RHEL 6 so that libewf could be built.
libewf-{,devel,python}-20160209-2.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm, ewftools-20160209-2.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. This version fixes the error that results when the deflate compression method (which is the default) is selected.

These packages have been installed in the forensics-test repository. To use the, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file and you must be root to do this.

March 24, 2016: The following have been released:

ddrescue-1.21-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes for this version (1.21):
- mapbook.cc (Mapbook): Fix iobuf alignment. (Reported by Heikki Tauriainen).
- Removed short option names '-1' and '-2'.
- Allow only regular files for '--log-rates' and '--log-reads'.
- Option '-D, --odirect' now works also in fill mode.
- rescuebook.cc (copy_block): Return 1 on unaligned read error. Set e_code on any error if verify_on_error.
- Option '-X, --exit-on-error' has been extended to all phases.
- Assigned short name '-Z' to option '--max-read-rate'.
- mapbook.cc (update_mapfile): 'fsync' the mapfile every 5 minutes.
- Rescuebook: Show full range of sizes from non-tried to finished.
- rescuebook.cc (show_status): Show percent rescued.
- configure: Avoid warning on some shells when testing for g++.
- Makefile.in: Detect the existence of install-info.
libguytools-2.0.4-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager. The changes are:
- Removed arch specific code in toolsignal.cpp.
guymager-0.8.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
libsigscan{,-devel,-python,-python3,-tools}-20160312-1.{fc20,fc21,fc22,fc23,el7}.{i686,x86_64}.rpm and libsigscan{,-devel,-python,-tools}-20160312-1.el6.{i686,x86_64}.rpm- a href="https://github.com/libyal/libsigscan/wiki">Libsigscan is a library and tools used to binary signature scanning. See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20160320-1.{fc20,fc21,fc22,fc23,el7}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20160320-1.el6.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
dfvfs-20160306-1.(fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.6-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.6-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.6-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.6-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.22.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.22.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-409 for EL5
- 2.6.18-408 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-409 for EL5
- 2.6.18-408 for EL5

March 18, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.5-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.5-300 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.4-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.4-301 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.5-200 for FC22
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.4-200 for FC22
super_mediator-1.3.0-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last released version (1.2.1).

March 11, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.3-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.3-201 for FC22

March 4, 2016: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.3.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.3.6-201 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.3-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.3-300 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.4.2-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.4.2-301 for FC23
ghex{,-devel,libs}-3.18.0-1.el7.x86_64.rpm - The Ghex hex editor was installed for RHEL/CentOS 7. The previous version for RHEL/CentOS 7 (2.24) required packages that are no longer provided as part of the standard RHEL/CentOS 7 distribution. This version does not require those packages.

February 26, 2016: The following have been released:

fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.10.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.10.1 for EL7
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.3.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.3.5-200 for FC22
analysis-pipeline-5.3.2-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes to the Version 5 release of analysis-pipeline.

February 12, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.3.5-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.3.5-300 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.18.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.18.1 for EL6
libewf-{,devel,python}-20160209-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm, ewftools-20160209-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files.

These packages have been installed in the forensics-test repository. To use the, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file and you must be root to do this.
yaf{,-devel}-2.8.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for the changes since the last released version (2.8.0).
libschemaTools{,-devel}-1.2.0-1-{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - libschemaTools is a library that provides a standard representation of data records. It is built on fixbuf, using IPFIX information elements. It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source. SchemaTools removes the need for the processing application to know the details of how to retrive data, and to know the structure of the records.
analysis-pipeline-5.3.1-3.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes to the Version 5 release of analysis-pipeline.

February 7, 2016: The following have been released:

libvslvm{,-devel,-python,-python3,-tools}-20160110-1.{fc20,fc21,fc22}.{i686,x86_64}.rpm, libvslvm{,-devel,-python,-python3,-tools}-20160110-1.el7.x86_64.rpm, and libvslvm{,-devel,-python,-tools}-20160110-1.el6.{i686,x86_64}.rpm - Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format. See here for the list of changes.
dfvfs-20160203-1.(fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
xlsxwriter-0.8.4-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and xlsxwriter-0.8.4-1.{el6,el7}.x86_64.rpm- XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format. XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more, including:
- 100% compatible Excel XLSX files.
- Full formatting.
- Merged cells.
- Defined names.
- Charts.
- Autofilters.
- Data validation and drop down lists.
- Conditional formatting.
- Worksheet PNG/JPEG images.
- Rich multi-format strings.
- Cell comments.
- Integration with Pandas.
- Textboxes.
- Memory optimization mode for writing large files.
It supports Python 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4, 3.5, Jython and PyPy and uses standard libraries only. The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
plaso-1.4-3.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4-3.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. This release adds the missing artifacts and python-requests dependencies.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 7 for the x86_64 architecture for this version of plaso.

February 5, 2016: The following have been released:

fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.3.4-300 for FC23
- 4.3.3-303 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 4.3.4-300 for FC23
- 4.3.3-303 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.3.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.3.4-200 for FC22
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.4.5 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.4.5 for EL7
splunk-6.3.2-aaff59bb082c-linux-2.6-x86_64.rpm and splunk-6.3.2-aaff59bb082c.i386.rpm - This version of Splunk was added to the Splunk repository for Fedora 20 through 23 and Fedora 6 and 7 for the i386 and x86_64 architectures. Follow these instructions after upgrading to this version. Make sure that you following these instruction after upgrading but before rebooting. If you do not following these instructions your system may hang when it reboots.
libbde{,-devel,-python,-tools}-20160110-1.{fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libevt{,-devel,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
libfwsi{,-devel,-python}-20160110-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libqcow{,-devel,-tools,-python}-20160123-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
libregf{,-devel,-python,-tools}-20160107-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
libsigscan{,-devel,-python,-tools}-20160108-1.{fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Libsigscan is a library and tools used to binary signature scanning. See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20160109-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20160108-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20160108-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvmdk{,-devel,-python,-tools}-20160119-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
libvshadow{,-devel,-python,-tools}-20160110-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
dfwinreg-20160116-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and dfwinreg-20160116-1.{el6,el7}.x86_64.rpm- DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects. The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
libscca{,-devel,-python,-python3,-tools}-20160108-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and libscca{,-devel,-python,-python3,-tools}-20160108-1.{el6,el7}.x86_64.rpm - Libscca is a library to access the Windows Prefetch File (SCCA) format. See here for the list of changes.
plaso-1.4-2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4-2.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. This release adds the missing artifacts and python-requests dependencies.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 7 for the x86_64 architecture for this version of plaso.
libfsntfs{,-devel,-python,-tools}-20160108-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.

January 8, 2016: The following have been released:

super_mediator-1.2.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last released version (1.1.3).
yaf{,-devel}-2.8.0-1.{fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for the changes since the last released version (2.7.1).
libesedb{,-devel,-python,-tools}-20151213-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
libevt{,-devel,-python,-tools}-20151206-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160103-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20151205-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20151220-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20151223-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libqcow{,-devel,-tools,-python}-20151219-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20151219-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20151219-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20151220-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvshadow{,-devel,-python,-tools}-20151220-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. See here for the list of changes.
dfvfs-20151227-1.(fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
libregf{,-devel,-python,-tools}-20151223-1.(fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
exfat-utils-1.2.3-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.0).
nDPI{,-devel}-1.7.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.8-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.8-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.8-200 for FC22
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.4.4 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.4.4 for EL7

December 18, 2015: The following have been released:

fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-327.3.1 for EL7
- 3.10.0-327 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-327.3.1 for EL7
- 3.10.0-327 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.12.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.12.1 for EL6
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.7-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.7-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.7-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.7-200 for FC22
regripper-28000000-5.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package is contains version 2.8 of the regripper tool. The plugins are packaged separately. This release contains version 08-26-13 of the auto_rip.pl. See here for more details about this script. This version is based on on the December 16, 2015 version of the regripper code.
regripper-plugins-20151216-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This package is taken from the plugins directory at the Github source code site.
libfsntfs{,-devel,-python,-tools}-20151205-1.(fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20151216-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20151005-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
pytsk-20150406-4.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. This version was rebuilt to use The Sleuth Kit version 4.2.0 for all systems except CentOS/RHEL 5 which uses The Sleuth Kit version 4.1.3. In addition, it was rebuilt to specify the correct version of CC for Fedora 23.
dfvfs-20151218-1.(fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
ghostpdl-9.18-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico.
super_mediator-1.1.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last version (1.1.2).
Fedora 19 Support for Fedora 19 i686 and x86_64 architectures - Updates to Fedora 19 for both the i686 and x86_64 CPU architectures has ceased.
Fedora 18 Support for Fedora 18 i686 and x86_64 architectures - Updates to Fedora 18 for both the i686 and x86_64 CPU architectures has ceased.
Fedora 17 Support for Fedora 17 i686 and x86_64 architectures - Updates to Fedora 17 for both the i686 and x86_64 CPU architectures has ceased.

December 4, 2015: The following have been released:

CERT-Forensics-Tools-1.0-67.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
- For CentOS/RHEL 7, the hexedit replaced the ghex program.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.6-201 for FC22
snort-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the OpenAppId Detector Developer Guide .
snort-sample-rules-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.

November 30, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.13-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.13-100 for FC21
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.6-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.6-301 for FC23

November 20, 2015: The following have been released:

distorm3-3.1-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. The changes are listed here. This version is build from distorm3 version 3.1 which is needed to address the issue noted here.
Volatility-2.5-3.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.5. It also contains the mimikatz plugin. This release was also built with Distorm3 version 3.1 as noted above.
Volatility-community-plugins-20151112-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/.
CERT-Forensics-Tools-1.0-66.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated to add the following packages:
- Added Volatility-community-plugins.
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.6-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.6-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.6-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.6-200 for FC22

November 13, 2015: The following have been released:

Fedora 23 - The repository now supports Fedora 23 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 23:

2hash
afflib
aimage
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
bulk_extractor
bulk_extractor-stoplist
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dff
dfvfs
dino
disktype
distorm3
DropboxReader
eindeutig
epub
exfat-utils
fatback
fcrackzip
ffmpeg
fmem-kernel-modules
frag_find
fred

fundl
fuse-exfat
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
ipa
jafat
KHracker
kracked
lame
libbde
libbfio
libesedb
libevt
libevtx
libewf
libfixbuf
libfsntfs
libfvde
libfwsi
libguytools
libiconv
liblnk
libluksde
libmsiecf
libolecf
libp0f
libpff
libpst

libqcow
libregf
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
lime-kernel-modules
log2timeline
LogAnalysisToolKit
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-radare
python-rarfile
python-registry
pytsk
radare
rar

registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-openappid
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
testdisk
undbx
unrar
untex
videosnarf
vinetto
vmfs-tools
Volatility
x264
x265
xmount
xplico
yaf
yara
yara-python

fmem-kernel-modules-1.6-1.7.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 23 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-7.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 23 x86_64 and i686 architectures was added.
nDPI{,-devel}-1.7-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols. Note that RHEL/CentOS 5 is not supported due to issues with autoconf.
xplico-1.1.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work with nDPI-1.6. All other suported systems were upgraded for release version consistency. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. Here are the changes since the last version (1.1.0):
- Whatsapp OS and Phone number
- Added MGCP dissector
- IMAP bug fixed
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.8.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.8.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-407 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-407 for EL5

November 6, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.5-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.5-201 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.10-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.10-100 for FC21
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.20.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.20.1 for EL7

October 30, 2015: The following have been released:

super_mediator-1.1.2-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last version (1.1.1).

October 23, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.2.3-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 4.2.3-200 for FC22
libfsntfs{,-devel,-python,-tools}-20150906-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
dfvfs-20151008-1.(fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
libbfio{,-devel,-python,-tools}-20150927-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20150928-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
libfixbuf{,-devel}-1.7.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
pyfixbuf-0.2.0-3.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes. PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point, or in converting IPFIX to another format (text, database, JSON, etc.). This release was rebuilt to use libfixbuf-1.7.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.11.0.1‑2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.11.0.1‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4.1-3.{fc17,fc18,fc9,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.11.0.
silk-ipset{,-devel,-lib,-tools}-3.11.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
super_mediator-1.1.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use libfixbuf-1.7.1 and silk-ipset-3.11.0.
yaf{,-devel}-2.7.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This release was rebuilt to use libfixbuf-1.7.1.
libfvde{,-devel,-tools}-20151013-1.{fc17,fc18,fc9,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume. See here for a list of changes since the last release (20150222).
Volatility-2.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2015-10-20 which is identified as Volatility 2.5. It also contains the mimikatz plugin.

October 16, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.10-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.10-200 for FC22

October 9, 2015: The following have been released:

sleuthkit{,-devel,-libs}-4.2.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. This release was brought up to current with the version of code in github dated 2015-10-07. Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.8-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.8-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.8-100 for FC21

October 2, 2015: The following have been released:

ADIA-FC17-{i686,x86-64}-{VMware,VirtualBox}.iso - These items are VMware and VirtualBox-based forensic appliances built with Fedora 17 for the i686 and x86_64 architectures. Please note that they are not a live CDs. See here for more details. The changes made are the folloing:
- Latest CERT Forensics Key installed.
- All packages updated as of September 24, 2015.
- SElinux disabled on all releases.
snort-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the Open Source Detectors Developers Guide here.
snort-sample-rules-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.

September 25, 2015: The following have been released:

dd_rescue-1.99-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.46):
- Version 1.99 brings updates to the ddr_crypt plugin: It adds hardware acceleration for ARMv8 CPUs/SOCs (even if in 32bit mode) -- this is a 10x speedup on AES en/decryption operations. (An Cortex-A57 at 2.1GHz (Exy7420) does ~1GB/s with AES128-CTR.) The ddr_crypt plugin xattr support has been extended and it has an option to process openSSL compatible Salted__ files. A bug in CTR initialization has been fixed. The main program sees improved write error retry logic and better fault injection logic (support for ranges, using absolute positions). There are now more variants of Android binaries.
ddrescue-1.20-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes for this version:
- 'logfile' has been renamed to 'mapfile' everywhere.
- Changed short name of option '--synchronous' to '-y'.
- Changed long name of option '-d' to '--idirect'.
- Added new option '-D, --odirect'.
- Added new option '-J, --verify-on-error'.
- Added new option '--max-read-rate'.
- rescuebook.cc (copy_block): Copy arbitrary blocks with '--idirect'.
- Include only bad_sector blocks in 'errsize'.
- rescuebook.cc (show_status): Show the estimated remaining time.
- io.cc (format_time): Show time in days, hours, minutes and seconds.
- Added per sector location data to fill mode.
- mapbook.cc: Added emergency save of the mapfile.
- Show device name with '--ask' or '-vv' on Haiku.
- mapfile.cc (read_mapfile): Read read-only mapfiles from stdin.
- ddrescuelog.cc: Allow multiple mapfiles for '-t, --show-status'.
- ddrescuelog.cc (create_mapfile): '-' writes mapfile to stdout.
- ddrescue.texi: Added new chapter 'Optical media'.
- ddrescue.texi: Documented maximum size of the rescue domain.
- configure: Option '--enable-linux' renamed to '--enable-non-posix'.
- Makefile.in: Added new targets 'install*-compress'.
- File 'ddrescue.h' renamed to 'mapbook.h'.
- File 'logbook.cc' renamed to 'mapbook.cc'.
- File 'logfile.cc' renamed to 'mapfile.cc'.
- Files linux.{h,cc} renamed to non_posix.{h,cc}.
libbde{,-devel,-python,-tools}-20150905-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20150830-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libfsntfs{,-devel,-python,-tools}-20150829-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
dfvfs-20150915-1.(fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
artifacts-20150409-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. This package was built to support plaso.
python-dpkt-1.8-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and python-dpkt-1.8-2.{el6,el7}.x86_64.rpm - Python-dpkt is a fast, simple packet creator and parser, with definitions for the basic TCP/IP protocols, for Python. This package was built to support plaso.
python-pefile-1.2.10_139.2.{fc17,fc18,fc19,el6,el7}.{i686,x86_64}.rpm - Python-pefile is a multi-platform Python module to parse and work with This version was built to support plaso. Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections' details and their data. This package was built to support plaso.
python-psutil-2.1.3-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-psutil is a cross-platform library for retrieving information onrunning processes and system utilization (CPU, memory, disks, network)in Python. This package was built to support plaso.
python-tornado-3.2.1-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user. This package was built to support plaso.
python-ipython{,-console,-doc,-gui,-notebook,-sphinx,-tests)-2.4.1-8.fc20.{i686,x86_64}.rpm - IPython is an enhanced interactive Python shell. This package was built to support plaso.
python-requests-2.3.0-3.fc20.{i686,x86_64}.rpm - Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings. Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web. It requires an enormous amount of work (even method overrides) to perform the simplest of tasks. This package was built to support plaso.
plaso-1.3.0-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm, plaso-1.3.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. This release adds the missing artifacts and python-requests dependencies.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 7 for the x86_64 architecture for this version of plaso. For Fedora 17, 18, and 19 and CentOS/RHEL 5 and 6 for the i686 and x86_64 architectures, all dependencies are satisfied but not all available packages mee the minimum requirements for plaso. Effort to satisfy these out-of-date dependencies will be expended when there is a specific request to do so.
sleuthkit{,-devel,-libs}-4.2.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the list of changes in this release.
pytsk-20150406-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. This version was rebuilt to use The Sleuth Kit version 4.2.0 for all systems except CentOS/RHEL 5 which uses The Sleuth Kit version 4.1.3.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.7-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.7-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.7-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.7-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.7.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.7.1 for EL6
yara-3.4.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (3.3.0):
- Short-circuit evaluation for conditions
- New yr_rules_save_stream/yr_rules_load_stream APIs.
- load() and save() methods in yara-python accept file-like objects
- Improvements to the PE and ELF modules
- Some performance improvements
- New command-line option --print-module-data
- Multiple bug fixes.
In addition, release 2 was built with openssl-devel
yara-python-3.4.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (3.3.0):
- Short-circuit evaluation for conditions
- New yr_rules_save_stream/yr_rules_load_stream APIs.
- load() and save() methods in yara-python accept file-like objects
- Improvements to the PE and ELF modules
- Some performance improvements
- New command-line option --print-module-data
- Multiple bug fixes.
In addition, release 2 was built with openssl-devel

September 18, 2015: The following have been released:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-5.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The SiLK analysis suite has been recompiled to make use of the default UTC time rather than local time. Please be aware of the following changes that will need to be made to any existing analytics or workflows if you would like to continue to make use of local time rather than UTC.
- Any analytic or workflow that makes use of a SiLK tool that outputs time (e.g., rwcut, rwcount, etc.) will need to be changed to use the --timestamp-format=local switch in the SiLK command(s).
- Additionally, the TZ environment variable or system clock will need to be set to the local time zone that is desired.
- Any analytic or workflow that makes use of a SiLK tool that takes time as an input (e.g., rwfilter, rwcount, etc.) will need to be changed to convert local time to UTC. On a *nix system, this can be done by making use of the date(1) program. See the man page for complete documentation.
An example command that can be used to convert a local date time to UTC for use in the --start-date switch is:
date -ud <local date time> +%Y/%m/%dT%H
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑6.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑6.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. These packages have also been recomplied to make use of the default UTC time rather than local time. See above.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.6-201 for FC22
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.14.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.14.1 for EL7

September 11, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.6-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.6-100 for FC21
libvhdi{,-devel,-python,-tools}-20150905-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libpff-20131028-2.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF - the Digital Forensics Framework. See here for the list of changes. This version was rebuilt to reference libbfio externally rather than the internal version provided with libpff.
ffmpeg{-libs,-devel}-2.6.4-1.fc22.{i686,x86_64}.rpm - FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec - the leading audio/video codec library. These packages have been made available in are support of dff.
libavdevice-2.6.4-1.fc22.{i686,x86_64}.rpm - Libavdevice is a complementary library to libavf "libavformat". It provides various "special" platform-specific muxers and demuxers, e.g. for grabbing devices, audio capture and playback etc. These packages have been made available in are support of dff.
dff-1.3.5.20150908-2.{fc17,fc18,fc19,fc20,fc21,fc22,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of September 8, 2015.

