December 20, 2023:
The following changes have been made:
python3-dfvfs-20231208-1.{fc37,fc38,fc39,el8,el9}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libgzipf{,-devel,-python3,-static,-tools}-20231218-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libgzipf{,-devel,-python36,-static,-tools}-20231218-1.el7.x86_64.rpm, and libgzipf{,-devel,-python3,-static,-tools}-20231218-1.el9.{x86_64,aarch64}.rpm -
libgzipf is a library to access the GZIP file format.
libbde{,-devel,-python3,-tools}-20231220-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libbde{,-devel,-python36,-tools}-20231220-1.el7.x86_64.rpm, and libbde{,-devel,-python3,-tools}-20231220-1.el9.{x86_64,aarch64}.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
pfring-8.7.0-8735.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8735-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4517.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc39-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.6-200 for FC39
6.6.4-200 for FC39
fmem-kernel-modules-fc39-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.6-200 for FC39
6.6.4-200 for FC39
lime-kernel-modules-fc38-x86_64-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.6-100 for FC38
6.6.4-100 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.4-100 for FC38
6.6.6-100 for FC38
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-391 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-391 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-47.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-526 for EL8
4.18.0-522 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.47.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-526 for EL8
4.18.0-522 for EL8
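The LiME and Fmem module packages above are built per kernel, so a module loaded on a kernel it was not built for will fail to load or, worse, produce an unreliable memory image. The following POSIX sh check is an added example, not part of this page or of the LiME/Fmem packages: it normalizes the output of uname -r to the "version-release" plus distribution tag form the package entries use and looks it up in a list. The list embedded here is copied from the December 20, 2023 entry above for illustration; on a real host you would populate it from whatever module package is actually installed.

```shell
# Added example: confirm the running kernel is one the installed LiME/Fmem
# module package was built for before attempting a live memory acquisition.

# Supported kernels as "<version-release> <disttag>", one per line.
# Constructed from the December 20, 2023 changelog entry; both LiME and
# Fmem were built for the same kernels in that entry.
KMOD_SUPPORTED='
6.6.6-200 fc39
6.6.4-200 fc39
6.6.6-100 fc38
6.6.4-100 fc38
5.14.0-391 el9
4.18.0-526 el8
4.18.0-522 el8
'

# kernel_base "6.6.6-200.fc39.x86_64"  -> "6.6.6-200 fc39"
# Strips the architecture suffix, then splits the version-release from the
# distribution tag (the last dotted component that remains).
kernel_base() {
    k=$1
    k=${k%.x86_64}
    k=${k%.aarch64}
    printf '%s %s\n' "${k%.*}" "${k##*.}"
}

# kmod_supported "<uname -r output>"  -> exit status 0 if listed, 1 otherwise
# -F: the dots in the kernel string are literal, not regex wildcards;
# -x: the whole line must match, so 6.6.6-200 fc39 does not match 6.6.6-2000.
kmod_supported() {
    want=$(kernel_base "$1")
    printf '%s\n' "$KMOD_SUPPORTED" | grep -qxF "$want"
}

# Typical use on the target host, before insmod/modprobe of the LiME module:
#   kmod_supported "$(uname -r)" || { echo "no module for $(uname -r)" >&2; exit 1; }
```

The check keys on both the kernel version-release and the distribution tag, because 6.6.6-200 for FC39 and 6.6.6-100 for FC38 are different builds even though the upstream kernel version is the same.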
December 6, 2023:
The following changes have been made:
vleapp-2.0.0-6.{fc36,fc37,fc38,fc39,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-6.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
This release is patched as of 2023-11-30.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
libfsext{,-devel,-python3,-tools}-20231129-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsext{,-devel,-python36,-tools}-20231129-1.el7.x86_64.rpm, and libfsext{,-devel,-python3,-tools}-20231129-1.el9.{aarch64,x86_64}.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libsigscan{,-devel,-python3,-tools}-20231201-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libsigscan{,-devel,-python36,-tools}-20231201-1.el7.x86_64.rpm, and libsigscan{,-devel,-python3,-tools}-20231201-1.el9.{x86_64,aarch64}.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libfwsi{,-devel,-python3}-20231130-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfwsi{,-devel,-python36}-20231130-1.el7.x86_64.rpm, and libfwsi{,-devel,-python3}-20231130-1.el9.{x86_64,aarch64}.rpm -
Libfwsi is a library to access the Windows Shell Item format.
libmsiecf{,-devel,-python3,-tools}-20231203-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libmsiecf{,-devel,-python36,-tools}-20231203-1.el7.x86_64.rpm, and libmsiecf{,-devel,-python3,-tools}-20231203-1.el9.{x86_64,aarch64}.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python3,-tools}-20231203-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libolecf{,-devel,-python36,-tools}-20231203-1.el7.x86_64.rpm, and libolecf{,-devel,-python3,-tools}-20231203-1.el9.{x86_64,aarch64}.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libscca{,-devel,-python3,-tools}-20231203-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libscca{,-devel,-python36,-tools}-20231203-1.el7.x86_64.rpm, and libscca{,-devel,-python3,-tools}-20231203-1.el9.{x86_64,aarch64}.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libregf{,-devel,-python3,-tools}-20231203-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libregf{,-devel,-python36,-tools}-20231203-1.el7.x86_64.rpm, and libregf{,-devel,-python3,-tools}-20231203-1.el9.{x86_64,aarch64}.rpm -
Libregf contains libraries and tools to access the Windows Registry File files.
libwrc{,-devel,-python3,-tools}-20231202-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libwrc{,-devel,-python36,-tools}-20231202-1.el7.x86_64.rpm, and libwrc{,-devel,-python3,-tools}-20231202-1.el9.{x86_64,aarch64}.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
libbde{,-devel,-python3,-tools}-20231205-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libbde{,-devel,-python36,-tools}-20231205-1.el7.x86_64.rpm, and libbde{,-devel,-python3,-tools}-20231205-1.el9.{x86_64,aarch64}.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libvsbsdl{,-devel,-python3,-static,-tools}-20231204-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvsbsdl{,-devel,-python36,-static,-tools}-20231204-1.el7.x86_64.rpm, and libvsbsdl{,-devel,-python3,-static,-tools}-20231204-1.el9.{x86_64,aarch64}.rpm -
libvsbsdl is a library to access the BSD disk label volume system format.
libluksde{,-devel,-python3,-tools}-20231204-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libluksde{,-devel,-python36,-tools}-20231204-1.el7.x86_64.rpm, and libluksde{,-devel,-python3,-tools}-20231204-1.el9.{x86_64,aarch64}.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libnk2{,-devel,-python3,-tools}-20231205-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libnk2{,-devel,-python36,-tools}-20231205-1.el7.x86_64.rpm, and libnk2{,-devel,-python3,-tools}-20231205-1.el9.{x86_64,aarch64}.rpm -
Libnk2 is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
python3-dfdatetime-20231205-1.{fc37,fc38,fc39}.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
dfwinreg-20231205-1.{fc37,fc38,fc39}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
snort-3.1.76.0-1.{fc36,fc37,fc38,fc39,el8}.x86_64.rpm and snort-3.1.76.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
libpff{,-devel,-python3,-tools}-20231205-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libpff{,-devel,-python36,-tools}-20231205-1.el7.x86_64.rpm, and libpff{,-devel,-python3,-tools}-20231205-1.el9.{x86_64,aarch64}.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
libfwevt{,-devel,-python3,-static}-20231119-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfwevt{,-devel,-static,-python3}-20231119-1.el9.{x86_64,aarch64}.rpm, and libfwevt{,-devel,-python36,-static}-20231119-1.el7.x86_64.rpm -
Libfwevt is a library for Windows XML Event Log (EVTX) data types.
Note: this is a library only - there are no tools provided by these packages.
libexe{,-devel,-python3,-tools}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libexe{,-devel,-python36,-tools}-20231120-1.el7.x86_64.rpm, and libexe{,-devel,-python3,-tools}-20231120-1.el9.{x86_64,aarch64}.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libfcrypto{,-devel,-python3,-static}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfcrypto{,-devel,-python36,-static}-20231120-1.el7.x86_64.rpm, and libfcrypto{,-devel,-python3,-static}-20231120-1.el9.{x86_64,aarch64}.rpm -
Libfcrypto is a library for encryption formats.
python3-dfvfs-20231205-1.{fc37,fc38,fc39}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
pfring-8.7.0-8708.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8708-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4497.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc39-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.3-200 for FC39
fmem-kernel-modules-fc39-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.3-200 for FC39
lime-kernel-modules-fc38-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.3-100 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.3-100 for FC38
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-390 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-390 for EL9
November 29, 2023:
The following changes have been made:
libcaes{,-devel,-python3,-static}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libcaes{,-devel,-python36,-static}-20231120-1.el7.x86_64.rpm, and libcaes{,-devel,-python3,-static}-20231120-1.el9.{x86_64,aarch64}.rpm -
libcaes is a library to support cross-platform AES encryption.
libvmdk{,-devel,-python3,-tools}-20231123-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvmdk{,-devel,-python36,-tools}-20231123-1.el7.x86_64.rpm, and libvmdk{,-devel,-python3,-tools}-20231123-1.el9.{x86_64,aarch64}.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libvsapm{,-devel,-python3,-static,-tools}-20231123-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvsapm{,-devel,-python36,-static,-tools}-20231123-1.el7.x86_64.rpm, and libvsapm{,-devel,-python3,-static,-tools}-20231123-1.el9.{x86_64,aarch64}.rpm -
libvsapm is a library to access the Apple Partition Map (APM) volume system format.
libmodi{,-devel,-python3,-tools}-20231123-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libmodi{,-devel,-python36,-tools}-20231123-1.el7.x86_64.rpm, and libmodi{,-devel,-python3,-tools}-20231123-1.el9.{x86_64,aarch64}.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libfwnt{,-devel,-python3}-20231124-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfwnt{,-devel,-python36}-20231124-1.el7.x86_64.rpm, and libfwnt{,-devel,-python3}-20231124-1.el9.{x86_64,aarch64}.rpm -
LibFWNT is a library for Windows NT data types.
libcreg{,-devel,-python3,-tools}-20231123-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libcreg{,-devel,-python36,-tools}-20231123-1.el7.x86_64.rpm, and libcreg{,-devel,-python3,-tools}-20231123-1.el9.{x86_64,aarch64}.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libfsxfs{,-devel,-python3,-static,-tools}-20231124-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsxfs{,-devel,-python36,-static,-tools}-20231124-1.el7.x86_64.rpm, and libfsxfs{,-devel,-python3,-static,-tools}-20231124-1.el9.{aarch64,x86_64}.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
libfshfs{,-devel,-python3,-tools}-20231125-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfshfs{,-devel,-python36,-tools}-20231125-1.el7.x86_64.rpm, and libfshfs{,-devel,-python3,-tools}-20231125-1.el9.{aarch64,x86_64}.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
libfsntfs{,-devel,-python3,-tools}-20231125-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsntfs{,-devel,-python36,-tools}-20231125-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3,-tools}-20231125-1.el9.{x86_64,aarch64}.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libqcow{,-devel,-python3,-tools}-20231125-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libqcow{,-devel,-python36,-tools}-20231125-1.el7.x86_64.rpm, and libqcow{,-devel,-python3,-tools}-20231125-1.el9.{x86_64,aarch64}.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libvhdi{,-devel,-python3,-tools}-20231127-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvhdi{,-devel,-python36,-tools}-20231127-1.el7.x86_64.rpm, and libvhdi{,-devel,-python3,-tools}-20231127-1.el9.{x86_64,aarch64}.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libsmraw{,-devel,-python3,-tools}-20231127-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libsmraw{,-devel,-python36,-tools}-20231127-1.el7.x86_64.rpm, and libsmraw{,-devel,-python3,-tools}-20231127-1.el9.{x86_64,aarch64}.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libhmac{,-devel,-python3,-static,-tools}-20231127-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libhmac{,-devel,-python36,-static,-tools}-20231127-1.el7.x86_64.rpm, and libhmac{,-devel,-python3,-static,-tools}-20231127-1.el9.{x86_64,aarch64}.rpm -
Libhmac is a library to support various Hash-based Message Authentication Codes (HMAC).
opensearch-py-2.4.2-1.{fc36,fc37,fc38,fc39,el7,el8,el9,amzn2}.noarch.rpm -
OpenSearch-PY is a Python client for OpenSearch.
libfwps{,-devel,-python3}-20231126-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfwps{,-devel,-python36}-20231126-1.el7.x86_64.rpm, and libfwps{,-devel,-python3}-20231126-1.el9.{x86_64,aarch64}.rpm -
LibFWPS is a library for Windows Property Store data types.
libfvde{,-devel,-python3,-tools}-20231128-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfvde{,-devel,-python3,-tools}-20231128-1.el9.{aarch64,x86_64}.rpm, and libfvde{,-devel,-python36,-tools}-20231128-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
libvshadow{,-devel,-python3,-tools}-20231128-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvshadow{,-devel,-python36,-tools}-20231128-1.el7.x86_64.rpm, and libvshadow{,-devel,-python3,-tools}-20231128-1.el9.{x86_64,aarch64}.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
libphdi{,-devel,-python3,-tools}-20231129-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libphdi{,-devel,-python36,-tools}-20231129-1.el7.x86_64.rpm, and libphdi{,-devel,-python3,-tools}-20231129-1.el9.{x86_64,aarch64}.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
libluksde{,-devel,-python3,-tools}-20231128-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libluksde{,-devel,-python36,-tools}-20231128-1.el7.x86_64.rpm, and libluksde{,-devel,-python3,-tools}-20231128-1.el9.{x86_64,aarch64}.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libsmdev{,-devel,-python3,-tools}-20231128-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libsmdev{,-devel,-python36,-tools}-20231128-1.el7.x86_64.rpm, and libsmdev{,-devel,-python3,-tools}-20231128-1.el9.{x86_64,aarch64}.rpm -
Libsmdev is a library and tools used to access storage media devices.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-1.{fc36,fc37,fc38,fc39,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-1.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-2.{fc36,fc37,fc38,fc39,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-2.el9.{x86_64,aarch64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-101.{fc36,fc37,fc38,fc39,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.1-101.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
pfring-8.7.0-8691.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8691-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4482.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc39-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.2-201 for FC39
fmem-kernel-modules-fc39-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.2-201 for FC39
lime-kernel-modules-fc38-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
6.6.2-101 for FC38
6.5.12-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
6.6.2-101 for FC38
6.5.12-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.12-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.12-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-388 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-388 for EL9
November 22, 2023:
The following changes have been made:
vleapp-2.0.0-5.{fc36,fc37,fc38,fc39,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-5.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
This release is patched as of 2023-11-16.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
libfsntfs{,-devel,-python3,-tools}-20231119-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsntfs{,-devel,-python36,-tools}-20231119-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3,-tools}-20231119-1.el9.{x86_64,aarch64}.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libbde{,-devel,-python3,-tools}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libbde{,-devel,-python36,-tools}-20231120-1.el7.x86_64.rpm, and libbde{,-devel,-python3,-tools}-20231120-1.el9.{x86_64,aarch64}.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libesedb{,-devel,-python3,-tools}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libesedb{,-devel,-python36,-tools}-20231120-1.el7.x86_64.rpm, and libesedb{,-devel,-python3,-tools}-20231120-1.el9.{x86_64,aarch64}.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
liblnk{,-devel,-python3,-tools}-20231120-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, liblnk{,-devel,-python36,-tools}-20231120-1.el7.x86_64.rpm, and liblnk{,-devel,-python3,-tools}-20231120-1.el9.{x86_64,aarch64}.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libevt{,-devel,-python3,-tools}-20231121-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libevt{,-devel,-python36,-tools}-20231121-1.el7.x86_64.rpm, and libevt{,-devel,-python3,-tools}-20231121-1.el9.{x86_64,aarch64}.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python3,-tools}-20231121-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libevtx{,-devel,-python36,-tools}-20231121-1.el7.x86_64.rpm, and libevtx{,-devel,-python3,-tools}-20231121-1.el9.{aarch64,x86_64}.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libvslvm{,-devel,-python3,-tools}-20231122-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvslvm{,-devel,-python36,-tools}-20231122-1.el7.x86_64.rpm, and libvslvm{,-devel,-python3,-tools}-20231122-1.el9.{x86_64,aarch64}.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libvsgpt{,-devel,-python3,-tools}-20231122-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libvsgpt{,-devel,-python3,-tools}-20231122-1.el9.{x86_64,aarch64}.rpm, and libvsgpt{,-devel,-python36,-tools}-20231122-1.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
libfsapfs{,-devel,-python3,-tools}-20231122-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsapfs{,-devel,-python3,-tools}-20231122-1.el9.{x86_64,aarch64}.rpm, and libfsapfs{,-devel,-python36,-tools}-20231122-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libfsfat{,-devel,-python3,-tools}-20231122-1.{fc36,fc37,fc38,fc39,el8,amzn2}.x86_64.rpm, libfsfat{,-devel,-python36,-tools}-20231122-1.el7.x86_64.rpm, and libfsfat{,-devel,-python3,-tools}-20231122-1.el9.{aarch64,x86_64}.rpm -
Libfsfat is a library and tools to access the File Allocation Table (FAT) file system format.
snort-3.1.75.0-1.{fc36,fc37,fc38,fc39,el8}.x86_64.rpm and snort-3.1.75.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
pfring-8.7.0-8676.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8676-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4468.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc39-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.12-200 for FC39
fmem-kernel-modules-fc39-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.12-200 for FC39
lime-kernel-modules-fc38-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.11-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.11-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.11-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.11-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-386 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-386 for EL9
November 15, 2023:
The following changes have been made:
daq{,-devel,-modules}-3.0.13-1.{fc36,fc37,fc38,el8}.x86_64.rpm and daq{,-devel,-modules}-3.0.13-1.el9.{aarch64,x86_64}.rpm -
The Data Acquisition Library (DAQ) is a library used by Snort.
snort-3.1.74.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.74.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
VeraCrypt-1.26.7-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and VeraCrypt-1.26.7-1.el9.{aarch64,x86_64}.rpm -
VeraCrypt is free, open-source disk encryption software for Windows, Mac OS X and Linux.
libfsapfs{,-devel,-python3,-tools}-20231115-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libfsapfs{,-devel,-python3,-tools}-20231115-1.el9.{x86_64,aarch64}.rpm, and libfsapfs{,-devel,-python36,-tools}-20231115-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
pfring-8.7.0-8665.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8665-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4465.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.10-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.10-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.10-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.10-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-34.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-383 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-383 for EL9
fmem-kernel-modules-1.6-1.28.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 39 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-28.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 39 x86_64 architecture was added.
Fedora 39 - The repository now supports Fedora 39 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 39:
November 8, 2023:
The following changes have been made:
libregf{,-devel,-python3,-tools}-20231029-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libregf{,-devel,-python3,-tools}-20231029-1.el9.{x86_64,aarch64}.rpm, and libregf{,-devel,-python36,-tools}-20231029-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows Registry File files.
libcreg{,-devel,-python3,-tools}-20231029-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libcreg{,-devel,-python3,-tools}-20231029-1.el9.{x86_64,aarch64}.rpm, and libcreg{,-devel,-python36,-tools}-20231029-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
snort-3.1.73.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.73.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.2-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, libbroker-devel-6.0.2-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.2-1.el9.{x86_64,aarch64}.rpm, libbroker-devel-6.0.2-1.el9.{x86_64,aarch64}.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
libbde{,-devel,-python3,-tools}-20231106-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libbde{,-devel,-python3,-tools}-20231106-1.el9.{x86_64,aarch64}.rpm, and libbde{,-devel,-python36,-tools}-20231106-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
pfring-8.7.0-{8640,8654}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.{8640,8654}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-{4450,4459}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.9-200 for FC38
6.5.8-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.9-200 for FC38
6.5.8-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.8-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.8-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-33.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-381 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-381 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-46.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-521 for EL8
4.18.0-519 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.46.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-521 for EL8
4.18.0-519 for EL8
October 25, 2023:
The following changes have been made:
bellsoft-jdk17.0.9+11-linux-{amd64,aarch64}-full.rpm -
Bellsoft Java was installed for Fedora 36, 37, and 38, CentOS/RHEL 7 and 8 Stream, and Amazon Linux 2 for the x86_64 architecture,
and the CentOS 9 Stream repositories for the x86_64 and aarch64 architectures.
vleapp-2.0.0-4.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-4.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
This release is patched as of 2023-10-19.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
libfplist{,-devel}-20231023-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and libfplist{,-devel}-20231023-1.el9.{x86_64,aarch64}.rpm -
Libfplist is a library for plist formats. Note: this is a library only - there are no tools provided by these packages.
pfring-8.7.0-8609.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8609-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.9.0-4428.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-378 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-378 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-45.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-518 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.45.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-518 for EL8
lime-kernel-modules-el7-x86_64-1.9.1-93.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.102.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.93.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.102.1 for EL7
October 18, 2023:
The following changes have been made:
vleapp-2.0.0-3.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-3.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
This release is patched as of 2023-10-12.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
snort-3.1.72.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.72.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
pfring-8.7.0-8581.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8581-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4418.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.7-200 for FC38
fmem-kernel-modules-fc37-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.7-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-31.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-375 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-375 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-44.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-517 for EL8
4.18.0-516 for EL8
4.18.0-514 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.44.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-517 for EL8
4.18.0-516 for EL8
4.18.0-514 for EL8
October 11, 2023:
The following changes have been made:
python3-pyfixbuf-0.9.0-3.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, python36-pyfixbuf-0.9.0-3.el7.x86_64.rpm, and python3-pyfixbuf-0.9.0-3.el9.{aarch64,x86_64}.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building IPFIX collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
This release fixes a permissions problem with some of the directories.
python3-pyfixbuf-0.9.0-4.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, python36-pyfixbuf-0.9.0-4.el7.x86_64.rpm, and python3-pyfixbuf-0.9.0-4.el9.{aarch64,x86_64}.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building IPFIX collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
This release fixes a permissions problem with some of the directories.
acr-2.1.1-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm -
ACR tries to replace autoconf functionality by generating a fully compatible 'configure' script (runtime flags).
This release fixes a permissions problem with some of the directories.
analyzeMFT-3.0.1-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and analyzeMFT-3.0.1-2.el9.{x86_64,aarch64}.rpm -
AnalyzeMFT is a tool that fully parses
the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
See here for the changes since the previously installed version 2.0.19.1.
This release fixes a permissions problem with some of the directories.
winevtrc-20220106-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and winevtrc-20220106-2.el9.{x86_64,aarch64}.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
Note that this package also provides winevt-kb.
This release fixes a permissions problem with some of the directories.
winregrc-20230205-2.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm and winregrc-20230205-2.el9.{x86_64,aarch64}.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is the Python module part of winreg-kb to allow reuse of Windows Registry resources.
This release fixes a permissions problem with some of the directories.
python-registry-1.2.0-2.{el7,el8,amzn2}.x86_64.rpm -
Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry.
This release fixes a permissions problem with some of the directories.
Volatility-2.6.1-7.{el7,el8}.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to May 14, 2021.
You can read about this version here.
This release fixes a permissions problem with some of the directories.
python-apsw-3.19.3-2.el7.x86_64.rpm -
Python-apsw is a Python wrapper for the SQLite embedded relational database engine.
In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
This release fixes a permissions problem with some of the directories.
pytsk3-20231007-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm and pytsk3-20231007-1.el9.{x86_64,aarch64}.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
vleapp-2.0.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-2.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
pfring-8.7.0-8553.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8553-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4409.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.6-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.6-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.6-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.6-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-30.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-373 for EL9
5.14.0-372 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-373 for EL9
5.14.0-372 for EL9
October 4, 2023:
The following changes have been made:
Volatility3-2.5.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and Volatility3-2.5.0-2.el9.{aarch64,x86_64}.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This is the official release of version 2.5.0.
vleapp-2.0.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and vleapp-2.0.0-1.el9.{aarch64,x86_64}.rpm -
vleapp is a Vehicle Logs Events And Protobuf Parser application.
Both the command line version (vleapp) and the GUI version (vleappGUI) are included in this package.
Note that vleapp is not part of the CERT-Forensics-Tools metapackage so it must be installed manually.
ghidra-10.4-PUBLIC_20230928.1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and ghidra-10.4-PUBLIC_20230928.1.el9.{x86_64,aarch64}.rpm -
Ghidra
is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements
here.
Please note that this version preserves the file permissions assigned by the NSA which means that the decompiler provided with Ghidra is now executable and works.
We regret the inconvenience this caused in previous releases.
libcreg{,-devel,-python3,-tools}-20230930-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libcreg{,-devel,-python3,-tools}-20230930-1.el9.{x86_64,aarch64}.rpm, and libcreg{,-devel,-python36,-tools}-20230930-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
liblnk{,-devel,-python3,-tools}-20230928-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, liblnk{,-devel,-python3,-tools}-20230928-1.el9.{x86_64,aarch64}.rpm, and liblnk{,-devel,-python36,-tools}-20230928-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
avml-0.13.0-1.{fc36,fc37,fc38,el9}.x86_64.rpm -
AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with
Volatility 2 or Volatility 3 once the appropriate profiles
CERT-Forensics-Tools-1.0-105.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and CERT-Forensics-Tools-1.0-105.el9.{aarch64,x86_64}.rpm -
The following tools were added:
libguestfs - library for accessing and modifying virtual machine disk images.
libguestfs-tools - the guestfish interactive shell and various virtualization tools
libguestfs-forensics - adds filesystem forensics support to libguestfs (Not CentOS 7, 8, or 9 and Amazon Linux 2)
libguestfs-gfs2 - adds GFS2 support to libguestfs (Not CentOS 9)
libguestfs-hfsplus - adds HFS+ support to libguestfs (Not CentOS 7, 8, or 9 and Amazon Linux 2)
libguestfs-inspect-icons - pull icons out of non-Linux guests
libguestfs-rescue - adds the virt-rescue shell which is a "rescue disk" for virtual machines, and additional tools to use inside the shell such as ssh,
network utilities, editors and debugging utilities
libguestfs-rsync - adds rsync support to libguestfs
libguestfs-ufs - adds UFS support to libguestfs (Not CentOS 7, 8, or 9 and Amazon Linux 2)
libguestfs-xfs - adds XFS support to libguestfs
libguestfs-zfs - adds ZFS support to libguestfs (Not CentOS 7, 8, or 9 and Amazon Linux 2)
pfring-8.7.0-8538.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8538-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4403.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-29.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-370 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-370 for EL9
lime-kernel-modules-el7-x86_64-1.9.1-92.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.99.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.92.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.99.1 for EL7
September 27, 2023:
The following changes have been made:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-1.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
analysis-pipeline-5.11.4-7.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-7.el9.{x86_64,aarch64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt for silk 3.22.0.
super_mediator-1.9.1-3.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and super_mediator-1.9.1-3.el9.{x86_64,aarch64}.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for the list of changes.
This package was rebuilt to use silk 3.22.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-2.el9.{x86_64,aarch64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-101.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.22.0-101.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
analysis-pipeline-5.11.4-8.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-8.el9.{aarch64,x86_64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha2 and silk 3.22.0.
Please address any comments on these packages to netsa-help@cert.org.
libcreg{,-devel,-python3,-tools}-20230923-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libcreg{,-devel,-python3,-tools}-20230923-1.el9.{x86_64,aarch64}.rpm, and libcreg{,-devel,-python36,-tools}-20230923-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
snort-3.1.71.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.71.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
pfring-8.7.0-8524.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8524-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4400.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.5-200 for FC38
6.4.15-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.5-200 for FC38
6.4.15-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
6.5.5-100 for FC37
6.4.15-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
6.5.5-100 for FC37
6.4.15-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-28.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-368 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-368 for EL9
September 20, 2023:
The following changes have been made:
pfring-8.7.0-8521.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.7.0.8521-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4399.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-366 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-366 for EL9
September 13, 2023:
The following changes have been made:
snort-3.1.70.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.70.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.1-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, libbroker-devel-6.0.1-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.1-1.el9.{x86_64,aarch64}.rpm, libbroker-devel-6.0.1-1.el9.{x86_64,aarch64}.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-8.7.0-8509.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-dkms-8.7.0.8509-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 7 for the x86_64 architecture.
ndpi-4.7.0-4389.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-8.7.0-8510.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
pfring-dkms-8.7.0.8510-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
ndpi-4.7.0-4390.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
lime-kernel-modules-fc38-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.14-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.14-200 for FC38
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-362 for EL9
5.14.0-364 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-362 for EL9
5.14.0-364 for EL9
September 6, 2023:
The following changes have been made:
bellsoft-jdk17.0.8.1+1-linux-{amd64,aarch64}-full.rpm -
Bellsoft Java was installed for Fedora 36, 37, and 38, CentOS/RHEL 7 and 8 Stream, and Amazon Linux 2 for the x86_64 architecture,
and the CentOS 9 Stream repositories for the x86_64 and aarch64 architectures.
sleuthkit{,-devel,-libs}-4.12.1-100.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and sleuthkit{,-devel,-libs}-4.12.1-100.el9.{x86_64,aarch64}.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
autopsy-4.21.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and autopsy-4.21.0-1.el9.{x86_64,aarch64}.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This release corrects errors in the /usr/bin/autopsy script where the hardware platform was incorrectly determined.
This release fixes a problem with the Java JAR file from the Sleuthkit for the AARCH64 hardware platform. This means that autopsy does work in CentOS 9 for the AARCH64 architecture.
If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
pfring-8.7.0-8483.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-dkms-8.7.0.8483-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 7 for the x86_64 architecture.
ndpi-4.7.0-4368.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-8.7.0-8487.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
pfring-dkms-8.7.0.8487-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
ndpi-4.7.0-4372.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
lime-kernel-modules-fc38-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.13-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.13-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.13-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.13-100 for FC37
lime-kernel-modules-el8-x86_64-1.9.1-43.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-513 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.43.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-513 for EL8
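The LiME and Fmem kernel-module packages listed throughout this changelog are built for specific kernel builds, so before relying on either tool for a live memory acquisition it is worth confirming that the running kernel is one of the builds a package supports. The following shell snippet is an added example and is not part of this changelog or of the LiME/Fmem packaging: it converts a "uname -r" release string into the "version-build for DIST" form used in the entries above and checks it against a list of supported kernels. The list of kernels is constructed here for illustration and the function names are the example's own; the module file names the packages install are not described on this page, so the check stops at the kernel match.

```shell
#!/bin/sh
# Added example (not from the CERT Forensics Tools changelog or the LiME/Fmem
# packages): map the running kernel release to the "<version>-<build> for <DIST>"
# form used in the lime-kernel-modules / fmem-kernel-modules entries and check
# whether a packaged module exists for it before attempting an acquisition.

# Constructed list for illustration; copy the entries for your distribution
# from the changelog into this variable, one per line.
SUPPORTED_KERNELS="6.4.13-200 for FC38
6.4.13-100 for FC37
4.18.0-513 for EL8
5.14.0-361 for EL9
3.10.0-1160.95.1 for EL7"

# kernel_key RELEASE
# Prints e.g. "6.4.13-200 for FC38" for "6.4.13-200.fc38.x86_64" and
# "3.10.0-1160.95.1 for EL7" for "3.10.0-1160.95.1.el7.x86_64".
# Returns 1 when the release carries no fcNN/elN distribution tag.
kernel_key() {
    kk_rel="$1"
    # version-build is everything before the first ".fcNN" or ".elN" tag
    kk_verbuild=$(printf '%s' "$kk_rel" | sed -E 's/\.(fc[0-9]+|el[0-9]+).*$//')
    # the distribution tag itself, e.g. fc38 or el8
    kk_tag=$(printf '%s' "$kk_rel" | sed -nE 's/^.*\.(fc[0-9]+|el[0-9]+).*$/\1/p')
    [ -n "$kk_tag" ] || return 1
    printf '%s for %s\n' "$kk_verbuild" "$(printf '%s' "$kk_tag" | tr 'a-z' 'A-Z')"
}

# kernel_supported RELEASE
# Exit status 0 when the release maps to a line in SUPPORTED_KERNELS.
# -x requires a whole-line match, -F treats the key as a fixed string.
kernel_supported() {
    ks_key=$(kernel_key "$1") || return 1
    printf '%s\n' "$SUPPORTED_KERNELS" | grep -qxF "$ks_key"
}

# check_running_kernel
# Report whether the kernel this host is booted into is covered.
check_running_kernel() {
    cr_rel=$(uname -r)
    if kernel_supported "$cr_rel"; then
        printf 'kernel %s (%s) is in the supported list\n' "$cr_rel" "$(kernel_key "$cr_rel")"
    else
        printf 'kernel %s is NOT in the supported list; do not expect a matching LiME/Fmem module\n' "$cr_rel" >&2
        return 1
    fi
}

# Run the live check only when invoked with --check, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
fi
```

Run it as "sh check-kernel.sh --check" on the target before loading LiME or Fmem. A RHEL release such as 4.18.0-513.5.1.el8_9.x86_64 deliberately does not match the CentOS Stream entry 4.18.0-513 for EL8, because the modules are built against the exact build the changelog names.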
August 30, 2023:
The following changes have been made:
Volatility3-windows-symbols-20230821-2.noarch.rpm -
Volatility 3 Windows symbols and Volatility 3 Windows symbols from JPCERT.
This package consists of both of these sets of Windows symbols combined.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
Please note that the correct way to install this package is the following:
sudo rpm -ev Volatility3-windows-symbols --nodeps
sudo dnf install Volatility3-windows-symbols --refresh -y
Volatility3-linux-symbols-20191016-3.noarch.rpm -
Volatility 3 Linux symbols is a package that contains kernel symbol table information for some versions of the Linux kernel.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
The change made in this package is to remove files that are no longer needed after installation and after package removal.
Please note that the correct way to install this package is the following:
sudo rpm -ev Volatility3-linux-symbols --nodeps
sudo dnf install Volatility3-linux-symbols --refresh -y
Volatility3-mac-symbols-20200601-3.noarch.rpm -
Volatility 3 Mac symbols is a package that contains kernel symbol table information for some versions of Mac OS.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
The change made in this package is to remove files that are no longer needed after installation and after package removal.
Please note that the correct way to install this package is the following:
sudo rpm -ev Volatility3-mac-symbols --nodeps
sudo dnf install Volatility3-mac-symbols --refresh -y
snort-3.1.69.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.69.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
ghidra-10.3.3-PUBLIC_20230829.1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and ghidra-10.3.3-PUBLIC_20230829.1.el9.{x86_64,aarch64}.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms, including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
pfring-8.5.0-8460.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8460-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4354.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.12-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.12-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.12-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.12-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-25.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-361 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-361 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-42.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-512 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.42.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-512 for EL8
August 23, 2023:
The following changes have been made:
avml-0.12.0-1.{fc36,fc37,fc38,el9}.x86_64.rpm -
AVML is an x86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with Volatility 2 or Volatility 3 once the appropriate profiles have been created.
Volatility3-2.5.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and Volatility3-2.5.0-1.el9.{aarch64,x86_64}.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This release is current as of 2023-08-21.
Volatility3-windows-symbols-20230821-1.noarch.rpm -
Volatility 3 Windows symbols and Volatility 3 Windows symbols from JPCERT.
This package consists of both of these sets of Windows symbols combined.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
Volatility3-linux-symbols-20191016-2.noarch.rpm -
Volatility 3 Linux symbols is a package that contains kernel symbol table information for some versions of the Linux kernel.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
The change made in this package is to remove files that are no longer needed after installation and after package removal.
Volatility3-mac-symbols-20200601-2.noarch.rpm -
Volatility 3 Mac symbols is a package that contains kernel symbol table information for some versions of Mac OS.
This package is installed in the Fedora 36, 37, and 38, CentOS 7, 8 Stream and 9 Stream, and Amazon Linux 2 repositories for the x86_64 architecture and the CentOS 9 Stream repository for the aarch64 architecture.
The change made in this package is to remove files that are no longer needed after installation and after package removal.
pfring-8.5.0-8444.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8444-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4338.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.10-200 for FC38
6.4.11-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.10-200 for FC38
6.4.11-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.10-100 for FC37
6.4.11-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.10-100 for FC37
6.4.11-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-354 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-354 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-41.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-508 for EL8
4.18.0-509 for EL8
4.18.0-511 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.41.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-508 for EL8
4.18.0-509 for EL8
4.18.0-511 for EL8
August 16, 2023:
The following changes have been made:
zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.0-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, libbroker-devel-6.0.0-1.{fc36,fc37,fc38,el7,el8}.x86_64.rpm, zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-6.0.0-1.el9.{x86_64,aarch64}.rpm, libbroker-devel-6.0.0-1.el9.{x86_64,aarch64}.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-8.5.0-8442.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8442-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4337.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.9-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.9-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.9-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.9-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-352 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-352 for EL9
lime-kernel-modules-el7-x86_64-1.9.1-91.noarch.rpm -
Support for the following kernels, previously missed because of configuration errors, was added for LiME:
3.10.0-1160.95.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.91.noarch.rpm -
Support for the following kernels, previously missed because of configuration errors, was added for Fmem:
3.10.0-1160.95.1 for EL7
August 9, 2023:
The following changes have been made:
maryam-2.5.2.post2-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm and maryam-2.5.2.post2-1.el9.{x86_64,aarch64}.rpm -
OWASP Maryam is a modular, open-source framework for OSINT and data gathering.
Maryam is written in the Python programming language and has been designed to provide a powerful environment to harvest data from open sources and search engines and collect data quickly and thoroughly.
See here for documentation on the modules provided for Maryam.
Note that Maryam is not available for CentOS/RHEL 7 at this time.
pfring-8.5.0-8433.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8433-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4328.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.7-200 for FC38
6.4.8-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.7-200 for FC38
6.4.8-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.7-100 for FC37
6.4.8-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.7-100 for FC37
6.4.8-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-347 for EL9
5.14.0-350 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-347 for EL9
5.14.0-350 for EL9
August 2, 2023:
The following changes have been made:
libfsext{,-devel,-python3,-tools}-20230603-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libfsext{,-devel,-python3,-tools}-20230603-1.el9.{aarch64,x86_64}.rpm, and libfsext{,-devel,-python36,-tools}-20230603-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
dtfabric-20230520-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm and dtfabric-20230520-1.el9.{x86_64,aarch64}.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
dfimagetools-tools-20230526-1.{fc36,fc37,fc38,el8,el9,amzn2}.noarch.rpm and python3-dfimagetools-20230526-1.{fc36,fc37,fc38,el8,el9,amzn2}.noarch.rpm -
DFImageTools is a collection of tools to process storage media images.
python3-dfdatetime-20230506-1.{fc36,fc37,fc38,el8,el9,amzn2}.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
python3-acstore-20230519-1.{fc36,fc37,fc38,el8,el9,amzn2}.noarch.rpm -
ACStore is a library that provides a stand-alone implementation to read and write Attribute Container stores, such as Plaso storage files.
python3-dfvfs-20230531-1.{fc36,fc37,fc38,el8,el9,amzn2}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfsntfs{,-devel,-python3,-tools}-20230606-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libfsntfs{,-devel,-python3,-tools}-20230606-1.el9.{x86_64,aarch64}.rpm, and libfsntfs{,-devel,-python36,-tools}-20230606-1.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python3-artifacts-20230723-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, artifacts-data-20230723-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, python3-artifacts-20230723-1.el9.{x86_64,aarch64}.rpm, and artifacts-data-20230723-1.el9.{x86_64,aarch64}.rpm -
Artifacts is a free, community-sourced,
libfsapfs{,-devel,-python3,-tools}-20230617-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libfsapfs{,-devel,-python3,-tools}-20230617-1.el9.{x86_64,aarch64}.rpm, and libfsapfs{,-devel,-python36,-tools}-20230617-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libvsbsdl{,-devel,-python3,-static,-tools}-20230506-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libvsbsdl{,-devel,-python3,-static,-tools}-20230506-1.el9.{x86_64,aarch64}.rpm, and libvsbsdl{,-devel,-python36,-static,-tools}-20230506-1.el7.x86_64.rpm -
libvsbsdl is a library to access the BSD disk label volume system format.
libvsapm{,-devel,-python3,-static,-tools}-20230506-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libvsapm{,-devel,-python3,-static,-tools}-20230506-1.el9.{x86_64,aarch64}.rpm, and libvsapm{,-devel,-python36,-static,-tools}-20230506-1.el7.x86_64.rpm -
libvsapm is a library to access the Apple Partition Map (APM) volume system format.
libgzipf{,-devel,-python3,-static,-tools}-20230114-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libgzipf{,-devel,-python3,-static,-tools}-20230114-1.el9.{x86_64,aarch64}.rpm, and libgzipf{,-devel,-python36,-static,-tools}-20230114-1.el7.x86_64.rpm -
libgzipf is a library to access the GZIP file format.
libcaes{,-devel,-python3,-static}-20230406-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, libcaes{,-devel,-python3,-static}-20230406-1.el9.{x86_64,aarch64}.rpm, and libcaes{,-devel,-python36,-static}-20230406-1.el7.x86_64.rpm -
libcaes is a library to support cross-platform AES encryption.
plaso-20230717-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and plaso-20230717-1.el9.{x86_64,aarch64}.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
python3-certifi-2023.7.22-1.{el8,amzn2}.noarch.rpm and python36-certifi-2023.7.22-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
CERT-Forensics-Tools-1.0-104.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and CERT-Forensics-Tools-1.0-104.el9.{aarch64,x86_64}.rpm -
The following tools were added:
libvsbsdl-tools - tools to access the BSD disk label volume system format.
libvsapm-tools - tools to access the Apple Partition Map (APM) volume system format.
libgzipf-tools - tools to access the GZIP file format.
pfring-8.5.0-8415.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-dkms-8.5.0.8415-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 7 for the x86_64 architecture.
ndpi-4.7.0-4321.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 7 for the x86_64 architecture.
pfring-8.5.0-8418.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
pfring-dkms-8.5.0.8418-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
ndpi-4.7.0-4324.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
This package was installed for CentOS 8 Stream and 9 Stream for the x86_64 architecture.
snort-3.1.67.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.67.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
lime-kernel-modules-fc38-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.6-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.6-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.6-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.6-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-344 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-344 for EL9
July 26, 2023:
The following changes have been made:
snort-3.1.66.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.66.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
yaf{,-devel}-3.0.0.alpha3-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and yaf{,-devel}-3.0.0.alpha3-1.el9.{aarch64,x86_64}.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dump files as generated by tcpdump(1), or from live capture on an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7, 8, and 9 x86_64 systems, yaf has been built to use PF_Ring.
See here for the list of changes.
These packages are installed in the forensics-test repository.
Please address any comments on these packages to netsa-help@cert.org.
bellsoft-jdk8u382+6-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 36, 37, and 38, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2 for the x86_64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
bellsoft-jdk8u382+6-linux-aarch64.rpm -
Bellsoft Java was installed for CentOS/RHEL 9 for the aarch64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
autopsy-4.20.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and autopsy-4.20.0-2.el9.{x86_64,aarch64}.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This release corrects errors in the /usr/bin/autopsy script where the hardware platform was incorrectly determined.
This release fixes a problem with the Java JAR file from The Sleuth Kit for the aarch64 hardware platform, so Autopsy now works on CentOS 9 for the aarch64 architecture.
If you wish to run Autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install and enable xrdp (the RDP server on the Linux host) if it is not already present, set the color depth parameter, and start or restart xrdp. Also adjust the host's firewall to allow RDP connections (TCP port 3389) if that port is not already open:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
pfring-8.5.0-{8401,8410}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.{8401,8410}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-{4311,4318}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.4-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.4-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
6.4.4-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
6.4.4-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-340 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-340 for EL9
July 12, 2023:
The following changes have been made:
fakenet-3.0a-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and fakenet-3.0a-1.el9.{x86_64,aarch64}.rpm -
FakeNet-NG is a next-generation dynamic network analysis tool for malware analysts and penetration testers.
It is open source and designed for the latest versions of Windows (and Linux, for certain modes of operation).
FakeNet-NG is based on the excellent Fakenet tool developed by Andrew Honig and Michael Sikorski.
The tool allows you to intercept and redirect all or specific network traffic while simulating legitimate network services.
Using FakeNet-NG, malware analysts can quickly identify malware's functionality and capture network signatures.
Penetration testers and bug hunters will find FakeNet-NG's configurable interception engine and modular framework highly useful when testing an application's specific functionality and prototyping PoCs.
ghidra-10.3.2-PUBLIC_20230711.1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and ghidra-10.3.2-PUBLIC_20230711.1.el9.{x86_64,aarch64}.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms, including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
pfring-8.5.0-8381.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8381-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4291.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels were added for LiME:
6.3.12-200 for FC38
6.3.11-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels were added for Fmem:
6.3.12-200 for FC38
6.3.11-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.12-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.12-100 for FC37
lime-kernel-modules-el8-x86_64-1.9.1-40.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-500 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-500 for EL8
July 5, 2023:
The following changes have been made:
snort-3.1.65.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.65.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.5.0-8373.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8373-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4284.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-333 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-333 for EL9
June 28, 2023:
The following changes have been made:
maryam-2.5.2-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm and maryam-2.5.2-1.el9.{x86_64,aarch64}.rpm -
OWASP Maryam is a modular/optional open-source framework based on OSINT and data gathering.
Maryam is written in the Python programming language and has been designed to provide a powerful environment to harvest data from open sources and search engines and collect data quickly and thoroughly.
See here for documentation on the modules provided for Maryam.
Note that Maryam is not available for CentOS/RHEL 7 at this time.
avml-0.11.4-1.{fc36,fc37,fc38}.x86_64.rpm and avml-0.11.4-1.el9.{x86_64,aarch64}.rpm -
AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with Volatility 2 or Volatility 3 once the appropriate profiles have been created.
libpst{,-devel,-devel-doc,-doc,-libs}-0.6.72-4.{el7,el8}.x86_64.rpm, python3-libpst-0.6.72-4.el8.x86_64.rpm, and python36-libpst-0.6.72-4.el7.x86_64.rpm -
The libpst utilities convert Outlook .pst files to other formats.
See here for the list of changes.
python{2,36}-ssdeep-3.2-1.el7.x86_64.rpm -
Python-SSDeep is a Python wrapper for SSDeep fuzzy hashing library.
This package was built to support the packaging of Volatility-community-plugins.
yaf{,-devel}-2.14.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and yaf{,-devel}-2.14.0-1.el9.{x86_64,aarch64}.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7, 8, and 9 for the x86_64 architecture, yaf has been built to use PF_Ring.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-1.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
analysis-pipeline-5.11.4-5.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-5.el9.{x86_64,aarch64}.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt for silk 3.21.0.
prism-1.2-10.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.21.0.
super_mediator-1.9.1-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and super_mediator-1.9.1-2.el9.{x86_64,aarch64}.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
See here for the list of changes.
This package was rebuilt to use silk 3.21.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-2.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-2.el9.{x86_64,aarch64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-101.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.21.0-101.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
analysis-pipeline-5.11.4-6.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-6.el9.{aarch64,x86_64}.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha2 and silk 3.21.0.
Please address any comments on these packages to netsa-help@cert.org.
pfring-8.5.0-8365.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8365-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4280.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-331 for EL9
5.14.0-330 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-331 for EL9
5.14.0-330 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-39.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-499 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-499 for EL8
lime-kernel-modules-el7-x86_64-1.9.1-90.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.92.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.90.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.92.1 for EL7
June 21, 2023:
The following changes have been made:
ghidra-10.3.1-PUBLIC_20230614.1.{fc36,fc37,fc38,el7,el8,amzn2}.x86_64.rpm and ghidra-10.3.1-PUBLIC_20230614.1.el9.{x86_64,aarch64}.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
daq{,-devel,-modules}-3.0.12-1.{fc36,fc37,fc38,el8}.x86_64.rpm and daq{,-devel,-modules}-3.0.12-1.el9.{aarch64,x86_64}.rpm -
The Data Acquisition Library (DAQ) is a library used by Snort.
snort-3.1.64.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.64.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.5.0-8343.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8343-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4265.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.8-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.8-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.8-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.8-100 for FC37
lime-kernel-modules-el8-x86_64-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-497 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-497 for EL8
June 14, 2023:
The following changes have been made:
unrar-6.2.2-1.{fc36,fc37,fc38,el8,el9,amzn2}.x86_64.rpm -
Unrar is a powerful archive manager.
It can back up your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from the Internet, and create new archives in the RAR and ZIP file formats.
See here for a list of changes in this version.
rar-6.2.2-1.{fc36,fc37,fc38,el8,el9,amzn2}.x86_64.rpm -
Rar is a powerful archive manager.
It can back up your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from the Internet, and create new archives in the RAR and ZIP file formats.
See here for a list of changes in this version.
python3-artifacts-20230413-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, artifacts-data-20230413-1.{fc36,fc37,fc38,el8,amzn2}.x86_64.rpm, python3-artifacts-20230413-1.el9.{x86_64,aarch64}.rpm, and artifacts-data-20230413-1.el9.{x86_64,aarch64}.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
pfring-8.5.0-8320.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8320-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4252.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
pfring-8.5.0-8321.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8321-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4253.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.7-200 for FC38
6.3.6-200 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.7-200 for FC38
6.3.6-200 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.7-100 for FC37
6.3.6-100 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.7-100 for FC37
6.3.6-100 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-325 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-325 for EL9
lime-kernel-modules-el8-x86_64-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-494 for EL8
4.18.0-496 for EL8
fmem-kernel-modules-el8-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-494 for EL8
4.18.0-496 for EL8
June 7, 2023:
The following changes have been made:
snort-3.1.63.0-1.{fc36,fc37,fc38,el8}.x86_64.rpm and snort-3.1.63.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
python3-xlsxwriter-3.1.2-1.{el9,amzn2}.noarch.rpm and python36-xlsxwriter-3.1.2-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
pfring-8.5.0-8314.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.5.0.8314-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.7.0-4246.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc38-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.5-200 for FC38
6.3.4-201 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.5-200 for FC38
6.3.4-201 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
6.3.5-100 for FC37
6.3.4-101 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
6.3.5-100 for FC37
6.3.4-101 for FC37
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-319 for EL9
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-319 for EL9
May 31, 2023:
The following changes have been made:
libmaxminddb{,-devel}-1.7.1-1.amzn2.x86_64.rpm -
Libmaxminddb provides a C library for reading MaxMind DB files, including the GeoIP2 databases from MaxMind.
bellsoft-jdk8u372+7-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2 for the x86_64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
bellsoft-jdk8u372+7-linux-aarch64.rpm -
Bellsoft Java was installed for CentOS/RHEL 9 for the aarch64 architecture.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
libvhdi{,-devel,-python3,-tools}-20221124-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libvhdi{,-devel,-python3,-tools}-20221124-1.el9.{x86_64,aarch64}.rpm, and libvhdi{,-devel,-python36,-tools}-20221124-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python3,-tools}-20221124-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libvmdk{,-devel,-python3,-tools}-20221124-1.el9.{x86_64,aarch64}.rpm, and libvmdk{,-devel,-python36,-tools}-20221124-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
sleuthkit{,-devel,-libs}-4.12.0-100.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and sleuthkit{,-devel,-libs}-4.12.0-100.el9.{x86_64,aarch64}.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
libbde{,-devel,-python3,-tools}-20221031-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libbde{,-devel,-python3,-tools}-20221031-1.el9.{x86_64,aarch64}.rpm, and libbde{,-devel,-python36,-tools}-20221031-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libevt{,-devel,-python3,-tools}-20221022-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libevt{,-devel,-python3,-tools}-20221022-1.el9.{x86_64,aarch64}.rpm, and libevt{,-devel,-python36,-tools}-20221022-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python3,-tools}-20221101-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libevtx{,-devel,-python3,-tools}-20221101-1.el9.{aarch64,x86_64}.rpm, and libevtx{,-devel,-python36,-tools}-20221101-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
liblnk{,-devel,-python3,-tools}-20230205-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, liblnk{,-devel,-python3,-tools}-20230205-1.el9.{x86_64,aarch64}.rpm, and liblnk{,-devel,-python36,-tools}-20230205-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libmsiecf{,-devel,-python3,-tools}-20221024-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libmsiecf{,-devel,-python3,-tools}-20221024-1.el9.{x86_64,aarch64}.rpm, and libmsiecf{,-devel,-python36,-tools}-20221024-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python3,-tools}-20221024-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libolecf{,-devel,-python3,-tools}-20221024-1.el9.{x86_64,aarch64}.rpm, and libolecf{,-devel,-python36,-tools}-20221024-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libbfio{,-devel,-python3}-20221025-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libbfio{,-devel,-python3}-20221025-1.el9.{x86_64,aarch64}.rpm, and libbfio{,-devel,-python36}-20221025-1.el7.x86_64.rpm -
Libbfio is a library that provides basic file input/output abstraction.
Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
libpff{,-devel,-python3,-tools}-20211114-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libpff{,-devel,-python3,-tools}-20211114-1.el9.{x86_64,aarch64}.rpm, and libpff{,-devel,-python36,-tools}-20211114-1.el7.x86_64.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
libqcow{,-devel,-python3,-tools}-20221124-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libqcow{,-devel,-python3,-tools}-20221124-1.el9.{x86_64,aarch64}.rpm, and libqcow{,-devel,-python36,-tools}-20221124-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libregf{,-devel,-python3,-tools}-20230319-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libregf{,-devel,-python3,-tools}-20230319-1.el9.{x86_64,aarch64}.rpm, and libregf{,-devel,-python36,-tools}-20230319-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows Registry File files.
libsmdev{,-devel,-python3,-tools}-20221028-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libsmdev{,-devel,-python3,-tools}-20221028-1.el9.{x86_64,aarch64}.rpm, and libsmdev{,-devel,-python36,-tools}-20221028-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python3,-tools}-20230320-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libsmraw{,-devel,-python3,-tools}-20230320-1.el9.{x86_64,aarch64}.rpm, and libsmraw{,-devel,-python36,-tools}-20230320-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvshadow{,-devel,-python3,-tools}-20221030-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libvshadow{,-devel,-python3,-tools}-20221030-1.el9.{x86_64,aarch64}.rpm, and libvshadow{,-devel,-python36,-tools}-20221030-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
msghack-0.21-19.0.20220203.el8.noarch.rpm -
Msghack is a program that is used to alter .po files in ways no sane mind would.
gettext{,-devel,-envsubst,-libs,-runtime}-0.21-19.0.20220203.el8.x86_64.rpm, gettext-common-devel-0.21-19.0.20220203.el8.noarch.rpm, and emacs-gettext-0.21-19.0.20220203.el8.noarch.rpm -
Gettext is a set of utilities that provides a framework within which other free packages may produce multi-lingual messages.
autoconf-2.71-3.{fc35,el8,el9}.noarch.rpm -
Autoconf is an extensible package of M4 macros that produce shell scripts to automatically configure software source code packages.
libmdmp{,-devel,-tools}-20230321-1.{fc35,fc36,el8}.x86_64.rpm and libmdmp{,-devel,-tools}-20230321-1.el9.{x86_64,aarch64}.rpm -
Libmdmp is a library to access the Windows Minidump (MDMP) format.
Note that this project currently only focuses on the analysis of the format.
libhibr{,-devel,-tools}-20230321-1.{fc35,fc36,el8}.x86_64.rpm and libhibr{,-devel,-tools}-20230321-1.el9.{x86_64,aarch64}.rpm -
Libhibr is a library and tools to access the Windows Hibernation File (hiberfil.sys) format.
Note that this project currently only focuses on the analysis of the format.
libmodi{,-devel,-python3,-tools}-20221023-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libmodi{,-devel,-python3,-tools}-20221023-1.el9.{x86_64,aarch64}.rpm, and libmodi{,-devel,-python36,-tools}-20221023-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libnk2{,-devel,-python3,-tools}-20221122-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libnk2{,-devel,-python3,-tools}-20221122-1.el9.{x86_64,aarch64}.rpm, and libnk2{,-devel,-python36,-tools}-20221122-1.el7.x86_64.rpm -
Libnk2 is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
libphdi{,-devel,-python3,-tools}-20221025-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libphdi{,-devel,-python3,-tools}-20221025-1.el9.{x86_64,aarch64}.rpm, and libphdi{,-devel,-python36,-tools}-20221025-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
libexe{,-devel,-python3,-tools}-20230318-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libexe{,-devel,-python3,-tools}-20230318-1.el9.{x86_64,aarch64}.rpm, and libexe{,-devel,-python36,-tools}-20230318-1.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libwtcdb{,-devel,-tools}-20230129-1.{fc35,fc36,el8}.x86_64.rpm and libwtcdb{,-devel,-tools}-20230129-1.el9.{x86_64,aarch64}.rpm -
Libwtcdb is a library and tools to access the Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db).
libfplist{,-devel}-20220116-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libfplist{,-devel}-20220116-1.el9.{x86_64,aarch64}.rpm -
Libfplist is a library for plist formats. Note: this is a library only - there are no tools provided by these packages.
libfwevt{,-devel}-20230410-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libfwevt{,-devel}-20230410-1.el9.{x86_64,aarch64}.rpm -
Libfwevt is a library for Windows XML Event Log (EVTX) data types.
Note: this is a library only - there are no tools provided by these packages.
libfdata{,-devel,-static}-20220111-1.{el7,amzn2}.x86_64.rpm -
Libfdata is a library to provide generic file data functions.
libagdb{,-devel,-tools}-20230319-1.{fc35,fc36,el8}.x86_64.rpm and libagdb{,-devel,-tools}-20230319-1.el9.{x86_64,aarch64}.rpm -
Libagdb is a library to access the SuperFetch database format.
libagdb{,-devel,-tools}-20201023-1.{el7,amzn2}.x86_64.rpm -
Libagdb is a library to access the SuperFetch database format.
libcreg{,-devel,-python3,-tools}-20221022-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libcreg{,-devel,-python3,-tools}-20221022-1.el9.{x86_64,aarch64}.rpm, and libcreg{,-devel,-python36,-tools}-20221022-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libwrc{,-devel,-python3,-tools}-20230318-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libwrc{,-devel,-python3,-tools}-20230318-1.el9.{x86_64,aarch64}.rpm, and libwrc{,-devel,-python36,-tools}-20230318-1.el7.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
libvsgpt{,-devel,-python3,-tools}-20221029-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libvsgpt{,-devel,-python3,-tools}-20221029-1.el9.{x86_64,aarch64}.rpm, and libvsgpt{,-devel,-python36,-tools}-20221029-1.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
winevtrc-20220106-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and winevtrc-20220106-1.el9.{x86_64,aarch64}.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module of winevt-kb that allows reuse of Windows Event Log resources.
Note that this package also provides winevt-kb.
dtfabric-20221218-1.{fc35,fc36,el8,amzn2}.x86_64.rpm and dtfabric-20221218-1.el9.{x86_64,aarch64}.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
libhmac{,-devel,-python3,-static,-tools}-20230407-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libhmac{,-devel,-python36,-static,-tools}-20230407-1.el7.x86_64.rpm and libhmac{,-devel,-python3,-static,-tools}-20230407-1.el9.{x86_64,aarch64}.rpm -
Libhmac is a library to support various Hash-based Message Authentication Codes (HMAC).
dfimagetools-tools-20220312-1.{fc35,fc36,el7,el8,el9,amzn2}.noarch.rpm, python3-dfimagetools-20220312-1.{fc35,fc36,el8,el9,amzn2}.noarch.rpm, and python36-dfimagetools-20220312-1.el7.noarch.rpm -
DFImageTools is a collection of tools to process storage media images.
libfcrypto{,-devel,-python3,-static}-20221230-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfcrypto{,-devel,-python36,-static}-20221230-1.el7.x86_64.rpm, and libfcrypto{,-devel,-python3,-static}-20221230-1.el9.{x86_64,aarch64}.rpm -
Libfcrypto is a library for encryption formats.
winregrc-20230205-1.{fc35,fc36,el8,amzn2}.x86_64.rpm and winregrc-20230205-1.el9.{x86_64,aarch64}.rpm -
Winreg-kb is a project to build a Windows Registry knowledge base.
winregrc is the Python module of winreg-kb that allows reuse of Windows Registry resources.
Note that this package also provides winreg-kb.
dfwinreg-20221218-1.{fc35,fc36,el8,amzn2}.x86_64.rpm and dfwinreg-20221218-1.el9.{x86_64,aarch64}.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
2hash-0.2-2.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and 2hash-0.2-2.el9.{x86_64,aarch64}.rpm -
2hash is a tool to calculate the md5 and sha1 hashes of a file in a single read.
If you're regularly checking or calculating hashes of large files, this will save you a lot of disk I/O.
libfixbuf{,-devel,-ipfixDump}-2.4.2-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libfixbuf{,-devel,-ipfixDump}-2.4.2-1.el9.{x86_64,aarch64}.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-3.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-3.el9.{x86_64,aarch64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
This package was rebuilt for libfixbuf-2.4.2.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-4.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-4.el9.{x86_64,aarch64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt for libfixbuf-2.4.2.
libschemaTools{,-devel}-1.4-3.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libschemaTools{,-devel}-1.4-3.el9.{x86_64,aarch64}.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
This package was rebuilt for libfixbuf-2.4.2.
analysis-pipeline-5.11.4-3.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-3.el9.{x86_64,aarch64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt for libfixbuf-2.4.2.
analyzeMFT-3.0.1-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and analyzeMFT-3.0.1-1.el9.{x86_64,aarch64}.rpm -
AnalyzeMFT is a tool that fully parses
the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
See here for the changes since the previously installed version 2.0.19.1.
Note: This version uses Python 3.
autopsy-4.20.0-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and autopsy-4.20.0-1.el9.{x86_64,aarch64}.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 32 through 35 and CentOS 7 and 8 for the x86_64 architecture using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client, if necessary, adjust the host's firewall to allow RDP connection, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
exfat-utils-1.4.0-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and exfat-utils-1.4.0-1.el9.{x86_64,aarch64}.rpm -
The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems.
This version was rebuilt to remove the obsoletes directives for exfatprogs and fuse-exfat.
This means that the installer must select the appropriate version for their system if not installing with the CERT-Forensics-Tools meta package.
unrar-6.2.1-1.{fc35,fc36,el8,el9,amzn2}.x86_64.rpm -
Unrar is a powerful archive manager.
It can back up your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from the Internet, and create new archives in RAR and ZIP file format.
See here for a list of changes in this version.
rar-6.2.1-1.{fc35,fc36,el8,el9,amzn2}.x86_64.rpm -
Rar is a powerful archive manager.
It can back up your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from the Internet, and create new archives in RAR and ZIP file format.
See here for a list of changes in this version.
perl-Parse-Win32Registry-1.1-1.{fc35,fc36,el7,el8,el9,amzn2}.noarch.rpm -
perl-Parse-Win32Registry
is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API.
It provides an object-oriented interface to the keys and values in a registry file.
Registry files are structured as trees of keys, with each key containing further subkeys or values.
The module is intended to be cross-platform, and run on those platforms where Perl will run.
It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition).
It is intended to be used to parse offline registry files.
If a registry file is currently in use, you will not be able to open it.
However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
fuse-python{2,3}-1.0.5-1.{fc35,fc36,el8,amzn2}.x86_64.rpm and fuse-python3-1.0.5-1.el9.{x86_64,aarch64}.rpm -
Fuse-Python is a Python interface to libfuse,
a simple interface for userspace programs to export a virtual filesystem to the Linux kernel.
vmfs6-tools-0.2.1-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm, libvmfs6-devel-0.2.1-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm, vmfs6-tools-0.2.1-1.el9.{x86_64,aarch64}.rpm, and libvmfs6-devel-0.2.1-1.el9.{x86_64,aarch64}.rpm -
VMFS6-tools is a collection of command-line tools for operating on VMware's VMFS file system.
Included in this release is limited VMFS version 6 support.
Note: The tools in the vmfs6-tools package are named debugvmfs6, fsck.vmfs6, vmfs6-fuse, vmfs6-lvm.
libscca{,-devel,-python3,-tools}-20221027-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libscca{,-devel,-python3,-tools}-20221027-1.el9.{x86_64,aarch64}.rpm, and libscca{,-devel,-python36,-tools}-20221027-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libfwnt{,-devel,-python3}-20220922-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfwnt{,-devel,-python3}-20220922-1.el9.{x86_64,aarch64}.rpm, and libfwnt{,-devel,-python36}-20220922-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfwps{,-devel,-python3}-20230202-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfwps{,-devel,-python3}-20230202-1.el9.{x86_64,aarch64}.rpm, and libfwps{,-devel,-python36}-20230202-1.el7.x86_64.rpm -
LibFWPS is a library for Windows Property Store data types.
python3-dfdatetime-20230225-1.{fc35,fc36,el8,el9,amzn2}.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
python{2,3}-future-0.18.3-4.1.el8.noarch.rpm -
Python-Future is the missing compatibility layer between Python 2 and Python 3.
It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
This package was built to support the packaging of Python-PEFile
which in turn is needed to support the packaging of Volatility-community-plugins.
python3-pefile-2023.2.7-1.{fc35,fc36,el9}.noarch.rpm -
PEFile is a Portable Executable reader module.
opensearch-py-2.2.0-1.{fc35,fc36,el7,el8,el9,amzn2}.noarch.rpm -
OpenSearch-PY is a Python client for OpenSearch.
python3-acstore-20230325-1.{fc35,fc36,el8,el9,amzn2}.noarch.rpm -
ACStore is a library that provides a stand-alone implementation to read and write Attribute Container stores, such as Plaso storage files.
python3-flor-1.1.3-1.{fc35,fc36,el8,el9,amzn2}.noarch.rpm and python36-flor-1.1.3-1.el7.noarch.rpm -
Flor implements a Bloom filter class that is fully compatible with the Go Bloom filter implementation.
plaso-20230311-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and plaso-20230311-1.el9.{x86_64,aarch64}.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
libvslvm{,-devel,-python3,-tools}-20221025-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libvslvm{,-devel,-python3,-tools}-20221025-1.el9.{x86_64,aarch64}.rpm, and libvslvm{,-devel,-python36,-tools}-20221025-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
python3-dfvfs-20230408-1.{fc35,fc36,el8,el9,amzn2}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfsntfs{,-devel,-python3,-tools}-20230427-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfsntfs{,-devel,-python3,-tools}-20230427-1.el9.{x86_64,aarch64}.rpm, and libfsntfs{,-devel,-python36,-tools}-20230427-1.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libsigscan{,-devel,-python3,-tools}-20230109-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libsigscan{,-devel,-python3,-tools}-20230109-1.el9.{x86_64,aarch64}.rpm, and libsigscan{,-devel,-python36,-tools}-20230109-1.el7.x86_64.rpm -
Libsigscan is a library and tools for binary signature scanning.
pytsk3-20230125-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and pytsk3-20230125-1.el9.{x86_64,aarch64}.rpm -
Pytsk is Python bindings for The Sleuth Kit.
libfwsi{,-devel,-python3}-20230114-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfwsi{,-devel,-python3}-20230114-1.el9.{x86_64,aarch64}.rpm, and libfwsi{,-devel,-python36}-20230114-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
python3-artifacts-20221219-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, artifacts-data-20221219-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, python3-artifacts-20221219-1.el9.{x86_64,aarch64}.rpm, and artifacts-data-20221219-1.el9.{x86_64,aarch64}.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
super_mediator-1.9.1-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and super_mediator-1.9.1-1.el9.{x86_64,aarch64}.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for the list of changes.
acr-2.1.1-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm -
ACR tries to replace autoconf functionality by generating a fully compatible 'configure' script (runtime flags),
but using shell script instead of m4. This means that ACR is faster, smaller and easier to use.
yaf{,-devel}-2.13.0-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and yaf{,-devel}-2.13.0-1.el9.{x86_64,aarch64}.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7, 8, and 9 for the x86_64 architecture, yaf has been built to use PF_Ring.
libluksde{,-devel,-python3,-tools}-20221103-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libluksde{,-devel,-python3,-tools}-20221103-1.el9.{x86_64,aarch64}.rpm, and libluksde{,-devel,-python36,-tools}-20221103-1.el7.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libfsapfs{,-devel,-python3,-tools}-20221102-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libfsapfs{,-devel,-python3,-tools}-20221102-1.el9.{x86_64,aarch64}.rpm, and libfsapfs{,-devel,-python36,-tools}-20221102-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
ghidra-10.3-PUBLIC_20230510.1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and ghidra-10.3-PUBLIC_20230510.1.el9.{x86_64,aarch64}.rpm -
Ghidra
is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements
here.
apfs-fuse-20230103-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and apfs-fuse-20230103-1.el9.{x86_64,aarch64}.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones.
zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-5.0.9-1.{fc35,fc36,el7,el8}.x86_64.rpm, libbroker-devel-5.0.9-1.{fc35,fc36,el7,el8}.x86_64.rpm, zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-5.0.9-1.el9.{x86_64,aarch64}.rpm, and libbroker-devel-5.0.9-1.el9.{x86_64,aarch64}.rpm for CentOS 9 Stream -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
bulk_extractor-2.0.3-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and bulk_extractor-2.0.3-1.el9.{aarch64,x86_64}.rpm -
Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
mac_apt-1.5.0.dev-3.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and mac_apt-1.5.0.dev-3.el9.{x86_64,aarch64}.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines)
and extract data/metadata useful for forensic investigation.
It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, etc.).
This package is based on the 2023-03-12 version of the code.
musl-{clang,devel,filesystem,gcc,libc,libc-static}-1.2.3-1.{el7,el8,amzn2}.x86_64.rpm and musl-{clang,devel,filesystem,gcc,libc,libc-static}-1.2.3-1.el9.{x86_64,aarch64}.rpm -
MUSL is a fully featured lightweight standard C library for Linux.
This package was built to support AVML.
avml-0.11.3-1.{fc35,fc36}.x86_64.rpm and avml-0.11.3-1.el9.{x86_64,aarch64}.rpm -
AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with
Volatility 2 or Volatility 3 once the appropriate profiles
have been created.
Volatility3-2.4.2-2.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and Volatility3-2.4.2-2.el9.{aarch64,x86_64}.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This release is patched as of 2023-03-09.
daq{,-devel,-modules}-3.0.11-1.{fc35,fc36,el8}.x86_64.rpm and daq{,-devel,-modules}-3.0.11-1.el9.{aarch64,x86_64}.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
snort-3.1.62.0-1.{fc35,fc36,el8}.x86_64.rpm and snort-3.1.62.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
maryam-2.5.1-2.{fc35,fc36,el8,amzn2}.x86_64.rpm and maryam-2.5.1-2.el9.{x86_64,aarch64}.rpm -
OWASP Maryam is a modular/optional open-source framework based on OSINT and data gathering.
Maryam is written in the Python programming language and has been designed to provide a powerful environment to harvest data from open sources and search engines and collect data quickly and thoroughly.
See here for documentation on the modules provided for Maryam.
Note that Maryam is not available for CentOS/RHEL 7 at this time.
EVTXtract-0.2.4-4.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and EVTXtract-0.2.4-4.el9.{aarch64,x86_64}.rpm -
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
zui-1.0.1.x86_64.rpm -
Zui (formerly known as Brim) is an open source desktop application for security and network specialists,
and was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2 repositories for the x86_64 architecture.
Zui makes it easy to search and analyze data from:
packet captures, like those created by Wireshark, and
structured logs, especially from the Zeek network analysis framework.
Zui is especially useful to security and network operators that need to handle large packet captures, especially those that are cumbersome for Wireshark, tshark, or other packet analyzers.
mmc-utils-0.1-2.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and mmc-utils-0.1-2.el9.{aarch64,x86_64}.rpm -
MMC-Utils is a tool for configuring MMC storage devices from userspace.
This version is patched as of 2023-03-12.
libfixbuf{,-devel,-tools}-3.0.0.alpha2-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libfixbuf{,-devel,-tools}-3.0.0.alpha2-1.el9.{aarch64,x86_64}.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
These packages are installed in the forensics-test repository.
Please address any comments on these packages to netsa-help@cert.org.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-103.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-103.el9.{aarch64,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
libschemaTools{,-devel}-1.4-4.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and libschemaTools{,-devel}-1.4-4.el9.{aarch64,x86_64}.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
analysis-pipeline-5.11.4-4.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and analysis-pipeline-5.11.4-4.el9.{aarch64,x86_64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
super_mediator-2.0.0.alpha2-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and super_mediator-2.0.0.alpha2-1.el9.{aarch64,x86_64}.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for the list of changes.
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha1 and silk 3.19.2.
Please address any comments on these packages to netsa-help@cert.org.
yaf{,-devel}-3.0.0.alpha2-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and yaf{,-devel}-3.0.0.alpha2-1.el9.{aarch64,x86_64}.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7 and 8 systems, yaf has been built to use PF_Ring.
See here for the list of changes.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha2.
Please address any comments on these packages to netsa-help@cert.org.
libesedb{,-devel,-python3,-tools}-20230318-1.{fc35,fc36,el8,amzn2}.x86_64.rpm, libesedb{,-devel,-python36,-tools}-20230318-1.el7.x86_64.rpm, and libesedb{,-devel,-python3,-tools}-20230318-1.el9.{x86_64,aarch64}.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
hindsight-2023.03-1.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and hindsight-2023.03-1.el9.{x86_64,aarch64}.rpm -
Hindsight is a free tool for analyzing web artifacts.
It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications.
Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords,
preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).
Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
CERT-Forensics-Tools-1.0-103.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and CERT-Forensics-Tools-1.0-103.el9.{aarch64,x86_64}.rpm -
The following changes were made:
winregrc replaces winreg-kb
winevtrc replaces winevt-kb
libfixbuf-ipfixDump was added
zeek was removed for Fedora 38 for now
mmc-utils was removed for Fedora 38
libvsmbr{,-devel,-python3,-tools}-20230318-1.{fc35,fc36,el8}.x86_64.rpm and libvsmbr{,-devel,-python3,-tools}-20230318-1.el9.{aarch64,x86_64}.rpm -
Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
python3-oletools-0.60.1-2.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm, python-oletools-doc-0.60.1-2.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm, python3-oletools-0.60.1-2.el9.{aarch64,x86_64}.rpm, and python-oletools-doc-0.60.1-2.el9.{aarch64,x86_64}.rpm -
Python-Oletools is a package of python tools from Philippe Lagadec to analyze Microsoft OLE2 files (also called
Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for
malware analysis, forensics and debugging.
It is based on the olefile parser.
wdpassport-utils-0.2-4.{fc35,fc36,el7,el8,amzn2}.x86_64.rpm and wdpassport-utils-0.2-4.el9.{aarch64,x86_64}.rpm -
WDPassPort-Utils is a utility used to lock, unlock, and reset passwords on Western Digital's Passport drives.
This version was rebuilt to correctly set the permissions on the python executable.
GeoIP{,-devel}-1.6.12-5.el9.{x86_64,aarch64}.rpm -
GeoIP is a library for country/city/organization to IP address or hostname mapping.
pfring-8.5.0-{8169,8194,8197,8211,8232,8235,8241,8253,8265,8279,8305}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
These packages were installed in the CentOS/RHEL 7 and 8 Stream.
pfring-dkms-8.5.0.{8169,8194,8197,8211,8232,8235,8241,8253,8265,8279,8305}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
These packages were installed in the CentOS/RHEL 7 and 8 Stream.
ndpi-4.7.0-{4142,4160,4163,4175,4183,4187,4190,4196,4206,4218,4230,4241}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
These packages were installed in the CentOS/RHEL 7 and 8 Stream.
pfring-8.5.0-{8225,8232,8235,8241,8253,8265,8279,8305}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
These packages were installed in the CentOS/RHEL 9 Stream.
pfring-dkms-8.5.0.{8225,8232,8235,8241,8253,8265,8279,8305}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
These packages were installed in the CentOS/RHEL 9 Stream.
ndpi-4.7.0-{4183,4187,4190,4196,4206,4218,4230,4241}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
These packages were installed in the CentOS/RHEL 9 Stream.
pfring-8.5.0-{8169,8194,8197,8211,8225}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
These packages were installed in the Amazon Linux 2 repositories for the x86_64 architecture.
pfring-dkms-8.5.0.{8169,8194,8197,8211,8225}-dkms.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
These packages were installed in the Amazon Linux 2 repositories for the x86_64 architecture.
ndpi-4.7.0-{4142,4160,4163,4175,4183}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
These packages were installed in the Amazon Linux 2 repositories for the x86_64 architecture.
fmem-kernel-modules-1.6-1.25.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 37 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-25.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 37 x86_64 architecture was added.
Fedora 37 - The repository now supports Fedora 37
for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 37:
fmem-kernel-modules-1.6-1.26.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 38 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-26.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 38 x86_64 architecture was added.
Fedora 38 - The repository now supports Fedora 38
for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 38:
lime-kernel-modules-fc38-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
6.2.15-300 for FC38
6.2.14-300 for FC38
6.2.13-300 for FC38
fmem-kernel-modules-fc38-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
6.2.15-300 for FC38
6.2.14-300 for FC38
6.2.13-300 for FC38
lime-kernel-modules-fc37-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
6.2.15-200 for FC37
6.2.14-200 for FC37
6.2.13-200 for FC37
6.2.12-200 for FC37
6.2.11-200 for FC37
6.2.10-200 for FC37
6.2.9-200 for FC37
6.2.8-200 for FC37
6.2.7-200 for FC37
6.1.18-200 for FC37
fmem-kernel-modules-fc37-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
6.2.15-200 for FC37
6.2.14-200 for FC37
6.2.13-200 for FC37
6.2.12-200 for FC37
6.2.11-200 for FC37
6.2.10-200 for FC37
6.2.9-200 for FC37
6.2.8-200 for FC37
6.2.7-200 for FC37
6.1.18-200 for FC37
lime-kernel-modules-fc36-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
6.2.15-100 for FC36
6.2.14-100 for FC36
6.2.13-100 for FC36
6.2.12-100 for FC36
6.2.11-100 for FC36
6.2.10-100 for FC36
6.2.9-100 for FC36
6.2.8-100 for FC36
6.2.7-100 for FC36
6.1.18-100 for FC36
6.1.15-100 for FC36
6.1.14-100 for FC36
6.1.13-100 for FC36
6.1.12-100 for FC36
6.1.11-100 for FC36
6.1.10-100 for FC36
6.1.9-100 for FC36
6.1.8-100 for FC36
6.1.7-100 for FC36
6.1.6-100 for FC36
6.1.5-100 for FC36
6.0.18-200 for FC36
6.0.17-200 for FC36
6.0.16-200 for FC36
6.0.15-200 for FC36
6.0.14-200 for FC36
6.0.12-200 for FC36
6.0.11-200 for FC36
6.0.10-200 for FC36
6.0.9-200 for FC36
6.0.8-200 for FC36
6.0.7-200 for FC36
6.0.5-200 for FC36
5.19.16-200 for FC36
5.19.15-201 for FC36
5.19.14-200 for FC36
5.19.13-200 for FC36
5.19.12-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
6.2.15-100 for FC36
6.2.14-100 for FC36
6.2.13-100 for FC36
6.2.12-100 for FC36
6.2.11-100 for FC36
6.2.10-100 for FC36
6.2.9-100 for FC36
6.2.8-100 for FC36
6.2.7-100 for FC36
6.1.18-100 for FC36
6.1.15-100 for FC36
6.1.14-100 for FC36
6.1.13-100 for FC36
6.1.12-100 for FC36
6.1.11-100 for FC36
6.1.10-100 for FC36
6.1.9-100 for FC36
6.1.8-100 for FC36
6.1.7-100 for FC36
6.1.6-100 for FC36
6.1.5-100 for FC36
6.0.18-200 for FC36
6.0.17-200 for FC36
6.0.16-200 for FC36
6.0.15-200 for FC36
6.0.14-200 for FC36
6.0.12-200 for FC36
6.0.11-200 for FC36
6.0.10-200 for FC36
6.0.9-200 for FC36
6.0.8-200 for FC36
6.0.7-200 for FC36
6.0.5-200 for FC36
5.19.16-200 for FC36
5.19.15-201 for FC36
5.19.14-200 for FC36
5.19.13-200 for FC36
5.19.12-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-42.noarch.rpm -
Support for the following kernels was added for LiME:
6.0.12-100 for FC35
6.0.11-100 for FC35
6.0.10-100 for FC35
6.0.9-100 for FC35
6.0.8-100 for FC35
6.0.7-100 for FC35
6.0.5-100 for FC35
5.19.16-100 for FC35
5.19.15-101 for FC35
5.19.14-100 for FC35
5.19.13-100 for FC35
5.19.12-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.42.noarch.rpm -
Support for the following kernels was added for Fmem:
6.0.12-100 for FC35
6.0.11-100 for FC35
6.0.10-100 for FC35
6.0.9-100 for FC35
6.0.8-100 for FC35
6.0.7-100 for FC35
6.0.5-100 for FC35
5.19.16-100 for FC35
5.19.15-101 for FC35
5.19.14-100 for FC35
5.19.13-100 for FC35
5.19.12-100 for FC35
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-167 for EL9
5.14.0-168 for EL9
5.14.0-171 for EL9
5.14.0-174 for EL9
5.14.0-176 for EL9
5.14.0-177 for EL9
5.14.0-183 for EL9
5.14.0-191 for EL9
5.14.0-196 for EL9
5.14.0-197 for EL9
5.14.0-200 for EL9
5.14.0-202 for EL9
5.14.0-205 for EL9
5.14.0-206 for EL9
5.14.0-210 for EL9
5.14.0-214 for EL9
5.14.0-226 for EL9
5.14.0-229 for EL9
5.14.0-234 for EL9
5.14.0-239 for EL9
5.14.0-247 for EL9
5.14.0-252 for EL9
5.14.0-267 for EL9
5.14.0-274 for EL9
5.14.0-282 for EL9
5.14.0-283 for EL9
5.14.0-285 for EL9
5.14.0-289 for EL9
5.14.0-293 for EL9
5.14.0-295 for EL9
5.14.0-299 for EL9
5.14.0-302 for EL9
5.14.0-305 for EL9
5.14.0-307 for EL9
5.14.0-311 for EL9
5.14.0-312 for EL9
5.14.0-313 for EL9
5.14.0-315 for EL9
5.14.0-316 for EL9
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-167 for EL9
5.14.0-168 for EL9
5.14.0-171 for EL9
5.14.0-174 for EL9
5.14.0-176 for EL9
5.14.0-177 for EL9
5.14.0-183 for EL9
5.14.0-191 for EL9
5.14.0-196 for EL9
5.14.0-197 for EL9
5.14.0-200 for EL9
5.14.0-202 for EL9
5.14.0-205 for EL9
5.14.0-206 for EL9
5.14.0-210 for EL9
5.14.0-214 for EL9
5.14.0-226 for EL9
5.14.0-229 for EL9
5.14.0-234 for EL9
5.14.0-239 for EL9
5.14.0-247 for EL9
5.14.0-252 for EL9
5.14.0-267 for EL9
5.14.0-274 for EL9
5.14.0-282 for EL9
5.14.0-283 for EL9
5.14.0-285 for EL9
5.14.0-289 for EL9
5.14.0-293 for EL9
5.14.0-295 for EL9
5.14.0-299 for EL9
5.14.0-302 for EL9
5.14.0-305 for EL9
5.14.0-307 for EL9
5.14.0-311 for EL9
5.14.0-312 for EL9
5.14.0-313 for EL9
5.14.0-315 for EL9
5.14.0-316 for EL9
fmem-kernel-modules-el8-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-408 for EL8
4.18.0-448 for EL8
4.18.0-481 for EL8
4.18.0-483 for EL8
4.18.0-485 for EL8
4.18.0-486 for EL8
4.18.0-488 for EL8
4.18.0-489 for EL8
4.18.0-490 for EL8
4.18.0-492 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-408 for EL8
4.18.0-448 for EL8
4.18.0-481 for EL8
4.18.0-483 for EL8
4.18.0-485 for EL8
4.18.0-486 for EL8
4.18.0-488 for EL8
4.18.0-489 for EL8
4.18.0-490 for EL8
4.18.0-492 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.89.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.90.1 for EL7
3.10.0-1160.88.1 for EL7
3.10.0-1160.83.1 for EL7
3.10.0-1160.81.1 for EL7
3.10.0-1160.80.1 for EL7
lime-kernel-modules-el7-x86_64-1.9.1-89.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.90.1 for EL7
3.10.0-1160.88.1 for EL7
3.10.0-1160.83.1 for EL7
3.10.0-1160.81.1 for EL7
3.10.0-1160.80.1 for EL7
fmem-kernel-modules-1.6-1.27.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the CentOS/RHEL 9 aarch64 architecture was added.
lime-kernel-modules-1.1.r17-27.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the CentOS/RHEL 9 aarch64 architecture was added.
September 28, 2022:
The following changes have been made:
Volatility3-2.4.0-1.{fc34,fc35,fc36,el7,el8,amzn2}.x86_64.rpm and Volatility3-2.4.0-1.el9.{aarch64,x86_64}.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This release is patched as of 2022-09-23.
python3-certifi-2022.9.24.1-1.{el8,amzn2}.noarch.rpm and python36-2022.9.24.1.8-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python3-dfdatetime-20220925-1.{fc34,fc35,fc36,el8,el9,amzn2}.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
libevtx{,-devel,-python3,-tools}-20220724-1.{fc34,fc35,fc36,el8,amzn2}.x86_64.rpm, libevtx{,-devel,-python3,-tools}-20220724-1.el9.{aarch64,x86_64}.rpm, and libevtx{,-devel,-python36,-tools}-20220724-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libfsext{,-devel,-python3,-tools}-20220829-1.{fc34,fc35,fc36,el8,amzn2}.x86_64.rpm, libfsext{,-devel,-python3,-tools}-20220829-1.el9.{aarch64,x86_64}.rpm, and libfsext{,-devel,-python36,-tools}-20220829-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libfsfat{,-devel,-python3,-tools}-20220925-1.{fc34,fc35,fc36,el8,amzn2}.x86_64.rpm, libfsfat{,-devel,-python3,-tools}-20220925-1.el9.{aarch64,x86_64}.rpm, and libfsfat{,-devel,-python36,-tools}-20220925-1.el7.x86_64.rpm -
Libfsfat is a library and tools to access the File Allocation Table (FAT) file system format.
libfshfs{,-devel,-python3,-tools}-20220831-1.{fc34,fc35,fc36,el8,amzn2}.x86_64.rpm, libfshfs{,-devel,-python3,-tools}-20220831-1.el9.{aarch64,x86_64}.rpm, and libfshfs{,-devel,-python36,-tools}-20220831-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
libfsxfs{,-devel,-python3,-static,-tools}-20220829-1.{fc34,fc35,fc36,el8,amzn2}.x86_64.rpm, libfsxfs{,-devel,-python3,-static,-tools}-20220829-1.el9.{aarch64,x86_64}.rpm, and libfsxfs{,-devel,-python36,-static,-tools}-20220829-1.el7.x86_64.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
libfvde{,-devel,-python3,-tools}-20220915-1.{fc34,fc35,fc36,el7,el8,amzn2}.x86_64.rpm, libfvde{,-devel,-python3,-tools}-20220915-1.el9.{aarch64,x86_64}.rpm, and libfvde{,-devel,-python36,-tools}-20220915-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
python3-dfvfs-20220917-1.{fc34,fc35,fc36,el8,el9,amzn2}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-lz4-4.0.2-1.el9.{aarch64,x86_64}.rpm -
LZ4 contains the python bindings for the lz4 compression library.
python{2,36}-psutil-5.9.2-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
snort-3.1.42.0-1.{fc34,fc35,fc36,el8}.x86_64.rpm and snort-3.1.42.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.3.0-7842.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7842-7842.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3965.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.11-200 for FC36
5.19.10-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.11-200 for FC36
5.19.10-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-41.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.11-100 for FC35
5.19.10-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.41.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.11-100 for FC35
5.19.10-100 for FC35
September 21, 2022:
The following changes have been made:
snort-3.1.41.0-1.{fc34,fc35,fc36,el8}.x86_64.rpm and snort-3.1.41.0-1.el9.{x86_64,aarch64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
flex{,-devel,-doc}-2.6.1-9.el7.x86_64.rpm -
Flex is a tool for generating scanners: programs which recognize lexical patterns in text.
This was built to support building zeek.
zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-5.0.1-1.x86_64.rpm and libbroker-devel-5.0.1-1.x86_64.rpm for Fedora 34-36 and CentOS/RHEL 7, 8 Stream and 9 Stream, and zeek{,-btest,-btest-data,-client,-core,ctl,-devel,-spicy-devel,-zkg}-5.0.1-1.aarch64.rpm and libbroker-devel-5.0.1-1.aarch64.rpm for CentOS 9 Stream -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-8.3.0-7809.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7809-7809.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3946.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.9-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.9-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-40.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.9-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.9-100 for FC35
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-162 for EL9
5.14.0-163 for EL9
5.14.0-165 for EL9
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-162 for EL9
5.14.0-163 for EL9
5.14.0-165 for EL9
September 14, 2022:
The following changes have been made:
yara{,-devel,-doc}-4.2.3-1.el8.x86_64.rpm -
Yara is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.
With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic.
These packages provide the missing yara-devel.
python{2,3}-yara-4.2.3-1.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
pfring-8.3.0-7793.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7793-7793.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3933.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.8-200 for FC36
5.19.7-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.8-200 for FC36
5.19.7-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.8-100 for FC35
5.19.7-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.8-100 for FC35
5.19.7-100 for FC35
September 7, 2022:
The following changes have been made:
Volatility3-2.3.1-1.{fc34,fc35,fc36,el7,el8,amzn2}.x86_64.rpm and Volatility3-2.3.1-1.el9.{aarch64,x86_64}.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This release is patched as of 2022-08-31.
pfring-8.3.0-7784.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7784-7784.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3927.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.6-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.6-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.19.6-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.19.6-100 for FC35
fmem-kernel-modules-el9-{x86_64,aarch64}-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-160 for EL9
lime-kernel-modules-el9-{x86_64,aarch64}-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-160 for EL9
August 31, 2022:
The following changes have been made:
snort-3.1.40.0-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.3.0-7766.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7766-7766.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3910.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.19-200 for FC36
5.19.4-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.19-200 for FC36
5.19.4-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.19-100 for FC35
5.19.4-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.19-100 for FC35
5.19.4-100 for FC35
August 24, 2022:
The following changes have been made:
pfring-8.3.0-7752.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7752-7752.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3900.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.18-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.18-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.18-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.18-100 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem for both the x86_64 and aarch64 architectures:
5.14.0-145 for EL9
5.14.0-148 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME for both the x86_64 and aarch64 architectures:
5.14.0-145 for EL9
5.14.0-148 for EL9
CentOS 9 Stream - The repository now supports CentOS 9 Stream for the aarch64 CPU architecture.
Here is the list of tools provided for CentOS 9 Stream:
August 17, 2022:
The following changes have been made:
python3-dfdatetime-20220810-1.{fc34,fc35,fc36,el8,el9,amzn2}.noarch.rpm and python36-dfdatetime-20220810-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
libbde{,-devel,-python3,-tools}-20220807-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm and libbde{,-devel,-python36,-tools}-20220121-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libluksde{,-devel,-python3,-tools}-20220807-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm and libluksde{,-devel,-python36,-tools}-20220121-1.el7.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libfvde{,-devel,-python3,-tools}-20220807-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm and libfvde{,-devel,-python36,-tools}-20220125-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
libesedb{,-devel,-python3,-tools}-20220806-1.{fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm and libesedb{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ghidra-10.1.5_PUBLIC_20220726.1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
pfring-8.3.0-7745.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7745-7745.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3899.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
daq{,-devel,-modules}-3.0.9-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
The Data Acquisition Library (DAQ) is a library used by Snort.
snort-3.1.39.0-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
lime-kernel-modules-fc36-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.17-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.17-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.17-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.17-100 for FC35
fmem-kernel-modules-el7-x86_64-1.6-1.88.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.76.1 for EL7
lime-kernel-modules-el7-x86_64-1.9.1-88.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.76.1 for EL7
August 10, 2022:
The following changes have been made:
plaso-20220724-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
Note: For CentOS/RHEL 7, 8, and 9, and Amazon Linux 2, Plaso now runs in a Python virtual environment.
hindsight-2021.12-2.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Hindsight is a free tool for analyzing web artifacts.
It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications.
Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords,
preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).
Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
This version was rebuilt to use the latest libcffi library on CentOS/RHEL 7.
bellsoft-jdk8u345+1-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
pfring-8.3.0-7737.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7737-7737.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3892.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.16-200 for FC36
5.18.15-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.16-200 for FC36
5.18.15-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.16-100 for FC35
5.18.15-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.16-100 for FC35
5.18.15-100 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-142 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-142 for EL9
August 3, 2022:
The following changes have been made:
snort-3.1.38.0-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.3.0-7710.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7710-7710.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3877.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
July 27, 2022:
The following changes have been made:
bellsoft-1.8.0.342.0.7-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
pfring-8.3.0-7689.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7689-7689.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3865.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.13-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.13-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.13-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.13-100 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-134 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-134 for EL9
July 20, 2022:
The following changes have been made:
libfshfs{,-devel,-python3,-tools}-20220709-1.{fc34,fc35,el8,el9,amzn2}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20220709-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
libfsxfs{,-devel,-python3,-static,-tools}-20220706-1.{fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm and libfsxfs{,-devel,-python36,-static,-tools}-20220706-1.el7.x86_64.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
python3-artifacts-20220615-1.{fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm, python36-artifacts-20220615-1.el7.x86_64.rpm, and artifacts-data-20220615-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
libfsapfs{,-devel,-python3,-tools}-20220709-1.{fc34,fc35,el8,el9,amzn2,el8}.x86_64.rpm and libfsapfs{,-devel,-python36,-tools}-20220709-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
python3-redis-4.3.4-1.el9.noarch.rpm and python36-redis-4.3.4-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
python3-certifi-2022.6.15.1-1.{el8,amzn2}.noarch.rpm and python36-2022.6.15.1.8-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python{2,3}-cffi-1.15.1-1.{el8,el9,amzn2}.x86_64.rpm and cffi-doc-1.15.1-1.{el8,el9,amzn2}.noarch.rpm -
Python-CFFI is a C Foreign Function Interface for Python.
Interact with almost any C code from Python, based on C-like declarations that you can often copy-paste from header files or documentation.
python3-requests-2.28.1-1.amzn2.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
pfring-8.3.0-7652.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7652-7652.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3846.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
Volatility3-2.3.0-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
The full documentation for this version of Volatility can be found here.
This release is patched as of 2022-07-19.
CERT-Forensics-Tools-1.0-102.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
The following changes were made:
ssldump removed for CentOS/RHEL 8 and CentOS-8 Stream
cutter-re removed for CentOS/RHEL 8 and CentOS-8 Stream
lime-kernel-modules-fc36-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.11-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.11-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.11-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.11-100 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-127 for EL9
5.14.0-130 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-127 for EL9
5.14.0-130 for EL9
July 9, 2022:
The following changes have been made:
snort-3.1.32.0-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
Volatility3-2.2.0-2.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-07-01.
pfring-8.3.0-7626.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.3.0.7626-7626.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.5.0-3829.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.10-200 for FC36
5.18.9-200 for FC36
5.18.7-200 for FC36
5.18.6-200 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.10-200 for FC36
5.18.9-200 for FC36
5.18.7-200 for FC36
5.18.6-200 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.10-100 for FC35
5.18.9-100 for FC35
5.18.7-100 for FC35
5.18.6-100 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.10-100 for FC35
5.18.9-100 for FC35
5.18.7-100 for FC35
5.18.6-100 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-115 for EL9
5.14.0-118 for EL9
5.14.0-119 for EL9
5.14.0-120 for EL9
5.14.0-124 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-115 for EL9
5.14.0-118 for EL9
5.14.0-119 for EL9
5.14.0-120 for EL9
5.14.0-124 for EL9
fmem-kernel-modules-el7-x86_64-1.6-1.87.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.71.1 for EL7
lime-kernel-modules-el7-x86_64-1.9.1-87.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.71.1 for EL7
June 21, 2022:
The following changes have been made:
pfring-8.1.0-7555.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7555-7555.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3772.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.5-200 for FC36
5.17.14-300 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.5-200 for FC36
5.17.14-300 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.18.5-100 for FC35
5.18.4-101 for FC35
5.17.14-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.18.5-100 for FC35
5.18.4-101 for FC35
5.17.14-200 for FC35
fmem-kernel-modules-el9-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-109 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-109 for EL9
June 15, 2022:
The following changes have been made:
super_mediator-1.9.0-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for the list of changes.
python3-artifacts-20220608-1.{fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm, python36-artifacts-20220608-1.el7.x86_64.rpm, and artifacts-data-20220608-1.{fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
python3-requests-2.28.0-1.amzn2.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
pfring-8.1.0-7543.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7543-7543.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3760.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.13-300 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.13-300 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.13-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.13-200 for FC35
June 8, 2022:
The following changes have been made:
python3-elasticsearch-7.17.4-1.{fc34,el8,amzn2}.x86_64.rpm and python36-elasticsearch-7.17.4-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-redis-4.3.3-1.el9.noarch.rpm and python36-redis-4.3.3-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
bellsoft-jdk8u333+2-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
Brim-0.30.0.rpm -
Brim is an open source desktop application for security and network specialists,
and was installed for Fedora 34, 35, and 36, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2.
Brim makes it easy to search and analyze data from:
packet captures, like those created by Wireshark, and
structured logs, especially from the Zeek network analysis framework.
Brim is especially useful to security and network operators that need to handle large packet captures, especially those that are cumbersome for Wireshark, tshark, or other packet analyzers.
daq{,-devel,-modules}-3.0.8-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
snort-3.1.31.0-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
pfring-8.1.0-7528.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7528-7528.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3750.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.12-300 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.12-300 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.12-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.12-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.52.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.12-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-52.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.12-100 for FC34
fmem-kernel-modules-el9-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-105 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-105 for EL9
fmem-kernel-modules-el8-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-394 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-394 for EL8
June 1, 2022:
The following changes have been made:
Volatility3-2.2.0-1.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-05-27.
ghidra-10.1.4_PUBLIC_20220125.1.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
libfsxfs{,-devel,-python3,-static,-tools}-20220528-1.{fc33,fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm and libfsxfs{,-devel,-python36,-static,-tools}-20220528-1.el7.x86_64.rpm -
Libfsxfs contains library and tools to access the SGI X File System (XFS).
libfsext{,-devel,-python3,-tools}-20220529-1.{fc33,fc34,fc35,fc36,el8,el9,amzn2}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20220529-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
python3-pefile-2022.5.30-1.{fc33,fc34,fc35,fc36,el9}.noarch.rpm -
PEFile is a Portable Executable reader module.
opensearch-py-2.0.0-1.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.noarch.rpm -
OpenSearch-PY is a Python client for OpenSearch.
python3-lz4-4.0.1-1.el9.x86_64.rpm and python36-lz4-4.0.1-1.el7.x86_64.rpm -
LZ4 contains the python bindings for the lz4 compression library.
pfring-8.1.0-7509.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7509-7509.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3733.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.11-300 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.11-300 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.11-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.11-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.51.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.11-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-51.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.11-100 for FC34
fmem-kernel-modules-el9-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-101 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-101 for EL9
fmem-kernel-modules-el8-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-383 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-34.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-383 for EL8
Fedora 33 - Updates to Fedora 33 for the x86_64 CPU architecture have ceased.
May 25, 2022:
The following changes have been made:
python3-oletools-0.60.1-1.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm and python-oletools-doc-0.60.1-1.{fc33,fc34,fc35,fc36,el7,el8,el8,amzn2}.x86_64.rpm -
Python-Oletools is a package of python tools from Philippe Lagadec to analyze Microsoft OLE2 files (also called
Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for
malware analysis, forensics and debugging.
It is based on the olefile parser.
mmc-utils-0.1-1.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
MMC-Utils is a tool for configuring MMC storage devices from userspace.
daq{,-devel,-modules}-3.0.7-1.{fc34,fc35,fc36,el8,el9}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
snort-3.1.30.0-1.{fc33,fc34,fc35,fc36,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
CERT-Forensics-Tools-1.0-101.{fc33,fc34,fc35,fc36,el7,el8,el9,amzn2}.x86_64.rpm -
The following packages were added:
python3-oletools
python-oletools-doc
mmc-utils
python3-certifi-2022.5.18.1-1.{fc33,el8}.noarch.rpm and python36-2022.5.18.1.8-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python{2,36}-psutil-5.9.1-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
python36-pyparsing-3.0.9-1.el7.noarch.rpm, python3-pyparsing-3.0.9-1.{el8,amzn2}.noarch.rpm, and pyparsing-doc-3.0.9-1.{el7,el8,amzn2}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
pfring-8.1.0-7470.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7470-7470.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3698.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc36-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.8-300 for FC36
5.17.9-300 for FC36
fmem-kernel-modules-fc36-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.8-300 for FC36
5.17.9-300 for FC36
lime-kernel-modules-fc35-x86_64-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.8-200 for FC35
5.17.9-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.8-200 for FC35
5.17.9-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.50.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.8-100 for FC34
5.17.9-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-50.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.8-100 for FC34
5.17.9-100 for FC34
fmem-kernel-modules-el9-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-80 for EL9
5.14.0-83 for EL9
5.14.0-85 for EL9
5.14.0-86 for EL9
5.14.0-92 for EL9
5.14.0-96 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-80 for EL9
5.14.0-83 for EL9
5.14.0-85 for EL9
5.14.0-86 for EL9
5.14.0-92 for EL9
5.14.0-96 for EL9
fmem-kernel-modules-el7-x86_64-1.6-1.86.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.66.1 for EL7
lime-kernel-modules-el7-x86_64-1.9.1-86.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.66.1 for EL7
May 18, 2022:
The following changes have been made:
zeek{,-btest,-btest-data,-core,ctl,-devel,-libcaf-devel,-zkg}-4.2.1-1.x86_64.rpm, and libbroker-devel-4.2.1-1.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
sleuthkit{,-devel,-libs}-4.11.1-2.1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
The only change was to update the revision number due to the release of revision 2 for Fedora 36.
pfring-8.1.0-7454.{el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-8.1.0-7443.el7.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7454-7454.{el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
pfring-dkms-8.1.0.7443-7443.el7.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3695.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.7-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.7-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.49.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.7-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-49.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.7-100 for FC34
Fedora 36 - The repository now supports Fedora 36 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 36:
fmem-kernel-modules-1.6-1.24.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 36 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-24.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 36 x86_64 architecture was added.
May 11, 2022:
The following changes have been made:
python3-redis-4.3.0-1.{fc33,el9}.noarch.rpm and python36-redis-4.3.0-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
pfring-8.1.0-7424.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7424-7424.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3689.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.6-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.6-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.48.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.6-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-48.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.6-100 for FC34
May 4, 2022:
The following changes have been made:
Volatility3-2.1.0-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-04-28.
python3-elasticsearch-7.17.3-1.{fc33,fc34,el8,amzn2}.x86_64.rpm and python36-elasticsearch-7.17.3-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-artifacts-20220429-1.{fc33,fc34,fc35,el8,el9,amzn2}.x86_64.rpm, python36-artifacts-20220429-1.el7.x86_64.rpm, and artifacts-data-20220429-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
libfsapfs{,-devel,-python3,-tools}-20220501-1.{fc33,fc34,fc35,el8,el9,amzn2,el8}.x86_64.rpm and libfsapfs{,-devel,-python36,-tools}-20220501-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
plaso-20220428-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
Note: For CentOS/RHEL 7, 8, and 9, and Amazon Linux 2, Plaso now runs in a Python virtual environment.
pfring-8.1.0-7410.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7410-7410.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3676.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.5-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.5-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.47.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.5-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-47.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.5-100 for FC34
April 27, 2022:
The following changes have been made:
bellsoft-jdk8u332+9-linux-amd64-full.rpm -
Bellsoft Java was installed for Fedora 33, 34, and 35, CentOS/RHEL 7, 8, and 9, and Amazon Linux 2.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
libfshfs{,-devel,-python3,-tools}-20220427-1.{fc33,fc34,fc35,el8,el9,amzn2}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20220427-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
pfring-8.1.0-7398.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7398-7398.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3666.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.4-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.4-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.46.noarch.rpm -
Support for the following kernels was added for Fmem:
5.17.4-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-46.noarch.rpm -
Support for the following kernels was added for LiME:
5.17.4-100 for FC34
April 20, 2022:
The following changes have been made:
python3-dfvfs-20220418-1.{fc33,fc34,fc35,el8,el9,amzn2}.noarch.rpm and python36-dfvfs-20220418-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfshfs{,-devel,-python3,-tools}-20220418-1.{fc33,fc34,fc35,el8,el9,amzn2}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20220418-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
python3-elasticsearch-7.17.2-1.{fc33,fc34,el8,amzn2}.x86_64.rpm and python36-elasticsearch-7.17.2-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
pfring-8.1.0-7382.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7382-7382.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3653.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.20-200 for FC35
5.16.19-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.20-200 for FC35
5.16.19-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.45.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.20-100 for FC34
5.16.19-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-45.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.20-100 for FC34
5.16.19-100 for FC34
fmem-kernel-modules-el9-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-77 for EL9
5.14.0-78 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-77 for EL9
5.14.0-78 for EL9
April 13, 2022:
The following changes have been made:
Volatility3-2.0.3-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-03-03.
libschemaTools{,-devel}-1.4-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
analysis-pipeline-5.11.4-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
pfring-8.1.0-7374.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.1.0.7374-7374.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.3.0-3645.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
libfixbuf{,-devel,-tools}-3.0.0.alpha1-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
These packages are installed in the forensics-test repository.
Please address any comments on these packages to netsa-help@cert.org.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-101.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
libschemaTools{,-devel}-1.4-2.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
python3-pyfixbuf-0.9.0-2.{fc33,fc34,fc35,el8,el9,amzn2}.x86_64.rpm and python36-pyfixbuf-0.9.0-2.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
analysis-pipeline-5.11.4-2.{fc33,fc34,fc35,el7,el9,amzn2}.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
super_mediator-2.0.0.alpha1-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for the list of changes.
This package is installed in the forensics-test repository.
This package was rebuilt to use libfixbuf 3.0.0.alpha1 and silk 3.19.2.
Please address any comments on these packages to netsa-help@cert.org.
yaf{,-devel}-3.0.0.alpha1-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7 and 8 systems, yaf has been built to use PF_Ring.
See here for the list of changes.
These packages are installed in the forensics-test repository.
These packages were rebuilt to use libfixbuf 3.0.0.alpha1.
Please address any comments on these packages to netsa-help@cert.org.
CERT-Forensics-Tools-1.0-100.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
The following packages were added:
crunch
docker-forensics-toolkit
KStrike
libfplist
libfwevt
libfwps
mtftar
pstotext
python3-pyfixbuf (python36-pyfixbuf for CentOS/RHEL 7)
VeraCrypt
videosnarf
wdpassport-utils
zeek
python3-semantic_version-2.8.4-8.{el9,amzn2}.noarch.rpm -
Semantic_Version for Python 3 is a library implementing the 'SemVer' scheme.
python3-gitdb-4.0.5-4.amzn2.noarch.rpm -
GitDB for Python 3 is a Git Object Database.
python3-smmap-3.0.1-6.amzn2.noarch.rpm -
SMMap for Python 3 is a sliding window memory map manager.
python3-GitPython-3.1.14-4.amzn2.noarch.rpm -
GitPython is a Git Library for Python3.
docker-forensics-toolkit-0.2.0-3.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
Docker Forensics Toolkit is a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
See this page for usage instructions.
This version fixes a packaging problem.
VeraCrypt-1.25.9-2.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux.
This release fixes a packing issue related to updating the icon cache.
snort-3.1.27.0-1.{fc33,fc34,fc35,el8,el9}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the list of changes.
fmem-kernel-modules-el7-x86_64-1.6-1.85.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.62.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-85.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.62.1 for EL7
April 6, 2022:
The following changes have been made:
VeraCrypt-1.25.9-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux.
VeraCrypt is based on TrueCrypt 7.1a.
wdpassport-utils-0.2-3.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
WDPassPort-Utils is a utility used to lock, unlock, and reset passwords on Western Digital's Passport drives.
This version was rebuilt to correctly set the permissions on the wdpassport-utils.py executable.
async-timeout-4.0.2-1.fc33.x86_64 -
Async-Timeout is an asyncio-compatible timeout context manager needed by redis.
python3-redis-4.2.2-1.{fc33,el9}.noarch.rpm and python36-redis-4.2.2-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
cert-forensics-tools-release-{2,7,8,9,33,34,35}-17.noarch.rpm -
cert-forensics-tools-release is the package
that connects a Fedora-, CentOS/RHEL-, and Amazon Linux-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to include a new key for the Splunk application.
To install this file and all other updates, do the following for CentOS/RHEL 7 and Amazon Linux 2:
sudo yum update cert-forensics-tools-release -y
sudo yum update -y
And for Fedora 33, 34, 35, and CentOS/RHEL 8 and 9, the following:
sudo dnf update cert-forensics-tools-release -y --refresh
sudo dnf update -y
The first command updates the cert-forensics-tools-release package which is signed with the old key and contains the new key.
The second command then updates the system, installing any updated packages that are now signed with the new key.
lime-kernel-modules-fc35-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.18-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.18-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.44.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.18-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-44.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.18-100 for FC34
fmem-kernel-modules-el9-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.0-73 for EL9
5.14.0-74 for EL9
5.14.0-75 for EL9
lime-kernel-modules-el9-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.0-73 for EL9
5.14.0-74 for EL9
5.14.0-75 for EL9
March 28, 2022:
The following changes have been made:
cert-forensics-tools-release-{2,7,8,9,33,34,35}-16.noarch.rpm -
cert-forensics-tools-release is the package
that connects a Fedora-, CentOS/RHEL-, and Amazon Linux-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to include a new Forensics team key (2025-03-24) which is also available here.
To install this file and all other updates, do the following for CentOS/RHEL 7 and Amazon Linux 2:
sudo yum update cert-forensics-tools-release -y
sudo yum update -y
And for Fedora 33, 34, 35, and CentOS/RHEL 8 and 9, the following:
sudo dnf update cert-forensics-tools-release -y --refresh
sudo dnf update -y
The first command updates the cert-forensics-tools-release package which is signed with the old key and contains the new key.
The second command then updates the system, installing any updated packages that are now signed with the new key.
wdpassport-utils-0.2-2.{fc33,fc34,fc35,el7,el8,el9,amzn2}.x86_64.rpm -
WDPassPort-Utils is a utility used to lock, unlock, and reset passwords on Western Digital's Passport drives.
This version was rebuilt to build the virtual environment at package build time rather than at package installation time.
ddrescueview-0.4.5-1.{fc33,fc34,fc35,el8}.x86_64.rpm -
Ddrescueview is a small tool that allows
the user to graphically examine ddrescue's log files in a user friendly GUI application.
The Main window displays a block grid with each block's color representing the block types it contains.
Many people know this type of view from defragmentation programs.
The program is written in Object Pascal using the Lazarus IDE.
opensearch-py-1.1.0-1.{fc33,fc34,fc35,el7,el8,el9,amzn2}.noarch.rpm -
OpenSearch-PY is a Python client for OpenSearch.
pfring-8.0.0-7340.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7340-7340.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3618.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.43.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.16-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-43.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.16-100 for FC34
March 23, 2022:
The following changes have been made:
foremost-1.5.7-27.{el7,el8}.x86_64.rpm -
Foremost is a console program to recover files based on their headers, footers, and internal data structures.
This process is commonly referred to as data carving.
Foremost can work on image files, such as those generated by dd, Safeback,
EnCase, etc, or directly on a drive.
The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types.
These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
Originally developed by the United States Air Force Office of Special Investigations and
the Center for Information Systems Security Studies and Research, foremost has been opened to the general public.
Send any comments, suggestions, patches, or feedback you have on this program to namikus@users.sf.net.
CentOS 9 - The repository now supports CentOS 9
for the x86_64 CPU architecture.
Here is the list of tools provided for CentOS 9:
fmem-kernel-modules-1.6-1.23.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for CentOS 9 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-23.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for CentOS 9 x86_64 architecture was added.
libfsext{,-devel,-python3,-tools}-20220319-1.{fc33,fc34,fc35,el8,el9,amzn2}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20220319-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
pfring-8.0.0-7328.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7328-7328.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3608.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.16-200 for FC35
5.16.15-201 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.16-200 for FC35
5.16.15-201 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.42.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.15-101 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-42.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.15-101 for FC34
fmem-kernel-modules-el8-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-373 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-33.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-373 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.84.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.59.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-84.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.59.1 for EL7
March 16, 2022:
The following changes have been made:
Volatility-2.6.1-8.{fc35,amzn2}.x86_64.rpm -
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version fixes some logic and coding errors in the vol.py script which is actually a BASH script that relies on a docker container
to run Volatility. You can find that docker container here.
This container means that Python 2 is no longer needed on the host.
python3-dfvfs-20220311-1.{fc33,fc34,fc35,el8,amzn2}.noarch.rpm and python36-dfvfs-20220311-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfshfs{,-devel,-python3,-tools}-20220313-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20220313-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
snort-3.1.21.0-1.{fc33,fc34,fc35,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
Snort version 3 has been moved to the production repository.
CERT-Forensics-Tools-1.0-99.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
The package snort-sample-rules is no longer automatically installed.
pfring-8.0.0-7324.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7324-7324.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3606.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.14-200 for FC35
5.16.13-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.14-200 for FC35
5.16.13-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.41.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.14-100 for FC34
5.16.13-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-41.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.14-100 for FC34
5.16.13-100 for FC34
March 9, 2022:
The following changes have been made:
libphdi{,-devel,-python3,-tools}-20220301-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libphdi{,-devel,-python36,-tools}-20220301-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
python3-xlsxwriter-3.0.3-1.amzn2.noarch.rpm and python36-xlsxwriter-3.0.3-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
Volatility3-2.0.2-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-03-03.
python3-pyfixbuf-0.9.0-1.{fc31,fc32,fc33,el8,amzn2}.x86_64.rpm and python36-pyfixbuf-0.9.0-1.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.2-2.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
Brim-0.28.0.rpm -
Brim is an open source desktop application for security and network specialists.
Brim makes it easy to search and analyze data from:
packet captures, like those created by Wireshark, and
structured logs, especially from the Zeek network analysis framework.
Brim is especially useful to security and network operators that need to handle large packet captures, especially those that are cumbersome for Wireshark, tshark, or other packet analyzers.
pfring-8.0.0-7280.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7280-7280.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3575.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.12-200 for FC35
5.16.11-200 for FC35
5.16.10-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.12-200 for FC35
5.16.11-200 for FC35
5.16.10-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.12-100 for FC34
5.16.11-100 for FC34
5.16.10-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-40.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.12-100 for FC34
5.16.11-100 for FC34
5.16.10-100 for FC34
February 23, 2022:
The following changes have been made:
libfsext{,-devel,-python3,-tools}-20220216-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20220112-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
python3-dtfabric-20220219-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and python36-dtfabric-20220219-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
python3-artifacts-20220219-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm, python36-artifacts-20220219-1.el7.x86_64.rpm, and artifacts-data-20220219-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
libfsntfs{,-devel,-python3}-20220220-2.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libfsntfs{,-devel,-python36}-20220220-2.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
pfring-8.0.0-7272.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7272-7272.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3567.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.9-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.9-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.9-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.9-100 for FC34
February 16, 2022:
The following changes have been made:
aff{lib,lib-devel,tools}-3.7.19-1.el8.x86_64.rpm -
Afflib is the library and tools to manipulate files using the Advanced Forensic Format.
adns{,-devel,-progs}-1.6.0-5.{el8,amzn2}.x86_64.rpm -
ADNS is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities.
xmount-0.7.6-9.{el8,amzn2}.x86_64.rpm -
Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types.
python3-dtfabric-20220213-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and python36-dtfabric-20220213-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
pfring-8.0.0-7269.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7269-7269.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3564.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
python3-redis-4.1.4-1.fc33.noarch.rpm and python36-redis-4.1.4-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
lime-kernel-modules-fc35-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.8-200 for FC35
5.16.7-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.8-200 for FC35
5.16.7-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.8-100 for FC34
5.16.7-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.8-100 for FC34
5.16.7-100 for FC34
fmem-kernel-modules-el8-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-365 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-365 for EL8
February 9, 2022:
The following changes have been made:
snort-3.1.21.0-1.{fc33,fc34,fc35,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
python3-redis-4.1.3-1.fc33.noarch.rpm and python36-redis-4.1.3-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
pfring-8.0.0-7252.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7252-7252.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.2.0-3547.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.5-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.5-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.16.5-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.16.5-100 for FC34
February 2, 2022:
The following changes have been made:
bellsoft-java8-full-1.8.0.322+6.x86_64.rpm -
Bellsoft Java
was installed for Fedora 33, 34, and 35, CentOS/RHEL 7 and 8, and Amazon Linux 2.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
hachoir-3.1.2-3.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Hachoir is a Python library to view and edit a binary stream field by field.
In other words, Hachoir allows you to "browse" any binary stream just like you browse directories and files.
A file is split into a tree of fields, where the smallest field is just one bit.
Examples of field types: integers, strings, bits, padding types, floats, etc.
Hachoir is the French word for a meat grinder (meat mincer), which is used by butchers to divide meat into long tubes;
Hachoir is used by computer butchers to divide binary files into fields.
The only changes in this version are packaging changes: the virtual environment version (Amazon Linux 2) and the non-virtual environment version (all others) were homogenized into a single SPEC file.
Volatility3-2.0.0-3.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-01-26.
ghidra-10.1.2_PUBLIC_20220125.1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements
here.
zeek{,-btest,-btest-data,-core,ctl,-devel,-libcaf-devel,-zkg}-4.2.0-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm, and libbroker-devel-4.2.0-1.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
python3-dtfabric-20220130-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and python36-dtfabric-20220130-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures,
as used in the libyal projects.
python3-dfvfs-20220127-1.{fc33,fc34,fc35,el8,amzn2}.noarch.rpm and python36-dfvfs-20220127-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libphdi{,-devel,-python3,-tools}-20220110-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libphdi{,-devel,-python36,-tools}-20220110-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
python3-redis-4.1.2-1.fc33.noarch.rpm and python36-redis-4.1.2-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
python3-dfdatetime-20220131-1.{fc33,fc34,fc35,el8,amzn2}.noarch.rpm and python36-dfdatetime-20220131-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
plaso-20220129-3.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
Note: For CentOS/RHEL 7 and 8 and Amazon Linux 2, Plaso now runs in a Python virtual environment.
libregf{,-devel,-python3,-tools}-20220131-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libregf{,-devel,-python36,-tools}-20220131-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access Windows Registry files.
python3-elasticsearch-7.17.0-1.{fc33,fc34,el8,amzn2}.x86_64.rpm and python36-elasticsearch-7.17.0-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
pfring-8.0.0-7227.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7227-7227.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3527.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.18-200 for FC35
5.15.17-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.18-200 for FC35
5.15.17-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.18-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.18-100 for FC34
January 26, 2022:
The following changes have been made:
Amazon Linux 2 - The following packages were removed from the Amazon Linux 2 repository because they were built by accident.
In most cases, these packages are available from the Extra Packages for Enterprise Linux (EPEL) repository.
hachoir-3.1.2-2.amzn2.noarch.rpm -
Hachoir is a Python library to view and edit a binary stream field by field.
In other words, Hachoir allows you to "browse" any binary stream just like you browse directories and files.
A file is split into a tree of fields, where the smallest field is just one bit.
Examples of field types: integers, strings, bits, padding types, floats, etc.
Hachoir is the French word for a meat grinder (meat mincer), which is used by butchers to divide meat into long tubes;
Hachoir is used by computer butchers to divide binary files into fields.
Notes:
In this version, these tools are all available: hachoir-grep, hachoir-metadata, hachoir-strip,
hachoir-urwid, and hachoir-wx.
As such, the previous packages where these tools were packaged separately are obsoleted.
This version fixes an error that prevented all of the available tools from appearing in the /usr/bin directory.
libfvde{,-devel,-python3,-tools}-20220125-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libfvde{,-devel,-python36,-tools}-20220125-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
plaso-20211229-3.{fc33,fc34,fc35,el7,el8,amzn2}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This release removes the version restriction on the pyparsing package.
Note: For CentOS/RHEL 7 and 8 and Amazon Linux 2, Plaso now runs in a Python virtual environment.
python36-pyparsing-3.0.7-1.el7.noarch.rpm, python3-pyparsing-3.0.7-1.{el8,amzn2}.noarch.rpm, and pyparsing-doc-3.0.7-1.{el7,el8,amzn2}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
libbde{,-devel,-python3,-tools}-20220121-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libbde{,-devel,-python36,-tools}-20220121-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libfwsi{,-devel,-python3}-20220123-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libfwsi{,-devel,-python36}-20220123-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
python3-dtfabric-20220126-1.{fc33,fc34,fc35,amzn2,el8}.x86_64.rpm and python36-dtfabric-20220126-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures,
as used in the libyal projects.
libsigscan{,-devel,-python3}-20220124-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libsigscan{,-devel,-python36}-20220124-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libluksde{,-devel,-python3,-tools}-20220121-1.{fc33,fc34,fc35,el8,amzn2}.x86_64.rpm and libluksde{,-devel,-python36,-tools}-20220121-1.el7.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
pfring-8.0.0-7207.{el7,el8,amzn2}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7207-7207.{el7,el8,amzn2}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3509.{el7,el8,amzn2}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.16-200 for FC35
5.15.15-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.16-200 for FC35
5.15.15-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.16-100 for FC34
5.15.15-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.16-100 for FC34
5.15.15-100 for FC34
January 19, 2022:
The following changes have been made:
libfsext{,-devel,-python3,-tools}-20220112-1.{fc33,fc34,fc35,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20220112-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libfsxfs{,-devel,-python3,-static,-tools}-20220113-1.{fc33,fc34,fc35,el8}.x86_64.rpm and libfsxfs{,-devel,-python36,-static,-tools}-20220113-1.el7.x86_64.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
libfshfs{,-devel,-python3,-tools}-20220115-1.{fc33,fc34,fc35,el8}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20220115-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
snort-3.1.20.0-1.{fc33,fc34,fc35,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
python3-elasticsearch-7.16.3-1.{fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.16.3-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Volatility3-mac-symbols-20200601-1.noarch.rpm -
These three packages are the kernel symbol table files needed by Volatility 3
to correctly interpret information in various MacOS kernels.
python3-redis-4.1.1-1.fc33.noarch.rpm and python36-redis-4.1.1-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
lime-kernel-modules-fc35-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.14-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.14-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.14-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.14-100 for FC34
fmem-kernel-modules-el8-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-358 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-31.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-358 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.83.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.53.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-83.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.53.1 for EL7
Amazon Linux 2 - The repository now supports Amazon Linux 2
for the x86_64 CPU architecture.
Here is the list of tools provided for Amazon Linux 2:
January 12, 2022:
The following changes have been made:
Volatility3-2.0.0-2.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is patched as of 2022-01-05.
python36-requests-2.27.1-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
pfring-8.0.0-7172.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7172-7172.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3475.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.13-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.13-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.13-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.13-100 for FC34
January 5, 2022:
The following changes have been made:
libfsntfs{,-devel,-python3}-20211229-2.{fc33,fc34,fc35,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20211229-2.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
opensearch-py-1.0.0-1.{fc33,fc34,fc35,el7,el8}.noarch.rpm -
OpenSearch-PY is a Python client for OpenSearch.
plaso-20211229-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
Note: For CentOS/RHEL 7 and 8, Plaso now runs in a Python virtual environment.
python{2,36}-psutil-5.9.0-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
mac_apt-1.4.3.dev-3.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines)
and extract data/metadata useful for forensic investigation.
It is a Python-based framework, which has plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
This package is based on the 2022-01-04 version of the code.
hindsight-2021.12-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Hindsight is a free tool for analyzing web artifacts.
It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications.
Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords,
preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).
Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
lime-kernel-modules-fc35-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.12-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.12-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.12-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.12-100 for FC34
fmem-kernel-modules-el8-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-348.7.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-30.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-348.7.1 for EL8
December 29, 2021:
The following changes have been made:
python3-dfdatetime-20211228-1.{fc33,fc34,fc35,el8}.noarch.rpm and python36-dfdatetime-20211225-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
python3-dfvfs-20211228-1.{fc33,fc34,fc35,el8}.noarch.rpm and python36-dfvfs-20211224-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
bulk_extractor-2.0.0.beta3-1.{,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This is the development version for 2.0.0.
Note: These packages have been installed in the forensics-test repository.
exfat-utils-1.3.0-2.{fc33,fc34,fc35,el7,cl8}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
This version was rebuilt to remove the obsoletes directives for exfatprogs and fuse-exfat.
This means that the installer must select the appropriate version for their system if not installing with the CERT-Forensics-Tools meta package.
ghidra-10.1.1-PUBLIC_20211221.1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements
here.
This release fixes a log4j vulnerability.
python3-elasticsearch-7.16.2-1.{fc33,fc34,fc35,el8}.x86_64.rpm and python36-elasticsearch-7.16.2-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-packaging-21.3-1.fc33.x86_64.rpm and python36-packaging-21.3-1.el7.x86_64.rpm -
Packaging is a library that provides utilities that implement the interoperability specifications which have clearly one correct behaviour (eg: PEP 440)
or benefit greatly from having a single shared implementation (eg: PEP 425).
python3-redis-4.1.0-1.fc33.noarch.rpm and python36-redis-4.1.0-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
VeraCrypt-1.25.4-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux.
VeraCrypt is based on TrueCrypt 7.1a.
lime-kernel-modules-fc35-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.11-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.11-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.11-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.11-100 for FC34
December 22, 2021:
The following changes have been made:
python3-dfdatetime-20211222-1.{fc33,fc34,fc35,el8}.noarch.rpm and python36-dfdatetime-20211222-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
pfring-8.0.0-7150.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7150-7150.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-X3460.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.10-200 for FC35
5.15.8-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.10-200 for FC35
5.15.8-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.10-100 for FC34
5.15.8-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.10-100 for FC34
5.15.8-100 for FC34
December 15, 2021:
The following changes have been made:
plaso-20211024-2.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
Note: For CentOS/RHEL 7 and 8, Plaso now runs in a Python virtual environment.
The Fedora version is unchanged in this release.
python3-elasticsearch-7.16.1-1.{fc33,fc34,fc35,el8}.x86_64.rpm and python36-elasticsearch-7.16.1-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
ghidra-10.1-PUBLIC_20211210.1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements
here.
pfring-8.0.0-7140.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7140-7140.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3453.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.7-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.7-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.7-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.7-100 for FC34
December 10, 2021:
The following changes have been made:
python3-artifacts-20211205-1.{fc33,fc34,fc35,el8}.x86_64.rpm, python36-artifacts-20211205-1.el7.x86_64.rpm, and artifacts-data-20211205-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
snort-2.9.19-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
snort-sample-rules-2.9.19-1.{fc33,fc34,fc35,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.19-1.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
python3-dfwinreg-20211207-1.{fc33,fc34,fc35,el8}.x86_64.rpm and python36-dfwinreg-20211207-1.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
python3-elasticsearch-7.16.0-1.{fc33,fc34,fc35,el8}.x86_64.rpm and python36-elasticsearch-7.16.0-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
snort-3.1.18.0-1.{fc33,fc34,fc35,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
pfring-8.0.0-7115.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7115-7115.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3441.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
CERT-Forensics-Tools-1.0-98.{fc33,fc34,fc35,el7,el8}.x86_64.rpm -
This release removes exfat-utils and replaces it with exfatprogs.
lime-kernel-modules-fc35-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.6-200 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.6-200 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.6-100 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.6-100 for FC34
fmem-kernel-modules-el7-x86_64-1.6-1.82.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.49.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-82.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.49.1 for EL7
December 1, 2021:
The following changes have been made:
mac_apt-1.4.3.dev-2.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation.
It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
This package fixes a scripting error for each provided command.
snort-3.1.17.0-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
veracrypt-1.24.7-2.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
VeraCrypt is free, open-source disk encryption software for Windows, Mac OS X and Linux.
VeraCrypt is based on TrueCrypt 7.1a.
This release was rebuilt to include larger and easier to see icons.
python36-lz4-3.1.10-1.el7.x86_64.rpm -
python-lz4 provides the Python bindings for the LZ4 compression library.
python3-redis-4.0.2-1.{fc32,fc33}.noarch.rpm and python36-redis-4.0.2-1.el7.noarch.rpm -
python-redis is the Python interface to the Redis key-value store.
pfring-8.0.0-7106.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7106-7106.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3432.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-fc35-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.5-200 for FC35
5.15.4-201 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.5-200 for FC35
5.15.4-201 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.15.5-100 for FC34
5.15.4-101 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.15.5-100 for FC34
5.15.4-101 for FC34
Fedora 32 - Updates to Fedora 32 for the x86_64 CPU architecture have ceased.
November 19, 2021:
The following changes have been made:
python3-elasticsearch-7.15.2-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and python36-elasticsearch-7.15.2-1.el7.x86_64.rpm -
This package is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-pytsk3-20211111-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and python36-pytsk3-20211111-1.el7.x86_64.rpm -
pytsk3 provides Python bindings for The Sleuth Kit.
sleuthkit{,-devel,-libs}-4.11.1-1.1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
autopsy-4.19.2-1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 32 through 35 and CentOS 7 and 8 for the x86_64 architecture using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run Autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the xrdp server if necessary (adjust the host's firewall to allow RDP connections), set the depth parameter, and start or restart xrdp:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
mac_apt-1.4.3.dev-1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation.
It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
Here is a list of features:
Cross platform (no dependency on pyobjc)
Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression), SPARSEIMAGE & mounted images
XLSX, CSV, TSV, Sqlite outputs
Analyzed files/artifacts are exported for later review
zlib, lzvn, lzfse compressed files are supported!
Native HFS & APFS parser
Reads the Spotlight database and Unified Logging (tracev3) files
And here is the new functionality added in this release:
Can read Axiom created targeted collection zip files
ios_apt can read GrayKey extracted file system
Can read RECON created .sparseimage files
Support for macOS Big Sur Sealed volumes (11.0)
Introducing ios_apt for processing iOS/ipadOS images
FAST mode ⏳
Encrypted 🔒 APFS images can now be processed using password/recovery-key 🔑
macOS Catalina (10.15+) separately mounted SYSTEM & DATA volumes now supported
AFF4 images (including macquisition created) are supported
python3-dfvfs-20211107-1.{fc32,fc33,fc34,fc35,el8}.noarch.rpm and python36-dfvfs-20211107-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-dfdatetime-20211113-1.{fc32,fc33,fc34,fc35,el8}.noarch.rpm and python36-dfdatetime-20211113-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
libvshadow{,-devel,-python3,-tools}-20211114-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and libvshadow{,-devel,-python36,-tools}-20211114-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
python3-redis-4.0.1-1.{fc32,fc33}.noarch.rpm and python36-redis-4.0.1-1.el7.noarch.rpm -
python-redis is the Python interface to the Redis key-value store.
libvsgpt{,-devel,-python3,-tools}-20211115.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and libvsgpt{,-devel,-python36,-tools}-20211115.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
pfring-8.0.0-7094.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7094-7094.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3423.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
bulk_extractor-1.6.0-4.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
Note 1: This version was built with the expat-devel library to facilitate restarting bulk_extractor.
bulk_extractor-2.0.0.dev-2.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This is the development version for 2.0.0.
Note 1: These packages have been installed in the forensics-test repository.
Note 2: This version was built with the expat-devel library to facilitate restarting bulk_extractor.
lime-kernel-modules-fc35-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.18-300 for FC35
5.14.17-301 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.18-300 for FC35
5.14.17-301 for FC35
fmem-kernel-modules-fc34-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.18-200 for FC34
5.14.17-201 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.18-200 for FC34
5.14.17-201 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.46.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.18-100 for FC33
5.14.17-101 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-46.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.18-100 for FC33
5.14.17-101 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-348.2.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-29.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-348.2.1 for EL8
November 10, 2021:
The following changes have been made:
python36-xlsxwriter-3.0.2-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
zeek{,-btest,-btest-data,-core,ctl,-devel,-libcaf-devel,-zkg}-4.1.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm, and libbroker-devel-4.1.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
snort-3.1.16.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
fuse-python{2,3}-1.0.4-1.{fc32,fc33,fc34}.x86_64.rpm -
Fuse-Python is a Python interface to libfuse, a simple interface for userspace programs to export a virtual filesystem to the Linux kernel.
guymager-0.8.12-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
python{2,3}-pycparser-2.21-1.el8.noarch.rpm -
pycparser is a complete C99 parser written in pure Python.
rifiuti2-0.7.0-20.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.
This package was updated to avoid a conflict with the rifiuti package.
python3-artifacts-20211107-1.{fc32,fc33,fc34,el8}.x86_64.rpm, python36-artifacts-20211107-1.el7.x86_64.rpm, and artifacts-data-20211107-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
pfring-8.0.0-7085.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7085-7085.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3415.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
CERT-Forensics-Tools-1.0-97.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
This release removes the following tools from Fedora 35 only; all other releases are unchanged:
binplist
shellbags
vinetto
Volatility-community-plugins
In addition, the Volatility application has been replaced by a Docker container based on Alpine Linux 3.10.
The volatility, vol, and vol.py programs have been replaced by a script that manages this container.
Please address any unexpected behavior or requests for improvements and enhancements to
fmem-kernel-modules-fc34-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.16-201 for FC34
5.14.15-200 for FC34
5.14.14-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.16-201 for FC34
5.14.15-200 for FC34
5.14.14-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.45.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.16-101 for FC33
5.14.15-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-45.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.16-101 for FC33
5.14.15-100 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-305.25.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-28.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-305.25.1 for EL8
Fedora 35 - The repository now supports Fedora 35
for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 35:
fmem-kernel-modules-1.6-1.22.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 35 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-22.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 35 x86_64 architecture was added.
lime-kernel-modules-fc35-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.16-301 for FC35
fmem-kernel-modules-fc35-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.16-301 for FC35
October 29, 2021:
The following changes have been made:
Volatility3-2.0.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
libfsntfs{,-devel,-python3}-20211023-2.{fc32,fc33,fc34,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20211023-2.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python36-pyparsing-3.0.0-2.el7.noarch.rpm, python3-pyparsing-3.0.0-2.el8.noarch.rpm, and pyparsing-doc-3.0.0-2.{el7,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
Note: based on the requirements of Plaso, versions of pyparsing newer than version 3.0.0 need to be removed and 3.0.0 installed as described below:
yaf{,-devel}-2.12.2-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dump files as generated by tcpdump(1), from live capture on an interface using pcap(3), from an Endace DAG capture device, or from a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7 and 8 for the x86_64 architecture, yaf has been built to use PF_Ring.
plaso-20211024-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus Plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
ghidra-10.0.4-PUBLIC_20210928.1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
pfring-8.0.0-7059.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7059-7059.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3399.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.13-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.13-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.44.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.13-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-44.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.13-100 for FC33
bellsoft-java8-full-1.8.0.312-1+7.x86_64.rpm -
Bellsoft Java was installed for Fedora 32, 33, and 34 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
fmem-kernel-modules-el8-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-348 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-348 for EL8
October 20, 2021:
The following changes have been made:
python{2,3}-cffi-1.15.0-1.el8.x86_64.rpm and cffi-doc-1.15.0-1.el8.noarch.rpm -
Python-CFFI is a C Foreign Function Interface for Python.
Interact with almost any C code from Python, based on C-like declarations that you can often copy-paste from header files or documentation.
python3-elasticsearch-7.15.1-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.15.1-1.el7.x86_64.rpm -
This package is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-dfvfs-20211017-1.{fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20211017-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
KStrike-20210624-1.{fc32,fc33,fc34,el7,el8}.noarch.rpm -
KStrike is a stand-alone parser for User Access Logging from Server 2012 and newer systems.
pfring-8.0.0-7045.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7045-7045.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3390.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.12-200 for FC34
5.14.11-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.12-200 for FC34
5.14.11-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.43.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.12-100 for FC33
5.14.11-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-43.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.12-100 for FC33
5.14.11-100 for FC33
fmem-kernel-modules-el7-x86_64-1.6-1.81.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.45.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-81.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.45.1 for EL7
October 13, 2021:
The following changes have been made:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-5.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This package was rebuilt to use Python 3 instead of Python 2.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-6.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt to use Python 3 instead of Python 2.
python3-artifacts-20211012-1.{fc32,fc33,fc34,el8}.x86_64.rpm, python36-artifacts-20211012-1.el7.x86_64.rpm, and artifacts-data-20211003-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
python3-certifi-2021.10.8-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-certifi-2021.10.8-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
analyzeMFT-3.0.0-1.{fc32,fc33,fc34,el7,el8}.{i686,x86_64}.rpm -
AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
See here for the changes since the previously installed version 2.0.19.1.
Note: This version uses Python 3.
python3-idna-3.3-1.el8.noarch.rpm and python36-idna-3.3-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891.
pfring-8.0.0-7003.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.7003-7003.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3370.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.10-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.10-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.42.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.10-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-42.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.10-100 for FC33
October 6, 2021:
The following changes have been made:
bulk_extractor-2.0.0.dev-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This is the development version for 2.0.0.
Note that these packages have been installed in the forensics-test repository.
bulk-reviewer-0.3.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Bulk Reviewer is an Electron desktop application that aids in identification, review, and removal of sensitive files in directories and disk images.
Bulk Reviewer scans directories and disk images for personally identifiable information (PII) and other sensitive information using bulk_extractor, a best-in-class digital forensics tool.
The desktop application enables users to configure, start, and review scans; generate CSV reports of features found; and export sets of files (either those free of sensitive information,
or those with PII that should be restricted or run though redaction software).
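The feature files that the bulk_extractor entries above and Bulk Reviewer's reports are built from are plain tab-separated text, which makes them easy to post-process without either tool. The following Python is an added example, not code from the bulk_extractor or Bulk Reviewer projects: it parses the offset/feature/context lines of a feature file (skipping the '#' header), recognises forensic-path offsets such as 81920-ZIP-512 that mark features recovered from inside a decoded container rather than from the raw image, and rebuilds the most-common-first histogram that bulk_extractor writes as <name>_histogram.txt. The email feature lines are constructed sample data, not output from a real image.

```python
"""Parse bulk_extractor feature files and rebuild their histograms.

Added example; not code from the bulk_extractor or Bulk Reviewer projects.
The feature lines below are constructed to look like an email.txt
feature file written by bulk_extractor 1.6.
"""
import re
from collections import Counter

# Constructed sample input. Each non-comment line is
# <offset>\t<feature>\t<context>; non-printable bytes in the context are
# escaped as \xNN by bulk_extractor. A forensic-path offset such as
# "81920-ZIP-512" means: 512 bytes into the data produced by the ZIP
# decoder applied at byte 81920 of the image.
SAMPLE_EMAIL_TXT = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.6.0
# Feature-Recorder: email
# Filename: evidence.E01
# Feature-File-Version: 1.1
4096\talice@example.com\tFrom: alice@example.com\\x0aTo: bob
8192\tbob@example.com\tTo: bob@example.com\\x0d\\x0a
81920-ZIP-512\talice@example.com\tReply-To: alice@example.com
81920-ZIP-640\tcarol@example.net\tcc: carol@example.net
123456\tALICE@EXAMPLE.COM\tmailto:ALICE@EXAMPLE.COM
"""

# image offset, followed by zero or more "-DECODER-offset" hops
_FORENSIC_PATH = re.compile(r"^(\d+)((?:-[A-Z0-9]+-\d+)*)$")


def parse_features(text):
    """Yield (offset, feature, context) tuples; '#' header lines and blank
    lines are skipped, and a missing context column becomes ''."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed line; a feature file always has >= 2 columns
        context = parts[2] if len(parts) > 2 else ""
        yield parts[0], parts[1], context


def is_embedded(offset):
    """True when the forensic path passes through at least one decoder
    (ZIP, GZIP, BASE64, ...), i.e. the feature was not visible in the raw image."""
    m = _FORENSIC_PATH.match(offset)
    return bool(m and m.group(2))


def histogram(text, case_insensitive=True):
    """Return [(feature, count), ...] most common first, ties alphabetical,
    mirroring the n=COUNT<TAB>FEATURE lines of <name>_histogram.txt.
    Features are case-folded by default, which is what you want for email."""
    counts = Counter()
    for _, feature, _ in parse_features(text):
        counts[feature.lower() if case_insensitive else feature] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def embedded_features(text):
    """(offset, feature) pairs recovered from inside decoded containers;
    these are the hits a plain file-system walk would have missed."""
    return [(o, f) for o, f, _ in parse_features(text) if is_embedded(o)]


if __name__ == "__main__":
    for feature, n in histogram(SAMPLE_EMAIL_TXT):
        print(f"n={n}\t{feature}")
    for offset, feature in embedded_features(SAMPLE_EMAIL_TXT):
        print(f"embedded: {feature} at {offset}")
```

Pointing parse_features() at a real email.txt, url.txt or ccn.txt from a bulk_extractor output directory works the same way; the embedded_features() list is usually the first thing to review, since those hits come from archives and encoded blobs that ordinary keyword tools do not open.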
EVTXtract-0.2.3-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
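As an added illustration of the recovery EVTXtract performs (example code, not EVTXtract's own), the Python below carves EVTX chunks out of a raw byte buffer: it scans for the ElfChnk\0 chunk signature, verifies the chunk-header CRC32 (computed over bytes 0-120 and 128-512 of the chunk, per the published EVTX layout) and the event-records CRC32, and then walks the 0x2a2a event-record headers to recover record identifiers, FILETIME timestamps and the BinXML payload even when the chunk header itself is damaged. The two chunks in the buffer, one intact and one with a corrupted header, are constructed inside the script, so it runs without any real log data.

```python
"""Carve EVTX chunks and event-record headers from raw bytes.

Added example, not EVTXtract's code. The chunk and record layout follows
the published EVTX format (as documented for libevtx); the chunks are
constructed below so the script runs without any real log data.
"""
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"
CHUNK_SIZE = 0x10000                 # every EVTX chunk is 64 KiB
RECORD_MAGIC = b"\x2a\x2a\x00\x00"   # event record signature
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - _FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def chunk_header_crc(chunk):
    """The header checksum covers bytes 0-120 and 128-512; the checksum
    field itself (at 124) and the bytes at 120-124 are skipped."""
    return zlib.crc32(chunk[:120] + chunk[128:512]) & 0xFFFFFFFF


def build_chunk(records):
    """Constructed test data: one 64 KiB chunk holding (record_id, filetime,
    payload) records from offset 512, with valid header and record CRCs."""
    body = b""
    last_off = 512
    for rec_id, ft, payload in records:
        size = 24 + len(payload) + 4        # header + BinXML payload + size trailer
        last_off = 512 + len(body)
        body += RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)
    free_off = 512 + len(body)
    hdr = bytearray(512)
    hdr[0:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQIIII", hdr, 8,
                     records[0][0], records[-1][0],   # first/last record number
                     records[0][0], records[-1][0],   # first/last record identifier
                     128, last_off, free_off, zlib.crc32(body) & 0xFFFFFFFF)
    struct.pack_into("<I", hdr, 124, chunk_header_crc(hdr))
    chunk = bytes(hdr) + body
    return chunk + b"\x00" * (CHUNK_SIZE - len(chunk))


def carve_chunks(raw):
    """Find every ElfChnk signature and report whether its header and its
    event-record area verify. A damaged header does not stop record recovery."""
    found = []
    pos = raw.find(CHUNK_MAGIC)
    while pos != -1:
        chunk = raw[pos:pos + CHUNK_SIZE]
        if len(chunk) >= 512:
            (_, _, first_id, last_id, _hdr_size,
             _last_off, free_off, rec_crc) = struct.unpack_from("<QQQQIIII", chunk, 8)
            stored_crc = struct.unpack_from("<I", chunk, 124)[0]
            records_ok = (512 <= free_off <= len(chunk)
                          and rec_crc == (zlib.crc32(chunk[512:free_off]) & 0xFFFFFFFF))
            found.append({"offset": pos, "first_record": first_id, "last_record": last_id,
                          "header_ok": stored_crc == chunk_header_crc(chunk),
                          "records_ok": records_ok})
        pos = raw.find(CHUNK_MAGIC, pos + 1)
    return found


def walk_records(chunk):
    """Walk 0x2a2a record headers from offset 512, stopping at the first
    record whose size trailer does not match (truncated or overwritten).
    Returns (record_id, written_time, payload) tuples."""
    recs = []
    off = 512
    while off + 28 <= len(chunk) and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, ft = struct.unpack_from("<IQQ", chunk, off + 4)
        if size < 28 or off + size > len(chunk):
            break
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break
        recs.append((rec_id, filetime_to_datetime(ft), chunk[off + 24:off + size - 4]))
        off += size
    return recs


# Constructed raw buffer: padding, an intact chunk, junk, then a copy of
# the same chunk with one header field corrupted.
_T0 = datetime(2021, 10, 6, 12, 0, 0, tzinfo=timezone.utc)
GOOD_CHUNK = build_chunk([
    (1, datetime_to_filetime(_T0), b"<Event>1</Event>"),
    (2, datetime_to_filetime(_T0 + timedelta(seconds=30)), b"<Event>2</Event>"),
])
_damaged = bytearray(GOOD_CHUNK)
_damaged[16] ^= 0xFF                   # clobber "last record number" in the header
RAW_IMAGE = b"\x00" * 1000 + GOOD_CHUNK + b"\xff" * 300 + bytes(_damaged)

if __name__ == "__main__":
    for c in carve_chunks(RAW_IMAGE):
        print(f"chunk @ {c['offset']}: header_ok={c['header_ok']} records_ok={c['records_ok']}")
        for rec_id, when, payload in walk_records(RAW_IMAGE[c["offset"]:c["offset"] + CHUNK_SIZE]):
            print(f"  record {rec_id} written {when.isoformat()} {payload!r}")
```

On a real memory image or unallocated-space dump you would feed carve_chunks() the raw bytes (or an mmap of the file); the payload returned by walk_records() is still BinXML and needs the chunk's string and template tables to render, which is the part EVTXtract reconstructs when those tables are also missing.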
CERT-Forensics-Tools-1.0-96.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This release does the following:
Added bulk-reviewer for all except CentOS/RHEL 7.
Added EVTXtract.
fmem-kernel-modules-fc34-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.9-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.9-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.41.noarch.rpm -
Support for the following kernels was added for Fmem:
5.14.9-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-41.noarch.rpm -
Support for the following kernels was added for LiME:
5.14.9-100 for FC33
September 29, 2021:
The following changes have been made:
python3-elasticsearch-7.15.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.15.0-1.el7.x86_64.rpm -
This package is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-dfvfs-202100918-1.{fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-202100918-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-pyxattr-0.7.2-1.{fc32,fc33,el8}.noarch.rpm and python36-pyxattr-0.7.2-1.el7.noarch.rpm -
PYXattr is a C extension module for Python which implements extended attributes manipulation. It is a wrapper on top of the attr C library - see attr(5).
Volatility3-1.2.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
snort-3.1.13.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
pfring-8.0.0-6952.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6952-6952.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3344.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.19-200 for FC34
5.13.16-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.19-200 for FC34
5.13.16-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.19-100 for FC33
5.13.16-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-40.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.19-100 for FC33
5.13.16-100 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-305.19.1 for EL8
4.18.0-305.17.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-305.19.1 for EL8
4.18.0-305.17.1 for EL8
September 15, 2021:
The following changes have been made:
daq{,-devel,-modules}-3.0.5-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Note that these packages have been installed in the forensics-test repository.
snort-3.1.12.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
wdpassport-utils-0.2-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
WDPassPort-Utils is a utility used to lock, unlock, and reset passwords on Western Digital's Passport drives.
qtmltfs-noscripts-2.4.0.2-2.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
QTMLTFS (Quantum Linear Tape File System) enables standard file operations on LTO-5 and LTO-6 tape media.
This package differs from qtmltfs in that there are no %pre or %post scripts, eliminating the /bin/sh dependency and making this package more suitable for building spins.
pfring-8.0.0-6892.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6892-6892.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3311.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.15-200 for FC34
5.13.14-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.15-200 for FC34
5.13.14-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.15-100 for FC33
5.13.14-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.15-100 for FC33
5.13.14-100 for FC33
fmem-kernel-modules-el7-x86_64-1.6-1.80.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.42.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-80.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.42.2 for EL7
September 8, 2021:
The following changes have been made:
snort-2.9.18.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
snort-sample-rules-2.9.18.1-1.{fc32,fc33,fc34,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.18.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
python3-elasticsearch-7.14.1-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.14.1-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python{2,3}-pefile-2021.9.3-1.{fc32,fc33,fc34,el8}.noarch.rpm and python{2,36}-pefile-2021.9.3-1.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
veracrypt-1.24.7-2.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux.
VeraCrypt is based on TrueCrypt 7.1a.
This release is patched as of 2021-09-05.
libfwnt{,-devel,-python3,-tools}-20210906-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libfwnt{,-devel,-python36,-tools}-20210906-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
pfring-8.0.0-6874.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6874-6874.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3308.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.13-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.13-200 for FC34
September 1, 2021:
The following changes have been made:
pfring-8.0.0-6862.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6862-6862.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3307.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-el8-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-338 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-25.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-338 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.79.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.41.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-79.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.41.1 for EL7
August 25, 2021:
The following changes have been made:
xplico-1.2.2-3.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
xplico is an Internet traffic decoder.
Note: due to issues related to the version of PHP, the versions for Fedora and CentOS/RHEL 8 now use a Docker container based on Ubuntu 18.04.
To use this version, run the /usr/bin/xplico script and address the issues that the script highlights.
Specifically, some additional adjustments may need to be made.
Here are some of the issues:
Fedora 32: If you see the error related to CGroups, follow the steps here.
Fedora 33: If you see the error related to CGroups, follow the steps here.
Volatility3-1.2.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
ghidra-10.0.2-PUBLIC_20210804.1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
python2-yara-4.1.2-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
pfring-8.0.0-6835.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6835-6835.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3305.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.12-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.12-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.12-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.12-100 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-331 for EL8
4.18.0-305.12.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-331 for EL8
4.18.0-305.12.1 for EL8
August 18, 2021:
The following changes have been made:
snort-3.1.10.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
libmodi{,-devel,-python3,-tools}-20210807-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libmodi{,-devel,-python36,-tools}-20210807-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
yaf{,-devel}-2.12.1-2.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7 and 8 for the x86_64 architecture, yaf has been built to use PF_Ring.
This release was rebuilt to accommodate PF_Ring version 8.
pfring-8.0.0-6812.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-8.0.0.6812-6812.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3293.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.10-200 for FC34
5.13.9-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.10-200 for FC34
5.13.9-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.10-100 for FC33
5.13.9-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.10-100 for FC33
5.13.9-100 for FC33
August 11, 2021:
The following changes have been made:
snort-3.1.9.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
libvmdk{,-devel,-python3,-tools}-20210807-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libvmdk{,-devel,-python36,-tools}-20210807-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libvslvm{,-devel,-python3,-tools}-20210807-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libvslvm{,-devel,-python36,-tools}-20210807-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libsmraw{,-devel,-python3,-tools}-20210807-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libsmraw{,-devel,-python36,-tools}-20210807-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
mtftar-0.9.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Mtftar is a tool that translates a MTF stream to a TAR stream.
MTF is a format commonly found on Microsoft systems as it's what is generated by the NTBACKUP.EXE tool that ships with all modern versions of Windows.
python36-xlsxwriter-3.0.1-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
libregf{,-devel,-python3,-tools}-20210809-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libregf{,-devel,-python36,-tools}-20210809-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
fmem-kernel-modules-fc34-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.8-200 for FC34
5.13.7-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.8-200 for FC34
5.13.7-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.8-100 for FC33
5.13.7-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.8-100 for FC33
5.13.7-100 for FC33
August 4, 2021:
The following changes have been made:
python3-dfvfs-20210728-1.{fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20210728-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python36-xlsxwriter-1.4.5-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
python3-dtfabric-20210731-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-dtfabric-20210731-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
sleuthkit{,-devel,-libs}-4.11.0-1.1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
autopsy-4.19.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 27 through 32 and CentOS 7 and 8 for the x86_64 architectures using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
python3-pytsk3-20210801-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-pytsk3-20210801-1.el7.x86_64.rpm -
Pytsk is Python bindings for The Sleuth Kit.
libcreg{,-devel,-python2,-python3,-tools}-20210625-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libcreg{,-devel,-python36,-tools}-20210625-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
python3-elasticsearch-7.14.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.14.0-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
pfring-7.8.0-3496.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3496.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3274.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.6-200 for FC34
5.13.5-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.6-200 for FC34
5.13.5-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.6-100 for FC33
5.13.5-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.6-100 for FC33
5.13.5-100 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-326 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-326 for EL8
July 28, 2021:
The following changes have been made:
libfsxfs{,-devel,-python3,-static,-tools}-20210726-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libfsxfs{,-devel,-python36,-static,-tools}-20210726-1.el7.x86_64.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
libfshfs{,-devel,-python3,-tools}-20210722-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20210722-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
nDPI{,-devel}-2.9.0-2.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
nDPI is a ntop-maintained superset of the popular OpenDPI library.
These packages were rebuilt to eliminate a conflict with ndpi-4.
pfring-7.8.0-3487.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3487.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-4.0.0-3273.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.4-200 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.4-200 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.13.4-100 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.13.4-100 for FC33
fmem-kernel-modules-el7-x86_64-1.6-1.78.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.36.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-78.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.36.2 for EL7
July 21, 2021:
The following changes have been made:
python3-elasticsearch-7.13.4-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.13.4-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
libfsext{,-devel,-python3,-tools}-20210720-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210522-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libfwnt{,-devel,-python3,-tools}-20210717-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libfwnt{,-devel,-python36,-tools}-20210717-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
bellsoft-java8-full-1.8.0.302-1+8.x86_64.rpm -
Bellsoft Java was installed for Fedora 32, 33, and 34 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
fmem-kernel-modules-fc34-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.17-300 for FC34
5.12.15-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.17-300 for FC34
5.12.15-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.17-200 for FC33
5.12.14-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.17-200 for FC33
5.12.14-200 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-305.10.2 for EL8
4.18.0-305.7.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-305.10.2 for EL8
4.18.0-305.7.1 for EL8
July 14, 2021:
The following changes have been made:
hindsight-2021.04.26-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Hindsight is a free tool for analyzing web artifacts.
It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications.
Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords,
preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies).
Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
Please note that hindsight is implemented as a Python virtual environment with a wrapper shell script that is installed in /usr/bin.
This means that you need to configure pip's /etc/pip.conf if your system is located behind a proxy server.
This configuration should be completed before hindsight is installed.
python3-elasticsearch-7.13.3-1.{fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.13.3-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python{2,3}-cffi-1.14.6-1.el8.x86_64.rpm and cffi-doc-1.14.6-1.el8.noarch.rpm -
Python-CFFI is a C Foreign Function Interface for Python.
Interact with almost any C code from Python, based on C-like declarations that you can often copy-paste from header files or documentation.
Volatility3-1.1.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
ghidra-10.0.1-PUBLIC_20210708.1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
CERT-Forensics-Tools-1.0-95.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This release does the following:
Added Hindsight.
python36-requests-2.26.0-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-4.0.3-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm, and libbroker-devel-4.0.1-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
fmem-kernel-modules-fc34-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.14-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.14-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.14-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.14-200 for FC33
July 7, 2021:
The following changes have been made:
xva-img-1.4.2-2.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
XVA-IMG is a tool for working with Citrix XEN disk images.
Citrix Xen uses a custom virtual appliance format for import/export called "XVA".
It's basically a strangely crafted tar-file.
You don't need this program to unpack this tar-file, just use your favourite tar unpacker (tar, gtar, bsdtar).
Once unpacked you will end up with a lot of different files: ova.xml (which contains the settings for the virtual appliance, think VMware vmx) and a number of folders called Ref:/, which are your disks.
Each of these folders contains hundreds of files named 00000000, 00000001, and so on, each with an accompanying .CHECKSUM file (SHA1).
Each file is a 1MB slice of the disk, but some of the files in the sequence will probably be missing; this is because XVA does not use compression and instead excludes slices of the disk that contain only zeros (are empty).
This tool can assemble the disk for you (you will end up with a RAW disk) that can easily be mounted and modified.
It can then also split the file again and generate checksums.
Once ready, you will probably want to use the "package" command to rebuild the XVA file.
In this release, the modes for the xva-img file were set to 755 as is appropriate.
python36-xlsxwriter-1.4.4-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
avml-0.3.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with
Volatility 2 or Volatility 3 once the appropriate profiles
have been created.
pfring-7.8.0-3459.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3459.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3226.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-el8-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-315 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-315 for EL8
June 30, 2021:
The following changes have been made:
Volatility3-1.0.1-3.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
Release 2 is patched as of 2021-06-25.
pfring-7.8.0-3457.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3457.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3221.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.13-300 for FC34
5.12.12-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.13-300 for FC34
5.12.12-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.13-200 for FC33
5.12.12-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.13-200 for FC33
5.12.12-200 for FC33
June 23, 2021:
The following changes have been made:
python3-artifacts-20210620-1.{fc32,fc33,fc34,el8}.x86_64.rpm, python36-artifacts-20210620-1.el7.x86_64.rpm, and artifacts-data-20210620-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
daq{,-devel,-modules}-3.0.4-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Note that these packages have been installed in the forensics-test repository.
snort-3.1.6.0-1.{fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
fmem-kernel-modules-fc34-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.11-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.11-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.11-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.11-200 for FC33
June 16, 2021:
The following changes have been made:
libbde{,-devel,-python3,-tools}-20210605-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libbde{,-devel,-python36,-tools}-20210605-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
python{2,3}-pefile-2021.5.24-1.{fc32,fc33,fc34,el8}.noarch.rpm and python{2,36}-pefile-2021.5.24-1.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
python3-dfvfs-20210606-1.{fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20210606-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
plaso-20210606-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
snort-2.9.18-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
snort-sample-rules-2.9.18-1.{fc32,fc33,fc34,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.18-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
libregf{,-devel,-python3,-tools}-20210615-1.{fc32,fc33,fc34,el8}.x86_64.rpm and libregf{,-devel,-python36,-tools}-20210615-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
fmem-kernel-modules-fc34-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.10-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.10-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.10-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.10-200 for FC33
fmem-kernel-modules-el7-x86_64-1.6-1.77.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.25.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-77.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.25.1 for EL7
June 11, 2021:
The following changes have been made:
python3-elasticsearch-7.13.1-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and python36-elasticsearch-7.13.1-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
plaso-20210412-2.{fc31,fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as
log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
Note: This version was rebuilt to remove the restriction on the version of Elasticsearch.
pfring-7.8.0-3429.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3429.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3200.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.9-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.9-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.9-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.9-200 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-310 for EL8
4.18.0-305.3.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-310 for EL8
4.18.0-305.3.1 for EL8
Fedora 31 - Updates to Fedora 31 for the x86_64 CPU architecture have ceased.
June 2, 2021:
The following changes have been made:
python3-dfvfs-20210531-1.{fc31,fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20210531-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
maryam-2.2.6.post1-1.{fc31,fc32,fc33,fc34,el8}.noarch.rpm -
OWASP Maryam is a modular/optional open-source framework based on OSINT and data gathering.
Maryam is written in the Python programming language and has been designed to provide a powerful environment to harvest data from open sources and search engines and collect data quickly and thoroughly.
See here for documentation on the modules provided for Maryam.
Note that Maryam is not available for CentOS/RHEL 7 at this time.
python3-idna-3.2-1.el8.noarch.rpm and python36-idna-3.2-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891.
python3-certifi-2021.5.30-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-certifi-2021.5.30-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
libfshfs{,-devel,-python3,-tools}-20210602-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20210602-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
CERT-Forensics-Tools-1.0-94.{fc31,fc32,fc33,fc34,el7,el8}.x86_64.rpm -
This release does the following:
Added Maryam for all except CentOS/RHEL 7.
pfring-7.8.0-3424.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3424.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3182.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.8-300 for FC34
5.12.7-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.8-300 for FC34
5.12.7-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.8-200 for FC33
5.12.7-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.8-200 for FC33
5.12.7-200 for FC33
fmem-kernel-modules-el8-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-305.0.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-305.0.1 for EL8
May 26, 2021:
The following changes have been made:
libfsext{,-devel,-python3,-tools}-20210522-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210522-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
python3-dfvfs-20210522-1.{fc31,fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20210522-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python{2,3}-pefile-2021.5.24-1.{fc31,el8}.noarch.rpm and python{2,36}-pefile-2021.5.24-1.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
libevtx{,-devel,-python3,-tools}-20210525-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libevtx{,-devel,-python36,-tools}-20210525-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
pfring-7.8.0-3419.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3419.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3180.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
snort-3.1.5.0-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
fmem-kernel-modules-fc34-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.6-300 for FC34
5.12.5-300 for FC34
5.11.21-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.6-300 for FC34
5.12.5-300 for FC34
5.11.21-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.12.6-200 for FC33
5.12.5-200 for FC33
5.11.21-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.12.6-200 for FC33
5.12.5-200 for FC33
5.11.21-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.46.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.22-100 for FC32
5.11.21-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-46.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.22-100 for FC32
5.11.21-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-305 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-305 for EL8
May 19, 2021:
The following changes have been made:
Volatility-2.6.1-6.{fc31,fc32,fc33,fc34,el7,el8}.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to May 14, 2021.
You can read about this version here.
python{2,3}-pefile-2021.5.13-1.{fc31,el8}.noarch.rpm and python{2,36}-pefile-2021.5.13-1.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
python{2,3}-future-0.18.2-2.1.{fc31,el8}.noarch.rpm -
Python-Future is the missing compatibility layer between Python 2 and Python 3.
It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
This package was built to support the packaging of Python-PEFile
which in turn is needed to support the packaging of Volatility-community-plugins.
fmem-kernel-modules-fc34-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.20-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.20-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.20-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.20-200 for FC33
May 13, 2021:
The following changes have been made:
python2-six-1.16.0-1.el8.noarch.rpm -
Six provides simple utilities for wrapping over differences between Python 2 and Python 3.
python36-xlsxwriter-1.4.3-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
python3-dfdatetime-20210509-1.{fc31,fc32,fc33,fc34,el8}.noarch.rpm and python36-dfdatetime-20210509-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
python2-yara-4.1.0-3.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
This package was rebuilt due to the releases of Yara 4.1.0 for CentOS/RHEL 8.
libolecf{,-devel,-python3,-tools}-20210512-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libolecf{,-devel,-python36,-tools}-20210512-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
pfring-7.8.0-3410.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3410.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3160.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc34-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.19-300 for FC34
5.11.18-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.19-300 for FC34
5.11.18-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.19-200 for FC33
5.11.18-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.19-200 for FC33
5.11.18-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.45.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.19-100 for FC32
5.11.18-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-45.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.19-100 for FC32
5.11.18-100 for FC32
May 6, 2021:
The following changes have been made:
libfsntfs{,-devel,-python3}-20210503-2.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20210503-2.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libcreg{,-devel,-python2,-python3,-tools}-20210502-2.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libcreg{,-devel,-python36,-tools}-20210502-2.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
The previous release was built with the wrong source file.
libmodi{,-devel,-python3,-tools}-20210501-2.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libmodi{,-devel,-python36,-tools}-20210501-2.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
The previous release was built with the wrong source file.
python3-dfvfs-20210501-2.{fc31,fc32,fc33,fc34,el8}.noarch.rpm and python36-dfvfs-20210501-2.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The previous release was built with the wrong source file.
daq{,-devel,-modules}-3.0.3-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Note that these packages have been installed in the forensics-test repository.
snort-3.1.4.0-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
libfsext{,-devel,-python3,-tools}-20210504-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210504-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libewf-experimental{,-devel,-tools,-python3,-tools}-20210426-1.{fc31,fc32,fc33,fc34,el8}.x86_64.rpm and libewf-experimental{,-devel,-tools,-python36,-tools}-2,fc340201230-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
python2-yara-4.1.0-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
This package was rebuilt due to the releases of Yara 4.1.0 for Fedora 34.
fmem-kernel-modules-fc34-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.17-300 for FC34
lime-kernel-modules-fc34-x86_64-1.9.1-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.17-300 for FC34
fmem-kernel-modules-fc33-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.17-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.17-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.44.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.17-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-44.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.17-100 for FC32
May 2, 2021:
The following changes have been made:
libcreg{,-devel,-python2,-python3,-tools}-20210502-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libcreg{,-devel,-python36,-tools}-20210502-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libesedb{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libesedb{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
libevt{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libevt{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libevtx{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libfsapfs{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsapfs{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libfsext{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libfshfs{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
libfsntfs{,-devel,-python3}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20210424-1.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libfvde{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfvde{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
libfwnt{,-devel,-python3,-tools}-20210421-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfwnt{,-devel,-python36,-tools}-20210421-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfwsi{,-devel,-python3}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfwsi{,-devel,-python36}-20210419-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python3,-tools}-20210417-1.{fc31,fc32,fc33,el8}.x86_64.rpm and liblnk{,-devel,-python36,-tools}-20210417-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libluksde{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libluksde{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libmodi{,-devel,-python3,-tools}-20210501-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libmodi{,-devel,-python36,-tools}-20210501-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libmsiecf{,-devel,-python3,-tools}-20210420-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libmsiecf{,-devel,-python36,-tools}-20210420-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libolecf{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libqcow{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libqcow{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libregf{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libregf{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libscca{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libscca{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libsigscan{,-devel,-python3}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsigscan{,-devel,-python36}-20210419-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libsmdev{,-devel,-python3}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsmdev{,-devel,-python36}-20210418-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python3,-tools}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsmraw{,-devel,-python36,-tools}-20210418-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvhdi{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvhdi{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python3,-tools}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvmdk{,-devel,-python36,-tools}-20210418-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libvshadow{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvshadow{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
libvslvm{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvslvm{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
python2-yara-4.1.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-4.0.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm, and libbroker-devel-4.0.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
xva-img-1.4.2-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
XVA-IMG is a tool for working with Citrix XEN disk images.
Citrix Xen uses a custom virtual appliance format for import/export called "XVA".
It's basically a strangely crafted tar-file.
You don't need this program to unpack this tar-file, just use your favourite tar unpacker (tar, gtar, bsdtar).
Once unpacked you will end up with a lot of different files: ova.xml (which contains the settings for the virtual appliance, think VMware vmx) and a number of folders called Ref:/, which are your disks.
Each of these folders contains hundreds of files named 00000000, 00000001, and so on, each with an accompanying .CHECKSUM file (SHA1).
Each file is a 1MB slice of the disk, but some of the files in the sequence will probably be missing; this is because XVA does not use compression and instead excludes slices of the disk that contain only zeros (are empty).
This tool can assemble the disk for you (you will end up with a RAW disk) that can easily be mounted and modified.
It can then also split the file again and generate the checksums.
Once ready, you will probably want to use the "package" command to rebuild the XVA file.
python3-dfvfs-20210501-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210501-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libtommath{,-devel}-1.2.0-1.el8.x86_64.rpm -
LibTOMMath is a free open source portable number theoretic multiple-precision integer library written entirely in C.
The library is designed to provide a simple to work with API that provides fairly efficient routines that build out of the box without configuration.
rifiuti2-0.7.0-5.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
This package was updated to avoid a conflict with the rifiuti package.
pfring-7.8.0-3406.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3406.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3150.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-1.6-1.21.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 34 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-21.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 34 x86_64 architecture was added.
fmem-kernel-modules-fc33-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.16-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.16-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.43.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.16-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-43.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.16-100 for FC32
fmem-kernel-modules-el7-x86_64-1.6-1.76.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.25.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-76.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.25.1 for EL7
Fedora 34 - The repository now supports Fedora 34 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 34:
April 23, 2021:
The following changes have been made:
python3-pytsk3-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-pytsk3-20210419-1.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
bellsoft-java8-full-1.8.0.292-1+10.x86_64.rpm -
Bellsoft Java was installed for Fedora 31, 32, and 33 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
python36-xlsxwriter-1.4.0-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
pfring-7.8.0-3402.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3402.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3137.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.15-200 for FC33
5.11.14-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.15-200 for FC33
5.11.14-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.42.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.15-100 for FC32
5.11.14-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-42.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.15-100 for FC32
5.11.14-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-301.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-301.1 for EL8
April 15, 2021:
The following changes have been made:
plaso-20210412-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
ghidra-9.2.2-PUBLIC_20201229.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
python36-xlsxwriter-1.3.9-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
pfring-7.8.0-3398.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3398.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3130.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.13-200 for FC33
5.11.12-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.13-200 for FC33
5.11.12-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.41.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.13-100 for FC32
5.11.12-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-41.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.13-100 for FC32
5.11.12-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-240.22.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-240.22.1 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.75.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.24.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-75.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.24.1 for EL7
April 9, 2021:
The following changes have been made:
libfsxfs{,-devel,-python3,-tools}-20210403-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsxfs{,-devel,-python36,-tools}-20210403-1.el7.x86_64.rpm -
Libfsxfs contains a library and tools to access the SGI X File System (XFS).
python3-artifacts-20210404-1.{fc31,fc32,fc33,el8}.x86_64.rpm, python36-artifacts-20210404-1.el7.x86_64.rpm, and artifacts-data-20210404-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
April 2, 2021:
The following changes have been made:
python3-pytsk3-20210327-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-pytsk3-20210327-1.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
libbde{,-devel,-python3,-tools}-20210327-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libbde{,-devel,-python36,-tools}-20210327-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
snort-2.9.17.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
This release contains these two additional symbolic links that are intended to simplify writing Snort configuration rules in that they are no longer required to contain the Snort version in the path name.
These symbolic links are:
Furthermore, the Snort configuration file - /etc/snort/snort.conf - references these version-agnostic path names.
snort-sample-rules-2.9.17.1-1.{fc31,fc32,fc33,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.17.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
This release contains these two additional symbolic links that are intended to simplify writing Snort configuration rules in that they are no longer required to contain the Snort version in the path name.
These symbolic links are:
Furthermore, the Snort configuration file - /etc/snort/snort.conf - references these version-agnostic path names.
python36-xlsxwriter-1.3.8-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
pfring-7.8.0-3396.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3396.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3123.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.11-200 for FC33
5.11.10-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.11-200 for FC33
5.11.10-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.11-100 for FC32
5.11.10-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-40.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.11-100 for FC32
5.11.10-100 for FC32
March 26, 2021:
The following changes have been made:
sleuthkit{,-devel,-libs}-4.10.2-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
autopsy-4.18.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 27 through 32 and CentOS 7 and 8 for the x86_64 architecture using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
pfring-7.8.0-3394.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3394.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3115.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.9-200 for FC33
5.11.8-200 for FC33
5.11.7-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-18.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.9-200 for FC33
5.11.8-200 for FC33
5.11.7-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.11.7-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.11.7-100 for FC32
March 19, 2021:
The following changes have been made:
fmem-kernel-modules-fc33-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.23-200 for FC33
5.10.22-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.23-200 for FC33
5.10.22-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.22-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.22-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-294 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-294 for EL8
fmem-kernel-modules-el7-x86_64-1.6-1.74.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.21.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-74.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.21.1 for EL7
March 12, 2021:
The following changes have been made:
Volatility3-1.0.1-2.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
Release 2 is patched as of 2021-03-10.
plaso-20210213-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
pfring-7.8.0-3385.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3385.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3094.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.21-200 for FC33
5.10.20-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.21-200 for FC33
5.10.20-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.21-100 for FC32
5.10.20-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.21-100 for FC32
5.10.20-100 for FC32
March 5, 2021:
The following changes have been made:
python2-yara-4.0.5-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
pfring-7.8.0-3382.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3382.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3084.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.19-200 for FC33
5.10.18-200 for FC33
5.10.17-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.19-200 for FC33
5.10.18-200 for FC33
5.10.17-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.19-100 for FC32
5.10.18-100 for FC32
5.10.17-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.19-100 for FC32
5.10.18-100 for FC32
5.10.17-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-240.15.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-240.15.1 for EL8
February 19, 2021:
The following changes have been made:
python3-dfvfs-20210213-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210213-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-elasticsearch-7.11.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-elasticsearch-7.11.0-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Note: This version has been removed from the repository due to incompatibilities with plaso.
python3-elasticsearch-7.9.1-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-elasticsearch-7.9.1-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Note: You will need to downgrade to this version of elasticsearch with the following on Fedora and CentOS/RHEL 8:
sudo dnf downgrade python3-elasticsearch -y
And this on CentOS/RHEL 7:
sudo yum downgrade python36-elasticsearch -y
plaso-20201228-2.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
This version removes a patch that intended to make plaso work with ElasticSearch version 7.10 and newer.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.12-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.12-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-7.8.0-3371.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3371.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3047.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.16-200 for FC33
5.10.15-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.16-200 for FC33
5.10.15-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.16-100 for FC32
5.10.15-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.16-100 for FC32
5.10.15-100 for FC32
February 12, 2021:
The following changes have been made:
python3-dfvfs-20210207-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210207-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-elasticsearch-7.11.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-elasticsearch-7.11.0-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Volatility3-1.0.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools, implemented in Python under the Volatility Software License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
Due to the way in which the previous packages were named, you will need to remove the older version and install this version by hand with the following on Fedora and CentOS/RHEL 8:
libvsgpt{,-devel,-python3,-tools}-20210207.{fc31,fc32,fc33,el8}.x86_64.rpm and libvsgpt{,-devel,-python36,-tools}-20210207.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
plaso-20201228-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
pfring-7.8.0-3361.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3361.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3044.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.14-200 for FC33
5.10.13-200 for FC33
5.10.12-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.14-200 for FC33
5.10.13-200 for FC33
5.10.12-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels were added for Fmem:
5.10.13-100 for FC32
5.10.12-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-34.noarch.rpm -
Support for the following kernels were added for LiME:
5.10.13-100 for FC32
5.10.12-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels were added for Fmem:
4.18.0-277 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-13.noarch.rpm -
Support for the following kernels were added for LiME:
4.18.0-277 for EL8
February 4, 2021:
The following changes have been made:
python3-dfvfs-20210125-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210125-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfsext{,-devel,-python3,-tools}-20210129-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210129-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
pfring-7.8.0-3356.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3356.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2999.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernel was added for Fmem:
5.10.11-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernel was added for LiME:
5.10.11-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernel was added for Fmem:
5.10.11-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-33.noarch.rpm -
Support for the following kernel was added for LiME:
5.10.11-100 for FC32
fmem-kernel-modules-el7-x86_64-1.6-1.73.noarch.rpm -
Support for the following kernel, missed earlier because of configuration errors, was added for Fmem:
3.10.0-1160.15.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-73.noarch.rpm -
Support for the following kernel, missed earlier because of configuration errors, was added for LiME:
3.10.0-1160.15.2 for EL7
January 29, 2021:
The following changes have been made:
Volatility3-2.0.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 which can be found here.
It is taken from the source code available as of 2021-01-27.
Due to the way in which the previous packages were named, you will need to remove the older version and install this version by hand with the following on Fedora and CentOS/RHEL 8:
python2-yara-4.0.4-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
fmem-kernel-modules-fc33-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.10-200 for FC33
5.10.9-201 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.10-200 for FC33
5.10.9-201 for FC33
January 22, 2021:
The following changes have been made:
python36-lz4-3.1.3-1.el7.x86_64.rpm -
LZ4 contains the python bindings for the lz4 compression library.
bellsoft-java8-full-1.8.0.282-1+8.x86_64.rpm -
Bellsoft Java was installed for Fedora 31, 32, and 33 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
libvsgpt{,-devel,-python3,-tools}-20210118.{fc31,fc32,fc33,el8}.x86_64.rpm and libvsgpt{,-devel,-python36,-tools}-20210118.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
python3-dfvfs-20210120-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210120-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
daq{,-devel,-modules}-3.0.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
The Data Acquisition Library (DAQ) is the packet I/O abstraction layer used by Snort.
Note that these packages have been installed in the forensics-test repository.
snort-3.1.0.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the announcement.
Note that these packages have been installed in the forensics-test repository.
pfring-7.8.0-3343.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3343.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2996.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-common-1.9.1-7.noarch.rpm -
LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for building the LiME kernel modules, the CaptureMemoryWithLime script, and the corresponding manual page.
The changes are the following:
Updated to include a fix for kernels 5.10 and beyond
Note: the version number has changed to correspond with the version on the LiME website.
fmem-kernel-modules-fc33-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.8-200 for FC33
5.10.7-200 for FC33
5.10.6-200 for FC33
lime-kernel-modules-fc33-x86_64-1.9.1-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.8-200 for FC33
5.10.7-200 for FC33
5.10.6-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.10.8-100 for FC32
5.10.7-100 for FC32
lime-kernel-modules-fc32-x86_64-1.9.1-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.10.8-100 for FC32
5.10.7-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernel was added for Fmem:
4.18.0-240.10.1 for EL8
lime-kernel-modules-el8-x86_64-1.9.1-12.noarch.rpm -
Support for the following kernel was added for LiME:
4.18.0-240.10.1 for EL8
January 7, 2021:
The following changes have been made:
libewf-experimental{,-devel,-python3,-tools}-20201230-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libewf-experimental{,-devel,-python36,-tools}-20201230-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs its files under /usr/local so that it can optionally be installed alongside the conventional Libewf packages, whose contents are installed under /usr.
With both installed, which ewfinfo binary and which libewf shared library get picked up depends on the order of PATH and of the dynamic linker's library search path, so confirm which copy is actually being used before relying on its output.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
python3-idna-3.1-1.el8.noarch.rpm and python36-idna-3.1-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891.
This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
libfixbuf{,-devel,-ipfixDump}-2.4.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-3.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This package was rebuilt to use libfixbuf 2.4.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-4.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release, named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt to use libfixbuf 2.4.1.
libschemaTools{,-devel}-1.3-7.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data or the structure of the records.
This package was rebuilt to use libfixbuf 2.4.1.
python3-pyfixbuf-0.8.1-2.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-pyfixbuf-0.8.1-2.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
This package was rebuilt to use libfixbuf 2.4.1.
Note also that the Python 2 version is no longer provided.
analysis-pipeline-5.11.3-5.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use libfixbuf 2.4.1.
super_mediator-1.8.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
See here for the list of changes.
yaf{,-devel}-2.12.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture on an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
See here for the list of changes.
mac-robber-1.02-1.el8.x86_64.rpm -
Mac-robber is a digital investigation tool that collects data from allocated files in a mounted file system.
Removed: Provided by CentOS/RHEL.
python3-redis-3.5-1.el8.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
Removed: Provided by CentOS/RHEL.
pfring-7.8.0-3323.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3323.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2968.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernel was added for Fmem:
5.9.16-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-9.noarch.rpm -
Support for the following kernel was added for LiME:
5.9.16-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernel was added for Fmem:
5.9.16-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-31.noarch.rpm -
Support for the following kernel was added for LiME:
5.9.16-100 for FC32
December 23, 2020:
The following changes have been made:
python3-dfvfs-20201219-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201219-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
pfring-7.8.0-3320.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3320.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2958.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernel was added for Fmem:
5.9.15-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-8.noarch.rpm -
Support for the following kernel was added for LiME:
5.9.15-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernel was added for Fmem:
5.9.15-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-30.noarch.rpm -
Support for the following kernel was added for LiME:
5.9.15-100 for FC32
fmem-kernel-modules-el7-x86_64-1.6-1.72.noarch.rpm -
Support for the following kernel, missed earlier because of configuration errors, was added for Fmem:
3.10.0-1160.11.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-72.noarch.rpm -
Support for the following kernel, missed earlier because of configuration errors, was added for LiME:
3.10.0-1160.11.1 for EL7
December 18, 2020:
The following changes have been made:
libewf-experimental{,-devel,-python3,-tools}-20201210-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libewf-experimental{,-devel,-python36,-tools}-20201210-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
python36-chardet-4.0.0-1.el7.x86_64.rpm -
Chardet is a universal character encoding detector.
ghidra-9.2-PUBLIC_20201113.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
Volatility3-2.0.0.b1-20201216.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is a beta version of Volatility 3 which can be found here.
It is patched to 2020-12-16.
python36-requests-2.25.1-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
python3-cryptography-3.3-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-cryptography-3.1-1.el7.x86_64.rpm -
Cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Note: This package is being withdrawn from the repository.
It needs to be removed and the vendor-provided version installed in its place.
snort-2.9.17.0-2.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
This release contains these two additional symbolic links that are intended to simplify writing Snort configuration rules in that they are no longer required to contain
the Snort version in the path name.
These symbolic links are:
Furthermore, the Snort configuration file - /etc/snort/snort.conf - references these version-agnostic path names.
snort-sample-rules-2.9.17.0-2.{fc31,fc32,fc33,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.17.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and snort-openappid-2.9.1.17-1.el6.{i686,x86_64}.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 7 and 8 for the x86_64 architecture.
This release contains these two additional symbolic links that are intended to simplify writing Snort configuration rules in that they are no longer required to contain
the Snort version in the path name.
These symbolic links are:
Furthermore, the Snort configuration file - /etc/snort/snort.conf - references these version-agnostic path names.
pfring-7.8.0-3307.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3307.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2954.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.14-200 for FC33
5.9.13-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.14-200 for FC33
5.9.13-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.14-100 for FC32
5.9.13-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.14-100 for FC32
5.9.13-100 for FC32
December 10, 2020:
The following changes have been made:
python3-certifi-2020.12.5-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-certifi-2020.12.5-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
Note: The Python 2 package is no longer provided.
libbde{,-devel,-python36,-tools}-20200724-2.el7.x86_64.rpm and libbde{,-devel,-python3,-tools}-20200724-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
Note: The Python 2 package is no longer provided.
libesedb{,-devel,-python36,-tools}-20200418-2.el7.x86_64.rpm and libesedb{,-devel,-python3,-tools}-20200418-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
Note: The Python 2 package is no longer provided.
libevt{,-devel,-python36,-tools}-20200926-2.el7.x86_64.rpm and libevt{,-devel,-python3,-tools}-20200926-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
Note: The Python 2 package is no longer provided.
libevtx{,-devel,-python36,-tools}-20200709-2.el7.x86_64.rpm and libevtx{,-devel,-python3,-tools}-20200709-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
Note: The Python 2 package is no longer provided.
libexe{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libexe{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
Note: The Python 2 package is no longer provided.
libfsapfs{,-devel,-python36,-tools}-20201107-2.el7.x86_64.rpm and libfsapfs{,-devel,-python3,-tools}-20201107-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note: The Python 2 package is no longer provided.
libfshfs{,-devel,-python36,-tools}-20201104-2.el7.x86_64.rpm and libfshfs{,-devel,-python3,-tools}-20201104-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
Note: The Python 2 package is no longer provided.
libfvde{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libfvde{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
Note: The Python 2 package is no longer provided.
libfwnt{,-devel,-python36,-tools}-20200723-2.el7.x86_64.rpm and libfwnt{,-devel,-python3,-tools}-20200723-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
Note: The Python 2 package is no longer provided.
libfwps{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libfwps{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
LibFWPS is a library for Windows Property Store data types.
Note: The Python 2 package is no longer provided.
liblnk{,-devel,-python36,-tools}-20200810-2.el7.x86_64.rpm and liblnk{,-devel,-python3,-tools}-20200810-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
Note: The Python 2 package is no longer provided.
libmodi{,-devel,-python36,-tools}-20201019-2.el7.x86_64.rpm and libmodi{,-devel,-python3,-tools}-20201019-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
Note that this project currently only focuses on the analysis of the format.
Note: The Python 2 package is no longer provided.
libmsiecf{,-devel,-python36,-tools}-20200710-2.el7.x86_64.rpm and libmsiecf{,-devel,-python3,-tools}-20200710-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
Note: The Python 2 package is no longer provided.
libnk2{,-devel,-python36,-tools}-20181101-3.el7.x86_64.rpm and libnk2{,-devel,-python3,-tools}-20181101-3.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libnk2 is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
Note: The Python 2 package is no longer provided.
libolecf{,-devel,-python36,-tools}-20201004-2.el7.x86_64.rpm and libolecf{,-devel,-python3,-tools}-20201004-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
Note: The Python 2 package is no longer provided.
libpff{,-devel,-python36,-tools}-20180714-5.el7.x86_64.rpm and libpff{,-devel,-python3,-tools}-20180714-5.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Note: The Python 2 package is no longer provided.
libphdi{,-devel,-python36,-tools}-20201003-2.el7.x86_64.rpm and libphdi{,-devel,-python3,-tools}-20201003-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
Note: The Python 2 package is no longer provided.
libqcow{,-devel,-python36,-tools}-20200928-2.el7.x86_64.rpm and libqcow{,-devel,-python3,-tools}-20200928-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
Note: The Python 2 package is no longer provided.
libregf{,-devel,-python36,-tools}-20201007-2.el7.x86_64.rpm and libregf{,-devel,-python3,-tools}-20201007-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File (REGF) format files.
Note: The Python 2 package is no longer provided.
libscca{,-devel,-python36,-tools}-20200717-2.el7.x86_64.rpm and libscca{,-devel,-python3,-tools}-20200717-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
Note: The Python 2 package is no longer provided.
libsmraw{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libsmraw{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Note: The Python 2 package is no longer provided.
libvhdi{,-devel,-python36,-tools}-20201204-1.el7.x86_64.rpm and libvhdi{,-devel,-python3,-tools}-20201204-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note: The Python 2 package is no longer provided.
libvmdk{,-devel,-python36,-tools}-20200926-2.el7.x86_64.rpm and libvmdk{,-devel,-python3,-tools}-20200926-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
Note: The Python 2 package is no longer provided.
libvshadow{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libvshadow{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
Note: The Python 2 package is no longer provided.
libvslvm{,-devel,-python36,-tools}-20200817-2.el7.x86_64.rpm and libvslvm{,-devel,-python3,-tools}-20200817-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
Note: The Python 2 package is no longer provided.
libvsmbr{,-devel,-python36,-tools}-20200818-2.el7.x86_64.rpm and libvsmbr{,-devel,-python3,-tools}-20200818-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
Note: The Python 2 package is no longer provided.
libwrc{,-devel,-python36,-tools}-20191221-2.el7.x86_64.rpm and libwrc{,-devel,-python3,-tools}-20191221-2.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
Note: The Python 2 package is no longer provided.
Volatility3-2.0.0.b1-3.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is a beta version of Volatility 3 which can be found here.
It is patched to 2020-12-07.
python3-cryptography-3.3-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-cryptography-3.1-1.el7.x86_64.rpm -
Cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Note that for CentOS/RHEL 7, the version remains at 3.1.
python3-elasticsearch-7.10.1-1.{fc31,fc32,fc33,el8}.x86_64.rpm and python36-elasticsearch-7.10.1-1.el7.x86_64.rpm -
Python-elasticsearch is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
pfring-7.8.0-3294.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3294.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2941.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels were added for Fmem:
5.9.12-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-6.noarch.rpm -
Support for the following kernels were added for LiME:
5.9.12-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels were added for Fmem:
5.9.12-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-28.noarch.rpm -
Support for the following kernels were added for LiME:
5.9.12-100 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-240.1.1 for EL8
4.18.0-240 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-11.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-240.1.1 for EL8
4.18.0-240 for EL8
December 4, 2020:
The following changes have been made:
libewf-experimental{,-devel,-python3,-tools}-20201129-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libewf-experimental{,-devel,-python36,-tools}-20201129-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
musl-{clang,devel,filesystem,gcc,libc,libc-static}-1.2.1-1.{el7,el8}.x86_64.rpm -
MUSL is a fully featured lightweight standard C library for Linux.
This package was built to support AVML.
avml-0.2.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
AVML is an x86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with Volatility 2 or Volatility 3 once the appropriate profiles have been created.
CERT-Forensics-Tools-1.0-93.el6.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-93.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
This release does the following:
Added AVML for Fedora 31 and beyond and CentOS/RHEL 7 and beyond.
python3-dfvfs-20201202-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201202-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
sleuthkit{,-devel,-libs}-4.10.1-1.3.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
This release attempts to correct an issue where The Sleuth Kit was built with the incorrect version of the Java Development packages.
Note that release 1.3 copies the /usr/share/java/sleuthkit-4.10.1.jar file to the location Autopsy expects as installed by LiFTeR, which is /usr/autopsy/autopsy/modules/ext/sleuthkit-4.10.1.jar.
If your version of Autopsy is installed in a different place, you will need to copy /usr/share/java/sleuthkit-4.10.1.jar to that place manually.
autopsy-4.17.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 27 through 32 and CentOS 7 and 8 for the x86_64 architectures using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run Autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP server if necessary, adjust the host's firewall to allow RDP connections, set this depth parameter, and start or restart the xrdp service:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
libfwsi{,-devel,-python36}-20201204-1.el7.x86_64.rpm and libfwsi{,-devel,-python3}-20201204-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
libsmdev{,-devel,-python36}-20201204-1.el7.x86_64.rpm and libsmdev{,-devel,-python3}-20201204-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
pfring-7.8.0-3285.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3285.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2937.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.11-200 for FC33
5.9.10-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.11-200 for FC33
5.9.10-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.11-100 for FC32
5.9.10-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.11-100 for FC32
5.9.10-100 for FC32
CentOS 6 - Updates to CentOS 6 for both the i686 and x86_64 CPU architectures have ceased.
November 25, 2020:
The following changes have been made:
snort-2.9.17.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and snort-2.9.17.0-1.el6.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
snort-sample-rules-2.9.17.0-1.{fc31,fc32,fc33,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.17-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and snort-openappid-2.9.1.17-1.el6.{i686,x86_64}.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
yaf{,-devel}-2.11.2-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm and yaf{,-devel}-2.11.2-1.el6.{i686,x86_64}.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Volatility3-2.0.0.b1-2.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is a beta version of Volatility 3 which can be found here.
It is patched to 2020-11-23.
libewf-experimental{,-devel,-python3,-tools}-20201123-1.{fc31,fc32,fc33,el8}.x86_64.rpm, libewf-experimental{,-devel,-python36,-tools}-20201123-1.el7.x86_64.rpm, and libewf-experimental{,-devel,-python2,-tools}-20201123-1.el6.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
sleuthkit{,-devel,-libs}-4.10.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
apfs-fuse-20200928-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones.
python2-distorm3-3.5.0-1.el6.{i386,x86_64}.rpm, python{2,36}-distorm3-3.5.0-1.el7.x86_64.rpm, and python{2,3}-distorm3-3.5.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
libodraw{,-devel,-tools}-20201003-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Libodraw is a library to access to optical disc (split) RAW image files (bin/cue, iso/cue).
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.11-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.11-0.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-7.8.0-3283.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3283.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2929.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.9-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.9-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.9-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.9-100 for FC32
November 22, 2020:
The following changes have been made:
python3-dfvfs-20201118-1.{fc27,fc28,fc29,fc30,fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201118-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfsntfs{,-devel,-python3}-20201115-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20201115-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20201115-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20201115-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libfsxfs{,-devel,-python3,-tools}-20201114-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsxfs{,-devel,-python2,-tools}-20201114-1.el6.{i686,x86_64}.rpm, libfsxfs{,-devel,-python36,-tools}-20201114-1.el7.x86_64.rpm, and libfsxfs{,-devel,-python3,-tools}-20201114-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsxfs contains library and tools to access the SGI X File System (XFS).
libsigscan{,-devel,-python3}-20201117-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2}-20201117-1.el6.{i686,x86_64}.rpm, libsigscan{,-devel,-python36}-20201117-1.el7.x86_64.rpm, and libsigscan{,-devel,-python3}-20201117-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
python36-lz4-3.1.1-1.el7.x86_64.rpm -
LZ4 contains the python bindings for the lz4 compression library.
pfring-7.8.0-3278.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3278.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2923.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc33-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.8-200 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.8-200 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.9.8-100 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.9.8-100 for FC32
fmem-kernel-modules-el7-x86_64-1.6-1.71.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.6.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-71.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.6.1 for EL7
Fedora 30 - Updates to Fedora 30 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 29 - Updates to Fedora 29 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 28 - Updates to Fedora 28 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 27 - Updates to Fedora 27 for both the i686 and x86_64 CPU architectures have ceased.
November 13, 2020:
The following changes have been made:
libfsapfs{,-devel,-python2,-python3}-20201107-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20201107-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20201107-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20201107-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
python3-dfvfs-20201107-1.{fc27,fc28,fc29,fc30,fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201107-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python{2,3}-certifi-2020.11.8-1.{fc27,fc28,fc29,fc30,fc31,fc32,fc33,el8}.noarch.rpm and python{2,36}-certifi-2020.11.8-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python36-requests-2.25.0-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
pfring-7.8.0-3272.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3272.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-2911.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-el7-x86_64-1.6-1.70.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1160.2.2 for EL7
3.10.0-1160.2.1 for EL7
3.10.0-1160 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-70.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1160.2.2 for EL7
3.10.0-1160.2.1 for EL7
3.10.0-1160 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.69.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.35.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-69.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.35.1 for EL6
November 6, 2020:
The following changes have been made:
Volatility3-2.0.0.b1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is a beta version of Volatility 3 which can be found here.
Volatility3-{windows,linux,mac}-symbols-20191016-1.noarch.rpm -
These three packages are the kernel symbol table files needed by Volatility 3 to correctly interpret information in various Windows, Linux, and MacOS kernels.
CERT-Forensics-Tools-1.0-92.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-92.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
This release does the following:
Added Volatility3 and the Volatility 3 symbol table packages for Fedora 31 and beyond and CentOS/RHEL 7 and beyond.
libfshfs{,-devel,-python2,-python3,-tools}-20201104-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfshfs{,-devel,-python2,-tools}-20201104-1.el6.{i686,x86_64}.rpm, libfshfs{,-devel,-python2,-python36,-tools}-20201104-3.el7.x86_64.rpm, and libfshfs{,-devel,-python2,-python3,-tools}-20201104-3.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
python3-dfvfs-20201105-1.{fc27,fc28,fc29,fc30,fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201105-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
pfring-7.8.0-3267.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
pfring-dkms-7.8.0-3267.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.4.0-3267.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
yaf{,-devel}-2.11.0-5.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-5.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release has been updated to support PF_Ring Version 7.8.
bellsoft-java8-full-1.8.0.275-1+1.{i586,x86_64}.rpm -
Bellsoft Java was installed for Fedora 27 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
python3-artifacts-20201106-1.{fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, artifacts-data-20201106-1.{fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, python36-artifacts-20201106-1.el7.x86_64.rpm, artifacts-data-20201106-1.el7.x86_64.rpm, python3-artifacts-20201106-1.{fc31,fc32,fc33,el8}.x86_64.rpm, and artifacts-data-20201106-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
fmem-kernel-modules-fc33-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.18-300 for FC33
5.8.17-300 for FC33
lime-kernel-modules-fc33-x86_64-1.1.r17-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.18-300 for FC33
5.8.17-300 for FC33
fmem-kernel-modules-fc32-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.18-200 for FC32
5.8.17-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.18-200 for FC32
5.8.17-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.40.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.18-100 for FC31
5.8.17-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-40.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.18-100 for FC31
5.8.17-100 for FC31
fmem-kernel-modules-el8-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-193.28.1 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-10.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-193.28.1 for EL8
October 30, 2020:
The following changes have been made:
python{2,36}-psutil-5.7.3-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
plaso-20201007-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20201007-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
libcreg{,-devel,-python3,-tools}-20200725-2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libcreg{,-devel,-python2,-tools}-20200725-2.el6.{i686,x86_64}.rpm, libcreg{,-devel,-python36,-tools}-20200725-2.el7.x86_64.rpm, and libcreg{,-devel,-python2,-python3,-tools}-20200725-2.{fc31,fc32,el8}.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
Note that in this release, the Python3 version for CentOS/RHEL 7 is correctly named, that is, it is named libcreg-python36 and not libcreg-python3.
There are no other changes in this release.
Volatility-2.6.1-5.{fc27,fc28,fc29,fc30,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-5.{fc31,fc32,el7,el8}.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to October 27, 2020.
You can read about this version here.
libfsntfs{,-devel,-python3}-20201027-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20201027-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20201027-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20201027-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libmdmp{,-devel,-tools}-20200819-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and libmdmp{,-devel,-tools}-20200819-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Libmdmp is a library to access the Windows Minidump (MDMP) format.
Note that this project currently only focuses on the analysis of the format.
libhibr{,-devel,-tools}-20200820-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and libhibr{,-devel,-tools}-20200820-1.{fc31,fc32,el7,el8}.x86_64.rpm -
libhibr is a library and tools to access the Windows Hibernation File (hiberfil.sys) format.
Note that this project currently only focuses on the analysis of the format.
libmodi{,-devel,-python2,-python3,-tools}-20201019-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmodi{,-devel,-python2,-tools}-20201019-1.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python2,-python36,-tools}-20201019-1.el7.x86_64.rpm, libmodi{,-devel,-python2,-python3,-tools}-20201019-1.{fc31,fc32,el8}.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
Note that this project currently only focuses on the analysis of the format.
libphdi{,-devel,-python2,-python3,-tools}-20201003-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libphdi{,-devel,-python2,-tools}-20201003-1.el6.{i686,x86_64}.rpm, libphdi{,-devel,-python2,-python36,-tools}-20201003-1.el7.x86_64.rpm, and libphdi{,-devel,-python2,-python36,-tools}-20201003-1.{fc31,fc32,el8}.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
libagdb{,-devel,-tools}-20201023-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and libagdb{,-devel,-tools}-20201023-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Libagdb is a library to access the SuperFetch database format.
libvsmbr{,-devel,-python2,-python3,-tools}-20200818-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvsmbr{,-devel,-python2,-tools}-20200818-1.el6.{i686,x86_64}.rpm, and libvsmbr{,-devel,-python2,-python36,-tools}-20200818-1.el7.x86_64.rpm, and libvsmbr{,-devel,-python2,-python3,-tools}-20200818-1.{fc31,fc32,el8}.x86_64.rpm -
Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
rifiuti2-0.7.0-5.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and rifiuti2-0.7.0-5.{fc31,fc32,el7,el8}.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.
This package was updated to avoid a conflict with the rifiuti package.
fmem-kernel-modules-1.6-1.20.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 33 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-20.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 33 x86_64 architecture was added.
fmem-kernel-modules-fc32-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.16-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.16-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.16-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.16-100 for FC31
Fedora 33 - The repository now supports Fedora 33 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 33:
October 23, 2020:
The following changes have been made:
libvhdi{,-devel,-python2,-python3,-tools}-20201018-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20201018-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20201018-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20201018-1.{fc31,fc32,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libfshfs{,-devel,-python2,-python3,-tools}-20201019-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfshfs{,-devel,-python2,-tools}-20201019-1.el6.{i686,x86_64}.rpm, libfshfs{,-devel,-python2,-python36,-tools}-20201019-3.el7.x86_64.rpm, and libfshfs{,-devel,-python2,-python3,-tools}-20201019-3.{fc31,fc32,el8}.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
python3-cryptography-3.1-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-cryptography-3.1-1.el7.x86_64.rpm, and python3-cryptography-3.1-1.{fc30,fc31,el8}.x86_64.rpm -
Cryptography is a package which provides cryptographic recipes and primitives to Python developers.
python3-dfvfs-20201018-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfvfs-20201018-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
bellsoft-java8-full-1.8.0.272-1+10.{i586,x86_64}.rpm -
Bellsoft Java was installed for Fedora 27 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
pfring-7.6.0-3245.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3245.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2878.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
October 16, 2020:
The following changes have been made:
libfsapfs{,-devel,-python2,-python3}-20201008-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20201008-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20201008-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20201008-1.{fc31,fc32,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
python3-xlsxwriter-1.3.7-1.{fc27,fc28,fc29}.noarch.rpm and python36-xlsxwriter-1.3.7-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
libvhdi{,-devel,-python2,-python3,-tools}-20201014-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20201014-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20201014-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20201014-1.{fc31,fc32,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
fmem-kernel-modules-fc32-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.15-200 for FC32
5.8.14-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.15-200 for FC32
5.8.14-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.15-101 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.15-101 for FC31
October 8, 2020:
The following changes have been made:
python3-dfwinreg-20201006-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dfwinreg-20201006-1.el7.x86_64.rpm, and python3-dfwinreg-20201006-1.{fc31,fc32,el8}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
libregf{,-devel,-python2,-python3}-20201007-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2}-20201007-1.el6.{i686,x86_64}.rpm, libregf{,-devel,-python2,-python36}-20201007-1.el7.x86_64.rpm, and libregf{,-devel,-python2,-python3}-20201007-1.{fc31,fc32,el8}.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libolecf{,-devel,-python2,-python3}-20201004-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libolecf{,-devel,-python2}-20201004-1.el6.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-python36}-20201004-1.el7.x86_64.rpm, and libolecf{,-devel,-python2,-python3}-20201004-1.{fc31,fc32,el8}.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
pfring-7.6.0-3209.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3209.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2862.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.13-200 for FC32
5.8.12-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.13-200 for FC32
5.8.12-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.13-100 for FC31
5.8.12-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.13-100 for FC31
5.8.12-100 for FC31
October 1, 2020:
The following changes have been made:
libevt{,-devel,-python2,-python3}-20200926-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20200926-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20200926-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20200926-1.{fc31,fc32,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libvhdi{,-devel,-python2,-python3,-tools}-20200926-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20200926-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20200926-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20200926-1.{fc31,fc32,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python2,-python3}-20200926-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2}-20200926-1.el6.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-python36}-20200926-1.el7.x86_64.rpm, and libvmdk{,-devel,-python2,-python3}-20200926-1.{fc31,fc32,el8}.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
bulk_extractor-1.6.0-3.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and bulk_extractor-1.6.0-3.{fc31,fc32,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
This version was rebuilt to add the python3-matplotlib dependency which caused be_grapher.py to be removed from CentOS/RHEL 7.
libqcow{,-devel,-python2,-python3}-20200928-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libqcow{,-devel,-python2}-20200928-1.el6.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-python36}-20200928-1.el7.x86_64.rpm, and libqcow{,-devel,-python2,-python3}-20200928-1.{fc31,fc32,el8}.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
python3-dfwinreg-20200928-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dfwinreg-20200928-1.el7.x86_64.rpm, and python3-dfwinreg-20200928-1.{fc31,fc32,el8}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
fmem-kernel-modules-fc32-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.11-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.11-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.11-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.11-100 for FC31
September 24, 2020:
The following changes have been made:
python3-xlsxwriter-1.3.6-1.{fc27,fc28,fc29}.noarch.rpm and python36-xlsxwriter-1.3.6-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
libfsntfs{,-devel,-python3}-20200921-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200921-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200921-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200921-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
python3-dfwinreg-20200415-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dfwinreg-20200415-1.el7.x86_64.rpm, and python3-dfwinreg-20200415-1.{fc31,fc32,el8}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
python3-dfvfs-20200920-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfvfs-20200920-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libfsext{,-devel,-python2,-python3,-tools}-20200819-2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-tools}-20200819-2.el6.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-python36,-tools}-20200819-2.el7.x86_64.rpm and libfsext{,-devel,-python2,-python3,-tools}-20200819-2.{fc31,fc32,el8}.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
This release correctly names the CentOS/RHEL 7 version (python36 vs. python3).
mac_apt-0.7-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and mac_apt-0.7-1.{fc321,fc32,el7,el8}.x86_64.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation.
It is a Python-based framework, which has plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
Here is a list of features:
Cross platform (no dependency on pyobjc)
Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression) and mounted images
XLSX, CSV, Sqlite outputs
Analyzed files/artifacts are exported for later review
zlib, lzvn, lzfse compressed files are supported!
Native HFS and APFS parser
Reads the Spotlight database and Unified Logging (tracev3) files
And here is a list of new functionality added in this release:
Support for macOS Big Sur (11.0)
FAST mode ⏳
Encrypted 🔒 APFS images can now be processed using password/recovery-key 🔑
macOS Catalina (10.15) images can be parsed now
macOS Catalina (10.15) separately mounted SYSTEM and DATA volumes now supported
AFF4 images (including macquisition created) now supported
CERT-Forensics-Tools-1.0-91.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-91.{fc31,fc32,el7,el8}.x86_64.rpm -
This release does the following:
Added mac_apt for Fedora and CentOS/RHEL 7 and 8.
pfring-7.6.0-3176.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3176.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2841.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.10-200 for FC32
5.8.9-200 for FC32
5.8.8-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.10-200 for FC32
5.8.9-200 for FC32
5.8.8-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.10-100 for FC31
5.8.9-101 for FC31
5.8.8-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.10-100 for FC31
5.8.9-101 for FC31
5.8.8-100 for FC31
fmem-kernel-modules-el8-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-193.19.1 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-9.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-193.19.1 for EL8
September 12, 2020:
The following changes have been made:
sleuthkit{,-devel,-libs}-4.10.0-1.1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.10.0-1.1.{fc31,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
autopsy-4.16.0-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.16.0-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses Java 8 from Bellsoft.
This version was tested on Fedora 27 through 32 and CentOS 7 and 8 for the x86_64 architecture using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run Autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
python2-pysocks-1.6.8-6.el8.noarch.rpm -
Pysocks is a fork of SocksiPy with bug fixes and extra features.
It acts as a drop-in replacement for the socket module.
This package was built for CentOS 8 to support the Volatility-community-plugins package.
python2-six-1.11.0-5.el8.noarch.rpm -
Six provides simple utilities for wrapping over differences between Python 2 and Python 3.
This package was built for CentOS 8 to support the Volatility-community-plugins package.
fmem-kernel-modules-fc32-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.7-200 for FC32
5.8.6-201 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-18.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.7-200 for FC32
5.8.6-201 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.6-101 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.6-101 for FC31
September 3, 2020:
The following changes have been made:
python3-dfdatetime-20200824-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfdatetime-20200824-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
libfsext{,-devel,-python2,-python3,-tools}-20200819-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-tools}-20200819-1.el6.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-python36,-tools}-20200819-1.el7.x86_64.rpm and libfsext{,-devel,-python2,-python3,-tools}-20200819-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
libcreg{,-devel,-python3,-tools}-20200725-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libcreg{,-devel,-python2,-tools}-20200725-1.el6.{i686,x86_64}.rpm, libcreg{,-devel,-python36,-tools}-20200725-1.el7.x86_64.rpm, and libfsext{,-devel,-python2,-python3,-tools}-20200819-1.{fc31,fc32,el8}.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
pfring-7.6.0-3146.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3146.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2780.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
lime-kernel-modules-common-1.1.r17-6.noarch.rpm -
LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
The changes are the following:
LiME code up to date as of August 31, 2020 (which includes changes for the 5.8 Linux kernels)
fmem-kernel-modules-fc32-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.8.4-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.8.4-200 for FC32
August 28, 2020:
The following changes have been made:
python3-dfdatetime-20200809-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfdatetime-20200809-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
snort-2.9.16.1-2.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.16.1-2.{fc31,fc32,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
This release corrected a packaging error where the openappid option was not correctly disabled.
snort-sample-rules-2.9.16.1-2.{fc27,fc28,fc29,fc30,fc31,fc32,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.1.16.1-2.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.16-1.{fc31,fc32,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
This release corrected a packaging error where the openappid option was not correctly enabled.
pfring-7.6.0-3144.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3144.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2775.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.17-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.17-200 for FC32
fmem-kernel-modules-el7-x86_64-1.6-1.69.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1127.19.1 for EL7
3.10.0-1127.18.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-69.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1127.19.1 for EL7
3.10.0-1127.18.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.68.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.33.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-68.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.33.1 for EL6
August 23, 2020:
The following changes have been made:
python3-xlsxwriter-1.3.3-1.{fc27,fc28,fc29}.noarch.rpm and python36-xlsxwriter-1.3.3-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
libvhdi{,-devel,-python2,-python3,-tools}-20200810-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20200810-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20200810-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20200810-1.{fc31,fc32,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python2,-python3}-20200810-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2}-20200810-1.el6.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-python36}-20200810-1.el7.x86_64.rpm, and libvmdk{,-devel,-python2,-python3}-20200810-1.{fc31,fc32,el8}.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
liblnk{,-devel,-python2,-python3}-20200810-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2}-20200810-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36}-20200810-1.el7.x86_64.rpm, and liblnk{,-devel,-python2,-python3}-20200810-1.{fc31,fc32,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libevt{,-devel,-python2,-python3}-20200810-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20200810-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20200810-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20200810-1.{fc31,fc32,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libvslvm{,-devel,-python2,-python3}-20200817-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-python36}-20200817-1.el7.x86_64.rpm, and libvslvm{,-devel,-python2,-python3}-20200817-1.{fc31,fc32,el8}.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libfsext{,-devel,-python2,-python3,-tools}-20200811-2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-tools}-20200811-2.el6.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-python36,-tools}-20200811-2.el7.x86_64.rpm and libfsext{,-devel,-python2,-python3,-tools}-20200811-2.{fc31,fc32,el8}.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
python3-elasticsearch-7.9.1-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-elasticsearch-7.9.1-1.el7.x86_64.rpm, python3-elasticsearch-7.9.1-1.{fc31,fc32,el8}.x86_64.rpm, and python2-elasticsearch-7.9.1-1.el6.{i686,x86_64}.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
pfring-7.6.0-3136.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3136.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2753.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.16-200 for FC32
5.7.15-200 for FC32
5.7.14-200 for FC32
5.7.12-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.16-200 for FC32
5.7.15-200 for FC32
5.7.14-200 for FC32
5.7.12-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.15-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.15-100 for FC31
August 6, 2020:
The following changes have been made:
snort-2.9.16.1-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.16.1-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
snort-sample-rules-2.9.16.1-1.{fc27,fc28,fc29,fc30,fc31,fc32,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.1.16.1-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.16-1.{fc31,fc32,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
libfsntfs{,-devel,-python3}-20200805-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200805-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200805-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200805-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libregf{,-devel,-python2,-python3}-20200805-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2}-20200805-1.el6.{i686,x86_64}.rpm, libregf{,-devel,-python2,-python36}-20200805-1.el7.x86_64.rpm, and libregf{,-devel,-python2,-python3}-20200805-1.{fc31,fc32,el8}.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
fmem-kernel-modules-fc32-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.11-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.11-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.11-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.11-100 for FC31
July 31, 2020:
The following changes have been made:
libfsntfs{,-devel,-python3}-20200726-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200726-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200726-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200726-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
libfsapfs{,-devel,-python2,-python3}-20200727-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20200727-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20200727-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20200727-1.{fc31,fc32,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libqcow{,-devel,-python2,-python3}-20200729-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libqcow{,-devel,-python2}-20200729-1.el6.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-python36}-20200729-1.el7.x86_64.rpm, and libqcow{,-devel,-python2,-python3}-20200729-1.{fc31,fc32,el8}.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
pfring-7.6.0-3097.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3097.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2705.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
bellsoft-java8-1.8.0.265-1+1.{i586,x86_64}-full.rpm -
Bellsoft Java was installed for Fedora 27 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
python3-elasticsearch-7.8.1-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-elasticsearch-7.8.1-1.el7.x86_64.rpm, python3-elasticsearch-7.8.1-1.{fc31,fc32,el8}.x86_64.rpm, and python2-elasticsearch-7.8.1-1.el6.{i686,x86_64}.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
fmem-kernel-modules-fc32-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.10-201 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.10-201 for FC32
fmem-kernel-modules-el8-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-193.14.2 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-8.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-193.14.2 for EL8
July 24, 2020:
The following changes have been made:
plaso-20200717-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20200717-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
docker-forensics-toolkit-0.2.0-2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and docker-forensics-toolkit-0.2.0-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Docker Forensics Toolkit is a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
See this page for usage instructions.
This version fixes a packaging problem.
libfwnt{,-devel,-python2,-python3}-20200723-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20200723-1.el6.{i686,x86_64}.rpm, libfwnt{,-devel,-python2,-python36}-20200723-1.el7.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20200723-1.{fc31,fc32,el8}.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libscca{,-devel,-python2,-python3,-tools}-20200717-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20200717-1.el6.{i686,x86_64}.rpm, libscca{,-devel,-python2,-python36,-tools}-20200717-1.el7.x86_64.rpm, and libscca{,-devel,-python2,-python3,-tools}-20200717-1.{fc31,fc32,el8}.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libolecf{,-devel,-python2,-python3}-20200724-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libolecf{,-devel,-python2}-20200724-1.el6.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-python36}-20200724-1.el7.x86_64.rpm, and libolecf{,-devel,-python2,-python3}-20200724-1.{fc31,fc32,el8}.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
bellsoft-java8-1.8.0.262-1+10.{i586,x86_64}-full.rpm -
Bellsoft Java
was installed for Fedora 27 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
fmem-kernel-modules-fc32-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.9-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.9-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.9-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.9-100 for FC31
July 17, 2020:
The following changes have been made:
libmsiecf{,-devel,-python2,-python3}-20200710-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2}-20200710-1.el6.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-python36}-20200710-1.el7.x86_64.rpm, and libmsiecf{,-devel,-python2,-python3}-20200710-1.{fc31,fc32,el8}.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
perl-Parse-Win32Registry-1.0-3.{fc27,fc28,fc29,fc30,fc31,fc32,el7,el8}.noarch.rpm -
perl-Parse-Win32Registry
is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API.
It provides an object-oriented interface to the keys and values in a registry file.
Registry files are structured as trees of keys, with each key containing further subkeys or values.
The module is intended to be cross-platform, and run on those platforms where Perl will run.
It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition).
It is intended to be used to parse offline registry files.
If a registry file is currently in use, you will not be able to open it.
However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
This version corrected a packaging error in the previous release.
regripper-30000000-2.{fc27,fc28,fc29,fc30,fc31,fc32,el7,el8}.noarch.rpm -
Regripper is a Windows Registry data extraction and correlation tool.
This package contains version 3.0 of the regripper tool.
The plugins are packaged separately.
This version is based on the May 28, 2020 version of the code, also known as RegRipper 3.0.
This version contains a patch that correctly finds the plugins folder.
libevt{,-devel,-python2,-python3}-20200715-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20200715-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20200715-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20200715-1.{fc31,fc32,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
pfring-7.6.0-3095.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3095.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2657.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.8-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.8-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.8-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.8-100 for FC31
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.67.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.31.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-67.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.31.1 for EL6
July 10, 2020:
The following changes have been made:
liblnk{,-devel,-python2,-python3}-20200709-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2}-20200709-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36}-20200709-1.el7.x86_64.rpm, and liblnk{,-devel,-python2,-python3}-20200709-1.{fc31,fc32,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libevt{,-devel,-python2,-python3}-20200708-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20200708-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20200708-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20200708-1.{fc31,fc32,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python2,-python3}-20200709-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2}-20200709-1.el6.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-python36}-20200709-1.el7.x86_64.rpm, and libevtx{,-devel,-python2,-python3}-20200709-1.{fc31,fc32,el8}.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
pfring-7.6.0-3060.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3060.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2605.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.7-200 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.7-200 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.7-100 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.7-100 for FC31
July 3, 2020:
The following changes have been made:
libfsntfs{,-devel,-python3}-20200627-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200627-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200627-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200627-1.{fc31,fc32,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python3-idna-2.10-1.{fc27,fc28,el8}.noarch.rpm and python36-idna-2.10-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891.
This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
python3-dfdatetime-20200613-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfdatetime-20200613-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python3-dtfabric-20200621-2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dtfabric-20200621-2.el7.x86_64.rpm, and python3-dtfabric-20200621-2.{fc31,fc32,el8}.x86_64.rpm -
Dtfabric is a project to manage data types and structures,
as used in the libyal projects.
python2-yara-4.0.2-1.fc30.{i386,x86_64}.rpm and python2-yara-4.0.2-1.x86_64.{fc31,fc32,el8}.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
python2-coverage-4.5.1-4.fc32.x86_64.rpm -
Python Coverage measures code coverage, typically during test execution.
It uses the code analysis tools and tracing hooks provided in the Python standard library to determine which lines are executable, and which have been executed.
This package was installed to support building python2-yara for Fedora 32.
python2-nose-1.3.7-24.fc32.noarch.rpm -
Python Nose extends the test loading and running features of unittest, making it easier to write, find and run tests.
This package was installed to support building python2-yara for Fedora 32.
docker-forensics-toolkit-0.2.0-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and docker-forensics-toolkit-0.2.0-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Docker Forensics Toolkit is a toolkit for performing post-mortem analysis of Docker runtime environments based on forensic HDD copies of the docker host system.
See this page for usage instructions.
python3-dfvfs-20200625-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-dfvfs-20200625-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
python3-redis-3.5-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-redis-3.5-1.el7.noarch.rpm -
Redis is a Python interface to the Redis key-value store.
plaso-20200630-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20200630-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
pfring-7.6.0-3059.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3059.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2599.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.7.6-201 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.7.6-201 for FC32
June 26, 2020:
The following changes have been made:
python{2,3}-certifi-2020.6.20-1.{fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python{2,36}-certifi-2020.6.20-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python3-bencode-4.0.0-1.{fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-bencode-4.0.0-1.el7.noarch.rpm -
Bencode re-packages the existing bencoding
and bdecoding implementation from the ‘official’ BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.7-0.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbroker-devel-3.0.7-0.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.7-0.{fc31,fc32,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.7-0.{fc31,fc32,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
pfring-7.6.0-3052.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3052.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2544.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.19-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.19-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.19-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.19-200 for FC31
fmem-kernel-modules-el7-x86_64-1.6-1.68.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1127.13.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-68.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1127.13.1 for EL7
June 19, 2020:
The following changes have been made:
perl-Parse-Win32Registry-1.0-2.{fc27,fc28,fc29,fc30,fc31,fc32,el7,el8}.noarch.rpm -
perl-Parse-Win32Registry
is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API.
It provides an object-oriented interface to the keys and values in a registry file.
Registry files are structured as trees of keys, with each key containing further subkeys or values.
The module is intended to be cross-platform, and run on those platforms where Perl will run.
It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition).
It is intended to be used to parse offline registry files.
If a registry file is currently in use, you will not be able to open it.
However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
This version was built with the new modules required for regripper Version 3.0.
regripper-30000000-1.{fc27,fc28,fc29,fc30,fc31,fc32,el7,el8}.noarch.rpm -
Regripper is a Windows Registry data extraction and correlation tool.
This package contains version 3.0 of the regripper tool.
The plugins are packaged separately.
This version is based on the May 28, 2020 version of the code, also known as RegRipper 3.0.
regripper-plugins-20200528-1.{fc27,fc28,fc29,fc30,fc31,fc32,el7,el8}.noarch.rpm -
Regripper-plugins
are the plugins packaged separately from the regripper application.
This package is taken from the plugins directory at the Github source code site as of 2020-05-28.
python3-elasticsearch-7.8.0-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-elasticsearch-7.8.0-1.el7.x86_64.rpm, python3-elasticsearch-7.8.0-1.{fc31,fc32,el8}.x86_64.rpm, and python2-elasticsearch-7.8.0-1.el6.{i686,x86_64}.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python36-requests-2.24.0-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
pfring-7.6.0-3043.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3043.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2534.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.18-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.18-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.18-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.18-200 for FC31
fmem-kernel-modules-el8-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-193.6.3 for EL8
4.18.0-193.1.2 for EL8
4.18.0-193 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-7.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-193.6.3 for EL8
4.18.0-193.1.2 for EL8
4.18.0-193 for EL8
June 12, 2020:
The following changes have been made:
Volatility-2.6.1-4.{fc27,fc28,fc29,fc30,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-4.{fc31,fc32,el7,el8}.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to June 8, 2020.
You can read about this version here.
libfwnt{,-devel,-python2,-python3}-20200605-1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20200605-1.el6.{i686,x86_64}.rpm, libfwnt{,-devel,-python2,-python36}-20200605-1.el7.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20200605-1.{fc31,fc32,el8}.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
pfring-7.6.0-3016.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3016.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2522.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.16-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.16-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.16-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.16-200 for FC31
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.66.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.30.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-66.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.30.2 for EL6
June 5, 2020:
The following changes have been made:
veracrypt-1.24.6-1.{fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and veracrypt-1.24.6-1.{fc31,fc32,el7,el8}.x86_64.rpm -
VeraCrypt is free open source disk encryption software for Windows, Mac OS X and Linux, based on TrueCrypt 7.1a.
pfring-7.6.0-3011.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3011.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2503.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.15-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.15-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.15-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.15-200 for FC31
fmem-kernel-modules-el7-x86_64-1.6-1.67.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1127.10.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-67.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1127.10.1 for EL7
May 29, 2020:
The following changes have been made:
disktype-9-30.1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and disktype-9-30.1.{fc31,fc32,el7,el8}.x86_64.rpm -
Disktype detects the content format of a disk or disk image.
This version is based on the standard version with support for
exfat,
LUKS,
f2fs,
btrfs, and
EXT 2, 3, and 4,
all courtesy Erik Uitto formerly from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
This version was rebuilt to increment the release number to be higher (30.1) than the current version provided for either Fedora (30) or CentOS/RHEL (29).
python3-elasticsearch-7.7.1-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-elasticsearch-7.7.1-1.el7.x86_64.rpm, python3-elasticsearch-7.7.1-1.{fc31,fc32,el8}.x86_64.rpm, and python2-elasticsearch-7.7.1-1.el6.{i686,x86_64}.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Note that the Python 2 version is no longer provided except for CentOS/RHEL 6.
python3-bencode-3.0.1-1.{fc26,fc27,fc28,fc29,fc30,fc31,fc32,el8}.noarch.rpm and python36-bencode-3.0.1-1.el7.noarch.rpm -
Bencode re-packages the existing bencoding
and bdecoding implementation from the ‘official’ BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
pfring-7.6.0-3000.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-3000.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2477.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.14-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.14-300 for FC32
Fedora 26 - Updates to Fedora 26 for both the i686 and x86_64 CPU architectures have ceased.
May 22, 2020:
The following changes have been made:
bellsoft-java8-1.8.0.252-1+9.{i586,x86_64}-full.rpm -
Bellsoft Java
was installed for Fedora 26 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux where this recommendation can be found.
Note that the previous version of BellSoft's Java that was installed as part of autopsy can be removed with:
sudo yum erase bellsoft-java8 -y
autopsy-4.15.0-6.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.15.0-6.{fc31,fc32,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
This version uses the aforementioned version of Java 8 from Bellsoft.
This version was tested on Fedora 26 through 32 and CentOS 7 and 8 for the x86_64 architectures using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata.
Those archives were correctly parsed and the EXIF data verified.
If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical.
Use the following to install the XRDP client if necessary, adjust the host's firewall to allow RDP connections, adjust this depth parameter, and start or restart the XRDP client:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
python3-artifacts-20200515-1.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, artifacts-data-20200515-1.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm,
python36-artifacts-20200515-1.el7.x86_64.rpm, artifacts-data-20200515-1.el7.x86_64.rpm,
python3-artifacts-20200515-1.{fc31,fc32,el8}.x86_64.rpm, and artifacts-data-20200515-1.{fc31,fc32,el8}.x86_64.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
python2-yara-4.0.1-1.fc30.{i386,x86_64}.rpm and python2-yara-4.0.1-1.x86_64.{fc31,fc32,el8}.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
pfring-7.6.0-2990.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2990.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2473.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.13-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.13-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.13-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.13-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.39.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.13-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-39.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.13-100 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.66.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1127.8.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-66.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1127.8.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.65.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.29.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-65.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.29.2 for EL6
May 15, 2020:
The following changes have been made:
plaso-20200430-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20200430-1.{fc31,fc32,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
sevenzipjbinding-16.02_2.01-1.el7.x86_64.rpm -
7-Zip Bindings is a java wrapper for 7-Zip C++ library.
It allows extraction of many archive formats using a very fast native library directly from java through JNI.
This version was built for CentOS/RHEL 7 due to a compiler inconsistency with the version provided with Autopsy 4.15.0.
autopsy-4.15.0-5.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.15.0-5.{fc31,fc32,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
This release fixes a problem with the 7 Zip ingest module on CentOS/RHEL 7.
For all other releases for all other systems, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
apfs-fuse-20200429-1.{fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm and apfs-fuse-20200429-1.{fc31,fc32,el7,el8}.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones.
Although most of the time it should just report an error.
pfring-7.6.0-2977.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2977.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2448.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc32-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.12-300 for FC32
5.6.11-300 for FC32
lime-kernel-modules-fc32-x86_64-1.1.r17-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.12-300 for FC32
5.6.11-300 for FC32
fmem-kernel-modules-fc31-x86_64-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.11-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.11-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.38.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.11-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-38.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.11-100 for FC30
May 11, 2020:
The following changes have been made:
autopsy-4.15.0-4.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.15.0-4.{fc31,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
This release reverts to the JDK that comes with the OS and away from BellSoft.
It also fixes a problem with the CentOS/RHEL version.
May 10, 2020:
The following changes have been made:
autopsy-4.15.0-3.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.15.0-3.{fc31,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
This release reverts to the JDK that comes with the OS and away from BellSoft.
May 8, 2020:
The following changes have been made:
guymager-0.8.12-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and guymager-0.8.12-1.{fc31,el7,el8}.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
hachoir-3.1.2-1.{fc26,fc27,fc28,fc29,fc30,fc31,el7,el8}.noarch.rpm -
Hachoir is a Python library to view and edit a binary stream field by field.
In other words, Hachoir allows you to "browse" any binary stream just like you browse directories and files.
A file is split into a tree of fields, where the smallest field is just one bit.
Examples of fields types: integers, strings, bits, padding types, floats, etc.
Hachoir is the French word for a meat grinder (meat mincer), which is used by butchers to divide meat into long tubes;
Hachoir is used by computer butchers to divide binary files into fields.
Notes:
In this version, these tools are all available: hachoir-grep, hachoir-metadata, hachoir-strip,
hachoir-urwid, and hachoir-wx.
As such, the previous packages where these tools were packaged separately are obsoleted.
For CentOS/RHEL 8, the hachoir-wx program is not available due to a lack of the Python 3 version of wx.
CERT-Forensics-Tools-1.0-90.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-90.{fc31,el7,el8}.x86_64.rpm -
This release does the following:
Added hachoir for Fedora and CentOS/RHEL 7 and 8.
sleuthkit{,-devel,-libs}-4.9.0-1.1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.9.0-1.1.{fc31,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
bellsoft-jdk8u252+9-linux-{i586,amd64}.rpm -
Bellsoft Java was installed for Fedora 26 through 32 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux.
autopsy-4.15.0-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.15.0-2.{fc31,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
ghidra-9.1.2-PUBLIC_20200212.2.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and ghidra-9.1.2-PUBLIC_20200212.2.{fc26,fc31,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvement here.
This release repairs some incorrect file permissions and properly references various other files within the Ghidra hierarchy.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.5-0.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbroker-devel-3.0.5-0.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.5-0.{fc31,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.5-0.{fc31,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
rifiuti2-0.7.0-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and rifiuti2-0.7.0-4.{fc31,el7,el8}.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.
This package was updated to avoid a conflict with the rifiuti package.
libfsntfs{,-devel,-python3}-20200506-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200506-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200506-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200506-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python2-colorama-0.4.1-2.{fc30,fc31,fc32,el8}.noarch.rpm -
Python-Colorama is a Python library that makes ANSI escape character sequences (for producing colored terminal text and cursor positioning) work under MS Windows.
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
For all other releases, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
umit-1.0-17.1.{fc32,el8}.noarch.rpm -
Umit is a front-end for nmap.
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
For all other releases, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
python{2,3}-m2crypto-0.35.2-3.1.{fc32,el8}.x86_64.rpm -
M2Crypto is a Python library that allows you to call OpenSSL functions from Python 2 and 3 scripts.
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
For all other releases, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
python-netaddr-0.7.19-18.1.fc32.x86_64.rpm -
python-netaddr is a pure Python network address representation and manipulation library. Python-netaddr provides a Pythonic way of working with:
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
python2-enum34-1.1.6-10.1.fc32.noarch.rpm -
python-enum34 is the Python 3.4 version of enum backported to Python 2, in this case.
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
python2-yara-3.11.0-4.{fc30,el6}.{i386,x86_64}.rpm and python2-yara-3.11.0-4.{fc31,fc32,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
This package was built to negate obsoletes in fedora-obsolete-packages for Fedora 32.
For all other releases, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
pfring-7.6.0-2963.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2963.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2431.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-1.6-1.19.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 32 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-19.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 32 x86_64 architecture was added.
fmem-kernel-modules-fc31-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.8-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.8-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.8-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.8-100 for FC30
Fedora 32 - The repository now supports Fedora 32 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 32:
May 1, 2020:
The following changes have been made:
qtmltfs-2.4.0.2-1.{fc28,fc29,fc30}.{i686,x86_64}.rpm and qtmltfs-2.4.0.2-1.{fc31,el7,el8}.x86_64.rpm -
QTMLTFS (Quantum Linear Tape File System) enables standard file operations on LTO-5 and LTO-6 tape media.
libfsntfs{,-devel,-python3}-20200428-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200428-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200428-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200428-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python3-dfvfs-20200429-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python36-dfvfs-20200429-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
libregf{,-devel,-python2,-python3}-20200429-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2}-20200429-1.el6.{i686,x86_64}.rpm, libregf{,-devel,-python2,-python36}-20200429-1.el7.x86_64.rpm, and libregf{,-devel,-python2,-python3}-20200429-1.{fc31,el8}.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
python3-dfdatetime-20200501-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python36-dfdatetime-20200501-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
pfring-7.6.0-2934.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2934.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2425.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-common-1.6-1.6.noarch.rpm -
Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations.
This package contains the source code for making the Fmem kernel modules and the install-fmem script.
The changes are the following:
The Fmem code was updated to provide support for Linux 5.6 kernels.
fmem-kernel-modules-fc31-x86_64-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.6.7-200 for FC31
5.6.6-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.6.7-200 for FC31
5.6.6-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.7-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.7-100 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.65.noarch.rpm -
Support for the following kernels, previously missing due to configuration errors, was added for Fmem:
3.10.0-1127 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-65.noarch.rpm -
Support for the following kernels, previously missing due to configuration errors, was added for LiME:
3.10.0-1127 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.64.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.29.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-64.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.29.1 for EL6
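The LiME and Fmem kernel-module packages listed above are built per kernel release, so a module only loads on the exact kernel it was built against. Before acquiring memory on a live system it is worth checking that the running kernel (the output of uname -r) is one of the releases an entry lists, and which sub-package would carry it. The script below is an added example, not part of LiFTeR, LiME or Fmem; it assumes the "version-release for FCnn/ELn" line form used on this page and the Fedora/EL uname -r convention version-release.dist.arch (for example 5.6.13-200.fc31.x86_64 or 3.10.0-1127.8.2.el7.x86_64). The sample entry is constructed from kernel lines that appear on this page; kernels whose release string does not follow that convention (a +debug or locally built kernel) are reported as unsupported rather than guessed at.

```python
"""Check a running kernel against the kernel lines of a LiFTeR LiME/Fmem entry.

Added example; not LiFTeR, LiME or Fmem code. Assumes the changelog form
"<version>-<release> for <FC|EL><n>" used on this page and the Fedora/EL
`uname -r` form "<version>-<release>.<dist>.<arch>".
"""
import os
import re

# Constructed sample entry: kernel lines copied from this page's changelog.
SAMPLE_ENTRY = """\
Support for the following kernels was added for LiME:
5.6.13-200 for FC31
5.6.12-300 for FC32
3.10.0-1127.8.2 for EL7
2.6.32-754.29.2 for EL6
"""

# "5.6.13-200 for FC31"  ->  ("5.6.13-200", "fc31")
KERNEL_LINE = re.compile(r"^(\d+\.\d+\.\d+-[\d.]+)\s+for\s+(FC|EL)(\d+)$", re.IGNORECASE)
# "3.10.0-1127.8.2.el7.x86_64"  ->  ("3.10.0-1127.8.2", "el7", "x86_64")
UNAME_RE = re.compile(r"^(\d+\.\d+\.\d+-[\d.]+)\.(fc|el)(\d+)\.([A-Za-z0-9_]+)$")


def parse_supported_kernels(entry_text):
    """Return the set of (version-release, dist) pairs listed in an entry."""
    supported = set()
    for line in entry_text.splitlines():
        m = KERNEL_LINE.match(line.strip())
        if m:
            supported.add((m.group(1), (m.group(2) + m.group(3)).lower()))
    return supported


def parse_uname(release):
    """Split a `uname -r` string into (version-release, dist, arch).

    Returns None for anything that is not a plain Fedora/EL release string
    (e.g. a +debug or locally built kernel); the caller treats that as
    unsupported instead of guessing a match.
    """
    m = UNAME_RE.match(release.strip())
    if not m:
        return None
    return m.group(1), m.group(2) + m.group(3), m.group(4)


def kernel_is_supported(release, entry_text):
    """True only if the exact kernel release is listed for its distribution."""
    parsed = parse_uname(release)
    if parsed is None:
        return False
    version_release, dist, _arch = parsed
    return (version_release, dist) in parse_supported_kernels(entry_text)


def module_package_for(tool, release):
    """Name of the LiFTeR sub-package that would carry the module, or None.

    Follows the naming visible on this page: <tool>-kernel-modules-<dist>-<arch>.
    """
    parsed = parse_uname(release)
    if parsed is None:
        return None
    _version_release, dist, arch = parsed
    return "%s-kernel-modules-%s-%s" % (tool, dist, arch)


if __name__ == "__main__":
    running = os.uname().release
    for tool in ("lime", "fmem"):
        pkg = module_package_for(tool, running) or "(unrecognised kernel release format)"
        status = "listed" if kernel_is_supported(running, SAMPLE_ENTRY) else "NOT listed"
        print("%s: kernel %s is %s in the sample entry; package would be %s"
              % (tool, running, status, pkg))
```

Run it on the target before loading a module: if the running kernel is not listed, the repository's meta-package will not pull in a matching module, and a module built for a neighbouring kernel release must not be forced in with insmod on an evidence host.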
April 24, 2020:
The following changes have been made:
libesedb{,-devel,-python2,-python3}-20200418-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libesedb{,-devel,-python2}-20200418-1.el6.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-python36}-20200418-1.el7.x86_64.rpm, and libesedb{,-devel,-python2,-python3}-20200418-1.{fc31,el8}.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
libevt{,-devel,-python2,-python3}-20200418-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20200418-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20200418-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20200418-1.{fc31,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python2,-python3}-20200419-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2}-20200419-1.el6.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-python36}-20200419-1.el7.x86_64.rpm, and libevtx{,-devel,-python2,-python3}-20200419-1.{fc31,el8}.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libfsntfs{,-devel,-python3}-20200416-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200416-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200416-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200416-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
pfring-7.6.0-2926.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2926.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2411.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.17-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.17-200 for FC31
April 17, 2020:
The following changes have been made:
daq{,-devel,-modules}-2.0.7-10.1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and daq{,-devel,-modules}-2.0.7-10.1.{fc31,el7,el8}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
This release differs from daq provided by Fedora and EPEL because it contains the static libraries required by snort.
snort-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.16-1.{fc31,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
snort-sample-rules-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.16-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.16-1.{fc31,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
bulk_extractor-1.6.0-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and bulk_extractor-1.6.0-2.{fc31,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
This version was rebuilt to add SQLite and LibXML build dependencies.
libewf-experimental{,-devel,-python3,-tools}-20200405-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libewf-experimental{,-devel,-python2,-tools}-20200405-1.el6.{i686,x86_64}.rpm,
libewf-experimental{,-devel,-python36,-tools}-20200405-1.el7.x86_64.rpm, and libewf-experimental{,-devel,-python3,-tools}-20200405-1.{fc31,el8}.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora or CentOS/RHEL 8:
python{2,36}-psutil-5.7.0-2.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
Note that the Python 2 version is now provided and the Python 3 version no longer obsoletes the Python 2 version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-1.{fc31,el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.1-2.{fc31,el6,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of cert-forensics-tools-release; its definition can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
analysis-pipeline-5.11.3-4.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.3-4.{fc31,el7,el8}.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.19.0 release 3.
prism-1.2-9.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and prism-1.2-9.{fc31,el7,el8}.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.19.0.
super_mediator-1.7.1-3.{fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.1-3.{fc31,el7,el8}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use silk 3.19.0.
libfsapfs{,-devel,-python2,-python3}-20200416-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20200416-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20200416-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20200416-1.{fc31,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
pfring-7.6.0-2903.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2903.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2375.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.16-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.16-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.35.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.16-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-35.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.16-100 for FC30
fmem-kernel-modules-el8-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-147.8.1 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-6.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-147.8.1 for EL8
April 10, 2020:
The following changes have been made:
python{2,3}-certifi-2020.4.5.1-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python{2,36}-certifi-2020.4.5.1-1.el7.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python{2,3}-pyparsing-2.4.7-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm, python{2,36}-pyparsing-2.4.7-1.el7.noarch.rpm, and pyparsing-doc-2.4.7-1.{fc26,fc27,fc28,fc29,fc30,fc31,el7,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
bulk_extractor-1.6.0-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and bulk_extractor-1.6.0-1.{fc31,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
CERT-Forensics-Tools-1.0-89.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-89.{fc31,el7,el8}.x86_64.rpm -
This release does the following:
Added bulk_extractor
Volatility-community-plugins-20190729-5.{fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
This package was updated to reflect the removal of the python-dpapick dependency for Fedora 31.
No changes were made for any of the other provided systems.
python2-dpapick-0.3-1.fc31.noarch.rpm -
Python-DPAPick is a Python toolkit that provides a platform-independent implementation of Microsoft's cryptography subsystem called DPAPI (Data Protection API).
This package was removed from the Fedora 31 repository for the x86_64 architecture.
python-CFPropertyList-0.0.1-1.fc31.x86_64.rpm -
Python-CFPropertyList is a Python toolkit that contains classes to read binary property list files as defined by Apple.
This package was removed from the Fedora 31 repository for the x86_64 architecture.
python-registry-1.2.0-1.fc31.x86_64.rpm -
Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
This package was removed from the Fedora 31 repository for the x86_64 architecture.
python-unicodecsv-0.14.0-1.fc31.x86_64.rpm -
Python-unicodecsv is a drop-in replacement for Python 2.7’s csv module which supports unicode strings without a hassle.
This package was removed from the Fedora 31 repository for the x86_64 architecture.
pfring-7.6.0-2900.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2900.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2358.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.18.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.15-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-18.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.15-200 for FC31
fmem-kernel-modules-el8-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-147.5.1 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-147.5.1 for EL8
April 3, 2020:
The following changes have been made:
cert-forensics-tools-release-{6,7,8,26,27,28,29,30,31}-15.noarch.rpm -
cert-forensics-tools-release is the package that connects a Fedora- and CentOS/RHEL-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to include a new Forensics team key which is also available here.
pfring-7.6.0-2891.{el6,el7}.x86_64.rpm and pfring-7.6.0-2888.el8.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2891.{el6,el7}.x86_64.rpm and pfring-dkms-7.6.0-2888.el8.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2351.{el6,el7}.x86_64.rpm and ndpi-3.2.0-2340.el8.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.13-200 for FC31
5.5.11-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.13-200 for FC31
5.5.11-200 for FC31
March 27, 2020:
The following changes have been made:
python{2,3}-elasticsearch-7.6.0-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, python{2,36}-elasticsearch-7.6.0-1.el7.x86_64.rpm, and python{2,3}-elasticsearch-7.6.0-1.{fc31,el8}.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python3-zmq{,-tests}-19.0.0-el8.x86_64.rpm -
ZMQ provides the Python bindings for ØMQ. This documentation currently contains notes on some important aspects of developing PyZMQ and an overview of what the ØMQ API looks like in Python.
For information on how to use ØMQ in general, see the many examples in the excellent ØMQ Guide, all of which have a version in Python.
pfring-7.6.0-2887.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2887.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2340.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
yaf{,-devel}-2.11.0-4.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-4.{fc31,el7,el8}.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
snort-2.9.15.1-2.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.15.1-2.{fc31,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
snort-openappid-2.9.15.1-2.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.15.1-2.{fc31,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6, 7, and 8 for the x86_64 architecture.
fmem-kernel-modules-fc31-x86_64-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.10-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.10-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.10-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.10-100 for FC30
March 21, 2020:
The following changes have been made:
ddrescue-1.25-1.{fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm -
Ddrescue is a data recovery tool.
It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See here for the changes since the last version (1.24) released to this repository.
cutter-1.10.1-1.fc30.{i686,x86_64}.rpm and cutter-1.10.1-1.fc31.x86_64.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
These packages have been removed from the repository because they are now provided by Fedora in a package named cutter-re.
cutter-1.10.1-1.{fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and cutter-1.10.1-1.{el7,el8}.x86_64.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
These packages have been removed from the repository because they are now provided by a package named cutter-re, to be consistent with the packages provided by Fedora.
cutter-re-1.7.3-2.{fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and cutter-re-1.7.3-1.{el7,el8}.x86_64.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
Its goal is to make an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version of cutter is based on the code dated 2019-01-15 which was built to embed radare2 version 2.6.0 in it.
This release provides the same files as cutter-1.7.3-1 except that the package is renamed to be consistent with the packages provided by Fedora.
CERT-Forensics-Tools-1.0-88.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-88.{fc31,el7,el8}.x86_64.rpm -
This release does the following:
Obsoletes cutter.
Adds cutter-re.
aeskeyfind-1.0-3.{fc31,el7,el8}.x86_64.rpm and aeskeyfind-1.0-3.fc30.{i686,x86_64}.rpm -
Aeskeyfind illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image.
This package has been removed from the repository because it is now provided by Fedora.
fmem-kernel-modules-fc31-x86_64-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.9-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.9-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.9-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.9-100 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.64.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1062.18.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-64.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1062.18.1 for EL7
March 13, 2020:
The following changes have been made:
pfring-7.6.0-2867.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2867.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2314.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.8-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.8-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.8-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.8-100 for FC30
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.63.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.28.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-63.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.28.1 for EL6
March 4, 2020:
The following changes have been made:
python3-dfvfs-20200211-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python36-dfvfs-20200211-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
plaso-20200227-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20200227-1.{fc31,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
pfring-7.6.0-2853.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2853.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2295.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.7-200 for FC31
5.5.6-201 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.7-200 for FC31
5.5.6-201 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.7-100 for FC30
5.5.6-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.7-100 for FC30
5.5.6-100 for FC30
February 28, 2020:
The following changes have been made:
libfsntfs{,-devel,-python3}-20200223-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200223-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200223-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200223-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
python3-xlsxwriter-1.2.8-1.{fc26,fc27,fc28,fc29,fc30,el8}.noarch.rpm and python36-xlsxwriter-1.2.8-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
Note that the Python 2 version is no longer provided.
python{2,3}-future-0.18.2-1.{fc31,el8}.noarch.rpm -
Python-Future is the missing compatibility layer between Python 2 and Python 3.
It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
This package was built to support the packaging of Python-PEFile
which in turn is needed to support the packaging of Volatility-community-plugins.
python3-idna-2.9-1.{fc26,fc27,fc28,el8}.noarch.rpm and python36-idna-2.10-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891.
This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
python36-psutil-5.7.0-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
Note that the Python 2 version is no longer provided.
python{2,3}-requests-2.23.0-1.fc26.{i686,x86_64}.rpm and python36-requests-2.23.0-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-3.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-3.{fc31,el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-4.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-4.{fc31,el6,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release, named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
Note: The version of SiLK that was released on 2019-10-24 contained some bugs that were fixed in the version dated 2019-10-28.
This release contains those fixes.
analysis-pipeline-5.11.3-3.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.3-3.{fc31,el7,el8}.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.19.0 release 3.
prism-1.2-8.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and prism-1.2-8.{fc31,el7,el8}.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.19.0.
super_mediator-1.7.1-2.{fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.1-2.{fc31,el7,el8}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use silk 3.19.0.
fmem-kernel-modules-common-1.6-1.5.noarch.rpm -
Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations.
This package contains the source code for making the FMEM kernel modules and the install-fmem script.
The changes are the following:
Fmem code is up to date as of February 28, 2020, which incorporates changes for Linux 5.5 kernels.
pfring-7.6.0-2852.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2852.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2295.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.5.5-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.5.5-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.21-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.21-100 for FC30
February 21, 2020:
The following changes have been made:
cutter-1.10.1-1.fc30.{i686,x86_64}.rpm and cutter-1.10.1-1.fc31.x86_64.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
Its goal is to make an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
Note that this release is only available for Fedora 30 and 31 because it relies on Qt version 5.12.
ghidra-9.1.2-PUBLIC_20200212.1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and ghidra-9.1.2-PUBLIC_20200212.1.{fc26,fc31,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
pfring-7.6.0-2845.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.6.
pfring-dkms-7.6.0-2845.{el6,el7}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.2.0-2284.{el6,el7}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.20-200 for FC31
5.4.19-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.20-200 for FC31
5.4.19-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.19-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.19-100 for FC30
February 17, 2020:
The following changes have been made:
Volatility-community-plugins-20190729-4.{fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
This package was updated to reflect the removal of python2-simplejson from EPEL for CentOS/RHEL 8.
No changes were made for any of the other provided systems.
February 14, 2020:
The following changes have been made:
python3-artifacts-20200118-2.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, artifacts-data-20200118-2.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm,
python36-artifacts-20200118-2.el7.x86_64.rpm, artifacts-data-20200118-2.el7.x86_64.rpm,
python3-artifacts-20200118-2.{fc31,el8}.x86_64.rpm, artifacts-data-20200118-2.{fc31,el8}.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
Note that the Python 2 version is no longer provided.
python{2,3}-cffi-1.14.0-1.el8.x86_64.rpm and cffi-doc-1.14.0-1.el8.noarch.rpm -
Python-CFFI is a C Foreign Function Interface for Python.
Interact with almost any C code from Python, based on C-like declarations that you can often copy-paste from header files or documentation.
python3-dfdatetime-20200121-2.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python36-dfdatetime-20200121-2.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
Note that the Python 2 version is no longer provided.
python3-dfvfs-20200121-2.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm and python36-dfvfs-20200121-2.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
Note that the Python 2 version is no longer provided.
python3-dfwinreg-20200121-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dfwinreg-20200121-2.el7.x86_64.rpm, and python3-dfwinreg-20200121-2.{fc31,el8}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
Note that the Python 2 version is no longer provided.
python3-dtfabric-20200119-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-dtfabric-20200119-2.el7.x86_64.rpm, and python3-dtfabric-20200119-2.{fc31,el8}.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
Note that the Python 2 version is no longer provided.
libfsntfs{,-devel,-python3}-20200201-2.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20200201-2.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python36}-20200201-2.el7.x86_64.rpm, and libfsntfs{,-devel,-python3}-20200201-2.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
Note that the Python 2 version is no longer provided.
zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.1-0.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbroker-devel-3.0.1-0.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-3.0.1-0.{fc31,el7,el8}.x86_64.rpm, and libbroker-devel-3.0.1-0.{fc31,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
Please note: zeek packages install files in /opt/zeek.
To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
python{2,3}-elasticsearch-7.5.1-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, python{2,36}-elasticsearch-7.5.1-1.el7.x86_64.rpm, and python{2,3}-elasticsearch-7.5.1-1.{fc31,el8}.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
libluksde{,-devel,-python3,-tools}-20200205-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libluksde{,-devel,-python2,-tools}-20200205-1.el6.{i686,x86_64}.rpm, libluksde{,-devel,-python36,-tools}-20200205-1.el7.x86_64.rpm, and libluksde{,-devel,-python3,-tools}-20200205-1.{fc31,el8}.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
Note that the Python 2 version is only provided for CentOS/RHEL 6.
libsmdev{,-devel,-python3}-20200210-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2}-20200210-1.el6.{i686,x86_64}.rpm, libsmdev{,-devel,-python36}-20200210-1.el7.x86_64.rpm, and libsmdev{,-devel,-python3}-20200210-1.{fc31,el8}.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
Note that the Python 2 version is only provided for CentOS/RHEL 6.
python36-lz4-3.0.2-1.el7.x86_64.rpm -
LZ4 contains the Python bindings for the lz4 compression library.
Note that the Python 2 version is no longer provided.
sleuthkit{,-devel,-libs}-4.8.0-1.1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.8.0-1.1.{fc31,el7}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
Note that CentOS/RHEL 6 is no longer being updated.
autopsy-4.14.0-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and autopsy-4.14.0-1.{fc31,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Note: this release no longer requires the JDK from Oracle for Fedora 25 through 30, relying instead on version 1.8.0 of OpenJDK provided by Fedora, along with version 1.8.0 of OpenJFX, also provided by Fedora.
However, for CentOS/RHEL 7 and 8, the latest version of JDK 8 from Oracle is required, and this package has been added to the appropriate repositories.
In addition, this release also contains an autopsy.desktop file that supports the GNOME and Mate window managers.
Further, note that CentOS/RHEL 6 is no longer being updated.
python3-pytsk3-20200117-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python36-pytsk3-20200117-1.el7.x86_64.rpm, and python3-pytsk3-20200117-1.{fc31,el8}.x86_64.rpm -
Pytsk is Python bindings for The Sleuth Kit.
python3-idna-2.8-1.{fc26,fc27,fc28,el8}.noarch.rpm and python36-idna-2.8-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891. This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
python{2,3}-requests-2.22.0-3.fc26.{i686,x86_64}.rpm and python36-requests-2.22.0-3.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
plaso-20200121-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20200121-1.{fc31,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
CERT-Forensics-Tools-1.0-87.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-87.{fc31,el7,el8}.x86_64.rpm -
The registrydecoder package was removed due to its dependence on Python 2.
pfring-7.4.0-2835.el7.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2835.el7.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
Here is the announcement of PF_Ring 7.4.
pfring-7.4.0-2836.el6.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2836.el6.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2242.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.18-200 for FC31
5.4.17-200 for FC31
5.4.15-200 for FC31
5.4.14-200 for FC31
5.4.13-201 for FC31
5.4.12-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.18-200 for FC31
5.4.17-200 for FC31
5.4.15-200 for FC31
5.4.14-200 for FC31
5.4.13-201 for FC31
5.4.12-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.18-100 for FC30
5.4.17-100 for FC30
5.4.14-100 for FC30
5.4.12-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.18-100 for FC30
5.4.17-100 for FC30
5.4.14-100 for FC30
5.4.12-100 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.63.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1062.12.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-63.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1062.12.1 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.62.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.27.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-62.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.27.1 for EL6
January 17, 2020:
The following changes have been made:
fmem-kernel-modules-fc31-x86_64-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.10-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.10-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.10-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.10-100 for FC30
fmem-kernel-modules-el8-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-147.3.1 for EL8
4.18.0-147.0.3 for EL8
4.18.0-147 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-147.3.1 for EL8
4.18.0-147.0.3 for EL8
4.18.0-147 for EL8
January 10, 2020:
The following changes have been made:
snort-2.9.15.1-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.15.1-1.{fc31,el7,el8}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
snort-sample-rules-2.9.15.1-1.{fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.1.15-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.15.1-1.{fc31,el7,el8}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
pfring-7.4.0-2804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2155.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
fmem-kernel-modules-fc31-x86_64-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.8-200 for FC31
5.4.7-200 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.8-200 for FC31
5.4.7-200 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.4.7-100 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.4.7-100 for FC30
January 3, 2020:
The following changes have been made:
libluksde{,-devel,-python2,-python3,-tools}-20200101-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libluksde{,-devel,-python2,-tools}-20200101-1.el6.{i686,x86_64}.rpm, libluksde{,-devel,-python2,-python36,-tools}-20200101-1.el7.x86_64.rpm, and libluksde{,-devel,-python2,-python3,-tools}-20200101-1.{fc31,el8}.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
libvslvm{,-devel,-python2,-python3}-20200102-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2}-20200102-1.el6.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-python36}-20200102-1.el7.x86_64.rpm, and libvslvm{,-devel,-python2,-python3}-20200102-1.{fc31,el8}.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
December 27, 2019:
The following changes have been made:
libbde{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbde{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libbde{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libbde{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libesedb{,-devel,-python2,-python3}-20192120-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libesedb{,-devel,-python2}-20192120-1.el6.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-python36}-20192120-1.el7.x86_64.rpm, and libesedb{,-devel,-python2,-python3}-20192120-1.{fc31,el8}.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
libevt{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libevtx{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libexe{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libexe{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libexe{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libexe{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libfsapfs{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libfsntfs{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libfvde{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfvde{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libfvde{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
libfwnt{,-devel,-python2,-python3}-20191222-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20191222-1.el6.{i686,x86_64}.rpm, libfwnt{,-devel,-python2,-python36}-20191222-1.el7.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20191222-1.{fc31,el8}.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfwps{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwps{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libfwps{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libfwps{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
LibFWPS is a library for Windows Property Store data types.
libfwsi{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libfwsi{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libfwsi{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and liblnk{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libmsiecf{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libmsiecf{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libolecf{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libolecf{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libqcow{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libqcow{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libqcow{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libregf{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libregf{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libregf{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libsigscan{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libsigscan{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libsmdev{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libsmdev{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libsmraw{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvhdi{,-devel,-python2,-python3,-tools}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20191221-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20191221-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20191221-1.{fc31,el8}.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libvmdk{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libvshadow{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libvshadow{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
libvslvm{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libvslvm{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libwrc{,-devel,-python2,-python3}-20191221-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libwrc{,-devel,-python2}-20191221-1.el6.{i686,x86_64}.rpm, libwrc{,-devel,-python2,-python36}-20191221-1.el7.x86_64.rpm, and libwrc{,-devel,-python2,-python3}-20191221-1.{fc31,el8}.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
plaso-20191203-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20191203-1.{fc31,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
python{2,3}-xlsxwriter-1.2.7-1.{fc26,fc27,fc28,fc29,fc30,el8}.noarch.rpm and python{2,36}-xlsxwriter-1.2.7-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
libscca{,-devel,-python2,-python3,-tools}-20191222-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20191222-1.el6.{i686,x86_64}.rpm, libscca{,-devel,-python2,-python36,-tools}-20191222-1.el7.x86_64.rpm, and libscca{,-devel,-python2,-python3,-tools}-20191222-1.{fc31,el8}.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
python{2,3}-pyparsing-2.4.6-1.{fc26,fc27,fc28,fc29,fc30,fc31,el8}.noarch.rpm, python{2,36}-pyparsing-2.4.6-1.el7.noarch.rpm, and pyparsing-doc-2.4.6-1.{fc26,fc27,fc28,fc29,fc30,fc31,el7,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
pfring-7.4.0-2795.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2795.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2144.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.61.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.25.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-61.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.25.3 for EL6
December 20, 2019:
The following changes have been made:
libfwnt{,-devel,-python2,-python3}-20191219-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20191219-1.el6.{i686,x86_64}.rpm, libfwnt{,-devel,-python2,-python36}-20191219-1.el7.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20191219-1.{fc31,el8}.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfsntfs{,-devel,-python2,-python3,-tools}-20191218-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20191218-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-python36,-tools}-20191218-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20191218-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
fmem-kernel-modules-fc31-x86_64-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.16-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.16-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.16-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.16-200 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.62.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
3.10.0-1062.9.1 for EL7
3.10.0-1062.7.1 for EL7
3.10.0-1062.4.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-62.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
3.10.0-1062.9.1 for EL7
3.10.0-1062.7.1 for EL7
3.10.0-1062.4.2 for EL7
December 12, 2019:
The following changes have been made:
liblnk{,-devel,-python2,-python3,-tools}-20191209-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20191209-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36,-tools}-20191209-1.el7.x86_64.rpm, liblnk{,-devel,-python2,-python3,-tools}-20191209-1.{fc31,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
pfring-7.4.0-2780.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2780.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2120.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc31-x86_64-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.15-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.15-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.15-200 for FC30
5.3.14-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-24.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.15-200 for FC30
5.3.14-200 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.61.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.9.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-61.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.9.1 for EL7
December 7, 2019:
The following changes have been made:
pfring-7.4.0-2774.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2774.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2104.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
December 6, 2019:
The following changes have been made:
certifi-2019.11.28-1.{fc26,fc27,fc28,fc29,fc30,fc31,el7,el8}.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
libfsntfs{,-devel,-python2,-python3,-tools}-20191201-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20191201-1.el6.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-python36,-tools}-20191201-1.el7.x86_64.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20191201-1.{fc31,el8}.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
liblnk{,-devel,-python2,-python3,-tools}-20191203-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20191203-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36,-tools}-20191203-1.el7.x86_64.rpm, liblnk{,-devel,-python2,-python3,-tools}-20191203-1.{fc31,el8}.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
fmem-kernel-modules-fc31-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.14-300 for FC31
5.3.13-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.14-300 for FC31
5.3.13-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.23.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.13-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-23.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.13-200 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.60.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.7.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-60.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.7.1 for EL7
Fedora 25 - Updates to Fedora 25 for both the i686 and x86_64 CPU architectures have ceased.
November 27, 2019:
The following changes have been made:
python{2,3}-psutil-5.6.7-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
pfring-7.4.0-2768.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2768.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2086.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc31-x86_64-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.12-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.12-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.12-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-22.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.12-200 for FC30
November 22, 2019:
The following changes have been made:
python{2,3}-elasticsearch-7.1.0-1.{fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, python{2,36}-elasticsearch-7.1.0-1.el7.x86_64.rpm, and python{2,3}-elasticsearch-7.1.0-1.{fc31,el8}.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
python{2,3}-xlsxwriter-1.2.6-1.{fc26,fc27,fc28,fc29,fc30,el7,el8}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
python3-zmq{,-tests}-18.1.1-el8.x86_64.rpm and zmq{,-tests}-18.1.1-el8.x86_64.rpm -
ZMQ is the Python bindings for ØMQ. This documentation currently contains notes on some important aspects of developing PyZMQ and an overview of what the ØMQ API looks like in Python.
For information on how to use ØMQ in general, see the many examples in the excellent ØMQ Guide, all of which have a version in Python.
python2-haystack-0.42-3.{fc25,fc26,fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
Python-Haystack is a heap analysis framework, focused on searching for and reversing C structures in allocated memory.
libffi{,-devel}-3.1-19.el8.x86_64.rpm -
Libffi is a portable foreign function interface library.
This package was built to support the packaging of python-cffi.
python{2,3}-ply-3.11-2.el8.noarch.rpm -
Python-PLY is an implementation of lex and yacc parsing tools for Python.
This package was built to support the packaging of Python-PYCParser.
python{2,3}-pycparser-2.14-18.el8.noarch.rpm -
Python-PYCParser is a complete C99 parser in pure Python.
This package was built to support the packaging of Python-CFFI.
python{2,3}-cffi-1.11.5-7.el8.x86_64.rpm and python-cffi-doc-1.11.5-7.el8.noarch.rpm -
Python-CFFI is a C Foreign Function Interface for Python.
Interact with almost any C code from Python, based on C-like declarations that you can often copy-paste from header files or documentation.
This package was built to support the packaging of python-ssdeep.
python{2,3}-ssdeep-3.2-1.el8.x86_64.rpm -
Python-SSDeep is a Python wrapper for SSDeep fuzzy hashing library.
This package was built to support the packaging of Volatility-community-plugins.
python2-dpapick-0.3-1.{fc25,fc26,fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
Python-DPAPick is a Python toolkit to provide a platform-independent implementation of Microsoft's cryptography subsystem called DPAPI (Data Protection API).
This package was built to support the packaging of Volatility-community-plugins.
python2-ioc_writer-0.3.3-1.{fc25,fc26,fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
Python-IOCWriter is a Python library that provides a limited CRUD for manipulating OpenIOC formatted Indicators of Compromise.
This package was built to support the packaging of Volatility-community-plugins.
python2-pycoin-0.77-0.{fc25,fc26,fc26,fc27,fc28,fc29,fc30,fc31,el6,el7,el8}.noarch.rpm -
Python-PYCoin is a Python library that implements many utilities useful when dealing with bitcoin and some bitcoin-like alt-coins.
It has been tested with Python 2.7, 3.6 and 3.7.
This package was built to support the packaging of Volatility-community-plugins.
python2-colorama-0.3.9-4.el8.noarch.rpm -
Python-Colorama is a Python library that makes ANSI escape character sequences (for producing colored terminal text and cursor positioning) work under MS Windows.
This package was built to support the packaging of Volatility-community-plugins.
python{2,3}-m2crypto-0.30.1-2.el8.x86_64.rpm -
M2Crypto is a Python library that allows you to call OpenSSL functions from Python 2 and 3 scripts.
This package was built to support the packaging of Python-Typing.
python2-typing-3.6.2-4.el8.noarch.rpm -
Python-Typing is a Python library that defines a standard notation for type annotations.
This package was built to support the packaging of Volatility-community-plugins.
python{2,3}-future-0.16.0-4.el8.noarch.rpm -
Python-Future is the missing compatibility layer between Python 2 and Python 3.
It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
This package was built to support the packaging of Python-PEFile
which in turn is needed to support the packaging of Volatility-community-plugins.
Volatility-community-plugins-20190729-3.el8.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
This package was added to CentOS/RHEL 8.
python{2,3}-pyfixbuf-0.8.1-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, python2-pyfixbuf-0.8.1-1.el6.{i686,x86_64}.rpm, python{2,36}-pyfixbuf-0.8.1-1.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building IPFIX collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
ghidra-9.1-PUBLIC_20191023.1.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and ghidra-9.1-PUBLIC_20191023.1.{fc25,fc26,fc31,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
python{2,3}-requests-2.22.0-2.fc26.{i686,x86_64}.rpm and python36-requests-2.22.0-2.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
In this release, the dependencies for urllib3 were updated.
plaso-20190916-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190708-1.{fc31,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that for Fedora 25, all of the ancillary packages needed by plaso are installed with the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 25, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
November 15, 2019:
The following changes have been made:
python{2,3}-xlsxwriter-1.2.5-1.{fc26,fc27,fc28,fc29,fc30,fc31,el7,el8}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
python{2,3}-pyparsing-2.4.5-1.{fc26,fc27,fc28,fc29,el8}.noarch.rpm, python2-pyparsing-2.4.4-1.el6.noarch.rpm, and pyparsing-doc-2.4.4-1.{fc26,fc27,fc28,fc29,el6,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
libesedb{,-devel,-python2,-python3,-tools}-20191111-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20191111-1.el6.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-python36,-tools}-20191111-1.el7.x86_64.rpm, and libesedb{,-devel,-python2,-python3,-tools}-20191111-1.el8.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
libsmdev{,-devel,-python2,-python3,-tools}-20191112-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20191112-1.el6.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-python36,-tools}-20191112-1.el7.x86_64.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20191112-1.el8.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
pfring-7.4.0-2751.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2751.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2057.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc31-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.11-300 for FC31
5.3.9-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-3.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.11-300 for FC31
5.3.9-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.21.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.11-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-21.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.11-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.37.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.11-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-37.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.11-100 for FC29
fmem-kernel-modules-el7-x86_64-1.6-1.59.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.4.3 for EL7
3.10.0-1062.4.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-59.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.4.3 for EL7
3.10.0-1062.4.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.60.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.23.3 for EL6
2.6.32-754.23.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-60.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.23.3 for EL6
2.6.32-754.23.2 for EL6
November 8, 2019:
The following changes have been made:
daq{,-devel,-modules}-2.0.6-8.1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and daq{,-devel,-modules}-2.0.6-8.1.{el7,el8}.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
libregf{,-devel,-python2,-python3,-tools}-20191102-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20191102-1.el6.{i686,x86_64}.rpm, libregf{,-devel,-python2,-python36,-tools}-20191102-1.el7.x86_64.rpm, and libregf{,-devel,-python2,-python3,-tools}-20191102-1.el8.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libsmdev{,-devel,-python2,-python3,-tools}-20191103-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20191103-1.el6.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-python36,-tools}-20191103-1.el7.x86_64.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20191103-1.el8.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python2,-python3,-tools}-20191103-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20191103-1.el6.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-python36,-tools}-20191103-1.el7.x86_64.rpm, and libsmraw{,-devel,-python2,-python3,-tools}-20191103-1.el8.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvshadow{,-devel,-python2,-python3,-tools}-20191103-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20191103-1.el6.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-python36,-tools}-20191103-1.el7.x86_64.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20191103-1.el8.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
libqcow{,-devel,-python2,-python3,-tools}-20191103-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20191103-1.el6.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-python36,-tools}-20191103-1.el7.x86_64.rpm, and libqcow{,-devel,-python2,-python3,-tools}-20191103-1.el8.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libfsapfs{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libfsapfs{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
libfvde{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libfvde{,-devel,-python2,-python3,-tools}-20191104-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
libfwnt{,-devel,-python2,-python3}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20191104-1.el6.{i686,x86_64}.rpm, libfwnt{,-devel,-python2,-python36}-20191104-1.el7.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20191104-1.el8.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libmsiecf{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc29,fc30}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libmsiecf{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libolecf{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libscca{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libscca{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libscca{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libvhdi{,-devel,-python2,-python3,-tools}-20191104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libvmdk{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libbde{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libbde{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libbde{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
libevt{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libevt{,-devel,-python2,-python36,-tools}-20191104-5.el7.x86_64.rpm, and libevt{,-devel,-python2,-python3,-tools}-20191104-5.el8.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libevtx{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libvslvm{,-devel,-python2,-python3,-tools}-20191104-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20191104-1.el6.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-python36,-tools}-20191104-1.el7.x86_64.rpm, and libvslvm{,-devel,-python2,-python3,-tools}-20191104-1.el8.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
Volatility-community-plugins-20190729-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
This package was updated to change dependencies.
python2-haystack-0.42-2.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
Python-Haystack is a heap analysis framework focused on searching for and reversing C structures in allocated memory.
rifiuti2-0.7.0-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and rifiuti2-0.7.0-3.el7.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
This package was updated to avoid a conflict with the rifiuti package.
python{2,3}-pyparsing-2.4.4-1.{fc26,fc27,fc28,fc29,el8}.noarch.rpm, python2-pyparsing-2.4.4-1.el6.noarch.rpm, and pyparsing-doc-2.4.4-1.{fc26,fc27,fc28,fc29,el6,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
python{2,3}-psutil-5.6.5-1.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
python{2,3}-xlsxwriter-1.2.3-1.{fc26,fc27,fc28,fc29,fc30,el7,el8}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
pfring-7.4.0-2741.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2741.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2048.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc31-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.8-300 for FC31
lime-kernel-modules-fc31-x86_64-1.1.r17-2.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.8-300 for FC31
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.20.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.8-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-20.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.8-200 for FC30
fmem-kernel-modules-1.6-1.18.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 31 x86_64 architecture was added.
lime-kernel-modules-1.1.r17-18.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 31 x86_64 architecture was added.
Fedora 31 - The repository now supports Fedora 31 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 31:
November 1, 2019:
The following changes have been made:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-1.{el7,el8}.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
libipa{,-devel,python}-0.5.2-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and libipa{,-devel,python}-0.5.2-3.{el6,el7,el8}.x86_64.rpm -
LibIPA is an IP address annotation system.
IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access.
For more information, read the IPA documentation.
Note: this release provides no new functionality.
This package was rebuilt to change the name from ipa to libipa to address a conflict with CentOS/RHEL 8.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.19.0-2.{el6,el7,el8}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.11.3-2.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.3-2.{el7,el8}.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.19.0.
prism-1.2-7.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and prism-1.2-7.{el7,el8}.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.19.0.
super_mediator-1.7.1-1.{fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.1-1.{el7,el8}.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
See here for a list of changes in this version.
libfwsi{,-devel,-python2,-python3}-20191025-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20191025-1.el6.{i686,x86_64}.rpm, libfwsi{,-devel,-python2,-python36}-20191025-1.el7.x86_64.rpm, and libfwsi{,-devel,-python2,-python36}-20191025-1.el8.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python2,-python3,-tools}-20191027-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20191027-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36,-tools}-20191027-1.el7.x86_64.rpm, and liblnk{,-devel,-python2,-python36,-tools}-20191027-1.el8.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
python{2,3}-yara-3.11.0-1.{i386,x86_64}.fc30.rpm, python2-yara-3.11.0-1.{i386,x86_64}.el6.rpm, and python{2,3}-yara-3.11.0-1.x86_64.el8.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
libregf{,-devel,-python2,-python3,-tools}-20191029-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20191029-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python36,-tools}-20191029-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libscca{,-devel,-python2,-python3,-tools}-20191029-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and libscca{,-devel,-python2,-python36,-tools}-20191029-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
pfring-7.4.0-2736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2011.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.19.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.7-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-19.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.7-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.36.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.6-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-36.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.6-100 for FC29
fmem-kernel-modules-el7-x86_64-1.6-1.58.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.4.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-58.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.4.1 for EL7
October 25, 2019:
The following changes have been made:
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.18.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-18.noarch.rpm -
Modules for the following kernels were rebuilt to use the latest version of LiME:
5.3.6-200 5.3.5-200 5.2.18-200 5.2.17-200
5.2.16-200 5.2.15-200 5.2.14-200 5.2.13-200
5.2.11-200 5.2.9-200 5.2.8-200 5.2.7-200
5.2.6-200 5.2.5-200 5.1.20-300 5.1.19-300
5.1.18-300 5.1.17-300 5.1.16-300 5.1.15-300
5.1.12-300 5.1.11-300 5.1.9-300 5.1.8-300
5.1.7-300 5.1.6-300 5.1.5-300 5.0.17-300
5.0.16-300 5.0.14-300 5.0.13-300 5.0.11-300
5.0.10-300 5.0.9-301
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.35.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-35.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.42.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-42.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.44.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-44.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.38.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-38.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.50.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-50.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-el8-x86_64-1.6-1.3.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-el8-x86_64-1.1.r17-3.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-80.11.2
4.18.0-80.11.1
4.18.0-80.7.2
4.18.0-80.7.1
4.18.0-80.4.2
4.18.0-80.1.2
4.18.0-80
fmem-kernel-modules-el7-x86_64-1.6-1.57.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-el7-x86_64-1.1.r17-57.noarch.rpm -
Support for the following kernels was added for LiME:
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.59.noarch.rpm -
No additional modules were added for Fmem.
This package was only updated to keep its revision number equal to that of LiME.
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-59.noarch.rpm -
Support for the following kernels was added for LiME:
lime-kernel-modules-common-1.1.r17-5.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
The changes are the following:
LiME code up to date as of October 21, 2019.
CaptureMemoryWithLime fixes an error where the image file name contained spaces.
fmem-kernel-modules-common-1.6-1.4.noarch.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations.
This package contains the source code for making the FMEM kernel modules and the install-fmem script.
The changes are the following:
Fmem code up to date as of October 21, 2019.
install-fmem fixes an error where the path to the kernel modules was wrong.
pfring-7.4.0-2734.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2734.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-2002.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-distorm3-3.4.1-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, python2-distorm3-3.4.1-2.el6.{i386,x86_64}.rpm, python{2,36}-distorm3-3.4.1-2.el7.x86_64.rpm, and python{2,3}-distorm3-3.4.1-2.el8.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
October 18, 2019:
The following changes have been made:
libfwsi{,-devel,-python2,-python3}-20191012-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20191012-1.el6.{i686,x86_64}.rpm, libfwsi{,-devel,-python2,-python36}-20191012-1.el7.x86_64.rpm, and libfwsi{,-devel,-python2,-python3}-20191012-1.el8.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
ADIA -
This item refers to the VMware- and VirtualBox-based appliances built with CentOS 7.7.1908 for the x86_64 architecture.
See here for more details.
The release consists of the following:
python{2,3}-xlsxwriter-1.2.2-1.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-xlsxwriter-1.2.2-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
pfring-7.4.0-2710.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2710.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-1979.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.17.noarch.rpm -
Support for the following kernels was added for Fmem:
5.3.6-200 for FC30
5.3.5-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-17.noarch.rpm -
Support for the following kernels was added for LiME:
5.3.6-200 for FC30
5.3.5-200 for FC30
fmem-kernel-modules-el8-x86_64-1.6-1.2.noarch.rpm -
Support for the following kernels was added for Fmem:
4.18.0-80.11.2 for EL8
4.18.0-80.11.1 for EL8
4.18.0-80.7.2 for EL8
4.18.0-80.7.1 for EL8
4.18.0-80.4.2 for EL8
4.18.0-80.1.2 for EL8
lime-kernel-modules-el8-x86_64-1.1.r17-2.noarch.rpm -
Support for the following kernels was added for LiME:
4.18.0-80.11.2 for EL8
4.18.0-80.11.1 for EL8
4.18.0-80.7.2 for EL8
4.18.0-80.7.1 for EL8
4.18.0-80.4.2 for EL8
4.18.0-80.1.2 for EL8
October 11, 2019:
The following changes have been made:
CentOS 8 - The repository now supports CentOS 8 for the x86_64 CPU architecture.
Here is the list of tools provided for CentOS 8:
lime-kernel-modules-1.1.r17-17.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for CentOS/RHEL 8 x86_64 architecture was added.
fmem-kernel-modules-1.6-1.17.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for CentOS/RHEL 8 x86_64 architecture was added.
ghostpdl-9.27-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and ghostpdl-9.27-1.{el7,el8}.x86_64.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
python{2,3}-elasticsearch-7.0.5-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python{2,36}-elasticsearch-7.0.5-1.el7.x86_64.rpm, and python{2,3}-elasticsearch-7.0.5-1.el8.x86_64.rpm -
python-elasticsearch is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extensible.
libfwsi{,-devel,-python2,-python3}-20191006-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20191006-1.el6.{i686,x86_64}.rpm, libfwsi{,-devel,-python2,-python36}-20191006-1.el7.x86_64.rpm, and libfwsi{,-devel,-python2,-python3}-20191006-1.el8.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python2,-python3,-tools}-20191006-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20191006-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-python36,-tools}-20191006-1.el7.x86_64.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20191006-1.el8.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format.
libsigscan{,-devel,-python2,-python3,-tools}-20191006-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20191006-1.el6.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-python36,-tools}-20191006-1.el7.x86_64.rpm, and libsigscan{,-devel,-python2,-python3,-tools}-20191006-1.el8.x86_64.rpm -
Libsigscan is a library and tools for binary signature scanning.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.72-1.{fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libpst{,-devel,-devel-doc,-doc,-libs,-python36}-0.6.72-1.el7.x86_64.rpm, and libpst{,-devel,-devel-doc,-doc,-libs,-python3}-0.6.72-1.el8.x86_64.rpm -
The libpst utilities convert Outlook .pst files to other formats.
See here for the list of changes.
ntfs-3g{,-devel}-2017.3.23-11.el6.{i686,x86_64}.rpm and ntfs-3g{,-devel}-2017.3.23-11.{el7,el8}.x86_64.rpm -
NTFS-3g is a stable, full-featured, read-write NTFS driver for Linux, Android, Mac OS X, FreeBSD, NetBSD, OpenSolaris, QNX, Haiku, and other operating systems.
It provides safe handling of the Windows XP, Windows Server 2003, Windows 2000, Windows Vista, Windows Server 2008, Windows 7, Windows 8 and Windows 10 NTFS file systems.
snort-2.9.15-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.15-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
snort-sample-rules-2.9.15-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.15-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.15-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
pfring-7.4.0-2707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-3.0.0-1978.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.16.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.18-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-16.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.18-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.34.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.18-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-34.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.18-100 for FC29
October 4, 2019:
The following changes have been made:
pfring-7.4.0-2700.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2700.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1951.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.33.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.17-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-33.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.17-100 for FC29
fmem-kernel-modules-el7-x86_64-1.6-1.56.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.1.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-56.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.1.2 for EL7
September 27, 2019:
The following changes have been made:
pfring-7.4.0-2682.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2682.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1885.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.15.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.17-200 for FC30
5.2.16-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-15.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.17-200 for FC30
5.2.16-200 for FC30
September 20, 2019:
The following changes have been made:
python{2,3}-xlsxwriter-1.2.1-1.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-xlsxwriter-1.2.1-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
analysis-pipeline-5.11.3-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.3-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes.
pfring-7.4.0-2675.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2675.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1875.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.14.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.15-200 for FC30
5.2.14-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-14.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.15-200 for FC30
5.2.14-200 for FC30
fmem-kernel-modules-el7-x86_64-1.6-1.55.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-1062.1.1 for EL7
3.10.0-1062 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-55.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-1062.1.1 for EL7
3.10.0-1062 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.57.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.22.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-57.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.22.1 for EL6
September 13, 2019:
The following changes have been made:
libvslvm{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
Note: This is a repackaging of the libvslvm tools version 20160110.
certifi-2019.9.11-1.{fc26,fc27,fc28,fc29,fc30,el7}.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
pfring-7.4.0-2658.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2658.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1848.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.13.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.13-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-13.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.13-200 for FC30
September 6, 2019:
The following changes have been made:
ADIA -
This item consists of the VMware and VirtualBox appliances built with CentOS 7.6.1810 for the x86_64 architecture.
See here for more details.
The release consists of the following:
pfring-7.4.0-2643.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2643.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1820.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.12.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.11-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-12.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.11-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.32.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.11-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-32.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.11-100 for FC29
August 30, 2019:
The following changes have been made:
python{2,3}-xlsxwriter-1.2.0-1.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-xlsxwriter-1.2.0-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
CERT-Forensics-Tools-1.0-86.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-86.el7.x86_64.rpm -
Removed the dependency of the kernel-PAE-modules-extra package for Fedora 28 and beyond.
libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libewf{,-devel,-python2,-tools}-20160718-20140806.4.el6.{i686,x86_64}.rpm, and
libewf{,-devel,-python2,-python36,-tools}-20160718-20140806.4.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140806 but to make it the latest version, the version number was changed to the build date (20160718)
and the release number changed to include the source code release date (20140806).
This release obsoletes (which causes the removal of) the ewftools package which is provided by Fedora.
libfixbuf{,-devel}-2.4.0-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and libfixbuf{,-devel}-2.4.0-1.el7.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.3-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.3-1.el7.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.3-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.3-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of
cert-forensics-tools-release; its definition can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
See here for a list of changes in this version.
libschemaTools{,-devel}-1.3-6.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-6.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
This package was rebuilt to use libfixbuf 2.4.0.
python{2,3}-pyfixbuf-0.8.0-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, python2-pyfixbuf-0.8.0-1.el6.{i686,x86_64}.rpm, and python{2,36}-pyfixbuf-0.8.0-1.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
analysis-pipeline-5.11.2-2.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.2-2.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use libfixbuf 2.4.0.
super_mediator-1.7.0-4.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and super_mediator-1.7.0-4.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use libfixbuf 2.4.0.
yaf{,-devel}-2.11.0-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-3.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
This package was rebuilt to use libfixbuf 2.4.0.
pfring-7.4.0-2623.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2623.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1797.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
August 23, 2019:
The following changes have been made:
jdk-12.0.2_linux-x64_bin.rpm -
JDK is the Java SE Development Kit 12.0.2 from Oracle.
This package has been installed in the Fedora 25 and 26 and CentOS/RHEL 7 repositories for the x86_64 architecture.
ghidra-9.0.4-PUBLIC_20190516.3.{fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and ghidra-9.0.4-PUBLIC_20190516.3.{fc25,fc26,el7}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
Note: this release no longer requires JDK from Oracle for Fedora 27 through 30, relying instead on the latest version of OpenJDK provided by Fedora, specified as java-latest for Fedora 28 and beyond and java-11 for Fedora 27.
However, for Fedora 25 and 26 and CentOS/RHEL 7, JDK Version 11 or higher is required and this package has been added to the appropriate repositories.
In addition, this release also contains a ghidra.desktop file that supports the GNOME and MATE window managers.
sleuthkit{,-devel,-libs}-4.6.7-1.1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.6.7-1.1.el7.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
jdk-8u221-linux-x64.rpm -
JDK is the Java SE Development Kit 8, Update 221 from Oracle.
This package has been installed in the CentOS/RHEL 7 repository for the x86_64 architecture and in the CentOS/RHEL 6 repositories for the i386 and x86_64 architectures.
autopsy-4.12.0-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and autopsy-4.12.0-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Note: this release no longer requires JDK from Oracle for Fedora 25 through 30, relying instead on version 1.8.0 of OpenJDK provided by Fedora, along with version 1.8.0 of OpenJFX, also provided by Fedora.
However, for CentOS/RHEL 6 and 7, the latest version of JDK 8 from Oracle is required and this package has been added to the appropriate repositories.
In addition, this release also contains an autopsy.desktop file that supports the GNOME and MATE window managers.
python{2,3}-xlsxwriter-1.1.9-1.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and {python2,36}-xlsxwriter-1.1.9-1.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
bro{,-core,ctl,-debugsource,-devel,-libcaf-devel}-2.6.3-0.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbroker-devel-2.6.3-0.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, bro{,-core,ctl,-debugsource,-devel,-libcaf-devel}-2.6.3-0.el7.x86_64.rpm, and libbroker-devel-2.6.3-0.el7.x86_64.rpm -
Bro (now Zeek) is a powerful network analysis framework that is much different from the typical IDS you may know.
(Zeek is the new name for the long-established Bro system. Note that parts of the system retain the "Bro" name, and it also often appears in the documentation and distributions.)
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
python{2,3}-elasticsearch-7.0.4-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-elasticsearch-7.0.4-1.el7.x86_64.rpm -
python-elasticsearch is the official low-level Python client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extensible.
pfring-7.4.0-2612.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2612.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1770.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.11.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.9-200 for FC30
5.2.8-200 for FC30
5.2.7-200 for FC30
5.2.6-200 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-11.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.9-200 for FC30
5.2.8-200 for FC30
5.2.7-200 for FC30
5.2.6-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.31.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.7-100 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-31.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.7-100 for FC29
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.56.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.18.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-56.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.18.2 for EL6
August 8, 2019:
The following changes have been made:
libregf{,-devel,-python2,-python3,-tools}-20190805-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20190805-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python36,-tools}-20190805-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File (REGF) format.
snort-2.9.14.1-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.14.1-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
snort-sample-rules-2.9.14.1-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.14.1-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.14.1-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
ghidra-9.0.4-PUBLIC_20190516.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and ghidra-9.0.4-PUBLIC_20190516.el7.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
Please note that you must install the JDK for Ghidra to work.
In testing, the Java Development Kit (JDK) version 11.0.2 was used and worked successfully.
Ghidra expects a program named java to be available in the directories named in the PATH variable.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.10.noarch.rpm -
Support for the following kernels was added for Fmem:
5.2.5-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-10.noarch.rpm -
Support for the following kernels was added for LiME:
5.2.5-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.30.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.21-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-30.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.21-200 for FC29
5.1.18-200 for FC29
August 2, 2019:
The following changes have been made:
python{2,3}-pyparsing-2.4.2-1.{fc26,fc27,fc28,fc29}.noarch.rpm, python2-pyparsing-2.4.2-1.el6.noarch.rpm, and pyparsing-doc-2.4.2-1.{fc26,fc27,fc28,fc29,el6}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
python-yara-3.9.0-2.{i386,x86_64}.el6.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
fmem-kernel-modules-el7-x86_64-1.6-1.54.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-957.27.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-54.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-957.27.2 for EL7
July 31, 2019:
The following changes have been made:
python{2,3}-dfvfs-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-dfvfs-20190714-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
libregf{,-devel,-python2,-python3,-tools}-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20190714-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python36,-tools}-20190714-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File (REGF) format.
plaso-20190708-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190708-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that for Fedora 25, all of the ancillary packages needed by plaso are installed with the pip program in a Python virtual environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 25, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
testdisk-7.1-1.1.el6.{i686,x86_64}.rpm and qphotorec-7.0-4.1.el6.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
These releases were built to use the latest version of libewf that is installed in this repository.
analysis-pipeline-5.11.2-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.2-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
apfs-fuse-20190723-1.{fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm and apfs-fuse-20190723-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones.
Although most of the time it should just report an error.
cutter-1.8.3-20190701.fc30.{i686,x86_64}.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
Its goal is to make an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version is built with the source code that is available on 2019-05-14.
Note that this release is only available for Fedora 30 because it relies on Qt version 5.12.
python{2,3}-dfwinreg-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-dfwinreg-20190714-1.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
libguytools-2.1.0-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and libguytools-2.1.0-1.el7.x86_64.rpm -
Libguytools is a package of subroutines and header files needed to build and operate guymager.
The changes are:
Cleaned up for C++14, some minor prototype changes to ensure same bit widths on different architectures
Some debugging (handling user errors in configuration files)
Understands # at beginning of line (first non-blank char) for remarks (REM still remains valid)
guymager-0.8.11-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and guymager-0.8.11-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
libmodi{,-devel,-python2,-python3,-tools}-20190513-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmodi{,-devel,-python2,-tools}-20190513-1.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python2,-python36,-tools}-20190513-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libphdi{,-devel,-python,-python3,-tools}-20190506-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libphdi{,-devel,-python,-tools}-20190506-1.el6.{i686,x86_64}.rpm, and libphdi{,-devel,-python,-python36,-tools}-20190506-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
Volatility-2.6.1-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-3.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to July 29, 2019.
You can read about this version here.
To install this update on Fedora 25 and CentOS/RHEL 6 and 7, you must first do the following:
sudo rpm -ev yara-python --nodeps
Volatility-community-plugins-20190729-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/ and to use them you need to specify this location on the command line thusly:
volatility --plugins=/usr/share/volatility/plugins/community ...
Note: The following plugins were removed from all systems: AlexanderTarasenko, ThomasWhite, ProcessFuzzyHash, AFF4, JavierVallejo, PeterCasey, LorenzLiebler, Citronneur, AlizHammon, and TranVienHa,
and the following were also removed for el6: BartoszInglot, DaveLasalle, ESET_Browserhooks, FrankBlock, LoicJaquemet, PhilipHuppert, ThomasChopitea, TranVienHa, and YingLi.
pfring-7.4.0-2604.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2604.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1753.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.20-300 for FC30
5.1.19-300 for FC30
5.1.18-300 for FC30
5.1.17-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-9.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.20-300 for FC30
5.1.19-300 for FC30
5.1.18-300 for FC30
5.1.17-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.20-200 for FC29
5.1.18-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-29.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.20-200 for FC29
5.1.18-200 for FC29
July 12, 2019:
The following changes have been made:
pfring-7.4.0-2598.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2598.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1645.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.8.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.16-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-8.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.16-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.28.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.16-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-28.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.16-200 for FC29
July 3, 2019:
The following changes have been made:
libsigscan{,-devel,-python2,-python3,-tools}-20190629-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20190629-1.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python2,-python36,-tools}-20190629-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libevtx{,-devel,-python2,-python3,-tools}-20190619-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20190619-1.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python36,-tools}-20190619-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libbde{,-devel,-python2,-python3,-tools}-20190701-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190701-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python36,-tools}-20190701-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
pfring-7.4.0-2595.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2595.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1641.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
rifiuti2-0.7.0-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and rifiuti2-0.7.0-2.el7.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.7.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.15-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-7.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.15-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.15-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-27.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.15-200 for FC29
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.55.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.17.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-55.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.17.1 for EL6
June 28, 2019:
The following changes have been made:
libewf-experimental{,-devel,-tools,-python2,-python3,-tools}-20190317-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libewf-experimental{,-devel,-tools,-python2,-tools}-20190317-1.el6.{i686,x86_64}.rpm, and libewf-experimental{,-devel,-tools,-python2,-python36,-tools}-20190317-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs packages in /usr/local so that it can be optionally installed along with the conventional Libewf packages, where package contents are installed in /usr.
Further, the Libewf-Experimental packages have been installed in the forensics-test repository.
You will need to enable this repository with this command for Fedora:
pfring-7.4.0-2580.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2580.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1619.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.6.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.12-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-6.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.12-300 for FC30
June 21, 2019:
The following changes have been made:
certifi-2019.6.16-1.{fc25,fc26,fc27,fc28,fc29,fc30,el7}.noarch.rpm -
Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
python{2,3}-dfvfs-20190609-1.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-dfvfs-20190609-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.2-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.2-1.el7.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.2-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm,
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.2-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.11.1-2.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.1-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
Note: This release was built to add JSON alerting capabilities.
prism-1.2-6.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and prism-1.2-6.el7.x86_64.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.18.2.
super_mediator-1.7.0-3.{fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.0-3.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
This package was rebuilt to use libfixbuf 3.18.2.
plaso-20190531-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190531-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that for Fedora 25, all of the ancillary packages needed by plaso are installed with the pip program in a Python virtual environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 25, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
snort-2.9.13-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-2.9.13-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
snort-sample-rules-2.9.13-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.13-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.13-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
pfring-7.4.0-2567.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2567.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1601.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.11-300 for FC30
5.1.9-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.11-300 for FC30
5.1.9-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.11-200 for FC29
5.1.9-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-26.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.11-200 for FC29
5.1.9-200 for FC29
fmem-kernel-modules-el7-x86_64-1.6-1.53.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-957.21.3 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-53.noarch.rpm -
Support for the following kernels was added for LiME:
3.10.0-957.21.3 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.54.noarch.rpm -
Support for the following kernels was added for Fmem:
2.6.32-754.15.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-54.noarch.rpm -
Support for the following kernels was added for LiME:
2.6.32-754.15.3 for EL6
June 14, 2019:
The majority of changes made in this announcement rename packages for CentOS/RHEL to conform to the CentOS/RHEL standard of Python 3 packages including
the Python version in the package name.
For example, where the package for Fedora 30 is named python3-artifacts, the CentOS/RHEL version is named python36-artifacts.
For version and release consistency, the Fedora packages have been updated even though they contain no new functionality.
With this release, Plaso is now provided as a conventional package rather than as a Python virtual environment for CentOS/RHEL 7 and Fedora 26.
In addition, the CentOS/RHEL repositories were audited and packages that are provided by CentOS/RHEL, EPEL, or are no longer needed have been archived.
These packages have been removed from the CentOS/RHEL repository as the result of an audit:
aff{lib,lib-devel,tools}-3.7.4-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
bokken-1.8-3.el7.x86_64.rpm - Removed: No longer needed.
capstone{,-python2,-python3}-3.0.4-6.el7.x86_64.rpm - Removed: Provided by EPEL.
catdoc-0.94.2-6.el7.x86_64.rpm - Removed: Provided by EPEL.
daemonize-1.7.3-7.el7.x86_64.rpm - Removed: Provided by EPEL.
dcfldd-1.3.4.1-2.el7.x86_64.rpm - Removed: Provided by EPEL.
dd_rescue-1.99.8-1.el7.x86_64.rpm - Removed: Provided by EPEL.
dino-1.5-2.el7.noarch.rpm - Removed: Provided by EPEL.
dislocker{,-libs}-0.7.1-1.el7.x86_64.rpm and fuse-dislocker-0.7.1-1.el7.x86_64.rpm - Removed: Provided by EPEL.
dummy-1.0-2.el7.x86_64.rpm - Removed: No longer needed.
efilter-1-1.5-1.el7.x86_64.rpm - Removed: No longer needed.
fontawesome-fonts-4.1.0-1.el7.noarch.rpm - Removed: No longer needed.
fontawesome-fonts-web-4.1.0-1.el7.noarch.rpm - Removed: No longer needed.
fred-0.1.1-1.el7.x86_64.rpm - Removed: No longer needed.
fuse-exfat-1.0.1-1.el7.x86_64.rpm - Removed: No longer needed.
fuseext2-0.3-1.el7.x86_64.rpm - Removed: No longer needed.
ghex{,-devel,-libs}-3.18.0-1.el7.x86_64.rpm - Removed: No longer needed.
hashcat-3.00-1.el7.x86_64.rpm - Removed: No longer needed.
jansson{,-devel,-devel-doc}-2.9-1.el7.x86_64.rpm - Removed: No longer needed.
lame{,-devel,-libs,-mp3x}-3.99.5-1.el7.x86_64.rpm - Removed: Provided by EPEL.
LogAnalysisToolKit-1.7-1.el7.noarch.rpm - Removed: No longer needed.
luajit{,-devel}-2.0.2-9.el7.x86_64.rpm - Removed: Provided by EPEL.
mac-robber-1.02-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
mathjax-2.2-4.el7.noarch.rpm - Removed: Provided by CentOS/RHEL.
md5deep-4.4-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
mdbtools{,-devel,-gui,-libs}-0.7-43.13.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
null-package-1.0-4.el7.noarch.rpm - Removed: No longer needed.
partclone-0.3.6-2.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
perl-Alien-wxWidgets-0.67-6.el7.x86_64.rpm - Removed: No longer needed.
perl-Carp-Assert-0.20-4.el7.noarch.rpm - Removed: Provided by EPEL.
perl-Digest-CRC-0.16-1.el7.x86_64.rpm - Removed: Provided by EPEL.
perl-Digest-Crc32-0.01-1.el7.noarch.rpm - Removed: No longer needed.
perl-Image-ExifTool-8.50-1.el7.noarch.rpm - Removed: Provided by EPEL.
perl-Net-Pcap-0.16-2.el7.x86_64.rpm - Removed: Provided by EPEL.
protobuf-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-compiler-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-devel-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-lite-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-lite-devel-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-lite-static-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-python-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-static-2.5.0-1.el7.x86_64.rpm - Removed: Provided by EPEL.
protobuf-vim-2.5.0-1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
protobuf-c{,-devel}-0.15-2.1.el7.x86_64.rpm - Removed: Provided by CentOS/RHEL.
psycopg2-2.8.1-1.el7.x86_64.rpm - Removed: No longer needed.
pyew-2.3.0.0-2.el7.x86_64.rpm - Removed: No longer needed.
pygtksourceview{,-devel,-doc}-2.8.0-1.el7.x86_64.rpm - Removed: Provided by EPEL.
pyparsing{,-doc}-2.4.0-1.el7.noarch.rpm - Removed: Provided by CentOS/RHEL.
pyPdf-1.12-4.el7.noarch.rpm - Removed: No longer needed.
python2-certifi-2019.3.9-2.el7.noarch.rpm - Removed: No longer needed.
python2-efilter-1.5-1.el7.noarch.rpm - Removed: No longer needed.
python2-elasticsearch5-5.5.5-2.el7.x86_64.rpm - Removed: No longer needed.
python2-idna-2.5-1.el7.noarch.rpm - Removed: No longer needed.
python2-scapy-2.4.0-5.el7.noarch.rpm - Removed: No longer needed.
python3-certifi-2019.3.9-2.el7.noarch.rpm - Removed: No longer needed.
python3-idna-2.5-1.el7.noarch.rpm - Removed: No longer needed.
python3-psycopg2-2.8.1-1.el7.x86_64.rpm - Removed: No longer needed.
python3-pyparsing-2.4.0-1.el7.noarch.rpm - Removed: No longer needed.
python3-scapy-2.4.0-5.el7.noarch.rpm - Removed: No longer needed.
python3shim-1.0-1.el7.noarch.rpm - Removed: No longer needed.
python-dpkt-1.8-2.el7.noarch.rpm - Removed: No longer needed.
python-elasticsearch5-5.5.5-1.el7.x86_64.rpm - Removed: No longer needed.
python-httplib2-0.7.7-3.el7.noarch.rpm - Removed: No longer needed.
python-ipython-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-console-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-doc-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-gui-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-notebook-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-sphinx-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-ipython-tests-2.2.0-1.el7.noarch.rpm - Removed: No longer needed.
python-M2Crypto-0.26.0-0.x86_64.rpm - Removed: No longer needed.
python-path-3.0.1-2.el7.noarch.rpm - Removed: No longer needed.
python-prettytable-0.7.2-4.el7.noarch.rpm - Removed: No longer needed.
python-psycopg2{,-doc}-2.5.1-3.el7.x86_64.rpm - Removed: No longer needed.
python-radare-2.1.6.0-1.el7.x86_64.rpm - Removed: No longer needed.
python-radare2-2.9.0-1.el7.x86_64.rpm - Removed: Provided by EPEL.
python-tidy-0.2-1.1.el7.noarch.rpm - Removed: No longer needed.
python-tornado{,-doc}-3.2.1-3.el7.x86_64.rpm - Removed: No longer needed.
pytsk-20150406-4.el7.x86_64.rpm - Removed: Replaced by pytsk3.
radare{,-devel,-extras}-2.1.6.0-1.el7.x86_64.rpm - Removed: No longer needed.
radare2{,-common,-devel}-2.9.0-1.el7.x86_64.rpm - Removed: No longer needed.
scalpel-2.0-2.el7.x86_64.rpm - Removed: Provided by EPEL.
socat-1.7.3.2-1.1.el7.x86_64.rpm - Removed: Provided by EPEL.
ssdeep-2.14.1-1.el7.x86_64.rpm - Removed: Provided by EPEL.
tcpflow-1.4.4-12.el7.x86_64.rpm - Removed: Provided by EPEL.
tcpxtract-1.0.1-10.el7.2.x86_64.rpm - Removed: Provided by EPEL.
ttembed-1.1-3.el7.x86_64.rpm - Removed: Provided by EPEL.
testdisk-6.14-3.3.el7.x86_64.rpm - Removed: Provided by EPEL.
umview-0.8.2-1.1.el7.x86_64.rpm - Removed: No longer needed.
valabind-0.10.0-4.el7.x86_64.rpm - Removed: No longer needed.
xapian-core{,-devel,-libs}-1.2.7-2.el7.x86_64.rpm - Removed: No longer needed.
xmount-0.7.6-3.el7.x86_64.rpm - Removed: Provided by EPEL.
xrdp-0.5.0-0.13.el7.x86_64.rpm - Removed: Provided by EPEL.
yara{,-devel,-doc}-3.5.0-7.1.el7.x86_64.rpm - Removed: Provided by EPEL.
zeromq{,-devel}-2.2.0-4.el7.x86_64.rpm - Removed: Provided by EPEL.
These changes were also made:
python{2,3}-artifacts-20190320-2.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm, artifacts-data-20190320-2.{fc26,fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm,
python{2,36}-artifacts-20190320-2.el7.x86_64.rpm, and artifacts-data-20190320-2.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-artifacts and python36-artifacts.
The package names for Fedora are unchanged.
python{2,3}-bencode-2.1.0-1.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-bencode-2.1.0-1.el7.noarch.rpm -
Bencode re-packages the existing bencoding and bdecoding implementation from the 'official' BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-bencode and python36-bencode.
The package names for Fedora are unchanged.
python{2,3}-biplist-1.0.3-3.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-biplist-1.0.3-3.el7.x86_64.rpm -
Biplist is a library for reading/writing binary plists.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-biplist and python36-biplist.
The package names for Fedora are unchanged.
python{2,3}-chardet-3.0.4-3.fc26.{i686,x86_64}.rpm and python{2,36}-chardet-3.0.4-3.el7.x86_64.rpm -
Chardet is a universal character encoding detector.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-chardet and python36-chardet.
The package names for Fedora are unchanged.
python{2,3}-dfdatetime-20190517-2.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-dfdatetime-20190517-2.el7.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-dfdatetime and python36-dfdatetime.
The package names for Fedora are unchanged.
python{2,3}-dfvfs-20190511-1.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-dfvfs-20190511-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
Note: The packages for CentOS/RHEL 7 are named python2-dfvfs and python36-dfvfs.
python{2,3}-dfwinreg-20190517-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-dfwinreg-20190329-2.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-dfwinreg and python36-dfwinreg.
The package names for Fedora are unchanged.
python{2,3}-dpkt-1.9.2-2.fc26.{i686,x86_64}.rpm and python{2,36}-dpkt-1.9.2-2.el7.x86_64.rpm -
Python-dpkt is a fast, simple packet creator and parser, with definitions for the basic TCP/IP protocols, for Python.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-dpkt and python36-dpkt.
The package names for Fedora are unchanged.
python{2,3}-dtfabric-20190120-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-dtfabric-20190120-3.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-dtfabric and python36-dtfabric.
The package names for Fedora are unchanged.
python{2,3}-elasticsearch-7.0.2-1.{fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-elasticsearch-7.0.2-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-elasticsearch and python36-elasticsearch.
The package names for Fedora are unchanged.
libbde{,-devel,-python2,-python3,-tools}-20190317-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190317-3.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python36,-tools}-20190317-3.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libbde and python36-libbde.
All other package names are unchanged.
libesedb{,-devel,-python2,-python3,-tools}-20181229-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20181229-5.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python2,-python36,-tools}-20181229-5.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libesedb and python36-libesedb.
All other package names are unchanged.
libevt{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libevt and python36-libevt.
All other package names are unchanged.
libevtx{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libevtx and python36-libevtx.
All other package names are unchanged.
libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libewf{,-devel,-python2,-tools}-20160718-20140806.3.el6.{i686,x86_64}.rpm, and libewf{,-devel,-python2,-python36,-tools}-20160718-20140806.3.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140806, but to make it the latest version, the version number was changed to the build date (20160718) and the release number was changed to include the source code release date (20140806).
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libewf and python36-libewf.
All other package names are unchanged.
libfsapfs{,-devel,-python2,-python3,-tools}-20190510-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20190510-2.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python2,-python36,-tools}-20190510-2.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libfsapfs and python36-libfsapfs.
All other package names are unchanged.
libfsntfs{,-devel,-python2,-python3,-tools}-20190104-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20190104-5.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python2,-python36,-tools}-20190104-5.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libfsntfs and python36-libfsntfs.
All other package names are unchanged.
libfvde{,-devel,-python2,-python3,-tools}-20190104-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-tools}-20190104-4.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python2,-python36,-tools}-20190104-4.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libfvde and python36-libfvde.
All other package names are unchanged.
libfwnt{,-devel,-python2,-python3}-20181227-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20181227-4.el6.{i686,x86_64}.rpm and libfwnt{,-devel,-python2,-python36}-20181227-4.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libfwnt and python36-libfwnt.
All other package names are unchanged.
libfwsi{,-devel,-python2,-python3}-20181227-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20181227-4.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python2,-python36}-20181227-4.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libfwsi and python36-libfwsi.
All other package names are unchanged.
liblnk{,-devel,-python2,-python3,-tools}-20181227-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python36,-tools}-20181227-4.el7.x86_64.rpm -
Liblnk contains libraries and tools to access Windows Shortcut File (LNK) format files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-liblnk and python36-liblnk.
All other package names are unchanged.
libmsiecf{,-devel,-python2,-python3,-tools}-20181227-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python2,-python36,-tools}-20181227-4.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libmsiecf and python36-libmsiecf.
All other package names are unchanged.
libolecf{,-devel,-python2,-python3,-tools}-20181231-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20181231-4.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python2,-python36,-tools}-20181231-4.el7.x86_64.rpm -
Libolecf contains libraries and tools to access OLE 2 Compound File (OLECF) format files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libolecf and python36-libolecf.
All other package names are unchanged.
libqcow{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libqcow and python36-libqcow.
All other package names are unchanged.
libregf{,-devel,-python2,-python3,-tools}-20190303-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20190303-3.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python36,-tools}-20190303-3.el7.x86_64.rpm -
Libregf contains libraries and tools to access Windows NT Registry files.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libregf and python36-libregf.
All other package names are unchanged.
libscca{,-devel,-python2,-python3,-tools}-20190605-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20190605-1.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python2,-python36,-tools}-20190605-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
Note: The packages for CentOS/RHEL 7 are named python2-libscca and python36-libscca.
libsigscan{,-devel,-python2,-python3,-tools}-20190103-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20190103-4.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python2,-python36,-tools}-20190103-4.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libsigscan and python36-libsigscan.
All other package names are unchanged.
libsmdev{,-devel,-python2,-python3,-tools}-20190315-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20190315-3.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python36,-tools}-20190315-3.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libsmdev and python36-libsmdev.
All other package names are unchanged.
libsmraw{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libsmraw and python36-libsmraw.
All other package names are unchanged.
libvhdi{,-devel,-python2,-python3,-tools}-20181227-5.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm and libvhdi{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libvhdi and python36-libvhdi.
All other package names are unchanged.
libvmdk{,-devel,-python2,-python3,-tools}-20181227-5.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20181227-5.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python2,-python36,-tools}-20181227-5.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libvmdk and python36-libvmdk.
All other package names are unchanged.
libvshadow{,-devel,-python2,-python3,-tools}-20190323-3.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190323-3.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python36,-tools}-20190323-3.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libvshadow and python36-libvshadow.
All other package names are unchanged.
libvslvm{,-devel,-python2,-python3,-tools}-20181227-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python2,-python36,-tools}-20181227-4.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libvslvm and python36-libvslvm.
All other package names are unchanged.
python{2,3}-pefile-2019.4.18-2.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-pefile-2019.4.18-2.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-pefile and python36-pefile.
The package names for Fedora are unchanged.
python36-urllib3-1.24.1-1.el7.x86_64.rpm -
Python-urllib3 is a powerful, sanity-friendly HTTP client for Python.
Much of the Python ecosystem already uses urllib3.
urllib3 brings many critical features that are missing from the Python standard libraries:
Thread safety.
Connection pooling.
Client-side SSL/TLS verification.
File uploads with multipart encoding.
Helpers for retrying requests and dealing with HTTP redirects.
python{2,36}-lz4-0.10.0-1.el7.x86_64.rpm -
LZ4 contains the python bindings for the lz4 compression library.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-lz4 and python36-lz4.
The package names for Fedora are unchanged.
python{2,36}-psutil-5.4.3-4.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-psutil and python36-psutil.
python{2,3}-pytsk3-20190507-2.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, python2-pytsk3-20190507-2.el6.{i686,x86_64}.rpm, and python{2,36}-pytsk3-20190507-2.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
python{2,3}-requests-2.22.0-1.fc26.{i686,x86_64}.rpm and python36-requests-2.22.0-1.el7.x86_64.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
python{2,3}-xlsxwriter-1.1.8-2.{fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-xlsxwriter-1.1.8-2.el7.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-xlsxwriter and python36-xlsxwriter.
The package names for Fedora are unchanged.
plaso-20190429-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190429-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that for Fedora 25, all of the ancillary packages needed by plaso are installed with the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 25, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
Finally, for CentOS/RHEL 7, plaso no longer relies on a Python Virtual Environment.
sleuthkit{,-devel,-libs}-4.6.6-1.1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.6.6-1.1.el7.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
This version was built with a higher revision than that provided by Fedora.
winreg-kb-20190507-1.el7.x86_64.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is the Python module part of winreg-kb to allow reuse of Windows Registry resources.
See these scripts that make use of the package.
winevt-kb-20190507-1.el7.x86_64.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them.
This version uses Python 3.
libwrc{,-devel,-python2,-python3,-tools}-20181203-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libwrc{,-devel,-python2,-tools}-20181203-4.el6.{i686,x86_64}.rpm, and libwrc{,-devel,-python2,-python36,-tools}-20181203-3.el7.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libwrc and python36-libwrc.
All other package names are unchanged.
libexe{,-devel,-python2,-python3,-tools}-20181128-4.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libexe{,-devel,-python2,-tools}-20181128-4.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python2,-python36,-tools}-20181128-4.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
Note: This release contains no new capabilities.
The only difference is that the packages for CentOS/RHEL 7 are named python2-libexe and python36-libexe.
All other package names are unchanged.
python{2,3}-construct-2.5.2-4.{fc25,fc26,fc27,fc28,fc29}.noarch.rpm, python2-construct-2.5.2-4.el6.noarch.rpm, and python{2,36}-construct-2.5.2-4.el7.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
rekall-forensics-1.7.2.rc1-1.{fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and rekall-forensics-1.7.2.rc1-1.el7.x86_64.rpm -
Rekall is an advanced forensic and incident response framework.
While it began life purely as a memory forensic framework, it has now evolved into a complete platform.
Rekall implements the most advanced analysis techniques in the field, while still being developed in the open, with a free and open source license. Many of the innovations implemented within Rekall have been published in peer reviewed papers.
The program to run is named rekall.py.
Please note that all of the ancillary packages needed by rekall are installed with the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
vmfs-tools-0.2.5-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, vmfs-tools-0.2.5-3.el7.x86_64.rpm, libvmfs-devel-0.2.5-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, and libvmfs-devel-0.2.5-3.el7.x86_64.rpm -
VMfs-tools is a collection of command-line tools for operating on VMware's VMFS file system.
Included in this release is limited VMFS version 5 support.
Note: The tools in the vmfs-tools package are named debugvmfs, fsck.vmfs, vmfs-fuse, vmfs-lvm.
The tools installed are also named debugvmfs5, fsck.vmfs5, vmfs5-fuse, vmfs5-lvm.
vmfs6-tools-0.0.0.844.1195-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, vmfs6-tools-0.0.0.844.1195-1.el7.x86_64.rpm, libvmfs6-devel-0.0.0.844.1195-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm, and libvmfs6-devel-0.0.0.844.1195-1.el7.x86_64.rpm -
VMFS6-tools is a collection of command-line tools for operating on VMware's VMFS file system.
Included in this release is limited VMFS version 6 support.
Note: The tools in the vmfs6-tools package are named debugvmfs6, fsck.vmfs6, vmfs6-fuse, vmfs6-lvm.
xva-img-1.3-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and xva-img-1.3-1.el7.x86_64.rpm -
XVA-IMG is a tool for working with Citrix XEN disk images.
Citrix Xen uses a custom virtual appliance format for import/export called "XVA".
It's basically a strangely crafted tar-file.
You don't need this program to unpack this tar-file, just use your favourite tar unpacker (tar, gtar, bsdtar).
Once unpacked you will end up with a lot of different files: ova.xml (which contains the settings for the virtual appliance, think VMware vmx) and a number of folders called Ref:/, which are your disks.
Each of these folders contains hundreds of files named 00000000, 00000001, ... with an accompanying .CHECKSUM file (SHA1).
Each file is a 1MB slice of the disk, but some of the files in the sequence will probably be missing; this is because XVA does not use compression and instead excludes slices of the disk that contain only zeros (are empty).
This tool can assemble the disk for you (you will end up with a RAW disk) that can easily be mounted and modified.
It can then also split the file again and generate the checksums.
Once ready, you will probably want to use the "package" command to rebuild the XVA file.
CERT-Forensics-Tools-1.0-85.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-85.el7.x86_64.rpm -
The changes since the last release (1.0-84) are the following:
cert-forensics-tools-release-{25,26,27,28,29,30,6,7}-14.noarch.rpm -
cert-forensics-tools-release is the package that connects a Fedora-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to require either a Fedora release or a Generic release to be able to install this package.
autopsy-4.11.0-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and autopsy-4.11.0-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
In addition, the Java™ Platform, Standard Edition Development Kit (JDK™) from Oracle also needs to be installed before running autopsy.
That package can be found here.
Testing has been verified to work with JDK 11.0.2.
pfring-7.4.0-2553.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2553.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1596.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.4.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.8-300 for FC30
5.1.7-300 for FC30
5.1.6-300 for FC30
5.1.5-300 for FC30
5.0.17-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-4.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.8-300 for FC30
5.1.7-300 for FC30
5.1.6-300 for FC30
5.1.5-300 for FC30
5.0.17-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.25.noarch.rpm -
Support for the following kernels was added for Fmem:
5.1.6-200 for FC29
5.0.19-200 for FC29
5.0.17-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-25.noarch.rpm -
Support for the following kernels was added for LiME:
5.1.6-200 for FC29
5.0.19-200 for FC29
5.0.17-200 for FC29
fmem-kernel-modules-el7-x86_64-1.6-1.52.noarch.rpm -
Support for the following kernels was added for Fmem:
3.10.0-957.21.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-52.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-957.21.2 for EL7
Fedora 24 - Updates to Fedora 24 for both the i686 and x86_64 CPU architectures have ceased.
cutter-1.8.1-20190514.fc30.{i686,x86_64}.rpm -
Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
Its goal is making an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version is built with the source code that is available on 2019-05-14.
Note that this release is only available for Fedora 30 because it relies on Qt version 5.12.
pfring-7.4.0-2519.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2519.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1571.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-dfdatetime-20190517-1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python{2,3}-dfwinreg-20190517-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python{2,3}-dfwinreg-20190329-1.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.16-300 for FC30
5.0.14-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
5.0.16-300 for FC30
5.0.14-200 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.16-200 for FC29
5.0.14-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
5.0.16-200 for FC29
5.0.14-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.16-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels was added for LiME:
5.0.16-100 for FC28
fmem-kernel-modules-el7-x86_64-1.6-1.51.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-957.12.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-51.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-957.12.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.53.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.14.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-53.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.14.2 for EL6
May 10, 2019:
The following changes have been made:
Fedora 30 - The repository now supports Fedora 30 for the x86_64 and i386 CPU architectures.
Here is the list of tools provided for Fedora 30:
lime-kernel-modules-1.1.r17-16.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 30 x86_64 and i386 architectures was added.
fmem-kernel-modules-1.6-1.16.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 30 x86_64 and i386 architectures was added.
CERT-Forensics-Tools-1.0-84.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-84.el7.x86_64.rpm -
The changes since the last release (1.0-83) are the following:
The kracked package is not installed on Fedora 30.
python{2,3}-xlsxwriter-1.1.8-1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el7}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.1.7).
libfsapfs{,-devel,-python2,-python3,-tools}-20190510-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20190510-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python2,-python3,-tools}-20190510-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
sleuthkit{,-devel,-libs}-4.6.6-1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.6.6-1.el7.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.5) released to this repository.
pytsk3-20190507-1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and pytsk3-20190507-1.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
python{2,3}-dpkt-1.9.2-1.fc26.{i686,x86_64}.rpm -
Python-dpkt is a fast, simple packet creator and parser, with definitions for the basic TCP/IP protocols, for Python.
This package was built to support plaso.
plaso-20190331-2.{fc24,fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190331-2.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that for Fedora 24 and 25 and CentOS/RHEL 7, all of the ancillary packages needed by plaso are installed with the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 24 and 25 and CentOS/RHEL 7, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
winreg-kb-20190507-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is a Python module part of winreg-kb to allow reuse of Windows Registry Resources.
See these scripts that make use of the package.
Note that winreg-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
This version uses Python 3.
winevt-kb-20190507-1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them.
This version uses Python 3.
daq{,-devel,-modules}-2.0.6-7.1.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and daq{,-devel,-modules}-2.0.6-7.1.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
pfring-7.4.0-2504.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2504.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1564.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
guymager-0.8.8-2.{fc24,fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and guymager-0.8.8-2.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
This release contains no new functionality and was rebuilt to include a patch for GCC 8 which is standard on Fedora 28, 29, and 30.
fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.13-300 for FC30
5.0.11-300 for FC30
lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
5.0.13-300 for FC30
5.0.11-300 for FC30
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.13-200 for FC29
5.0.11-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
5.0.13-200 for FC29
5.0.11-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.13-100 for FC28
5.0.11-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
5.0.13-100 for FC28
5.0.11-100 for FC28
May 3, 2019:
The following changes have been made:
httplib2-0.12.3-1.el7.noarch.rpm - Httplib2 is a comprehensive HTTP client library; httplib2 supports many features left out of other HTTP libraries.
This package was installed for CentOS/RHEL 7 to support xplico.
Please note that for CentOS/RHEL 7, this package was built incorrectly and was not usable.
These build problems have been fixed in this release.
nDPI{,-devel}-2.9.0-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and nDPI{,-devel}-2.9.0-1.el7.x86_64.rpm -
nDPI is a ntop-maintained superset of the popular OpenDPI library.
Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI.
In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications by disabling specific features that slow down the DPI engine while being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
xplico-1.2.2-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and xplico-1.2.2-2.el7.x86_64.rpm -
xplico is an Internet traffic decoder.
The changes include:
CakePHP updated to 2.10.17
Migration from GeoIP to GeoIP2
nDPI updated to 2.9
ghidra-9.0.2-PUBLIC_20190403.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and ghidra-9.0.2-PUBLIC_20190403.el7.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
Please note that you must install the JDK for Ghidra to work.
In testing, the Java Development Kit (JDK) version 11.0.2 was used and worked successfully.
Ghidra expects a program named java to be available in the directories named in the PATH variable.
python{2,3}-bencode-2.0.0-2.el7.noarch.rpm -
Bencode re-packages the existing bencoding
python{2,3}-biplist-1.0.3-2.el7.x86_64.rpm -
Biplist is a library for reading/writing binary plists.
Binary Property List (plist) files provide a faster and smaller serialization format for property lists on OS X.
This is a library for generating binary plists which can be read by OS X, iOS, or other clients.
python{2,3}-dfdatetime-20190116-2.el7.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python{2,3}-dfwinreg-20190329-1.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
python2-dtfabric-20190120-2.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
python{2,3}-elasticsearch-6.3.1-2.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python;
because of this it tries to be opinion-free and very extendable. For a more high-level client library with more limited scope, have a
look at elasticsearch-dsl, a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way
to write and manipulate queries. It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the
whole range of the DSL from Python, either directly using defined classes or via queryset-like expressions. It also provides an optional
persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents,
wrapping the document data in user-defined classes.
idna-2.5-1.el7.noarch.rpm -
IDNA provides support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891. This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
April 26, 2019:
The following changes have been made:
python{2,3}-dfvfs-20190301-1.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python2-dfvfs-20190301-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types,
volume systems and file systems.
python{2,3}-xlsxwriter-1.1.7-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.1.5).
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.9-200 for FC29
5.0.8-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
5.0.9-200 for FC29
5.0.8-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernel was added for Fmem:
5.0.8-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernel was added for LiME:
5.0.8-100 for FC28
April 19, 2019:
The following changes have been made:
pfring-7.4.0-2489.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
To install this package, you must first do the following:
sudo rpm -ev pfring pfring-dkms --nodeps
followed by:
sudo yum -y install pfring pfring-dkms
ndpi-2.8.0-1540.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-pefile-2019.4.18-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
PEFile is a Portable Executable reader module.
python{2,3}-artifacts-20190320-1.el7.x86_64.rpm and artifacts-data-20190320-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libfixbuf{,-devel}-2.3.1-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libfixbuf{,-devel}-2.3.1-1.el7.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-3.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-3.el7.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This package was rebuilt to use libfixbuf 2.3.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm,
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-4.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt to use libfixbuf 2.3.1.
libschemaTools{,-devel}-1.3-5.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-5.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
This package was rebuilt to use libfixbuf 2.3.1.
pyfixbuf-0.7.0-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pyfixbuf-0.7.0-2.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
This package was rebuilt to use libfixbuf 2.3.1.
analysis-pipeline-5.10-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.10-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use libfixbuf 2.3.1.
super_mediator-1.7.0-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.0-2.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use libfixbuf 2.3.1.
yaf{,-devel}-2.11.0-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-2.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
This package was rebuilt to use libfixbuf 2.3.1.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernel was added for Fmem:
5.0.7-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernel was added for LiME:
5.0.7-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernel was added for Fmem:
5.0.7-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernel was added for LiME:
5.0.7-100 for FC28
April 12, 2019:
The bulk of the changes this week deal with the release of Python 3.6 in the Extra Packages for Enterprise Linux (EPEL) repository for CentOS/RHEL 7.
This release is the preferred package which obsoletes Python 3.3.2 that was previously provided in LiFTeR.
To that end, Python 3.3.2 was removed from LiFTeR and most of the following packages have been rebuilt to use Python 3.6 for CentOS/RHEL 7.
For all other releases, these same packages were simply rebuilt to maintain release numbering consistency and contain no new functionality.
The following changes have been made:
pfring-7.4.0-2489.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2489.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1537.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
capstone{,-devel}-3.0.5-1.el6.{i386,x86_64}.rpm and python2-capstone-3.0.5-1.el6.{i386,x86_64}.rpm -
Capstone is a lightweight multi-platform, multi-architecture disassembly framework.
See here for the list of changes and future features.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
pyew-2.3.0.0-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pyew-2.3.0.0-2.el7.x86_64.rpm -
Pyew is a (command line) Python tool to analyse malware.
It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), and the PE and ELF file formats (it performs code analysis and lets you write scripts using an
API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports
the OLE2 format, PDF format and more.
It also supports plugins to add more features to the tool.
This package was rebuilt for CentOS/RHEL 6 because of the new capstone package. The other systems were rebuilt to maintain release numbering consistency.
libcreg{,-devel,-python2,-python3,-tools}-20181101-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libcreg{,-devel,-python2,-tools}-20181101-2.el6.{i686,x86_64}.rpm, and libcreg{,-devel,-python2,-python3,-tools}-20181101-2.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libesedb{,-devel,-python2,-python3,-tools}-20181229-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20181229-4.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python2,-python3,-tools}-20181229-3.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libevt{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python2,-python3,-tools}-20181227-4.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libevtx{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python3,-tools}-20181227-5.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libewf{,-devel,-tools,-python2,-python3,-tools}-20160718-20140806.2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libewf{,-devel,-tools,-python2,-tools}-20160718-20140806.2.el6.{i686,x86_64}.rpm, and libewf{,-devel,-tools,-python2,-python3,-tools}-20160718-20140806.2.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140806 but to make it the latest version, the version number was changed to the build date (20160718)
and the release number changed to include the source code release date (20140806).
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libexe{,-devel,-python2,-python3,-tools}-20181128-3.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libexe{,-devel,-python2,-tools}-20181128-3.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python2,-python3,-tools}-20181128-3.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libfsapfs{,-devel,-python2,-python3,-tools}-20190210-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20190210-3.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python2,-python3,-tools}-20190210-3.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libfsext{,-devel,-python2,-python3,-tools}-20190115-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsext{,-devel,-python2,-tools}-20190115-2.el6.{i686,x86_64}.rpm, and libfsext{,-devel,-python2,-python3,-tools}-20190115-2.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
Note that this project currently only focuses on the analysis of the format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libfshfs{,-devel,-python2,-python3,-tools}-20181101-4.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm, libfshfs{,-devel,-python2,-tools}-20181101-4.el6.{i686,x86_64}.rpm, and libfshfs{,-devel,-python2,-python3,-tools}-20181101-3.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libfsntfs{,-devel,-python2,-python3,-tools}-20190104-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20190104-4.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20190104-4.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libfvde{,-devel,-python2,-python3,-tools}-20190104-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-tools}-20190104-3.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python2,-python3,-tools}-20190104-3.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libfwnt{,-devel,-python2,-python3}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20181227-3.el6.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20181227-3.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
liblnk{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libluksde{,-devel,-python2,-python3,-tools}-20180514-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libluksde{,-devel,-python2,-python3,-tools}-20180514-1.el7.x86_64.rpm, and libluksde{,-devel,-python,-tools}-20180514-1.el6.{i686,x86_64}.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
See here for the list of changes.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libmodi{,-devel,-python2,-python3,-tools}-20181101-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libmodi{,-devel,-python2,-tools}-20181101-2.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python2,-python3,-tools}-20181101-2.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libnk2{,-devel,-python2,-python3,-tools}-20181101-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libnk2{,-devel,-python2,-tools}-20181101-2.el6.{i686,x86_64}.rpm, and libnk2{,-devel,-python2,-python3,-tools}-20181101-2.el7.x86_64.rpm -
Libnk2 is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libpff{,-devel,-python2,-python3,-tools}-20180714-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libpff{,-devel,-python2,-tools}-20180714-4.{i686,x86_64}.rpm, and libpff{,-devel,-python2,-python3,-tools}-20180714-4.el7.x86_64.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libphdi{,-devel,-python2,-python3,-tools}-20181101-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libphdi{,-devel,-python2,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libphdi{,-devel,-python2,-python3,-tools}-20181101-2.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python package as -python2 and provides backward compatibility to the -python named package.
libqcow{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python2,-python3,-tools}-20181227-4.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libregf{,-devel,-python2,-python3,-tools}-20190303-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20190303-2.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python3,-tools}-20190303-2.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libscca{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libsigscan{,-devel,-python2,-python3,-tools}-20190103-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20190103-3.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python2,-python3,-tools}-20190103-3.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libsmdev{,-devel,-python2,-python3,-tools}-20190315-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20190315-2.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20190315-2.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libsmraw{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm and libsmraw{,-devel,-python2,-python3,-tools}-20181227-4.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libvhdi{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20181227-4.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libvmdk{,-devel,-python2,-python3,-tools}-20181227-4.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20181227-4.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python2,-python3,-tools}-20181227-4.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libvshadow{,-devel,-python2,-python3,-tools}-20190323-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190323-2.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190323-2.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libvslvm{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
libvsmbr{,-devel,-python2,-python3,-tools}-20180731-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvsmbr{,-devel,-python2,-tools}-20180731-2.el6.{i686,x86_64}.rpm, and libvsmbr{,-devel,-python2,-python3,-tools}-20180731-2.el7.x86_64.rpm -
Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
This release also renames the Python 2 package to -python2 while retaining backward compatibility with the former -python package name.
libwrc{,-devel,-python2,-python3,-tools}-20181203-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libwrc{,-devel,-python2,-tools}-20181203-3.el6.{i686,x86_64}.rpm, and libwrc{,-devel,-python2,-python3,-tools}-20181203-3.el7.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
certifi-2019.3.9-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
python{2,3}-construct-2.5.2-3.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm, python2-construct-2.5.2-3.el6.noarch.rpm, and python{2,36}-construct-2.5.2-3.el7.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
python{2,3}-pefile-2018.8.8-2.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
PEFile is a Portable Executable reader module.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
pyparsing{,-doc}-2.4.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.noarch.rpm, python3-pyparsing-2.4.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm, pyparsing{,-doc}-2.4.0-1.el7.noarch.rpm, python3-pyparsing-2.4.0-1.el7.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
pytsk3-20190316-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pytsk3-20190316-2.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
python{2,3}-xlsxwriter-1.1.6-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.1.5).
This release now references Python 3.6 from the EPEL repository for CentOS/RHEL 7. The other systems were rebuilt to maintain release numbering consistency.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.6-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
5.0.6-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.6-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
5.0.6-100 for FC28
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.52.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.12.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-52.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.12.1 for EL6
April 8, 2019:
The following changes have been made:
EMERGENCY RELEASE: the EPEL repository for CentOS/RHEL 7 now includes Python 3.6.
To install the changes noted below, the currently installed python3 and python3-libs packages must be removed first. The --nodeps option makes rpm skip its dependency check, which would otherwise refuse the removal because installed packages still depend on them until the rebuilt packages below replace them:
sudo rpm -ev python3 python3-libs --nodeps
httplib2-0.12.1-1.el7.noarch.rpm - Httplib2 is a comprehensive HTTP client library; it supports many features left out of other HTTP libraries.
This package was installed for CentOS/RHEL 7 to support xplico.
Note: the packages installed are named python2-httplib2 and python3-httplib2.
psycopg2{,-debug,-docs}-2.8.1-1.el7.x86_64.rpm - Python-psycopg2 is a PostgreSQL adapter for the Python programming language.
At its core it fully implements the Python DB API 2.0 specifications.
Several extensions allow access to many of the features offered by PostgreSQL.
This package was installed for CentOS/RHEL 7 to support xplico.
Note: the packages installed are named python2-psycopg2 and python3-psycopg2.
xplico-1.2.1-2.el7.x86_64.rpm - xplico is an Internet traffic decoder.
This package was rebuilt because of the inclusion of Python 3.6 in the EPEL repository.
libfwsi{,-devel,-python2,-python3}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20181227-3.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python2,-python3}-20181227-3.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
This release fixes a package revision error.
liblnk{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
This release fixes a package revision error.
libmsiecf{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
This release fixes a package revision error.
libolecf{,-devel,-python2,-python3,-tools}-20181231-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20181231-3.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python2,-python3,-tools}-20181231-3.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
This release fixes a package revision error.
scapy-2.4.0-5.el7.noarch.rpm - Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames,
combining techniques (VLAN hopping + ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, ...), etc.
This package was rebuilt because of the inclusion of Python 3.6 in the EPEL repository.
April 5, 2019:
The following changes have been made:
pfring-7.4.0-2483.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2483.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1534.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-dfwinreg-20190329-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
certifi-2019.3.9-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
Note: the packages installed are named python2-certifi and python3-certifi for Fedora 24 through 29 and CentOS/RHEL 7.
python{2,3}-requests-2.21.0-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
Volatility-2.6.1-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-2.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to April 3, 2019.
You can read about this version here.
plaso-20190331-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20190331-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
The changes to this release are noted here.
Please note that for Fedora 24, 25, and 26, and CentOS/RHEL 7, all of the ancillary packages needed by plaso are installed with the pip program into a Python virtual environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 24, 25, 26, and CentOS/RHEL 7, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
For Fedora 27, 28, and 29, this version of plaso no longer requires either elasticsearch5 or efilter.
They may be safely removed with the following:
Note that for Fedora 24, 25, 26 and CentOS/RHEL 7, these packages are automatically removed from the Python Virtual Environment.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.5-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
5.0.5-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.5-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
5.0.5-100 for FC28
March 29, 2019:
The following changes have been made:
libbde{,-devel,-python2,-python3,-tools}-20190317-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190317-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python3,-tools}-20190317-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libsmdev{,-devel,-python2,-python3,-tools}-20190315-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20190315-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20190315-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
pytsk3-20190316-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pytsk3-20190316-1.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
Note: the packages installed are named python2-pytsk3 and python3-pytsk3 for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
pfring-7.4.0-2468.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2468.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1527.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-artifacts-20190320-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and artifacts-data-20190320-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm -
Artifacts is a free, community-sourced,
machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libvshadow{,-devel,-python2,-python3,-tools}-20190323-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190323-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190323-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
libfixbuf{,-devel}-2.3.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libfixbuf{,-devel}-2.3.0-1.el7.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
pyfixbuf-0.7.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pyfixbuf-0.7.0-1.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf,
an implementation of the IPFIX protocol used for building IPFIX collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
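To make the IPFIX terms used for libfixbuf, pyfixbuf and the mediator concrete, here is an added example (Python written for this page; it is not libfixbuf, pyfixbuf, YAF or super_mediator code and uses none of their APIs) that builds a message the way an exporting process does, decodes it the way a collecting process does, and, acting as a mediator, filters the records and re-exports the survivors. It models only the RFC 7011 message header, the template set and fixed-length data sets for one template; options templates, variable-length elements, set padding and template caching across messages are left out. The sample flows are constructed, not captured.

```python
"""IPFIX (RFC 5101 / RFC 7011) exporter, collector and mediator in pure Python.

Added example for this changelog; it is not libfixbuf's, pyfixbuf's or YAF's
code and uses none of their APIs. The seven information elements are the
IANA-registered IDs a YAF-style flow record commonly carries.
"""
from __future__ import annotations

import ipaddress
import struct
from typing import Callable

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2        # set ID 2 carries template records (3 = options templates)
MIN_DATA_SET_ID = 256      # a data set is identified by its template ID, which is >= 256
VARIABLE_LENGTH = 65535

# (name, IANA information element ID, fixed length in bytes)
FLOW_TEMPLATE = (
    ("sourceIPv4Address", 8, 4),
    ("destinationIPv4Address", 12, 4),
    ("sourceTransportPort", 7, 2),
    ("destinationTransportPort", 11, 2),
    ("protocolIdentifier", 4, 1),
    ("octetDeltaCount", 1, 8),
    ("packetDeltaCount", 2, 8),
)
FLOW_TEMPLATE_ID = 256
IE_NAMES = {ie_id: name for name, ie_id, _ in FLOW_TEMPLATE}

# Constructed sample flows (RFC 1918 / RFC 5737 addresses), not captured traffic.
SAMPLE_FLOWS = [
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.7",
     "sourceTransportPort": 51234, "destinationTransportPort": 443,
     "protocolIdentifier": 6, "octetDeltaCount": 5120, "packetDeltaCount": 12},
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "10.0.0.1",
     "sourceTransportPort": 40001, "destinationTransportPort": 53,
     "protocolIdentifier": 17, "octetDeltaCount": 78, "packetDeltaCount": 1},
    {"sourceIPv4Address": "198.51.100.9", "destinationIPv4Address": "10.0.0.5",
     "sourceTransportPort": 4444, "destinationTransportPort": 22,
     "protocolIdentifier": 6, "octetDeltaCount": 900, "packetDeltaCount": 9},
]


def _encode_field(name: str, value, length: int) -> bytes:
    if name.endswith("IPv4Address"):
        return ipaddress.IPv4Address(value).packed
    return int(value).to_bytes(length, "big")       # OverflowError if it does not fit


def encode_message(records, export_time: int, sequence: int, domain_id: int) -> bytes:
    """Exporting process: message header, one template set, one data set."""
    specs = b"".join(struct.pack("!HH", ie_id, length) for _, ie_id, length in FLOW_TEMPLATE)
    template_record = struct.pack("!HH", FLOW_TEMPLATE_ID, len(FLOW_TEMPLATE)) + specs
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template_record)) + template_record
    body = b"".join(_encode_field(name, rec[name], length)
                    for rec in records for name, _, length in FLOW_TEMPLATE)
    data_set = struct.pack("!HH", FLOW_TEMPLATE_ID, 4 + len(body)) + body if records else b""
    length = 16 + len(template_set) + len(data_set)
    header = struct.pack("!HHIII", IPFIX_VERSION, length, export_time, sequence, domain_id)
    return header + template_set + data_set


def _parse_template_set(payload: bytes, templates: dict) -> None:
    off = 0
    while off + 4 <= len(payload):                  # anything shorter at the end is padding
        template_id, count = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        fields = []
        for _ in range(count):
            ie_id, length = struct.unpack("!HH", payload[off:off + 4])
            off += 4
            enterprise = None
            if ie_id & 0x8000:                      # enterprise bit: 4-byte enterprise number follows
                enterprise = struct.unpack("!I", payload[off:off + 4])[0]
                off += 4
            fields.append((ie_id & 0x7FFF, length, enterprise))
        if count == 0:
            templates.pop(template_id, None)        # a field count of 0 withdraws the template
        else:
            templates[template_id] = fields


def _parse_data_set(payload: bytes, fields) -> list[dict]:
    if any(length == VARIABLE_LENGTH for _, length, _ in fields):
        raise NotImplementedError("variable-length elements are not handled in this example")
    record_len = sum(length for _, length, _ in fields)
    records, off = [], 0
    while off + record_len <= len(payload):         # trailing bytes shorter than a record are padding
        rec, pos = {}, off
        for ie_id, length, enterprise in fields:
            raw = payload[pos:pos + length]
            pos += length
            name = IE_NAMES.get(ie_id, f"ie{ie_id}") if enterprise is None else f"pen{enterprise}.ie{ie_id}"
            rec[name] = str(ipaddress.IPv4Address(raw)) if name.endswith("IPv4Address") else int.from_bytes(raw, "big")
        records.append(rec)
        off += record_len
    return records


def decode_message(data: bytes) -> dict:
    """Collecting process: validate the header, learn templates, decode data sets."""
    if len(data) < 16:
        raise ValueError("message shorter than the 16-byte IPFIX header")
    version, length, export_time, sequence, domain_id = struct.unpack("!HHIII", data[:16])
    if version != IPFIX_VERSION:
        raise ValueError(f"not IPFIX version 10: {version}")
    if length != len(data):
        raise ValueError("message length field does not match the bytes received")
    templates, records, off = {}, [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", data[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("malformed set length")   # never read past the message
        payload = data[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            _parse_template_set(payload, templates)
        elif set_id >= MIN_DATA_SET_ID and set_id in templates:
            records.extend(_parse_data_set(payload, templates[set_id]))
        # options template sets and data for unknown templates are skipped
        off += set_len
    return {"export_time": export_time, "sequence": sequence,
            "domain_id": domain_id, "records": records}


def mediate(message: bytes, keep: Callable[[dict], bool]) -> bytes:
    """Mediator: collect, filter, re-export. Only records decoded with
    FLOW_TEMPLATE can be re-encoded by this example."""
    decoded = decode_message(message)
    kept = [rec for rec in decoded["records"] if keep(rec)]
    return encode_message(kept, decoded["export_time"], decoded["sequence"], decoded["domain_id"])


if __name__ == "__main__":
    exported = encode_message(SAMPLE_FLOWS, 1554249600, 1, 7)
    tcp_only = mediate(exported, lambda rec: rec["protocolIdentifier"] == 6)
    print(len(exported), "bytes in;", len(decode_message(tcp_only)["records"]), "TCP flows re-exported")
```

The checks in decode_message are the ones a collector needs before trusting a peer: the header length must equal the bytes received, and a set length that runs past the message is rejected rather than read past the buffer. A real collector also keeps templates per exporter and observation domain across messages (and per SCTP stream), since a data set may arrive in a later message than its template.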
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-1.el7.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm,
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
libschemaTools{,-devel}-1.3-4.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-4.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, or the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.3.0.
analysis-pipeline-5.10-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.10-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes.
super_mediator-1.7.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.0-1.el7.x86_64.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
yaf{,-devel}-2.11.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-1.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
dcp-1.0.6-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and dcp-1.0.6-1.el7.x86_64.rpm -
Dcp combines cp, stat, md5sum and shasum to streamline mirroring and gathering information about all the files copied.
All information gathered is written to an output file.
The output file can be fed back into dcp when copying snapshots of a directory; this allows only files which differ in location or hash to be copied.
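The snapshot behaviour described for dcp, as an added example (Python written for this page, not dcp's code, and the JSON manifest is not dcp's output format): every regular file is hashed with SHA-256 and recorded with its size and mtime, a copy is re-hashed before it counts as done, and a later run consults the previous manifest so that only files whose path or hash is new are copied.

```python
"""Hash-manifest mirroring in the manner described for dcp.

Added example for this changelog; it is not dcp's code and the JSON manifest
is not dcp's output format.
"""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root: Path) -> dict[str, dict]:
    """Relative POSIX path -> size, mtime and hash, for regular files only
    (symlinks are skipped rather than followed)."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            info = path.stat()
            entries[path.relative_to(root).as_posix()] = {
                "size": info.st_size,
                "mtime_ns": info.st_mtime_ns,
                "sha256": sha256_of(path),
            }
    return entries


def mirror(src: Path, dst: Path, manifest: Path) -> list[str]:
    """Copy files that differ in location or hash from the previous manifest,
    verify every copy by re-hashing it, then write the new manifest.
    Returns the relative paths that were copied on this run."""
    previous = json.loads(manifest.read_text()) if manifest.exists() else {}
    current = scan_tree(src)
    copied = []
    for rel, meta in current.items():
        if previous.get(rel, {}).get("sha256") == meta["sha256"]:
            continue                               # same path, same content: already mirrored
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src / rel, target)            # copy2 preserves timestamps
        if sha256_of(target) != meta["sha256"]:    # verify before trusting the copy
            raise OSError(f"copy of {rel} does not verify against the source hash")
        copied.append(rel)
    manifest.write_text(json.dumps(current, indent=1, sort_keys=True))
    return copied


def demo() -> tuple[list[str], list[str], list[str], str]:
    """Three runs over a constructed tree: initial copy, no-op, one changed file.
    Returns the three copied-path lists and the final mirrored text file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, dst, manifest = base / "src", base / "dst", base / "manifest.json"
        (src / "evidence").mkdir(parents=True)
        (src / "evidence" / "NTUSER.DAT").write_bytes(b"regf" + bytes(60))   # constructed stub hive
        (src / "notes.txt").write_text("first pass\n")
        first = mirror(src, dst, manifest)
        second = mirror(src, dst, manifest)
        (src / "notes.txt").write_text("amended\n")
        third = mirror(src, dst, manifest)
        return first, second, third, (dst / "notes.txt").read_text()


if __name__ == "__main__":
    print(demo())
```

Files removed from the source stay in the destination (the manifest simply stops listing them), a file that keeps its content but moves is copied again because its new path is not in the manifest, and a verification failure raises rather than silently recording a bad copy.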
femto-1.3.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and femto-1.3.0-1.el7.x86_64.rpm -
FEMTO is an indexing and search system for queries on sequences of bytes.
FEMTO stands for the FM-index for External Memory with Throughput Optimizations.
This tool supports building large indexes in parallel with MPI and then searching large indexes with a multithreaded server.
ghidra-9.0-PUBLIC_20190228.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and ghidra-9.0-PUBLIC_20190228.el7.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the
National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
Please note that you must install the JDK for Ghidra to work.
In testing, the Java Development Kit (JDK) version 11.0.2 was used and worked successfully.
Ghidra expects a program named java to be available in the directories named in the PATH variable.
CERT-Forensics-Tools-1.0-83.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-83.el7.x86_64.rpm -
The changes since the last release (1.0-82) are the following:
The dcp package is installed except for CentOS/RHEL 6.
The ghidra package is installed except for CentOS/RHEL 6.
examiner-tooldocumentation-1.18-10.el7.noarch.rpm - The following packages were added to the documentation suite found on the desktop:
dcp
ghidra
femto_index
femto_search
appcompatcache.py
application_identifiers.py
mru.py
msie_zone_info.py
process_tree.py
profiles.py
programscache.py
sam.py
services.py
shellfolders.py
srum_extensions.py
sysinfo.py
task_cache.py
type_libraries.py
userassist.py
Once this package has been updated, run the following command:
sudo manage-examiner-login -S -v
to install these changes in the examiner's desktop.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
5.0.4-200 for FC29
5.0.3-200 for FC29
4.20.16-200 for FC29
4.20.15-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
5.0.4-200 for FC29
5.0.3-200 for FC29
4.20.16-200 for FC29
4.20.15-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.17-100 for FC28
4.20.16-100 for FC28
4.20.15-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.20.17-100 for FC28
4.20.16-100 for FC28
4.20.15-100 for FC28
fmem-kernel-modules-el7-x86_64-1.6-1.49.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-957.10.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-49.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-957.10.1 for EL7
March 15, 2019:
The following changes have been made:
python{2,3}-dfvfs-20190301-1.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm and python2-dfvfs-20190301-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types,
volume systems and file systems.
python{2,3}-dfwinreg-20190311-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-dfwinreg-20190329-2.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
pfring-7.4.0-2456.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2456.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1507.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.14-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.20.14-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.14-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.20.14-100 for FC28
March 8, 2019:
The following changes have been made:
pfring-7.4.0-2446.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2446.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.8.0-1499.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
libregf{,-devel,-python2,-python3,-tools}-20190303-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20190303-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python3,-tools}-20190303-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
apfs-fuse-20190304-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and apfs-fuse-20181116-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones.
Although most of the time it should just report an error.
autopsy-4.10.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and autopsy-4.10.0-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
The Java™ Platform, Standard Edition Development Kit (JDK™) from Oracle also needs to be installed before running autopsy.
That package can be found here.
Testing has been verified to work with JDK 11.0.2.
ddrescue-1.24-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See here for the changes since the last version (1.23) released to this repository.
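The rescue strategy in ddrescue's description, as an added example (Python written for this page, not ddrescue's code; the list of bad ranges stands in for, and is not, ddrescue's mapfile): a first pass with no retries copies every block that reads cleanly and records the ones that fail, and later passes retry only those ranges. FlakyDevice is a constructed stand-in for a disk on which one block is dead and another fails once.

```python
"""Error-tolerant block copying in the manner of ddrescue.

Added example for this changelog; it is not ddrescue's code, and the list of
(offset, length) ranges is not ddrescue's mapfile format.
"""
from __future__ import annotations

import io

BLOCK_SIZE = 512


class FlakyDevice:
    """Constructed stand-in for a failing disk: reads of the blocks listed in
    `failures` raise OSError, permanently (None) or for the given number of
    attempts (a transient error that a retry pass can recover)."""

    def __init__(self, data: bytes, failures: dict[int, int | None]):
        self._data = data
        self._failures = dict(failures)
        self._pos = 0

    def seek(self, offset: int) -> None:
        self._pos = offset

    def read(self, size: int) -> bytes:
        block = self._pos // BLOCK_SIZE
        remaining = self._failures.get(block, 0)
        if remaining is None or remaining > 0:
            if remaining:                         # transient failure: one attempt used up
                self._failures[block] = remaining - 1
            raise OSError(f"I/O error reading block {block}")
        chunk = self._data[self._pos:self._pos + size]
        self._pos += len(chunk)
        return chunk


def _read_block(src, offset: int, length: int, retries: int) -> bytes | None:
    for _ in range(retries + 1):
        try:
            src.seek(offset)
            return src.read(length)
        except OSError:
            continue
    return None


def merge_ranges(ranges: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Sort (offset, length) pairs and coalesce adjacent ones."""
    merged: list[tuple[int, int]] = []
    for offset, length in sorted(ranges):
        if merged and merged[-1][0] + merged[-1][1] == offset:
            merged[-1] = (merged[-1][0], merged[-1][1] + length)
        else:
            merged.append((offset, length))
    return merged


def rescue_pass(src, dst, ranges, retries: int) -> list[tuple[int, int]]:
    """Copy the given (offset, length) ranges block by block into `dst`, a
    seekable writable file. Unreadable blocks are zero-filled in `dst`, so the
    image keeps the source's offsets, and are returned as merged bad ranges."""
    bad = []
    for start, length in ranges:
        for offset in range(start, start + length, BLOCK_SIZE):
            size = min(BLOCK_SIZE, start + length - offset)
            chunk = _read_block(src, offset, size, retries)
            if chunk is None:
                chunk = bytes(size)
                bad.append((offset, size))
            dst.seek(offset)
            dst.write(chunk)
    return merge_ranges(bad)


def rescue(src, dst, size: int, retry_passes: int = 1, retries: int = 2) -> list[tuple[int, int]]:
    """First pass: no retries, to pull every readable block quickly.
    Following passes: retry only what failed. Returns what is still unread."""
    bad = rescue_pass(src, dst, [(0, size)], retries=0)
    for _ in range(retry_passes):
        if not bad:
            break
        bad = rescue_pass(src, dst, bad, retries=retries)
    return bad


def demo() -> tuple[list[tuple[int, int]], bytes]:
    """Four-block device: block 1 is dead, block 2 fails once. Returns the bad
    ranges left after the retry pass and the rescued image."""
    data = bytes(range(256)) * 8                  # 2048 bytes = 4 blocks, constructed
    device = FlakyDevice(data, {1: None, 2: 1})
    image = io.BytesIO()
    still_bad = rescue(device, image, len(data))
    return still_bad, image.getvalue()


if __name__ == "__main__":
    bad_ranges, _ = demo()
    print("unrecovered ranges:", bad_ranges)
```

The first pass deliberately does not retry: on failing media, time spent re-reading a bad sector is time not spent pulling the sectors that still read, so retries are done afterwards over the recorded ranges only. Zero-filling unreadable blocks keeps every rescued byte at its original offset, which is what forensic tools expect of an image; the returned ranges tell you which parts of it are not evidence.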
libodraw{,-devel,-tools}-20190118-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20190118-1.el7.x86_64.rpm -
Libodraw is a library to access to optical disc (split) RAW image files (bin/cue, iso/cue).
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.13-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.20.13-200 for FC29
March 1, 2019:
The following changes have been made:
python{2,3}-xlsxwriter-1.1.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.1.4).
pfring-7.4.0-2433.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2433.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1492.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
python{2,3}-artifacts-20190227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm, artifacts-data-20190227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm,
python2-artifacts-20190227-1.el7.x86_64.rpm, and artifacts-data-20190227-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.12-200 for FC29
4.20.11-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels were added for
LiME:
4.20.12-200 for FC29
4.20.11-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels were added for
Fmem:
4.20.11-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels were added for
LiME:
4.20.11-100 for FC28
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.51.noarch.rpm - Support for the following kernels were added for
Fmem:
2.6.32-754.11.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-51.noarch.rpm - Support for the following kernels were added for
LiME:
2.6.32-754.11.1 for EL6
February 21, 2019:
The following changes have been made:
pfring-7.4.0-2417.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2417.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1489.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.10-200 for FC29
4.20.8-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.20.10-200 for FC29
4.20.8-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.8-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.20.8-100 for FC28
February 15, 2019:
The bulk of the changes noted here consist of new revisions of existing packages that have been rebuilt to eliminate errors that arose when the Python 2 and Python 3 versions of packages were installed on the same machine.
Earlier packages were built incorrectly.
The following changes have been made:
python{2,3}-xlsxwriter-1.1.4-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm and python2-xlsxwriter-1.1.4-1.el6.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.1.2).
Note: the packages installed are named python2-xlsxwriter and python3-xlsxwriter for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
libfsapfs{,-devel,-python2,-python3,-tools}-20190210-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20190210-2.el6.{i686,x86_64}.rpm and libfsapfs{,-devel,-python2,-python3,-tools}-20190210-2.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
plaso-20190131-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20190131-2.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This revision changed some of the dependencies for the Python Virtual Environment-based version for Fedora 24 and 25 and CentOS/RHEL 7.
For Fedora 24 and 25 and CentOS/RHEL 7, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
For Fedora 24 and 25, the recommended way to install this update is the following:
pfring-7.4.0-2414.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2414.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1488.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
libbde{,-devel,-python2,-python3,-tools}-20190102-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190102-3.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python3,-tools}-20190102-3.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libesedb{,-devel,-python2,-python3,-tools}-20181229-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20181229-3.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python2,-python3,-tools}-20181229-3.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libevt{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libevtx{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libfshfs{,-devel,-python2,-python3,-tools}-20181101-3.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm, libfshfs{,-devel,-python,-tools}-20181101-3.el6.{i686,x86_64}.rpm, and libfshfs{,-devel,-python2,-python3,-tools}-20181101-3.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system, and renames the python package to python2.
libfsntfs{,-devel,-python2,-python3,-tools}-20190104-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20190104-3.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20190104-3.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libfwsi{,-devel,-python2,-python3}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwsi{,-devel,-python2}-20181227-2.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python2,-python3}-20181227-2.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
liblnk{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libmsiecf{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc26,fc27,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libolecf{,-devel,-python2,-python3,-tools}-20181231-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20181231-3.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python2,-python3,-tools}-20181231-3.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libpff{,-devel,-python2,-python3,-tools}-20180714-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libpff{,-devel,-python,-tools}-20180714-3.{i686,x86_64}.rpm, and libpff{,-devel,-python2,-python3,-tools}-20180714-3.el7.x86_64.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libqcow{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libregf{,-devel,-python2,-python3,-tools}-20181231-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20181231-3.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python3,-tools}-20181231-3.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libsmdev{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libsmraw{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm and libsmraw{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libvshadow{,-devel,-python2,-python3,-tools}-20190127-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190127-3.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190127-3.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libvhdi{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
libvmdk{,-devel,-python2,-python3,-tools}-20181227-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20181227-3.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python2,-python3,-tools}-20181227-3.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
This release fixes a problem that occurred when the python2 and python3 versions were installed on the same system.
python{2,3}-dfvfs-20190128-4.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.7-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.20.7-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.7-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.20.7-100 for FC28
February 8, 2019:
The following changes have been made:
python{2,3}-biplist-1.0.3-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-biplist-1.0.3-2.el7.x86_64.rpm -
Biplist is a library for reading/writing binary plists.
Binary Property List (plist) files provide a faster and smaller serialization format for property lists on OS X.
This is a library for generating binary plists which can be read by OS X, iOS, or other clients.
elasticsearch5-5.5.5-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and elasticsearch5-5.5.5-2.el7.x86_64.rpm -
ElasticSearch5 is a low-level client for Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable. For a higher-level client library with more limited scope, have a look at elasticsearch-dsl, a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way to write and manipulate queries. It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the whole range of the DSL from Python, either directly using defined classes or via queryset-like expressions. It also provides an optional persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents, wrapping the document data in user-defined classes.
python{2,3}-elasticsearch-6.3.1-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, python2-elasticsearch-6.3.1-2.el6.{i686,x86_64}.rpm, and python2-elasticsearch-6.3.1-2.el7.x86_64.rpm -
ElasticSearch is the official low-level client for Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable. For a higher-level client library with more limited scope, have a look at elasticsearch-dsl, a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way to write and manipulate queries. It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the whole range of the DSL from Python, either directly using defined classes or via queryset-like expressions. It also provides an optional persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents, wrapping the document data in user-defined classes.
plaso-20190131-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20190131-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This version was changed to use the new package names for the packages noted above.
For Fedora 24 and 25 and CentOS/RHEL 7, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon.
Note that this updates the dependent packages but not plaso.
The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
For Fedora 24 and 25, the recommended way to install this update is the following:
pfring-7.4.0-2398.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2398.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libfsapfs{,-devel,-python2,-python3,-tools}-20190206-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20190206-1.el6.{i686,x86_64}.rpm and libfsapfs{,-devel,-python2,-python3,-tools}-20190206-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
crunch-3.6-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and crunch-3.6-1.el7.x86_64.rpm -
Crunch is a wordlist generator that uses either a standard character set or a character set of your own. Crunch can generate all possible combinations and permutations.
Here are its features:
generates wordlists in both combination and permutation ways
can breakup output by number of lines or file size
now has resume support
pattern now supports number and symbols
pattern now supports upper and lower case characters separately
adds a status report when generating multiple files
new -l option for literal support of @, $, and ^
new -d option to limit duplicate characters; see man page for details
now has unicode support
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.6-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.20.6-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.6-100 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.20.6-100 for FC28
fmem-kernel-modules-el7-x86_64-1.6-1.48.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-957.5.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-48.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-957.5.1 for EL7
February 1, 2019:
The bulk of the changes noted here consist of new revisions of existing packages that have been rebuilt to rename packages to include the appropriate Python version, currently either Python 2 or Python 3.
For example, the package libfsntfs-python has been rebuilt and the package named libfsntfs-python2.
Further, the Python 2 version of these packages also provides the previous package name, libfsntfs-python in this case, for backward compatibility.
In other cases, some packages previously built for Python 2 only have been rebuilt for both Python 2 and Python 3 and the packages appropriately renamed.
Again, the Python 2 versions of these packages also provide the previous simple package name for backward compatibility.
As an example, the package previously known as dtfabric now consists of two packages named python2-dtfabric and python3-dtfabric, with the package python2-dtfabric also providing dtfabric for backward compatibility.
The following changes have been made:
sleuthkit{,-devel,-libs}-4.6.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.6.5-1.el7.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.3) released to this repository.
pytsk3-20190121-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pytsk3-20190122-1.el7.x86_64.rpm -
Pytsk3 provides Python bindings for The Sleuth Kit.
Note: the packages installed are named python2-pytsk3 and python3-pytsk3 for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
python{2,3}-dtfabric-20190120-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-dtfabric-20190120-2.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
libfsapfs{,-devel,-python2,-python3,-tools}-20181215-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20181205-2.el6.{i686,x86_64}.rpm and libfsapfs{,-devel,-python2,-python3,-tools}-20181205-2.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
libbde{,-devel,-python2,-python3,-tools}-20190102-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190102-2.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python3,-tools}-20190102-2.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libesedb{,-devel,-python2,-python3,-tools}-20181229-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20181229-2.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python2,-python3,-tools}-20181229-2.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
libevt{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libfsntfs{,-devel,-python2,-python3,-tools}-20190104-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20190104-2.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20190104-2.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libfwnt{,-devel,-python2,-python3}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20181227-2.el6.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20181227-2.el7.x86_64.rpm -
Libfwnt is a library for Windows NT data types.
liblnk{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libmsiecf{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc26,fc27,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libolecf{,-devel,-python2,-python3,-tools}-20181231-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20181231-2.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python2,-python3,-tools}-20181231-2.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libqcow{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libregf{,-devel,-python2,-python3,-tools}-20181231-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20181231-2.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python3,-tools}-20181231-2.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
libscca{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libsigscan{,-devel,-python2,-python3,-tools}-20190103-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20190103-2.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python2,-python3,-tools}-20190103-2.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libsmdev{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm and libsmraw{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvhdi{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvshadow{,-devel,-python2,-python3,-tools}-20190127-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190127-2.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190127-2.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
libvslvm{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libvmdk{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libfvde{,-devel,-python2,-python3,-tools}-20190104-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-tools}-20190104-2.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python2,-python3,-tools}-20190104-2.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
python{2,3}-dfdatetime-20190116-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python{2,3}-dfwinreg-20190122-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-dfwinreg-20190122-2.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
libexe{,-devel,-python2,-python3,-tools}-20181128-2.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libexe{,-devel,-python2,-tools}-20181128-2.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python2,-python3,-tools}-20181128-2.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libwrc{,-devel,-python2,-python3,-tools}-20181203-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libwrc{,-devel,-python2,-tools}-20181203-2.el6.{i686,x86_64}.rpm, and libwrc{,-devel,-python2,-python3,-tools}-20181203-2.el7.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libewf{,-devel,-python2,-tools}-20160718-20140806.1.el6.{i686,x86_64}.rpm, and libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140806, but to make it the latest version, the version number was changed to the build date (20160718) and the release number was changed to include the source code release date (20140806).
python{2,3}-construct-2.5.2-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm and python2-construct-2.5.2-2.el6.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
Note: the packages installed are named python2-construct and python3-construct for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
python{2,3}-artifacts-20190113-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm, artifacts-data-20190113-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm, python2-artifacts-20190113-2.el7.x86_64.rpm, and artifacts-data-20190113-2.el7.x86_64.rpm -
python{2,3}-bencode-2.0.0-2.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm -
Bencode re-packages the existing bencoding and bdecoding implementation from the ‘official’ BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
python{2,3}-xlsxwriter-1.1.2-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm and python2-xlsxwriter-1.1.2-2.el6.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.8).
Note: the packages installed are named python2-xlsxwriter and python3-xlsxwriter for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
efilter-1.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.noarch.rpm - Efilter is a general purpose query language designed to be embedded in Python applications and libraries.
It supports SQL-like syntax to filter your application's data and provides a convenient way to directly search through the objects your applications manages.
A second use case for EFILTER is to translate queries from one query language to another, such as from SQL to OpenIOC and so on.
A basic SQL-like syntax and a POC lisp implementation are included with the language, and others are relatively simple to add.
Note: the packages installed are named python2-efilter and python3-efilter for Fedora 24 through 29 but there is no Python 3 version for CentOS/RHEL 6 and 7.
python{2,3}-dfvfs-20190128-1.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm and python2-dfvfs-20190128-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
winreg-kb-20181223-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and winreg-kb-20181223-1.el7.x86_64.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is a Python module, part of winreg-kb, to allow reuse of Windows Registry resources.
See these scripts that make use of this package.
Note that winreg-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
winevt-kb-20181223-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and winevt-kb-20181223-1.el7.x86_64.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them.
pyparsing{,-doc}-2.3.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.noarch.rpm, python3-pyparsing-2.3.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm, pyparsing{,-doc}-2.3.1-1.el7.noarch.rpm, python3-pyparsing-2.3.1-1.el7.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
Pyparsing is provided by RedHat for Fedora 21.
Pyparsing version 2.3.3 is needed by plaso.
plaso-20181219-5.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-5.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This version was changed to use the new package names for the packages noted above.
For Fedora 24 and 25, the recommended way to install this update is the following:
pfring-7.4.0-2394.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2394.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1485.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.5-200 for FC29
4.20.4-200 for FC29
4.20.3-200 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.20.5-200 for FC29
4.20.4-200 for FC29
4.20.3-200 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.20.5-100 for FC28
4.20.4-100 for FC28
4.19.16-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.20.5-100 for FC28
4.20.4-100 for FC28
4.19.16-200 for FC28
January 18, 2019:
The following changes have been made:
cutter-1.7.3-1.{fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and cutter-1.7.3-1.el7.x86_64.rpm - Cutter is a Qt and C++ GUI for the radare2 reverse engineering framework.
Its goal is making an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version of cutter is based on the code dated 2019-01-15 which was built to embed radare2 version 2.6.0 in it.
distorm3-3.4.1-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and distorm3-3.4.1-1.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
libbde{,-devel,-python,-python3,-tools}-20190102-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20190102-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20190102-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libbfio{,-devel}-20190112-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
libfplist{,-devel}-20190101-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Libfplist is a library for plist formats.
Note: this is a library only - there are no tools provided by these packages.
libfsext{,-devel,-python,-python3,-tools}-20190115-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsext{,-devel,-python,-python3,-tools}-20190115-1.el7.x86_64.rpm, and libfsext{,-devel,-python,-tools}-20190115-1.el6.{i686,x86_64}.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
Note that this project currently only focuses on the analysis of the format.
libfwevt{,-devel}-20190102-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Libfwevt is a library for Windows XML Event Log (EVTX) data types.
Note: this is a library only - there are no tools provided by these packages.
libsigscan{,-devel,-python,-python3,-tools}-20190103-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsigscan{,-devel,-python,-tools}-20190103-1.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python,-python3,-tools}-20190103-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
python-certifi-2018.11.29-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - Certifi is a carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This package supports plaso.
Volatility-2.6-6.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and Volatility-2.6-6.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to November 19, 2018.
You can read about this version here.
python-dfdatetime-20190116-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
pfring-7.4.0-2377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1476.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.15-300 for FC29
4.19.14-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.19.15-300 for FC29
4.19.14-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.15-200 for FC28
4.19.14-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.19.15-200 for FC28
4.19.14-300 for FC28
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.50.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.10.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-50.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.10.1 for EL6
January 14, 2019:
The following changes have been made:
pfring-7.4.0-2374.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2374.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
artifacts-20190113-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and artifacts-20190113-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
Please note that with this release, it is no longer necessary to revert to version 20181213 of artifacts on Fedora 24, 25, or CentOS/RHEL 7 to fix a problem when using plaso.
To install this version of artifacts on Fedora 24, 25, or CentOS/RHEL 7, run the command update-plaso.
libvshadow{,-devel,-python,-python3,-tools}-20190112-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python,-tools}-20190112-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python,-python3,-tools}-20190112-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
To install this version of libvshadow on Fedora 24, 25, or CentOS/RHEL 7, run the command update-plaso.
January 11, 2019:
The following changes have been made:
libfsntfs{,-devel,-python,-python3,-tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python,-tools}-20190104-1.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python,-python3,-tools}-20190104-1.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libfvde{,-devel,-python,-python3,-tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,-devel,-python,-tools}-20190104-1.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python,-python3,-tools}-20190104-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
plaso-20181219-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-3.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Here are the recent changes:
Release 2
For Fedora 24 and 25 and CentOS/RHEL 7, this release contains a new program named update-plaso, the purpose of which is to update the packages installed via pip for the Python Virtual Environment built for plaso.
The recommendation is to run update-plaso routinely to keep plaso updated.
No changes were made for the Fedora 26, 27, 28, and 29 revisions of plaso.
Release 3
For CentOS/RHEL 7, the version of Python 2 installed by default is 2.7.5 which is fairly old.
This version causes problems in plaso.
To solve these problems, the version of Python 2 - 2.7.13 - that is distributed as part of the RedHat Software Collections Library (SCL) is used for plaso.
This resulted in a re-engineering of the installation and the installed scripts to use the scl program.
This version contains those re-engineered versions.
To use this version of plaso, run the following command:
sudo yum -y install centos-release-scl-rh
No changes were made for the Fedora 24, 25, 26, 27, 28, and 29 revisions of plaso.
Please note that the pip package artifacts, version 20190111, causes plaso to generate errors and exit prematurely.
To solve this problem after installing or updating plaso on Fedora 24 or 25 or CentOS/RHEL 7, do the following:
pfring-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1459.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
January 4, 2019:
The following changes have been made:
pfring-7.4.0-2360.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2360.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1458.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
libbde{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libesedb{,-devel,-python,-python3,-tools}-20181229-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libesedb{,-devel,-python,-tools}-20181229-1.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python,-python3,-tools}-20181229-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
libevt{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libfwnt{,-devel,-python,-python3}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20181227-1.el6.x86_64.rpm, and libfwnt{,-devel,-python,-python3}-20181227-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfwsi{,-devel,-python,-python3}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20181227-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20181227-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
libmsiecf{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc26,fc27,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libqcow{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libscca{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
libsmdev{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libvhdi{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libvslvm{,-devel,-python,-python3,-tools}-20181227-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvslvm{,-devel,-python,-tools}-20181227-1.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python,-python3,-tools}-20181227-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
libolecf{,-devel,-python,-python3,-tools}-20181231-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libolecf{,-devel,-python,-tools}-20181231-1.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python,-python3,-tools}-20181231-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
libregf{,-devel,-python,-python3,-tools}-20181231-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python,-tools}-20181231-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python,-python3,-tools}-20181231-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
python{2,3}-urllib3-1.24.1-2.fc26.{i686,x86_64}.rpm - Python-urllib3 is a powerful, sanity-friendly HTTP client for Python.
Much of the Python ecosystem already uses urllib3.
urllib3 brings many critical features that are missing from the Python standard libraries:
Thread safety.
Connection pooling.
Client-side SSL/TLS verification.
File uploads with multipart encoding.
Helpers for retrying requests and dealing with HTTP redirects.
python{2,3}-requests-2.20.0-1.fc26.{i686,x86_64}.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
This package was built to support plaso.
plaso-20181219-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Please note that for Fedora 24 and 25 and CentOS/RHEL 7, all of the ancillary packages needed by plaso are installed using the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
rekall-forensics-1.7.1-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm - Rekall is an advanced forensic and incident response framework.
While it began life purely as a memory forensic framework, it has now evolved into a complete platform.
Rekall implements the most advanced analysis techniques in the field, while still being developed in the open, with a free and open source license. Many of the innovations implemented within Rekall have been published in peer reviewed papers.
Please note that the installation of all of the ancillary packages needed by rekall uses the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
Please also note that to install this package, you will first need to remove rekall-1.7.2 which was previously installed in the forensics-test repository.
To do this, do the following:
The program to run is now named rekall.py due to conflicts with another package named rekall.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.13-300 for FC29
4.19.12-301 for FC29
4.19.10-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.19.13-300 for FC29
4.19.12-301 for FC29
4.19.10-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.13-200 for FC28
4.19.12-200 for FC28
4.19.10-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.19.13-200 for FC28
4.19.12-200 for FC28
4.19.10-200 for FC28
December 18, 2018:
The following changes have been made:
artifacts-20181213-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and artifacts-20181213-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libfsapfs{,-devel,-python,-python3,-tools}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python,-tools}-20181205-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python,-python3,-tools}-20181205-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
libfwnt{,-devel,-python,-python3}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwnt{,-devel,-python,-python3}-20181215-1.el7.x86_64.rpm, and libfwnt{,-devel,-python,-python3}-20181215-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
libfwsi{,-devel,-python,-python3}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20181215-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20181215-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
libmsiecf{,-devel,-python,-python3,-tools}-20181215-1.{fc24,fc25,fc26,fc26,fc27,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python,-tools}-20181215-1.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python,-python3,-tools}-20181215-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libsigscan{,-devel,-python,-python3,-tools}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsigscan{,-devel,-python,-tools}-20181215-1.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python,-python3,-tools}-20181215-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
libsmdev{,-devel,-python,-python3,-tools}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20181215-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20181215-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
libsmraw{,-devel,-python,-python3,-tools}-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20181215-1.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20181215-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
libwrc{,-devel,-python,-python3,-tools}-20181203-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libwrc{,-devel,-python,-python3,-tools}-20181203-1.el7.x86_64.rpm, and libwrc{,-devel,-python,-tools}-20181203-1.el6.{i686,x86_64}.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
libevtx{,-devel,-python,-python3,-tools}-20181016-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python,-tools}-20181016-1.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python,-python3,-tools}-20181016-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
libvslvm{,-devel,-python,-python3,-tools}-20181216-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvslvm{,-devel,-python,-tools}-20181216-1.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python,-python3,-tools}-20181216-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
dfvfs-20181215-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This release is testing APFS support in plaso.
libevt{,-devel,-python,-python3,-tools}-20181216-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python,-tools}-20181216-1.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python,-python3,-tools}-20181216-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libqcow{,-devel,-python,-python3,-tools}-20181216-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20181216-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20181216-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libvshadow{,-devel,-python,-python3,-tools}-20181216-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python,-tools}-20181216-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python,-python3,-tools}-20181216-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
This version uses the external version of libbfio to support
DFF, the Digital Forensics Framework.
silk-ipset-{devel,lib,tools}-3.18.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and silk-ipset{-devel,-lib,-tools}-3.18.0-1.el7.x86_64.rpm -
The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.0-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.9-3.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.9-3.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes.
This package was rebuilt to use silk 3.18.0.
prism-1.2-5.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - The prism
trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This package was rebuilt to use silk 3.18.0.
super_mediator-1.6.0-5.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.6.0-5.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use silk 3.18.0.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.9-300 for FC29
4.19.8-300 for FC29
4.19.7-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.19.9-300 for FC29
4.19.8-300 for FC29
4.19.7-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.8-200 for FC28
4.19.7-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.19.8-200 for FC28
4.19.7-200 for FC28
December 7, 2018:
The following changes have been made:
libregf{,-devel,-python,-python3,-tools}-20181129-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python,-tools}-20181129-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python,-python3,-tools}-20181129-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
dfvfs-20181202-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This release is testing APFS support in plaso.
libfsapfs{,-devel,-python,-python3,-tools}-20181205-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python,-tools}-20181205-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python,-python3,-tools}-20181205-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
libfixbuf{,-devel}-2.2.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
pyfixbuf-0.6.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf
is a Python API for libfixbuf, an implementation of the
IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-5.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
This version was rebuilt for libfixbuf-2.2.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-6.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-6.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This version was rebuilt for libfixbuf-2.1.0.
libschemaTools{,-devel}-1.3-3.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-3.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.2.0.
analysis-pipeline-5.9-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.9-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes.
This package was rebuilt to use libfixbuf 2.2.0.
super_mediator-1.6.0-4.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.6.0-4.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This package was rebuilt to use libfixbuf 2.2.0.
yaf{,-devel}-2.10.0-3.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.10.0-3.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or
UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
This package was rebuilt to use libfixbuf 2.2.0.
lime-kernel-modules-1.1.r17-15.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 29 x86_64 and i386 architectures was added.
fmem-kernel-modules-1.6-1.15.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 29 x86_64 and i386 architectures was added.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.6-300 for FC29
4.19.5-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.19.6-300 for FC29
4.19.5-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.6-200 for FC28
4.19.5-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.19.6-200 for FC28
4.19.5-200 for FC28
fmem-kernel-modules-el7-x86_64-1.6-1.47.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-957.1.3 for EL7
3.10.0-957 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-47.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-957.1.3 for EL7
3.10.0-957 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.49.noarch.rpm - Support for the following kernel was added for Fmem:
2.6.32-754.9.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-49.noarch.rpm - Support for the following kernel was added for LiME:
2.6.32-754.9.1 for EL6
Fedora 23 - Updates to Fedora 23 for both the i686 and x86_64 CPU architectures have ceased.
November 29, 2018:
The following changes have been made:
pfring-7.2.0-2285.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2285.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libbde{,-devel,-python,-python3,-tools}-20181124-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20181124-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20181124-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libfsapfs{,-devel,-python,-python3,-tools}-20181125-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python,-tools}-20181125-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python,-python3,-tools}-20181125-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
libqcow{,-devel,-python,-python3,-tools}-20181124-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20181124-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20181124-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libvhdi{,-devel,-python,-python3,-tools}-20181125-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python,-tools}-20181125-1.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python,-python3,-tools}-20181125-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libvmdk{,-devel,-python,-python3,-tools}-20181124-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python,-tools}-20181124-1.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python,-python3,-tools}-20181124-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
libregf{,-devel,-python,-python3,-tools}-20181127-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python,-tools}-20181127-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python,-python3,-tools}-20181127-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
dfvfs-20181128-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This release is testing APFS support in plaso.
super_mediator-1.6.0-3.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.6.0-3.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
This release - 3 - was built to properly support SiLK IPSets, allowing the IN_LIST and NOT_IN_LIST operators in filters.
Thanks to Braden Licastro of the IT department at the Software Engineering Institute for requesting SiLK IPSet support and for testing the updated packages on RHEL 6.
libscca{,-devel,-python,-python3,-tools}-20181128-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python,-python3,-tools}-20181128-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
dtfabric-20181128-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and dtfabric-20181128-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
libexe{,-devel,-python,-python3,-tools}-20181128-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libexe{,-devel,-python,-tools}-20181128-1.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python,-python3,-tools}-20181128-1.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.4-300 for FC29
4.19.3-300 for FC29
4.19.2-301 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.19.4-300 for FC29
4.19.3-300 for FC29
4.19.2-301 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.19.4-200 for FC28
4.19.3-200 for FC28
4.19.2-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.19.4-200 for FC28
4.19.3-200 for FC28
4.19.2-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.19-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernel was added for LiME:
4.18.19-100 for FC27
November 20, 2018:
The following changes have been made:
pfring-7.2.0-2239.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2239.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libqcow{,-devel,-python,-python3,-tools}-20181117-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20181117-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20181117-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
libvhdi{,-devel,-python,-python3,-tools}-20181118-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python,-tools}-20181118-1.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python,-python3,-tools}-20181118-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
libbde{,-devel,-python,-python3,-tools}-20181117-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20181117-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20181117-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libvmdk{,-devel,-python,-python3,-tools}-20181118-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python,-tools}-20181118-1.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python,-python3,-tools}-20181118-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
Volatility-2.6-5.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and Volatility-2.6-5.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to November 19, 2018.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernel was added for Fmem:
4.19.2-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernel was added for LiME:
4.19.2-300 for FC29
November 16, 2018:
The following changes have been made:
pfring-7.2.0-2232.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2232.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libfsapfs{,-devel,-python,-python3,-tools}-20181110-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python,-tools}-20181110-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python,-python3,-tools}-20181110-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
CERT-Forensics-Tools-1.0-82.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-82.el7.x86_64.rpm -
The changes since the last release (1.0-81) are the following:
rekall-1.7.2-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm - Rekall is an advanced forensic and incident response framework.
While it began life purely as a memory forensic framework, it has now evolved into a complete platform.
Rekall implements the most advanced analysis techniques in the field, while still being developed in the open, with a free and open source license. Many of the innovations implemented within Rekall have been published in
peer reviewed papers.
Note that this package has been installed in the forensics-test repository for now.
To install rekall on your system, you first need to enable this repository by running this command for Fedora:
Please note that the installation of all of these ancillary packages needed by rekall uses the pip program in a Python Virtual Environment.
Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
autopsy-4.9.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and autopsy-4.9.1-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Note that autopsy has been promoted from the forensics-test repository.
In addition, the Java™ Platform, Standard Edition Development Kit (JDK™) from Oracle also needs to be installed before running autopsy.
That package can be found here.
Testing has been verified to work with JDK 8, update 191.
coreutilsshim-1.0-1.fc29.noarch.rpm - CoreutilsShim is a package that resolves dependencies from changes to the coreutils package for Fedora 29.
sleuthkit{,-devel,-libs}-4.6.4-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.3) released to this repository.
apfs-fuse-20181116-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20181116-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.18-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernel was added for LiME:
4.18.18-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.18-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernel was added for LiME:
4.18.18-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.18-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernel was added for LiME:
4.18.18-100 for FC27
November 12, 2018:
The following changes have been made:
pfring-7.2.0-2229.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2229.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
packetexaminer-0.9-4.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm - PacketExaminer is a harness to perform PCAP analysis.
In this release, the packages needed to support the --graph, --url, --netmap, and --timeseries command line options are now installed by default.
Furthermore, the previously required scapy and prettytable packages have been similarly replaced.
Please note that the installation of all of these ancillary packages uses the pip3 program.
Ensure that pip3 works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
November 9, 2018:
The following changes have been made:
pfring-7.2.0-2226.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2226.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
xmount-0.7.6-3.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types.
cutter-1.7.2-2.{fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and cutter-1.7.2-2.el7.x86_64.rpm - Cutter is a Qt and C++
GUI for radare2 reverse engineering framework.
Its goal is making an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version of cutter is based on the code dated 2018-11-08 which was built to embed radare2 version 2.6.0 in it.
CERT-Forensics-Tools-1.0-81.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-81.el7.x86_64.rpm -
The changes since the last release (1.0-78) are the following:
wireshark-gnome is not installed on Fedora 29-based systems because this package is not provided by Red Hat.
Cutter replaces bokken for Fedora 26 through 29 systems and for CentOS/RHEL 7 systems.
In addition, python-radare2 has also been obsoleted on Fedora 26 through 29 systems and for CentOS/RHEL 7 systems since it is no longer needed and
incompatible with the latest version of radare2 on Fedora systems.
python{2,3}-scapy-2.4.0-4.{fc23,fc24,fc25,el7}.noarch.rpm - Scapy is a powerful interactive packet manipulation program.
It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping,
tcpdump, tethereal, p0f, etc.).
It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames,
combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.
python{,3}-prettytable-0.7.2-3.el7.noarch.rpm - Python-PrettyTable is a simple Python library designed to make it quick
and easy to represent tabular data in visually appealing ASCII tables.
It was inspired by the ASCII tables used in the PostgreSQL shell psql.
PrettyTable allows for selection of which columns are to be printed, independent alignment of columns (left or right justified or centred) and printing of “sub-tables” by specifying a row range.
packetexaminer-0.9-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm - PacketExaminer is a harness to perform PCAP analysis that
a security engineer may do during an incident response or when looking at network security.
The author found that they were frequently using a collection of tools and techniques again and again and thought it would be helpful to create a program that would do this.
This hopefully automates some routine functions that one would do manually.
examiner-tooldocumentation-1.18-8.el7.noarch.rpm - The following packages were added to the documentation suite found on the desktop:
packetexaminer
and the following packages were removed:
bokken
Once this package has been updated, run the following command:
sudo manage-examiner-login -S -v
to install these changes in the examiner's desktop.
fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.17-300 for FC29
lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernel was added for LiME:
4.18.17-300 for FC29
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernel was added for Fmem:
4.18.17-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernel was added for LiME:
4.18.17-200 for FC28
November 5, 2018:
The following changes have been made:
pfring-7.2.0-2215.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2215.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libmdmp{,-devel,-tools}-20181031-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - Libmdmp
is a library to access the Windows Minidump (MDMP) format.
Note that this project currently only focuses on the analysis of the format.
libhibr{,-devel,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - libhibr
is a library and tools to access the Windows Hibernation File (hiberfil.sys) format.
Note that this project currently only focuses on the analysis of the format.
libfshfs{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm and libfshfs{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm - Libfshfs
is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
libmodi{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libmodi{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python,-python3,-tools}-20181101-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libfsext{,-devel,-python,-python3,-tools}-20181101-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfsext{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm - Libfsext
is a library and tools to access the Extended File System (EXT).
Note that this project currently only focuses on the analysis of the format.
libnk2{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm and libnk2{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm - Libnk2
is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
libphdi{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libphdi{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libphdi{,-devel,-python,-python3,-tools}-20181101-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
libexe{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libexe{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python,-python3,-tools}-20181101-1.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libwtcdb{,-devel,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm and libwtcdb{,-devel,-tools}-20181101-1.el6.{i686,x86_64}.rpm -
Libwtcdb is a library and tools to access the Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db).
libagdb{,-devel,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - Libagdb
is a library to access the SuperFetch database format.
libcreg{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm and libcreg{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm - Libcreg
is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libscca{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20181101-1.el6.x86_64.rpm, and libscca{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
See here for the list of changes.
libfsntfs{,-devel,-python,-python3,-tools}-20181101-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python,-tools}-20181101-1.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python,-python3,-tools}-20181101-1.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
Fedora 29 - The repository now supports Fedora 29
for the x86_64 and i386 CPU architectures.
Here is the list of tools provided for Fedora 29:
radare2{,-devel,-common}-2.9.0-1.el7.x86_64.rpm - Radare
is a framework for doing reverse engineering.
python-radare2-2.9.0-1.el7.x86_64.rpm - Python-Radare
are bindings that allow Radare to be used from Python.
These updates were made to keep pace with the Radare2 package installed in CentOS/RHEL 7.
dtfabric-20181103-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and dtfabric-20181103-1.el7.x86_64.rpm -
Dtfabric
is a project to manage data types and structures, as used in the libyal projects.
python-dfdatetime-20181025-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
splunk-7.2.0-8c86330ac18-linux-2.6-x86_64.rpm and splunk-7.2.0-8c86330ac18.i386.rpm - This version of
Splunk was added to the Splunk repository for Fedora through 29 and Fedora 6 and 7 for the i386 and x86_64 architectures.
Follow these instructions after upgrading
to this version.
Make sure that you follow these instructions after upgrading but before rebooting.
If you do not follow these instructions, your system may hang when it reboots.
splunkshim-1.0-1.fc29.noarch.rpm - SplunkShim is a package that resolves dependencies from changes to the coreutils package for Fedora 29.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.16-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels was added for LiME:
4.18.16-100 for FC27
October 26, 2018:
The following changes have been made:
pfring-7.2.0-2205.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2205.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
apfs-fuse-20181022-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20181008-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
xlsxwriter-1.1.2-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and xlsxwriter-1.1.2-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.8).
autopsy-4.9.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and autopsy-4.9.0-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Note that this package has been installed in the forensics-test repository for now.
To install autopsy on your system, you first need to enable this repository by running this command for Fedora: sudo dnf config-manager --set-enabled forensics-test
or this command for CentOS/RHEL: sudo yum-config-manager --enable forensics-test.
In addition, the Java™ Platform, Standard Edition Development Kit (JDK™) from Oracle also needs to be installed before running autopsy.
That package can be found here.
Testing has been verified to work with JDK 8, update 191.
If you encounter problems with this version of autopsy, please send an email to:
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.15-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.18.15-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.15-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
4.18.15-100 for FC27
October 19, 2018:
The following changes have been made:
snort-2.9.12-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and snort-2.9.12-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
This release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
snort-sample-rules-2.9.12-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.12-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.12-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
Volatility-2.6-4.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i386,x86_64}.rpm and Volatility-2.6-4.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to October 15, 2018.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
sleuthkit{,-devel,-libs}-4.6.3-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.2) released to this repository.
regripper-plugins-20181017-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.noarch.rpm - Regripper-plugins
are the plugins packaged separately from the regripper application.
This package is taken from the plugins directory at the Github source code site as of 2018-10-17.
python-certifi-2018.10.15-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This package was built to support plaso.
pfring-7.2.0-2190.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2190.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.14-200 for FC28
4.18.13-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.18.14-200 for FC28
4.18.13-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.13-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels was added for LiME:
4.18.13-100 for FC27
October 11, 2018:
The following changes have been made:
apfs-fuse-20181008-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20181008-2.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
exfat-utils-1.3.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.8).
pfring-7.2.0-2174.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2174.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
cutter-1.7.2-1.{fc26,fc27,fc28,el7}.x86_64.rpm - Cutter is a Qt and C++
GUI for the radare2 reverse engineering framework.
Its goal is to provide an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
libbfio{,-devel}-20180910-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
See here for the list of changes.
libqcow{,-devel,-python,-python3,-tools}-20180831-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20180831-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20180831-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
CERT-Forensics-Tools-1.0-78.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-78.el7.x86_64.rpm -
This package was updated to add the cutter package for
Fedora 26 through 28 for the x86_64 architecture and CentOS/RHEL 7 for the x86_64 architecture.
examiner-tooldocumentation-1.18-7.el7.noarch.rpm - This package was updated to add the following programs to the documentation suite found on the desktop:
cutter
Once this package has been updated, run sudo manage-examiner-login -S -v to install these changes in the examiner's desktop.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.12-200 for FC28
4.18.11-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.18.12-200 for FC28
4.18.11-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.11-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels was added for LiME:
4.18.11-100 for FC27
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.48.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.6.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-48.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.6.3 for EL6
October 5, 2018:
The following changes have been made:
sleuthkit{,-devel,-libs}-4.6.2-2.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.0) released to this repository.
pfring-7.2.0-2167.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2167.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.10-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.18.10-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.10-100 for FC27
4.18.9-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
4.18.10-100 for FC27
4.18.9-100 for FC27
fmem-kernel-modules-el7-x86_64-1.6-1.46.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.14.4 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-46.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.14.4 for EL7
October 2, 2018:
The following changes have been made:
plaso-20180930-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and plaso-20180930-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline
for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 23, 24, 25, 26, 27, and 28 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
python-radare2-2.9.0-1.{fc27,fc28}.{i686,x86_64}.rpm - Python-Radare
are bindings that allow Radare to be used from Python.
These updates were made to keep pace with the Radare2 package installed in Fedora 27 and 28.
September 28, 2018:
The following changes have been made:
pfring-7.2.0-2163.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2163.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.9-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.18.9-200 for FC28
September 21, 2018:
The following changes have been made:
pfring-7.2.0-2154.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2154.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.8-200 for FC28
4.18.7-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.18.8-200 for FC28
4.18.7-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.7-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.18.7-100 for FC27
September 15, 2018:
The following changes have been made:
yara-python-3.8.1-1.x86_64.el7.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in CentOS/RHEL 7.
September 14, 2018:
The following changes have been made:
pfring-7.2.0-2150.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2150.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.18.5-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.18.5-200 for FC28
September 7, 2018:
The following changes have been made:
pfring-7.2.0-2133.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2133.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
dfvfs-20180831-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
pyfixbuf-0.5.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf
is a Python API for libfixbuf, an implementation of the
IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this
and all releases.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.19-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.17.19-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.19-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.17.19-100 for FC27
August 30, 2018:
The following changes have been made:
artifacts-20180827-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and artifacts-20180827-1.el7.x86_64.rpm -
Artifacts is a free,
community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
xlsxwriter-1.0.8-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.8-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.5).
python-certifi-2018.8.24-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This package was built to support plaso.
dfvfs-20180827-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
pfring-7.2.0-2128.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2128.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.18-200 for FC28
4.17.17-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.17.18-200 for FC28
4.17.17-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.17-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.17.17-100 for FC27
August 24, 2018:
The following changes have been made:
pfring-7.2.0-2113.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2113.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-elasticsearch5-5.5.5-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm - ElasticSearch5 is a low-level client for
Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python;
because of this it tries to be opinion-free and very extendable. For a more high level client library with more limited scope, have a
look at elasticsearch-dsl - a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way
to write and manipulate queries. It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the
whole range of the DSL from Python either directly using defined classes or queryset-like expressions. It also provides an optional
persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents,
wrapping the document data in user-defined classes.
python-elasticsearch-6.3.1-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and python-elasticsearch-6.3.1-1.el7.x86_64.rpm -
ElasticSearch is the official low-level client for
Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python;
because of this it tries to be opinion-free and very extendable. For a more high level client library with more limited scope, have a
look at elasticsearch-dsl - a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way
to write and manipulate queries. It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the
whole range of the DSL from Python either directly using defined classes or queryset-like expressions. It also provides an optional
persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents,
wrapping the document data in user-defined classes.
python-setuptools_scm-1.15.7-2.el7.x86_64.rpm - Python-Setuptools_scm
is a package that manages your Python package versions in SCM metadata.
It also provides file finders for the supported SCMs.
This package was required to build LZ4 for CentOS/RHEL 7.
python-lz4-0.10.0-1.{fc25,fc24,fc23}.{i386,x86_64}.rpm and python-lz4-0.10.0-1.el7.x86_64.rpm - LZ4
contains the python bindings for the lz4 compression library.
This package was built for CentOS/RHEL 7 to support Plaso.
plaso-20180818-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and plaso-20180818-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 23, 24, 25, 26, 27, and 28 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
August 17, 2018:
The following changes have been made:
pfring-7.2.0-2096.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2096.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.14-202 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.17.14-202 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.14-102 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.17.14-102 for FC27
fmem-kernel-modules-el7-x86_64-1.6-1.45.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.11.6 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-45.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.11.6 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.47.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.3.5 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-47.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.3.5 for EL6
August 10, 2018:
The following changes have been made:
libbde{,-devel,-python,-python3,-tools}-20180806-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20180806-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20180806-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
dtfabric-20180808-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dtfabric-20180808-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
python{2,3}-pefile-2018.8.8-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm -
PEFile is a Portable Executable reader module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.11-200 for FC28
4.17.12-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.17.11-200 for FC28
4.17.12-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.12-100 for FC27
4.17.11-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.17.12-100 for FC27
4.17.11-100 for FC27
August 3, 2018:
The following changes have been made:
pfring-7.2.0-2083.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2083.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
apfs-fuse-20180731-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20180731-2.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the on-disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it is read-only, at least the data on your APFS drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
libpff{,-devel,-python,-python3,-tools}-20180714-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libpff{,-devel,-python,-python3,-tools}-20180714-1.el7.x86_64.rpm, and libpff{,-devel,-python,-tools}-20180714-1.{i686,x86_64}.rpm -
Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF, the Digital Forensics Framework.
libvsmbr{,-devel,-python,-python3,-tools}-20180731-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libvsmbr{,-devel,-python,-python3,-tools}-20180731-1.el7.x86_64.rpm, and libvsmbr{,-devel,-python,-tools}-20180731-1.el6.{i686,x86_64}.rpm -
Libvsmbr is a library and tools to access the Master Boot Record (MBR) volume system.
plaso-20180703-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and plaso-20180703-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 23, 24, 25, 26, 27, and 28 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.9-200 for FC28
4.17.7-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.17.9-200 for FC28
4.17.7-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.9-100 for FC27
4.17.7-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.17.9-100 for FC27
4.17.7-100 for FC27
July 20, 2018:
The following changes have been made:
libfwsi{,-devel,-python,-python3}-20180630-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20180630-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20180630-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
plaso-20180630-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and plaso-20180630-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 23, 24, 25, 26, 27, and 28 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
pfring-7.2.0-2060.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2060.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-dfdatetime-20180704-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dtfabric-20180707-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dtfabric-20180707-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
dfwinreg-20180712-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dfwinreg-20180712-1.{el6,el7}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
dfvfs-20180703-1.{fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libfixbuf{,-devel}-2.1.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
pyfixbuf-0.4.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
This package was rebuilt to use libfixbuf 2.1.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-3.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
This version was rebuilt for libfixbuf-2.1.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-4.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-4.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This version was rebuilt for libfixbuf-2.1.0.
libschemaTools{,-devel}-1.3-2.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-2.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.1.0.
analysis-pipeline-5.8-2.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.8-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use libfixbuf 2.1.0.
super_mediator-1.6.0-2.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and super_mediator-1.6.0-2.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.1.0.
yaf{,-devel}-2.10.0-2.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.10.0-2.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture on an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 on the x86_64 architecture, yaf has been built to use PF_Ring.
This package was rebuilt to use libfixbuf 2.1.0.
apfs-fuse-20180720-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20180720-2.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the on-disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it is read-only, at least the data on your APFS drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far).
Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.6-200 for FC28
4.17.5-200 for FC28
4.17.4-200 for FC28
4.17.3-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.17.6-200 for FC28
4.17.5-200 for FC28
4.17.4-200 for FC28
4.17.3-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.6-100 for FC27
4.17.5-100 for FC27
4.17.3-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.17.6-100 for FC27
4.17.5-100 for FC27
4.17.3-100 for FC27
fmem-kernel-modules-el7-x86_64-1.6-1.44.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.9.1 for EL7
3.10.0-862.6.3 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-44.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.9.1 for EL7
3.10.0-862.6.3 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.46.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-754.2.1 for EL6
2.6.32-754 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-46.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-754.2.1 for EL6
2.6.32-754 for EL6
June 29, 2018:
The following changes have been made:
pfring-7.2.0-2043.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2043.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-2.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.2-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
artifacts-20180628-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and artifacts-20180628-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libfwsi{,-devel,-python,-python3}-20180623-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20180623-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20180623-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
liblnk{,-devel,-python,-python3,-tools}-20180626-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, liblnk{,-devel,-python,-tools}-20180826-1.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python,-python3,-tools}-20180626-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
See here for the list of changes.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.17.2-200 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.17.2-200 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.16-200 for FC27
4.17.2-100 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.16.16-200 for FC27
4.17.2-100 for FC27
June 22, 2018:
The following changes have been made:
Volatility-2.6-3.{fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i386,x86_64}.rpm and Volatility-2.6-3.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to June 15, 2018.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
pfring-7.2.0-2026.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2026.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.16-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.16.16-300 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.15-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.16.15-200 for FC27
fmem-kernel-modules-el7-x86_64-1.6-1.43.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.3.3 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-43.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.3.3 for EL7
June 15, 2018:
The following changes have been made:
pfring-7.2.0-2003.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.2.0-2003.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
pyfixbuf-0.3.0-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
This package was rebuilt to use libfixbuf 2.0.0.
python-dfdatetime-20180606-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dtfabric-20180604-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dtfabric-20180604-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
ssdeep-2.14.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.15-300 for FC28
4.16.14-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.16.15-300 for FC28
4.16.14-300 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.14-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.16.14-200 for FC27
June 8, 2018:
The following changes have been made:
apfs-fuse-20180604-2.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20180604-2.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
In this version the assembly language code was removed and replaced by zlib and lzfse.
libluksde{,-devel,-python2,-python3,-tools}-20180514-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm, libluksde{,-devel,-python2,-python3,-tools}-20180514-1.el7.x86_64.rpm, and libluksde{,-devel,-python,-tools}-20180514-1.el6.{i686,x86_64}.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
See here for the list of changes.
radare2{,-devel}-2.7.0-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and radare2{,-devel}-2.7.0-1.el7.x86_64.rpm -
Radare is a framework for doing reverse engineering.
python-radare2-2.6.0-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and python-radare2-2.6.0-1.el7.x86_64.rpm -
Python-Radare are bindings that allow Radare to be used from Python.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.13-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.16.13-300 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.13-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.16.13-200 for FC27
June 1, 2018:
The following changes have been made:
pfring-7.0.0-1976.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1976.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.12-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.16.12-300 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.12-200 for FC27
4.16.11-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.16.12-200 for FC27
4.16.11-200 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.11-100 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
4.16.11-100 for FC26
libfixbuf{,-devel}-2.0.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
libschemaTools{,-devel}-1.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-1.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.0.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.1-2.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.17.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset-{devel,lib,tools}-3.17.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
prism-1.2-4.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.{i686,x86_64}.rpm -
The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This is a new release keeping up with the latest SiLK 3 tools.
super_mediator-1.6.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and super_mediator-1.6.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
yaf{,-devel}-2.10.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.10.0-1.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture on an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 on the x86_64 architecture, yaf has been built to use PF_Ring.
analysis-pipeline-5.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.8-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.17.1 and libfixbuf 2.0.0.
Fedora 22 - Updates to Fedora 22 for both the i686 and x86_64 CPU architectures have ceased.
May 27, 2018:
The following changes have been made:
pfring-7.0.0-1970.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1970.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
dtfabric-20180522-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dtfabric-20180522-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
xlsxwriter-1.0.5-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.5-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.4).
python-biplist-1.0.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and python-biplist-1.0.3-1.el7.x86_64.rpm -
Biplist is a library for reading/writing binary plists.
Binary Property List (plist) files provide a faster and smaller serialization format for property lists on OS X.
This is a library for generating binary plists which can be read by OS X, iOS, or other clients.
python-elasticsearch5-5.5.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el7}.{i686,x86_64}.rpm -
ElasticSearch5 is a low-level client for Elasticsearch. Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extendable.
For a more high-level client library with more limited scope, have a look at elasticsearch-dsl, a more pythonic library sitting on top of elasticsearch-py. It provides a more convenient and idiomatic way to write and manipulate queries.
It stays close to the Elasticsearch JSON DSL, mirroring its terminology and structure while exposing the whole range of the DSL from Python, either directly using defined classes or through queryset-like expressions.
It also provides an optional persistence layer for working with documents as Python objects in an ORM-like fashion: defining mappings, retrieving and saving documents, and wrapping the document data in user-defined classes.
python{2,3}-psutil-5.4.3-4.{fc23,fc24,fc25}.{i686,x86_64}.rpm, python2-psutil-5.4.3-4.fc22.{i686,x86_64}.rpm, and python2-psutil-5.4.3-4.el7.x86_64.rpm -
Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
This package was built to support plaso.
plaso-20180524-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and plaso-20180524-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 22, 23, 24, 25, 26, 27, and 28 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.11-300 for FC28
4.16.10-300 for FC28
4.16.9-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.16.11-300 for FC28
4.16.10-300 for FC28
4.16.9-300 for FC28
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.9-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.16.9-200 for FC27
fmem-kernel-modules-el7-x86_64-1.6-1.42.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.3.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-42.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.3.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.45.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.30.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-45.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.30.1 for EL6
May 18, 2018:
The following changes have been made:
pfring-7.0.0-1949.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1949.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-dfdatetime-20180510-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el6,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dfvfs-20180510-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28,el7}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
artifacts-20180505-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and artifacts-20180505-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
dfwinreg-20180329-1.{fc22,fc23,fc24,fc25,fc26,fc27,fc28}.{i686,x86_64}.rpm and dfwinreg-20180329-1.{el6,el7}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
icu-57.1-9.1.fc27.{i686,x86_64}.rpm, libicu{,-devel}-57.1-9.1.fc27.{i686,x86_64}.rpm, and libicu-doc-57.1-9.1.fc27.noarch.rpm -
ICU is a mature, widely used set of C/C++ and Java libraries providing Unicode and Globalization support for software applications.
ICU is widely portable and gives applications the same results on all platforms and between C/C++ and Java software.
Note that there is a bug in the Fedora-provided version for Fedora 27 that is explained and patched here.
This patch has been applied in version 9.1 of this package.
ICU is needed for the QTMLTFS package.
qtmltfs-2.2.2-2.{fc28,fc27,el6}.{i686,x86_64}.rpm and qtmltfs-2.2.2-2.el7.x86_64.rpm -
QTMLTFS (Quantum Linear Tape File System) enables standard file operations on LTO-5 and LTO-6 tape media.
Note that this package is not available for Fedora 24 through 26 due to problems with the ICU package.
fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.8-300 for FC28
lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.16.8-300 for FC28
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.7-100 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.16.7-100 for FC26
fmem-kernel-modules-el7-x86_64-1.6-1.41.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-862.2.3 for EL7
3.10.0-862 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-41.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-862.2.3 for EL7
3.10.0-862 for EL7
May 11, 2018:
The following changes have been made:
pfring-7.0.0-1926.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1926.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libnk2{,-devel,-python,-python3,-tools}-20180503-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libnk2{,-devel,-python,-tools}-20180503-1.el6.{i686,x86_64}.rpm -
Libnk2 is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
libscca{,-devel,-python,-python3,-tools}-20180509-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20180509-1.el6.x86_64.rpm, and libscca{,-devel,-python,-python3,-tools}-20180509-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
See here for the list of changes.
Fedora 28 - The repository now supports Fedora 28 for the x86_64 and i386 CPU architectures.
Here is the list of tools provided for Fedora 28:
lime-kernel-modules-1.1.r17-14.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 28 x86_64 and i386 architectures was added.
fmem-kernel-modules-1.6-1.14.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 28 x86_64 and i386 architectures was added.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.16.7-200 for FC27
4.16.6-202 for FC27
4.16.5-200 for FC27
4.16.4-200 for FC27
4.16.3-200 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.16.7-200 for FC27
4.16.6-202 for FC27
4.16.5-200 for FC27
4.16.4-200 for FC27
4.16.3-200 for FC27
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.44.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.28.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-44.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.28.1 for EL6
April 27, 2018:
The following changes have been made:
pfring-7.0.0-1887.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1887.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
apfs-fuse-20180424-1.{fc24,fc25,fc26,fc27}.{i386,x86_64}.rpm and apfs-fuse-20180424-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
See here for a list of the changes since the last version (20180303).
aimage-3.2.5-3.{el6,el7}.{i386,x86_64}.rpm - Aimage (the advanced imager) is an imaging tool which is part of AFF, the Advanced Forensic Format.
Aimage can create files in raw, AFF, AFD, or AFM formats.
AFF and AFD formats can be compressed or uncompressed.
Aimage can optionally compress and calculate MD5 or SHA-1 hash residues while the data is being copied.
It has intelligent error recovery, similar to what is in ddrescue.
CERT-Forensics-Tools-1.0-76.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-76.el7.x86_64.rpm -
This package was updated to add the apfs-fuse package to the systems where it is supported.
This release also installs aimage, libluksde, and libluksde-tools for CentOS/RHEL 7, and aimage for CentOS/RHEL 6.
examiner-tooldocumentation-1.18-6.el7.noarch.rpm - This package was updated to add the following programs to the documentation suite found on the desktop:
aimage
apfs-dump-quick
apfs-dump
apfs-fuse
luksdeinfo
luksdemount
lzfse
partclone.f2fs
psteal.py
usnjls
Once this package has been updated, run sudo manage-examiner-login -S -v to install these changes in the examiner's desktop.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.17-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.15.17-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.17-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.15.17-200 for FC26
April 20, 2018:
The following changes have been made:
libfwsi{,-devel,-python,-python3}-20180408-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20180408-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20180408-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
Here are the changes:
Improved Python bindings
Fixed issues in m4/libclocale.m4
Made changes to setup.py for sdist
Applied updates
Worked on tests
Made changes to URI and URI sub shell items
xlsxwriter-1.0.4-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.4-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.2).
pfring-7.0.0-1846.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1846.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.16-300 for FC27
4.15.15-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.15.16-300 for FC27
4.15.15-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.16-200 for FC26
4.15.15-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.15.16-200 for FC26
4.15.15-200 for FC26
April 10, 2018:
The following changes have been made:
pfring-7.0.0-1833.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1833.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
April 6, 2018:
The following changes have been made:
cert-forensics-tools-release-{6,7,22,23,24,25,26,27}-13.noarch.rpm -
cert-forensics-tools-release is the package that connects a Fedora- and CentOS/RHEL-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to include a new Forensics team key which is also available here.
pfring-7.0.0-1826.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1826.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.14-300 for FC27
4.15.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.15.14-300 for FC27
4.15.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.14-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.15.14-200 for FC26
April 2, 2018:
The following changes have been made:
yara-python-3.7.1-1.x86_64.el6.rpm -
Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in CentOS/RHEL 6.
March 30, 2018:
The following changes have been made:
dtfabric-20180325-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and dtfabric-20180325-1.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
dfvfs-20180326-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
pfring-7.0.0-1816.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1816.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
sleuthkit{,-devel,-libs}-4.6.0-3.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.5.0) released to this repository.
In this release, the file /usr/share/java/sleuthkit-4.6.0.jar was moved from sleuthkit-devel to sleuthkit.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.12-301 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.15.12-301 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.12-201 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.15.12-201 for FC26
March 26, 2018:
The following changes have been made:
bro{,-core,ctl}-2.5.3-1.2.el7.x86_64.rpm and libbroccoli{,-devel}-2.5.3-1.2.el7.x86_64.rpm -
Bro was recompiled for CentOS/RHEL 7 to use PF_Ring.
See the instructions here that explain this capability.
Note that since PF_Ring does not support Fedora, Bro for those systems was not recompiled.
March 23, 2018:
The following changes have been made:
libevt{,-devel,-python,-python3,-tools}-20180317-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libevt{,-devel,-python,-tools}-20180317-1.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python,-python3,-tools}-20180317-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
See here for the list of changes.
snort-2.9.11.1-2.{el6,el7}.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
This release was recompiled to use PF_Ring.
snort-openappid-2.9.11.1-2.{el6,el7}.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
python-dfdatetime-20180318-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
bro{,-core,ctl}-2.5.3-1.1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libbroccoli{,-devel}-2.5.3-1.1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm -
Bro is a powerful network analysis framework that is much different from the typical IDS you may know.
While focusing on network security monitoring, Bro provides a comprehensive platform for more general network traffic analysis as well.
Well grounded in more than 15 years of research, Bro has successfully bridged the traditional gap between academia and operations since its inception.
Today, it is relied upon operationally in particular by many scientific environments for securing their cyberinfrastructure.
Bro's user community includes major universities, research labs, supercomputing centers, and open-science communities.
pfring-7.0.0-1804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1804.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
guymager-0.8.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and guymager-0.8.8-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
ddrescue-1.23-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See here for the changes since the last version (1.22) released to this repository.
March 16, 2018:
The following changes have been made:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.1-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.1-2.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt to use libfixbuf 1.8.0.
analysis-pipeline-5.7-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.7-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This package was rebuilt to use silk 3.16.1.
silk-ipset-{devel,lib,tools}-3.16.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.8-300 for FC27
4.15.7-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.15.8-300 for FC27
4.15.6-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.7-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.15.7-200 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.23.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.23.1 for EL6
March 9, 2018:
The following changes have been made:
apfs-fuse-20180303-1.{fc24,fc25,fc26,fc27}.x86_64.rpm and apfs-fuse-20180303-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
This is from the README:
Since Apple didn't yet document the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
dislocker{,-libs}-0.7.1-1.{el6,el7}.{i686,x86_64}.rpm and fuse-dislocker-0.7.1-1.{el6,el7}.{i686,x86_64}.rpm -
Dislocker reads BitLocker encrypted partitions under a Linux system.
The driver has the capability to read/write on:
Windows Vista, 7, 8, 8.1 and 10 encrypted partitions - that's AES-CBC, AES-XTS, 128 or 256 bits, with or without the Elephant diffuser, encrypted partitions;
The core driver is composed of a library, with multiple binaries (see the NOTES section below) using this library.
Two binaries are of interest when wanting to decrypt a BitLocker encrypted partition:
dislocker-fuse: binary using FUSE to dynamically decrypt the BitLocker-ed partition.
You have to give it a mount point where, once keys are decrypted, a file named dislocker-file appears.
This file is a virtual NTFS partition, so you can mount it as any NTFS partition and then read from or write to it.
Note that writing to the NTFS virtual file will change the underlying BitLocker partition's content.
dislocker-file: binary decrypting a BitLocker encrypted partition into a flat file.
This file has to be given through command line and, once dislocker-file is finished, will be an NTFS partition.
It won't have any link to the original BitLocker partition.
Therefore, if you write to this file, the BitLocker volume won't change, only the NTFS file will.
Note that this may take a long time to create that file, depending on the size of the encrypted partition.
But afterward, once the partition is decrypted, the access to the NTFS partition will be faster.
Another thing to think about is the size on your disk this binary needs: the same size as the volume you're trying to decrypt.
Nevertheless, once the partition is decrypted, you can mount your file as any NTFS partition.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.6-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.15.6-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.6-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.15.6-200 for FC26
fmem-kernel-modules-el7-x86_64-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-693.21.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-693.21.1 for EL7
pfring-7.0.0-1797.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1797.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
March 1, 2018:
The following changes have been made:
pfring-7.0.0-1788.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1788.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.4-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.15.4-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.4-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.15.4-200 for FC26
sleuthkit{,-devel,-libs}-4.6.0-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.5.0) released to this repository.
pytsk3-20180228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
yara-python-3.7.1-1.x86_64.el7.rpm -
Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in CentOS/RHEL 7.
February 21, 2018:
The following changes have been made:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.3-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.15.3-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.15.3-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.15.3-200 for FC26
February 16, 2018:
The following changes have been made:
exfat-utils-1.2.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
Exfat-utils is a set of utilities for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.7).
ddrescueview-0.4.a3-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm -
Ddrescueview is a small tool that allows the user to graphically examine ddrescue's log files in a user friendly GUI application.
The Main window displays a block grid with each block's color representing the block types it contains.
Many people know this type of view from defragmentation programs.
The program is written in Object Pascal using the Lazarus IDE.
libfplist{,-devel}-20180125-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
Libfplist is a library for plist formats.
Note: this is a library only - there are no tools provided by these packages.
libfwevt{,-devel}-20180124-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
Libfwevt is a library for Windows XML Event Log (EVTX) data types.
Note: this is a library only - there are no tools provided by these packages.
radare2{,-devel}-2.3.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and radare2{,-devel}-2.3.0-1.el7.x86_64.rpm -
Radare is a framework for doing reverse engineering.
acr-1.4-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm -
ACR tries to replace autoconf functionality, generating a fully compatible 'configure' script (runtime flags) but using shell script instead of m4. This means that ACR is faster, smaller and easier to use.
python-radare2-2.3.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python-radare2-2.3.0-1.el7.x86_64.rpm -
Python-Radare provides bindings that allow Radare to be used from Python.
pfring-7.0.0-1764.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1764.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.18-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.14.18-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.18-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.14.18-200 for FC26
February 9, 2018:
The following changes have been made:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.16-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.14.16-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.16-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.14.16-200 for FC26
February 2, 2018:
The following changes have been made:
pfring-7.0.0-1736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1736.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.20.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.20.1 for EL6
python-certifi-2018.1.18-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This package was built to support plaso.
libsmraw{,-devel,-python,-python3,-tools}-20180123-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20180123-1.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20180123-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw contains support for multiple (split) RAW naming schemes.
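As an added example (this is not libsmraw's code), the following plain-Python reader shows what "support for split RAW naming schemes" has to do in practice: order the segment files, refuse a sequence with gaps, present the segments as one seekable stream, and hash the reassembled image so it can be checked against the acquisition hash. The ".001/.002" naming scheme, the unequal segment sizes and the in-memory segments are assumptions constructed for the example.

```python
"""Read a split RAW (segmented) bitstream image as one contiguous stream.

Added example, not libsmraw code: it reimplements in plain Python the idea
libsmraw handles natively. The naming scheme and segment sizes are
assumptions; the segments below are constructed in memory.
"""
import hashlib
import io
import re

# Assumed naming scheme: "<base>.001", "<base>.002", ... (one common split
# RAW scheme; others such as "<base>aa", "<base>ab" exist).
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<num>\d{3})$")


def order_segments(names):
    """Return segment names sorted by numeric suffix; reject gaps and mixed bases."""
    parsed = []
    for name in names:
        m = SEGMENT_RE.match(name)
        if m:
            parsed.append((int(m.group("num")), m.group("base"), name))
    if not parsed:
        raise ValueError("no segments match the .NNN scheme")
    parsed.sort()
    bases = {p[1] for p in parsed}
    if len(bases) != 1:
        raise ValueError(f"mixed image bases: {sorted(bases)}")
    nums = [p[0] for p in parsed]
    if nums != list(range(1, len(nums) + 1)):
        raise ValueError(f"segment numbering has gaps: {nums}")
    return [p[2] for p in parsed]


class SplitRawImage:
    """Present ordered segment file objects as one seekable read-only stream."""

    def __init__(self, segments):
        # segments: list of (name, file-like) already in image order
        self._files = [f for _, f in segments]
        self._sizes = []
        for f in self._files:
            f.seek(0, io.SEEK_END)
            self._sizes.append(f.tell())
        # _offsets[i] is the absolute image offset at which segment i starts
        self._offsets = [0]
        for s in self._sizes[:-1]:
            self._offsets.append(self._offsets[-1] + s)
        self.size = sum(self._sizes)
        self._pos = 0

    def seek(self, offset):
        if offset < 0 or offset > self.size:
            raise ValueError("seek outside image")
        self._pos = offset

    def read(self, n):
        """Read up to n bytes, crossing segment boundaries transparently."""
        out = bytearray()
        while n > 0 and self._pos < self.size:
            idx = self._segment_index(self._pos)
            within = self._pos - self._offsets[idx]
            f = self._files[idx]
            f.seek(within)
            chunk = f.read(min(n, self._sizes[idx] - within))
            if not chunk:
                raise IOError(f"short read in segment {idx}")
            out += chunk
            self._pos += len(chunk)
            n -= len(chunk)
        return bytes(out)

    def _segment_index(self, pos):
        # Linear scan is fine for a handful of segments; bisect for many.
        for i, start in enumerate(self._offsets):
            if pos < start + self._sizes[i]:
                return i
        raise ValueError("position past end of image")

    def sha256(self, block_size=1 << 16):
        """Hash the whole image, as one would to verify it against the acquisition hash."""
        self.seek(0)
        h = hashlib.sha256()
        while True:
            buf = self.read(block_size)
            if not buf:
                break
            h.update(buf)
        return h.hexdigest()


# Constructed sample: a 25-byte "disk" split into 10/10/5-byte segments.
WHOLE = bytes(range(25))
SAMPLE = {"disk.001": WHOLE[0:10], "disk.002": WHOLE[10:20], "disk.003": WHOLE[20:25]}


def open_sample():
    names = order_segments(SAMPLE.keys())
    return SplitRawImage([(n, io.BytesIO(SAMPLE[n])) for n in names])


def demo():
    """Return (image size, a read spanning a segment boundary, hash-matches-original)."""
    img = open_sample()
    img.seek(8)
    spanning = img.read(6)  # bytes 8..13, crossing the first segment boundary
    return img.size, spanning, img.sha256() == hashlib.sha256(WHOLE).hexdigest()
```

The gap check in order_segments is the part worth keeping: a missing middle segment silently shifts every later offset, so a tool that simply sorts whatever files it finds will read the wrong sectors without any error.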
libwrc{,-devel,-python,-python3,-tools}-20180124-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libwrc{,-devel,-python,-tools}-20180124-1.el6.{i686,x86_64}.rpm, and libwrc{,-devel,-python,-python3,-tools}-20180124-1.el7.x86_64.rpm - Libwrc
is a library and tools to access the Windows Resource Compiler (WRC) format.
plaso-20180127-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and plaso-20180127-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
January 26, 2018:
The following changes have been made:
pfring-7.0.0-1727.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1727.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.14-300 for FC27
4.14.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.14.14-300 for FC27
4.14.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.14-200 for FC26
4.14.13-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.14.14-200 for FC26
4.14.13-200 for FC26
fmem-kernel-modules-el7-x86_64-1.6-1.39.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-693.17.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-39.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-693.17.1 for EL7
January 19, 2018:
The following changes have been made:
pfring-7.0.0-1707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1707.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
artifacts-20180115-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i386,x86_64}.rpm and artifacts-20180115-1.el7.x86_64.rpm -
Artifacts is a free,
community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
libguytools-2.0.5-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and libguytools-2.0.5-1.el7.x86_64.rpm -
Libguytools is a package of subroutines and header files needed to
build and operate guymager.
The changes are:
Moved to Qt5
Adapted to Debian 8 (Jessie)
guymager-0.8.7-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and guymager-0.8.7-2.el7.x86_64.rpm -
Guymager is a forensic imaging package.
This release was rebuilt for libguytools-2.0.5.
libfwnt{,-devel,-python,-python3}-20180117-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20180117-1.el6.x86_64.rpm, and libfwnt{,-devel,-python,-python3}-20180117-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
See here for the list of changes.
January 12, 2018:
The following changes have been made:
libsmdev{,-devel,-python,-python3,-tools}-20171112-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20171112-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20171112-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libfvde{,-devel,-python,-python3,-tools}-20180108-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm, libfvde{,-devel,-python,-tools}-20180108-1.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python,-python3,-tools}-20180108-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
python-dfdatetime-20180110-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
libfplist{,-devel}-20180108-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Libfplist
is a library for plist formats.
Note: this is a library only - there are no tools provided by these packages.
pfring-7.0.0-1684.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1684.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
January 5, 2018:
The following changes have been made:
pfring-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1677.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-dfdatetime-20171228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dfvfs-20171230-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
sleuthkit{,-devel,-libs}-4.5.0-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.4.2) released to this repository.
pytsk3-20171108-2.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i386,x86_64}.rpm - Pytsk
provides Python bindings for The Sleuth Kit.
plaso-20171231-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and plaso-20171231-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
analysis-pipeline-5.7-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.7-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
dd_rescue-1.99.8-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
See here for the changes since the last version (1.99.5) released to this repository.
libodraw{,-devel,-tools}-20171105-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20171105-1.el6.{i686,x86_64}.rpm - Libodraw
is a library to access optical disc (split) RAW image files (bin/cue, iso/cue).
nDPI{,-devel}-2.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.{i686,x86_64}.rpm - nDPI is an ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
radare2{,-devel}-2.2.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and radare2{,-devel}-2.2.0-1.el7.x86_64.rpm - Radare
is a framework for doing reverse engineering.
valabind-0.10.0-4.el7.x86_64.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
This release was built for CentOS/RHEL 7 to build Python-Radare2 .
python-radare2-2.1.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python-radare2-2.2.0-1.el7.x86_64.rpm - Python-Radare
are bindings that allow Radare to be used from Python.
xplico-1.2.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
See here for the changes since the last version (1.2.0) released to this repository.
yaf{,-devel}-2.9.3-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.9.3-1.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread,
or into serialized IPFIX message streams (IPFIX files) on the local file system.
Volatility-2.6-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i386,x86_64}.rpm and Volatility-2.6-2.el7.x86_64.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6 that has been patched to January 2, 2018.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
python{2,3}-ssdeep-3.2-1.{fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and python2-ssdeep-3.2-1.{el6,el7}.{i686,x86_64}.rpm - Python-SSDeep
is a Python wrapper for ssdeep by Jesse Kornblum, which is a library for computing context triggered piecewise hashes (CTPH).
Also called fuzzy hashes, CTPH can match inputs that have homologies.
Such inputs have sequences of identical bytes in the same order, although bytes in between these sequences may be different in both content and length.
Volatility-community-plugins-20180102-2.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - The Volatility Community Plugins
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/ and to use them you need to specify this location on the command line thusly:
Note: The following plugins were removed from the el6 package: BartoszInglot, ESET_Browserhooks, LoicJaquemet, ThomasChopitea, TranVienHa, and YingLi.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels were added for
Fmem:
4.14.11-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels were added for
LiME:
4.14.11-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels were added for
Fmem:
4.14.11-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels were added for
LiME:
4.14.11-200 for FC26
fmem-kernel-modules-el7-x86_64-1.6-1.38.noarch.rpm - Support for the following kernels were added for
Fmem:
3.10.0-693.11.6 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-38.noarch.rpm - Support for the following kernels were added for
LiME:
3.10.0-693.11.6 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels were added for
Fmem:
2.6.32-696.18.7 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels were added for
LiME:
2.6.32-696.18.7 for EL6
snort-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and snort-2.9.11.1-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.11.1-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.13-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
In addition, this release includes support for PF_Ring for CentOS/RHEL 6 and 7 for the x86_64 architecture.
December 29, 2017:
The following changes have been made:
pfring-7.0.0-1664.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1664.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.7-300 for FC27
4.14.8-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.14.7-300 for FC27
4.14.8-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.8-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.14.8-200 for FC26
dfvfs-20171228-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
December 21, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.5-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.14.5-200 for FC26
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.6-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.14.6-200 for FC26
dfvfs-20171216-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
python{2,3}-bencode-2.0.0-1.{fc22,fc23,fc24,fc25,fc26,fc27}.noarch.rpm -
Bencode re-packages the existing bencoding
and bdecoding implementation from the 'official' BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
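For readers who have not met the format, here is an added example of a strict bencode encoder and decoder in plain Python. It is not the python-bencode package's code; it shows the four bencode types and the checks a parser of untrusted metainfo should make (no trailing data, no malformed integers, string lengths bounded by the input, dictionary keys in sorted order). The metainfo dictionary and its tracker URL are constructed for the example.

```python
"""Strict bencode encoder/decoder in plain Python.

Added example; this is not the python-bencode package's code. Bencode (the
BitTorrent metainfo encoding) has four types: integers "i<n>e", byte strings
"<len>:<bytes>", lists "l...e" and dictionaries "d...e" whose keys are byte
strings in sorted order. The decoder refuses trailing data, malformed
integers, over-long string lengths and unsorted keys instead of guessing.
The metainfo dictionary at the bottom is constructed for the example.
"""
import re

_INT_RE = re.compile(rb"0|-?[1-9][0-9]*")   # no leading zeros, no "-0"
_LEN_RE = re.compile(rb"0|[1-9][0-9]*")


class BencodeError(ValueError):
    """Raised for any input that is not well-formed bencode."""


def bencode(obj):
    """Serialise ints, bytes/str, lists and dicts (keys bytes or str)."""
    if isinstance(obj, bool):
        raise TypeError("bool is not bencodable")
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, (bytes, bytearray)):
        return b"%d:%s" % (len(obj), bytes(obj))
    if isinstance(obj, str):
        return bencode(obj.encode("utf-8"))
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        norm = {(k.encode("utf-8") if isinstance(k, str) else bytes(k)): v
                for k, v in obj.items()}
        return b"d" + b"".join(bencode(k) + bencode(norm[k])
                               for k in sorted(norm)) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def bdecode(data):
    """Decode exactly one value; anything left over is an error."""
    value, end = _decode(data, 0)
    if end != len(data):
        raise BencodeError(f"{len(data) - end} trailing byte(s) after value")
    return value


def _decode(data, i):
    """Decode the value starting at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.find(b"e", i)
        if end < 0:
            raise BencodeError("unterminated integer")
        digits = data[i + 1:end]
        if not _INT_RE.fullmatch(digits):
            raise BencodeError(f"malformed integer {digits!r}")
        return int(digits), end + 1
    if c.isdigit():
        colon = data.find(b":", i)
        if colon < 0:
            raise BencodeError("unterminated string length")
        length = data[i:colon]
        if not _LEN_RE.fullmatch(length):
            raise BencodeError(f"malformed string length {length!r}")
        start, n = colon + 1, int(length)
        if start + n > len(data):
            raise BencodeError("string length exceeds available data")
        return data[start:start + n], start + n
    if c == b"l":
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":
        result, i, last_key = {}, i + 1, None
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            if not isinstance(key, bytes):
                raise BencodeError("dictionary key is not a byte string")
            if last_key is not None and key <= last_key:
                raise BencodeError(f"dictionary keys not sorted at {key!r}")
            value, i = _decode(data, i)
            result[key] = value
            last_key = key
        return result, i + 1
    if not c:
        raise BencodeError("unexpected end of data")
    raise BencodeError(f"unexpected byte {c!r} at offset {i}")


# Constructed single-file metainfo; the tracker URL is an assumption.
SAMPLE = {
    "announce": b"http://tracker.example/announce",
    "info": {
        "name": b"evidence.img",
        "length": 1048576,
        "piece length": 262144,
        "pieces": b"\x00" * 80,   # four 20-byte SHA-1 placeholders
    },
}


def demo():
    """Encode the sample, decode it again and confirm a byte-exact round trip."""
    encoded = bencode(SAMPLE)
    decoded = bdecode(encoded)
    return encoded, decoded, bencode(decoded) == encoded
```

Because keys are emitted in sorted order and integers have exactly one spelling, a well-formed document has a single canonical encoding; that is what makes the round trip byte-exact, and it is why a lenient decoder that accepts "i03e" or unsorted keys can be made to compute a different info-hash from the one a strict peer sees.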
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.6-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.14.6-300 for FC27
xlsxwriter-1.0.2-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and xlsxwriter-1.0.2-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
pfring-7.0.0-1659.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1659.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
December 15, 2017:
The following changes have been made:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.5-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.14.5-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.4-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.14.4-200 for FC26
pfring-7.0.0-1616.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1616.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
December 13, 2017:
The following changes have been made:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.14.3-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.14.3-300 for FC27
pfring-7.0.0-1600.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1600.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-dfdatetime-20171129-1.{fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
yara-python-3.7.0-1.x86_64.el7.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in CentOS/RHEL 7.
December 8, 2017:
The following changes have been made:
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.16-302 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.13.16-302 for FC27
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.16-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.13.16-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.16-202 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.13.16-202 for FC26
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.16-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.13.16-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.49.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.16-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-49.noarch.rpm - Support for the following kernels was added for LiME:
4.13.16-100 for FC25
fmem-kernel-modules-el7-x86_64-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-693.11.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-693.11.1 for EL7
pfring-7.0.0-1592.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1592.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
dfvfs-20171203-1.{fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
December 1, 2017:
The following changes have been made:
pfring-7.0.0-1569.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1569.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.15-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.13.15-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.15-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.13.15-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.48.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.15-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-48.noarch.rpm - Support for the following kernels was added for LiME:
4.13.15-100 for FC25
Fedora 21 - Updates to Fedora 21 for both the i686 and x86_64 CPU architectures have ceased.
ADIA - This item consists of the VMware and VirtualBox-based appliances built with CentOS 7 for the x86_64 architecture.
See here for more details.
The release consists of the following:
lime-kernel-modules-1.1.r17-12.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 27 x86_64 and i386 architectures was added.
fmem-kernel-modules-1.6-1.12.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 27 x86_64 and i386 architectures was added.
snort-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6}.{i686,x86_64}.rpm and snort-2.9.11.1-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.11-1.{fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.11-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
Note: This version of snort is not yet available for Fedora 26 or 27.
snarf{,-devel,-python}-0.3.0-3.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
See here for the list of changes for this release.
This version uses zeromq3.
Note: due to the changing package requirements of snarf, there is no support for CentOS/RHEL 6.
pfring-7.0.0-1560.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1560.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-dfdatetime-20170719-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
python-construct-2.5.2-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el6,el7}.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
dfvfs-20171022-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
plaso-20171118-1.{fc21,fc22,fc23,fc24,fc25,fc26,fc27}.{i686,x86_64}.rpm and plaso-20171118-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, 26, and 27 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.9-300 for FC27
4.13.13-300 for FC27
lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.13.9-300 for FC27
4.13.13-300 for FC27
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.13-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.13.13-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.47.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.13-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-47.noarch.rpm - Support for the following kernels was added for LiME:
4.13.13-100 for FC25
November 17, 2017:
The following changes have been made:
pfring-7.0.0-1557.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1557.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.46.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.12-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-46.noarch.rpm - Support for the following kernels was added for LiME:
4.13.12-100 for FC25
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.12-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.13.12-200 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.16.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.16.1 for EL6
November 10, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-{i386,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.11-200 for FC26
lime-kernel-modules-fc26-{i386,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.13.11-200 for FC26
fmem-kernel-modules-fc26-x86_64-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.10-200 for FC26
lime-kernel-modules-fc26-x86_64-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.13.10-200 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.45.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.11-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-45.noarch.rpm - Support for the following kernels was added for LiME:
4.13.11-100 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.44.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.8-100 for FC25
4.13.10-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-44.noarch.rpm - Support for the following kernels was added for LiME:
4.13.8-100 for FC25
4.13.10-100 for FC25
pfring-7.0.0-1535.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1535.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
libfwsi{,-devel,-python,-python3}-20171103-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20171103-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20171103-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
See here for the list of changes.
liblnk{,-devel,-python,-python3,-tools}-20171101-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, liblnk{,-devel,-python,-tools}-20171101-1.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python,-python3,-tools}-20171101-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format.
See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20171105-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20171105-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20171105-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-python,-python3,-tools}-20171105-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20171105-1.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20171105-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
artifacts-20171107-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i386,x86_64}.rpm and artifacts-20171107-1.el7.x86_64.rpm -
Artifacts is a free,
community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
This package was built to support plaso.
python-certifi-2016.9.26-2.{fc21,fc22,fc23,fc24,fc25,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
This package was built to support plaso.
python{2,3}-future-0.16.0-4.{fc21,fc22,fc23}.noarch.rpm - Future is
the missing compatibility layer between Python 2 and Python 3. It allows you to use a single, clean Python 3.x-compatible codebase to support both Python 2 and Python 3 with minimal overhead.
This package was built to support plaso.
python{2,3}-idna-2.5-1.{fc21,fc22,fc23,el7}.noarch.rpm - IDNA provides
support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in RFC 5891. This is the latest version of the protocol and is sometimes referred to as "IDNA 2008".
This package was built to support plaso.
python{2,3}-pefile-2017.5.26-2.{fc21,fc22,fc23,fc24}.noarch.rpm and python-pefile-2017.5.26-2.el7.noarch.rpm -
PEFile is a Portable Executable reader module.
This package was built to support plaso.
plaso-20170930-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and plaso-20170930-1.el7.x86_64.rpm -
Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 21, 22, 23, 24, 25, and 26 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
libfixbuf{,-devel}-1.8.0-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
yaf{,-devel}-2.9.2-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.9.2-1.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
analysis-pipeline-5.6-4.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.6-4.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 1.8.0.
libschemaTools{,-devel}-1.2.1-2.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.2.1-2.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data, and to know the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 1.8.0.
pyfixbuf-0.2.1-2.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf
is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building IPFIX collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another
IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this
and all releases.
This package was rebuilt to use libfixbuf 1.8.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-3.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
This package was rebuilt to use libfixbuf 1.8.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-4.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-4.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This package was rebuilt to use libfixbuf 1.8.0.
super_mediator-1.5.3-2.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and super_mediator-1.5.3-2.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 1.8.0.
October 27, 2017:
The following changes have been made:
yaf{,-devel,-common}-2.9.0-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and yaf{,-devel,-common}-2.9.0-1.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
See here for the changes since the last released version (2.8.4).
fmem-kernel-modules-el7-x86_64-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-693.5.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-693.5.2 for EL7
super_mediator-1.5.3-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and super_mediator-1.5.3-1.el7.x86_64.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
pfring-7.0.0-1513.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1513.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
October 22, 2017:
The following changes have been made:
pfring-7.0.0-1506.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-7.0.0-1506.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
yaf{,-devel}-2.8.4-3.{el6,el7}.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
This package has been rebuilt for a new version of pf_ring.
To install PF_Ring on your CentOS/RHEL system, please follow the directions found here.
October 20, 2017:
The following changes have been made:
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.13.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.13.2 for EL6
pfring-6.6.0-1459.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1459.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.5-100 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels was added for LiME:
4.13.5-100 for FC25
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.5-200 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.13.5-200 for FC26
October 6, 2017:
The following changes have been made:
libbde{,-devel,-python,-python3,-tools}-20170902-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20170902-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20170902-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
libolecf{,-devel,-python,-python3,-tools}-20170825-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libolecf{,-devel,-python,-tools}-20170825-1.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python,-python3,-tools}-20170825-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format.
libvshadow{,-devel,-python,-python3,-tools}-20170902-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libvshadow{,-devel,-python,-tools}-20170902-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python,-python3,-tools}-20170902-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
This version uses the external version of libbfio to support
DFF, the Digital Forensics Framework.
pyparsing{,-doc}-2.2.0-1.{el6,el7}.noarch.rpm and python3-pyparsing-2.2.0-1.el7.noarch.rpm - Pyparsing is a module that provides an alternative approach to creating and executing simple grammars,
vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
Pyparsing is provided by RedHat for Fedora 21.
Pyparsing is needed by plaso.
sleuthkit{,-devel,-libs}-4.4.2-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.4.1) released to this repository.
libfvde{,-devel,-python,-python3,-tools}-20170930-1.{fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libfvde{,-devel,-python,-tools}-20170930-1.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python,-python3,-tools}-20170930-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.14-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels was added for LiME:
4.12.14-200 for FC25
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.13.4-200 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.13.4-200 for FC26
guymager-0.8.7-1.{fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and guymager-0.8.7-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
September 29, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels was added for LiME:
4.12.13-200 for FC25
pfring-6.6.0-1435.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1435.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
xplico-1.2.0-3.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This version adds the missing documentation file /usr/share/doc/xplico-1.2.0/README.md .
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.14-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.12.14-300 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.10.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.10.3 for EL6
September 22, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.13-300 for FC26
4.12.12-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.12.13-300 for FC26
4.12.12-300 for FC26
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.10.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.10.2 for EL6
September 15, 2017:
The following changes have been made:
fmem-kernel-modules-el7-x86_64-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-693.2.2 for EL7
3.10.0-693.2.1 for EL7
3.10.0-693.1.1 for EL7
3.10.0-693 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-693.2.2 for EL7
3.10.0-693.2.1 for EL7
3.10.0-693.1.1 for EL7
3.10.0-693 for EL7
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.11-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.12.11-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.11-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
4.12.11-200 for FC25
September 8, 2017:
The following changes have been made:
snarf{,-devel,-python}-0.2.4-2.el6.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
This version was rebuilt for CentOS/RHEL 6 to solve a dependency problem.
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.9-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.12.9-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels was added for LiME:
4.12.9-200 for FC25
pfring-6.6.0-1401.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1401.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
September 1, 2017:
The following changes have been made:
pfring-6.6.0-1396.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1396.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
August 25, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.8-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.12.8-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels was added for LiME:
4.12.8-200 for FC25
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.10.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.10.1 for EL6
August 18, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.12.5-300 for FC26
lime-kernel-modules-fc26-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.12.5-300 for FC26
Fedora 20 - Updates to Fedora 20 for both the i686 and x86_64 CPU architectures have ceased.
August 11, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.12-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
4.11.12-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.47.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.12-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-47.noarch.rpm - Support for the following kernels was added for LiME:
4.11.12-100 for FC24
yara-python-3.6.3-1.{i386,x86_64}.{el6,el7}.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in CentOS/RHEL 6 and 7.
artifacts-20170727-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i386,x86_64}.rpm and artifacts-20170727-1.el7.x86_64.rpm -
Artifacts is a free,
community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
This package was built to support plaso.
binplist-0.1.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
python-dfdatetime-20170719-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm -
dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
dfvfs-20170723-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libfsntfs{,-devel,-python,-python3,-tools}-20170315-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python,-tools}-20170315-1.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python,-python3,-tools}-20170315-1.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
libfwnt{,-devel,-python,-python3}-20170115-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20170115-1.el6.x86_64.rpm, libfwnt{,-devel,-python,-python3}-20170115-1.el7.x86_64.rpm -
Libfwnt is a library for Windows NT data types.
See here for the list of changes.
This package is needed by dfvfs and plaso.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.71-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
See here for the list of changes.
libscca{,-devel,-python,-python3,-tools}-20170205-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20170205-1.el6.x86_64.rpm, and libscca{,-devel,-python,-python3,-tools}-20170205-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
See here for the list of changes.
libsmraw{,-devel,-python,-python3,-tools}-20170803-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20170803-1.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20170803-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw contains support for multiple (split) RAW naming schemes.
libvshadow{,-devel,-python,-python3,-tools}-20170715-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm, libvshadow{,-devel,-python,-tools}-20170715-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python,-python3,-tools}-20170715-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
This version uses the external version of libbfio to support
DFF, the Digital Forensics Framework.
libwrc{,-devel,-python,-python3,-tools}-20170304-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20170304-1.el6.{i686,x86_64}.rpm - Libwrc
is a library and tools to access the Windows Resource Compiler (WRC) format.
epub-0.5.2-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i386,x86_64}.rpm - Epub is the distribution and interchange format
standard for digital publications and documents based on Web Standards. Epub defines a method for representing, packaging, and encoding structured and semantically enhanced
web content - including XHTML, CSS, SVG, images, and other resources - for distribution in a single-file format.
Epub allows publishers to produce and send a single digital publication file through distribution and offers interoperability between consumer
software and hardware for unencrypted reflowable digital books and other publications.
Epub is a helper application for recoll.
ghostpdl-9.21-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and ghostpdl-9.21-1.el7.x86_64.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
nDPI{,-devel}-2.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - nDPI is an ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine
while being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the assumption that port equals application no longer holds.
xplico-1.2.0-3.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This version was recompiled for nDPI-2.0 and adds python3.6 to the list of valid Python executables.
perl-File-Mork-0.4-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - perl-File-Mork
is a module to read Mozilla URL history files.
perl-Mac-PropertyList-1.412-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el7}.noarch.rpm - perl-Mac-PropertyList
is a low-level interface to the Mac OS X Property List (plist) format.
See here for the list of changes.
perl-Alien-wxWidgets-0.67-6.el7.x86_64.rpm - perl-Alien-wxWidgets
can be used to detect and get configuration settings from an installed wxWidgets.
perl-Wx-0.9928-3.el7.x86_64.rpm - perl-Wx
is a wrapper for the wxWidgets (formerly known as wxWindows) GUI toolkit.
This module comes with extensive documentation in HTML format; you can download it from http://wxperl.sourceforge.net.
perl-Parse-Win32Registry-1.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - perl-Parse-Win32Registry
is a module for parsing Windows Registry files, allowing you to read the keys and values of a registry file without going through the Windows API.
It provides an object-oriented interface to the keys and values in a registry file.
Registry files are structured as trees of keys, with each key containing further subkeys or values.
The module is intended to be cross-platform, and run on those platforms where Perl will run.
It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition).
It is intended to be used to parse offline registry files.
If a registry file is currently in use, you will not be able to open it.
However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
pfring-6.6.0-1377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1377.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
python-apsw-3.19.3-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Python-apsw
is a Python wrapper for the SQLite embedded relational database engine.
In contrast to other wrappers such as pysqlite,
it focuses on being a minimal layer over SQLite, attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
python-haystack-0.42-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - Python-Haystack
is a heap analysis framework, focused on searching for and reversing C structures in allocated memory.
python-rarfile-3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.{i686,x86_64}.rpm - Python-rarfile is a
Python module for RAR archive reading.
See here for the list of changes since the last release version (2.6).
regripper-plugins-20170809-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6,el7}.noarch.rpm - Regripper-plugins
are the plugins packaged separately from the regripper application.
This package is taken from the plugins directory at the GitHub source code site as of 2017-08-09.
radare{,-devel}-2.1.6.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and radare{,-devel}-2.1.6.0-1.el7.x86_64.rpm - Radare
is a framework for doing reverse engineering.
python-radare-2.1.6.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26}.{i686,x86_64}.rpm and python-radare-2.1.6.0-1.el7.x86_64.rpm - Python-Radare
are bindings that allow Radare to be used from Python.
rifiuti2-0.6.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,fc26,el6}.{i686,x86_64}.rpm and rifiuti2-0.6.1-1.el7.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
July 27, 2017:
The following changes have been made:
Fedora 26 - The repository now supports Fedora 26
for the i386 CPU architecture.
Support for the x86_64 architecture was previously announced.
Here is the list of tools provided for Fedora 26:
lime-kernel-modules-1.1.r17-11.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 26 i386 architecture was added.
fmem-kernel-modules-1.6-1.11.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 26 i386 architecture was added.
July 26, 2017:
The following changes have been made:
fmem-kernel-modules-fc26-x86_64-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.11-300 for FC26
lime-kernel-modules-fc26-x86_64-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.11.11-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.11-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.11.11-200 for FC25
yara-python-3.6.3-1.{fc24,fc25}.x86_64.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in Fedora 24 and 25.
pfring-6.6.0-1372.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1372.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
July 21, 2017:
The following changes have been made:
Fedora 26 - The repository now supports Fedora 26
for the x86_64 CPU architecture only.
Here is the list of tools provided for Fedora 26:
lime-kernel-modules-1.1.r17-10.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 26 x86_64 architecture was added.
fmem-kernel-modules-1.6-1.10.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 26 x86_64 architecture was added.
fmem-kernel-modules-fc26-x86_64-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.10-300 for FC26
lime-kernel-modules-fc26-x86_64-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.11.10-300 for FC26
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.11.10-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.46.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-46.noarch.rpm - Support for the following kernels was added for LiME:
4.11.10-100 for FC24
pfring-6.6.0-1353.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1353.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
CERT-Forensics-Tools-1.0-75.fc26.{i686,x86_64}.rpm -
This package was updated to not install tools that are only OpenSSL 1.0 compliant,
namely aimage, bloom, bulk_extractor, bulk_extractor-stoplist, and frag_find.
July 14, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.11.9-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.11.8-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.7-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.11.7-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.44.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-44.noarch.rpm - Support for the following kernels was added for LiME:
4.11.8-100 for FC24
fmem-kernel-modules-el7-x86_64-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.26.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.26.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.6.3 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.6.3 for EL6
libfsext{,-devel,-python,-python3,-tools}-20170624-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfsext{,-devel,-python,-tools}-20170624-1.el6.{i686,x86_64}.rpm - Libfsext
is a library and tools to access the Extended File System (EXT).
Note that this project currently only focuses on the analysis of the format.
libfshfs{,-devel,-python,-python3,-tools}-20170626-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfshfs{,-devel,-python,-tools}-20170626-1.el6.{i686,x86_64}.rpm - Libfshfs
is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
libhibr{,-devel,-tools}-20170530-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libhibr{,-devel,-tools}-20170530-1.el6.{i686,x86_64}.rpm - libhibr
is a library and tools to access the Windows Hibernation File (hiberfil.sys) format.
Note that this project currently only focuses on the analysis of the format.
libmdmp{,-devel,-tools}-20170522-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libmdmp{,-devel,-tools}-20170522-1.el6.{i686,x86_64}.rpm - Libmdmp
is a library to access the Windows Minidump (MDMP) format.
Note that this project currently only focuses on the analysis of the format.
libmodi{,-devel,-python,-python3,-tools}-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm, libmodi{,-devel,-python,-tools}-20170527-1.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python,-python3,-tools}-20170527-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
libnk2{,-devel,-python,-python3,-tools}-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libnk2{,-devel,-python,-tools}-20170527-1.el6.{i686,x86_64}.rpm - Libnk2
is a library and tools to access Microsoft Outlook Nickfile (NK2) format files.
libodraw{,-devel,-tools}-20170217-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libodraw{,-devel,-tools}-20170217-1.el6.{i686,x86_64}.rpm - Libodraw
is a library to access optical disc (split) RAW image files (bin/cue, iso/cue).
libphdi{,-devel,-python,-python3,-tools}-20170529-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libphdi{,-devel,-python,-tools}-20170529-1.el6.{i686,x86_64}.rpm, and libphdi{,-devel,-python,-python3,-tools}-20170529-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
libexe{,-devel,-python,-python3,-tools}-20170123-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libexe{,-devel,-python,-tools}-20170123-1.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python,-python3,-tools}-20170123-1.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
libwtcdb{,-devel,-tools}-20170201-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm and libwtcdb{,-devel,-tools}-20170201-1.el6.{i686,x86_64}.rpm - Libwtcdb
is a library and tools to access the Windows (Vista/7) Explorer thumbnail cache database format (thumbcache.db).
libfplist{,-devel}-20170112-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libfplist
is a library for plist formats.
Note: this is a library only - there are no tools provided by these packages.
libfwevt{,-devel}-20170114-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libfwevt
is a library for Windows XML Event Log (EVTX) data types.
Note: this is a library only - there are no tools provided by these packages.
libagdb{,-devel,-tools}-20170201-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libagdb
is a library to access the SuperFetch database format.
libcreg{,-devel,-python,-python3,-tools}-20170119-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libcreg{,-devel,-python,-tools}-20170119-1.el6.{i686,x86_64}.rpm - Libcreg
is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
libvsmbr{,-devel,-tools}-20170525-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libvsmbr
is a library and tools to access the Master Boot Record (MBR) volume system.
libwrc{,-devel,-python,-python3,-tools}-20160419-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20160419-1.el6.{i686,x86_64}.rpm - Libwrc
is a library and tools to access the Windows Resource Compiler (WRC) format.
winevt-kb-20170527-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and winevt-kb-20170527-1.el7.x86_64.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them.
Note that winevt-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
dtfabric-20170630-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and dtfabric-20170630-1.el7.x86_64.rpm -
Dtfabric
is a project to manage data types and structures, as used in the libyal projects.
winreg-kb-20170525-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and winreg-kb-20170525-1.el7.x86_64.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is the Python module part of winreg-kb to allow reuse of Windows Registry resources.
See these scripts that make use of this package.
Note that winreg-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
dfwinreg-20170706-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and dfwinreg-20170706-1.{el6,el7}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
CERT-Forensics-Tools-1.0-74.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-74.el7.x86_64.rpm -
This package was updated as follows:
libagdb-tools
libcreg-tools
libexe-tools
libfsext-tools
libfshfs-tools
libhibr-tools
libmdmp-tools
libmodi-tools
libnk2-tools
libodraw-tools
libphdi-tools
libvsmbr-tools
libwrc-tools
libwtcdb-tools
winevt-kb (not for CentOS/RHEL 6)
winreg-kb (not for CentOS/RHEL 6)
pfring-6.6.0-1334.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1334.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
yara-python-3.6.2-1.{fc24,fc25}.x86_64.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in Fedora 24 and 25.
June 30, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.6-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.11.6-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.43.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.6-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-43.noarch.rpm - Support for the following kernels was added for LiME:
4.11.6-101 for FC24
fmem-kernel-modules-el7-x86_64-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.26.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.26.1 for EL7
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.16.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset-{devel,lib,tools}-3.16.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
analysis-pipeline-5.6-3.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.6-3.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
This package was rebuilt to use silk 3.16.0.
June 26, 2017:
The following changes have been made:
partclone-0.3.6-2.el7.x86_64.rpm and partclone-0.3.6-2.el6.{i386,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5.
See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release.
This version was rebuilt because of an update to ntfs-3g in EL6 and EL7.
testdisk-7.0-4.1.el6.{i686,x86_64}.rpm and qphotorec-7.0-4.1.el6.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
These releases were built to use the latest version of libewf that is installed in this repository.
June 23, 2017:
The following changes have been made:
fmem-kernel-modules-el7-x86_64-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.21.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.21.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.3.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.3.2 for EL6
June 20, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.5-200 for FC25
4.11.4-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.11.5-200 for FC25
4.11.4-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.5-100 for FC24
4.11.4-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels was added for LiME:
4.11.5-100 for FC24
4.11.4-100 for FC24
yara-python-3.6.0-1.{fc24,fc25}.x86_64.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of an update to yara in Fedora 24 and 25.
partclone-0.3.6-2.{fc24,fc25}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5.
See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release.
This version was rebuilt because of an update to ntfs-3g in Fedora 24 and 25.
June 19, 2017:
The following changes have been made:
yara-python-3.6.0-1.el7.x86_64.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
This version was rebuilt because of the update to yara in EPEL for CentOS/RHEL 7.
June 14, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.3-202 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.11.3-202 for FC25
partclone-0.3.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), exfat, xfs, vmfs3 and vmfs5.
See the /usr/share/doc/partclone/ChangeLog for the list of changes in this release.
exfat-utils-1.2.7-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Exfat-utils is a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.3).
xmount-0.7.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types.
Here are the changes for this version:
New for version 0.7.5
Improved and fixed the way fsname is built.
Added a patch fixing a bug in libxmount_input_aewf (supplied by Guy Voncken)
New for version 0.7.4
Re-enabled full OSx support
libxmount_input_aewf input library is now able to decompress EWF chunks in parallel, which will increase read speed
sleuthkit{,-devel,-libs}-4.4.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.4.0) released to this repository.
June 2, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.11.3-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.11.3-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.17-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.10.17-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.41.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.17-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-41.noarch.rpm - Support for the following kernels was added for LiME:
4.10.17-100 for FC24
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.3.1 for EL6
lime-kernel-modules-common-1.1.r17-4.noarch.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
This package also obsoletes the lime-kernel-objects package which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
This revision fixes a problem that resulted from the release of the
4.11 kernel for Linux.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-25 and CentOS 6 and 7.
If you use rsync, make certain that you use the -H option to preserve those hard links.
May 26, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.16-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.10.16-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.15-100 for FC24
4.10.16-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels was added for LiME:
4.10.15-100 for FC24
4.10.16-100 for FC24
fmem-kernel-modules-el7-x86_64-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.21.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.21.1 for EL7
jansson{,-devel}-2.9-1.el7.x86_64.rpm and jansson-devel-doc-2.9-1.el7.noarch.rpm - Jansson
is a C library for encoding, decoding and manipulating JSON data. It features:
Simple and intuitive API and data model
Comprehensive documentation
No dependencies on other libraries
Full Unicode support (UTF-8)
Extensive test suite
This tool was built to be used by yara-python.
yara{,-doc,-devel}-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID, looking for matches against the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
Note that the -devel and -doc packages split out the files needed for development and documentation respectively.
yara-python-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
dislocker{,-libs}-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm and fuse-dislocker-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm -
Dislocker reads BitLocker encrypted partitions under a Linux system.
The driver has the capability to read/write on:
Windows Vista, 7, 8, 8.1 and 10 encrypted partitions (AES-CBC or AES-XTS, 128 or 256 bits, with or without the Elephant diffuser);
The core driver is composed of a library, with multiple binaries (see the NOTES section below) using this library.
Two binaries are of interest when wanting to decrypt a BitLocker encrypted partition:
dislocker-fuse: binary using FUSE to dynamically decrypt the BitLocker-ed partition.
You have to give it a mount point where, once keys are decrypted, a file named dislocker-file appears.
This file is a virtual NTFS partition, so you can mount it as any NTFS partition and then read from or write to it.
Note that writing to the NTFS virtual file will change the underlying BitLocker partition's content.
dislocker-file: binary decrypting a BitLocker encrypted partition into a flat file.
This file has to be given through command line and, once dislocker-file is finished, will be an NTFS partition.
It won't have any link to the original BitLocker partition.
Therefore, if you write to this file, the BitLocker volume won't change, only the NTFS file will.
Note that creating that file may take a long time, depending on the size of the encrypted partition.
But afterward, once the partition is decrypted, the access to the NTFS partition will be faster.
Another thing to consider is the disk space this binary needs: the same size as the volume you're trying to decrypt.
Nevertheless, once the partition is decrypted, you can mount your file as any NTFS partition.
CERT-Forensics-Tools-1.0-73.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-73.el7.x86_64.rpm -
This package was updated as follows:
The dislocker suite was added for all supported systems.
May 19, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.15-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.10.15-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.39.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.14-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-39.noarch.rpm - Support for the following kernels was added for LiME:
4.10.14-100 for FC24
pfring-6.6.0-1231.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.6.0-1231.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically
improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
aeskeyfind-1.0-3.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Aeskeyfind
illustrates automatic techniques for locating 128-bit and 256-bit AES keys in a captured memory image.
The program uses various algorithms and also performs a simple entropy test to filter out blocks that are not keys.
It counts the number of repeated bytes and skips blocks that have too many repeats.
This method works even if several bits of the key schedule have been corrupted due to memory decay.
This package is useful in several activities, such as forensic investigations.
CERT-Forensics-Tools-1.0-72.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-72.el7.x86_64.rpm -
This package was updated as follows:
The package aeskeyfind was added for all supported systems.
May 8, 2017:
The following changes have been made:
nDPI{,-devel}-1.8-3.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
This version eliminates a dependency for CentOS/RHEL 6 for the x86_64 architecture.
The other revisions for all other systems and architectures are to maintain revision compatibility.
April 28, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.10.10-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.10.9-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.38.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-38.noarch.rpm - Support for the following kernels was added for LiME:
4.10.10-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.37.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.9-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-37.noarch.rpm - Support for the following kernels was added for LiME:
4.10.9-100 for FC24
fmem-kernel-modules-el7-x86_64-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.16.1 for EL7
3.10.0-514.10.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.16.1 for EL7
3.10.0-514.10.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696.1.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696.1.1 for EL6
libvslvm{,-devel,-python,-python3,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libvslvm{,-devel,-python,-tools}-20160110-2.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python,-python3,-tools}-20160110-2.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
This release added the missing FUSE dependencies.
CERT-Forensics-Tools-1.0-71.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-71.el7.x86_64.rpm -
This package was updated as follows:
The package libvslvm-tools was added for all supported systems.
April 13, 2017:
The following changes have been made:
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-696 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-696 for EL6
Volatility-community-plugins-20170405-2.fc25.noarch.rpm - The Volatility Community Plugins for Fedora 25 had
an incorrect dependency which has been fixed.
April 7, 2017:
The following changes have been made:
sleuthkit{,-devel,-libs}-4.4.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.3.0) released to this repository.
pytsk3-20170324-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
ddrescue-1.22-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See here for the changes since the last version (1.21) released to this repository.
ddrutility-2.8-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to
GNU ddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
dd_rescue-1.99.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
See here for the changes since the last version (1.99) released to this repository.
dc3dd-7.2.646-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - dc3dd is a patched version of GNU dd that
includes several features useful for computer forensics.
guymager-0.8.4-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and guymager-0.8.4-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
dfvfs-20170324-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libbde{,-devel,-python,-python3,-tools}-20170204-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20170204-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20170204-1.el7.x86_64.rpm -
Libbde
is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libbfio{,-devel}-20170123-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
See here for the list of changes.
libesedb{,-devel,-python,-python3,-tools}-20170121-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libesedb{,-devel,-python,-tools}-20170121-1.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python,-python3,-tools}-20170121-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
libevt{,-devel,-python,-python3,-tools}-20170120-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libevt{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python,-python3,-tools}-20170120-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-python3,-tools}-20170122-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libevtx{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python,-python3,-tools}-20170120-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
libfwsi{,-devel,-python,-python3}-20160110-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libfwsi{,-devel,-python}-20160110-1.el6.{i686,x86_64}.rpm, and libfwsi{,-devel,-python,-python3}-20160110-1.el7.x86_64.rpm -
Libfwsi is a library to access the
Windows Shell Item format.
See here for the list of changes.
libiconv{,-devel,-static,-utils}-1.15-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libiconv
provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode.
Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconv.
This release also makes the library files available at /usr/libiconv/lib for the x86_64 architecture, which makes the package easier to use when building
packages that use libiconv.
liblnk{,-devel,-python,-python3,-tools}-20170111-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, liblnk{,-devel,-python,-tools}-20170111-1.el6.{i686,x86_64}.rpm, liblnk{,-devel,-python,-python3,-tools}-20170111-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-python3,-tools}-20170116-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python,-tools}-20170116-1.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python,-python3,-tools}-20170116-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-python3,-tools}-20170129-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libolecf{,-devel,-python,-tools}-20170129-1.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python,-python3,-tools}-20170129-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libqcow{,-devel,-python,-python3,-tools}-20170222-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libqcow{,-devel,-python,-tools}-20170222-1.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python,-python3,-tools}-20170222-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
libsigscan{,-devel,-python,-python3,-tools}-20170124-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libsigscan{,-devel,-python,-tools}-20170124-1.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python,-python3,-tools}-20170124-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20170225-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20170225-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20170225-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libvhdi{,-devel,-python,-python3,-tools}-20170223-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libvhdi{,-devel,-python,-tools}-20170223-1.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python,-python3,-tools}-20170223-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status.
See here for the list of supported disk formats.
libvmdk{,-devel,-python,-python3,-tools}-20170226-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm, libvmdk{,-devel,-python,-tools}-20170226-1.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python,-python3,-tools}-20170226-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
nDPI{,-devel}-1.8-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
This version brings the code base used to build this package up to 2017-03-28.
partclone-0.2.90-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset-{devel,lib,tools}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
analysis-pipeline-5.6-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.6-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
This package was rebuilt to use silk 3.15.0.
capstone{,-devel,-python,-python3}-3.0.4-4.{fc20,fc21}.{i686,x86_64}.rpm and capstone-java-3.0.4-4.noarch.rpm - Capstone is a
lightweight multi-platform, multi-architecture disassembly framework.
See here for the list of changes and future features.
capstone{,-devel,-python,-python3}-3.0.4-4.el7.x86_64.rpm - Capstone is a
lightweight multi-platform, multi-architecture disassembly framework.
See here for the list of changes and future features.
capstone{,-devel,-python}-3.0.4-4.el6.{i386,x86_64}.rpm - Capstone is a
lightweight multi-platform, multi-architecture disassembly framework.
See here for the list of changes and future features.
pyew-2.3.0.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Pyew is a (command line) python tool to analyse malware.
It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), and PE and ELF file formats (it performs code analysis and lets you write scripts using an
API to perform many types of analysis); it follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports
the OLE2 format, PDF format and more.
It also supports plugins to add more features to the tool.
radare{,-devel}-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and radare{,-devel}-2.1.3.0-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and python-radare-2.1.3.0-1.el7.x86_64.rpm - Python-Radare provides
bindings that allow Radare to be used from Python.
Volatility-2.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i386,x86_64}.rpm and Volatility-2.6-1.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.
You can read about this version here.
Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
Volatility-community-plugins-20170405-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - The Volatility Community Plugins
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/.
Note: The following plugins were removed for el6: PhilipHuppert, ThomasChopitea, TranVienHa, YingLi, DaveLasalle, LoïcJaquemet, and BartoszInglot.
python-haystack-0.36-0.noarch.rpm - Python-Haystack is a heap analysis framework, focused on searching for and reversing
C structures in allocated memory.
python-pycoin-0.77-0.noarch.rpm - Python-Pycoin is an implementation of several utility routines that may be useful when dealing with
bitcoin and some alt-coins. It has been tested with Python 2.7, 3.3, 3.4 and 3.5.
python-dpapick-0.3-0.noarch.rpm - Python-Dpapick is a Python toolkit that provides a platform-independent implementation
of Microsoft's cryptography subsystem called DPAPI (Data Protection API).
It can be used either as a library or as a standalone tool.
It is also the first open-source tool that allows decryption of DPAPI structures in an offline way and, moreover, from a platform other than Windows.
It is provided with some application probes that include the built-in logic to retrieve the corresponding secrets that are protected.
For more information go here.
python-typing-3.6.1.0-0.noarch.rpm - Python-Typing is a backport of the standard library typing module to Python versions older than 3.6.
Typing defines a standard notation for Python function and variable type annotations.
The notation can be used for documenting code in a concise, standard format, and it has been designed to also be used by static and runtime type checkers, static analyzers, IDEs and other tools.
Note: this package was installed only for Fedora 20, 21, and 22.
All other versions of Fedora and CentOS provide this package.
python-M2Crypto-0.26.0-0.noarch.rpm - Python-M2Crypto is the most complete Python wrapper for OpenSSL
featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python's httplib, urllib, and xmlrpclib;
unforgeable HMAC'ed AuthCookies for web session management; FTP/TLS client and server; S/MIME; ZServerSSL: an HTTPS server for Zope; and ZSmime: an S/MIME messenger for Zope.
M2Crypto can also be used to provide SSL for Twisted.
Smartcards are supported through the Engine interface.
python-ioc_writer-0.3.3-0.noarch.rpm - Python-IOC_Writer is a Python library that allows for basic creation and editing of
OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.8-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.10.8-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.6-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.10.6-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.5-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.10.5-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.10.8-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.10.6-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.10.6-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.17-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.9.17-100 for FC24
March 20, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.9.13-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.13-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.9.13-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.13-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.9.13-101 for FC24
March 10, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.13-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.9.13-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.13-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.9.13-100 for FC24
super_mediator-1.5.2-1.{fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and super_mediator-1.5.2-1.el7.x86_64.rpm -
Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
snarf{,-devel,-python}-0.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
See here for the list of changes for this release.
Note: due to the changing package requirements of snarf, there is no support for Fedora 20 and CentOS/RHEL 6.
CERT-Forensics-Tools-1.0-70.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-70.el7.x86_64.rpm -
This package was updated as follows:
The package xplico is now installed for Fedora 25.
The package snarf is now installed for Fedora 25, 24, 23, 22, and 20, and CentOS/RHEL 6 and 7.
Snarf is not available for Fedora 21.
March 3, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.11-200 for FC25
4.9.12-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.9.11-200 for FC25
4.9.12-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.12-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.9.12-100 for FC24
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.13.2 for EL6
2.6.32-642.15.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.13.2 for EL6
2.6.32-642.15.1 for EL6
February 23, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.10-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.9.10-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.9-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.9.9-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels were added for
Fmem:
4.9.8-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels were added for
LiME:
4.9.8-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels were added for
Fmem:
4.9.10-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels were added for
LiME:
4.9.10-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels were added for
Fmem:
4.9.9-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels were added for
LiME:
4.9.9-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels were added for
Fmem:
4.9.8-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels were added for
LiME:
4.9.8-100 for FC24
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels were added for
Fmem:
2.6.18-418 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels were added for
LiME:
2.6.18-418 for EL5
pyfixbuf-0.2.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building collecting and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful for modifying, filtering, or adding to the contents of a message before forwarding it to another IPFIX collection point, or for converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.70-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
See here for the list of changes.
socat-1.7.3.2-1.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Socat is a relay for bidirectional data transfer between two independent data channels.
Each of these data channels may be a file, a pipe, a device (a serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, a proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these.
These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
Socat can be used, e.g., as a TCP port forwarder (one-shot or daemon), as an external socksifier, for attacking weak firewalls, as a shell interface to UNIX sockets, as an IP6 relay, for redirecting TCP-oriented programs to a serial line, to logically connect serial lines on different computers, or to establish a relatively secure environment (su and chroot) for running client or server shell scripts with network connections.
See the change log that is part of the RPM package for a list of changes since the last version (1.7.3.0).
pfring-6.4.1-1143.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.4.1-1143.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
bokken-1.8-2.{fc20,fc21,fc22,fc23,fc24,fc24,el6,el7}.{i686,x86_64}.rpm and bokken-1.8-1.{el6,el7}.x86_64.rpm - Bokken is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some of Radare's.
It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.
This release was built to correct a configuration error in the bokken script that set the shell variable BOKKEN_DIR incorrectly for systems of the x86_64 architecture.
February 10, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.7-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.9.7-201 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.7-101 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.9.7-101 for FC24
February 4, 2017:
The following changes have been made:
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.6-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.9.6-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.5-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.9.5-200 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.4-201 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.9.4-201 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.3-200 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.9.3-200 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.6-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.9.6-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.5-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.9.5-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.9.4-100 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.9.4-100 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.16-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.8.16-200 for FC24
fmem-kernel-modules-el7-x86_64-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.6.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.6.1 for EL7
xplico-1.2.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
Here are the changes for this version:
pfring-6.4.1-1064.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
pfring-dkms-6.4.1-1064.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
yaf{,-devel}-2.8.4-2.{el6,el7}.x86_64.rpm -
Yaf is Yet Another Flowmeter, and yaf is a suite of tools to do flow metering.
This package has been rebuilt with the --with-pfring configuration option.
Note that this is a package that supports PF_Ring sockets.
To install PF_Ring on your CentOS/RHEL system, please follow the directions found here.
January 15, 2017:
The following changes have been made:
super_mediator-1.5.0-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and super_mediator-1.5.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the list of changes for this release.
libschemaTools{,-devel}-1.2.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.2.1-1.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data or the structure of the records.
See here for the list of changes for this release.
analysis-pipeline-5.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.6-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes for this release.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.16-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.8.16-300 for FC25
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.13.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.13.1 for EL6
December 31, 2016:
The following changes have been made:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.15-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.8.15-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.15-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.8.15-300 for FC25
fmem-kernel-modules-el7-x86_64-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-514.2.2 for EL7
3.10.0-514 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-514.2.2 for EL7
3.10.0-514 for EL7
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-417 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-417 for EL5
daq-2.0.6-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i386,x86_64}.rpm and daq-2.0.6-2.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Changes were made to support NFQ, which is the new and improved way to process iptables packets.
snort-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and snort-2.9.9.0-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.9.0-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
snort-sample-rules-2.9.9.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
December 22, 2016:
The following changes have been made:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.14-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.8.14-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.14-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.8.14-300 for FC25
December 15, 2016:
The following changes have been made:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.13-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.8.13-100 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.12-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.8.12-100 for FC23
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.13-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.8.13-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.12-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.8.12-200 for FC24
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.13-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.8.13-300 for FC25
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.12-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.8.12-300 for FC25
December 12, 2016:
The following changes have been made:
Fedora 8 - The repository files for Fedora 8 have been removed.
Fedora 9 - The repository files for Fedora 9 have been removed.
Fedora 10 - The repository files for Fedora 10 have been removed.
Fedora 11 - The repository files for Fedora 11 have been removed.
Fedora 12 - The repository files for Fedora 12 have been removed.
Fedora 13 - The repository files for Fedora 13 have been removed.
Fedora 14 - The repository files for Fedora 14 have been removed.
Fedora 15 - The repository files for Fedora 15 have been removed.
Fedora 16 - The repository files for Fedora 16 have been removed.
December 8, 2016:
The following have been released:
Fedora 25 - The repository now supports Fedora 25 for the i686 and x86_64 CPU architectures.
Here is the list of tools provided for Fedora 25:
fmem-kernel-modules-1.6-1.9.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 25 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-9.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 25 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.11-300 for FC25
lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.8.11-300 for FC25
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.11-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.8.11-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.10-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.8.10-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.8-200 for FC24
4.8.7-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.8.8-200 for FC24
4.8.7-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.11-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.8.11-100 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.10-100 for FC23
4.8.8-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.8.10-100 for FC23
4.8.8-100 for FC23
libpff-20161119-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF, the Digital Forensics Framework.
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.14.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.14.0-2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.14.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of cert-forensics-tools-release; its definition can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.5-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.5-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This release was built using SiLK version 3.14.0.
silk-ipset-{devel,lib,tools}-3.14.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
Volatility-community-plugins-20161202-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - The Volatility Community Plugins
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/.
dff-1.3.6-20161201.1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++, it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
This version is the developer version as of December 1, 2016.
xplico-1.1.1-6.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.x86_64.rpm - xplico is an Internet traffic decoder.
Xplico needs various variables set in the /etc/php.ini file.
These used to be set in the scripts provided by the package and in the script that starts Xplico.
They are now set in the configuration file for the Apache Web Server.
Nonetheless, when Xplico is installed, the Apache Web Server must be restarted if it was running, and started otherwise.
Note also that Xplico is not available for Fedora 25. This is because of an incompatibility between PHP 7, which is provided with Fedora 25, and the version of CakePHP that was used to build Xplico (1.3.20).
CERT-Forensics-Tools-1.0-69.fc25.{i686,x86_64}.rpm -
This package was updated as follows:
The package Xplico was temporarily removed for Fedora 25. It will be re-added when it supports PHP 7.
November 14, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.6-201 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.8.6-201 for FC24
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.69-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.13.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.13.0-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.13.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of cert-forensics-tools-release; its definition can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.5-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.5-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes since the last version (5.4.1).
silk-ipset-{devel,lib,tools}-3.13.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
super_mediator-1.4.0-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and super_mediator-1.4.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use silk-ipset-3.13.0.
libvshadow{,-devel,-python,-tools}-20161111-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20161111-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
This version uses the external version of libbfio to support
DFF, the Digital Forensics Framework.
libfwnt{,-devel,-python,-python3}-20151103-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20160418-1.el6.{i686,x86_64}.rpm, and libfwnt{,-devel,-python,-python3}-20151103-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
See here for the list of changes.
This package is needed by dfvfs and plaso.
libscca{,-devel,-python,-python3,-tools}-20161031-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libscca{,-devel,-python,-tools}-20161031-1.el6.x86_64.rpm, and libscca{,-devel,-python,-python3,-tools}-20161031-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
See here for the list of changes.
November 8, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.8.4-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.8.4-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.10-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.7.10-100 for FC23
python-dfdatetime-20161104-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
October 31, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.9-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.7.9-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.9-100 for FC23
4.7.8-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.7.9-100 for FC23
4.7.8-100 for FC23
fmem-kernel-modules-el7-x86_64-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.36.3 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.36.3 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.11.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.11.1 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.6.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.6.2 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-416 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-416 for EL5
xplico-1.1.1-5.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.x86_64.rpm - xplico is an Internet traffic decoder.
Xplico needs various variables set in the /etc/php.ini file.
In all releases before this one, these variables were set only when the package was installed, and unset when the package was removed.
This method did not take into account new releases of the package of which /etc/php.ini is a part.
To solve this problem, the script that starts xplico - /usr/sbin/xplico - has been changed to set these variables every time xplico is started and to return them to their previous values when xplico is stopped.
This technique makes xplico immune to changes in other packages installed on a system.
artifacts-20161022-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i386,x86_64}.rpm and artifacts-20161022-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
This package was built to support plaso.
python-dfdatetime-20161017-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
This package is needed by dfvfs.
libexe{,-devel,-python,-python3,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libexe{,-devel,-python,-tools}-20160418-2.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python,-python3,-tools}-20160418-1.el7.x86_64.rpm -
Libexe is a library to access the executable (EXE) format.
See here for the list of changes.
libwrc{,-devel,-python,-python3,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libwrc{,-devel,-python,-tools}-20160418-2.el6.{i686,x86_64}.rpm - Libwrc is a library to access the Windows Resource Compiler (WRC) format.
See here for the list of changes.
pytsk3-20160721-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
Note that this version is now named pytsk3 and it obsoletes pytsk.
plaso-1.5.1-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, plaso-1.5.0-1.el7.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the 1.5.0 release announcement here.
There is no comprehensive list of changes for 1.5.1.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for this version of plaso for Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures and for CentOS/RHEL version 7 for the x86_64 architecture.
Installation both as an update and as a new install has been successfully tested.
dfvfs-20160918-2.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This version was rebuilt to use the renamed pytsk3.
October 21, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.7-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.7.7-100 for FC23
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.7-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.7.7-200 for FC24
xplico-1.1.1-4.el7.x86_64.rpm - xplico is an Internet traffic decoder.
This release uses systemctl instead of systemon CentOS/RHEL 7.
xplico-1.1.1-3.el7.x86_64.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to use the Python 3.3 code for CentOS/RHEL 7.
October 14, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.6-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.7.6-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.6-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.7.6-100 for FC23
fmem-kernel-modules-el7-x86_64-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.36.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.36.2 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.6.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.6.1 for EL6
October 7, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.5-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.7.5-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.5-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.7.5-100 for FC23
September 30, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.4-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.7.4-100 for FC23
September 23, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.4-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.7.4-200 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.3-200 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.7.3-200 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.3-100 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.7.3-100 for FC23
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.68-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
See here for the list of changes.
libbde{,-devel,-python,-python3,-tools}-20160731-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libbde{,-devel,-python,-tools}-20160731-2.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python,-python3,-tools}-20160731-2.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libesedb{,-devel,-python,-python3,-tools}-20160622-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libesedb{,-devel,-python,-tools}-20160622-2.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python,-python3,-tools}-20160622-2.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications, such as Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
libmsiecf{,-devel,-python,-python3,-tools}-20160904-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python,-tools}-20160904-2.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python,-python3,-tools}-20160904-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libfvde{,-devel,-python,-python3,-tools}-20160918-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libfvde{,-devel,-python,-tools}-20160918-1.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python,-python3,-tools}-20160918-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
See here for a list of changes since the last release (20150222).
libsmraw{,-devel,-python,-python3,-tools}-20160424-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libsmraw{,-devel,-python,-tools}-20160424-2.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python,-python3,-tools}-20160424-2.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
This release was rebuilt to remove debugging information and to support Python 3 where possible and practical.
dfvfs-20160918-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
dfwinreg-20160428-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and dfwinreg-20160428-1.{el6,el7}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
xlsxwriter-0.9.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and xlsxwriter-0.9.3-1.el7.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
efilter-1-1.5-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and efilter-1-1.5-1.el7.x86_64.rpm - Efilter is a general-purpose query language designed to be embedded in Python applications and libraries.
It supports SQL-like syntax to filter your application's data and provides a convenient way to directly search through the objects your application manages.
A second use case for EFILTER is to translate queries from one query language to another, such as from SQL to OpenIOC and so on.
A basic SQL-like syntax and a POC lisp implementation are included with the language, and others are relatively simple to add.
python-psutil-2.1.3-1.el6.{i686,x86_64}.rpm - Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
This package was built to support plaso.
plaso-1.5.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, plaso-1.5.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See the release announcement here.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of plaso.
Installation as an update and as a new install of CERT-Forensics-Tools has been successfully tested.
fmem-kernel-modules-el7-x86_64-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.36.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.36.1 for EL7
September 11, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.2-201 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.7.2-201 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.7.2-101 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.7.2-101 for FC23
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-412 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-412 for EL5
fmem-kernel-modules-common-1.6-1.3.noarch.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations.
This package contains the source code for making the FMEM kernel modules and the install-fmem script.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7.
If you use rsync, make certain that you use the -H option to preserve those hard links.
lime-kernel-modules-common-1.1.r17-3.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
This package also obsoletes the lime-kernel-objects package, which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7.
If you use rsync, make certain that you use the -H option to preserve those hard links.
yara{,-doc,-devel}-3.5.0-5.1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID to see whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
This release (5.1) was rebuilt to coincide with the version from Fedora (3.5.0-5) but to eliminate some dependency problems on Fedora 23 and 24.
Note also that the -devel and -doc packages split out the files needed for development and documentation, respectively.
August 26, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.7-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.6.7-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.7-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.6.7-200 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.4.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.4.2 for EL6
analyzeMFT-2.0.19-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
See here for the changes since the previously installed version 2.0.19.
August 22, 2016:
The following have been released:
yara-3.5.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID to see whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (3.4.0):
Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
Performance improvements
Less memory consumption while scanning processes
Exception handling when scanning memory blocks
Negative integers in meta fields
Added the --stack-size command-argument
Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
Functions rich_signature.toolid and rich_signature.version added to PE module
Lots of bug fixes
yara-python-3.5.0-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts.
Here are the changes since the last version (3.4.0):
Match length operator (http://yara.readthedocs.io/en/v3.5.0/writingrules.html#match-length)
Performance improvements
Less memory consumption while scanning processes
Exception handling when scanning memory blocks
Negative integers in meta fields
Added the --stack-size command-argument
Functions import_ordinal, is_dll, is_32bit and is_64bit added to PE module
Functions rich_signature.toolid and rich_signature.version added to PE module
Lots of bug fixes
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.6-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.6.6-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.6-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.6.6-200 for FC23
cert-forensics-tools-release-2{3,4}-12.noarch.rpm - cert-forensics-tools-release is the package that connects a Fedora-based computer system to the CERT Linux Forensics Tools Repository (LiFTeR).
This package has been changed to require either a Fedora release or a Generic release in order to be installable.
Note that this feature is entitled Boolean Dependencies and as such requires rpm version 4.13 or newer.
See here for an explanation of Boolean Dependencies.
fmem-kernel-modules-el7-x86_64-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.28.3 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.28.3 for EL7
August 12, 2016:
The following have been released:
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.5-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.6.5-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.5-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.6.5-200 for FC23
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.67-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
See here for the list of changes.
August 5, 2016:
The following have been released:
opencl-headers-1.2-7.el6.noarch.rpm - OpenCL-Headers:
The OpenCL registry contains specifications of the core API and the OpenCL C language; a portable intermediate representation of
OpenCL programs; specifications of Khronos- and vendor-approved OpenCL extensions; and links to header files corresponding to the
specifications, which are now hosted in the OpenCL-Headers Github repository.
hashcat-3.00-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 160 highly-optimized hashing algorithms.
Hashcat currently supports CPUs, GPUs and other hardware accelerators on Linux, Windows and OSX, and has facilities to help enable distributed password cracking.
fmem-kernel-modules-el7-x86_64-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.28.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.28.2 for EL7
RPMForge -
According to this website: https://wiki.centos.org/AdditionalResources/Repositories,
the RPMForge and RepoForge repositories are dead and are no longer recommended for use.
To that end, all of the packages used by CentOS/RHEL 6 and 7 have been added to this repository.
To remove these packages and the RPMForge repository from your system and to install the needed replacement packages from the CERT Linux Forensics Tools Repository, do the following:
This is the list of tools that have been rebuilt and added to the CERT Linux Forensics Tools Repository.
2hash-0.2-1.el6.{i686,x86_64}.rpm - 2hash is a tool to calculate the md5 and sha1 hashes of a file in a single read.
If you’re regularly checking/calculating hashes of large files this’ll save you a lot of disk I/O.
adns-0.2-1.el6.{i686,x86_64}.rpm - ADNS is a resolver library for C (and C++) programs, and a collection of useful DNS resolver utilities.
cryptcat-1.2.1-1.1-{el6,el7}.{i686,x86_64}.rpm - Cryptcat is the standard netcat enhanced with twofish encryption
with ports for Windows NT, BSD and Linux. Twofish is courtesy of counterpane, and cryptix.
TCP/IP swiss army knife extended with twofish encryption - Cryptcat is a simple Unix utility which reads and writes data across network connections, using TCP or
UDP protocol while encrypting the data being transmitted.
It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts.
At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.
Cryptcat has been added to the CERT Linux Forensics Tools Repository (LiFTeR) from the now defunct RPMForge repository.
etherape-0.9.13-1.el6.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.
fatback-1.3-1.el6.{i686,x86_64}.rpm - Fatback is a tool that undeletes files from FAT filesystems.
lame{,-libs}-3.99.5-1.el6.{i686,x86_64}.rpm - LAME is an open source MP3 encoder whose quality and speed match commercial encoders.
LAME handles MPEG1,2 and 2.5 layer III encoding with both constant and variable bitrates.
missidentify-1.0-1.el6.{i686,x86_64}.rpm - missidentify is a program to find Win32 applications.
In its default mode it displays the filename of any executable that does not have an executable extension (i.e. exe, dll, com, sys, cpl, hxs, hxi, olb, rll, or tlb).
The program can also be run to display all executables encountered, regardless of the extension.
This is handy when looking for all of the executables on a drive.
Other options allow the user to record the strings found in an executable and to work recursively.
See the manual page for more information.
mount_ewf-20090113-1.el6.noarch.rpm - Mount_ewf is a tool that mounts EWF files as mounted images using the loopback capability.
pasco-1.0-1.el6.{i686,x86_64}.rpm - Pasco is a tool that parses the information in an index.dat file and outputs the results in a field-delimited manner so that they may be imported into your favorite spreadsheet program.
Pasco is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD platforms.
perl-Data-Hexify-1.00-1.el6.noarch.rpm - perl-Data-Hexify formats arbitrary (possibly binary) data into a format suitable for hex dumps in the style of xd or hexl.
perl-File-Mork-0.3-1.el6.{i686,x86_64}.rpm - perl-File-Mork is a module to read Mozilla URL history files.
perl-Mac-PropertyList-1.33-1.el7.noarch.rpm - perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format.
perl-Parse-Win32Registry-0.51-1.el6.noarch.rpm - perl-Parse-Win32Registry is a module for parsing Windows Registry files,
allowing you to read the keys and values of a registry file without going through the Windows API.
It provides an object-oriented interface to the keys and values in a registry file. Registry files are structured as trees of keys, with each key containing further subkeys or values.
The module is intended to be cross-platform, and run on those platforms where Perl will run.
It supports both Windows NT registry files (Windows NT, 2000, XP, 2003, Vista, 7) and Windows 95 registry files (Windows 95, 98, Millennium Edition).
It is intended to be used to parse offline registry files. If a registry file is currently in use, you will not be able to open it. However, you can save part or all of a currently loaded registry file using the Windows reg command if you have the appropriate administrative access.
python-tidy-0.2-1.{el6,el7}.noarch.rpm - Python-tidy cleans up, regularizes, and reformats the text of Python scripts.
rar-5.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Rar is a powerful archive manager.
It can backup your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from Internet and create new archives in RAR and ZIP file format.
See here for a list of changes in this version.
socat-1.7.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Socat is a relay for bidirectional data transfer between two independent data channels.
Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an
SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor (readline), a program, or a combination of two of these.
These modes include generation of "listening" sockets, named pipes, and pseudo terminals.
Socat can be used, e.g., as TCP port forwarder (one-shot or daemon), as an
external socksifier, for attacking weak firewalls, as a shell interface to UNIX
sockets, IP6 relay, for redirecting TCP oriented programs to a serial line, to
logically connect serial lines on different computers, or to establish a
relatively secure environment (su and chroot) for running client or server
shell scripts with network connections.
See the change log that is part of the RPM package for a list of changes.
tcpflow-1.4.4-1.el7.x86_64.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
tre-0.8.0-1.el6.{i686,x86_64}.rpm - Tre is a lightweight, robust, and efficient POSIX compliant regexp
matching library with some exciting features such as approximate (fuzzy) matching.
The matching algorithm used in TRE uses linear worst-case time in the length of the text being searched, and quadratic worst-case time in the length of the used regular expression.
In other words, the time complexity of the algorithm is O(M^2N), where M is the length of the regular expression and N is the length of the text.
The used space is also quadratic on the length of the regex, but does not depend on the searched string.
This quadratic behaviour occurs only on pathological cases which are probably very rare in practice.
unrar-5.3.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Unrar is a powerful archive manager.
It can backup your data and reduce the size of email attachments, decompress RAR, ZIP and other files downloaded from Internet and create new archives in RAR and ZIP file format.
See here for a list of changes in this version.
July 27, 2016:
The following have been released:
plaso-1.4.0-4.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4.0-4.{el6,el7}.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release is version 1.4.0 and not a beta release, as was previously installed in the repository.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
dfvfs-20160726-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This version uses the source code dated 2016-03-06 to fix this error: https://github.com/log2timeline/plaso/issues/803.
python-dfdatetime-20160706-1.el6.noarch.rpm - dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
This package is needed by dfvfs.
July 24, 2016:
The following have been released:
undbx-0.21-1.el7.x86_64.rpm - Undbx extracts, recovers and undeletes e-mail messages from
Outlook Express .dbx files.
This package was orphaned in RedHat EPEL and has been installed in this repository.
July 22, 2016:
The following have been released:
fmem-kernel-modules-common-1.6-1.2.noarch.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations.
This package contains the source code for making the FMEM kernel modules and the install-fmem script.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7.
If you use rsync, make certain that you use the -H option to preserve those hard links.
foremost-1.5.7-13.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Foremost is a console program to recover files
based on their headers, footers, and internal data structures.
This process is commonly referred to as data carving.
Foremost can work on image files, such as those generated by dd, Safeback,
EnCase, etc, or directly on a drive.
The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types.
These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.
Originally developed by the United States Air Force Office Special Investigation and
Center for Information Systems Security Studies and Research, foremost has been opened to the general public.
Send any comments, suggestions, patches, or feedback you have on this program to namikus@users.sf.net.
libewf{,-devel,-tools,-python}-20160718-20140608.1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm, libewf{,-devel,-tools,-python}-20160718-20140608.1.el7.x86_64.rpm, ewftools-20160718-20140608.1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm, and ewftools-20160718-20140608.1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140608 but to make it the latest version, the version number was changed to the build date (20160718)
and the release number changed to include the source code release date (20140608).
To install this version, do the following:
Disable the forensics-test repository with this command: sudo yum-config-manager --disable forensics-test
Save the list of installed libewf tools with this command: LIBEWF=`rpm -qa|grep 'ewf.*2014060801'|sed 's/-2014.*//`
Remove this list of installed libewf tools with this command: sudo rpm -ev $LIBEWF --nodeps
Install the new versions of these libewf tools with this command: sudo yum -y install $LIBEWF
Update all packages with this command: sudo yum -y update
sleuthkit{,-devel,-libs}-4.2.0-4.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
This release was brought up to date with the version of the code in GitHub dated 2016-07-18.
Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error.
testdisk-7.0-3.1.el6.{i686,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
This release was built to use the latest version of libewf that is installed in this repository.
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.4-301 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.6.4-301 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.4-201 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.6.4-201 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.14-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
4.4.14-200 for FC22
July 15, 2016:
The following have been released:
Fedora 24 - The repository now supports Fedora 24
for the i686 and x86_64 CPU architectures.
Here is the list of tools provided for Fedora 24:
libpff-20160110-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF, the Digital Forensics Framework.
See here for the list of changes.
libvshadow{,-devel,-python,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20160110-2.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
This version uses the external version of libbfio to support
DFF, the Digital Forensics Framework.
dff-1.3.6-20160630.1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF)
is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++,
it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
This version is the developer version as of June 30, 2016.
To support this version, the following were also installed:
libbde{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20160418-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libbfio{,-devel,-python}-20160108-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
libevt{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools
to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20160421-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20160420-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20160420-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20160421-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libfsntfs{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools
to access the New Technology File System (NTFS).
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20160423-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20160423-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.66-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status.
See here for the list of supported disk formats.
fmem-kernel-modules-1.6-1.8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 24 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 24 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.6.3-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.6.3-300 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.1.noarch.rpm - Support for the following kernels was added for Fmem:
4.5.7-300 for FC24
4.5.5-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-1.noarch.rpm - Support for the following kernels was added for LiME:
4.5.7-300 for FC24
4.5.5-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.5.7-202 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.5.7-202 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.3.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-411 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-411 for EL5
lime-kernel-modules-common-1.1.r17-2.noarch.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
This package also obsoletes the lime-kernel-objects package, which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7.
If you use rsync, make certain that you use the -H option to preserve those hard links.
snort-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and snort-2.9.8.3-1.el7.x86_64.rpm -
Snort is an open
source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.8.3-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
snort-sample-rules-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
dfvfs-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for this version of dfvfs on Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures
and on CentOS/RHEL version 7 for the x86_64 architecture.
libfwnt{,-devel,-python,-python3}-20160418-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20160418-1.el6.{i686,x86_64}.rpm, and libfwnt{,-devel,-python,-python3}-20160418-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
See here for the list of changes.
This package is needed by dfvfs.
python-dfdatetime-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
This package is needed by dfvfs.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
distorm3-3.3.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i386,x86_64}.rpm and distorm3-3.3.4-1.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
The changes are listed here.
Volatility-2.5-4.{fc20,fc21,fc22,fc23,fc24,el6}.{i386,x86_64}.rpm and Volatility-2.5-4.el7.x86_64.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.5.
It also contains the mimikatz plugin.
This release was built using the code as of 2016-07-08.
Volatility-community-plugins-20160708-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - The Volatility Community Plugins
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/.
exfat-utils-1.2.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.3).
nDPI{,-devel}-1.8-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
xplico-1.1.1-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work with nDPI-1.8.
python-registry-1.2.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Python-registry
provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced
study of the Windows Registry.
valabind-0.10.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and valabind-0.10.0-1.el7.x86_64.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
radare{,-devel}-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and radare{,-devel}-2.0.10.4-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and python-radare-2.0.10.4-1.el7.x86_64.rpm - Python-Radare are
bindings that allow Radare to be used from Python.
radare-extras-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and radare-extras-2.0.10.4-1.el7.x86_64.rpm - Radare-Extras are
extra plugins for radare2.
disktype-9-19.1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and disktype-9-19.1.el7.x86_64.rpm -
Disktype detects the content format of a disk or disk image.
This version is based on the standard version with support for
exfat,
LUKS,
f2fs,
btrfs, and
EXT 2, 3, and 4,
all courtesy of Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
This version was rebuilt to increment the release number to be higher (19.1) than the current version provided for either Fedora (19) or CentOS/RHEL (12).
netsa-rayon-1.4.3-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo.
It can also be used in wxPython GUI applications.
Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of
Pycairo (for static output) or wxPython (for GUI output).
See here for a list of changes.
This release was rebuilt to use Sphinx version 1.2.2 to produce the documentation.
analysis-pipeline-5.4.1-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.4.1-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes since the last version (5.4).
June 24, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.13-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
4.4.13-200 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.5.7-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.5.7-200 for FC23
fmem-kernel-modules-el7-x86_64-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.22.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.22.2 for EL7
June 10, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.12-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
4.4.12-200 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.5.6-200 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.5.6-200 for FC23
analysis-pipeline-5.4-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.4-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
June 7, 2016:
The following have been released:
netsa-python-1.5-1.{fc20,fc21,fc22,fc23,el6,el7}.{i386,x86_64}.rpm, netsa_silk-1.5-1.{fc20,fc21,fc22,fc23,el6,el7}.{i386,x86_64}.rpm - Netsa-python is a
library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the
netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line
processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes).
Netsa-python is compatible with Python versions 2.4 and greater.
See here for a list of the changes since the last release which was version 1.4.3.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.33.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.11-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-33.noarch.rpm - Support for the following kernels was added for LiME:
4.4.11-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642.1.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642.1.1 for EL6
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.5.5-201 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.5.5-201 for FC23
May 27, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.32.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.10-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-32.noarch.rpm - Support for the following kernels was added for LiME:
4.4.10-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-642 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-642 for EL6
May 26, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.9-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
4.4.9-200 for FC22
May 16, 2016:
The following have been released:
CERT-Forensics-Tools-1.0-68.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-68.el7.x86_64.rpm -
This package was updated as follows:
The package fuse-exfat was incorrectly obsoleted by CERT-Forensics-Tools. This
incorrect obsoleting directive was removed since it was already in exfat-utils, where it belongs.
May 13, 2016:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.1-2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-410 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-410 for EL5
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.9-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.4.9-300 for FC23
fmem-kernel-modules-el7-x86_64-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.18.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.18.2 for EL7
May 9, 2016:
The following have been released:
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.26.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.26.1 for EL6
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
4.4.8-200 for FC22
libewf{,-devel,-tools,-python}-2014060801-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, libewf{,-devel,-tools,-python}-2014060801-1.el7.x86_64.rpm, ewftools-2014060801-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, and ewftools-2014060801-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
These packages have been installed in the forensics-test repository.
To use this repository, you will need to enable it with this command:
sudo yum-config-manager --enable forensics-test
sleuthkit{,-devel,-libs}-4.2.0-4.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
This release was brought up to date with the version of the code in GitHub dated 2015-10-07.
Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error.
These packages have been installed in the forensics-test repository.
To use this repository, you will need to enable it with this command: sudo yum-config-manager --enable forensics-test
Note: if you install libewf-2014060801 you will need this version of The Sleuth Kit.
April 29, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.8-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.4.8-300 for FC23
April 21, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.7-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.4.7-300 for FC23
yaf{,-devel}-2.8.4-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.8.4-1.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device,
or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread,
or into serialized IPFIX message streams (IPFIX files) on the local file system.
See here for the changes since the last released version (2.8.2).
partclone-0.2.88-1.{fc22,fc21,fc20}.x86_64.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image", a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
This version is being released due to changes in ntfs-3g version 2016.2.22, which was released on April 21, 2016 for Fedora 22.
All other versions were rebuilt to maintain release numbering consistency.
April 14, 2016:
The following have been released:
partclone-0.2.88-1.el7.x86_64.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image", a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
This version is being released due to changes in ntfs-3g version 2016.2.22, which was released on April 14, 2016 for CentOS/RHEL 7.
This version will be installed on all other supported OSes and architectures by April 22, 2016.
partclone-0.2.71-5.el6.{i386,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image", a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
This version is being released due to changes in ntfs-3g version 2016.2.22, which was released on April 14, 2016 for CentOS/RHEL 6.
This version will be installed on all other supported OSes and architectures by April 22, 2016.
April 11, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.6-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.4.6-301 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.4.6-201 for FC22
partclone-0.2.88-1.fc23.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system
by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
This version is being released due to changes dictated by ntfs-3g version 2016.2.22, which was released on April 10, 2016 for Fedora 23.
This version will be installed on all other supported OSes and architectures by April 22, 2016.
April 8, 2016:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.0-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.0-2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.0-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-5.3.2-2.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.3.2-2.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.12.0.
silk-ipset-{devel,lib,tools}-3.12.0-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
super_mediator-1.3.0-2.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and super_mediator-1.3.0-2.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use silk-ipset-3.12.0.
yaf{,-devel}-2.8.2-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.8.2-1.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
See here for the changes since the last released version (2.8.1).
fmem-kernel-modules-el7-x86_64-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.13.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.13.1 for EL7
byacc-1.9.20130304-3.el6.{i386,x86_64}.rpm - BYacc is a parser generator utility that reads a grammar
specification from a file and generates an LR(1) parser for it.
The parsers consist of a set of LALR(1) parsing tables and a driver routine written in the C programming language.
It has a public domain license which includes the generated C.
Byacc was installed on CentOS/RHEL 6 so that libewf could be built.
libewf{,-devel,-python}-20160209-2.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, libewf{,-devel,-python}-20160209-2.el7.x86_64.rpm, ewftools-20160209-2.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, and ewftools-20160209-2.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
This version fixes the error that results when the deflate compression method (which is the default) is selected.
These packages have been installed in the forensics-test repository.
To use them, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file, and you must be root to do this.
March 24, 2016:
The following have been released:
ddrescue-1.21-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes for this version (1.21):
mapbook.cc (Mapbook): Fix iobuf alignment. (Reported by Heikki Tauriainen).
Removed short option names '-1' and '-2'.
Allow only regular files for '--log-rates' and '--log-reads'.
Option '-D, --odirect' now works also in fill mode.
rescuebook.cc (copy_block): Return 1 on unaligned read error. Set e_code on any error if verify_on_error.
Option '-X, --exit-on-error' has been extended to all phases.
Assigned short name '-Z' to option '--max-read-rate'.
mapbook.cc (update_mapfile): 'fsync' the mapfile every 5 minutes.
Rescuebook: Show full range of sizes from non-tried to finished.
rescuebook.cc (show_status): Show percent rescued.
configure: Avoid warning on some shells when testing for g++.
Makefile.in: Detect the existence of install-info.
libguytools-2.0.4-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libguytools-2.0.4-1.el7.x86_64.rpm -
Libguytools is a package of subroutines and header files needed to
build and operate guymager.
The changes are:
Removed arch specific code in toolsignal.cpp.
guymager-0.8.1-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and guymager-0.8.1-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
libsigscan{,-devel,-python,-python3,-tools}-20160312-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, libsigscan{,-devel,-python,-tools}-20160312-1.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python,-python3,-tools}-20160312-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
See here for the list of changes.
libsmdev{,-devel,-python,-python3,-tools}-20160320-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, libsmdev{,-devel,-python,-tools}-20160320-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python,-python3,-tools}-20160320-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
dfvfs-20160306-1.{fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for the i686 and x86_64 architectures
and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.6-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.4.6-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.6-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
4.4.6-200 for FC22
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.22.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.22.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-409 for EL5
2.6.18-408 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-409 for EL5
2.6.18-408 for EL5
March 18, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.5-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.4.5-300 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.4-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.4.4-301 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.4.5-200 for FC22
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.4.4-200 for FC22
super_mediator-1.3.0-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and super_mediator-1.3.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last released version (1.2.1).
March 11, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.3-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.4.3-201 for FC22
March 4, 2016:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.3.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.3.6-201 for FC22
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.3-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.4.3-300 for FC23
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.4.2-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.4.2-301 for FC23
ghex{,-devel,libs}-3.18.0-1.el7.x86_64.rpm - The Ghex hex editor
was installed for RHEL/CentOS 7.
The previous version for RHEL/CentOS 7 (2.24) required packages that are no longer provided as part of the standard RHEL/CentOS 7 distribution.
This version does not require those packages.
February 26, 2016:
The following have been released:
fmem-kernel-modules-el7-x86_64-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.10.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.10.1 for EL7
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.3.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.3.5-200 for FC22
analysis-pipeline-5.3.2-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.3.2-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes to the Version 5 release of analysis-pipeline.
February 12, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.3.5-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.3.5-300 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.18.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.18.1 for EL6
libewf{,-devel,-python}-20160209-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, libewf{,-devel,-python}-20160209-1.el7.x86_64.rpm, ewftools-20160209-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm, and ewftools-20160209-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
These packages have been installed in the forensics-test repository.
To use them, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file, and you must be root to do this.
yaf{,-devel}-2.8.1-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.8.1-1.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
See here for the changes since the last released version (2.8.0).
libschemaTools{,-devel}-1.2.0-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.2.0-1.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records. It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data and the structure of the records.
analysis-pipeline-5.3.1-3.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.3.1-3.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes to the Version 5 release of analysis-pipeline.
February 7, 2016:
The following have been released:
libvslvm{,-devel,-python,-python3,-tools}-20160110-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, libvslvm{,-devel,-python,-tools}-20160110-1.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python,-python3,-tools}-20160110-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
See here for the list of changes.
dfvfs-20160203-1.{fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for the i686 and x86_64 architectures
and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
xlsxwriter-0.8.4-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and xlsxwriter-0.8.4-1.{el6,el7}.x86_64.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more, including:
100% compatible Excel XLSX files.
Full formatting.
Merged cells.
Defined names.
Charts.
Autofilters.
Data validation and drop down lists.
Conditional formatting.
Worksheet PNG/JPEG images.
Rich multi-format strings.
Cell comments.
Integration with Pandas.
Textboxes.
Memory optimization mode for writing large files.
It supports Python 2.5, 2.6, 2.7, 3.1, 3.2, 3.3, 3.4, 3.5, Jython and PyPy and uses standard libraries only.
plaso-1.4-3.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4-3.{el6,el7}.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release adds the missing artifacts and python-requests dependencies.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
February 5, 2016:
The following have been released:
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
4.3.4-300 for FC23
4.3.3-303 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
4.3.4-300 for FC23
4.3.3-303 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.3.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.3.4-200 for FC22
fmem-kernel-modules-el7-x86_64-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.4.5 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.4.5 for EL7
splunk-6.3.2-aaff59bb082c-linux-2.6-x86_64.rpm and splunk-6.3.2-aaff59bb082c.i386.rpm - This version of
Splunk was added to the Splunk repository for Fedora 20 through 23 and Fedora 6 and 7 for the i386 and x86_64 architectures.
Follow these instructions after upgrading
to this version.
Make sure that you follow these instructions after upgrading but before rebooting.
If you do not follow these instructions, your system may hang when it reboots.
libbde{,-devel,-python,-tools}-20160110-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20160110-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libevt{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools
to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20160107-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
libfwsi{,-devel,-python}-20160110-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20160110-1.el7.x86_64.rpm -
Libfwsi is a library to access the
Windows Shell Item format.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20160107-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20160107-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libolecf
contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libqcow{,-devel,-tools,-python}-20160123-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libqcow{,-devel,-tools,-python}-20160123-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20160107-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20160107-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
libsigscan{,-devel,-python,-tools}-20160108-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libsigscan{,-devel,-python,-tools}-20160108-1.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20160109-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20160109-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20160108-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20160108-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20160108-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20160108-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libvmdk{,-devel,-python,-tools}-20160119-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libvmdk
is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
libvshadow{,-devel,-python,-tools}-20160110-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20160110-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
dfwinreg-20160116-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and dfwinreg-20160116-1.{el6,el7}.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
libscca{,-devel,-python,-python3,-tools}-20160108-1.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm and libscca{,-devel,-python,-python3,-tools}-20160108-1.{el6,el7}.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
See here for the list of changes.
plaso-1.4-2.{fc20,fc21,fc22,fc23}.{i686,x86_64}.rpm, plaso-1.4-2.{el6,el7}.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release adds the missing artifacts and python-requests dependencies.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for the i686 and x86_64
architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
libfsntfs{,-devel,-python,-tools}-20160108-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
January 8, 2016:
The following have been released:
super_mediator-1.2.1-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and super_mediator-1.2.1-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last released version (1.1.3).
yaf{,-devel}-2.8.0-1.{fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.8.0-1.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
See here for the changes since the last released version (2.7.1).
libesedb{,-devel,-python,-tools}-20151213-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20151213-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
libevt{,-devel,-python,-tools}-20151206-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools
to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160103-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20160103-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20151205-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20151205-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20151220-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20151220-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20151223-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - Libolecf
contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libqcow{,-devel,-tools,-python}-20151219-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libqcow{,-devel,-tools,-python}-20151219-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20151219-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20151219-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20151219-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20151219-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20151220-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20151220-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libvshadow{,-devel,-python,-tools}-20151220-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20151220-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
See here for the list of changes.
dfvfs-20151227-1.{fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, and 23 for i686 and x86_64 architectures
and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
libregf{,-devel,-python,-tools}-20151223-1.{fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20151223-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
exfat-utils-1.2.3-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.0).
nDPI{,-devel}-1.7.1-1.{fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.8-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
4.2.8-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.2.8-200 for FC22
fmem-kernel-modules-el7-x86_64-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.4.4 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.4.4 for EL7
Fedora 19 - Updates to Fedora 19 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 18 - Updates to Fedora 18 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 17 - Updates to Fedora 17 for both the i686 and x86_64 CPU architectures have ceased.
CentOS 5 - Updates to CentOS 5 for both the i686 and x86_64 CPU architectures have ceased.
December 18, 2015:
The following have been released:
fmem-kernel-modules-el7-x86_64-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-327.3.1 for EL7
3.10.0-327 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-327.3.1 for EL7
3.10.0-327 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.12.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.12.1 for EL6
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.7-300 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.2.7-300 for FC23
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.7-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.2.7-200 for FC22
regripper-28000000-5.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - Regripper is a
Windows Registry data extraction and correlation tool.
This package contains version 2.8 of the regripper tool. The plugins are packaged separately.
This release contains version 08-26-13 of the auto_rip.pl.
See here for more details about this script.
This version is based on the December 16, 2015 version of the regripper code.
regripper-plugins-20151216-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application.
This package is taken from the plugins directory at the Github source code site.
libfsntfs{,-devel,-python,-tools}-20151205-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20151216-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20151216-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20151005-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20151005-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
pytsk-20150406-4.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
This version was rebuilt to use The Sleuth Kit version 4.2.0 for all systems except CentOS/RHEL 5 which uses The Sleuth Kit version 4.1.3.
In addition, it was rebuilt to specify the correct version of CC for Fedora 23.
dfvfs-20151218-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, 22, and 23 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture
for this version of dfvfs.
ghostpdl-9.18-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and ghostpdl-9.18-1.el7.x86_64.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
super_mediator-1.1.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.3-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last version (1.1.2).
Fedora 19 - Updates to Fedora 19 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 18 - Updates to Fedora 18 for both the i686 and x86_64 CPU architectures have ceased.
Fedora 17 - Updates to Fedora 17 for both the i686 and x86_64 CPU architectures have ceased.
December 4, 2015:
The following have been released:
CERT-Forensics-Tools-1.0-67.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-67.el7.x86_64.rpm -
This package was updated as follows:
For CentOS/RHEL 7, the hexedit program replaced the ghex program.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.2.6-201 for FC22
snort-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and snort-2.9.8.0-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.8.0-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
snort-sample-rules-2.9.8.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
November 30, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.13-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
4.1.13-100 for FC21
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.6-301 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
4.2.6-301 for FC23
November 20, 2015:
The following have been released:
distorm3-3.1-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i386,x86_64}.rpm and distorm3-3.1-1.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
The changes are listed here.
This version is built from distorm3 version 3.1, which is needed to address the issue noted here.
Volatility-2.5-3.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i386,x86_64}.rpm and Volatility-2.5-3.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.5.
It also contains the mimikatz plugin.
This release was also built with Distorm3 version 3.1 as noted above.
Volatility-community-plugins-20151112-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6,el7}.noarch.rpm - The Volatility Community Plugins
is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/.
CERT-Forensics-Tools-1.0-66.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-66.el7.x86_64.rpm -
This package was updated to add the following packages:
fmem-kernel-modules-1.6-1.7.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 23 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-7.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 23 x86_64 and i686 architectures was added.
nDPI{,-devel}-1.7-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
See here for the list of supported protocols.
Note that RHEL/CentOS 5 is not supported due to issues with autoconf.
xplico-1.1.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,fc23,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work with nDPI-1.6. All other supported systems were upgraded for release version consistency.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
Here are the changes since the last version (1.1.0):
Whatsapp OS and Phone number
Added MGCP dissector
IMAP bug fixed
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.8.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.8.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-407 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-407 for EL5
November 6, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.5-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.2.5-201 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.10-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
4.1.10-100 for FC21
fmem-kernel-modules-el7-x86_64-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.20.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.20.1 for EL7
October 30, 2015:
The following have been released:
super_mediator-1.1.2-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.2-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last version (1.1.1).
October 23, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
4.2.3-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
4.2.3-200 for FC22
libfsntfs{,-devel,-python,-tools}-20150906-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
dfvfs-20151008-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture
for this version of dfvfs.
libbfio{,-devel,-python,-tools}-20150927-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20150928-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20150928-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
libfixbuf{,-devel}-1.7.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
pyfixbuf-0.2.0-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation
of the IPFIX protocol used for building collecting and exporting processes.
PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point,
or in converting IPFIX to another format (text, database, JSON, etc.).
This release was rebuilt to use libfixbuf-1.7.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4.1-3.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.11.0.
silk-ipset-{devel,lib,tools}-3.11.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
super_mediator-1.1.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.1-3.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use libfixbuf-1.7.1 and silk-ipset-3.11.0.
yaf{,-devel}-2.7.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.7.1-3.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using
pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX
over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release was rebuilt to use libfixbuf-1.7.1.
libfvde{,-devel,-tools}-20151013-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libfvde{,-devel,-tools}-20151013-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive
Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
See here for a list of changes since the last release (20150222).
Volatility-2.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i386,x86_64}.rpm and Volatility-2.5-1.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-10-20 which is identified as Volatility 2.5.
It also contains the mimikatz plugin.
October 16, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.10-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
4.1.10-200 for FC22
October 9, 2015:
The following have been released:
sleuthkit{,-devel,-libs}-4.2.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
This release was brought up to current with the version of code in github dated 2015-10-07.
Also, the code for srch_strings was reverted to the 4.1.3 version, fixing the double free error.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.8-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
4.1.8-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.8-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels was added for LiME:
4.1.8-100 for FC21
October 2, 2015:
The following have been released:
ADIA -
These items are VMware and VirtualBox-based forensic appliances built with Fedora 17 for the i686 and x86_64 architectures.
Please note that they are not live CDs.
See here for more details.
The changes made are the following:
Latest CERT Forensics Key installed.
All packages updated as of September 24, 2015.
SElinux disabled on all releases.
snort-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-2.9.7.6-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm and snort-openappid-2.9.7.6-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
snort-sample-rules-2.9.7.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
September 25, 2015:
The following have been released:
dd_rescue-1.99-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previously distributed version (1.46):
Version 1.99 brings updates to the ddr_crypt plugin: It adds hardware acceleration for ARMv8 CPUs/SOCs (even if in 32bit mode) -- this is a 10x speedup on AES en/decryption operations. (A Cortex-A57 at 2.1GHz (Exy7420) does ~1GB/s with AES128-CTR.) The ddr_crypt plugin xattr support has been extended and it has an option to process openSSL compatible Salted__ files. A bug in CTR initialization has been fixed. The main program sees improved write error retry logic and better fault injection logic (support for ranges, using absolute positions). There are now more variants of Android binaries.
ddrescue-1.20-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes for this version:
'logfile' has been renamed to 'mapfile' everywhere.
Changed short name of option '--synchronous' to '-y'.
Changed long name of option '-d' to '--idirect'.
Added new option '-D, --odirect'.
Added new option '-J, --verify-on-error'.
Added new option '--max-read-rate'.
rescuebook.cc (copy_block): Copy arbitrary blocks with '--idirect'.
Include only bad_sector blocks in 'errsize'.
rescuebook.cc (show_status): Show the estimated remaining time.
io.cc (format_time): Show time in days, hours, minutes and seconds.
Added per sector location data to fill mode.
mapbook.cc: Added emergency save of the mapfile.
Show device name with '--ask' or '-vv' on Haiku.
mapfile.cc (read_mapfile): Read read-only mapfiles from stdin.
ddrescuelog.cc: Allow multiple mapfiles for '-t, --show-status'.
ddrescuelog.cc (create_mapfile): '-' writes mapfile to stdout.
ddrescue.texi: Added new chapter 'Optical media'.
ddrescue.texi: Documented maximum size of the rescue domain.
configure: Option '--enable-linux' renamed to '--enable-non-posix'.
Makefile.in: Added new targets 'install*-compress'.
File 'ddrescue.h' renamed to 'mapbook.h'.
File 'logbook.cc' renamed to 'mapbook.cc'.
File 'logfile.cc' renamed to 'mapfile.cc'.
Files linux.{h,cc} renamed to non_posix.{h,cc}.
libbde{,-devel,-python,-tools}-20150905-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20150905-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20150830-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20150830-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
libfsntfs{,-devel,-python,-tools}-20150829-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
dfvfs-20150915-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture
for this version of dfvfs.
artifacts-20150409-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i386,x86_64}.rpm and artifacts-20150409-1.el7.x86_64.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base
of forensic artifacts that the world can use both as an information source and within other tools.
This package was built to support plaso.
python-dpkt-1.8-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and python-dpkt-1.8-2.{el6,el7}.x86_64.rpm - Python-dpkt is a fast, simple packet creator and parser,
with definitions for the basic TCP/IP protocols, for Python.
This package was built to support plaso.
python-pefile-1.2.10_139.2.{fc17,fc18,fc19,el6}.{i686,x86_64}.rpm and python-pefile-1.2.10_139.2.el7.{i686,x86_64}.rpm -
Python-pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files.
Most of the information contained in the PE headers is accessible as well as all sections' details and their data.
This package was built to support plaso.
python-psutil-2.1.3-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python.
This package was built to support plaso.
python-tornado-3.2.1-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user.
This package was built to support plaso.
python-ipython{,-console,-doc,-gui,-notebook,-sphinx,-tests}-2.4.1-8.fc20.{i686,x86_64}.rpm - IPython is an enhanced interactive Python shell.
This package was built to support plaso.
python{,3}-requests-2.3.0-3.fc20.{i686,x86_64}.rpm -
Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
This package was built to support plaso.
plaso-1.3.0-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm, plaso-1.3.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release adds the missing artifacts and python-requests dependencies.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, and 22 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso.
For Fedora 17, 18, and 19 and CentOS/RHEL 5 and 6 for the i686 and x86_64 architectures, all dependencies are satisfied but not all available packages meet the minimum requirements for plaso.
Effort to satisfy these out-of-date dependencies will be expended when there is a specific request to do so.
sleuthkit{,-devel,-libs}-4.2.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
See here for the list of changes in this release.
pytsk-20150406-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
This version was rebuilt to use The Sleuth Kit version 4.2.0 for all systems except CentOS/RHEL 5 which uses The Sleuth Kit version 4.1.3.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.7-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
4.1.7-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.7-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
4.1.7-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.7.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.7.1 for EL6
yara-3.4.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, checking whether it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (3.3.0):
Short-circuit evaluation for conditions
New yr_rules_save_stream/yr_rules_load_stream APIs.
load() and save() methods in yara-python accept file-like objects
Improvements to the PE and ELF modules
Some performance improvements
New command-line option --print-module-data
Multiple bug fixes.
In addition, release 2 was built with openssl-devel.
September 18, 2015:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-5.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The SiLK analysis suite has been recompiled to make use of the default UTC time rather than local time.
Please be aware of the following changes that will need to be made to any existing analytics or workflows if you would like to continue to make use of local time rather than UTC.
Any analytic or workflow that makes use of a SiLK tool that outputs time (e.g., rwcut, rwcount, etc.) will need to be changed to use the --timestamp-format=local switch in the SiLK command(s).
Additionally, the TZ environment variable or system clock will need to be set to the local time zone that is desired.
Any analytic or workflow that makes use of a SiLK tool that takes time as an input (e.g., rwfilter, rwcount, etc.) will need to be changed to convert local time to UTC.
On a *nix system, this can be done by making use of the date(1) program.
See the man page for complete documentation.
An example command that can be used to convert a local date time to UTC for use in the --start-date switch is:
date -ud <local date time> +%Y/%m/%dT%H
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-6.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-6.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
These packages have also been recompiled to make use of the default UTC time rather than local time.
See the note above on converting local time to UTC.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.6-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
4.1.6-201 for FC22
fmem-kernel-modules-el7-x86_64-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.14.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.14.1 for EL7
September 11, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.6-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
4.1.6-100 for FC21
libvhdi{,-devel,-python,-tools}-20150905-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20150905-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libpff-20131028-2.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF - the Digital Forensics Framework.
See here for the list of changes.
This version was rebuilt to reference libbfio externally rather than the internal version provided with libpff.
ffmpeg{-libs,-devel}-2.6.4-1.fc22.{i686,x86_64}.rpm - FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec, the leading audio/video codec library.
These packages have been made available in support of dff.
libavdevice-2.6.4-1.fc22.{i686,x86_64}.rpm - Libavdevice is a complementary library to libavformat.
It provides various "special" platform-specific muxers and demuxers, e.g. for grabbing devices, audio capture and playback, etc.
These packages have been made available in support of dff.
dff-1.3.5.20150908-2.{fc17,fc18,fc19,fc20,fc21,fc22,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF)
is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++,
it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
This version is the developer version as of September 8, 2015.
September 4, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.6-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
4.1.6-200 for FC22
exfat-utils-1.2.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - Exfat-utils is a set of utilities for creating, checking, dumping and labeling exFAT file systems.
Here are the changes from the previous version (1.0.1):
1.2.0 (2015-08-26)
Switched from SCons to autotools.
Added musl libc support [Brendan Heading].
Worked around "FS is larger than device" error for memory cards formatted by Panasonic Lumix cameras.
Worked around "unknown entry type 0xe1" error for memory cards formatted by Sony cameras.
1.1.1 (2014-11-15)
Fixed mkfs crash on some sectors-per-cluster (-s option) values.
1.1.0 (2014-07-08)
Relicensed the project from GPLv3+ to GPLv2+.
OpenBSD support [Helg Bredow].
Improved I/O errors handling.
Implemented fsync() and fsyncdir().
Fixed crash on Mac OS X 10.5 caused by non-standard use of realpath(). Also fixed TrueCrypt disks unmounting.
Avoid extra erase on writes to the end of a file. This should improve linear write speed.
Allow arbitrary changing of lower 9 bits of mode. Allow owner/group changing to the same owner/group. This fixes rsync.
Fixed buffer overflows when handling lengthy file names.
Fixed "real size does not equal to size" error on volumes with pagefile.sys.
Fixed negative IUsed in "df -i" output.
In addition, because exfat-utils now includes mount.exfat and mount.exfat-fuse, exfat-utils obsoletes fuse-exfat.
CERT-Forensics-Tools-1.0-65.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-65.el7.x86_64.rpm -
This package was updated with the following change:
Obsoleted fuse-exfat for Fedora 17-22 and CentOS 6 and 7.
August 21, 2015:
The following have been released:
partclone-0.2.80-1.{fc17,fc18,fc19,fc20,fc21,fc22,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
See here for the list of changes in this release.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.5-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
4.1.5-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.5-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
4.1.5-100 for FC21
August 14, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.4-200 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
4.1.4-200 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.4-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
4.1.4-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.3.1 for EL6
Fedora 20 support for the i686 and x86_64 architectures - Updates to Fedora 20 for both the i686 and x86_64 CPU architectures have ceased.
August 7, 2015:
The following have been released:
daq-2.0.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i386,x86_64}.rpm and daq-2.0.6-1.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
See here for the changes in 2.0.6.
snort-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-2.9.7.5-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.7.5-1.el7.x86_64.rpm -
This is the snort package built with the following additions:
The --enable-open-appid option was added to the configure script that configures the build of snort.
See here for more details.
The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
snort-sample-rules-2.9.7.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.3-201 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
4.1.3-201 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.3-100 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
4.1.3-100 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-573.1.1 for EL6
2.6.32-573 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-573.1.1 for EL6
2.6.32-573 for EL6
fmem-kernel-modules-el7-x86_64-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.11.1 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.11.1 for EL7
July 31, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
4.1.3-200 for FC22
4.1.2-200 for FC22
4.0.8-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
4.1.3-200 for FC22
4.1.2-200 for FC22
4.0.8-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.8-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
4.0.8-200 for FC21
plaso-1.3.0-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm, plaso-1.3.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Go here to read about all of the changes and features in this release.
dfvfs-20150730-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
libfwsi{,-devel,-python}-20150701-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20150701-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
See here for the list of changes.
python-pefile-1.2.10_139.2.{el6,el7}.x86_64.rpm -
Python-pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files.
Most of the information contained in the PE headers is accessible as well as all sections' details and their data.
This version was built for CentOS/RHEL 6 and 7 to support plaso.
python-construct-2.5.2-1.fc22.noarch.rpm - Python-construct is a powerful declarative parser (and builder) for binary data.
Support was added for Fedora 22.
July 17, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.7-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
4.0.7-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
4.0.7-200 for FC21
July 10, 2015:
The following have been released:
libfixbuf{,-devel}-1.7.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
pyfixbuf-0.2.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation
of the IPFIX protocol used for building collecting and exporting processes.
PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point,
or in converting IPFIX to another format (text, database, JSON, etc.).
This release was rebuilt to use libfixbuf-1.7.0.
super_mediator-1.1.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.1-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last version (1.1.1).
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This release was rebuilt to use libfixbuf-1.7.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-4.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-4.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
yaf{,-devel}-2.7.1-2.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.7.1-2.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release was rebuilt to use libfixbuf-1.7.0.
yaf{,-devel}-2.2.1-10.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter.
Note that this version of Yaf is only available for CentOS/RHEL 5.
This release was rebuilt to use libfixbuf-1.7.0.
dino-1.5-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.noarch.rpm - Dino, the drop in network observer, is a lightweight front end for network visualization.
Project:DINO, short for Drop In Network Observer, uses the open source network monitoring tools SiLK and
SNORT to create an easy to use dashboard for situational awareness.
It is built on PHP and Open Flash Chart, is designed to run on Linux systems, and has been tested on Fedora, Red Hat and Ubuntu.
DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic/hourly
traffic/top ports and snort alerts with the related flows records.
This release was rebuilt to use libfixbuf-1.7.0.
libevt{,-devel,-python,-tools}-20150706-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20150630-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20150704-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20150704-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
CERT-Forensics-Tools-1.0-64.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-64.el7.x86_64.rpm -
This package was updated with the following change:
Obsoleted snarf for CentOS/RHEL 7.
July 2, 2015:
The following have been released:
fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.5-300 for FC22
4.0.6-300 for FC22
lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
4.0.5-300 for FC22
4.0.6-300 for FC22
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.6-200 for FC21
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
4.0.5-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
4.0.6-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
4.0.5-200 for FC21
fmem-kernel-modules-el7-x86_64-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.7.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.7.2 for EL7
bokken-1.8-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and bokken-1.8-1.{el6,el7}.x86_64.rpm - Bokken is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some of Radare's. It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.
Removed pyew entirely. Its support has been in a non-official deprecated state for the past two years but we were trying not to do it. Pyew has some dependencies that make it harder to package, it's missing a lot of features from r2, plus it sees very few releases.
Removed other almost useless features in their current form: Strings repr
and Interactive mode. We expect to bring those at some point in a proper way.
Added r2 console. It crashes here and there but we think it's rather usable.
Added interactive Python console.
Rearranged and simplified some tabs: Strings, Relocs and File info.
Some additional cleanups and fixes.
Note: Although bokken was installed for CentOS/RHEL6, it does not work correctly due to a bug in the librsvg2 library.
radare{,-devel}-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and radare{,-devel}-2.0.9.9-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
valabind-0.9.2-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and valabind-0.9.2-1.el7.x86_64.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
python-radare-2.0.9.9-1.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and python-radare-2.0.9.9-1.el7.x86_64.rpm - Python-radare provides bindings that allow Radare to be used from Python.
dd_rescue-1.98-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does not, however, abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previously distributed version (1.46):
It has a few improvements such as a few cleanups, a fault injection framework for testing and significantly improved speed of the pseudo RNG. But the important feature is the addition of a crypt plugin. You can insert it into the plugin chain to de/encrypt data using the AES family of algorithms. (More are planned for the future.) You can use 128/192/256 bit keys and optionally use a higher number of rounds to have an increased security margin. Keys (and IVs) can be generated, saved, retrieved or generated from password and salt. Please be aware that despite diligent testing this is a new plugin -- so be prepared that there will be some changes and bugfixes to it in the near future.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.2-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset-{devel,lib,tools}-3.10.2-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
liblnk{,-devel,-python,-tools}-20150617-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20150617-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20150629-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libvmdk{,-devel,-python,-tools}-20150516-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk
is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
dfvfs-20150630-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
daq-2.0.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i386,x86_64}.rpm and daq-2.0.5-1.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
See here for the changes in 2.0.5.
snort-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-2.9.7.3-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-openappid-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.7.3-1.el7.x86_64.rpm -
This is the snort package built with the following additions:
The --enable-open-appid option was added to the configure script that configures the build of snort.
See here for more details.
The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
snort-sample-rules-2.9.7.3-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
nDPI{,-devel}-1.6-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
See here for the list of supported protocols.
Note that RHEL/CentOS 5 is not supported due to issues with autoconf.
xplico-1.1.0-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work with nDPI-1.6. All other supported systems were upgraded for release version consistency.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
pytsk-20150406-4.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
This version was primarily rebuilt to fix problems caused by GCC Version 5 on Fedora 22. The other systems were rebuilt to keep release consistency.
python-xlwt-1.0.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Python-xlwt is a library for generating spreadsheet files that
are compatible with Excel 97/2000/XP/2003, OpenOffice.org Calc, and Gnumeric. Python-xlwt has full support for Unicode. Excel spreadsheets can be generated on any platform without
needing Excel or a COM server.
See here for a list of changes since the previously released version (0.7.4).
Volatility-2.4-9.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-9.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-06-30.
It also contains the mimikatz plugin.
super_mediator-1.1.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
See here for the changes since the last version (0.3.0).
June 12, 2015:
The following have been released:
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.23.4 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.23.4 for EL6
June 5, 2015:
The following have been released:
Fedora 22 - The repository now supports Fedora 22
for the i686 and x86_64 CPU architectures.
Here is the list of tools provided for Fedora 22:
ssdeep-2.13-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
bokken-1.7-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm - Bokken is a GUI for the
Pyew and Radare projects, so it offers almost all the same features that
Pyew has and some of Radare's. It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
3.19.7-200 for FC21
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-406 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-406 for EL5
fmem-kernel-modules-1.6-1.5.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 22 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-5.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 22 x86_64 and i686 architectures was added.
May 15, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
3.19.7-200 for FC21
fmem-kernel-modules-el7-x86_64-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.4.2 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.4.2 for EL7
May 11, 2015:
The following have been released:
libewf{,-devel,-tools}-20100226-1.fc21.{i686,x86_64}.rpm and ewftools-20140608-1.fc21.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
This package contains the Version 1 API for the libewf tools and is needed to build the libewf-20140608 package.
libewf{,-devel,-python}-20140608-1.fc21.{i686,x86_64}.rpm and ewftools-20140608-1.fc21.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
Note: Version 20140608 is the latest production version of libewf, but there is a later, experimental version (20141129) in
the repository. We have received a report that version 20141129 has a bug and cannot handle split E01 files correctly. The report noted
this error in the plaso timeline tool.
The bug report is here.
If you wish to install the 20140608 version of libewf, do the following, all as root:
rpm -ev $(rpm -qa | grep 'ewf.*20150105*') --nodeps
yum -y install {ewftools,libewf-python,libewf}-20140608-2
Then edit /etc/yum.repos.d/cert-forensics-tools.repo so that the beginning of the file looks like the following:
[forensics]
name=CERT Forensics Tools Repository
baseurl=http://www.cert.org/forensics/repository/fedora/cert/$releasever/$basearch
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-cert-forensics-2016-02-22
gpgcheck=1
proxy=_none_
deltarpm=0
exclude=ewftools* libewf*
This will install the last stable version of libewf which fixes the split E01 bug.
Note that when a new version of libewf becomes available, you will need to remove these changes to /etc/yum.repos.d/cert-forensics-tools.repo.
Watch this page for that announcement.
May 1, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.5-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
3.19.5-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.5-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels was added for LiME:
3.19.5-100 for FC20
partclone-0.2.71-4.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the latest version of libntfs-3g.so for Fedora 20 and CentOS 6 and 7.
All other versions were rebuilt to maintain release consistency.
testdisk-6.14-3.3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
This release was built to use the latest version of libntfs-3g.so.
Apr 24, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.4-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
3.19.4-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.30.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.4-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-30.noarch.rpm - Support for the following kernels was added for LiME:
3.19.4-100 for FC20
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
3.14.27-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.27-100 for FC19
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.16.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.16.2 for EL6
partclone-0.2.71-3.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the latest version of libntfs-3g.so for Fedora 21.
All other versions were rebuilt to maintain release consistency.
libpff-20131028-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format.
PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF - the Digital Forensics Framework.
See here for the list of changes.
Apr 17, 2015:
The following have been released:
dfvfs-20150414-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20150413-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools
to access the OLE 2 Compound File (OLECF) format.
See here for the list of changes.
libesedb{,-devel,-python,-tools}-20150409-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libesedb-{,devel,python,tools}-20150409-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications, such as Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
sleuthkit{,-devel,-libs}-4.1.3-6.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
The change from the previous version (4.1.3-5) was to add a patch to support pytsk on CentOS/RHEL 7.
All other versions were updated to this release for consistency.
pytsk-20150406-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
See here for a list of changes.
Apr 10, 2015:
The following have been released:
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.3-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
3.19.3-100 for FC20
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-404 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-404 for EL5
Apr 3, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.3-200 for FC21
3.19.2-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
3.19.3-200 for FC21
3.19.2-201 for FC21
fmem-kernel-modules-el7-x86_64-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-229.1.2 for EL7
3.10.0-229 for EL7
lime-kernel-modules-el7-x86_64-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-229.1.2 for EL7
3.10.0-229 for EL7
March 27, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
3.19.1-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
3.19.1-201 for FC21
snort-openappid-2.9.7.2-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.7.2-2.el7.x86_64.rpm -
This is the snort package built with the following programs added to the /usr/bin directory:
u2openappid
u2streamer
snort_dump_packets_control
See here for more details.
Volatility-2.4-8.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-8.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-03-23.
It also contains the mimikatz plugin.
daemonize-1.7.3-7.{el5,el6}.{i686,x86_64}.rpm and daemonize-1.7.3-7.el7.x86_64.rpm -
Daemonize runs a command as a Unix daemon.
As defined in W. Richard Stevens' 1990 book, Unix Network Programming
(Addison-Wesley, 1990), a daemon is a process that executes 'in the background' (i.e., without an associated
terminal or login shell) either waiting for some event to occur, or waiting to perform some specified task on a periodic basis.
libvmdk{,-devel,-python,-tools}-20150325-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libvmdk
is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
python-construct-2.5.2-1.fc21.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
Support was added for Fedora 21.
March 20, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.9-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
3.18.9-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.28.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.9-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-28.noarch.rpm - Support for the following kernels was added for LiME:
3.18.9-100 for FC20
libmsiecf{,-devel,-python,-tools}-20150314-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20150314-1.el7.x86_64.rpm -
libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20150315-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20150315-1.el7.x86_64.rpm -
libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
umview-0.8.2-1.1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm and libumlib{,-devel}-0.8.2-1.1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm -
UMview is a user-mode implementation of View-OS.
Processes are run with a controlling daemon that captures all the system calls (at present using the ptrace() system call) and uses dynamically loadable modules to change their semantics.
fuseext2-0.3-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Fuseext2 is a module for the FUSE
kernel service that allows any FUSE-enabled user to mount Second Extended file systems, e.g. disk images.
The module has been initially written for UMView, the user-mode implementation of View-OS.
March 13, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.8-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
3.18.8-201 for FC21
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.12.2 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.12.2 for EL6
snort-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and snort-2.9.7.2-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
snort-openappid-2.9.7.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.7.2-1.el7.x86_64.rpm -
This is the snort package built with the following additions:
The --enable-open-appid option was added to the configure script that configures the build of snort.
See here for more details.
The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
luajit{,-devel}-202-9.{fc17,fc18,el6,el7}.{i686,x86_64}.rpm - Luajit is a just-in-time compiler for the
Lua programming language.
Building snort-openappid for Fedora 17 and 18 and CentOS/RHEL 6 and 7 required luajit-devel.
March 6, 2015:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.1-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.1-2.{fc17,fc18,fc19,fc20,fc21}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
libguytools-2.0.3-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libguytools-2.0.3-1.el7.x86_64.rpm -
Libguytools is a package of subroutines and header files needed to
build and operate guymager.
The changes are:
Corrected problem with trailing backslashes
Switched to my new developer email address (Guy Voncken)
guymager-0.7.4-2.{fc17,fc18,fc19,fc20,fc21,el6}.{i686,x86_64}.rpm and guymager-0.7.4-2.el7.x86_64.rpm -
Guymager is a forensic imaging package.
This version has been rebuilt to use version 2.0.3 of libguytools.
dfvfs-20150303-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
gettext{,-debugsource,-devel,-envsubst,-libs,-runtime}-0.18.1.1-7.7.x86_64.rpm, gettext-common-devel-0.21-19.0.20220203.el8.noarch.rpm, and emacs-gettext-el8-0.18.1.1-7.7.noarch.rpm -
The Gettext utilities are a set of tools that provides a framework to help other GNU packages produce multi-lingual messages.
These tools include a set of conventions about how programs should be written to support message catalogs, a directory and file naming
organization for the message catalogs themselves, a runtime library supporting the retrieval of translated messages,
and a few stand-alone programs to massage in various ways the sets of translatable strings, or already translated strings.
A special GNU Emacs mode also helps interested parties in preparing these sets, or bringing them up to date.
These packages have been built for CentOS/RHEL 6 in support of the libfvde packages.
libfvde{,-devel,-tools}-20150222-1.{fc17,fc18,fc19,fc20,fc21,el6}.{i686,x86_64}.rpm and libfvde{,-devel,-tools}-20150222-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
Here are the changes from the last version (20130305):
20150222
Code clean up
Worked on documentation
Changes for handling 0x001a metadata with different plist key sequence
20150106
2015 update
20141226
changes for updated dependencies
20141130
code clean up
20141120
code clean up
20141018
removed README.macosx
20141017
changes for deployment
February 27, 2015:
The following have been released:
yara-3.3.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID, looking for matches against the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (2.1.0):
Added support for negative integers and floating point numbers
Implemented operators >, <, >=, <= for strings
Implemented word boundary anchors (\b, \B) in regular expressions
New features in PE module
Math module
New --print-namespace command line argument
Better error handling in low memory conditions
BUGFIX: at operator not working with certain strings containing wildcards
BUGFIX: precedence of bitwise operators was incorrect
BUGFIX: incorrect imphash result for certain PE files importing functions by ordinal
BUGFIX: handle and memory leaks
BUGFIX: multiple segfaults
dfvfs-20150224-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
pyfixbuf-0.2.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation
of the IPFIX protocol used for building IPFIX collecting and exporting processes.
PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point,
or in converting IPFIX to another format (text, database, JSON, etc.).
See here for a list of changes.
python-registry-1.1.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access
to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced
study of the Windows Registry.
Python-registry is written in pure Python, making it portable across all major platforms.
This release brings python-registry up to date as of 2015-02-26.
February 20, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.6-200 for FC21 (added in release 7 of this package)
3.18.7-200 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
3.18.6-200 for FC21 (added in release 7 of this package)
3.18.7-200 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.27.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.6-100 for FC20 (added in release 26 of this package)
3.18.7-100 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-27.noarch.rpm - Support for the following kernels was added for LiME:
3.18.6-100 for FC20 (added in release 26 of this package)
3.18.7-100 for FC20
ddrutility-2.7-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
ddru_findbad
ddru_ntfsbitmap
ddru_ntfsfindbad
ddru_diskutility
Here are the changes since the last release (2.6):
ddru_ntfsfindbad 1.5 released:
Fixed possible program crash if partition boot sector error
Better partition boot sector error output
ddru_ntfsbitmap 1.5 released:
Fixed possible program crash if partition boot sector error
Better partition boot sector error output
dfvfs-20150217-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
python-registry-1.1.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access
to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced
study of the Windows Registry.
Python-registry is written in pure Python, making it portable across all major platforms.
shellbags-0.5.5-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - Microsoft Windows uses a set of
registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. Shellbags persist information for
directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions.
See Using shellbag information to reconstruct user activities for an overview of the
investigative value of shellbags.
February 13, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.5-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
3.18.5-201 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.5-101 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
3.18.5-101 for FC20
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-402 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels were added for
LiME:
2.6.18-402 for EL5
Volatility-2.4-6.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-6.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-02-09.
libbde{,-devel,-python,-tools}-20150204-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20150204-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
February 6, 2015:
The following have been released:
libsigscan{,-devel,-python,-tools}-20150125-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libsigscan{,-devel,-python,-tools}-20150125-1.el7.x86_64.rpm -
Libsigscan is a library and tools for binary signature scanning.
See here for the list of changes.
libbde{,-devel,-python,-tools}-20150124-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20150124-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
dfvfs-20150203-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
January 31, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
3.18.3-201 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
3.18.3-201 for FC21
lime-kernel-modules-el7-x86_64-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.20.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.20.1 for EL7
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.8.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.8.1 for EL6
dfvfs-20150127-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
libluksde{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el7}.{i686,x86_64}.rpm - Libluksde is a library and tools used to
access LUKS Disk Encryption encrypted volumes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150110-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20150110-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
yaf{,-devel}-2.7.1-1.{fc17,fc18,fc19,fc20,fc21,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.7.1-1.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Here are the changes from the last version (2.6.0):
Fix a bug with --flow-stats in particular configurations
January 23, 2015:
The following have been released:
ddrutility-2.6-4.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue.
The change in this release is to reference the correct location of the nfscluster for installed versions.
January 16, 2015:
The following have been released:
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.8-300 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
3.17.6-300 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.8-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
3.17.8-200 for FC20
January 9, 2015:
The following have been released:
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
3.14.27-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.27-100 for FC19
distorm3-3.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i386,x86_64}.rpm and distorm3-3.0-1.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
The changes are listed here.
ghostpdl-9.15-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and ghostpdl-9.15-1.el7.x86_64.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
This is the eleventh full release in the stable 9.x series, and is primarily a maintenance release.
Highlights in this release include:
Ghostscript now supports the PDF security handler revision 6.
The pdfwrite and ps2write (and related) devices can now be forced to "flatten"
glyphs into "basic" marking operations (rather than writing fonts to the output),
by giving the -dNoOutputFonts command line option (defaults to "false")
PostScript programs can now use get_params or get_param to determine if a page contains color markings by reading the pageneutralcolor
state from the device (so whether the page is "color" or "mono").
Note that this is only accurate when in clist mode, so -dMaxBitmap=0 and -dGrayDetection=true should both be used.
The pdfwrite device now supports Link annotations with GoTo and GoToR actions
The pdfwrite device now supports BMC/BDC/EMC pdfmarks
Regarding the new color management for the pdfwrite device introduced in the previous release, the proscription on using the new color management when producing
PDF/A-1 compliant files is now lifted. To reiterate, also, with the new color management implementation, using the
UseCIEColor option is strongly discouraged.
For further information on the new pdfwrite color management,
see: Color Conversion and Management
Plus the usual round of bug fixes, compatibility changes, and incremental improvements.
To see all of the changes for all releases of ghostpdl, view the file file:///usr/share/doc/ghostpdl/History9.htm on a system where ghostpdl is installed.
LogAnalysisToolKit-1.7-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.noarch.rpm - LogAnalysisToolkit is a collection of command line and web-based tools for
use in incident response and long-term analysis of web server and proxy server log data.
LATK can detect beaconing traffic in proxy logs, and SQL injection and XSS attempts in web server logs.
Often when responding to a security incident, the only files available are web server and proxy server logs.
LATK will aid you in detecting odd traffic, such as botnet beaconing and SQL injection attempts.
The data available in these files can be overwhelming, but the tools in LATK can be used to parse these files and build a MySQL database for querying.
dino-1.5-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.noarch.rpm - Dino, the Drop In Network Observer, is a lightweight front end for network visualization.
Project:DINO, short for Drop In Network Observer, uses the open source network monitoring tools SiLK and
SNORT to create an easy to use dashboard for situational awareness.
It is built on PHP and Open Flash Chart, is designed to be run
on Linux systems, and has been tested on Fedora, Red Hat and Ubuntu.
DINO queries flow records stored by SiLK and creates graphs of things like top talkers, incoming/outgoing traffic, hourly
traffic, top ports and Snort alerts with the related flow records.
yaf{,-devel}-2.7.0-1.{fc17,fc18,fc19,fc20,fc21,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.7.0-1.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Here are the changes from the last version (2.6.0):
New YAF option --no-output to produce no IPFIX output
New YAF options --hash and --stime to search for a single flow with the given hash and start time
DNS DPI now exports query section of resource record for all responses with nonzero RCODE
Faster searching of pcap-meta files
Implement SAME_SIZE flag for TCP flows
Minor Bug Fixes
snarf{,-devel,-python}-0.2.4-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
Here are the changes:
Support non-flow ip address fields in alerts.
Fix ZeroMQ compatibility problems, now requires ZeroMQ 2.2.x.
Fix problem with certain GLib2 version / platform combinations.
libbde{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20150106-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libbfio{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
See here for the list of changes.
libevt{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools
to access the Windows XML Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
liblnk contains libraries and tools
to access the Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20150106-1.el7.x86_64.rpm -
libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools
to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libqcow{,-devel,-tools,-python}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libqcow{,-devel,-tools,-python}-20150105-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
libregf contains libraries and tools to access Windows NT Registry File format files.
See here for the list of changes.
libsmdev{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20141022-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20141022-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libvmdk{,-devel,-python,-tools}-20150105-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libvmdk{,-devel,-python,-tools}-20150105-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
libvshadow{,-devel,-python,-tools}-20150106-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20150106-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
See here for the list of changes.
December 24, 2014:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.10.0-2.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4.1-2.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4.1-2.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.10.0-1.
silk-ipset-{devel,lib,tools}-3.10.0-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
lime-kernel-modules-el7-x86_64-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.13.2 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.13.2 for EL7
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.3.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.3.3 for EL6
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-400.1.1 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-400.1.1 for EL5
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.7-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
3.17.7-200 for FC20
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.7-300 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
3.17.7-300 for FC21
pytsk-20141220-1.{fc17,fc18,fc19,fc20,fc21,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
See here for a list of changes.
libfwsi{,-devel,-python}-20141116-1.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20141116-1.el7.x86_64.rpm -
Libfwsi is a library to access the
Windows Shell Item format.
See here for the list of changes.
dfvfs-20141220-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access
to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
pyparsing{,-doc}-2.0.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i386,x86_64}.rpm, python3-pyparsing-2.0.3-1.{fc17,fc18,fc19,fc20}.{i386,x86_64}.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars,
vs. the traditional lex/yacc approach, or the use of regular expressions.
The module provides a library of classes that client code uses to construct the grammar directly in Python code.
Pyparsing is provided by Red Hat for Fedora 21.
Pyparsing version 2.0.3 is needed by plaso.
plaso-1.2.0-2.{fc17,fc18,fc19,fc20,fc21}.{i686,x86_64}.rpm, plaso-1.2.0-2.{el6,el7}.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Go here to read about all of the changes and features in this release.
In addition, this release is current up to the development version as of December 24, 2014.
December 15, 2014:
The following have been released:
Fedora 21 - The repository now supports Fedora 21
for the i686 and x86_64 CPU architectures.
Here is the list of tools provided for Fedora 21:
fmem-kernel-modules-1.6-1.4.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 21 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-4.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 21 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.6-300 for FC21
3.17.4-302 for FC21
3.17.4-301 for FC21
3.17.4-300 for FC21
3.17.3-300 for FC21
3.17.1-302 for FC21
lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
3.17.6-300 for FC21
3.17.4-302 for FC21
3.17.4-301 for FC21
3.17.4-300 for FC21
3.17.3-300 for FC21
3.17.1-302 for FC21
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.6-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
3.17.6-200 for FC20
CERT-Forensics-Tools-1.0-61.{fc17,fc18,fc19,fc20,fc21,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-61.el7.x86_64.rpm -
This package was updated with the following changes:
Removed snarf for Fedora 21
Added ddrescueview for all supported OSes and architectures.
December 12, 2014:
The following have been released:
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
3.17.4-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.4-200 for FC20
lime-kernel-modules-el7-x86_64-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.13.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.13.1 for EL7
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-400 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-400 for EL5
lime-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Build errors were discovered; the solution was to rebuild all LiME modules
for all supported versions of Fedora and CentOS/RHEL for all supported architectures.
Steps were taken to verify future builds for LiME for each OS/Architecture pair.
fmem-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - No changes were made but the release numbers were changed to remain in sync with the
lime-kernel-modules release numbers.
libewf{,-devel,-tools,-python}-20141129-1.{fc17,fc18}.{i686,x86_64}.rpm, libewf{,-devel,-tools,-python}-20141129-1.{fc19,fc20}.{i686,x86_64}.rpm, and ewftools-20141129-1.{fc19,fc20}.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note: Beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
Note: This package is not provided for CentOS/RHEL 5 and 6.
Here are the changes from the previously released version (20140608):
20141129
code clean up
20141102
bug fixes
ewf.net added FileEntry::GetType
20141030
bug fix in Python-bindings
changes for updated dependencies
20141021
changes for deployment
20141012
bug fixes
20141007
updated dependencies and corresponding changes
worked on autogen.sh and synclibs.sh scripts
20141002
removed README.macosx
changes for project site move
20140801
bug fix in Python-bindings
In addition, this version was built to include the Version 1 API. Because of this, the shared object libraries libewf.so.1 and libewf.so.1.0.4 are no longer provided in this package.
If your application requires these shared object libraries, they should be rebuilt to use the shared objects that come with this package, namely libewf.so.2 and libewf.so.2.1.0.
aff{lib,lib-devel,tools}-3.7.4-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format.
pytsk-20141207-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
See here for a list of changes.
In addition, the following changes were also made:
The scripts ewf.py, tskfuse.py, and imgfuse.py were also installed in /usr/bin.
The runtime dependency fuse-python was also added.
libfixbuf{,-devel}-1.6.2-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-9.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This release was rebuilt with libfixbuf version 1.6.2.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-10.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This release was rebuilt with libfixbuf version 1.6.2.
super_mediator-0.3.0-8.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and super_mediator-0.3.0-8.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use libfixbuf version 1.6.2.
yaf{,-devel}-2.6.0-4.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.6.0-4.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
This release was rebuilt to use libfixbuf version 1.6.2.
yaf{,-devel}-2.2.1-9.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter.
Note that this version of Yaf is only available for CentOS/RHEL 5.
This release was rebuilt to use libfixbuf version 1.6.2.
November 26, 2014:
The following have been released:
xmount-0.7.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types.
Note that xmount is not available for CentOS/RHEL 5.
Here are the changes for this version:
New build system using cmake.
New command line syntax. Make sure to check the man page!
New --offset and --sizelimit command line parameters.
Support for multiple input images.
Support for image morphing. Currently supporting combine, raid (RAID0) and unallocated (HFS and FAT).
Internal support for ewf files.
Volatility-2.4-5.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-5.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2014-11-24.
ddrescueview-0.3-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Ddrescueview is a small tool that allows
the user to graphically examine ddrescue's log files in a user friendly GUI application.
The Main window displays a block grid with each block's color representing the block types it contains.
Many people know this type of view from defragmentation programs.
The program is written in Object Pascal using the Lazarus IDE.
ddrutility-2.6-3.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue.
The change in this release is to reference the correct location of the nfscluster program for CentOS 6.
All other versions are unchanged but were rebuilt for revision number compatibility.
November 21, 2014:
The following have been released:
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-8.noarch.rpm - Support for the following kernels was added for LiME:
3.14.23-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.8.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.23-100 for FC19
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.19.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.3-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-19.noarch.rpm - Support for the following kernels was added for LiME:
3.17.3-200 for FC20
libevtx{,-devel,-python,-tools}-20141112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20141112-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
sleuthkit{,-devel,-libs}-4.1.3-5.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
The change from the previous version - 4.1.3-3 - is a correct fix for the Java bindings.
Note that the version provided by Fedora - 4.1.3-4 - does not provide this support in the binary packages they provide nor can that support be added using their source packages.
Support for Fedora 21 x86_64 architecture - The repository now supports Fedora 21 for the x86_64 CPU architecture.
The cert-forensics-tools-release package has been installed in the cert repository and all other packages have been installed in the forensics-test repository.
As root, you will need to enable this repository in the /etc/yum.repos.d/cert-forensics-tools.repo file.
To install the CERT-Forensics-Tools package, it was necessary to run sudo yum erase protobuf-c first.
This repository was built with the Fedora 21 development repository and the Fedora 21 testing updates repository.
When Fedora 21 is released, the CERT Forensics Tools repository will be entirely rebuilt using that distribution, and support for the i686 architecture will be added at that time.
If you find any problem with the packages in the CERT Linux Forensics Tools Repository, please send email to:
November 15, 2014:
The following have been released:
dfvfs-20141108-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
This version no longer scans VSS snapshot volumes by default.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for Fmem:
3.17.2-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for LiME:
3.17.2-200 for FC20
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504.1.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504.1.3 for EL6
libesedb{,-devel,-python,-tools}-20141110-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20141110-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
ddrutility-2.6-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
ddru_findbad
ddru_ntfsbitmap
ddru_ntfsfindbad
ddru_diskutility
The change in this release is to reference the correct location of the nfscluster program for CentOS 6.
partclone-0.2.71-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the latest version of libntfs-3g.so for CentOS.
testdisk-6.14-3.2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software!
It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table).
This package also contains PhotoRec, file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory.
PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
This release was built to use the latest version of libntfs-3g.so for CentOS.
November 7, 2014:
The following have been released:
guymager-0.7.4-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and guymager-0.7.4-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20141026-1.el7.x86_64.rpm -
liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format files.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20141030-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20141030-1.el7.x86_64.rpm -
libregf contains libraries and tools to access the Windows NT Registry File format files.
See here for the list of changes.
Volatility-2.4-4.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-4.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2014-11-03.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.7-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
3.16.7-200 for FC20
lime-kernel-modules-el7-x86_64-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.9.3 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.9.3 for EL7
October 31, 2014:
The following have been released:
analysis-pipeline-4.4.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4.1-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes in this release.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.6-203 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
3.16.6-203 for FC20
lime-kernel-modules-el7-x86_64-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.9.2 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.9.2 for EL7
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-504 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-504 for EL6
libevt{,-devel,-python,-tools}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20141026-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20141025-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20141025-1.el7.x86_64.rpm -
libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20141026-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-tools,-python}-20141026-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
mdbtools{,-devel,-gui}-0.7-43.13.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm and libmdbodbc1-0.7-43.13.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
The MDB Tools project is an effort to document the MDB file format used in Microsoft's Access database package, and to provide a set of tools and applications to make that data available on other platforms.
Specifically, MDB Tools includes programs to export schema and data to other databases such as MySQL, Oracle, Sybase, PostgreSQL, and others.
Also included is a SQL engine for performing simple SQL queries. The 0.5 release includes an updated GUI (screenshot is available here).
A sparse but functional ODBC driver is included as well.
MDB Tools currently has read-only support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats. Write support is currently being worked on and the first cut is expected to be included in the 0.6 release.
For more information check the FAQ and the Installation Guide.
ssdeep-2.12.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
See here for the list of changes.
Also see the SourceForge Page for forums, bugtracking, CVS, et al.
October 24, 2014:
The following have been released:
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.6-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
3.16.6-200 for FC20
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-7.noarch.rpm - Support for the following kernels was added for LiME:
3.14.22-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.7.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.22-100 for FC19
ddrutility-2.6-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
ddru_findbad
ddru_ntfsbitmap
ddru_ntfsfindbad
ddru_diskutility
Here are the changes since the last release (2.5):
Changes for compile compatibility:
Some unneeded items removed from configure.ac
Added lib check for iconv
Some improvements have been made to the documentation:
Added examples to the --mftdomain option of ntfs_bitmap
Updated info about ddru_findbad being slow
Ddru_findbad 1.11 released:
No longer relies on bash
Fixed a bug dealing with bad ntfscluster results
Images are now accessed as read only
Ddru_ntfsfindbad 1.4 released:
Fixed potential memory bug with name conversions
Fixed iconv BOM issue
Fixed a bug with mft data run length
Fixed issue with current position in logfile
Ddru_ntfsbitmap 1.4 released:
Fixed potential memory bug with name conversions
Fixed iconv BOM issue
Ddru_diskutility 1.3 released:
Initial release
distorm3-3-2.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and distorm3-3-2.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
This version uses the code released on September 20, 2012.
libsmdev{,-devel,-tools,-python}-20141021-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-tools,-python}-20141021-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20141022-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-tools,-python}-20141022-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20141021-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20141021-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libvmdk{,-devel,-tools,-python}-20141021-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libvmdk{,-devel,-tools,-python}-20141021-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
See here for the list of changes.
libbde{,-devel,-python,-tools}-20141023-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20141023-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
libvshadow{,-devel,-tools,-python}-20141023-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-tools,-python}-20141023-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
See here for the list of changes.
daq-2.0.4-1.{fc17,fc18,fc19,fc20,el6}.{i386,x86_64}.rpm and daq-2.0.4-1.el7.x86_64.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Here are the changes since the last version:
Changes in 2.0.4 Released on 2014-09-06
api/daq_common.h
Changed name from 'priv_flow_id' to 'flow_id'.
Changed the 'flow_id' field to a uint32_t rather than void * since that is how it is used and it will be safer to pass around.
m4/sf.m4, sfbpf/Makefile.am
Fix DAQ macros to allow users to edit libpcap version in cache file.
Also fixed a parallel build error for individual make targets in sfbpf.
snort-2.9.7.0-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and snort-2.9.7.0-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.7.0-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
October 17, 2014:
The following have been released:
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.14.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.4-200 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-14.noarch.rpm - Support for the following kernels was added for LiME:
3.16.4-200 for FC20
libfixbuf{,-devel}-1.6.1-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-7.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This release was rebuilt with libfixbuf version 1.6.1.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-8.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This release was rebuilt with libfixbuf version 1.6.1.
super_mediator-0.3.0-7.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and super_mediator-0.3.0-7.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use libfixbuf version 1.6.1.
yaf{,-devel}-2.6.0-3.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.6.0-3.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter, a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release was rebuilt to use libfixbuf version 1.6.1.
yaf{,-devel}-2.2.1-8.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter.
Note that this version of Yaf is only available for CentOS/RHEL 5.
This release was rebuilt to use libfixbuf version 1.6.1.
October 10, 2014:
The following have been released:
ddrescue-1.19-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool.
It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes for this version:
Fixed a race condition at start of run with '--timeout=0'.
Added new option '-P, --data-preview'.
Added new option '-u, --unidirectional'.
Added new option '-X, --exit-on-error'.
Added new option '--ask' to ask for user confirmation.
Added new option '--cpass' to select passes during copying phase.
Added new option '--pause' to insert a pause between passes.
Removed option '-l, --logfile-size'.
Skip on the first error during the copying phase.
rescuebook.cc: Trimming done in one pass, may be run in reverse.
The splitting phase has been replaced by a scraping phase.
Changed long name of option '-n' to '--no-scrape'.
rescuebook.cc: Alternate direction of passes during retrying phase.
Show ATA model and serial number with '--ask' or '-vv' on Linux.
configure: Added new option '--enable-linux'.
New files linux.h, linux.cc.
License changed to GPL version 2 or later.
libsmdev{,-devel,-tools,-python}-20141004-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-tools,-python}-20141004-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
partclone-0.2.71-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a. partimage.
Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
Here are the changes for this version:
fix configure.ac and add libblkid-dev check
fix xfs
merge btrfs to 3.14 and update makefile
try to merge btrfs 3.14.1
fix restore-to-raw option
ptk-1.0.5-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules.
PTK uses MySQL, which is assumed to be already configured (using the command line tool mysql_secure_installation or equivalent) and running.
It also assumes a web server, for example Apache, has been configured and is operational.
Here is the list of changes:
For RHEL/CentOS 7, the package now depends on mysql-compat-server. All other versions are unchanged but were rebuilt for revision number compatibility.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-5.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This version correctly removes an incorrect Obsoletes: directive from the spec file.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-6.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This version was built to keep in step with the release 5 update noted above.
testdisk-6.14-3.1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software!
It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table).
This package also contains PhotoRec, file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory.
PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.
This release correctly removes an incorrect Obsoletes: directive from the spec file.
Volatility-2.4-3.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-3.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes and features in this major release.
This version of Volatility uses the code as available from here as of 2014-10-09.
October 3, 2014:
The following have been released:
bulk_extractor-1.5.5-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
Note that this release of bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS.
The change in this release fixes an issue where python3.2 was explicitly referenced in report_encodings.py.
dfvfs-20140928-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
xmount-0.7.2-1.{fc17,fc18,fc19,fc20,el7}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types.
Note that xmount is not available for CentOS/RHEL 5 and 6.
Here are the changes for this version:
0.7.0
Changed build system from autoconf / automake to cmake
Moved input image support into external libs
Added morphing functionality including combine, raid and unallocated
Added --offset and --sizelimit command line parameters
Massive code cleanup including some small bug fixes
0.7.1
Fixed bug with --sizelimit command line option.
0.7.2
Fixed bug in FreeResources(). Do not free vdi.p_vdi_block_map as it is part of vdi.p_vdi_header
ssdeep-2.11-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
See here for the list of changes.
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels was added for LiME:
3.14.19-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.19-100 for FC19
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-398 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-398 for EL5
libfixbuf{,-devel}-1.6.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This release was rebuilt with libfixbuf version 1.6.0.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-4.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
This release was rebuilt with libfixbuf version 1.6.0.
super_mediator-0.3.0-6.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and super_mediator-0.3.0-6.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use libfixbuf version 1.6.0.
yaf{,-devel}-2.6.0-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.6.0-2.el7.x86_64.rpm -
Yaf is Yet Another Flowmeter, a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release was rebuilt to use libfixbuf version 1.6.0.
yaf{,-devel}-2.2.1-7.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter.
Note that this version of Yaf is only available for CentOS/RHEL 5.
This release was rebuilt to use libfixbuf version 1.6.0.
fred-0.1.1-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and fred-0.1.1-1.{el6,el7}.x86_64.rpm - Fred Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor.
This project was born out of the need for a reasonably good registry hive viewer for Linux to conduct forensic analysis.
Therefore it includes some functions not found in normal "free" registry editors like a hex viewer with data interpreter and a reporting function that can easily be extended with custom ECMAScript report templates.
September 26, 2014:
The following have been released:
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-12.noarch.rpm - Support for the following kernels was added for LiME:
3.16.2-201 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.12.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.2-201 for FC20
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
3.16.3-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.3-200 for FC20
lime-kernel-modules-el7-x86_64-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
3.10.0-123.6.3 for EL7
3.10.0-123.8.1 for EL7
fmem-kernel-modules-el7-x86_64-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
3.10.0-123.6.3 for EL7
3.10.0-123.8.1 for EL7
Volatility-2.4-2.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-2.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes and features in this major release.
This version of Volatility uses the code as available from here as of 2014-09-23.
plaso-1.1.0-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.1.0-2.{el6,el7}.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
For this release, IPython was added as a dependency.
python-ipython{,-console,-doc,-gui,-notebook,-sphinx,-tests}-2.2.0-1.el7.x86_64.rpm - IPython is an enhanced interactive Python shell.
This package was only provided for CentOS/RHEL 7 for the x86_64 architecture.
python-tornado{,-doc}-3.2.1-3.el7.x86_64.rpm - Tornado is an open source version of the scalable, non-blocking web server and tools.
The framework is distinct from most mainstream web server frameworks (and certainly most Python frameworks) because it is non-blocking and reasonably fast.
Because it is non-blocking and uses epoll, it can handle thousands of simultaneous standing connections, which means it is ideal for real-time web services.
python-path-3.0.1-2.el7.x86_64.rpm - Python-path implements path objects as first-class entities, allowing common operations on files to be invoked on those path objects directly. See documentation here.
mathjax-2.2-4.el7.noarch.rpm and mathjax{-ams,-caligraphic,-fraktur,-main,-math,-sansserif,-script,-size1,-size2,-size3,-size4,-typewriter,-winchrome,-winie6}-fonts-2.2-4.el7.noarch.rpm -
MathJax is an open source JavaScript display engine for mathematics that works in all browsers.
fontawesome-fonts{,-web}-4.1.0-1.el7.noarch.rpm - Font Awesome provides scalable vector icons that can instantly be
customized — size, color, drop shadow, and anything that can be done with the power of CSS.
ttembed-1.1-3.el7.x86_64.rpm - TTembed removes embedding limitations from TrueType fonts by setting the fsType field in the OS/2 table to zero.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.9.0-2.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
analysis-pipeline-4.4-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4-2.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.9.0-1.
silk-ipset-{devel,lib,tools}-3.9.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
September 19, 2014:
The following have been released:
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-11.noarch.rpm - Support for the following kernels was added for LiME:
3.16.2-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.11.noarch.rpm - Support for the following kernels was added for Fmem:
3.16.2-200 for FC20
dff-1.3.0.20140123-2.{fc17,fc18,fc19,fc20,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++, it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
This version is the developer version as of January 23, 2014.
The changes were to add missing dependencies, specifically PyQt4-webkit for CentOS/RHEL 7
and python-poppler-qt4 for all supported architectures.
python-poppler-qt4-0.16.2-8.el7.x86_64.rpm - Python-poppler-qt4 is a Python interface to the Poppler Qt4 interface library, libpoppler-qt4, which is a library that allows Qt4 programmers to easily load and render PDF files.
The Poppler Qt4 interface library uses poppler internally to do its job, but the Qt4 programmer will never have to worry about poppler internals.
analysis-pipeline-4.4-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes in this release.
libevtx{,-devel,-python,-tools}-20140901-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20140901-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
libfvde{,-devel,-tools}-20140907-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libfvde{,-devel,-tools}-20140907-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
Here are the changes from the last version (20130305):
exposed some encryption context plist functions in API
updated dependencies
updated msvscpp files, not operational yet
worked on libcthreads build support
liblnk{,-devel,-python,-tools}-20140905-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20140905-1.el7.x86_64.rpm -
liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
Here are the changes from the last version (20140731):
updated libfwsi version check
bug fix in Python-bindings
worked on property store data block support
libregf{,-devel,-python,-tools}-20140905-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20140905-1.el7.x86_64.rpm -
libregf contains libraries and tools to access the Windows NT Registry File files.
Here are the changes from the last version (20140803):
updated libfwsi version check
bug fix in Python-bindings
code clean
ssdeep-2.11-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
xplico-1.1.0-2.{fc17,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work under CentOS/RHEL 7. All other supported systems were upgraded for release version consistency.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
bulk_extractor-1.5.5-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
Note that this release of bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS.
September 12, 2014:
The following have been released:
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
3.15.10-201 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
3.15.10-201 for FC20
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
2.6.32-431.29.2 for EL6
2.6.32-431.23.3 for EL6
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.32-431.29.2 for EL6
2.6.32-431.23.3 for EL6
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-4.noarch.rpm - Support for the following kernels was added for LiME:
2.6.18-371.12.1 for EL5
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
2.6.18-371.12.1 for EL5
xplico-1.1.0-2.{fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt specifically for CentOS/RHEL 7. All other supported systems were upgraded for release version consistency.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
Note that Fedora 17 is not supported yet but support is expected soon.
python-psycopg2{,-debug,-docs}-2.5.1-2.el7.x86_64.rpm - Python-psycopg2 is a PostgreSQL adapter for the Python programming language. At its core it fully implements the Python DB API 2.0 specification.
Several extensions allow access to many of the features offered by PostgreSQL.
This package was installed for CentOS/RHEL 7 to support xplico.
yaf{,-devel}-2.6.0-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.6.0-1.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Here are the changes from the last version (2.5.0):
Added a new tool, ipfixDump, to read and dump the contents of IPFIX files. Requires Fixbuf 1.4.0 or later.
Add LDAP application label
Filedaemon can now move files from one directory to another without passing to a child program
SSL/TLS DPI modification to capture SSL record version
Update CERT PEN Information Elements to use full information model if Fixbuf 1.4.0 or later is available
Fix for Modbus application label to reduce false positives
Bug Fix for TOS field when running with --uniflow
Bug Fix in RPM spec file
Bug Fix for labeling malformed DNS packets
Bug Fix for processing out of order packets with --force-read-all
Bug Fix for exporting reverse payload
Other minor bug fixes
jafat-1.1.6-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems.
The changes in this release were to put the doc files in the correct place in the file system.
August 29, 2014:
The following have been released:
dfvfs-20140824-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
sqlite{,-devel,-tcl}-3.7.17-4.el6.x86_64.rpm, sqlite-doc-3.7.17-4.el6.noarch.rpm, and lemon-3.7.17-4.el6.x86_64.rpm - SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.
SQLite is the most widely deployed SQL database engine in the world. The source code for SQLite is in the public domain.
This version was installed for RHEL/CentOS 6 for the x86_64 architecture to support plaso.
CERT-Forensics-Tools-1.0-60.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-60.el7.x86_64.rpm -
This package was updated to add the following packages:
libesedb-tools, libqcow-tools, libsmdev-tools, libsmraw-tools, libvmdk-tools, and bokken.
libesedb-tools - Libesedb contains tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
libqcow-tools - Libqcow contains tools used to access the QEMU Copy-On-Write (QCOW) image format.
libsmdev-tools - Libsmdev contains tools used to access storage media devices.
libsmraw-tools - Libsmraw contains tools used to read and write (split) RAW storage media bitstream copies.
libvmdk-tools - Libvmdk contains tools used to access the VMware Virtual Disk (VMDK) image format.
bokken - Bokken is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some of Radare's. It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.
pyew-2.0-1.el7.x86_64.rpm - Pyew is a (command line) Python tool to analyse malware.
It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), and the PE and ELF file formats (it performs code analysis and lets you write scripts using an API to perform many types of analysis); it follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports the OLE2 format, PDF format and more.
It also supports plugins to add more features to the tool.
radare-2.0.9.7-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
valabind-0.7.4-2.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
python-radare-2.0.9.7-1.el7.x86_64.rpm - Python-Radare provides bindings that allow Radare to be used from Python.
python-tidy-0.2-1.el7.noarch.rpm - Python-tidy cleans up, regularizes, and reformats the text of Python scripts.
August 22, 2014:
The following have been released:
lime-kernel-modules-fc19-{i686,x86_64}-1.1.r17-5.noarch.rpm - Support for the following kernels was added for LiME:
3.14.17-100 for FC19
fmem-kernel-modules-fc19-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.17-100 for FC19
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-9.noarch.rpm - Support for the following kernels was added for LiME:
3.15.9-200 for FC20
3.15.10-200 for FC20
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.9.noarch.rpm - Support for the following kernels was added for Fmem:
3.15.9-200 for FC20
3.15.10-200 for FC20
dc3dd-7.2.641.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics. New in this version are the following:
Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
Verification of an image restored to a device larger than the image is now supported.
Specify hof=DEVICE to hash only the bytes dc3dd writes to the device.
Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all the bytes that follow, up to the end of the device.
Specifying hof=DEVICE will now default to phod=DEVICE behavior (hash only the bytes output by dc3dd, not the full device).
dd_rescue-1.46-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue, however, does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previously distributed version (1.46):
ddr_hash now supports calculating HMACs instead of plain hashes. The hash calculation
has been cleaned up a bit. When a seed val of 0 is passed on the command line, additional
randomness is created using the rdrand() command on x86/x86-64 (if available).
(2014-06-27) A vulnerability in most implementations of lzo decompression has been
reported. The liblzo2 library (up to and including v 2.06) used by the ddr_lzo plugin
(until dd_rescue-1.45) is affected. You need to feed specially crafted compressed
data in blocks of 16MB or larger to the decompressor on 32-bit platforms to exploit it,
see the report for more details. (This issue has ID LMS-20140616-1/ CVE-2014-4607.)
The man page ddr_lzo advises to be careful when feeding data from untrusted sources
to the decompressor; it seems that this advice has been wise. Fortunately, ddr_lzo
does not normally feed such large blocks to the decompressor; you'd need to manually
increase the soft block size to at least 8MB and ignore a warning to trigger this issue
with dd_rescue. But it is possible. So here's the advice:
Update liblzo2 to 2.07 (or a fixed 2.06 version) which has this issue fixed (your Linux
distributor should provide this very soon). This is enough to fix the issue, as the
ddr_lzo plugin of dd_rescue does dynamically link against liblzo2, except for Android.
libsmraw{,-devel,-tools,-python}-20140817-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-tools,-python}-20140817-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
yaf{,-devel}-2.5.0-3.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.5.0-3.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), or from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
The RHEL/CentOS 5 package needed to be rebuilt with the latest version of libfixbuf.
The RHEL/CentOS 6 package for the x86_64 architecture was rebuilt with the correct version of libfixbuf, so all other versions of yaf and yaf-devel were rebuilt to keep the release number consistent.
super_mediator-0.3.0-5.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and super_mediator-0.3.0-5.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
The Fedora 17 package for the i386 architecture was rebuilt with the correct version of libfixbuf, so all other versions of super_mediator were rebuilt to keep the release number consistent.
protobuf-c{,-devel}-0.15-2.2.el6.x86_64.rpm - The protobuf-c package provides a code generator and runtime libraries to use Protocol Buffers from pure C (not C++).
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
This RHEL/CentOS 6 package for the i386 architecture was rebuilt to use the latest version of protobuf-devel.
snarf{,-devel,-python}-0.2.2-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
This version was built to use version 0.15 of protobuf and protobuf-c-devel where required.
Note: Extra Packages for Enterprise Linux (EPEL) for RHEL/CentOS 7 includes a version of protobuf-c that is incompatible with
snarf and its installation causes problems when attempting to install snarf.
To solve this problem, you need to add the following exclude line to /etc/yum.repos.d/epel.repo file:
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
August 15, 2014:
The following have been released:
bulk_extractor-1.5.3-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
Note that this release of bulk_extractor is not available for CentOS/RHEL 5 due to an outdated version of flex for that OS.
fmem-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.6-1.4.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.15-100 for FC19
lime-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Support for the following kernels was added for LiME:
3.14.15-100 for FC19
libbde{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20140731-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the support formats, protection methods, and additional features.
Here are the changes for this release:
added is locked function
bug fix in Python bindings
compression method is now forced to effective 16-bits
fixes for FreeBSD 8 compilation
moved password hashes to password keep
small change in bdemount for Dokan support
small improvements to error reporting
updated dependencies
updated msvscpp files
worked on bdemount
worked on exposing metadata
worked on exposing metadata via bdeinfo
worked on Python bindings
worked on setup.py
worked on tests
Volatility-2.4-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm and Volatility-2.4-1.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes and features in this major release.
August 8, 2014:
The following have been released:
fmem-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.6-1.*.noarch.rpm - Support for the following kernels was added for Fmem:
3.14.13-100 for FC19
3.15.8-200 for FC20
3.15.7-200 for FC20
3.15.6-200 for FC20
3.15.5-200 for FC20
2.6.18-371.11.1 for EL5
2.6.32-431.20.5 for EL6
3.10.0-123.4.4 for EL7
lime-kernel-modules-{fc19,fc20,el5,el6,el7}-{i686,x86_64}-1.1.r17-*.noarch.rpm - Support for the following kernels was added for LiME:
3.14.13-100 for FC19
3.15.8-200 for FC20
3.15.7-200 for FC20
3.15.6-200 for FC20
3.15.5-200 for FC20
2.6.18-371.11.1 for EL5
2.6.32-431.20.5 for EL6
3.10.0-123.4.4 for EL7
dfvfs-20140727-1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
libesedb{,-devel,-python,-tools}-20140803-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20140803-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
See here for the list of changes.
libevt{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
See here for the list of changes.
libevtx{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20140731-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
liblnk{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20140731-1.el7.x86_64.rpm -
liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20140731-1.el7.x86_64.rpm -
libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
libolecf{,-devel,-python,-tools}-20140801-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
libqcow{,-devel,-tools,-python}-20140729-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libqcow{,-devel,-tools,-python}-20140729-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
See here for the list of changes.
libregf{,-devel,-python,-tools}-20140803-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20140803-1.el7.x86_64.rpm -
libregf contains libraries and tools to access the Windows NT Registry File files.
See here for the list of changes.
libsmdev{,-devel,-tools,-python}-20140803-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libsmdev{,-devel,-tools,-python}-20140803-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
See here for the list of changes.
libsmraw{,-devel,-tools,-python}-20140728-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
libvshadow{,-devel,-tools,-python}-20140731-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-tools,-python}-20140731-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
See here for the list of changes.
python-registry-1.0.4-1.{fc17,fc18,fc19,fc20,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low-level set of parsing objects and methods which may be used for advanced study of the Windows Registry.
Python-registry is written in pure Python, making it portable across all major platforms.
libfixbuf{,-devel}-1.5.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.3-3.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.3-4.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
super_mediator-0.3.0-4.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This package was rebuilt to use libfixbuf version 1.5.0.
yaf{,-devel}-2.5.0-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.5.0-2.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap dumpfiles as generated by tcpdump, or from live capture from an interface using pcap, an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This package was rebuilt to use libfixbuf version 1.5.0.
July 24, 2014:
The following have been released:
ddrescue-1.18.1-2.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
A patch from the developer was applied that adds the following arguments:
--no-reverse-pass: do not switch direction for each pass
--skip-on-first-err: start skipping on first error
--trim-sequentially: don't trim small blocks first
--split-sequentially: don't split large blocks first
--no-reverse: This makes the second pass also go in the same direction as the first.
This is for those who may ask for the option.
But in my benchmark testing I can say there is no real benefit to turning off reverse.
--skip-on-first-err: By default, ddrescue doesn't start skipping until 2 errors are
encountered in a row. Sometimes the errors are spread out so that skipping does not
happen very often if at all. This option will make ddrescue skip on the first error on the
first pass forwards, and also on the second pass in reverse. If used with --no-reverse,
the second forward pass skips on the second error like normal. Note that if used with
the --reverse option then ddrescue will behave as normal and this option will not do
anything. This option does best when setting a higher skip size, as when used with the
default skip size it does not have a positive effect.
--trim-sequentially: Normally ddrescue trims the smallest block first, which can cause
unwanted head movement. This option makes it trim in order in one pass in the direction
specified. My tests did not show any speed difference, but the small size of the test
also did not have excessive head movement to begin with.
--split-sequentially: Normally ddrescue splits the largest blocks first (which can
cause a lot of unwanted head movement), and then when there are only small blocks of
less than 7 sectors in size it will split sequentially. This option makes it split
in order in one pass in the direction specified. In my benchmarking tests this helped
slightly with overall recovery time, which is likely a result of drive read-ahead. This
was even with a small test size, so it is possible that there could be more to gain on
a full size recovery. Note that this speed increase would not normally be noticed due
to the amount of time errors take to process, and is a very small increase overall. The
biggest benefit is the head movement.
ddrutility-2.5-1.{fc17,fc18,fc19,fc20,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
ddru_findbad
ddru_ntfsbitmap
ddru_ntfsfindbad
fmem-kernel-modules-1.6-1.3.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
This package is not linked between OS and Architectures.
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.6.noarch.rpm - Support for the following kernels were added for
Fmem:
3.15.6-200
3.15.5-200
ip4r-2.0.2-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.{el6,el7}.x86_64.rpm - IP4R
and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively.
They can be used as a more flexible, indexable version of the cidr type.
This version has been built for PostgreSQL version 9.3.4 for Fedora and CentOS/RHEL 7
and version 9.2 for CentOS/RHEL using the CentOS
Software Collections Repository.
liblnk{,-devel,-python,-tools}-20140714-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20140714-1.el7.x86_64.rpm -
liblnk contains libraries and tools
to access the Windows Shortcut File (LNK) format file.
lime-kernel-modules-1.1.r17-3.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
This package is not linked between OS and Architectures.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-6.noarch.rpm - Support for the following kernels were added for
LiME:
3.15.6-200
3.15.5-200
python-rarfile-2.6-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Python-rarfile is a
Python module for RAR archive reading.
snort-2.9.6.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm and snort-2.9.6.2-1.el7.x86_64.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.6.2-1.1.{fc17,fc18,fc19,fc20,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
yara-2.1.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (1.7.2):
Improve regexp engine
Improve multithreading support
Case-insensitive and single-line matching modes for "matches" operator's regexps
Added "error_on_warning" argument to "match" in yara-python
Recognize x64 PE files
BUGFIX: Mutex handle leak
BUGFIX: NULL pointer dereferences
BUGFIX: Buffer overflow
BUGFIX: Crash while using compiled rules with yara64 in Windows
BUGFIX: Infinite loop while scanning 64bits process in Windows
BUGFIX: Side-effect on "externals" argument in yara-python's "match" function
BUGFIX: "x of them" not working with strings containing unbounded jumps
yara-python-2.1.0-1.{fc17,fc18,fc19,fc20,el5,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python
extension that gives access to Yara's powerful features from Python scripts.
Here are the changes since the last version (1.7.2):
Improve regexp engine
Improve multithreading support
Case-insensitive and single-line matching modes for "matches" operator's regexps
Added "error_on_warning" argument to "match" in yara-python
Recognize x64 PE files
BUGFIX: Mutex handle leak
BUGFIX: NULL pointer dereferences
BUGFIX: Buffer overflow
BUGFIX: Crash while using compiled rules with yara64 in Windows
BUGFIX: Infinite loop while scanning 64bits process in Windows
BUGFIX: Side-effect on "externals" argument in yara-python's "match" function
BUGFIX: "x of them" not working with strings containing unbounded jumps
July 17, 2014:
The following have been released:
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-5.noarch.rpm and
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.5.noarch.rpm - Support for the following kernels were added for
Fmem and LiME:
3.15.4-200
3.15.3-200
3.14.9-200
CentOS 7 -
The repository now supports CentOS 7 for the x86_64 CPU architecture.
Here is the list of tools provided for CentOS 7:
All other packages installed when the CERT-Forensics-Tools package is installed are taken from the CentOS 7
Release, Updates, Extras, EPEL, and RPM Forge repositories.
July 2, 2014:
The following have been released:
plaso-1.1.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.1.0-1.el6.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timeline.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Go here to read about all of the changes and features in this release.
libevt{,-devel,-python,-tools}-20140531-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libevt
contains libraries and tools to access the Windows Event Log (EVT) format files.
python-construct-2.5.2-1.{fc17,fc18,fc19,fc20,el5,el6}.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
bencode-1.0-1.{fc17,fc18,fc19,fc20,el5,el6}.noarch.rpm -
Bencode is the BitTorrent bencode module as light-weight, standalone package.
libesedb{,-devel,-python,-tools}-20140406-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage
Engine (ESE) Database File (EDB) format. ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
dfvfs-20140604-1.{fc17,fc18,fc19,fc20,el6}.noarch.rpm - Dfvfs, the Digital Forensics Virtual File System, provides read-only access to file-system objects from
various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation
of the various storage media types, volume systems and file systems.
libvhdi{,-devel,-python,-tools}-20140330-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
See here for the list of supported disk formats.
libvshadow{,-devel,-tools,-python}-20140323-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here is the list of changes.
libvmdk{,-devel,-tools,-python}-20140421-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libvmdk
is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
Here is the list of changes.
libsmraw{,-devel,-tools,-python}-20140621-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libsmraw
is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes.
Here is the list of changes.
libsmdev{,-devel,-tools,-python}-20140529-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libsmdev is a library and tools used to access storage media devices.
Here is the list of changes.
libqcow{,-devel,-tools,-python}-20140529-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Libqcow
is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
Here is the list of changes.
Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
The change from the previous release (1) is that python support has been added in the package libewf-python.
openssl{,-devel,-libs,-perl,-static}-1.0.1e-38.{fc17,fc18}.{i686,x86_64}.rpm -
OpenSSL is a collaborative effort to develop a robust, commercial-grade, full-featured, and
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.
The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
These packages are provided for Fedora 17 and 18 because those versions of Fedora are no longer maintained by Red Hat and, in the case of ADIA for Fedora 17, OpenSSL is used to secure the
Webmin connection.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-4.noarch.rpm and
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels were added for
Fmem and LiME:
3.14.9-200 for FC20
June 27, 2014:
The following have been released:
dd_rescue-1.45-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Note: these packages are available from the RPM Forge repository for CentOS/RHEL 5 and 6.
See here for more details on the RPM Forge repository.
Here are the changes from the previously distributed version (1.40):
Release 1.45-1:
ddr_hash received a bugfix (sha512/sha384 could overflow a buffer).
It gained support for sha1 hash.
ddr_hash can now conveniently retrieve (and check) and store hashes in xattrs and md5sum/sha256sum/... style files.
A new null plugin (ddr_null) was added.
Release 1.44-1:
The plugin libddr_MD5.so (short ddr_MD5) has been renamed to ddr_hash, reflecting that we also support sha1, sha256,
sha224, sha512, sha384 now. Checks have been added to the test suite and the documentation been updated accordingly.
Release 1.43-1:
The main feature of 1.43 is the new lzo plugin. It de/compresses data
using the lzo algorithms, which are very fast to decompress and most
versions are also fast to compress (at somewhat moderate compression
levels). The plugin supports many of dd_rescue's features, such
as skipping bad blocks (encoding sparseness/holes into the output)
as well as appending. It also continues on errors (skipping a whole
block if nodiscard is NOT given) and allows to search for valid lzo
block headers if sync is lost. Fuzz testing has been done to support
reliability. A man page ddr_lzo(1) has been created.
The plugin interface has been enhanced to support ddr_lzo; the MD5 plugin
has also seen some work beyond just refactoring: It supports the parameter
output/outfd= now and supports all type of holes that can be generated in
a chain with ddr_lzo now.
Some minor improvements (docu, messages) and bug fixes have been
applied. There also is a new ARMv8 (AArch64 aka ARM64) optimized
routine to detect zero-blocks.
Release 1.42.1-1:
1.42.1 contains a fix for a subtlety in how we set up a handler for
SIGILL and return with longjmp to detect the supported instruction
sets of the CPU -- we need to manually reset the process' signal mask,
otherwise a second failed probe would abort.
Release 1.42-1:
1.42 brings the possibility to load plugins to analyze or transform data
before it's written to the output file(s). A plugin to calculate the MD5
hash is provided. posix_fadvise() is used if available (optimization) and
dd_rescue now only provides a short usage info rather than the long help
text on wrong parameters.
Release 1.41-1:
There has been a lot of internal refactoring that improves the detection of CPU
features (at runtime) and libc/compiler features (at build time). One result is
that this version supports building against the Android NDK. (armv7l binaries
built against Android API 17 (aka 4.2) libc can be found below in the download
section.) Another consequence is that AVX2 support is now enabled (for saving
CPU cycles on sparse block detection). A few minor bugs have been addressed
(the most serious one a harmless off-by-one on determining the size of a
block device). Number formatting is more consistent now. There is also a new
option -u/--rmvtrim that deletes the created file again and issues a fstrim
on the filesystem -- good if you filled the empty space of a filesystem with
zeros for data protection and SSD refreshment.
Release 1.40.1-1:
It just has one patch to fix the SSE2 detection on i386 -- the old code would end in an endless loop ...
ddrescue-1.18.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes from the previous distributed version (1.17):
ddrescuelog.cc (do_logic_ops): Fixed 'or' and 'xor'.
Added new option '-H, --test-mode' to simulate read errors.
Added new option '-L, --loose-domain' to ddrescue and ddrescuelog.
Added new option '-N, --no-trim' to disable trimming of damaged areas.
Added new option '-O, --reopen-on-error'.
Added new options '-1, --log-rates', and '-2, --log-reads'.
Extended '-K, --skip-size' with maximum and disable values.
Changed long name of option '-r' to '--retry-passes'.
Changed short name of option '--generate-mode' to '-G'.
Default value of option '-l, --logfile-size' increased to 10000.
If interrupted, ddrescue terminates by raising the signal received.
rescuebook.cc (copy_non_tried): Do not mark skipped blocks as non-trimmed. Try them in additional passes (before trimming).
rescuebook.cc: Limit the copying phase to 3 passes.
rescuebook.cc: Alternate direction of passes during copying phase.
rescuebook.cc: Smallest blocks are trimmed first.
rescuebook.cc (split_errors): Read largest first if logfile full.
Improved speed when using option '-m, --domain-logfile'.
io.cc (show_status): Show the current total run time.
rescuebook.cc: Show pass number and direction during copying.
rescuebook.cc (show_status): Show block pos instead of current_pos.
main.cc: Show "an unknown number of bytes" for unknown isize.
Added option '-B, --binary-prefixes' to ddrescuelog.
Added new option '-C, --complete-logfile' to ddrescuelog.
Added new option '-P, --compare-as-domain' to ddrescuelog.
Improved speed of logic operations in ddrescuelog.
rescuebook.cc (Rescuebook::do_rescue): Show warning when domain is smaller than logfile.
ddrescuelog.cc (do_show_status): Show logfile and domain extents when domain is smaller than logfile.
block.h: Class Block now forces the invariant by itself.
Code reorganization. New class 'Logfile'.
Added status message to rescue logfile.
Many improvements to documentation.
ddrescue.texinfo: Renamed to ddrescue.texi.
libewf{,-devel,-tools}-20140608-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm, and ewftools-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
Here are the changes from the previous version (20140427):
bug fix for utf16 header functions
bug fix in ewfmount regarding logical files date and time values
updated python.m4
fixes to build static library with mingw and cygwin
bug fixes in m4 files
removed #error restriction in dependency include header files
make pyewf_handle_open more strict to catch non-string objects; without the check the code will segfault on non-string objects
{python-,}binplist-0.1.4-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
Here are the changes from the previous release (0.1.4-0):
The python library (python-binplist) has been split from the binplist executable.
In binplist, the following changes were made:
The plist.py file was removed.
The binplist.py file was renamed to binplist.
The /usr/bin/binplist.py[co] and /usr/bin/plist.py[co] files are removed.
These files are automatically created if either the binplist.py or plist.py program was executed by root.
Their presence causes log2timeline.py and related programs to fail.
plaso-1.0.2-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-2.el6.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timeline.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Here are the changes from the previous release (1.0.2-1):
Missing dependencies were added (python-construct, libolecf-python, python-dpkt, python-binplist).
Note that on CentOS/RHEL 6, the python-construct and python-dpkt packages were released in support of plaso.
lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-3.noarch.rpm,
lime-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.1.r17-2.noarch.rpm,
fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.3.noarch.rpm,
fmem-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for
Fmem and LiME:
3.14.8-200 for FC20
3.14.6-200 for FC20
3.14.7-100 for FC19
3.14.8-100 for FC19
2.6.32-431.20.3 for EL6
2.6.18-371.9.1 for EL5
June 11, 2014:
The following have been released:
lime-kernel-modules-common-1.1.r17-1.noarch.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
This package also obsoletes the lime-kernel-objects package which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6.
If you use rsync, make certain that you use the -H option
to preserve those hard links.
lime-kernel-modules-1.1.r17-1.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects, specifically the following:
lime-kernel-modules-{fc17,fc18,fc19,fc20,el5,el6}-{i686,x86_64}-1.1.r17-*.noarch.rpm - These are the actual kernel objects packaged for each operating system version
and architecture.
Note: again these RPMs are hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6.
fmem-kernel-modules-common-1.6-1.1.noarch.rpm - Fmem is a kernel module that creates
the device /dev/fmem, similar to /dev/mem but without limitations.
This package contains the source code for making the FMEM kernel modules and the install-fmem script.
This package also obsoletes the fmem-kernel-objects package which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 17-20 and CentOS 5 and 6.
If you use rsync, make certain that you use the -H option
to preserve those hard links.
May 22, 2014:
The following have been released:
nDPI{,-devel}-1.4.0.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, it also supports Windows, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine and
are unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the concept of port=application no longer holds.
xplico-1.1.0-1.{fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
See here for the changes in this release.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
Note that Fedora 17 is not supported yet but support is expected soon.
libewf{,-devel,-tools}-20140427-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm, and ewftools-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
fixes to build static library with mingw and cygwin
bug fixes in m4 files
removed #error restriction in dependency include header files
make pyewf_handle_open more strict to catch non-string objects; without the check the code will segfault on non-string objects
bug fixes in empty block compression
bug fix in libewf_read_io_handle_read_chunk_data error tolerance code path
bokken-1.6-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Bokken is a GUI for the
Pyew and Radare projects, so it offers almost all the same features that
Pyew has and some of Radare's. It's intended to be a basic disassembler, mainly to analyze malware and vulnerabilities.
pyew-2.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Pyew is a (command line)
Python tool to analyse malware. It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits),
and the PE and ELF file formats
(it performs code analysis and lets you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays
function names and string data references, and supports the OLE2 format,
PDF format and more. It also supports plugins to add more features to the tool.
radare-2.0.9.7-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.0.9.7-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Python-Radare are
bindings that allow Radare to be used from Python.
vala{,-devel,-doc,-tools}-0.20-1.el6.{i686,x86_64}.rpm and emacs-vala-0.20-1.el6.{i686,x86_64}.rpm -
Vala is a new programming language that aims to bring modern
programming language features to GNOME developers without imposing any additional runtime requirements and without using a different ABI compared
to applications and libraries written in C.
valabind-0.7.4-2.{fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
snort-2.9.6.1-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.6.1-1.1.{fc17,fc18,fc19,fc20,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
md5deep-4.4-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
See here for the list of changes in this version.
pytsk-20140506-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
See here for a list of changes.
yaf{,-devel}-2.5.0-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Yaf (Yet Another Flowmeter)
is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface
using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into
serialized IPFIX message streams (IPFIX files) on the local file system.
See here for a list of changes in this version.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
Note: In this release of SiLK (3.8.2-1), support for the IPA extensions has been removed.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
silk-ipset-{devel,lib,tools}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
guymager-0.7.3-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package.
The change made in this version was to replace all lines in the configuration file (/etc/guymager/guymager.cfg) that contain backslashes at the end lines with
spaces to work around a programming error in libguytools.
lime-kernel-objects-1.1.r16-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
The changes added support for the following kernels:
FC20
3.14.4-200
3.14.3-200
3.14.2-200
3.13.9-200
3.13.8-200
3.13.7-200
3.13.10-200
FC19
3.14.4-100
3.13.9-100
3.13.7-100
3.13.11-100
EL6
2.6.32-431.17.1
2.6.32-431.11.2
EL5
2.6.18-371.8.1
2.6.18-371.6.1
fmem-kernel-objects-1.6-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the same kernels noted for lime.
plaso-1.0.2-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-1.el6.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timeline.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
See here for the changes in this release.
April 24, 2014:
The following have been released:
splunk-4.3.7-181874.i386.rpm, splunk-4.3.7-181874-linux-2.6-x86_64.rpm, splunk-6.0.3-204106.i386.rpm, and splunk-6.0.3-204106-linux-2.6-x86_64.rpm -
These versions of Splunk provide what is needed to upgrade to the latest version which is 6.0.3.
The version in the repository is old and contains an expired signing key.
We apologize for not keeping Splunk up to date and any inconvenience this upgrade may cause.
Please note that these versions are installed in the forensics-test repository which is normally disabled.
To update to the latest version (6.0.3 as of this writing), follow this procedure:
First, upgrade to splunk 4.3.7 by following the procedure found here.
In step 2 in the Steps for upgrading section, use this command to upgrade to splunk 4.3.7:
If you have previously enabled splunk to start on a reboot, you need to use these commands to reestablish that configuration:
sudo /opt/splunk/bin/splunk disable boot-start
sudo /opt/splunk/bin/splunk enable boot-start
Then restart splunk with the following:
sudo /opt/splunk/bin/splunk start
Note: On Wednesday, September 10, 2014, the latest version of Splunk will become the default version in the regular cert repository.
You will need to perform the upgrade noted above before then so that Splunk will continue to function properly.
April 7, 2014:
The following have been released:
CERT-Forensics-Tools-1.0-58.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
This package was updated to add the following:
plaso - A timeline tool (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only)
libregf-tools - Tools to access Windows NT Registry files
libmsiecf-tools - Tools to access Microsoft Internet Explorer (MSIE) Cache File (index.dat) files
libevt-tools - Tools to access Windows Event Log (EVT) format files
liblnk-tools - Tools to access Windows NT Registry files
libolecf-tools - Tools to access OLE 2 Compound File (OLECF) format files
ddrutility (not CentOS/RHEL 5) - Utility for use with gnuddrescue to aid with data recovery
fcrackzip - Zip Password Cracker
undbx (not CentOS/RHEL 5) - Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files
silk-ipa (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only) - Script to enable the IPA-based version of the SiLK tools
Note: On CentOS/RHEL, installing the CERT-Forensics-Tools meta package or plaso requires postgresql.
For Fedora, postgresql is provided in the CERT Linux Forensics Tools repository.
However, for CentOS 6.5 on the x86_64 architecture only, the version of postgresql comes from the CentOS Software Collections Repository.
This means that you must install the centos-release-SCL package by running yum install centos-release-SCL as root before you apply updates from the repository.
hachoir-metadata-1.3.3-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - hachoir-metadata is a tool
that extracts metadata from multimedia files: music, picture, video, and archives.
The changes were to correct the permissions of the installed files.
plaso-1.0.1alpha-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.1alpha-1.el6.x86_64.rpm - Plaso
is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
libregf{,-devel,-python,-tools}-20140118-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
libregf contains libraries and tools to access the Windows NT Registry File files.
libmsiecf{,-devel,-python,-tools}-20140131-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
libmsiecf contains libraries and tools
to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
libevt{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
libevtx{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
liblnk{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - liblnk contains libraries and tools
to access the Windows Shortcut File (LNK) format files.
libolecf{,-devel,-python,-tools}-20131108-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libolecf contains libraries and tools
to access the OLE 2 Compound File (OLECF) format files.
The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats.
protobuf-c{,-devel}-0.15-2.1.el6.x86_64.rpm - Protobuf-c package provides a code generator and runtime libraries
to use Protocol Buffers from pure C (not C++).
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
protobuf{,-compiler,-devel,-lite,-lite-devel,-lite-static,-python,-static,-vim}-2.4.1-1.el6.x86_64.rpm - Protobuf (Protocol Buffers)
are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats.
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
python-ipython{,-console,-doc,-gui,-notebook,-tests}-0.13.2-1.el6.x86_64.rpm - IPython is an enhanced interactive Python shell.
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
perl-Parse-Evtx{,-tools}-1.1.1-2.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx
is a Windows Event Log parser library and tools collection.
Because files in the previous release - 1.1.1-1 - of perl-Parse-Evtx now conflict with files in libevtx-tools, the tools from perl-Parse-Evtx were moved to perl-Parse-Evtx-tools so
that perl-Parse-Evtx, upon which log2timeline depends, could be installed.
binplist-0.1.4-0.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
libewf{,-devel,-tools}-20140216-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm, and ewftools-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
bug fix in recent process status changes
integrating latest update for multi threaded ewfacquire changes
changed behavior of empty-block check
worked on integrating multi threaded ewfacquire changes
updated dependencies
added libcdatetime
removed borlandc files
small updates
moved low-level function support from compile time to run time
worked on sync with experimental version
Also added missing fuse-devel build requirement
sleuthkit{,-devel,-libs}-4.1.3-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
The changes from the previous version - 4.1.3-1 - are the following:
Patch to support pytsk.
Rebuilt with libewf-20140216
pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
See here for a list of changes.
partclone-0.2.69-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the correct version of libntfs-3g.so.
lime-kernel-objects-1.1.r16-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
The changes added support for the following kernels:
3.13.6-200 for FC20
3.13.5-202 for FC20
3.13.5-200 for FC20
3.13.4-200 for FC20
3.13.3-201 for FC20
3.12.10-300 for FC20
3.13.6-100 for FC19
3.13.5-103 for FC19
3.13.5-101 for FC19
3.12.11-201 for FC19
2.6.32-431.5.1 for EL6
fmem-kernel-objects-1.6-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, similar to /dev/mem but without its limitations.
The changes added support for the same kernels noted for lime.
ddrutility-2.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
ddru_findbad
ddru_ntfsbitmap
ddru_ntfsfindbad (NEW)
fcrackzip-1.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fcrackzip is a zip password cracker, similar to fzc, zipcrack and others.
It is intended to be free, fast, portable, and featureful.
undbx-0.21-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Undbx extracts, recovers and undeletes e-mail messages from
Outlook Express .dbx files.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
Note: In this release of SiLK (3.8.1-3), support for the IPA extensions has been removed.
It has been replaced by an optional repository, now part of cert-forensics-tools-release, named forensics-sip; its definition can be found in
/etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
When that script is run, the following additional packages are installed or updated:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm or
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.el6.x86_64.rpm - The only change to this release
is that it was built with the IPA IP address annotation system.
postgresql{,-contrib,-devel,-docs,-libs,-plperl,-plpython,-plpython3,-pltcl,-server,-test,-upgrade}-9.3.4-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm -
PostgreSQL is an advanced Object-Relational database management system (DBMS).
The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system.
These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection.
The PostgreSQL server can be found in the postgresql-server sub-package.
ipa{,-devel,-python}-0.5.2-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and
ipa{,-devel,-python}-0.5.2-3.{el6}.x86_64.rpm - IPA is an IP address annotation system.
IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access.
For more information, read the IPA documentation.
ip4r-2.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.el6.x86_64.rpm - IP4R
and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively.
They can be used as a more flexible, indexable version of the cidr type.
This version has been built for PostgreSQL version 9.3.4 for Fedora and version 9.2 for CentOS/RHEL using the CentOS
Software Collections Repository.
February 12, 2014:
The following have been released:
lime-kernel-objects-1.1.r16-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
The tool supports acquiring memory either to the file system of the device or over the network.
LiME is unique in that it is the first tool that allows full memory captures from Android devices.
It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more
forensically sound than those of other tools designed for Linux memory acquisition.
In addition, this package includes a script named CaptureMemoryWithLime and a corresponding man page that manages the installation of
the appropriate kernel object and dumps memory on the installed machine to the indicated file.
LiME can be used with Volatility as described
here to analyze memory as part of an investigation of digital assets.
LiME releases will track with fmem-kernel-objects as to the list of supported kernels.
fmem-kernel-objects-1.6-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, similar to /dev/mem but without its limitations.
The changes added support for the following kernels:
3.12.9-301 for FC20
3.12.8-300 for FC20
3.12.7-300 for FC20
3.12.8-200 for FC19
3.12.7-200 for FC19
2.6.18-371.4.1 for EL5
daq-2.0.2-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Here are the changes since the last version:
os-daq-modules/daq_ipfw.c: Don't treat being interrupted by a signal as an error.
README, configure.ac, os-daq-modules/daq_afpacket.c: Fix AFPacket DAQ module to attempt to reconstruct the automatically
stripped VLAN header prior to passing it to the reader. Also, use AFPacket TX Ring instead of sendto to improve TX performance.
(Requires a newer Linux kernel version, README and configure.ac updated to reflect this.)
disktype-9-15.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Disktype detects the content format of a disk or disk image.
This version is based on the standard version with support for
exfat,
LUKS,
f2fs,
btrfs, and
EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in
Menlo Park, CA.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.63-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
Here are the changes from the previous distributed version (0.6.61):
Daniel Gryniewicz found buffer overrun in LIST_COPY_TIME
Old dependency filter breaks file coloring
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for the list of the changes since the previous version (3.8.0).
analysis-pipeline-4.3.2-2.{fc17,fc18,fc9,fc20,el5,el6}.{i686,x86_64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.8.1-1.
silk-ipset-{devel,lib,tools}-3.8.11.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
sleuthkit{,-devel,-libs}-4.1.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 4.1.2:
Fixed bug that could crash UFS/ExtX in inode_lookup
More bounds checking in ISO9660 code
Image layer bounds checking
Update version of SQLITE-JDBC
Changed how Java loads native libraries
Config file for YAFFS2 spare area
New method in image layer to return names
Yaffs2 cleanup
Escape all strings in SQLite database
SQLite code uses NTFS sequence number to match parent IDs
snort-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
xmount-0.6.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following:
Added support for split DD input files.
Patch for newer libewf support (meaning packages newer than 20110903), courtesy Erik Uitto from the
Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
January 24, 2014:
The following have been released:
dff-1.3.0.20140123-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF)
is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++,
it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
Note that only Fedora 17, 18, 19, and 20 are supported in this release.
This release uses ffmpeg version 2.
This version is the developer version as of January 23, 2014.
Note that these packages have been placed in the forensics-test repository which must be enabled in the /etc/yum.repos.d/cert-forensics-tools.repo
by setting enabled to 1 (true).
January 22, 2014:
The following have been released:
analysis-pipeline-4.3.2-1.{fc17,fc18,fc9,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See the release notes for a list of changes.
ffmpeg{,-libs,-devel}-2.1.1-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - FFmpeg is a complete, cross-platform solution to record,
convert and stream audio and video. It includes libavcodec - the leading audio/video codec library.
These packages have been made available in support of dff.
dff-1.3.0-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++,
it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
Note that only Fedora 17, 18, 19, and 20 are supported in this release.
This release uses ffmpeg version 2.
fmem-kernel-objects-1.6-1.25.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, similar to /dev/mem but without its limitations.
The changes added support for the following kernels:
3.12.6-300 for FC20
3.12.5-302 for FC20
3.11.10-301 for FC20
3.12.6-200 for FC19
3.12.5-200 for FC19
3.11.10-200 for FC19
3.11.9-200 for FC19
3.11.8-200 for FC19
3.11.7-200 for FC19
3.11.10-100 for FC18
3.11.9-100 for FC18
3.11.7-100 for FC18
3.11.4-101 for FC18
2.6.32-431.3.1 for EL6
2.6.32-431.1.2.0.1 for EL6
2.6.32-431 for EL6
2.6.18-371.3.1 for EL5
guymager-0.7.3-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package.
See here for the list of changes.
netsa-rayon-1.4.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo.
It can also be used in wxPython GUI applications.
Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of
Pycairo (for static output) or wxPython (for GUI output).
See here for a list of changes.
python-rarfile-2.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Python-rarfile is a
Python module for RAR archive reading.
python-registry-1.0.1-1.{fc17,fc18,fc19,fc20}.{i386,x86_64}.rpm - Python-registry provides read-only access
to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced
study of the Windows Registry.
Python-registry is written in pure Python, making it portable across all major platforms.
pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
See here for a list of changes.
yaf{,-devel}-2.4.0-3.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface
using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into
serialized IPFIX message streams (IPFIX files) on the local file system.
These packages were rebuilt to remove support for p0f.
yara-2.0.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID to see whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (1.7.2):
Faster
Better multi-thread support
Rules can be saved in binary form
Volatility-2.3.1-2.el5.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes.
This version also includes the plugins from the Malware Analyst's Cookbook to version R134.
This version was rebuilt to use the latest version of yara.
xrdp-0.7.0-1.el6.{i386,x86_64}.rpm - XRDP is an open source Remote Desktop Protocol (RDP) server.
CentOS/RHEL 6 did not have such a server so this version was added and released through the repository.
CERT-Forensics-Tools-1.0-57.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
This package was updated to add the following:
analyzeMFT
hdparm
kracked, for Fedora and CentOS/RHEL 6 only
libpff-tools
snarf, for Fedora and CentOS/RHEL 6 only
super_mediator
vmfs-tools
January 16, 2014:
The following have been released:
Fedora 20 - The repository now supports Fedora 20
for the i686 and x86_64 CPU architectures.
Here is the list of tools provided for Fedora 20:
All other packages installed when the CERT-Forensics-Tools package is installed are taken from the Fedora 20
Release and
Updates repositories.
Note that the RPM Fusion repository is not required to install of the CERT Linux Forensics Tools.
Fedora 16 Support for Fedora 16 i686 and x86_64 architectures - Updates to Fedora 16 for
both the i686 and x86_64 CPU architectures has ceased.
January 8, 2014:
The following have been released:
cert-forensics-tools-release-{16,17,18,19,5.10,6}-9.noarch.rpm - These packages were added to provide the new
CERT Forensics Operations and Investigations Team key.
The fingerprint for this key is: 5FA3 2061 C4A0 F073 D6E7 3C1D BFCC 1527 ED92 ABE3.
You must do the following as root to install this new package before updating
existing packages installed from the repository:
yum update cert-forensics-tools-release
You can then do the following as root to install any other updates for your system:
yum update
In addition, all of the packages in the Fedora 16, 17, 18, 19, and RHEL/CentOS repositories have been resigned with this new key.
December 13, 2013:
The following have been released:
libewf{,-devel,-tools}-20131210-1.{fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm/{ewftools,libewf,libewf-devel}-20131210-1.fc19.{i686,x86_64}.rpm -
Libewf is a library for support of the Expert Witness Compression Format (EWF).
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that in Fedora 19, the tools package is named ewftools to reflect the package name found in the Fedora 19 release.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130416):
updated dependencies
worked on Python bindings
added libcthreads
fix in DFXML output for size values
worked on ewfmount
libfixbuf{,-devel}-1.4.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for the list of the changes since the previous version (3.7.2).
yaf{,-devel}-2.4.0-2.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm/yaf{,-devel}-2.2.1-5.el5.{i686,x86_64}.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
These packages were rebuilt to use libfixbuf version 1.4.0.
super_mediator-0.3.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This package was rebuilt to use libfixbuf version 1.4.0.
python-apsw-3.8.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw
is a Python wrapper for the SQLite embedded relational database engine.
In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
pytsk-20131124-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
See here for a list of changes.
yara-1.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID to see whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version (1.7):
BUGFIX: Regular expressions marked as both "wide" and "ascii" were treated as just "wide"
BUGFIX: Bug in "n of ()" operator
BUGFIX: Bug in get_process_memory could cause infinite loop
BUGFIX: Fix SIGABORT in ARM
BUGFIX: Failing to detect one-byte strings at the end of a file.
BUGFIX: Strings being incorrectly printed when marked both as wide and ascii
BUGFIX: Stack overflow while following circular symlinks
BUGFIX: Expression "/re/ matches var" always matching if "var" was an empty string
BUGFIX: Strings marked as "fullword" were incorrectly matching in some cases
yara-python-1.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Yara-python
is a Python extension that gives access to Yara's powerful features from Python scripts.
Here are the changes since the last version (1.7):
BUGFIX: Regular expressions marked as both "wide" and "ascii" were treated as just "wide"
BUGFIX: Bug in "n of ()" operator
BUGFIX: Bug in get_process_memory could cause infinite loop
BUGFIX: Fix SIGABORT in ARM
BUGFIX: Failing to detect one-byte strings at the end of a file.
BUGFIX: Strings being incorrectly printed when marked both as wide and ascii
BUGFIX: Stack overflow while following circular symlinks
BUGFIX: Expression "/re/ matches var" always matching if "var" was an empty string
BUGFIX: Strings marked as "fullword" were incorrectly matching in some cases
Volatility-2.3.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes.
This version also includes the plugins from the Malware Analyst's Cookbook to version R134.
See here for the list of recent changes.
November 18, 2013:
The following have been released:
device-mapper-multipath{,-libs,-sysvinit}-0.4.9-*.1.{fc16,fc17,fc18,fc19}.{i386,x86_64}.rpm, kpartx-0.4.9-*.1.{fc16,fc17,fc18,fc19}.{i386,x86_64},
device-mapper-multipath{,-libs}-0.4.9-64.1.el6.{i386,x86_64}.rpm, kpartx-0.4.9-64.1.el6.{i386,x86_64},
device-mapper-multipath-0.4.7-59.1.el5.{i386,x86_64}.rpm, kpartx-0.4.7-59.1.el6.{i386,x86_64} - Device-mapper-multipath
provides tools to manage multipath devices by instructing the device-mapper multipath kernel module what to do.
Of particular importance is kpartx, which reads the partition tables on the specified device and creates device maps over the partition segments it detects.
Unfortunately, kpartx as distributed fails if the specified device is not writable.
This version opens the specified device read-only which makes it more usable when dealing with read-only evidence.
This read-only change is the only change made to the latest distribution for each of Fedora 16-19, and CentOS/RHEL 5 and 6.
November 8, 2013:
The following have been released:
snort-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
sleuthkit{,-devel,-libs}-4.1.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 4.1.0:
Core
Fixed more visual studio projects to work on 64-bit
Added FILE_SHARE_WRITE to all windows open calls
Removed unused methods in CRC code that caused compile errors
Added NTFS FNAME times to time2 struct in TSK_FS_META to make them easier to access -- should have done this a long time ago!
fls -m and tsk_gettimes output NTFS FNAME times to output for timelines
hfind with EnCase hashsets works when DB is specified (and not only index)
TskAuto now goes into UNALLOC partitions by default too
Added support to automatically find all Cellebrite raw dump files given the name of the first image
Added 64-bit windows targets to VisualStudio files
Added NTFS sequence to parent address in directory and directory itself
Updated SQLite code to use sequence when finding parent object ID
Java
Added method to Image to perform sanity check on image sizes
Java bindings JAR files now have native libraries in them
Logical files are added with a transaction
fiwalk
Fixed compile error on Linux etc
analyzeMFT-2.0.11-1.1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses
the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
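Both the Sleuth Kit change above (FNAME times in timelines) and analyzeMFT rest on the same detail: every NTFS file record carries two sets of timestamps, one in $STANDARD_INFORMATION ($SI, the set the Win32 API lets a program rewrite) and one in $FILE_NAME ($FN, which is only rewritten by the file system itself). The following is an added example, not code from either project: it builds a single 1024-byte FILE record in memory (constructed data, with the update-sequence fixups applied the way NTFS writes them), parses it back, and compares $SI against $FN the way an analyst would when looking for timestomping. Record number, file name and timestamps are made up; the heuristics at the end ($SI earlier than $FN, $SI with a zero sub-second part) are the usual ones and are not claimed to be analyzeMFT's.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")
ATTR_END = 0xFFFFFFFF  # terminator following the last attribute of a record


def dt_to_filetime(dt):
    """Aware UTC datetime -> Windows FILETIME (100 ns ticks since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _resident_attr(atype, content, attr_id):
    """Resident attribute: 24-byte header, then content, total length rounded up to 8."""
    length = (0x18 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, attr_id,
                         len(content), 0x18, 0, 0)
    return header + content.ljust(length - 0x18, b"\x00")


def build_mft_record(name, si_times, fn_times, record_number, usn=0x1234):
    """Constructed 1024-byte in-use file record with $SI (0x10) and $FN (0x30).
    si_times/fn_times map TIME_KEYS to FILETIME ints. Fixups are applied as NTFS does."""
    si = struct.pack("<4QI", *[si_times[k] for k in TIME_KEYS], 0x20).ljust(48, b"\x00")
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *[fn_times[k] for k in TIME_KEYS],
                     4096, 3000, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = _resident_attr(0x10, si, 0) + _resident_attr(0x30, fn, 1) + struct.pack("<I", ATTR_END)
    first_attr = 0x38  # 48-byte header + 6-byte update sequence array, rounded up to 8
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, first_attr, 0x01,
                         first_attr + len(attrs), 1024, 0, 2, 0, record_number)
    rec = bytearray((header + bytes(8) + attrs).ljust(1024, b"\x00"))
    usa = struct.pack("<H", usn)  # USN, then the real last two bytes of each 512-byte sector
    for sector_end in (510, 1022):
        usa += bytes(rec[sector_end:sector_end + 2])
        rec[sector_end:sector_end + 2] = struct.pack("<H", usn)
    rec[0x30:0x36] = usa
    return bytes(rec)


def parse_mft_record(raw):
    """Parse one FILE record: verify and undo the fixups, collect $SI/$FN times and the name."""
    rec = bytearray(raw)
    magic, usa_off, usa_count = struct.unpack_from("<4sHH", rec, 0)
    if magic != b"FILE":
        raise ValueError("not a FILE record (BAAD or unused slot?)")
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        sector_end = 512 * i - 2
        if rec[sector_end:sector_end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn write or corruption" % (i - 1))
        rec[sector_end:sector_end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02)}
    off = first_attr
    while off + 4 <= len(rec):
        atype = struct.unpack_from("<I", rec, off)[0]
        if atype == ATTR_END:
            break
        length, non_resident = struct.unpack_from("<IB", rec, off + 4)
        if length == 0:
            raise ValueError("zero-length attribute at offset %d" % off)
        if not non_resident:  # $SI and $FN are always resident; other content is skipped here
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + csize])
            if atype == 0x10:
                info["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 0)))
            elif atype == 0x30:
                info["fn"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 8)))
                info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
        off += length
    return info


def timestomp_indicators(info):
    """Heuristics: a $SI time earlier than its $FN counterpart, or a $SI time with no sub-second part."""
    findings = []
    for key in TIME_KEYS:
        si, fn = info["si"][key], info["fn"][key]
        if si < fn:
            findings.append("%s: $SI %s predates $FN %s" % (key, filetime_to_dt(si), filetime_to_dt(fn)))
        if si % 10_000_000 == 0:
            findings.append("%s: $SI %s has a zero sub-second part" % (key, filetime_to_dt(si)))
    return findings


def demo():
    """Constructed case: $SI creation time pushed back to 2009, everything else left real."""
    real = dt_to_filetime(datetime(2013, 9, 17, 14, 3, 27, 123456, tzinfo=timezone.utc))
    fn_times = dict.fromkeys(TIME_KEYS, real)
    si_times = dict(fn_times, created=dt_to_filetime(datetime(2009, 1, 1, tzinfo=timezone.utc)))
    info = parse_mft_record(build_mft_record("report.docx", si_times, fn_times, record_number=64))
    return info, timestomp_indicators(info)


if __name__ == "__main__":
    info, findings = demo()
    print(info["record"], info["name"], "in use" if info["in_use"] else "deleted")
    for key in TIME_KEYS:
        print("%-13s $SI %s  $FN %s" % (key, filetime_to_dt(info["si"][key]), filetime_to_dt(info["fn"][key])))
    for finding in findings:
        print("!", finding)
```

The fixup check is not optional: a parser that skips it reads the update sequence number in place of the last two bytes of each sector, and a mismatch is itself evidence (a torn write or a record that was never valid). The $SI/$FN comparison is only an indicator; legitimate operations (restores, copies, some installers) also produce $SI times earlier than $FN times, so corroborate with $LogFile/$UsnJrnl before concluding anything.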
Volatility-2.3-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See here for a list of changes.
This version also includes the plugins from the Malware Analyst's Cookbook to version R134.
See here for the list of recent changes.
fmem-kernel-objects-1.6-1.24.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, which behaves like /dev/mem but without its limitations: the kernel's restriction on reading physical RAM
through /dev/mem (CONFIG_STRICT_DEVMEM) does not apply, so the whole of physical memory can be acquired for analysis.
The changes added support for the following kernels:
3.11.6-201 for FC19
3.11.6-200 for FC19
3.11.4-201 for FC19
3.11.3-201 for FC19
3.11.2-200 for FC19
3.11.1-200 for FC19
3.10.11-200 for FC19
3.10.10-200 for FC19
3.10.9-200 for FC19
3.10.7-200 for FC19
3.10.6-200 for FC19
3.10.5-201 for FC19
3.10.4-300 for FC19
3.11.4-101 for FC18
3.10.14-100 for FC18
3.10.13-101 for FC18
3.10.12-100 for FC18
3.10.11-100 for FC18
3.10.10-100 for FC18
3.10.9-100 for FC18
3.10.7-100 for FC18
3.10.6-100 for FC18
3.10.4-100 for FC18
2.6.32-358.23.2 for EL6
2.6.32-358.18.1 for EL6
2.6.18-348.18.1 for EL5
2.6.18-371.1.2 for EL5
September 17, 2013:
The following have been released:
postgresql{,-contrib,-devel,-libs,-plperl,-plpython,-server}-9.3.0-1PGDG.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - PostgreSQL
is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to
access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the
PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the
postgresql93-server sub-package.
pgadmin3_93-1.18.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - pgAdmin
III is a powerful administration and development platform for the PostgreSQL database, free for any use.
It is designed to answer the needs of all users, from writing simple SQL queries to developing complex
databases. The graphical interface supports all PostgreSQL features and makes administration easy.
ipa{,-devel,-python}-0.5.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - IPA
is an IP address annotation system.
IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access.
For more information, read the IPA documentation.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This version has support for the IPA library.
ip4r93-2.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - ip4
and ip4r are types that hold a single IPv4 address and a range of IPv4 addresses respectively.
They can be used as a more flexible, indexable version of the cidr type.
This version has been built for PostgreSQL version 9.3.
ghostpdl-9.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
testdisk-6.14-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free
data recovery software. It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). This package also contains PhotoRec,
file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the
"Photo Recovery" name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
This version correctly specifies the version of libntfs-3g.so.
partclone-0.2.48-4.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the correct version of libntfs-3g.so.
libbde{,-devel,-python,-tools}-20130908-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the support formats, protection methods, and additional features.
Here are the changes for this release:
updated dependencies
added libcthreads build support
updated msvscpp files
bug fixes
code clean up
pytsk-20130910-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk
provides Python bindings for The Sleuth Kit.
See here for a list of changes.
September 2, 2013:
The following have been released:
dd_rescue-1.40-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previous distributed version (1.34):
Release 1.40-1
It brings copying of extended attributes (with -p/--preserve). It doubles the default soft
block size for buffered IO, but brings sparse write optimization for half-empty blocks.
It also optimizes copying by using the first write to get rid of odd file offsets. It
also adds a lot more test cases to make check.
Release 1.39-1
It fixes an issue where a copied file could be appended zeros if hardblocksize copy was used
(e.g. b/c hardbs==softbs, bnc #833765). There's also a bit better ARM asm optimization,
yielding a ~15% performance increase. There's also a help/manpage clarification that
syncfreq actually is a size. And we use autoconf now to determine the target system
features. Default build target now uses libdl.
Release 1.38-1
Improving SSE sparse detection performance (by 40%), adding a testcase for the 1.35/1.36
bug and run it in make check. There's even an AVX version, but it's not enabled by
default, as it's untested. --force/-f now allows ignoring a non-zero output position
on non-seekable output, and the curr.rate and ETA calculations have improved a bit.
Release 1.37-1
Fixing an issue with SSE2 sparse detection, which could spuriously detect zero-filled
blocks and thus result in corrupted copies if option -a was used. (This would happen for
blocks that had no bytes with the uppermost bit set, such as e.g. ASCII text.) Embarrassing!
Also fixed issues on big-endian machines (although these were inconsequential for dd_rescue).
Release 1.36-1
It fixes an overflow issue with the number output for long running
dd_rescue processes. SSE2 is now also enabled in x86 (32bit, with runtime detection) and
an optimized ARM version (assembler yeah!) to find zero blocks was added.
Release 1.35-1
It had some improvements on the output that it prints -- beyond internal improvements it introduces
colours to the output unless the terminal type is clearly dumb; there is also an option to control this.
Numbers are highlighted for readability. Output is rate limited (10/s). 1.35 also brings a simple
rewrite logic for handling write errors. There's an SSE2 optimized version to find
zero blocks for sparse writing.
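The 1.37 fix above is worth understanding, because it is the classic way a sparse-copy optimisation corrupts an image: the SSE2 zero-block test looked only at the sign bit of each byte (what a movemask over the raw data yields), so any block whose bytes were all below 0x80, e.g. plain ASCII, was "zero" and was skipped instead of written. The following added example, not dd_rescue's code, models that faulty check next to the correct one in pure Python, runs both through a small sparse copier over constructed input (an ASCII block, a zero block, a block with high-bit bytes, a trailing zero block), and shows why the copy must always be hash-verified afterwards. Block size and sample data are arbitrary choices for the demonstration.

```python
import hashlib
import io

BLOCK_SIZE = 512  # arbitrary for the demonstration


def is_zero_block_buggy(block):
    """Models the faulty SSE2 check: only the top bit of each byte is inspected,
    so any block of bytes below 0x80 (ASCII text included) passes as 'all zero'."""
    return all(b & 0x80 == 0 for b in block)


def is_zero_block(block):
    """Correct check: every byte must compare equal to zero."""
    return not any(block)


def sparse_copy(src, dst, is_zero, block_size=BLOCK_SIZE):
    """dd_rescue -a style copy: write non-zero blocks, seek over zero blocks to leave holes.
    Returns (blocks_written, blocks_skipped)."""
    src.seek(0)
    dst.seek(0)
    written = skipped = 0
    last_was_hole = False
    while True:
        block = src.read(block_size)
        if not block:
            break
        if is_zero(block):
            dst.seek(len(block), io.SEEK_CUR)  # leave a hole instead of writing zeros
            skipped += 1
            last_was_hole = True
        else:
            dst.write(block)
            written += 1
            last_was_hole = False
    if last_was_hole:  # a trailing hole must still extend the output to its full size
        dst.seek(-1, io.SEEK_CUR)
        dst.write(b"\x00")
    return written, skipped


def demo():
    """Constructed input, copied once with each detector.
    Returns {label: (blocks_written, blocks_skipped, copy_matches_source)}."""
    ascii_block = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n".ljust(BLOCK_SIZE, b" ")
    binary_block = bytes(range(256)) * 2  # contains bytes with the top bit set
    zero_block = bytes(BLOCK_SIZE)
    source = ascii_block + zero_block + binary_block + zero_block
    expected = hashlib.sha256(source).hexdigest()
    results = {}
    for label, detector in (("buggy", is_zero_block_buggy), ("fixed", is_zero_block)):
        dst = io.BytesIO()
        written, skipped = sparse_copy(io.BytesIO(source), dst, detector)
        copy_ok = hashlib.sha256(dst.getvalue()).hexdigest() == expected  # verify every copy
        results[label] = (written, skipped, copy_ok)
    return results


if __name__ == "__main__":
    for label, (written, skipped, ok) in demo().items():
        print("%-5s written=%d skipped=%d copy %s" % (label, written, skipped, "OK" if ok else "CORRUPT"))
```

With the faulty detector the ASCII block is silently replaced by a hole, the block count still looks plausible, and only the hash comparison reveals the damage. That is the practitioner's takeaway from the 1.37 entry: a sparse or "skip zeros" mode changes what gets written, so an acquisition made with it needs an independent hash of source and destination, not just a clean exit status.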
python-apsw-3.8.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw
is a Python wrapper for the SQLite embedded relational database engine.
In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
pytsk-20130826-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk
provides Python bindings for The Sleuth Kit.
See here for a list of changes.
regripper-28000000-4.{fc16,fc17,fc18,fc19,el5,el6}.noarch.rpm - Regripper is a
Windows Registry data extraction and correlation tool.
This package contains version 2.8 of the regripper tool. The plugins are packaged separately.
This release contains version 08-26-13 of the auto_rip.pl script.
See here for more details about this script.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
Here are the changes from the previous version (3.7.1):
PySiLK changes
Add IPSet.is_ipv6() and IPSet.convert() methods.
Fix a bug when saving an IPv6-IPset that contains only IPv4 addresses.
IPset bug fixes
Fix bugs when computing the union or intersection of an IPv4-IPset and an IPv6-IPset that contains only IPv4 addresses.
rwfilter bug fixes
Fix a spurious warning when loading an IPset.
Fix a memory issue during shutdown when an argument to one of the --*cidr switches (--scidr, --dcidr, etc) is mistyped.
rwflowpack, flowcap bug fixes
Fix a bug where the daemon failed to read TCP flags contained in a SubTemplateMultiList when reading IPFIX data over the network.
Fix a memory leak when receiving IPFIX data containing a SubTemplateList or a SubTemplateMultiList.
silk-ipset-{devel,lib,tools}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
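The PySiLK additions (IPSet.is_ipv6(), IPSet.convert()) and the IPset fixes for unions and intersections of an IPv4 set with an "IPv6" set holding only IPv4 addresses all circle the same pitfall: the same host can appear as 10.0.0.1 in one set and as the IPv4-mapped ::ffff:10.0.0.1 in another, and set operations on the raw representations neither merge nor match them. The page does not say what went wrong inside SiLK, so the following is an added illustration of the general problem, not SiLK's or PySiLK's code: a hypothetical IPSet class built on Python's ipaddress module that keeps members in a canonical form, next to the naive behaviour you get without it. Sample addresses are constructed.

```python
import ipaddress


def canonical(addr):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4,
    so a host has one representation whichever family's set it came from."""
    if isinstance(addr, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        a = addr
    else:
        a = ipaddress.ip_address(addr)
    if a.version == 6 and a.ipv4_mapped is not None:
        return a.ipv4_mapped
    return a


class IPSet:
    """Hypothetical set of addresses kept in canonical form (not PySiLK's IPSet)."""

    def __init__(self, addrs=()):
        self.addrs = frozenset(canonical(a) for a in addrs)

    def __len__(self):
        return len(self.addrs)

    def is_ipv6(self):
        """True only if the set holds a native IPv6 address; mapped IPv4 does not count."""
        return any(a.version == 6 for a in self.addrs)

    def convert(self, version):
        """Return the members as a sorted list in the requested family.
        IPv4 members become ::ffff:a.b.c.d for version 6; native IPv6 cannot become IPv4."""
        if version == 6:
            return sorted(a if a.version == 6 else ipaddress.IPv6Address("::ffff:" + str(a))
                          for a in self.addrs)
        if self.is_ipv6():
            raise ValueError("set holds native IPv6 addresses and cannot be converted to IPv4")
        return sorted(self.addrs)

    def union(self, other):
        return IPSet(self.addrs | other.addrs)

    def intersection(self, other):
        return IPSet(self.addrs & other.addrs)


def demo():
    """Constructed sets: an IPv4 set and an 'IPv6' set that contains only IPv4 hosts."""
    v4_text = ("10.0.0.1", "10.0.0.2")
    v6_text = ("::ffff:10.0.0.1", "::ffff:10.0.0.3")
    v4_set, v6_set = IPSet(v4_text), IPSet(v6_text)
    # Naive version: raw ipaddress objects, where IPv4Address('10.0.0.1') != IPv6Address('::ffff:10.0.0.1')
    naive_v4 = {ipaddress.ip_address(a) for a in v4_text}
    naive_v6 = {ipaddress.ip_address(a) for a in v6_text}
    return {
        "naive_union": len(naive_v4 | naive_v6),          # 10.0.0.1 counted twice
        "naive_intersection": len(naive_v4 & naive_v6),   # the shared host is missed
        "union": len(v4_set.union(v6_set)),
        "intersection": len(v4_set.intersection(v6_set)),
        "v6_set_is_ipv6": v6_set.is_ipv6(),               # False once canonicalised
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-19s %s" % (key, value))
```

The design choice is to canonicalise at insertion rather than at comparison time: every operation then works on one representation, and is_ipv6() answers the question an analyst actually has (does this set contain addresses that cannot be expressed in IPv4?) instead of reporting how the file happened to be stored. When exchanging IPset files between tools, check which convention the other tool uses for mapped addresses before trusting a union or intersection count.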
August 26, 2013:
The following have been released:
libvshadow{,-devel,-tools,-python}-20130723-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
fixes for 32-bit WINAPI build of pyvshadow in file object glue code
Changes for stand-alone libbfio build
updated msvscpp files
remove unnecessary restriction in library include headers
updated dependencies
daq-2.0.1-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
Here are the changes since the last version:
daq_dump.c, daq_ipfw.c, daq_ipq.c, daq_nfq.c:
Ensure verdict is in range before bumping peg counts.
Thanks to John Menerick for reporting the issue.
snort-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
dd_rescue-1.34-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however,
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previous distributed version (1.33):
This version provides better support for various *nix systems (specifically, a few fixes for FreeBSD) and
better compatibility with compilers (clang, g++ and clang++). It can now also load libfallocate at runtime (via libdl)
and detects a few more fatal write errors as such.
ddrescue-1.17-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes from the previous distributed version (1.16):
Added new option -l, --logfile-size.
Added new option -w, --ignore-write-errors.
Option --fill has been renamed to --fill-mode.
Option --generate-logfile has been renamed to --generate-mode.
Added option --sector-size as a synonym of --block-size.
Added option --retries as a synonym of --max-retries.
Added option --size as a synonym of --max-size.
rescuebook.cc: Trimming is now done from both edges of each non-trimmed block. Largest blocks are trimmed first.
rescuebook.cc: Largest blocks are now split first until logfile reaches --logfile-size entries.
logbook.cc (extend_sblock_vector, truncate_vector): Terminate if truncation would discard finished blocks.
rescuebook.cc: Mark failed blocks with 1 sector as bad-sector.
logbook.cc (extend_sblock_vector): Remove last block of logfile if it starts at isize and is not marked as finished.
io.cc (show_status,update_rates): Detect a jump back in time and adjust status.
ddrescue.h (slow_read): Return false for the first 10 seconds.
io.cc (show_status) Leave cursor after message so that ^C does not overwrite it.
main.cc: Do not require --force for generate mode.
ddrescue.h (Logbook::logfile_exists): Do not return false if logfile exists but is empty.
Added new chapter 'Using ddrescue safely' to the manual.
Documented that 'direct disc access' only reads whole sectors.
configure: Options now accept a separate argument.
Makefile.in: Added new target install-bin.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.61-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
Here are the changes from the previous distributed version (0.6.60):
Move documentation to unversioned directory
netsa-rayon-1.4.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo.
It can also be used in wxPython GUI applications.
Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of
Pycairo (for static output) or wxPython (for GUI output).
See here for a list of changes.
snarf{,-devel,-python}-0.2.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
Here are the changes:
Initial release to open source community.
Additional documentation.
Bug fixes.
ghostpdl-9.09-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
ssdeep-2.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
testdisk-6.14-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free
data recovery software. It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). This package also contains PhotoRec,
file data recovery software designed to recover lost files, including video, documents and archives, from hard disks and CD-ROMs, and lost pictures (hence the
"Photo Recovery" name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
Here are the changes from the last version (6.13):
General Improvements
The log file generated by the Windows version (cygwin) reports bad sectors in a more readable fashion, example
ReadFile Data error (cyclic redundancy check).
As openssl isn't used, don't link with this cryptographic library (Debian tries to avoid mixing GPL code and openssl)
TestDisk
Improvements
testdisk /list now displays the disk model, serial number, firmware version and hpa or dco presence if detected
Recover WBFS (Wii Backup File System) partition
Make FAT RebuildBS work when there is a single FAT table
Interface: Display the partition table type if autodetected
Interface: modified warning about mismatching geometry between FAT or NTFS boot sector and HD geometry information (Debian #651756)
Interface: Remove "Allow partial last cylinder" option
Bug fixes
Fix crc in EFI backup GPT
Rewrote how TestDisk aligns partitions on a cylinder or 1MB boundary. This avoids creating a partition entry whose partition ends after the end of the disk.
Fix thumbs.db recovery, avoid some false positives with .doc
Interface: if fewer than 10 file families are enabled, display the results even if none have been found yet
New file formats:
.aep After Effects
.axx AxCrypt
.dp Designer, a Photobook Designer Software
.lzh archive
.mmap MindManager
.plt Gerber Graphix Advantage
.prproj Adobe Premiere project
.psb Adobe Photoshop Image
.pts PTGui, panoramic stitching software
.qcp The QCP File Format and Media Types for Speech Data (RFC3625)
.shn Shorten audio file
.snt Windows Sticky Notes
.ttd TinyTag Data
.wallet Armory bitcoin wallet
.wim Windows imaging (WIM) image
Bug fixes
Fix an endless loop during .caf file recovery
Fix tiff recovery including some raw file formats, 64-bit version wasn't affected
August 1, 2013:
The following have been released:
CERT-Forensics-Tools-1.0-55.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
For Fedora 19, use ewftools.
For all else, use libewf-tools and obsolete ewftools.
libbfio{,-devel}-20120425-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
Here are the changes:
add VC_EXTRALEAN to config_msc.h
add autoconf/make test suite
add callback function to resize memory range if needed?
additional checks for system strings
allow re-set of pool entries?
bug fix for POSIX wide character support in path functions
check if libbfio.3 is up to date
code clean up
fixed memory leak due to recent changes
remove deprecated functions in libbfio_legacy.[ch]
removed deprecated functions
updated .pc and .spec file
updated codegear files
updated common
updated configure.ac
updated configure.ac and m4 files
updated dependencies
updated gettext
updated libcstring, libuna
updated libuna
updated list type, offset list
updated msvscpp and borlandc files
updated msvscpp files
updated spec and pc files
what about disk full on write
wide to narrow (ASCII with codepage) conversion
worked on absolute path support with /../
worked on file range back end
worked on full file name support for open on demand
worked on full path functions
worked on libcfile rewrite
worked on libcpath rewrite
libpff-20120802-2.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal
Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF - the Digital Forensics Framework.
See the libpff website for the list of changes.
dff-1.3.0-3.{fc17,fc18,fc19}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers
and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user
interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, and 19 are supported in this release.
Here are the changes (thanks to Danil Bazin for the bug report and suggested fixes):
Added a dynamic loader configuration file, activated when dff is installed and deactivated when dff is uninstalled.
Added missing PyQt4 dependency.
Added missing reglookup dependency.
Added the __init__.py file needed for searching.
Recompiled with the latest libbfio and libpff libraries.
Installed the ffmpeg-devel package from RPMFusion to add video support to dff.
This required the installation of these additional packages, all also from RPMFusion:
ffmpeg-libs
librtmp
x264-libs
xvidcore
fmem-kernel-objects-1.6-1.23.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
the device /dev/fmem, which behaves like /dev/mem but without its limitations: the kernel's restriction on reading physical RAM
through /dev/mem (CONFIG_STRICT_DEVMEM) does not apply, so the whole of physical memory can be acquired for analysis.
The changes added support for the following kernels:
2.6.32-358.11.1 for EL6
3.9.8-108 for FC17
3.9.10-100 for FC17
3.9.5-201 for FC18
3.9.6-208 for FC18
3.9.9-201 for FC18
3.9.10-200 for FC18
3.9.11-200 for FC18
3.9.5-301 for FC19
3.9.9-302 for FC19
3.10.3-300 for FC19
libbde{,-devel,-python,-tools}-20130729-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the support formats, protection methods, and additional features.
Here are the changes for this release:
updated dependencies
pybde fixes for >2G file objects in BFIO glue code
worked on git support
updated dependencies
fixed some typos
fix for dealing with padding in FVE metadata block
partclone-0.2.48-3.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the latest libntfs-3g shared library, bringing all of the releases to the same release level.
recoll-1.19.4-2.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Recoll
is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names.
See here for a list of changes in this version.
In addition, tar archives have been enabled and the epub, pstotext, and aspell packages have been added as required packages.
stegdetect-0.6.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - stegdetect is an automated tool for detecting steganographic content in images.
This package was rebuilt to remove compiler optimization, the inclusion of which caused stegdetect to crash.
Thanks to Pete Troxell for the bug reports and suggested fixes.
kracked-0.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Kracked is a tool that creates word lists from files, memory captures for example.
{vmfs-tools,libvmfs-devel}-0.2.5-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - VMfs-tools is a collection of
command-line tools for operating on VMware's VMFS file system.
Included in this release is limited VMFS version 5 support.
August 6, 2013:
The following have been released:
Fedora 19 -
The repository now supports Fedora 19 for the i686 and x86_64 CPU architectures.
Fedora 15 -
Updates to Fedora 15 for the i686 and x86_64 CPU architectures have ceased.
July 10, 2013:
The following have been released:
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.60-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
sleuthkit{,-devel,-libs}-4.1.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 4.0.2:
Core
Added YAFFS2 support (patch from viaForensics).
Added Ext4 support (patch from kfairbanks)
changed all include paths to be 'tsk' instead of 'tsk3' (IMPORTANT FOR ALL DEVELOPERS!)
Framework
Added Linux and MAC support.
Added L01 support.
Added APIs to find files by name, path and extension.
added a public method to Content to add ability to close() its tsk handle before the object is gc'd
added faster skip() and random seek support to ReadContentInputStream
refactored datamodel by pushing common methods up to AbstractFile
fixed minor memory leaks
improved regression testing framework for java bindings datamodel
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See the release notes for a list of changes since the previous version, 2.5.0.
analysis-pipeline-4.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See the release notes for a list of changes since the previous version, 3.0.0.
silk-ipset-{devel,lib,tools}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
super_mediator-0.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Super_mediator
is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
netsa-python-1.4.3-1.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Netsa-python is a
library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the
netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line
processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes).
Netsa-python is compatible with Python versions 2.4 and greater.
See here for a list of the changes since the last release which was version 1.3.
netsa-rayon-1.4.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo.
It can also be used in wxPython GUI applications.
Netsa-rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of
Pycairo (for static output) or wxPython (for GUI output).
See here for a list of changes.
snarf{,-devel,-python}-0.2.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system.
Applications can use snarf's C and Python APIs to construct and send network alert messages,
which can then be routed to multiple destinations in a configurable manner.
prism-1.2-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism
trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
This is a new release keeping up with the latest SiLK 3 tools.
CERT-Forensics-Tools-1.0-54.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
Added libbde-tools for all supported architectures
Added libfvde-tools for all supported architectures
Added libvhdi-tools for all supported architectures
Obsoletes rayon and replaces it with netsa-python
pytsk-2012113-3.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for
The Sleuth Kit.
This release has been rebuilt to use version 4.1.0 of The Sleuth Kit.
June 17, 2013:
The following have been released:
aff{lib,lib-devel,tools}-3.7.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
This version now uses the correct version of libewf-devel.
testdisk-6.13-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
This version now uses the correct version of libewf-devel.
libbde{,-devel,-python,-tools}-20130422-1.fc18.{i686,x86_64}.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
The supported BDE formats are:
BitLocker Windows Vista
BitLocker Windows 7
BitLocker Windows 8 (Consumer Preview)
BitLocker To Go
The supported protection methods are:
clear key
password
recovery password
start-up key
FVEK and/or TWEAK key data
The additional features are:
support for partial encrypted volumes
zeros out the BDE metadata, matches behavior seen on Windows
libfvde{,-devel,-tools}-20130422-1.fc18.{i686,x86_64}.rpm - Libfvde is a library and tools to access FileVault Drive
Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
The supported FileVault2 implementations are:
Mac OS X Lion
Mac OS X Mountain Lion
The supported encryption volume types are:
removable media volume (initial support as of 20121113 version)
system volume
The supported protection methods are:
password
recovery password
VMK key data (as of 20121114 version)
The development in progress work areas are:
extend CoreStorage volume support
partial encrypted volumes
libvhdi{,-devel,-python,-tools}-20130512-1.fc18.{i686,x86_64}.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
Note that this project has an experimental status.
The supported formats for reading are:
VHD version 1
The supported image types are:
Fixed-size hard disk image
Dynamic-size (or sparse) hard disk image
The image types currently not supported are:
Differential (or differencing) hard disk image
The areas for work in progress are:
Differential image support
Dokan library support
June 6, 2013:
The following have been released:
python-apsw-3.7.17-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw
is a Python wrapper for the SQLite embedded relational database engine.
In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
libewf{,-devel,-tools}-20130416-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130128):
added error tolerance for Logicube image with missing checksum in data section
bug fix in libcfile.m4 for building on MingW and Cygwin
changes and fixes in debug output
changes to zlib.m4 for adler32 detection
code clean up
fix in libsmdev for MinGW build
fixed maximum number of segments
fixed unknown symbols error related to libbfio
moved README.mingw and README.static to wiki
sync with experimental version
updated codegear files
updated dependencies
updated msvscpp files
updated types.h
updates for libsmdev
worked on libcdata integration
fmem-kernel-objects-1.6-1.22.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following kernels:
3.9.4-200 for FC18
3.9.2-200 for FC18
3.8.13-100 for FC17
3.8.12-100 for FC17
2.6.32-358.6.2 for EL6
2.6.18-348.6.1 for EL5
May 23, 2013:
The following have been released:
libvshadow{,-devel,-tools,-python}-20130509-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version.
added libcthreads
added libvshadow_volume_get_store_identifier function
added store read from file IO handle function
changes to read block descriptors on demand improves vshadowinfo performance
fixed issue in read buffer due to recent changes
fixes for multiple open/close on the same volume object
slight improvement of error tolerability of catalog parsing
vshadowmount small changes
worked on multi-threading support
worked on multi-threading support
worked on multi-threading support
worked on tests
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.59-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
regripper-28000000-3.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This package contains version 2.8 of the regripper tool. The plugins are packaged separately.
This release contains the auto_rip.pl script.
See here for more details about this script.
May 14, 2013:
The following have been released:
ADIA - These items are VMware and VirtualBox-based forensic appliances built with Fedora 17 for the i686 and x86_64 architectures.
Please note that they are not live CDs.
See here for more details.
May 7, 2013:
The following have been released:
partclone-0.2.48-3.el6.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release (3) was built to use the latest libntfs-3g shared library which comes from the fuse-ntfs-3g package. It has only been rebuilt for
RHEL/CentOS 6 to fix a conflict with this shared library.
prism-1.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism
trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
The changes in this version are the following:
Added new wsgi web UI.
Filter DeprecationWarnings to prevent user confusion.
Correct runtime dependencies.
rayon-1.3.3-2.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Rayon is a Python library and set of tools for generating
basic two-dimensional statistical visualizations. Rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications.
Rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output).
This version has been rebuilt to more precisely define the build and operational dependencies.
libvshadow{,-devel,-tools,-python}-20130501-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
added initial version of qcowmount with Dokan library support
yaf{,-devel}-2.4.0-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS.
Here are the changes since the last version:
New HTTP DPI Fields
Updated DPI Elements
Bug Fix to not replace yaf.conf on install
New application label: VMware server console
Added support to decode ERSPAN headers
Drop statistics are updated when statistics messages are exported
yafcollect bug fix
Other Bug Fixes
fmem-kernel-objects-1.6-1.21.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following kernels:
3.8.11-200 for FC18
3.8.11-100 for FC17
April 30, 2013:
The following have been released:
regripper-28000000-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This package contains version 2.8 of the regripper tool. The plugins are packaged separately.
See the Update History for a list of the changes made since the last release (20130404).
regripper-plugins-20130429-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application.
See the Update History for the list of changes made in this release.
fmem-kernel-objects-1.6-1.20.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following kernels:
3.8.9-200 for FC18
3.8.8-203 for FC18
3.8.8-202 for FC18
3.8.8-100 for FC17
2.6.32-358.6.1 for EL6
2.6.18-348.4.1 for EL5
April 26, 2013:
The following have been released:
scalpel-2.0-2.el5.{i686,x86_64}.rpm - This package was updated to reflect the new version of the regular expression matching library tre.
Note that this change is only for RHEL/CentOS 5.
snort-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
libvshadow{,-devel,-tools,-python}-20130417-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
added tests directory
bug fix in dependencies
code clean up
pyvshadow updates
updated README files
updated dependencies
updates and bug fixes in pyvshadow
vshadowtools now detect if there is a VSS signature first and bail out with a different error if not
April 22, 2013:
The following have been released:
snort-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
regripper-plugins-20130404-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application.
The plugins added are the following:
NOTE: these are the packager's comments on what is new in this release, not the authors'.
NEW PLUGIN attachmgr.pl The Windows Attachment Manager manages how attachments are handled, and settings are on a per-user basis. Malware has been shown to access
these settings and make modifications.
NEW PLUGIN javasoft.pl Gets contents of JavaSoft/UseJava2IExplorer value
NEW PLUGIN lsa_packages.pl Lists various *Packages key contents beneath LSA key
NEW PLUGIN olsearch.pl Gets contents of user's OutLook Searches
NEW PLUGIN outlook2.pl Gets MAPI (Outlook) settings *BETA*
NEW PLUGIN photos.pl Read data on images opened via Win8 Photos app
NEW PLUGIN scanwithav.pl Checks ScanWithAV value in Software hive, per KB 883260
NEW PLUGIN uac.pl Get User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
UPDATE appinitdlls.pl updated to address 64-bit systems
UPDATE ares.pl updated based on data provided by J. Weg
UPDATE ie_settings.pl added "AutoConfigURL" value info
UPDATE inprocserver.pl fixed retrieving LW time from correct key
UPDATE landesk.pl added Wow6432Node path
UPDATE sevenzip.pl minor updates added
UPDATE soft_run.pl updated to include Policies keys; added additional keys
UPDATE ssh_host_keys.pl Added rptMsg for key not found errors by Corey Harrell
UPDATE termserv.pl updated with autostart locations
UPDATE user_run.pl added additional keys; updated to include Policies keys; updated to include additional keys; updated to include 64-bit, additional keys/values
UPDATE winlogon_u updated with ThreatExpert info
UPDATE winscp_sessions.pl Added rptMsg for key not found errors by Corey Harrell
NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
bloom-1.4.6-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Bloom
is an NPS bloom filter package that includes the frag_find utility.
This version removes the frag_find tool which is now packaged separately.
frag_find-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Frag_find
is a program for finding blocks of one or more MASTER files in a disk IMAGE file.
This is useful in cases where a MASTER file has been stolen and you wish to establish that the file has been present on a subject's drive.
If most of the MASTER file's sectors are found on the IMAGE drive---and if the sectors are in consecutive sector runs---then the chances are excellent that the file was once there.
CERT-Forensics-Tools-1.0-53.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
add frag_find for all supported architectures
disktype-9-9.3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Disktype detects the content format of a disk or disk image.
This release corrects a package building error dealing with release numbering.
fmem-kernel-objects-1.6-1.19.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following kernels:
cert-forensics-tools-release-5.9-8.noarch.rpm - This package was added to correct a configuration problem where the package could not be installed on all RHEL/CentOS-5 systems.
April 3, 2013:
The following have been released:
dd_rescue-1.33-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue, however, does
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previous distributed version (1.31):
This version brings long options, a new double overwrite mode (-2) and a man page.
fmem-kernel-objects-1.6-1.18.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following Fedora kernels:
3.8.5-201 for FC18
3.8.4-102 for FC17
python-apsw-3.7.16.1_r1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine.
In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
yara-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input.
Here are the changes since the last version:
faster compilation
added support for modulus (%) and bitwise xor (|) operators
better hashing of regular expressions
BUGFIX: yara-python segfault when using dir() on Rules and Match classes
BUGFIX: Regular expressions not matching at the end of the file when compiled with RE2
BUGFIX: Memory leaks
BUGFIX: File handle leaks
yara-python-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara-python is a Python extension that
gives access to YARA's powerful features from Python scripts.
See the changes for yara above.
March 26, 2013:
The following have been released:
guymager-0.7.1-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.13):
Duplicate image creation
New RunStats module
New job queue mechanism - Note that because of this capability and the version of qt-devel on RHEL/CentOS 5, this version of guymager is not available on RHEL/CentOS 5
New userfield
New configuration table for main Guymager table
New font configuration
New cfg table HiddenDevices
New configuration parameter CommandAcquisitionEnd
Writing hidden area info into info file
Gray out rescan button when scan is running
In order to avoid the "contagious error", DirectIO is switched on in fallback mode.
Removed race condition where write thread would write hash into image before it has been calculated by hash thread.
SHA-1 support added
fmem-kernel-objects-1.6-1.17.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following Fedora kernels:
3.8.4-202 for FC18
3.8.3-203 for FC18
3.8.2-206 for FC18
3.8.3-103 for FC17
March 12, 2013:
The following have been released:
disktype-9-9.2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Disktype detects the content format of a disk or disk image.
This release corrects a package building error dealing with libewf.
libfixbuf{,-devel}-1.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
yaf{,-devel}-2.3.3-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS.
This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
yaf{,-devel}-2.2.1-4.{el5}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter.
Note that this version of Yaf is only available for CentOS/RHEL 5.
It has been recompiled to use the latest version of libfixbuf.
March 5, 2013:
The following have been released:
Fedora 18 - The repository now supports Fedora 18
for the i686 and x86_64 CPU architectures.
All packages have been moved from the forensics-test repository to the standard cert repository.
If you find any unexpected behavior with the packages as currently distributed, please send email to
partclone-0.2.48-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the latest libntfs-3g shared library.
dff-1.3.0-1.{fc17,fc18}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers
and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user
interface with a modular and cross-platform architecture. Note that only Fedora 17 and 18 are supported in this release.
See here for a list of recent changes.
fmem-kernel-objects-1.6-1.16.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following Fedora kernels:
3.7.9-205 for FC18
3.8.1-201 for FC18
3.7.9-101 for FC17
3.7.9-104 for FC17
xplico-1.0.1-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
This release includes support for Python version 3.3 which is the default for Fedora 18.
snort-2.9.4.1-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
libvshadow{,-devel,-tools,-python}-20130304-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
added PackageMaker files
updated include/types.h
fixed typo in vshadowmount
regripper-plugins-20130218-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application. The plugins added are the following:
NEW PLUGIN by Corey Harrell: uac.pl that gets UAC configuration values (SOFTWARE)
UPDATE by Harlan Carvey to comdlg32.pl, many updates (NTUSER)
NOTE profile software-all was updated
NOTE profiles all DO NOT contain plugins TLN versions: you must create your own profiles or use them directly
February 21, 2013:
The following have been released:
dd_rescue-1.32-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue, however, does
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previous distributed version (1.31):
1.32: This version has a new option (-x) to append to the output file and you can specify -Y (multiple times if you wish so)
to write the same data to secondary output files.
ghostpdl-9.07-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
fmem-kernel-objects-1.6-1.15.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the following Fedora kernels:
3.7.6-201 for FC18
3.7.7-201 for FC18
3.7.8-202 for FC18
3.7.9-201 for FC18
February 8, 2013:
The following have been released:
dd_rescue-1.31-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue, however, does
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
Here are the changes from the previous distributed version (1.28):
1.31: This version brings a few tiny improvements in the output (such as displaying the total elapsed time in the summary as opposed to ETA of 0,
and the amount of data really written with option -W). But importantly, it has the new mode of triple overwriting of data (options -3 and -4),
with random numbers, inverse random numbers, new random numbers (only for -4) and zeros, this way allowing paranoia-safe deletion of information.
1.30: This version brought a fix for outputting data to stdout and a fix for a possible double free operation (introduced in 1.29).
The message formatting has been streamlined a bit. The PRNG can now be initialized from a file (e.g. -Z /dev/urandom).
The program now can also avoid writing to a target block if the target block already has the same data (option -W).
Think of SSDs or other devices where you want to avoid writes.
1.29: This version fixes a bug where the last bytes were not copied correctly if hardbs == softbs. 1.29 also brings a number
of new features: the ability to write the same (softbs sized) block again and again (option -R, automatically set if infile is /dev/zero),
the ability to limit transfer size such that the outfile won't be enlarged (-M) and the possibility to use userspace random numbers (libc/frandom)
to fill files with random data (options -z and -Z). Last but not least, OBS also builds .deb binaries for Ubu12.04 / Deb6 now.
fuse-exfat-1.0.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file
system implementation with write support. exFAT is a simple file system created by Microsoft.
It is intended to replace FAT32, removing some of its limitations.
exFAT is a standard file system for SDXC memory cards.
Here are the changes from the previous version:
Fixed unexpected removal of a directory if it is moved into itself.
Fixed "Operation not permitted" error on reading an empty file.
exfat-utils-1.0.1-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
Here are the changes from the previous version:
Fixed unexpected removal of a directory if it is moved into itself.
Fixed "Operation not permitted" error on reading an empty file.
libewf{,-devel,-tools}-20130128-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20121209):
worked on sync with experimental version
docstring changes in pyewf
fix for corruption scenario
fixes in pyewf examples
updated msvscpp files
updated codegear files
updated pyewf
worked on sync with experimental version
replace libmfcache by new libfcache
updated configure files
updated dpkg files
updated rpm spec file
updated pyewf - fixes multiple issues
updated dependencies
worked on sync with experimental version
added pyewf/setup.py with thanks to Michael Cohen
bug fix for 31st day of the month issue
libvshadow{,-devel,-tools,-python}-20130131-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
worked on pyvshadow
worked on exposing block descriptors via vshadowinfo
sleuthkit{,-devel,-libs}-4.0.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 4.0.1:
New Features
Added fiwalk tool from Simson. Not supported in Visual Studio yet.
Bug Fixes
Fixed fcat to work on NTFS files (still doesn't support ADS though).
Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
NTFS code uses sequence number when searching MFT entries for all files.
Libewf detection code change to support v2 API more reliably (ID: 3596212).
NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
Framework
Added new API to TskImgDB that returns the base name of an image.
Numerous performance improvements to framework.
Removed requirement in framework to specify module extension in pipeline configuration file.
Added blackboard artifacts to represent both operating system and network service user accounts.
Java Bindings
added more APIs to find files by name, path and where clause
added API to get currently processed dir when image is being added,
added API to return specific types of children of image, volume system, volume, file system.
moved more common methods up to Content interface
deprecated context of blackboard attributes,
deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
methods that are lazy loading are now thread safe
Hash class is now thread-safe
use more PreparedStatements to improve performance
changed source level from java 1.6 to 1.7
Throw exceptions from C++ side better
fiwalk-0.6.16-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fiwalk
is a program that processes a disk image using the SleuthKit library and outputs its results in
Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the
Weka Datamining Toolkit, or an easy-to-read textual format.
This release has been rebuilt to use version 4.0.2 of The Sleuth Kit. Because that release now contains both fiwalk and jpeg_extract, this release
no longer contains those two programs.
yaf{,-devel}-2.3.3-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools for
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE.
See here for the list of changes.
fmem-kernel-objects-1.6-1.14.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes are the following:
3.7.5-201 for FC18
February 5, 2013:
The following have been released:
Support for Fedora 18 i686 and x86_64 architectures - The repository now supports Fedora 18 for the i686 and
x86_64 CPU architectures. Please note that while the release packages are located in the standard cert repository, all other packages
are located in the forensics-test repository. To install and use these packages, you must enable the forensics-test repository by editing
the /etc/yum.repos.d/cert-forensics-tools.repo and changing the enabled=0 line to enabled=1. You must do this as root.
The schedule is to move all packages to the standard cert repository on Monday, March 4, 2013 unless testing disrupts this schedule.
If you find any unexpected behavior with the packages as currently distributed, please send email to
fuse-exfat-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file
system implementation with write support. exFAT is a simple file system created by Microsoft.
It is intended to replace FAT32, removing some of its limitations.
exFAT is a standard file system for SDXC memory cards.
Here are the changes from the previous version:
Fixed crash when renaming a file within a single directory and a new name differs only in case.
Fixed cluster allocation: a cluster beyond the valid cluster range could be allocated.
Fixed crash when a volume is unmounted while some files are open.
SConscript now respects AR and RANLIB environment variables.
Improved error handling.
Enabled big_writes. This improves write speed (a larger block size means fewer switches between kernel- and user-space).
Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" the kernel still allows the device to be opened in read-write mode but fails writes.
exfat-utils-1.0.0-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
Here are the changes from the previous version:
Fixed crash when renaming a file within a single directory and a new name differs only in case.
Fixed cluster allocation: a cluster beyond the valid cluster range could be allocated.
Fixed crash when a volume is unmounted while some files are open.
SConscript now respects AR and RANLIB environment variables.
Improved error handling.
Enabled big_writes. This improves write speed (a larger block size means fewer switches between kernel- and user-space).
Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" the kernel still allows the device to be opened in read-write mode but fails writes.
libvshadow{,-devel,-tools,-python}-20130113-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
2013 update
updated dependencies
updated msvscpp files
added vshadowmount.1 man page
python-apsw-3.7.15.2_r1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine. In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
libiconv{,-devel,-static,-utils}-1.14-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Libiconv
provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode.
Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/liboconv.
Note that libiconv is not available for RHEL/CentOS 5.
This release also makes the library files available at /usr/liboconv/lib for the x86_64 architecture, which makes the package easier to use when building
packages that use libiconv.
The only changes in this release are the removal of files in the libiconv package which conflicted with files in the libiconv-devel package.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.58-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats. The packages include the following:
libpst includes:
readpst which can convert email messages to both mbox and MH mailbox formats
pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
pst2dii which can convert email messages to the DII load file format used by Summation.
libpst-libs package contains the shared library used by the pst utilities.
libpst-python package allows use of the libpst shared object from python code.
libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
libpst-doc package contains the html documentation for the pst utilities.
This version uses the libiconv library.
Note that libpst is not available for RHEL/CentOS 5.
Here are the changes since the last version:
fix From quoting on embedded rfc/822 messages.
fmem-kernel-objects-1.6-1.13.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes are the following:
3.7.4-204 for FC18
3.6.10-4 for FC18
3.7.3-101 for FC17
3.6.11-4 for FC16
CERT-Forensics-Tools-1.0-52.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
add exfat-utils for all supported architectures
remove gpart and ext3grep from Fedora 18 and beyond
January 3, 2013:
The following have been released:
guymager-0.6.13-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.12):
Package dependency to udisks added (for recent Ubuntu)
libparted search extended to subdirs
Added cfg parameter ForceCommandGetSerialNumber
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.57-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats. The packages include the following:
libpst includes:
readpst which can convert email messages to both mbox and MH mailbox formats
pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
pst2dii which can convert email messages to the DII load file format used by Summation.
libpst-libs package contains the shared library used by the pst utilities.
libpst-python package allows use of the libpst shared object from python code.
libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
libpst-doc package contains the html documentation for the pst utilities.
This version uses the libiconv library.
Note that libpst is not available for RHEL/CentOS 5.
python-