September 4, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.6-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.6-200 for FC22
exfat-utils-1.2.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version (1.0.1):
- 1.2.0 (2015-08-26)
  - * Switched from SCons to autotools.
  - * Added musl libc support [Brendan Heading].
  - Worked around "FS is larger than device" error for memory cards formatted by Panasonic Lumix cameras.
  - Worked around "unknown entry type 0xe1" error for memory cards formatted by Sony cameras.
- 1.1.1 (2014-11-15)
  - Fixed mkfs crash on some sectors-per-cluster (-s option) values.
- 1.1.0 (2014-07-08)
  - Relicensed the project from GPLv3+ to GPLv2+.
  - OpenBSD support [Helg Bredow].
  - Improved I/O errors handling.
  - Implemented fsync() and fsyncdir().
  - Fixed crash on Mac OS X 10.5 caused by non-standard use of realpath(). Also fixed TrueCrypt disks unmounting.
  - Avoid extra erase on writes to the end of a file. This should improve linear write speed.
  - Allow arbitrary changing of lower 9 bits of mode. Allow owner/group changing to the same owner/group. This fixes rsync.
  - Fixed buffers overflows when handling lengthy file names.
  - Fixed "real size does not equal to size" error on volumes with pagefile.sys.
  - Fixed negative IUsed in "df -i" output.
In addition, because exfat-utils now includes mount.exfat and mount.exfat-fuse, exfat-utils obsoletes fuse-exfat.
CERT-Forensics-Tools-1.0-65.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated to add the following packages:
- Obsoleted fuse-exfat for Fedora 17-22 and CentOS 6 and 7.

August 21, 2015: The following have been released:

partclone-0.2.80-1.{fc17,fc18,fc19,fc20,fc21,fc22,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.5-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.5-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.5-100 for FC21

August 14, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.4-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.4-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.4-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.3.1 for EL6
Fedora 20 Support for Fedora 20 i686 and x86_64 architectures - Updates to Fedora 20 for both the i686 and x86_64 CPU architectures has ceased.

August 7, 2015: The following have been released:

daq-2.0.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. See here for the changes in 2.0.6.
snort-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the Open Source Detectors Developers Guide here.
snort-sample-rules-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.3-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.3-201 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.3-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.3-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-573.1.1 for EL6
- 2.6.32-573 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-573.1.1 for EL6
- 2.6.32-573 for EL6
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.11.1 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.11.1 for EL7

July 31, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.1.3-200 for FC22
- 4.1.2-200 for FC22
- 4.0.8-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 4.1.3-200 for FC22
- 4.1.2-200 for FC22
- 4.0.8-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.8-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.8-200 for FC21
plaso-1.3.0-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm, plaso-1.3.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Go here to read about all of the changes and features in this release.
dfvfs-20150730-1.(fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
libfwsi{,-devel,-python}-20150701-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
python-pefile-1.2.10_139.2.{el6,el7}.x86_64.rpm - Python-pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible as well as all sections' details and their data. This version was built for CentOS/RHEL 6 and 7 to support plaso.
python-construct-2.5.2-1.fc22.{i686,x86_64}.rpm - Python-construct is a powerful declarative parser (and builder) for binary data. Support was added for Fedora 22.

July 17, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.7-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.7-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.7-200 for FC21

July 10, 2015: The following have been released:

libfixbuf{,-devel}-1.7.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
pyfixbuf-0.2.0-2.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes. PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point, or in converting IPFIX to another format (text, database, JSON, etc.). This release was rebuilt to use libfixbuf-1.7.0.
super_mediator-1.1.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last version (1.1.1).
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This release was rebuilt to use libfixbuf-1.7.0.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑4.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑4.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
yaf{,-devel}-2.7.1-2.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This release was rebuilt to use libfixbuf-1.7.0.
yaf{,-devel}-2.2.1-10.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. This release was rebuilt to use libfixbuf-1.7.0.
dino-1.5-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.noarch.rpm - Dino, the drop in network observer, is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, uses the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness. It is built on PHP and Open Flash Chart, it is designed to be run on Linux systems and has been tested on Fedora, Redhat and Ubuntu. DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic/hourly traffic/top ports and snort alerts with the related flows records. This release was rebuilt to use libfixbuf-1.7.0.
libevt-{,devel,python,tools}-20150706-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20150630-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libregf{,-devel,-python,-tools}-20150704-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
CERT-Forensics-Tools-1.0-64.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated to add the following packages:
- Obsoleted snarf for CentOS/RHEL 7

July 2, 2015: The following have been released:

fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.5-300 for FC22
- 4.0.6-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.5-300 for FC22
- 4.0.6-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.6-200 for FC21
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.0.5-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.6-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for LiME:
- 4.0.5-200 for FC21
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.7.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.7.2 for EL7
bokken-1.8-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and bokken‑1.8‑1.{el6,el7}.x86_64.rpm - Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities.
- Removed pyew entirely. Its support has been in a non-official deprecated state for the past two years but we were trying not to do it. Pyew has some dependencies that makes harder to package it, it's missing a lot of features from r2, plus it sees very few releases.
- Removed other almost useless features in their current form: Strings repr and Interactive mode. We expect to bring those at some point in a proper way.
- Added r2 console. It crashes here and there but we think it's rather usable.
- Added interactive Python console.
- Rearranged and simplified some tabs: Strings, Relocs and File info.
- Some additional cleanups and fixes.
Note: Although bokken was installed for CentOS/RHEL6, it does not work correctly due to a bug in the librsvg2 library.
radare{,-devel}-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and radare{,‑devel}‑2.0.9.9‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
valabind-0.9.2-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and valabind‑0.9.2‑1.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
python-radare-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and python‑radare‑2.0.9.9‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
dd_rescue-1.98-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.46):
- It has a few improvements such as a few cleanups, a fault injection framework for testing and significantly improved speed of the pseudo RNG. But the important feature is the addtion of a crypt plugin. You can insert it into the plugin chain to de/encrypt data using the AES family of algorithms. (More are planned for the future.) You can use 128/192/256 bit keys and optionally use a higher number of rounds to have an increased security margin. Keys (and IVs) can be generated, saved, retrieved or generated from password and salt. Please be aware that despite diligent testing this is a new plugin -- so be prepared that there will be some changes and bugfixes to it in the near future.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.2‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset{,-devel,-lib,-tools}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
liblnk{,-devel,-python,-tools}-20150617-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20150629-1.(fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libvmdk{,-devel,-python,-tools}-20150516-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
dfvfs-20150630-1.(fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
daq-2.0.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. See here for the changes in 2.0.5.
snort-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the Open Source Detectors Developers Guide here.
snort-sample-rules-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
nDPI{,-devel}-1.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols. Note that RHEL/CentOS 5 is not supported due to issues with autoconf.
xplico-1.1.0-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work with nDPI-1.6. All other suported systems were upgraded for release version consistency. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
pytsk-20150406-4.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. This version was primarily rebuilt to fix problems caused by GCC Version 5 on Fedora 22. The other systems were rebuilt to keep release consistency.
python-xlwt-1.0.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Python-xlwt is a library for generating spreadsheet files that are compatible with Excel 97/2000/XP/2003, OpenOffice.org Calc, and Gnumeric. Python-xlwt has full support for Unicode. Excel spreadsheets can be generated on any platform without needing Excel or a COM server. See here for a list of changes since the previously released version (0.7.4).
Volatility-2.4-9.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2015-06-30. It also contains the mimikatz plugin.
super_mediator-1.1.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. See here for the changes since the last version (0.3.0).

June 12, 2015: The following have been released:

fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.23.4 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.23.4 for EL6

June 5, 2015: The following have been released:

Fedora 22 - The repository now supports Fedora 22 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 22:

hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
lame
libbde
libbfio
libesedb
libevt
libevtx
libewf
libfixbuf
libfvde
libfwsi
libguytools
libiconv
liblnk
libluksde
libmsiecf
libolecf
libp0f
libpff
libpst
libqcow
libregf
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
lime-kernel-modules
log2timeline
LogAnalysisToolKit
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx

perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-rarfile
python-registry
pytsk
rar
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-openappid
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
undbx
unrar
untex
videosnarf
vinetto
vmfs-tools
Volatility
x264
x265
xmount
xplico
xvidcore
yaf
yara
yara-python

ssdeep-2.13-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
bokken-1.7-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm - Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities.
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.7-200 for FC21
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-406 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-406 for EL5
fmem-kernel-modules-1.6-1.5.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 22 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-5.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 22 x86_64 and i686 architectures was added.

May 15, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.7-200 for FC21
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.4.2 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.4.2 for EL7

May 11, 2015: The following have been released:

libewf-{,devel,tools}-20100226-1.{fc21}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc21}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. This package contains the Version 1 API for the libewf tools and is needed to build the libewf-20140608 package.
libewf-{,devel,python}-20140608-1.{fc21}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc21}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.

Note: Version 20140608 is the latest production of libewf but there is a later version (20141129), an experimental version, in the repository. We have received a report that version 20141129 has a bug and cannot handle split E01 files correctly. The report noted this error in the plaso timeline tool. The bug report is here.

If you wish to install the 20140608 version of libewf, do the following, all as root
rpm -ev $(rpm -qa | grep 'ewf.*20150105*') --nodeps yum -y install {ewftools,libewf-python,libewf}-20140608-2
Then edit /etc/yum.repos.d/cert-forensics-tools.repo so that the beginning of the file looks like the following:
[forensics] name=CERT Forensics Tools Repository baseurl=http://www.cert.org/forensics/repository/fedora/cert/$releasever/$basearch enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-cert-forensics-2016-02-22 gpgcheck=1 proxy=_none_ deltarpm=0 exclude=ewftools* libewf*
This will install the last stable version of libewf which fixes the split E01 bug.

Note that when a new version of libewf becomes available, you will need to removed these chnages to /etc/yum.repos.d/cert-forensics-tools.repo. Watch this page for that announcement.

May 1, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.5-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.5-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.5-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.5-100 for FC20
partclone-0.2.71-4.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest version of libntfs-3g.so for Fedora 20 and CentOS 6 and 7. All other versions were rebuilt to maintain release consistency.
testdisk-6.14-3.3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release was built to use the latest version of libntfs-3g.so..

Apr 24, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.4-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.4-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.4-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.4-100 for FC20
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.27-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.27-100 for FC19
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.16.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.16.2 for EL6
partclone-0.2.71-3.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest version of libntfs-3g.so for Fedora 21. All other versions were rebuilt to maintain release consistency.
libpff-20131028-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF - the Digital Forensics Framework. See here for the list of changes.

Apr 17, 2015: The following have been released:

dfvfs-20150414-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20150413-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libesedb-{,devel,python,tools}-20150409-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
sleuthkit{,-devel,-libs}-4.1.3-6.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. The changes from the previous version - 4.1.3-5 - was to add a patch to support pytsk for CentOS/RHEL 7. All other versions were updated to this release for consistency.
pytsk-20150406-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.

Apr 10, 2015: The following have been released:

fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.3-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.3-100 for FC20
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-404 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-404 for EL5

Apr 3, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.3-200 for FC21
- 3.19.2-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.3-200 for FC21
- 3.19.2-201 for FC21
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-229.1.2 for EL7
- 3.10.0-229 for EL7
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-229.1.2 for EL7
- 3.10.0-229 for EL7

March 27, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.19.1-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 3.19.1-201 for FC21
snort-openappid-2.9.7.2-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following programs added to the /usr/bin directory. See here for more details.
- u2openappid
- u2streamer
- snort_dump_packets_control
Volatility-2.4-8.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2015-03-23. It also contains the mimikatz plugin.
daemonize-1.7.3-7.{el5,el6,el7}.{i686,x86_64}.rpm - Daemonize daemonize runs a command as a Unix daemon. As defined in W. Richard Stevens' 1990 book, Unix Network Programming (Addison-Wesley, 1990), a daemon is a process that executes 'in the background' (i.e., without an associated terminal or login shell) either waiting for some event to occur, or waiting to perform some specified task on a periodic basis.
libvmdk{,-devel,-python,-tools}-20150325-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
python-construct-2.5.2-1.fc21.{i686,x86_64}.rpm - Python-construct is a powerful declarative parser (and builder) for binary data. Support was added for Fedora 21.

March 20, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.9-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.9-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.9-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.9-100 for FC20
libmsiecf{,-devel,-python,-tools}-20150314-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libregf{,-devel,-python,-tools}-20150315-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
umview-0.8.2-1.1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm and libumlib{,-devel}-0.8.2-1.1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - UMview is a user-mode implementation of View-OS. Processes are run with a controlling daemon that captures all the system calls (at present using the ptrace() system call) and uses dynamically loadable modules to change their semantic.
fuseext2-0.3-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Fuxeext2 is a module for the FUSE kernel service allows any FUSE-enabled user to mount Second Extended file systems, e.g. disk images. The module has been initially written for UMView, the user-mode implementation of View-OS.

March 13, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.8-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.8-201 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.12.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.12.2 for EL6
snort-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
luajit{,-devel}-202-9.{fc17,fc18,el6,el7}.{i686,x86_64}.rpm - Luajit is a just-in-time compiler for the LUA programming language. Building snort-openappid for Fedora 17 and 18 and CentOS/RHEL 6 and 7 required luajit-devel.

March 6, 2015: The following have been released:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.1-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.1‑2.{fc17,fc18,fc19,fc20,fc21}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.10.1‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
libguytools-2.0.3-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager. The changes are:
- Corrected problem with trailing backslashes
- Switched to my new developer email address (Guy Voncken )
guymager-0.7.4-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. This version has been rebuilt to use version 2.0.3 of libguytools.
dfvfs-20150303-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
emacs-gettext{,-el}-0.18.1.1-7.7.noarch.rpm, gettext{,-common-devel,-devel,-libs}-0.18.1.1-7.7.noarch.rpm - The Gettext utilities are a set of tools that provides a framework to help other GNU packages produce multi-lingual messages. These tools include a set of conventions about how programs should be written to support message catalogs, a directory and file naming organization for the message catalogs themselves, a runtime library supporting the retrieval of translated messages, and a few stand-alone programs to massage in various ways the sets of translatable strings, or already translated strings. A special GNU Emacs mode also helps interested parties in preparing these sets, or bringing them up to date. These packages have been built for CentOS/RHEL 6 in support of the libfvde packages.
libfvde{,-devel,-tools}-20150222-1.{fc17,fc18,fc9,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume. Here are the changes from the last version (20130305):
- 20150222
  - Code clean up
  - Worked on documenation
  - Changes for handling 0x001a metadata with different plist key sequence
- 20150106
  - 2015 update
- 20141226
  - changes for updated dependencies
- 20141130
  - code clean up
- 20141120
  - code clean up
- 20141018
  - removed README.macosx
- 20141017
  - changes for deployment

February 27, 2015: The following have been released:

yara-3.3.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (2.1.0):
- Added support for negative integers and floating point numbers
- Implemented operators , <, =, <= for strings
- Implemented word boundary anchors (\b, \B) in regular expressions
- New features in PE module
- Math module
- New --print-namespace command line argument
- Better error handling in low memory conditions
- BUGFIX: at operator not working with certain strings containing wildcards
- BUGFIX: precedence of bitwise operators was incorrect
- BUGFIX: incorrect imphash result for certain PE files importing functions by ordinal
- BUGFIX: handle and memory leaks
- BUGFIX: multiple segfaults
yara-python-3.3.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (2.1.0):
- Added support for negative integers and floating point numbers
- Implemented operators , <, =, <= for strings
- Implemented word boundary anchors (\b, \B) in regular expressions
- New features in PE module
- Math module
- New --print-namespace command line argument
- Better error handling in low memory conditions
- BUGFIX: at operator not working with certain strings containing wildcards
- BUGFIX: precedence of bitwise operators was incorrect
- BUGFIX: incorrect imphash result for certain PE files importing functions by ordinal
- BUGFIX: handle and memory leaks
- BUGFIX: multiple segfaults
dfvfs-20150224-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
pyfixbuf-0.2.0-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes. PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX. Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point, or in converting IPFIX to another format (text, database, JSON, etc.). See here for a list of changes.
python-registry-1.1.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. Python-registry is written in pure Python, making it portable across all major platforms. This release brings python-registry up to date as of 2015-02-26.

February 20, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.6-200 for FC21 (added in release 7 of this package)
- 3.18.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.6-200 for FC21 (added in release 7 of this package)
- 3.18.7-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.6-100 for FC20 (added in release 26 of this package)
- 3.18.7-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.6-100 for FC20 (added in release 26 of this package)
- 3.18.7-100 for FC20
ddrutility-2.7-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad
- ddru_diskutility
Here are the changes since the last release (2.6):
- ddru_ntfsfindbad 1.5 released:
  - Fixed possible program crash if partition boot sector error
  - Better partition boot sector error output
- ddru_ntfsbitmap 1.5 released:
  - Fixed possible program crash if partition boot sector error
  - Better partition boot sector error output
dfvfs-20150217-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
python-registry-1.1.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. Python-registry is written in pure Python, making it portable across all major platforms.
shellbags-0.5.5-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - Shellbags Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions. See Using shellbag information to reconstruct user activities for an overview of the investigative value of shellbags.

February 13, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.5-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.5-201 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.5-101 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.5-101 for FC20
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-402 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-402 for EL5
Volatility-2.4-6.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2015-02-09
libbde{,-devel,-python,-tools}-20150204-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.

February 6, 2015: The following have been released:

libsigscan{,-devel,-python,-tools}-20150125-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libsigscan is a library and tools used to binary signature scanning. See here for the list of changes.
libbde{,-devel,-python,-tools}-20150124-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
dfvfs-20150203-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

January 31, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.18.3-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 3.18.3-201 for FC21
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.20.1 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.20.1 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.8.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.8.1 for EL6
dfvfs-20150127-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
libluksde{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el7}.{i686,x86_64}.rpm - Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150110-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
yaf{,-devel}-2.7.1-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes from the last version (2.6.0):
- Fix a bug with --flow-stats in particular configurations

January 23, 2015: The following have been released:

ddrutility-2.6-4.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. The change in this release is to reference the correct location of the nfscluster for installed versions.

January 16, 2015: The following have been released:

fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.8-300 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.6-300 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.8-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.8-200 for FC20

January 9, 2015: The following have been released:

lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.27-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.27-100 for FC19
distorm3-3.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. The changes are listed here.
ghostpdl-9.15-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This is the eleventh full release in the stable 9.x series, and is primarily a maintenance release. Highlights in this release include:
- Ghostscript now supports the PDF security handler revision 6.
- The pdfwrite and ps2write (and related) devices can now be forced to "flatten" glyphs into "basic" marking operations (rather than writing fonts to the output), by giving the -dNoOutputFonts command line option (defaults to "false")
- PostScript programs can now use get_params or get_param to determine if a page contains color markings by reading the pageneutralcolor state from the device (so whether the page is "color" or "mono"). Note that this is only accurate when in clist mode, so -dMaxBitmap=0 and -dGrayDetection=true should both be used.
- The pdfwrite device now supports Link annotations with GoTo and GoToR actions
- The pdfwrite device now supports BMC/BDC/EMC pdfmarks
- Regarding the new color management for the pdfwrite device introduced in the previous release, the proscription on using the new color management when producing PDF/A-1 compliant files is now lifted. To reiterate, also, with the new color management implementation, using the UseCIEColor option is strongly discouraged. For further information on the new pdfwrite color management, see: Color Conversion and Management
- Plus the usual round of bug fixes, compatibility changes, and incremental improvements.
To see all of the changes for all releases of ghostpdl, view ths file file:///usr/share/doc/ghostpdl/History9.htm on a system where ghostpdl is installed.
LogAnalysisToolKit-1.7-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.noarch.rpm - LogAnalysisToolkit is a collection of command line and web-based tools for use in incident response and long-term analysis of web server and proxy server log data. LATK can detect beaconing traffic in proxy logs and SQL injection, and XSS attempts in web server logs. Often when responding to a security incident, the only files available are web server and proxy server logs. LATK will aid you in detecting odd traffic, such as botnet beaconing and SQL injection attempts. The data available in these files can be overwhelming, but the tools in LATK can be used to parse these files and build a MySQL database for querying.
dino-1.5-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.noarch.rpm - Dino, the drop in network observer, is a lightweight front end for network visualization. Project:DINO, short for Drop In Network Observer, uses the open source network monitoring tools SiLK and SNORT to create an easy to use dashboard for situational awareness. It is built on PHP and Open Flash Chart, it is designed to be run on Linux systems and has been tested on Fedora, Redhat and Ubuntu. DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic/hourly traffic/top ports and snort alerts with the related flows records.
yaf{,-devel}-2.7.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes from the last version (2.6.0):
- New Gh0st RAT Application Label
- New NetBIOS Datagram Service Application Label
- yafMeta2Pcap can now accept IPFIX input
- getFlowKeyHash now exports IPFIX
- Support for indexing PCAPNG files
- New YAF option --no-output to produce no IPFIX output
- New YAF options --hash and --stime to search for a single flow with the given hash and start time
- DNS DPI now exports query section of resource record for all responses with nonzero RCODE
- Faster searching of pcap-meta files
- Implement SAME_SIZE flag for TCP flows
- Minor Bug Fixes
snarf{,-devel,-python}-0.2.4-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. Here are the changes:
- Support non-flow ip address fields in alerts.
- Fix ZeroMQ compatibility problems, now requires ZeroMQ 2.2.x.
- Fix problem with certain GLib2 version / platform combinations.
libbde{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libbfio{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. See here for the list of changes.
libevt{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - libevt contains libraries and tools to access the Windows XML Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20150106-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20150106-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libqcow{,-devel,-tools,-python}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
libregf{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20141022-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150105-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvmdk{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
libvshadow{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. See here for the list of changes.

December 24, 2014: The following have been released:

silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4.1-2.{fc17,fc18,fc9,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.10.0-1.
silk-ipset{,-devel,-lib,-tools}-3.10.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.13.2 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.13.2 for EL7
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.3.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.3.3 for EL6
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-400.1.1 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-400.1.1 for EL5
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.7-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.7-200 for FC20
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.7-300 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.7-300 for FC21
pytsk-20141220-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
libfwsi{,-devel,-python}-20141116-1.(fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
dfvfs-20141220-1.(fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See hre for the list of changes.
pyparsing{,-doc}-2.0.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i386,x86_64}.rpm, python3-pyparsing-2.0.3-1.{fc17,fc18,fc19,fc20}.{i386,x86_64}.rpm - Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions. The module provides a library of classes that client code uses to construct the grammar directly in Python code. Pyparsing is provided by RedHat for Fedora 21. Pyparsing version 2.0.3 is needed by plaso.
plaso-1.2.0-2.{fc17,fc18,fc19,fc20,fc21}.{i686,x86_64}.rpm, plaso-1.2.0-2.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Go here to read about all of the changes and features in this release. In addition, this release is current up to the development version as of December 24, 2014.

December 15, 2014: The following have been released:

Fedora 21 - The repository now supports Fedora 21 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 21:

lime-kernel-modules-fc20-x86_64
lime-kernel-modules-fc20-x86_64
lime-kernel-modules-fc20-x86_64
lime-kernel-modules-fc20-x86_64
lime-kernel-modules-fc20-x86_64
lime-kernel-modules-fc21-x86_64
lime-kernel-modules-fc21-x86_64
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-rarfile
python-registry
pytsk
rar
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
ttestdisk
undbx
unrar
untex
videosnarf
vinetto
vmfs-tools
Volatility
xmount
xplico
yaf
yara
yara-python

fmem-kernel-modules-1.6-1.4.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 21 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-4.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 21 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.6-300 for FC21
- 3.17.4-302 for FC21
- 3.17.4-301 for FC21
- 3.17.4-300 for FC21
- 3.17.3-300 for FC21
- 3.17.1-302 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.6-300 for FC21
- 3.17.4-302 for FC21
- 3.17.4-301 for FC21
- 3.17.4-300 for FC21
- 3.17.3-300 for FC21
- 3.17.1-302 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.6-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.6-200 for FC20
CERT-Forensics-Tools-1.0-61.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated to add the following packages:
- Removed snarf for Fedora 21
- Added ddrescueview for all supported OSes and architectures.

December 12, 2014: The following have been released:

lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.4-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.4-200 for FC20
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.13.1 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.13.1 for EL7
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-400 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-400 for EL5
lime-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Building errors were discovered the solution to which was to rebuild all lime modules for all supported versions of Fedora and CentOS/RHEL for all supported architectures. Steps were taken to verify future builds for LiME for each OS/Architecture pair.
fmem-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - No changes were made but the release numbers were changed to remain in sync with the lime-kernel-modules release numbers.
libewf{,-devel,-tools,-python}-20141129-1.{fc17,fc18}.{i686,x86_64}.rpm, libewf{-devel,-tools,-python}-20141129-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20141129-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note: Beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note: This package is not provided for CentOS/RHEL 5 and 6. Here are the changes from the previously released version (20140608):
- 20141129
  - code clean up
- 20141102
  - bug fixes
  - ewf.net added FileEntry::GetType
- 20141030
  - bug fix in Python-bindings
  - changes for updated dependencies
- 20141021
  - changes for deployment
- 20141012
  - bug fixes
- 20141007
  - updated dependencies and corresponding changes
  - worked on autogen.sh and synclibs.sh scripts
- 20141002
  - removed README.macosx
  - changes for project site move
- 20140801
  - bug fix in Python-bindings
In addition, this version was built to include the Version 1 API. Because of this, the shared object library libewf.so.1 and libewf.so.1.0.4 are no longer provided in this package. If your application requires these shared object libraries, they should be rebuilt to use the shared objects that come with this package, namely libewf.so.2 and libewf.so.2.1.0.
aff{lib,lib-devel,tools}-3.7.4-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format.
pytsk-20141207-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes. In addition, the following changes were also made:
- The scripts ewf.py, tskfuse.py, and imgfuse.py were also installed in /usr/bin.
- The runtime dependency fuse-python was also added.
libfixbuf{,-devel}-1.6.2-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-9.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This release was rebuilt with libfixbuf version 1.6.2.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-10.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This release was rebuilt with libfixbuf version 1.6.2.
super_mediator-0.3.0-7.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use libfixbuf version 1.6.2.
yaf{,-devel}-2.6.0-4.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This release was rebuilt to use libfixbuf version 1.6.2.
yaf{,-devel}-2.2.1-9.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. This release was rebuilt to use libfixbuf version 1.6.2.

November 26, 2014: The following have been released:

xmount-0.7.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following: Note that xmount is not available for CentOS/RHEL 5. Here are the changes for this version:
- New build system using cmake.
- New command line syntax. Make sure to check the man page!
- New --offset and --sizelimit command line parameters.
- Support for multiple input images.
- Support for image morphing. Currently supporting combine, raid (RAID0) and unallocated (HFS and FAT).
- Internal support for ewf files.
Volatility-2.4-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2014-11-24.
ddrescueview-0.3-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Ddrescueview is a small tool that allows the user to graphically examine ddrescue's log files in a user friendly GUI application. The Main window displays a block grid with each block's color representing the block types it contains. Many people know this type of view from defragmentation programs. The program is written in Object Pascal using the Lazarus IDE.
ddrutility-2.6-3.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. The change in this release is to reference the correct location of the nfscluster program for CentOS 6. All other versions are unchanged but were rebuilt for revision number compatibility.

November 21, 2014: The following have been released:

lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.23-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.23-100 for FC19
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.17.3-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for LiME:
- 3.17.3-200 for FC20
libevtx-{,devel,python,tools}-20141112-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
sleuthkit{,-devel,-libs}-4.1.3-5.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. The changes from the previous version - 4.1.3-3 - was to add a correct fix for java bindings. Note that the version provided by Fedora - 4.1.3-4 - does not provide this support in the binary packages they provide nor can that support be added using their source packages.
Support for Fedora 21 x86_64 architecture - The repository now supports Fedora 21 for the x86_64 CPU architecture. The cert-forensics-tool-release has been installed in the cert repository and all other packages have been installed in the forensics-test repository. As root, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file.

To install the CERT-Forensics-Tools package, it was necesary to run sudo yum erase protobuf-c first.

This repository was built with the Fedora 21 development repository and the Fedora 21 testing updates repository. When Fedora 21 is released, the CERT Forensics Tools repository will be entirely rebuilt using that distribution and support for the i686 architecture will be added at that time. If you find any problem with the packages in the CERT Linux Forensics Tools Repository, please send email to:

November 15, 2014: The following have been released:

dfvfs-20141108-1.(fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. This version no longer scans VSS snapshot volumes by default.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels were added for: Fmem:
- 3.17.2-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels were added for: LiME:
- 3.17.2-200 for FC20
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504.1.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504.1.3 for EL6
libesedb-{,devel,python,tools}-20141110-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
ddrutility-2.6-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad
- ddru_diskutility
The change in this release is to reference the correct location of the nfscluster program for CentOS 6.
partclone-0.2.71-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest version of libntfs-3g.so for CentOS.
testdisk-6.14-3.2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release was built to use the latest version of libntfs-3g.so for CentOS.

November 7, 2014: The following have been released:

guymager-0.7.4-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
liblnk-{,devel,python,tools}-20141026-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libregf-{,devel,python,tools}-20141030-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
Volatility-2.4-4.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility uses the code as available from here as of 2014-11-03.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels were added for: Fmem:
- 3.16.7-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels were added for: LiME:
- 3.16.7-200 for FC20
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.9.3 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.9.3 for EL7

October 31, 2014: The following have been released:

analysis-pipeline-4.4.1-1.{fc17,fc18,fc9,fc20,el5,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes in this release.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.6-203 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.6-203 for FC20
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.9.2 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.9.2 for EL7
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-504 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-504 for EL6
libevt-{,devel,python,tools}-20141026-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx-{,devel,python,tools}-20141026-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
libmsiecf-{,devel,python,tools}-20141025-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf-{,devel,python,tools}-20141026-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
mdbtools{,-devel,-gui}-0.7-43.13.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm, libmdbodbc1-0.7-43.13.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm, - The MDB Tools project is a effort to document the MDB file format used in Microsoft's Access database package, and to provide a set of tools and applications to make that data available on other platforms. Specifically, MDB Tools includes programs to export schema and data to other databases such as MySQL, Oracle, Sybase, PostgreSQL, and others. Also included is a SQL engine for performing simple SQL queries. The 0.5 release includes an updated GUI interface (screenshot is available here). A sparse but functional ODBC driver is included as well. MDB Tools currently has read-only support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats. Write support is currently being worked on and the first cut is expected to be included in the 0.6 release. For more information check the FAQ and the Installation Guide.
ssdeep-2.12.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes. Also see the SourceForge Page for forums, bugtracking, CVS, et al.

October 24, 2014: The following have been released:

fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.6-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.6-200 for FC20
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.22-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.22-100 for FC19
ddrutility-2.6-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad
- ddru_diskutility
Here are the changes since the last release (2.5):
- Changes have been made for compiling compatibility:
  - Some unneeded items removed from configure.ac
  - Added lib check for iconv
- Some improvements have been made to the documentation:
  - Added examples to the --mftdomain option of ntfs_bitmap
  - Updated info about ddru_findbad being slow
- Ddru_findbad 1.11 released:
  - No longer relies on bash
  - Fixed a bug dealing with bad ntfscluster results
  - Images are now accessed as read only
- Ddru_ntfsfindbad 1.4 released:
  - Fixed potential memory bug with name conversions
  - Fixed iconv BOM issue
  - Fixed a bug with mft data run length
  - Fixed issue with current postition in logfile
- Ddru_ntfsbitmap 1.4 released:
  - Fixed potential memory bug with name conversions
  - Fixed iconv BOM issue
- Ddru_diskutility 1.3 released:
  - Initial release
distorm3-3-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. This version used the code release on September 20, 2012.
libsmdev{,-devel,-tools,-python}-20141021-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20141022-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20141021-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvmdk{,-devel,-tools,-python}-20141021-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here the list of changes.
libbde{,-devel,-python,-tools}-20141023-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here the list of changes.
libvshadow{,-devel,-tools,-python}-20141023-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. See here for the list of changes.
daq-2.0.4-1.{fc17,fc18,fc19,fc20,el6,el7}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Here are the changes since the last version:
- Changes in 2.0.4 Released on 2014-09-06
  - api/daq_common.h
    - Changed name from 'priv_flow_id' to 'flow_id'.
    - Changed the 'flow_id' field to an uint32_t rather than void * since that's how it is used and will be safer to pass around.
  - m4/sf.m4, sfbpf/Makefile.am
    - Fix DAQ macros to allow users to edit libpcap version in cache file.
    - Also fixed a parallel build error for individual make targets in spfbf.
  - os-daq-modules/daq_netmap.c, README, configure.ac, api/daq_common.h, os-daq-modules/Makefile.am, os-daq-modules/daq_afpacket.c
    - Add new open source netmap DAQ module for Linux/FreeBSD; see the README for more details.
    - Clean up error reporting during AFPacket DAQ module initialization.
- Changes in 2.0.3 Released on 2014-06-06:
  - api/daq.h, api/daq_api.h, api/daq_base.c, api/daq_mod_ops.c, os-daq-modules/daq_afpacket.c, os-daq-modules/daq_pcap.c, os-daq-modules/daq_static_modules.c, os-daq-modules/daq_static_modules.h, sfbpf/sf_bpf_filter.c, sfbpf/sf_bpf_printer.c, sfbpf/sf_gencode.c, sfbpf/sf_nametoaddr.c, sfbpf/sfbpf-int.h, sfbpf/sfbpf_dlt.h
    - Update copyright.
  - configure.ac
    - Fixed FreeBSD 10 compatibility
  - os-daq-modules/daq_pcap.c
    - Fix compatibility with libpcap 1.5.1 and 1.5.2.
snort-2.9.7.0-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.7.0-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.

October 17, 2014: The following have been released:

fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.4-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.4-200 for FC20
libfixbuf{,-devel}-1.6.1-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-7.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This release was rebuilt with libfixbuf version 1.6.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-8.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This release was rebuilt with libfixbuf version 1.6.1.
super_mediator-0.3.0-7.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use libfixbuf version 1.6.1.
yaf{,-devel}-2.6.0-3.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This release was rebuilt to use libfixbuf version 1.6.1.
yaf{,-devel}-2.2.1-8.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. This release was rebuilt to use libfixbuf version 1.6.1.

October 10, 2014: The following have been released:

ddrescue-1.19-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes for this version:
- Fixed a race condition at start of run with '--timeout=0'.
- Added new option '-P, --data-preview'.
- Added new option '-u, --unidirectional'.
- Added new option '-X, --exit-on-error'.
- Added new option '--ask' to ask for user confirmation.
- Added new option '--cpass' to select passes during copying phase.
- Added new option '--pause' to insert a pause between passes.
- Removed option '-l, --logfile-size'.
- Skip on the first error during the copying phase.
- rescuebook.cc: Trimming done in one pass, may be run in reverse.
- The splitting phase has been replaced by a scraping phase.
- Changed long name of option '-n' to '--no-scrape'.
- rescuebook.cc: Alternate direction of passes during retrying phase.
- Show ATA model and serial number with '--ask' or '-vv' on Linux.
- configure: Added new option '--enable-linux'.
- New files linux.h linux.cc.
- License changed to GPL version 2 or later.
libsmdev{,-devel,-tools,-python}-20141004-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
partclone-0.2.71-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. Here are the changes for this version:
- fix configure.ac and add libblkid-dev check
- fix xfs
- merger btrfs to 3.14 and update makefile
- try to merge btrfs 3.14.1
- fix restore-to-raw option
ptk-1.0.5-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, has been configured and is operational. Here are the list of changes:
- For RHEL/CentOS 7, the package now depends on mysql-compat-server. All other versions are unchanged but were rebuilt for revision number compatibility.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version correctly removes an incorrect Obsoletes: directive from the spec file.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-6.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This version was built to keep in step with the release 5 update noted above.
testdisk-6.14-3.1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release correctly removes an incorrect Obsoletes: directive from the spec file.
Volatility-2.4-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes and features in this major release. This version of Volatility uses the code as available from here as of 2014-10-09.

October 3, 2014: The following have been released:

bulk_extractor-1.5.5-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Bulk_extractor bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor. Note that this release of bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS. The change in this release fixes an issue where python3.2 was explicitly referenced in report_encodings.py.
dfvfs-20140928-1.(fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
xmount-0.7.2-1.{fc17,fc18,fc19,fc20,el7}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following: Note that xmount is not available for CentOS/RHEL 5 and 6. Here are the changes for this version:
- 0.7.0
  - Changed build system from autoconf / automake to cmake
  - Moved input image support into external libs
  - Added morphing functionality including combine, raid and unallocated
  - Added --offset and --sizelimit command line parameter
  - Massive code cleanup including some small bug fixes
- 0.7.1
  - Fixed bug with --sizelimit command line option.
- 0.7.2
  - Fixed bug in FreeResources(). Do not free vdi.p_vdi_block_map as it is part of vdi.p_vdi_header
ssdeep-2.11-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.19-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.19-100 for FC19
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-398 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-398 for EL5
libfixbuf{,-devel}-1.6.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This release was rebuilt with libfixbuf version 1.6.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-4.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. This release was rebuilt with libfixbuf version 1.6.0.
super_mediator-0.3.0-6.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This release was rebuilt to use libfixbuf version 1.6.0.
yaf{,-devel}-2.6.0-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This release was rebuilt to use libfixbuf version 1.6.0.
yaf{,-devel}-2.2.1-7.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. This release was rebuilt to use libfixbuf version 1.6.0.
fred-0.1.1-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and fred-0.1.1-1.{el6,el7}.x86_64.rpm - Fred Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. This project was born out of the need for a reasonably good registry hive viewer for Linux to conduct forensic analysis. Therefore it includes some functions not found in normal "free" registry editors like a hex viewer with data interpreter and a reporting function that can easily be extended with custom ECMAScript report templates.

September 26, 2014: The following have been released:

lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.2-201 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.2-201 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.3-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.3-200 for FC20
lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels were added for LiME:
- 3.10.0-123.6.3 for EL7
- 3.10.0-123.8.1 for EL7
fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.10.0-123.6.3 for EL7
- 3.10.0-123.8.1 for EL7
Volatility-2.4-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes and features in this major release. This version of Volatility uses the code as available from here as of 2014-09-23.
plaso-1.1.0-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.1.0-2.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. For this release, IPython was added as a dependency.
python-ipython{,-console,-doc,-gui,-notebook,-sphinx,-tests)-2.2.0-1.el7.x86_64.rpm - IPython is an enhanced interactive Python shell. This package was only provided for CentOS/RHEL 7 for the x86_64 architecture.
python-tornado{,-doc}-3.2.1-3.el7.x86_64.rpm - Python-tornado Tornado is an open source version of the scalable, non-blocking web server and tools. The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast. Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.
python-path-3.0.1-2.el7.x86_64.rpm - Python-path implements a path objects as first-class entities, allowing common operations on files to be invoked on those path objects directly. See documentation here.
matchjax-2.2-4.el7.noarch.rpm, mathjax{-ams,-caligraphic,-fraktur,-main,-math,-sansserif,-script,-size1,-size2,-size3,-size4,-typewriter,-winchrome,-winie6}-fonts-2.2-4.el7.noarch.rpm - Matchjax is an open source JavaScript display engine for mathematics that works in all browsers.
fontawesome-fonts{,-web}-4.1.0-1.el7.noarch.rpm - Font Awesome provides scalable vector icons that can instantly be customized — size, color, drop shadow, and anything that can be done with the power of CSS.
ttembed-1.1-3.el7.x86_64.rpm - TTembed removes embedding limitations from TrueType fonts by setting the fsType field in the OS/2 table to zero.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4-2.{fc17,fc18,fc9,fc20,el5,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.9.0-1.
silk-ipset{,-devel,-lib,-tools}-3.9.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.

September 19, 2014: The following have been released:

lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels were added for LiME:
- 3.16.2-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.16.2-200 for FC20
dff-1.3.0.20140123-2.{fc17,fc18,fc19,fc20,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of January 23, 2014. The changes were to add missing dependencies, specifically PyQt4-webkit for CentOS/RHEL 7 and python-poppler-qt4 for all supported architectures.
python-poppler-qt4-0.16.2-8.el7.x86_64.rpm - Python-poppler-qt4 is a Python interface to the Poppler Qt4 interface library, libpoppler-qt4, which is a library that allows Qt4 programmers to easily load and render PDF files. The Poppler Qt4 interface library uses poppler internally to do its job, but the Qt4 programmer will never have to worry about poppler internals.
analysis-pipeline-4.4-1.{fc17,fc18,fc9,fc20,el5,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes in this release.
libevtx-{,devel,python,tools}-20140901-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
libfvde{,-devel,-tools}-20140907-1.{fc17,fc18,fc9,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume. Here are the changes from the last version (20130305):
- exposed some encryption context plist functions in API
- updated dependencies
- updated msvscpp files, not operational yet
- worked on libcthreads build support
liblnk-{,devel,python,tools}-20140905-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. Here are the changes from the last version (20140731):
- updated libfwsi version check
- bug fix in Python-bindings
- worked on property store data block support
libregf-{,devel,python,tools}-20140905-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files. Here are the changes from the last version (20140803):
- updated libfwsi version check
- bug fix in Python-bindings
- code clean
ssdeep-2.11-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
xplico-1.1.0-2.{fc17,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work under CentOS/RHEL 7. All other suported systems were upgraded for release version consistency. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
bulk_extractor-1.5.5-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Bulk_extractor bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor. Note that this release of bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS.

September 12, 2014: The following have been released:

lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for LiME:
- 3.15.10-201 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.15.10-201 for FC20
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-431.29.2 for EL6
- 2.6.32-431.23.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-431.29.2 for EL6
- 2.6.32-431.23.3 for EL6
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-371.12.1 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-371.12.1 for EL5
xplico-1.1.0-2.{fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt specifically for CentOS/RHEL 7. All other suported systems were upgraded for release version consistency. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. Note that Fedora 17 is not supported yet but support is expected soon.
python-psycopg2{,-debug,-docs}-2.5.1-2.el7.x86_64.rpm - Python-psycopg2 is a PostgreSQL adapter for the Python programming language. At its core it fully implements the Python DB API 2.0 specifications. Several extensions allow access to many of the features offered by PostgreSQL. This package was installed for CentOS/RHEL 7 to support xplico.
yaf{,-devel}-2.6.0-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes from the last version (2.5.0):
- Added a new tool, ipfixDump, to read and dump the contents of IPFIX files. Requires Fixbuf 1.4.0 or later.
- Add LDAP application label
- Filedaemon can now move files from one directory to another without passing to a child program
- SSL/TLS DPI modification to capture SSL record version
- Update CERT PEN Information Elements to use full information model if Fixbuf 1.4.0 or later is available
- Fix for Modbus application label to reduce false positives
- Bug Fix for TOS field when running with --uniflow
- Bug Fix in RPM spec file
- Bug Fix for labeling malformed DNS packets
- Bug Fix for processing out of order packets with --force-read-all
- Bug Fix for exporting reverse payload
- Other minor bug fixes
jafat-1.1.6-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems. The changes in this release were to put the doc files in the correct place in the file system.

August 29, 2014: The following have been released:

dfvfs-20140824-1.(fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.
sqlite{,-devel,tcl}-3.7.17-4.l6}.x86_64.rpm, sqlite-doc-3.7.17-4.el6.noarch.rpm, and lemon-3.7.17-4.el6.x86_64.rpm - Sqlite, is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine. SQLite is the most widely deployed SQL database engine in the world. The source code for SQLite is in the public domain. This version was installed for RHEL/CentOS 6 for the x86_64 archicture to support plaso.
CERT-Forensics-Tools-1.0-60.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - This package was updated to add the following packages: libesedb-tools , libqcow-tools , libsmdev-tools , libsmraw-tools , libvmdk-tools , and bokken.
libesedb-tools - Libesedb contains tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
libqcow-tools - Libqcow contains tools used to access the QEMU Copy-On-Write (QCOW) image format.
libsmdev-tools - Libsmdev contains tools used to access storage media devices.
libsmraw-tools - Libsmraw contains tools used to read and write (split) RAW storage media bitstream copies.
libvmdk-tools - Libvmdk contains tools used to access the VMware Virtual Disk (VMDK) image format.
bokken - Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities.
pyew-2.0-1.el7.x86_64.rpm - Pyew is a (command line) Python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
radare-2.0.9.7-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
valabind-0.7.4-2.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
python-radare-2.0.9.7-1.el7.x86_64.rpm - Python-Radare are bindings that allow Radare to be used from Python.
python-tidy-0.2-1.el7.noarch.rpm - Python-tidy pleans up, regularizes, and reformats the text of Python scripts.
pygtksourceview - PyGtkSourceView provides Python bindings for the GtkSourceView widget and is built on top of PyGTK.

August 22, 2014: The following have been released:

lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.17-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.17-100 for FC19
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for LiME:
- 3.15.9-200 for FC20
- 3.15.10-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.15.9-200 for FC20
- 3.15.10-200 for FC20
dc3dd-7.2.641.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics. New in this version are the following:
- Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
- Verification of an image restored to a device larger than the image is now supported. Specify hof=DEVICE to hash only the bytes dc3dd writes to the device. Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all the bytes that follow, up to the end of the device.
- Specifying hof=DEVICE will now default to phod=DEVICE behavior (hash only the bytes output by dc3dd, not the full device).
dd_rescue-1.46-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.46):
- ddr_hash now supports calculating HMACS instead of plain hashes. The hash calculation has been cleaned up a bit. When a seed val of 0 is passed on the command line, additional randomness is created using the rdrand() command on x86/x86-64 (if available).
- (2014-06-27) A vulnerability in most implementations of lzo decompression has been reported. The liblzo2 library (up to and including v 2.06) used by the ddr_lzo plugin (until dd_rescue-1.45) is affected. You need to feed specially crafted compressed data in blocks of 16MB or larger to the decompressor on 32-bit platforms to exploit it, see the report for more details. (This issue has ID LMS-20140616-1/ CVE-2014-4607.) The man page ddr_lzo advises to be careful when feeding data from untrusted sources to the decompressor; it seems that this advice has been wise. Fortunately, ddr_lzo does not normally feed such large blocks to the decompressor; you'd need to manually increase the soft block size to at least 8MB and ignore a warning to trigger this issue with dd_rescue. But it is possible. So here's the advice:
  - Update liblzo2 to 2.07 (or a fixed 2.06 version) which has this issue fixed (your Linux distributor should provide this very soon). This is enough to fix the issue, as the ddr_lzo plugin of dd_rescue does dynamically link against liblzo2, except for Android.
libsmraw{,-devel,-tools,-python}-20140817-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
yaf{,-devel}-2.5.0-3.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm/yaf{,-devel}-2.2.1-6.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The RHEL/CentOS 5 package needed to be rebuilt with the latest verson of libfixbuf. The RHEL/CentOS 6 package for the x86_64 archiecture was rebuilt with the correct version of libfixbuf so all other versions of yaf and yaf-devel were rebuilt to keep the release number consistent.
super_mediator-0.3.0-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. The Fedora 17 package for the i386 archiecture was rebuilt with the correct version of libfixbuf so all other versions of super_mediator were rebuilt to keep the release number consistent.
protobuf-c{,-devel}-0.15-2.2.el6.x86_64.rpm - Protobuf-c package provides a code generator and runtime libraries to use Protocol Buffers from pure C (not C++). This package was only provided for CentOS/RHEL 6 for the x86_64 architecture. This RHEL/CentOS 6 package for the i386 architecture was rebuilt to use the latest version of protobuf-devel.
snarf{,-devel,-python}-0.2.2-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. This version was built to use version 0.15 of protobuf and protobuf-c-devel where required.

Note: Extra Packages for Enterprise Linux (EPEL) for RHEL/CentOS 7 includes a version of protobuf-c that is incompatible with snarf and its installation causes problems when attempting to install snarf. To solve this problem, you need to add the following exclude line to /etc/yum.repos.d/epel.repo file:
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
exclude=protobuf-c

August 15, 2014: The following have been released:

bulk_extractor-1.5.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Bulk_extractor bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor. Note that this release of Bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS.
fmem-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.15-100 for FC19
lime-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.15-100 for FC19
libbde{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the support formats, protection methods, and additional features. Here are the changes for this release:
- added is locked function
- bug fix in Python bindings
- compression method is now forced to effective 16-bits
- fixes for FreeBSD 8 compilation
- moved password hashes to password keep
- small change in bdemount for Dokan support
- small improvements to error reporting
- updated dependencies
- updated msvscpp files
- worked on bdemount
- worked on exposing metadata
- worked on exposing metadata via bdeinfo
- worked on Python bindings
- worked on setup.py
- worked on tests
Volatility-2.4-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes and features in this major release.

August 8, 2014: The following have been released:

fmem-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.6-1.*.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.14.13-100 for FC19
- 3.15.8-200 for FC20
- 3.15.7-200 for FC20
- 3.15.6-200 for FC20
- 3.15.5-200 for FC20
- 2.6.18-371.11.1 for EL5
- 2.6.32-431.20.5 for EL6
- 3.10.0-123.4.4 for EL7
lime-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Support for the following kernels were added for LiME:
- 3.14.13-100 for FC19
- 3.15.8-200 for FC20
- 3.15.7-200 for FC20
- 3.15.6-200 for FC20
- 3.15.5-200 for FC20
- 2.6.18-371.11.1 for EL5
- 2.6.32-431.20.5 for EL6
- 3.10.0-123.4.4 for EL7
dfvfs-20140727-1.(fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libesedb-{,devel,python,tools}-20140803-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
libevt-{,devel,python,tools}-20140731-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx-{,devel,python,tools}-20140731-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
liblnk-{,devel,python,tools}-20140731-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf-{,devel,python,tools}-20140731-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libolecf-{,devel,python,tools}-20140801-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libqcow{,-devel,-tools,-python}-20140729-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
libregf-{,devel,python,tools}-20140803-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
libsmdev{,-devel,-tools,-python}-20140803-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20140728-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvshadow{,-devel,-tools,-python}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. See here for the list of changes.
python-registry-1.0.4-1.{fc17,fc18,fc19,fc20,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. Python-registry is written in pure Python, making it portable across all major platforms.
libfixbuf{,-devel}-1.5.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.3-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.3-4.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
super_mediator-0.3.0-4.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This package was rebuilt to use libfixbuf version 1.5.0.
yaf{,-devel}-2.5.0-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. This package was rebuilt to use libfixbuf version 1.5.0.

July 24, 2014: The following have been released:

ddrescue-1.18.1-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. A patch from the developer was applied that adds the following arguments:
- --no-reverse-pass: do not switch direction for each pass
- --skip-on-first-err start skipping on first error
- --trim-sequentially don't trim small blocks first
- --split-sequentially don't split large blocks first
- --no-reverse: This makes the second pass also go in the same direction as the first. This is for those who may ask for the option. But in my benchmark testing I can say there is no real benefit to turning off reverse.
- --skip-on-first-err: By default, ddrescue doesn't start skipping until 2 errors are encountered in a row. Sometimes the errors are spread out so that skipping does not happen very often if at all. This option will make ddrescue skip on the first error on the first pass forwards, and also on the second pass in reverse. If used with --no-reverse, the second forward pass skips on the second error like normal. Note that if used with the --reverse option then ddrescue will behave as normal and this option will not do anything. This option does best when setting a higher skip size, as when used with the default skip size it does not have a positive effect.
- --trim-sequentially: Normally ddrescue trims the smallest block first, which can cause unwanted head movement. This option makes it trim in order in one pass in the direction specified. My tests did not show any speed difference, but the small size of the test also did not have excessive head movement to begin with.
- --split-sequentially: Normally ddrescue splits the largest blocks first (which can cause a lot of unwanted head movement), and then when there are only small blocks of less than 7 sectors in size it will split sequentially. This option makes it split in order in one pass in the direction specified. In my benchmarking tests this helped slightly with overall recovery time, which is likely a result of drive read-ahead. This was even with a small test size, so it is possible that there could be more to gain on a full size recovery. Note that this speed increase would not normally be noticed due to the amount of time errors take to process, and is a very small increase overall. The biggest benefit is the head movement.
ddrutility-2.5-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad
fmem-kernel-modules-1.6-1.3.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. This package is not linked between OS and Architectures.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for Fmem:
- 3.15.6-200
- 3.15.5-200
ip4r-2.0.2-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.{el6,el7}.x86_64.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.4 for Fedora and CentOS/RHEL 7 and version 9.2 for CentOS/RHEL using the CentOS Software Collections Repository.
liblnk-{,devel,python,tools}-20140714-1.(fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
lime-kernel-modules-1.1.r17-3.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. This package is not linked between OS and Architectures.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for LiME:
- 3.15.6-200
- 3.15.5-200
python-rarfile-2.6-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Python-rarfile is a Python module for RAR archive reading.
snort-2.9.6.2-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.6.2-1.1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
yara-2.1.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (1.7.2):
- Improve regexp engine
- Improve multithreading support
- Case-insensitive and single-line matching modes for "matches" operator's regexps
- Added "error_on_warning" argument to "match" in yara-python
- Recognize x64 PE files
- BUGFIX: Mutex handle leak
- BUGFIX: NULL pointer dereferences
- BUGFIX: Buffer overflow
- BUGFIX: Crash while using compiled rules with yara64 in Windows
- BUGFIX: Infinite loop while scanning 64bits process in Windows
- BUGFIX: Side-effect on "externals" argument in yara-python's "match" function
- BUGFIX: "x of them" not working with strings containing unbounded jumps
yara-python-2.1.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (1.7.2):
- Improve regexp engine
- Improve multithreading support
- Case-insensitive and single-line matching modes for "matches" operator's regexps
- Added "error_on_warning" argument to "match" in yara-python
- Recognize x64 PE files
- BUGFIX: Mutex handle leak
- BUGFIX: NULL pointer dereferences
- BUGFIX: Buffer overflow
- BUGFIX: Crash while using compiled rules with yara64 in Windows
- BUGFIX: Infinite loop while scanning 64bits process in Windows
- BUGFIX: Side-effect on "externals" argument in yara-python's "match" function
- BUGFIX: "x of them" not working with strings containing unbounded jumps

July 17, 2014: The following have been released:

lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-5.noarch.rpm and
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for Fmem and LiME
- 3.15.4-200
- 3.15.3-200
- 3.14.9-200

Support for CentOS 7.0.1406 x86_64 architecture - The repository now supports CentOS 7.0.1406 for the x86_64 CPU architecture. Here is the list of tools provided for CentOS 7.0.1406

perl-Image-ExifTool
perl-Mac-PropertyList
perl-Net-Pcap
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
protobuf
protobuf-c
pstotext
ptfinder
ptk
pyPdf
python3
python-apsw
python-construct
python-dpkt
python-httplib2
python-rarfile
python-xlwt
pytsk
recoll
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scalpel
scrounge-ntfs
sfdumper
silk
silk-ipa
silk-ipset
sleuthkit
snarf
snort
snort-sample-rules
stegdetect
super_mediator
tcpxtract
tln_tools
untex
videosnarf
vinetto
vmfs-tools
Volatility
xapian-core
xmount
xplico
xrdp
yaf
yara
yara-python
zeromq
ip4r
ipa
postgresql
silk

All other packages installed when the CERT-Forensics-Tools package is installed are taken from the CentOS 7 Release, Updates, Extras, EPEL, and RPM Forge repositories.

July 2, 2014: The following have been released:

plaso-1.1.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.1.0-1.el6.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Go here to read about all of the changes and features in this release.
libevt-{,devel,python,tools}-20140531-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
python-construct-2.5.2-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Python-construct is a powerful declarative parser (and builder) for binary data.
bencode-1.0-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Bencode is the BitTorrent bencode module as light-weight, standalone package.
libesedb-{,devel,python,tools}-20140406-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in may different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
dfvfs-20140604-1.(fc17,fc18,fc19,fc20,el6}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libvhdi{,-devel,-python,-tools}-20140330-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
libvshadow{,-devel,-tools,-python}-20140323-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here here the list of changes.
libvmdk{,-devel,-tools,-python}-20140421-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. Here here the list of changes.
libsmraw{,-devel,-tools,-python}-20140621-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. Here here the list of changes.
libsmdev{,-devel,-tools,-python}-20140529-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. Here here the list of changes.
libqcow{,-devel,-tools,-python}-20140529-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. Here here the list of changes.
libewf{,-devel,-tools,-python}-20140608-2.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf{-devel,-tools,-python}-20140608-2.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. The change from the previous release (1) is that python support has been added in package libewf-python
openssl{,-devel,-libs,-perl,-static}-1.0.1e-38.{fc17,fc18}.{i686,x86_64}.rpm, - OpenSSL is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation. This packages provided for Fedora 17 and 18 because those versions of Fedora are no longer maintained by RedHat and in the case of ADIA for Fedora 17, OpenSSL is used to secure the Webmin connection.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-4.noarch.rpm and
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for Fmem and LiME
- 3.14.9-200 for FC20

June 27, 2014: The following have been released:

dd_rescue-1.45-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Note: these packages are available from the RPM Forge repository for CentOS/RHEL 5 and 6. See here for more details on the RPM Forge repository. Here are the changes from the previously distributed version (1.40):
- Release 1.45-1: ddr_hash received a bugfix (sha512/sha384 could overflow a buffer). It gained support for sha1 hash. ddr_hash can now conveniently retrieve (and check) and store hashes in xattrs and md5sum/sha256sum/... style files. A new null plugin (ddr_null) was added.
- Release 1.44-1: The plugin libddr_MD5.so (short ddr_MD5) has been renamed to ddr_hash, reflecting that we also support sha1, sha256, sha224, sha512, sha384 now. Checks have been added to the test suite and the documentation been updated accordingly.
- Release 1.43-1: The main feature of 1.43 is the new lzo plugin. It de/compresses data using the lzo algorithms, which are very fast to decompress and most versions are also fast to compress (at somewhat moderate compression levels). The plugin supports many of dd_rescue's features, such as skipping bad blocks (encoding sparseness/holes into the output) as well as appending. It also continues on errors (skipping a whole block if nodiscard is NOT given) and allows to search for valid lzo block headers if sync is lost. fuzz testing has been done to support reliability. A man page ddr_lzo(1) has been created.
  
  The plugin interface has been enhanced to support ddr_lzo; the MD5 plugin has also seen some work beyond just refactoring: It supports the parameter output/outfd= now and supports all type of holes that can be generated in a chain with ddr_lzo now.
  
  Some minor improvements (docu, messages) and bug fixes have been applied. There also is a new ARMv8 (AArch64 aka ARM64) optimized routine to detect zero-blocks.
- Release 1.42.1-1: 1.42.1 contains a fix for a sublety how we set up a handler for SIGILL and return with longjmp to detect the supported instruction sets of the CPU -- we need to manually reset the process' signal mask, otherwise a second failed probe would abort.
- Release 1.42-1: 1.42 brings the possibility to load plugins to analyze or transform data before it's written to the output file(s). A plugin to calculate the MD5 hash is provided. posix_fadvise() is used if available (optimization) and dd_rescue now only provides a short usage info rather than the long help text on wrong parameters.
- Release 1.41-1: There has been a lot of internal refactoring that improves the detection of CPU features (at runtime) and libc/compiler features (at build time). One result is that this version supports building against the Android NDK. (armv7l binaries built against Android API 17 (aka 4.2) libc can be found below in the download section.) Another consequence is that AVX2 support is now enabled (for saving CPU cycles on sparse block detection). A few minor bugs have been addressed (the most serious one a harmless off-by-one on determining the size of a block device). Number formatting is more consistent now. There also a new option -u/--rmvtrim that deletes the created file again and issues a fstrim on the filesystem -- good if you filled the empty space of a filesystem with zeros for data protection and SSD refreshment.
- Release 1.40.1-1: It just has one patch to fix the SSE2 detection on i386 -- the old code would end in an endless loop ...
ddrescue-1.18.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes from the previous distributed version (1.17):
- ddrescuelog.cc (do_logic_ops): Fixed 'or' and 'xor'.
- Added new option '-H, --test-mode' to simulate read errors.
- Added new option '-L, --loose-domain' to ddrescue and ddrescuelog.
- Added new option '-N, --no-trim' to disable trimming of damaged areas.
- Added new option '-O, --reopen-on-error'.
- Added new options '-1, --log-rates', and '-2, --log-reads'.
- Extended '-K, --skip-size' with maximum and disable values.
- Changed long name of option '-r' to '--retry-passes'.
- Changed short name of option '--generate-mode' to '-G'.
- Default value of option '-l, --logfile-size' increased to 10000.
- If interrupted, ddrescue terminates by raising the signal received.
- rescuebook.cc (copy_non_tried): Do not mark skipped blocks as non-trimmed. Try them in additional passes (before trimming).
- rescuebook.cc: Limit the copying phase to 3 passes.
- rescuebook.cc: Alternate direction of passes during copying phase.
- rescuebook.cc: Smallest blocks are trimmed first.
- rescuebook.cc (split_errors): Read largest first if logfile full.
- Improved speed when using option '-m, --domain-logfile'.
- io.cc (show_status): Show the current total run time.
- rescuebook.cc: Show pass number and direction during copying.
- rescuebook.cc (show_status): Show block pos instead of current_pos.
- main.cc: Show "an unknown number of bytes" for unknown isize.
- Added option '-B, --binary-prefixes' to ddrescuelog.
- Added new option '-C, --complete-logfile' to ddrescuelog.
- Added new option '-P, --compare-as-domain' to ddrescuelog.
- Improved speed of logic operations in ddrescuelog.
- rescuebook.cc (Rescuebook::do_rescue): Show warning when domain is smaller than logfile.
- ddrescuelog.cc (do_show_status): Show logfile and domain extents when domain is smaller than logfile.
- block.h: Class Block now forces the invariant by itself.
- Code reorganization. New class 'Logfile'.
- Added status message to rescue logfile.
- Many improvements to documentation.
- ddrescue.texinfo: Renamed to ddrescue.texi.
libewf-{,devel,tools}-20140608-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140427):
- bug fix for utf16 header functions
- bug fix in ewfmount regarding logical files date and time values
- updated python.m4
- fixes to build static library with mingw and cygwin
- bug fixes in m4 files
- removed #error restriction in dependency include header files
- make pyewf_handle_open more strict to catch non-string objects without the check the code will segfault on non-string objects
{python-,}binplist-0.1.4-2.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python. Here are the changes from the previous release (0.1.4-0):
- The python library (python-binplist) has been split from the binplist executable.
- In binplist, the following changes were made:
  - The plist.py file was removed.
  - The binplist.py file was renamed to binplist.
  - The /usr/bin/binplist.py[co] and /usr/bin/plist.py[co] files are removed. These files are automatically created if either binplist.py or plist.py programs were executed by root. Their presence causes log2timeline.py and related programs to fail.
plaso-1.0.2-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-2.el6.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Here are the changes from the previous release (1.0.2-1)
- Missing dependencies were added (python-construct, libolecf-python, python-dpkt, python-binplist). Note that on CentOS/RHEL 6, the python-construct and python-dpkt were release in support of plaso.
- Fixed a bug in the Firefox history parser.
- For the CentOS/RHEL 6 version, the Software Collections Library version of Python 2 is used to byte compile the Python source files.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-3.noarch.rpm,
lime-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.1.r17-2.noarch.rpm,
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.3.noarch.rpm,
fmem-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem and LiME
- 3.14.8-200 for FC20
- 3.14.6-200 for FC20
- 3.14.7-100 for FC19
- 3.14.8-100 for FC19
- 2.6.32-431.20.3 for EL6
- 2.6.18-371.9.1 for EL5

June 11, 2014: The following have been released:

lime-kernel-modules-common-1.1.r17-1.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes tie lime-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of pckages but decreases their size.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6. If you use rsync, make certain that you use the -H option to preserve those hard links.
lime-kernel-modules-1.1.r17-1.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects, specifically the following:
- lime-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6}-{i686,x86_64}-1.1.r17-*.noarch.rpm - These are the actual kernel objects packaged for each operating system version and architecture.
  
  Note: again these RPMs are hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6.
fmem-kernel-modules-common-1.6-1.1.noarch.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This package contains the source code for making the FMEM kernel modules and the install-fmem script. This package also obsoletes tie fmem-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of pckages but decreases their size.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6. If you use rsync, make certain that you use the -H option to preserve those hard links.

May 22, 2014: The following have been released:

nDPI{,-devel}-1.4.0.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - nDPI nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
xplico-1.1.0-1.{fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. See here for the changes in this release. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. Note that Fedora 17 is not supported yet but support is expected soon.
libewf-{,devel,tools}-20140427-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
- fixes to build static library with mingw and cygwin
- bug fixes in m4 files
- removed #error restriction in dependency include header files
- make pyewf_handle_open more strict to catch non-string objects without the check the code will segfault on non-string objects
- bug fixes in empty block compression
- bug fix in libewf_read_io_handle_read_chunk_data error tolerance code path
bokken-1.6-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Bokken is a GUI for the Pyew and Radare projects so it offers almost all the same features that Pyew has and and some of the Radare's ones. It's intended to be a basic disassembler, mainly, to analyze malware and vulnerabilities.
pyew-2.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Pyew is a (command line) Python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
radare-2.0.9.7-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.0.9.7-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Python-Radare are bindings that allow Radare to be used from Python .
vala{,-devel,-doc,-tools}-0.20-1.el6.{i686,x86_64}.rpm and emacs-vala-0.20-1.el6.{i686,x86_64}.rpm - Vala is a new programming language that aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements and without using a different ABI compared to applications and libraries written in C.
valabind-0.7.4-2.{fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
snort-2.9.6.1-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.6.1-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
md5deep-4.4-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep. See here for the list of changes in this version.
pytsk-20140506-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
yaf{,-devel}-2.5.0-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version. Note: In this release of SiLK (3.8.2-1), support for the IPA extensions have been removed.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset{,-devel,-lib,-tools}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
guymager-0.7.3-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. The change made in this version was to replace all lines in the configuration file (/etc/guymager/guymager.cfg) that contain backslashes at the end lines with spaces to work around a programming error in libguytools.

lime-kernel-objects-1.1.r16-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The changes added support for the following kernels:

FC20

3.14.4-200
3.14.3-200
3.14.2-200
3.13.9-200
3.13.8-200
3.13.7-200
3.13.10-200

FC19

3.14.4-100
3.13.9-100
3.13.7-100
3.13.11-100

EL6

2.6.32-431.17.1
2.6.32-431.11.2

EL5

2.6.18-371.8.1
2.6.18-371.6.1

fmem-kernel-objects-1.6-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the same kernels noted for lime.
plaso-1.0.2-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-1.el6.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See here for the changes in this release.

April 24, 2014: The following have been released:

splunk-4.3.7-181874.i386.rpm, splunk-4.3.7-181874-linux-2.6-x86_64.rpm and splunk-6.0.3-204106.i386.rpm, splunk-6.0.3-204106-linux-2.6-x86_64.rpm - These versions of Splunk provide what is needed to upgrade to the latest version which is 6.0.3. The version in the repository is old and contains an expired signing key. We apologize for not keeping Splunk up to date and any inconvenience this upgrade may cause. Please note that these versions are installed in the forensics-test repository which is normally disabled.

To update to the latest version (6.0.3 as of this writing), follow this procedure:
1. First, upgrade to splunk 4.3.7 by following the procedure found here. In step 2 in the Steps for upgrading section, use this command to upgrade to splunk 4.3.7:
  sudo yum --enablerepo=forensics-test update splunk-4.3.7
2. Next, read this first before you start the upgrade.
3. Then, upgrade to splunk 6.0.3 using this command:
  sudo yum --enablerepo=forensics-test update splunk-6.0.3
4. If you have previously enabled splunk to start on a reboot, you need to use these commands to reestablish that configuration:
  sudo /opt/splunk/bin/splunk disable boot-start
  sudo /opt/splunk/bin/splunk enable boot-start
5. Then restart splunk with the following:
  sudo /opt/splunk/bin/splunk start
Note: On Wednesday, September 10, 2014, the latest version of Splunk will become the default version in the regular cert repository. You will need to perform the upgrade noted above before then so that Splunk will continue to function properly.

April 7, 2014: The following have been released:

CERT-Forensics-Tools-1.0-58.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to add the following:
- plaso - A timeline tool (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only)
- libregf-tools - Tools to access Windows NT Registry files
- libmsiecf-tools - Tools to access Microsoft Internet Explorer (MSIE) Cache File (index.dat) files
- libevt-tools - Tools to access Windows Event Log (EVT) format files
- liblnk-tools - Tools to access Windows NT Registry files
- libolecf-tools - Tools to access OLE 2 Compound File (OLECF) format files
- ddrutility (not CentOS/RHEL 5) - Utility for use with gnuddrescue to aid with data recovery
- fcrackzip - Zip Password Cracker
- undbx (not CentOS/RHEL 5) - Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files
- silk-ipa (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only) - Script to enable the IPA-based version of the SiLK tools
Note: On CentOS/RHEL, installing the CERT-Forensics-Tools meta package or plaso requires postgresql. For Fedora, postgresql is provided in the the CERT Linux Forensics Tools repository. However, for CentOS 6.5 for the x86_x64 architecture only, the version of postgresql comes from the CentOS Software Collections Repository. This means that you must install the centos-release-SCL package by running yum install centos-release-SCL as root before you apply updates from the repository.
hachoir-metadata-1.3.3-2.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - hachoir-metadata is a tool that extracts metadata from multimedia files: music, picture, video, and archives. The changes were to correct the permissions of the installed files.
plaso-1.0.1alpha-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.1alpha-1.el6.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
libregf-{,devel,python,tools}-20140118-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libregf contains libraries and tools to access the Windows NT Registry File files.
libmsiecf-{,devel,python,tools}-20140131-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libevt-{,devel,python,tools}-20140112-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx-{,devel,python,tools}-20140112-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
liblnk-{,devel,python,tools}-20140112-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.s
libolecf-{,devel,python,tools}-20131108-1.(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats.
protobuf-c{,-devl}-0.15-2.1.el6.x86_64.rpm - Protobuf-c package provides a code generator and runtime libraries to use Protocol Buffers from pure C (not C++). This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
protobuf{,-compiler,-devel,-lite,-lite-devel,-lite-static,-python,-static,-vim)-2.4.1-1.el6.x86_64.rpm - Protobuf (Protocol Buffers) are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats. This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
python-ipython{,-console,-doc,-gui,-notebook,-tests)-0.13.2-1.el6.x86_64.rpm - IPython is an enhanced interactive Python shell. This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
perl-Parse-Evtx-{,-tools}1.1.1-2.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection. Because files in the previous release - 1.1.1-1 - of perl-Parse-Evtx now conflict with files in libevtx-tools, the tools from perl-Parse-Evtx were moved to perl-Parse-Evtx-tools so that perl-Parse-Evtx, upon which log2timeline depends, could be installed.
binplist-0.1.4-0-(fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
libewf-{,devel,tools}-20140216-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
- bug fix in recent process status changes
- integrating latest update for multi threaded ewfacquire changes
- changed behavior of empty-block check
- worked on integrating multi threaded ewfacquire changes
- updated dependencies
- added libcdatetime
- removed borlandc files
- small updates
- moved low-level function support from compile time to run time
- worked on sync with experimental version
- Also added missing fuse-devel build requirement
sleuthkit{,-devel,-libs}-4.1.3-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. The changes from the previous version - 4.1.3-1 - are the following:
- Patch to support pytsk.
- Rebuilt with libewf-20140216
pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
partclone-0.2.69-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the correct version of libntfs-3g.so.
lime-kernel-objects-1.1.r16-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The changes added support for the following kernels:
- 3.13.6-200 for FC20
- 3.13.5-202 for FC20
- 3.13.5-200 for FC20
- 3.13.4-200 for FC20
- 3.13.3-201 for FC20
- 3.12.10-300 for FC20
- 3.13.6-100 for FC19
- 3.13.5-103 for FC19
- 3.13.5-101 for FC19
- 3.12.11-201 for FC19
- 2.6.32-431.5.1 for EL6
fmem-kernel-objects-1.6-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the same kernels noted for lime.
ddrutility-2.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad (NEW)
fcrackzip-1.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fcrackzip is a zip password cracker, similar to fzc, zipcrack and others. It is intended to be free, fast, portable, and featureful.
undbx-0.21-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Undbx extracts, recovers and undeletes e-mail messages from Outlook Express .dbx files.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.

Note: In this release of SiLK (3.8.1-3), support for the IPA extensions have been removed. They have been replaced by an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. When that script is run, the following additional packages are installed or updated:
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm or silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.el6.x86_64.rpm - The only change to this release is that it was built with the IPA IP address annotation system.
- postgresql{,-contrib,-devel,-docs,-libs,-plperl,-plpython,-plpython3,-pltcl,-server,-test,-upgrade}-9.3.4-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package.
- ipa{,-devel,-python}-0.5.2-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ipa{,-devel,-python}-0.5.2-3.{el6}.x86_64.rpm - IPA is an IP address annotation system. IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access. For more information, read the IPA documentation.
- ip4r-2.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.el6.x86_64.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.4 for Fedora and version 9.2 for CentOS/RHEL using the CentOS Software Collections Repository.

February 12, 2014: The following have been released:

lime-kernel-objects-1.1.r16-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

In addition, this package includes a script named CaptureMemoryWithLime and a corresponding man page that manages the installation of the appropriate kernel object and dumps memory on the installed machine to the indicated file.

LiME can be used with Volatility as described here to analyze memory as part of an investigation of digital assets.

LiME releases will track with fmem-kernel-objects as to the list of supported kernels.
fmem-kernel-objects-1.6-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.12.9-301 for FC20
- 3.12.8-300 for FC20
- 3.12.7-300 for FC20
- 3.12.8-200 for FC19
- 3.12.7-200 for FC19
- 2.6.18-371.4.1 for EL5
daq-2.0.2-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Here are the changes since the last version:
- os-daq-modules/daq_ipfw.c: Don't treat being interrupted by a signal as an error.
- configure.ac, daq.spec, os-daq-modules/daq_afpacket.c: Fix frame length sanity check.
- README, configure.ac, os-daq-modules/daq_afpacket.c: Fix AFPacket DAQ module to attempt to reconstruct the automatically stripped VLAN header prior to passing it to the reader. Also, use AFPacket TX Ring instead of sendto to improve TX performance. (Requires a newer Linux kernel version, README and configure.ac updated to reflect this.)
disktype-9-15.{fc17,fc18,fc19,fc20,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.63-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. Here are the changes from the previous distributed version (0.6.61):
- Daniel Gryniewicz found buffer overrun in LIST_COPY_TIME
- Old dependency filter breaks file coloring
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of the changes since the previous version (3.8.0).
analysis-pipeline-4.3.2-2.{fc17,fc18,fc9,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.8.1-1.
silk-ipset-{devel,lib,tools}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
sleuthkit{,-devel,-libs}-4.1.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.1.2:
- Fixed bug that could crash UFS/ExtX in inode_lookup
- More bounds checking in ISO9660 code
- Image layer bounds checking
- Update version of SQLITE-JDBC
- Changed how java loads navite libraries
- Config file for YAFFS2 spare area
- New method in image layer to return names
- Yaffs2 cleanup
- Escape all strings in SQLite database
- SQlite code uses NTTFS sequence number to match parent IDs
snort-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
xmount-0.6.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following:
- Added support for split DD input files.
- Patch for newer libewf support (meaning packages newer than 20110903), courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.

January 24, 2014: The following have been released:

dff-1.3.0.20140123-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, 19, and 20 are supported in this release. This release uses ffmpeg version 2.

This version is the developer version as of January 23, 2014. Note that these packages have been placed in the forensics-test repository which must be enabled in the /etc/yum.repos.d/cert-forensics-tools.repo by setting enabled to 1 (true).

January 22, 2014: The following have been released:

analysis-pipeline-4.3.2-1.{fc17,fc18,fc9,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See the release notes for a list of changes.
ffmpeg{,-libs,-devel}-2.1.1-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec - the leading audio/video codec library. These packages have been made available in are support of dff.
dff-1.3.0-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, 19, and 20 supported in this release. This release uses ffmpeg version 2.
fmem-kernel-objects-1.6-1.25.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.12.6-300 for FC20
- 3.12.5-302 for FC20
- 3.11.10-301 for FC20
- 3.12.6-200 for FC19
- 3.12.5-200 for FC19
- 3.11.10-200 for FC19
- 3.11.9-200 for FC19
- 3.11.8-200 for FC19
- 3.11.7-200 for FC19
- 3.11.10-100 for FC18
- 3.11.9-100 for FC18
- 3.11.7-100 for FC18
- 3.11.4-101 for FC18
- 2.6.32-431.3.1 for EL6
- 2.6.32-431.1.2.0.1 for EL6
- 2.6.32-431 for EL6
- 2.6.18-371.3.1 for EL5
guymager-0.7.3-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
netsa-rayon-1.4.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython,/a> (for GUI output). See here for a list of changes.
python-rarfile-2.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Python-rarfile is a Python module for RAR archive reading.
python-registry-1.0.1-1.{fc17,fc18,fc19,fc20}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. Python-registry is written in pure Python, making it portable across all major platforms.
pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
yaf{,-devel}-2.4.0-3.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. These packages were rebuilt to remove support for p0f.
yara-2.0.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (1.7.2):
- Faster
- Better multi-thread support
- Rules can be saved in binary form
yara-python-2.0.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (1.7.2):
- Faster
- Better multi-thread support
- Rules can be saved in binary form
Volatility-2.3.1-2.el5.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. This version was rebuilt to use the latest version of yara.
xrdp-0.7.0-1.el6.{i386,x86_64}.rpm - XRDP is an open source Remote Desktop Protocol (RDP) server. CentOS/RHEL 6 did not have such a server so this version was added and released through the repository.
CERT-Forensics-Tools-1.0-57.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to add the following:
- analyzeMFT
- hdparm
- kracked, for Fedora and CentOS/RHEL 6 only
- libpff-tools
- snarf, for Fedora and CentOS/RHEL 6 only
- super_mediator
- vmfs-tools

January 6, 2014: The following have been released:

Fedora 20 - The repository now supports Fedora 20 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 20:

2hash
DropboxReader
KHracker
Volatility
aimage
analysis-pipeline
analyzeMFT
ataraw
autopsy
bloom
bulk_extractor
bulk_extractor-stoplist
CERT-Forensics-Tools
cryptcat
daq
dff
disktype
distorm3
eindeutig
epub
exfat-utils
fatback
ffmpeg
fmem-kernel-objects
frag_find
fred
fundl
fuse-exfat
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile

hachoir-urwid
hachoir-wx
ip4r93
ipa
jafat
kracked
lame
libbde
libbfio
libewf1
libewf2
libfixbuf
libfvde
libguytools
libiconv
libp0f
libpff
libpst
libvhdi
libvshadow
log2timeline
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
pgadmin3_93
postgresql93
prism
pstotext
ptfinder

ptk
python-apsw
python-registry
pytsk
rar
recoll
registrydecoder
reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipset
sleuthkit
snarf
snort
snort-sample-rules
ssdeep
stegdetect
super_mediator
testdisk
tln_tools
unrar
untex
videosnarf
vinetto
vmfs-tools
x264
xplico
xvidcore
yaf
yara
yara-python

All other packages installed when the CERT-Forensics-Tools package is installed are taken from the Fedora 20 Release and Updates repositories. Note that the RPM Fusion repository is not required to install of the CERT Linux Forensics Tools.

Fedora 16 Support for Fedora 16 i686 and x86_64 architectures - Updates to Fedora 16 for both the i686 and x86_64 CPU architectures has ceased.

January 8, 2014: The following have been released:

cert-forensics-tools-release-{16,17,18,19,5.10,6}-9.noarch.rpm - These packages were added to provide the new CERT Forensics Oeprations and Investigations Team Key. The fingerprint for this key is: 5FA3 2061 C4A0 F073 D6E7 3C1D BFCC 1527 ED92 ABE3.

You must do the following as root to install this new package before updating existing packages installed from the repository:
yum update cert-forensics-tools-release
You can then do the following as root to install any other updates for your system:
yum update
In addition, all of the packages in the Fedora 16, 17, 18, 19, and RHEL/CentOS repositories have been resigned with this new key.

December 13, 2013: The following have been released:

libewf-{,devel,tools}-20131210-1.{fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm/{ewftools,libewf,libewf-devel}-20131210-1.fc19.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that in Fedora 19, the tools package is named ewftools to reflect the package name found in the Fedora 19 release. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130416):
- updated dependencies
- worked on Python bindings
- added libcthreads
- fix in DFXML output for size values
- worked on ewfmount
libfixbuf{,-devel}-1.4.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of the changes since the previous version (3.7.2).
yaf{,-devel}-2.4.0-2.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm/yaf{,-devel}-2.2.1-5.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. These packages were rebuilt to use libfixbuf version 1.4.0.
super_mediator-0.3.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This package was rebuilt to use libfixbuf version 1.4.0.
python-apsw-3.8.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
pytsk-20131124-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
yara-1.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (1.7):
- BUGFIX: Regular expressions marked as both "wide" and "ascii" were treated as just "wide"
- BUGFIX: Bug in "n of ()" operator
- BUGFIX: Bug in get_process_memory could cause infinite loop
- BUGFIX: Fix SIGABORT in ARM
- BUGFIX: Failing to detect one-byte strings at the end of a file.
- BUGFIX: Strings being incorrectly printed when markes both as wide and ascii
- BUGFIX: Stack overflow while following circular symlinks
- BUGFIX: Expression "/re/ matches var" always matching if "var" was an empty string
- BUGFIX: Strings marked as "fullword" were incorrectly matching in some cases
yara-python-1.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (1.7):
- BUGFIX: Regular expressions marked as both "wide" and "ascii" were treated as just "wide"
- BUGFIX: Bug in "n of ()" operator
- BUGFIX: Bug in get_process_memory could cause infinite loop
- BUGFIX: Fix SIGABORT in ARM
- BUGFIX: Failing to detect one-byte strings at the end of a file.
- BUGFIX: Strings being incorrectly printed when markes both as wide and ascii
- BUGFIX: Stack overflow while following circular symlinks
- BUGFIX: Expression "/re/ matches var" always matching if "var" was an empty string
- BUGFIX: Strings marked as "fullword" were incorrectly matching in some cases
Volatility-2.3.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.

November 18, 2013: The following have been released:

device-mapper-multipath{,-libs,-sysvinit}-0.4.9-*.1.{fc16,fc17,fc18,fc19}.{i386,x86_64}.rpm,kpartx-0.4.9-*.1.{fc16,fc17.fc18,fc19}.{i386,x86_64}, device-mapper-multipath{,-libs}-0.4.9-64.1.el6.{i386,x86_64}.rpm,kpartx-0.4.9-64.1.el6.{i386,x86_64}, device-mapper-multipath-0.4.7-59.1.el5.{i386,x86_64}.rpm,kpartx-0.4.7-59.1.el6.{i386,x86_64} - Device-mapper-multipath provides tools to manage multipath devices by instructing the device-mapper multipath kernel module what to do. Of particular importance is kpartx which reads partition tables on specified device and create device maps over partitions segments detected. Unfortunately, kpartx as distributed fails if the specified device is not writable. This version opens the specified device read-only which makes it more usable when dealing with read-only evidence. This read-only change is the only change made to the latest distribution for each of Fedora 16-19, and CentOS/RHEL 5 and 6.

November 8, 2013: The following have been released:

snort-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
sleuthkit{,-devel,-libs}-4.1.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.1.0:
- Core
  - Fixed more visual studio projects to work on 64-bit
  - Added FILE_SHARE_WRITE to all windows open calls
  - Removed unused methods in CRC code that caused compile errors
  - Added NTFS FNAME times to time2 struct in TSK_FS_META to make them easier to access -- should have done this a long time ago!
  - fls -m and tsk_gettimes output NTFS FNAME times to output for timelines
  - hfind with EnCase hashsets works when DB is specified (and not only index)
  - TskAuto now goes into UNALLOC partitions by default too
  - Added support to automatically find all Cellebrite raw dump files given the name of the first image
  - Added 64-bit windows targets to VisualStudio files
  - Added NTFS sequence to parent address in directory and directory itself
  - Updated SQLite code to use sequence when finding parent object ID
- Java
  - Added method to Image to perform sanity check on image sizes
  - Java bindings JAR files now have native libraries in them
  - Logical files are added with a transaction
- fiwalk
  - Fixed compile error on Linux etc
analyzeMFT-2.0.11-1.1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and present the results as accurately as possible in multiple formats.
Volatility-2.3-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.
fmem-kernel-objects-1.6-1.24.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.11.6-201 for FC19
- 3.11.6-200 for FC19
- 3.11.4-201 for FC19
- 3.11.3-201 for FC19
- 3.11.2-200 for FC19
- 3.11.1-200 for FC19
- 3.10.11-200 for FC19
- 3.10.10-200 for FC19
- 3.10.9-200 for FC19
- 3.10.7-200 for FC19
- 3.10.6-200 for FC19
- 3.10.5-201 for FC19
- 3.10.4-300 for FC19
- 3.11.4-101 for FC18
- 3.10.14-100 for FC18
- 3.10.13-101 for FC18
- 3.10.12-100 for FC18
- 3.10.11-100 for FC18
- 3.10.10-100 for FC18
- 3.10.9-100 for FC18
- 3.10.7-100 for FC18
- 3.10.6-100 for FC18
- 3.10.4-100 for FC18
- 2.6.32-358.23.2 for EL6
- 2.6.32-358.18.1 for EL6
- 2.6.18-348.18.1 for EL5
- 2.6.18-371.1.2 for EL5

September 17, 2013: The following have been released:

postgresql{,-contrib,-devel,-libs,-plperl,-plpython,-server,9.3.0-1PGDG.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql93-server sub-package.
pgadmin3_93-1.18.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - PGadmin III is a powerful administration and development platform for the PostgreSQL database, free for any use. It is designed to answer the needs of all users, from writing simple SQL queries to developing complex databases. The graphical interface supports all PostgreSQL features and makes administration easy.
ipa{,-devel,-python}-0.5.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - IPA is an IP address annotation system. IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access. For more information, read the IPA documentation.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version has support for the IPA library.
ip4r93-2.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.
ghostpdl-9.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico.
testdisk-6.14-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This version correctly specifies the version of libntfs-3g.so.
partclone-0.2.48-4.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the correct version of libntfs-3g.so.
libbde{,-devel,-python,-tools}-20130908-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the support formats, protection methods, and additional features. Here are the changes for this release:
- updated dependencies
- added libcthreads build support
- updated msvscpp files
- bug fixes
- code clean up
pytsk-20130910-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.

September 2, 2013: The following have been released:

dd_rescue-1.40-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.33):
- Release 1.40-1 It brings copying of extended attributes (with -p/--preserve). It doubles the default soft block size for buffered IO, but brings sparse write optimization for half-empty blocks. It also optimizes copying by using the first write to get rid off odd file offsets. It also adds a lot more test cases to make check.
- Release 1.39-1 It fixes an issue where a copied file could be appended zeros if hardblocksize copy was used (e.g. b/c hardbs==softbs, bnc #833765). There's also a bit better ARM asm optimization, yielding a ~15% performance increase. There's also a help/manpage clarification that syncfreq actually is a size. And we use autoconf now to determine the target system features. Default build target now uses libdl.
- Release 1.38-1 Improving SSE sparse detection performance (by 40%), adding a testcase for the 1.35/1.36 bug and run it in make check. There's even an AVX version, but it's not enabled by default, as it's untested. --force/-f now allows to ignore a non-zero output position on non-seekable output and the curr.rate and ETA calculations have improved a bit.
- Release 1.37-1 Fixing an issue with SSE2 sparse detection, which could spuriously detect zero-filled blocks and thus result in corrupted copies if option -a was used. (This would happen for blocks that had no bytes with the uppermost bit set, such as e.g. ASCII text.) Embarassing! Also fixed issues on big-endian machines (although these were inconsequential for dd_rescue).
- Release 1.36-1 It fixes an overflow issue with the number output for long running dd_rescue processes. SSE2 is now also enabled in x86 (32bit, with runtime detection) and an optimized ARM version (assembler yeah!) to find zero blocks was added.
- Release 1.35-1 It had some improvements on the output that it prints -- beyond internal improvements it introduces colours to the output unless the terminal type is clearly dumb; there is also an option to control this. Numbers are highlighted for readability. Output is rate limited (10/s). 1.35 also brings a simple rewrite logic for handling write errors. There's an SSE2 optimized version to find zero blocks for sparse writing.
python-apsw-3.8.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
pytsk-20130826-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
regripper-28000000-4.{fc16,fc17,fc18,fc19,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package is contains version 2.8 of the regripper tool. The plugins are packaged separately. This release contains version 08-26-13 of the auto_rip.pl. See here for more details about this script.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. Here are the changes from the previous version (3.7.1):
- PySiLK changes
  - Add IPSet.is_ipv6() and IPSet.convert() methods.
  - Fix a bug when saving an IPv6-IPset that contains only IPv4 addresses.
- IPset bug fixes
  - Fix bugs when computing the union or intersection of an IPv4-IPset and an IPv6-IPset that contains only IPv4 addresses.
- rwfilter bug fixes
  - Fix a spurious warning when loading an IPset.
  - Fix a memory issue during shutdown when an argument to one of the --*cidr switches (--scidr, --dcidr, etc) is mistyped.
- rwflowpack, flowcap bug fixes
  - Fix a bug where the daemon failed to read TCP flags contained in a SubTemplateMultiList when reading IPFIX data over the network.
  - Fix a memory leak when receiving IPFIX data containing a SubTemplateList or a SubTemplateMultiList.
silk-ipset-{devel,lib,tools}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.

August 26, 2013: The following have been released:

libvshadow{,-devel,-tools,-python}-20130723-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
- fixes for 32-bit WINAPI build of pyvshadow in file object glue code
- Changes for stand-alone libbfio build
- updated msvscpp files
- remove unnecessary restriction in library include headers
- updated dependencies
daq-2.0.1-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. here are the changes since the last version:
- daq.h, daq_api.h, daq_base.c, daq_common.h, daq_mod_ops.c, daq_afpacket.c, daq_dump.c, daq_ipfw.c, daq_ipq.c, daq_nfq.c, daq_pcap.c, daq_static_modules.c, daq_static_modules.h, sf_bpf_filter.c, sf_bpf_printer.c, sf_gencode.c, sf_nametoaddr.c, sf_optimize.c, sfbpf-int.c, sfbpf-int.h, sfbpf.h, sfbpf_dlt.h: Update copyright year.
- daq_dump.c, daq_ipfw.c, daq_ipq.c, daq_nfq.c: Ensure verdict is in range before bumping peg counts. Thanks to John Menerick for reporting the issue.
snort-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - (Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
dd_rescue-1.34-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.33):
- This version provides better support for various *nix systems (specifically had a few fixes for FreeBSD), better compatibility with compilers (clang and g++ and clang++). It can now also load libfallocate at runtime (libdl) and detects a few more fatl write errors as such.
ddrescue-1.17-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes from the previous distributed version (1.16):
- Added new option -l, --logfile-size.
- Added new option -w, --ignore-write-errors.
- Option --fill has been renamed to --fill-mode.
- Option --generate-logfile has been renamed to --generate-mode.
- Added option --sector-size as a synonym of --block-size.
- Added option --retries as a synonym of --max-retries.
- Added option --size as a synonym of --max-size.
- rescuebook.cc: Trimming is now done from both edges of each non-trimmed block. Largest blocks are trimmed first.
- rescuebook.cc: Largest blocks are now split first until logfile reaches --logfile-size entries.
- logbook.cc (extend_sblock_vector, truncate_vector): Terminate if truncation would discard finished blocks.
- rescuebook.cc: Mark failed blocks with 1 sector as bad-sector.
- logbook.cc (extend_sblock_vector): Remove last block of logfile if it starts at isize and is not marked as finished.
- io.cc (show_status,update_rates): Detect a jump back in time and adjust status.
- ddrescue.h (slow_read): Return false for the first 10 seconds.
- io.cc (show_status) Leave cursor after message so that ^C does not overwrite it.
- main.cc: Do not require --force for generate mode.
- ddrescue.h (Logbook::logfile_exists): Do not return false if logfile exists but is empty.
- Added new chapter 'Using ddrescue safely' to the manual.
- Documented that 'direct disc access' only reads whole sectors.
- configure: Options now accept a separate argument.
- Makefile.in: Added new target install-bin.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.61-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. Here are the changes from the previous distributed version (0.6.61):
- Move documentation to unversioned directory
netsa-rayon-1.4.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes.
snarf{,-devel,-python}-0.2.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. Here are the changes:
- Initial release to open source community.
- Additional documentation.
- Bug fixes.
ghostpdl-9.09-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
ssdeep-2.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
testdisk-6.14-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. Here are the changes from the last version (6.13):
- General Improvements
  - The log file generated by the Windows version (cygwin) reports bad sectors in a more readable fashion, example
  - ReadFile Data error (cyclic redundancy check).
  - As openssl isn't used, don't link with this cryptographic library (Debian tries to avoid mixing GPL code and openssl)
- TestDisk
  - Improvements
    - testdisk /list now displays the disk model, serial number, firmware version and hpa or dco presence if detected
    - Recover WBFS (Wii Backup File System) partition
    - Make FAT RebuildBS works when there is a single FAT table
    - Interface: Display the partition table type if autodetected
    - Interface: modified warning about mismatching geometry between FAT or NTFS boot sector and HD geometry information (Debian #651756)
    - Interface: Remove "Allow partial last cylinder" option
  - Bug fixes
    - Fix crc in EFI backup GPT
    - Rewrote how TestDisk aligns partition on cylinder or 1MB boundary. It avoids to create partition entry where the partition ends after the end of the disk.
- PhotoRec
  - Improvements
    - Improve Olympus .orf recovery
    - Improve WP Mac/WP5/WP6 Corel Documents .wpd files recovery
    - Fix thumbs.db recovery, avoid some false positive with .doc
    - Interface: if less than 10 file families are enabled, display the results even if zero has been found yet
    - New file formats:
      - .aep After Effects
      - .axx AxCrypt
      - .dp Designer, a Photobook Designer Software
      - .lzh archive
      - .mmap MindManager
      - .plt Gerber Graphix Advantage
      - .prproj Adobe Premiere project
      - .psb Adobe Photoshop Image
      - .pts PTGui, panoramic stitching software
      - .qcp The QCP File Format and Media Types for Speech Data (RFC3625)
      - .shn Shorten audio file
      - .snt Windows Sticky Notes
      - .ttd TinyTag Data
      - .wallet Armory bitcoin wallet
      - .wim Windows imaging (WIM) image
  - Bug fixes
    - Fix an endless loop during .caf file recovery
    - Fix tiff recovery including some raw file formats, 64-bit version wasn't affected

August 1, 2013: The following have been released:

CERT-Forensics-Tools-1.0-55.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
- For Fedora 19, use ewftools.
- For all else, use libewf-tools and obsolete ewftools.
libbfio{,devel}-20120425-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. Here are the changes:
- add VC_EXTRALEAN to config_msc.h
- add autoconf/make test suite
- add callback function to resize memory range if needed?
- additional checks for system strings
- allow re-set of pool entries?
- bug fix for POSIX wide character support in path functions
- check if libbfio.3 is up to date
- code clean up
- fixed memory leak due to recent changes
- remove deprecated functions in libbfio_legacy.[ch]
- removed deprecated functions
- updated .pc and .spec file
- updated codegear files
- updated common
- updated configure.ac
- updated configure.ac and m4 files
- updated dependencies
- updated gettext
- updated libcstring, libuna
- updated libuna
- updated list type, offset list
- updated msvscpp and borlandc files
- updated msvscpp files
- updated spec and pc files
- what about disk full on write
- wide to narrow (ASCII with codepage) conversion
- worked on absolute path support with /../
- worked on file range back end
- worked on full file name support for open on demand
- worked on full path functions
- worked on libcfile rewrite
- worked on libcpath rewrite
libpff-20120802-2.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF - the Digital Forensics Framework. See the libpff website for the list of changes
dff-1.3.0-3.{fc17,fc18,fc19}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examinors, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, and 19 supported in this release. Here are the changes (thanks to Danil Bazin for the bug report and suggested fixes):
- Added a dynamic loader configuration file, activated them when dff is installed, and deactived them when dff is uninstalled.
- Added missing PyQt4 dependency.
- Added missing reglookup dependency.
- Added the __init__.py file needed for searching.
- Recomplied with latest libbfio and libpff libraries.
- Installed the ffmpeg-devel package from the RPMFusion to add video support to dff. This required the installation of these additional pagkages, all also from RPMFusion:
  - ffmpeg-libs
  - librtmp
  - x264-libs
  - xvidcore
fmem-kernel-objects-1.6-1.23.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 2.6.32-358.11.1 for EL6
- 3.9.8-108 for FC17
- 3.9.10-100 for FC17
- 3.9.5-201 for FC18
- 3.9.6-208 for FC18
- 3.9.9-201 for FC18
- 3.9.10-200 for FC18
- 3.9.11-200 for FC18
- 3.9.5-301 for FC19
- 3.9.9-302 for FC19
- 3.10.3-300 for FC19
libbde{,-devel,-python,-tools}-20130729-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the support formats, protection methods, and additional features. Here are the changes for this release:
- updated dependencies
- pybde fixes for >2G file objects in BFIO glue code
- worked on git support
- updated dependencies
- fixed some typos
- fix for dealing with padding in FVE metadata block
partclone-0.2.48-3.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest libntfs-3g shared library, bringing all of the releases to the same release level.
recoll-1.19.4-2.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Recoll is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names. See here for a list of changes in this version. In addition, tar archives have been enabled and the epub, pstotext, and aspell packages have been added as required packages.
stegdetect-0.6.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - stegdetect is an automated tool for detecting steganographic content in images. This package was rebuilt to remove compiler optimization, the inclusion of which caused stegdetect to crash. Thanks to Pete Troxell for the bug reports and suggested fixes.
kracked-0.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Kracked is a tool that creates word lists from files, memory captures for example.
{vmfs-tools,ilibvmfs-devel}-0.2.5-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - VMfs-tools is a collection of command-line tools for operating on VMware's VMFS file system. Included in this release is limited VMFS version 5 support.

August 6, 2013: The following have been released:

Fedora 19 - The repository now supports Fedora 19 for both the i686 and x86_64 CPU architectures.
Fedora 15 Support for Fedora 16 i686 and x86_64 architectures - Updates to Fedora 15 for both the i686 and x86_64 CPU architectures has ceased.

July 10, 2013: The following have been released:

libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.60-1.1.{fc15,fc16,fc17,fc18, el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
sleuthkit{,-devel,-libs}-4.1.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.0.2:
- Core
  - Added YAFFS2 support (patch from viaForensics).
  - Added Ext4 support (patch from kfairbanks)
  - changed all include paths to be 'tsk' instead of 'tsk3' (IMPORTANT FOR ALL DEVELOPERS!)
- Framework
  - Added Linux and MAC support.
  - Added L01 support.
  - Added APIs to find files by name, path and extension.
  - Removed deprecated TskFile::getAttributes methods.
  - moved code around for AutoBuild tool support.
- Java Bindings
  - added DerivedFile datamodel support
  - added a public method to Content to add ability to close() its tsk handle before the object is gc'd
  - added faster skip() and random seek support to ReadContentInputStream
  - refactored datamodel by pushing common methods up to AbstractFile
  - fixed minor memory leaks
  - improved regression testing framework for java bindings datamodel
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See the release notes for a list of changes since the previous version, 2.5.0.
analysis-pipeline-4.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See the release notes for a list of changes since the previous version, 3.0.0.
silk-ipset-{devel,lib,tools}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
super_mediator-0.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
netsa-python-1.4.3-1.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Netsa-python is a library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes). Netsa-python is compatible with Python versions 2.4 and greater. See here for a list of the changes since the last release which was version 1.3.
netsa-rayon-1.4.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes.
snarf{,-devel,-python}-0.2.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner.
prism-1.2-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool. The script can be used directly, or might be used as a component in other more specialized scripts. In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup. This is a new release keeping up with the latest SiLK 3 tools.
CERT-Forensics-Tools-1.0-54.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
- Added libbde-tools for all supported architectures
- Added libfvde-tools for all supported architectures
- Added libvhdi-tools for all supported architectures
- Obsoletes rayon and replaces it with netsa-python
pytsk-2012113-3.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. This release has been rebuilt to use version 4.1.0 of The Sleuth Kit.

June 17, 2013: The following have been released:

aff{lib,lib-devel,tools}-3.7.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. This version now uses the correct version of libewf-devel.
testdisk-6.13-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This version now uses the correct version of libewf-devel.
libbde{,-devel,-python,-tools}-20130422-1.fc18.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.

The supported BDE formats are:
- BitLocker Windows Vista
- BitLocker Windows 7
- BitLocker Windows 8 (Consumer Preview)
- BitLocker To Go
The supported protection methods are:
- clear key
- password
- recovery password
- start-up key
- FKEV and/or TWEAK key data
The additional features are:
- support for partial encrypted volumes
- zeros out the BDE metadata, matches behavior seen on Windows
libfvde{,-devel,-tools}-20130422-1.fc18.{i686,x86_64}.rpm - Libfvde is a lbrary and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.

The supported FileVault2 implementations are:
- Mac OS X Lion
- Mac OS X Mountain Lion
The supported encryption volume types are:
- removable media volume (initial support as of 20121113 version)
- system volume
The supported protection methods are:
- password
- recovery password
- VMK key data (as of 20121114 version)
The development in progress work areas are:
- extend CoreStorage volume support
- partial encrypted volumes
libvhdi{,-devel,-python,-tools}-20130512-1.fc18.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status.

The supported formats for reading are:
- VHD version 1
The supported image types are:
- Fixed-size hard disk image
- Dynamic-size (or sparse) hard disk image
The image types currently not supported are:
- Differential (or differencing) hard disk image
The areas for work in progress are:
- Differential image support
- Dokan library support

June 6, 2013: The following have been released:

python-apsw-3.7.17-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
libewf-{,devel,tools}-20130416-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130128):
- added error tolerance for Logicube image with missing checksum in data section
- bug fix in libcfile.m4 for building on MingW and Cygwin
- changes and fixes in debug output
- changes to zlib.m4 for adler32 detection
- code clean up
- fix in libsmdev for MinGW build
- fixed maximum number of segments
- fixed unknown symbols error related to libbfio
- moved README.mingw and README.static to wiki
- sync with experimental version
- updated codegear files
- updated dependencies
- updated msvscpp files
- updated types.h
- updates for libsmdev
- worked on libcdata integration
fmem-kernel-objects-1.6-1.22.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.9.4-200 for FC18
- 3.9.2-200 for FC18
- 3.8.13-100 for FC17
- 3.8.12-100 for FC17
- 2.6.32-358.6.2 for EL6
- 2.6.18-348.6.1 for EL5

May 23, 2013: The following have been released:

libvshadow{,-devel,-tools,-python}-20130509-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version>
- added libcthreads
- added libvshadow_volume_get_store_identifier function
- added store read from file IO handle function
- changes to read block descriptors on demand improves vshadowinfo preformance
- fixed issue in read buffer due to recent changes
- fixes for multiple open/close on the same volume object
- slight improvement of error tolerability of catalog parsing
- vshadowmount small changes
- worked on multi-threading support
- worked on multi-threading support
- worked on multi-threading support
- worked on tests
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.59-1.1.{fc15,fc16,fc17,fc18, el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
regripper-28000000-3.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package is contains version 2.8 of the regripper tool. The plugins are packaged separately. This release contains the auto_rip.pl. See here for more details about this script.

May 14, 2013: The following have been released:

ADIA-FC17-{i686,x86-64}-{VMware,VirtualBox}.iso - These items are VMware and VirtualBox-based forensic appliances built with Fedora 17 for the i686 and x86_64 architectures. Please note that they are not a live CDs. See here for more details.

May 7, 2013: The following have been released:

partclone-0.2.48-3.el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release (3) was built to use the latest libntfs-3g shared library which comes from the fuse-ntfs-3g package. It has only be rebuilt for RHEL/CentOS 6 to fix a conflict with this shared library.
prism-1.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool. The script can be used directly, or might be used as a component in other more specialized scripts. In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup. The changes in this version are the following:
- Added new wsgi web UI.
- Filter DeprecationWarnings to prevent user confusion.
- Correct runtime dependencies.
rayon-1.3.3-2.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). This version has been rebuilt to more precisely defined the build and operational dependencies.
libvshadow{,-devel,-tools,-python}-20130501-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version>
- added initial version of qcowmount with Dokan library support
yaf{,-devel}-2.4.0-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS. Here are the changes since the last version:
- New HTTP DPI Fields
- Updated DPI Elements
- Bug Fix to not replace yaf.conf on install
- New application label: VMware server console
- Added support to decode ERSPAN headers
- Drop statistics are updated when statistics messages are exported
- yafcollect bug fix
- Other Bug Fixes
fmem-kernel-objects-1.6-1.21.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.8.11-200 for FC18
- 3.8.11-100 for FC17

April 30, 2013: The following have been released:

regripper-28000000-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package is contains version 2.8 of the regripper tool. The plugins are packaged separately. See the Update History for a list of the changes made since the last release (20130404).
regripper-plugins-20130429-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. See the Update History for the list of changes made in this release.
fmem-kernel-objects-1.6-1.20.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
- 3.8.9-200 for FC18
- 3.8.8-203 for FC18
- 3.8.8-202 for FC18
- 3.8.8-100 for FC17
- 2.6.32-358.6.1 for EL6
- 2.6.18-348.4.1 for EL5

April 26, 2013: The following have been released:

scalpel-2.0-2.el5.{i686,x86_64}.rpm - This package was updated to reflect the new version of the regular expression matching library tre. Note that this change is only for RHEL/CentOS 5.
snort-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - (Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
libvshadow{,-devel,-tools,-python}-20130417-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.
- added tests directory
- bug fix in dependencies
- code clean up
- pyvshadow updates
- updated README files
- updated dependencies
- updates and bug fixes in pyvshadow
- vshadowtools now detect if there is a VSS signature first and bail out with a different error if not

April 22, 2013: The following have been released:

snort-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - (Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-sample-rules-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
regripper-plugins-20130404-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The plugins added are the following:
- NOTE: these are the packager's comments on what is new in this release, not the authors.
- NEW PLUGIN attachmgr.pl The Windows Attachment Manager manages how attachments are handled, and settings are on a per-user basis. Malware has been shown to access these settings and make modifications.
- NEW PLUGIN javasoft.pl Gets contents of JavaSoft/UseJava2IExplorer value
- NEW PLUGIN lsa_packages.pl Lists various *Packages key contents beneath LSA key
- NEW PLUGIN olsearch.pl Gets contents of user's OutLook Searches
- NEW PLUGIN outlook2.pl Gets MAPI (Outlook) settings *BETA*
- NEW PLUGIN photos.pl Read data on images opened via Win8 Photos app
- NEW PLUGIN scanwithav.pl Checks ScanWithAV value in Software hive, per KB 883260
- NEW PLUGIN uac.pl Get User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- UPDATE appinitdlls.pl updated to address 64-bit systems
- UPDATE ares.pl updated based on data provided by J. Weg
- UPDATE ie_settings.pl added "AutoConfigURL" value info
- UPDATE inprocserver.pl fixed retrieving LW time from correct key
- UPDATE landesk.pl added Wow6432Node path
- UPDATE sevenzip.pl minor updates added
- UPDATE soft_run.pl updated to include Policies keys; added additional keys
- UPDATE ssh_host_keys.pl Added rptMsg for key not found errors by Corey Harrell
- UPDATE termserv.pl updated with autostart locations
- UPDATE user_run.pl added additional keys; updated to include Policies keys; updated to include additional keys; updated to include 64-bit, additional keys/values
- UPDATE winlogon_u updated with ThreatExpert info
- UPDATE winscp_sessions.pl Added rptMsg for key not found errors by Corey Harrell
- NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
bloom-1.4.6-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Bloom is an NPS bloom filter package that includes the frag_find utility. This version removes the frag_find tool which is now packaged separately.
frag_find-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Frag_find is a program for finding blocks of one or more MASTER files in a disk IMAGE file. This is useful in cases where a MASTER file has been stolen and you wish to establish that the file has been present on a subject's drive. If most of the MASTER file's sectors are found on the IMAGE drive---and if the sectors are in consecutive sector runs---then the chances are excellent that the file was once there.
CERT-Forensics-Tools-1.0-53.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
- add frag_find for all supported architectures
disktype-9-9.3.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This release corrects a package building error dealing with release numbering.

fmem-kernel-objects-1.6-1.19.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:

3.8.7-201 for FC18
3.8.6-203 for FC18

RHEL/CentOS 5: Added the following:

2.6.18-8.el5.i686
2.6.18-8.el5.x86_64
2.6.18-8.el5PAE.i686
2.6.18-8.1.1.el5.i686
2.6.18-8.1.1.el5.x86_64
2.6.18-8.1.1.el5PAE.i686
2.6.18-8.1.10.el5.i686
2.6.18-8.1.10.el5.x86_64
2.6.18-8.1.10.el5PAE.i686
2.6.18-8.1.14.el5.i686
2.6.18-8.1.14.el5.x86_64
2.6.18-8.1.14.el5PAE.i686
2.6.18-8.1.15.el5.i686
2.6.18-8.1.15.el5.x86_64
2.6.18-8.1.15.el5PAE.i686
2.6.18-8.1.3.el5.i686
2.6.18-8.1.3.el5.x86_64
2.6.18-8.1.3.el5PAE.i686
2.6.18-8.1.4.el5.i686
2.6.18-8.1.4.el5.x86_64
2.6.18-8.1.4.el5PAE.i686
2.6.18-8.1.6.el5.i686
2.6.18-8.1.6.el5.x86_64
2.6.18-8.1.6.el5PAE.i686
2.6.18-8.1.8.el5.i686
2.6.18-8.1.8.el5.x86_64
2.6.18-8.1.8.el5PAE.i686
2.6.18-53.el5.i686
2.6.18-53.el5.x86_64
2.6.18-53.el5PAE.i686
2.6.18-53.1.13.el5.i686
2.6.18-53.1.13.el5.x86_64
2.6.18-53.1.13.el5PAE.i686
2.6.18-53.1.14.el5.i686
2.6.18-53.1.14.el5.x86_64
2.6.18-53.1.14.el5PAE.i686
2.6.18-53.1.19.el5.i686
2.6.18-53.1.19.el5.x86_64
2.6.18-53.1.19.el5PAE.i686
2.6.18-53.1.21.el5.i686
2.6.18-53.1.21.el5.x86_64
2.6.18-53.1.21.el5PAE.i686
2.6.18-53.1.4.el5.i686
2.6.18-53.1.4.el5.x86_64
2.6.18-53.1.4.el5PAE.i686
2.6.18-53.1.6.el5.i686
2.6.18-53.1.6.el5.x86_64
2.6.18-53.1.6.el5PAE.i686
2.6.18-92.el5.i686
2.6.18-92.el5.x86_64
2.6.18-92.el5PAE.i686
2.6.18-92.1.1.el5.i686
2.6.18-92.1.1.el5.x86_64
2.6.18-92.1.1.el5PAE.i686
2.6.18-92.1.10.el5.i686
2.6.18-92.1.10.el5.x86_64
2.6.18-92.1.10.el5PAE.i686
2.6.18-92.1.13.el5.i686
2.6.18-92.1.13.el5.x86_64
2.6.18-92.1.13.el5PAE.i686
2.6.18-92.1.17.el5.i686
2.6.18-92.1.17.el5.x86_64
2.6.18-92.1.17.el5PAE.i686
2.6.18-92.1.18.el5.i686
2.6.18-92.1.18.el5.x86_64
2.6.18-92.1.18.el5PAE.i686
2.6.18-92.1.22.el5.i686
2.6.18-92.1.22.el5.x86_64
2.6.18-92.1.22.el5PAE.i686
2.6.18-92.1.6.el5.i686
2.6.18-92.1.6.el5.x86_64
2.6.18-92.1.6.el5PAE.i686
2.6.18-128.el5.i686
2.6.18-128.el5.x86_64
2.6.18-128.el5PAE.i686
2.6.18-128.1.1.el5.i686

2.6.18-128.1.1.el5.x86_64
2.6.18-128.1.1.el5PAE.i686
2.6.18-128.1.10.el5.i686
2.6.18-128.1.10.el5.x86_64
2.6.18-128.1.10.el5PAE.i686
2.6.18-128.1.14.el5.i686
2.6.18-128.1.14.el5.x86_64
2.6.18-128.1.14.el5PAE.i686
2.6.18-128.1.16.el5.i686
2.6.18-128.1.16.el5.x86_64
2.6.18-128.1.16.el5PAE.i686
2.6.18-128.1.6.el5.i686
2.6.18-128.1.6.el5.x86_64
2.6.18-128.1.6.el5PAE.i686
2.6.18-128.2.1.el5.i686
2.6.18-128.2.1.el5.x86_64
2.6.18-128.2.1.el5PAE.i686
2.6.18-128.4.1.el5.i686
2.6.18-128.4.1.el5.x86_64
2.6.18-128.4.1.el5PAE.i686
2.6.18-128.7.1.el5.i686
2.6.18-128.7.1.el5.x86_64
2.6.18-128.7.1.el5PAE.i686
2.6.18-164.el5.i686
2.6.18-164.el5.x86_64
2.6.18-164.el5PAE.i686
2.6.18-164.10.1.el5.i686
2.6.18-164.10.1.el5.x86_64
2.6.18-164.10.1.el5PAE.i686
2.6.18-164.11.1.el5.i686
2.6.18-164.11.1.el5.x86_64
2.6.18-164.11.1.el5PAE.i686
2.6.18-164.15.1.el5.i686
2.6.18-164.15.1.el5.x86_64
2.6.18-164.15.1.el5PAE.i686
2.6.18-164.2.1.el5.i686
2.6.18-164.2.1.el5.x86_64
2.6.18-164.2.1.el5PAE.i686
2.6.18-164.6.1.el5.i686
2.6.18-164.6.1.el5.x86_64
2.6.18-164.6.1.el5PAE.i686
2.6.18-164.9.1.el5.i686
2.6.18-164.9.1.el5.x86_64
2.6.18-164.9.1.el5PAE.i686
2.6.18-194.el5.i686
2.6.18-194.el5.x86_64
2.6.18-194.el5PAE.i686
2.6.18-194.11.1.el5.i686
2.6.18-194.11.1.el5.x86_64
2.6.18-194.11.1.el5PAE.i686
2.6.18-194.11.3.el5.i686
2.6.18-194.11.3.el5.x86_64
2.6.18-194.11.3.el5PAE.i686
2.6.18-194.11.4.el5.i686
2.6.18-194.11.4.el5.x86_64
2.6.18-194.11.4.el5PAE.i686
2.6.18-194.17.1.el5.i686
2.6.18-194.17.1.el5.x86_64
2.6.18-194.17.1.el5PAE.i686
2.6.18-194.17.4.el5.i686
2.6.18-194.17.4.el5.x86_64
2.6.18-194.17.4.el5PAE.i686
2.6.18-194.26.1.el5.i686
2.6.18-194.26.1.el5.x86_64
2.6.18-194.26.1.el5PAE.i686
2.6.18-194.3.1.el5.i686
2.6.18-194.3.1.el5.x86_64
2.6.18-194.3.1.el5PAE.i686
2.6.18-194.32.1.el5.i686
2.6.18-194.32.1.el5.x86_64
2.6.18-194.32.1.el5PAE.i686
2.6.18-194.8.1.el5.i686
2.6.18-194.8.1.el5.x86_64
2.6.18-194.8.1.el5PAE.i686
2.6.18-238.el5.i686
2.6.18-238.el5.x86_64

2.6.18-238.el5PAE.i686
2.6.18-238.1.1.el5.i686
2.6.18-238.1.1.el5.x86_64
2.6.18-238.1.1.el5PAE.i686
2.6.18-238.12.1.el5.i686
2.6.18-238.12.1.el5.x86_64
2.6.18-238.12.1.el5PAE.i686
2.6.18-238.19.1.el5.i686
2.6.18-238.19.1.el5.x86_64
2.6.18-238.19.1.el5PAE.i686
2.6.18-238.5.1.el5.i686
2.6.18-238.5.1.el5.x86_64
2.6.18-238.5.1.el5PAE.i686
2.6.18-238.9.1.el5.i686
2.6.18-238.9.1.el5.x86_64
2.6.18-238.9.1.el5PAE.i686
2.6.18-274.el5.i686
2.6.18-274.el5.x86_64
2.6.18-274.el5PAE.i686
2.6.18-274.12.1.el5.i686
2.6.18-274.12.1.el5.x86_64
2.6.18-274.12.1.el5PAE.i686
2.6.18-274.17.1.el5.i686
2.6.18-274.17.1.el5.x86_64
2.6.18-274.17.1.el5PAE.i686
2.6.18-274.18.1.el5.i686
2.6.18-274.18.1.el5.x86_64
2.6.18-274.18.1.el5PAE.i686
2.6.18-274.3.1.el5.i686
2.6.18-274.3.1.el5.x86_64
2.6.18-274.3.1.el5PAE.i686
2.6.18-274.7.1.el5.i686
2.6.18-274.7.1.el5.x86_64
2.6.18-274.7.1.el5PAE.i686
2.6.18-308.el5.i686
2.6.18-308.el5.x86_64
2.6.18-308.el5PAE.i686
2.6.18-308.1.1.el5.i686
2.6.18-308.1.1.el5.x86_64
2.6.18-308.1.1.el5PAE.i686
2.6.18-308.11.1.el5.i686
2.6.18-308.11.1.el5.x86_64
2.6.18-308.11.1.el5PAE.i686
2.6.18-308.13.1.el5.i686
2.6.18-308.13.1.el5.x86_64
2.6.18-308.13.1.el5PAE.i686
2.6.18-308.16.1.el5.i686
2.6.18-308.16.1.el5.x86_64
2.6.18-308.16.1.el5PAE.i686
2.6.18-308.20.1.el5.i686
2.6.18-308.20.1.el5.x86_64
2.6.18-308.20.1.el5PAE.i686
2.6.18-308.24.1.el5.i686
2.6.18-308.24.1.el5.x86_64
2.6.18-308.24.1.el5PAE.i686
2.6.18-308.4.1.el5.i686
2.6.18-308.4.1.el5.x86_64
2.6.18-308.4.1.el5PAE.i686
2.6.18-308.8.1.el5.i686
2.6.18-308.8.1.el5.x86_64
2.6.18-308.8.1.el5PAE.i686
2.6.18-308.8.2.el5.i686
2.6.18-308.8.2.el5.x86_64
2.6.18-308.8.2.el5PAE.i686
2.6.18-348.el5.i686
2.6.18-348.el5.x86_64
2.6.18-348.el5PAE.i686
2.6.18-348.1.1.el5.i686
2.6.18-348.1.1.el5.x86_64
2.6.18-348.1.1.el5PAE.i686
2.6.18-348.2.1.el5.i686
2.6.18-348.2.1.el5.x86_64
2.6.18-348.2.1.el5PAE.i686
2.6.18-348.3.1.el5.i686
2.6.18-348.3.1.el5.x86_64
2.6.18-348.3.1.el5PAE.i686

RHEL/CentOS 6: Added the following:

2.6.32-71.el6.i686
2.6.32-71.el6.x86_64
2.6.32-71.14.1.el6.i686
2.6.32-71.14.1.el6.x86_64
2.6.32-71.18.1.el6.i686
2.6.32-71.18.1.el6.x86_64
2.6.32-71.18.2.el6.i686
2.6.32-71.18.2.el6.x86_64
2.6.32-71.24.1.el6.i686

2.6.32-71.24.1.el6.x86_64
2.6.32-71.29.1.el6.i686
2.6.32-71.29.1.el6.x86_64
2.6.32-71.7.1.el6.i686
2.6.32-71.7.1.el6.x86_64
2.6.32-131.0.15.el6.i686
2.6.32-131.0.15.el6.x86_64
2.6.32-220.el6.i686
2.6.32-220.el6.x86_64

2.6.32-279.el6.i686
2.6.32-279.el6.x86_64
2.6.32-358.0.1.el6.i686
2.6.32-358.0.1.el6.x86_64
2.6.32-358.el6.i686
2.6.32-358.el6.x86_64
2.6.32-358.2.1.el6.i686
2.6.32-358.2.1.el6.x86_64

cert-forensics-tools-release-5.9-8.noarch.rpm - This package was added to correct a configuration problem where the package could not be installed on all RHEL/CentOS-5 systems.

April 3, 2013: The following have been released:

dd_rescue-1.33-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.31):
- This version brings long options, a new double overwrite mode (-2) and a man page.
fmem-kernel-objects-1.6-1.18.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
- 3.8.5-201 for FC18
- 3.8.4-102 for FC17
python-apsw-3.7.16.1_r1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
yara-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version:
- faster compilation
- added suport for modulus (%) and bitwise xor (|) operators
- better hashing of regular expressions
- BUGFIX: yara-python segfault when using dir() on Rules and Match classes
- BUGFIX: Integer overflow causing infinite loop
- BUGFIX: Handling strings containing \x00 characters correctly
- BUGFIX: Regular expressions not matching at the end of the file when compiled with RE2
- BUGFIX: Memory leaks
- BUGFIX: File handle leaks
yara-python-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts. See the changes for yara above.

March 26, 2013: The following have been released:

guymager-0.7.1-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.13):
- Duplicate image creation
- New RunStats module
- New job queue mechanism - Note that because of this capability and the version of qt-devel on RHEL/CentOS 5, this version of guymager is not available on RHEL/CentOS 5
- New userfield
- New configuration table for main Guymager table
- New font configuration
- New cfg table HiddenDevices
- New configuration parameter CommandAcquisitionEnd
- Writing hidden area info into info file
- Gray out rescan button when scan is running
- In order to avoid the "contagious error", DirectIO is switched on in fallback mode.
- Removed race condition where write thread would write hash into image before it has been calculated by hash thread.
- SHA-1 support added
fmem-kernel-objects-1.6-1.17.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
- 3.8.4-202 for FC18
- 3.8.3-203 for FC18
- 3.8.2-206 for FC18
- 3.8.3-103 for FC17

March 12, 2013: The following have been released:

disktype-9-9.2.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This release corrects a package building error dealing with libewf.
libfixbuf{,-devel}-1.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
yaf{,-devel}-2.3.3-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS. This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
yaf{,-devel}-2.2.1-4.{el5}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. It has been recompiled to use the latest version of libfixbuf.

March 5, 2013: The following have been released:

Fedora 18 - The repository now supports Fedora 18 for both the i686 and x86_64 CPU architectures. All packages have been moved from the forensics-test repository to the standard cert repository. If you find any unexpected behavior with the packages as currently distributed, please send email to
partclone-0.2.48-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest libntfs-3g shared library.
dff-1.3.0-1.{fc17,fc18}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examinors, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17 and 18 are supported in this release. See here for a list of recent changes
fmem-kernel-objects-1.6-1.16.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
- 3.7.9-205 for FC18
- 3.8.1-201 for FC18
- 3.7.9-101 for FC17
- 3.7.9-104 for FC17
xplico-1.0.1-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. This release includes support for Python version 3.3 which is the default for Fedora 18.
snort-2.9.4.1-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - (Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
libvshadow{,-devel,-tools,-python}-20130304-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.
- added PackageMaker files
- updated include/types.h
- fixed typo in vhsadowmount
regripper-plugins-20130218-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The plugins added are the following:
- NEW PLUGIN by Corey Harrell: uac.pl that gets UAC configuration values (SOFTWARE)
- UPDATE by Harlan Carvey to comdlg32.pl, many updates (NTUSER)
- NOTE profile software-all was updated
- NOTE profiles all DO NOT contain plugins TLN versions: you must create your own profiles or use them directly
- NOTE RegRipperPluginsPackage (RRPP) counts 236 plugins

February 21, 2013: The following have been released:

dd_rescue-1.32-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.31):
- 1.32: This version has a new option (-x) to append to the output file and you can specify -Y (multiple times if you wish so) to write the same data to secondary output files.
ghostpdl-9.07-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
fmem-kernel-objects-1.6-1.15.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
- 3.7.6-201 for FC18
- 3.7.7-201 for FC18
- 3.7.8-202 for FC18
- 3.7.9-201 for FC18

February 8, 2013: The following have been released:

dd_rescue-1.31-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue. does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.28):
- 1.31: This version brings a few tiny improvements in the output (such as displaying the total elapsed time in the summary as opposed to ETA of 0, and the amount of data really written with option -W). But importantly, it has the new mode of triple overwriting of data (options -3 and -4), with random numbers, inverse random numbers, new random numbers (only for -4) and zeros, this way allowing paranoia-safe deletion of information.
- 1.30: This version brought a fix for outputting data to stdout and a fix for a possible double free operation (introduced in 1.29). The message formatting has been streamlined a bit. The PRNG can now be initialized from a file (e.g. -Z /dev/urandom). The program now can also avoid writing to a target block if the target block already has the same data (option -W). Think of SSDs or other devices where you want to avoid writes.
- 1.29: This contains a bug was fixed, where the last bytes where not copied corrected if hardbs == softbs. 1.29 also brings a number of new features; the ability to write the same (softbs sized) block again and again (option -R, automatically set if infile is /dev/zero), the ability to limit transfer size such that the outfile won't be enlarged (-M) and the possibility to use userspace random numbers (libc/frandom) to fill files with random data (options -z and -Z). Last not least, OBS also builds .deb binaries for Ubu12.04 / Deb6 now.
fuse-exfat-1.0.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32 removing some of it's limitations. exFAT is a standard file system for SDXC memory cards. Here are the changes from the previous version:
- Fixed unexpected removal of a directory if it is moved into itself.
- Fixed "Operation not permitted" error on reading an empty file.
exfat-utils-1.0.1-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version:
- Fixed unexpected removal of a directory if it is moved into itself.
- Fixed "Operation not permitted" error on reading an empty file.
libewf-{,devel,tools}-20130128-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20121209):
- worked on sync with experimental version
- docstring changes in pyewf
- fix for corruption scenario
- fixes in pyewf examples
- updated msvscpp files
- updated codegear files
- updated pyewf
- worked on sync with experimental version
- replace libmfcache by new libfcache
- updated configure files
- updated dpkg files
- updated rpm spec file
- updated pyewf - fixes multiple issues
- updated dependencies
- worked on sync with experimental version
- added pyewf/setup.py with thanks to Michael Cohen
- bug fix for 31th day of the month issue
libvshadow{,-devel,-tools,-python}-20130131-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.
- worked on pyvshadow
- worked on exposing block descriptors via vshadowinfo
- worked on exposing block descriptors via API
- removed LIBVSHADOW_STORE_FLAG_IO_HANDLE_MANAGED flags
sleuthkit{,-devel,-libs}-4.0.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.0.1:
- New Features
  - Added fiwalk tool from Simson. Not supported in Visual Studio yet.
- Bug Fixes
  - Fixed fcat to work on NTFS files (still doesn't support ADS though).
  - Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
  - NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
  - NTFS code uses sequence number when searching MFT entries for all files.
  - Libewf detection code change to support v2 API more reliably (ID: 3596212).
  - NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
- Framework
  - Added new API to TskImgDB that returns the base name of an image.
  - Numerous performance improvements to framework.
  - Removed requirement in framework to specify module extension in pipeline configuration file.
  - Added blackboard artifacts to represent both operating system and network service user accounts.
- Java Bindings
  - added more APIs to find files by name, path and where clause
  - added API to get currently processed dir when image is being added,
  - added API to return specific types of children of image, volume system, volume, file system.
  - moved more common methods up to Content interface
  - deprecated context of blackboard attributes,
  - deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
  - fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
  - methods that are lazy loading are now thread safe
  - Hash class is now thread-safe
  - use more PreparedStatements to improve performance
  - changed source level from java 1.6 to 1.7
  - Throw exceptions from C++ side better
fiwalk-0.6.16-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This release has been rebuilt to use version 4.0.2 of The Sleuth Kit, which because that release now contains both fiwalk and jpeg_extract, this release no longer contains those to programs.
yaf{,-devel}-2.3.3-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. See here for the list of changes.
fmem-kernel-objects-1.6-1.14.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
- 3.7.5-201 for FC18

February 5, 2013: The following have been released:

Support for Fedora 18 i686 and x86_64 architectures - The repository now supports Fedora 18 for both the i686 and x86_64 CPU architectures. Please note that while the release packages are located in the standard cert repository, all other packages are located in the forensics-test repository. To install and use these packages, you must enable the forensics-test repository by editing the /etc/yum.repos.d/cert-forensics-tools.repo and changing the enabled=0 line to enabled=1. You must do this as root. The schedule is to move all packages to the standard cert repository on Monday, March 4, 2013 unless testing disrupts this schedule. If you find any unexpected behavior with the packages as currently distributed, please send email to
fuse-exfat-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32 removing some of it's limitations. exFAT is a standard file system for SDXC memory cards. Here are the changes from the previous version:
- Fixed crash when renaming a file within a single directory and a new name differs only in case.
- Fixed clusters allocation: a cluster beyond valid clusters range could be allocated.
- Fixed crash when a volume is unmounted while some files are open.
- SConscript now respects AR and RANLIB environment variables.
- Improved error handling.
- Enabled big_writes. This improves write speed (larger block size means less switches between kernel- and user-space).
- Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" kernel still allows to open the device in read-write mode but fails writes.
exfat-utils-1.0.0-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version:
- Fixed crash when renaming a file within a single directory and a new name differs only in case.
- Fixed clusters allocation: a cluster beyond valid clusters range could be allocated.
- Fixed crash when a volume is unmounted while some files are open.
- SConscript now respects AR and RANLIB environment variables.
- Improved error handling.
- Enabled big_writes. This improves write speed (larger block size means less switches between kernel- and user-space).
- Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" kernel still allows to open the device in read-write mode but fails writes.
libvshadow{,-devel,-tools,-python}-20130113-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.
- 2013 u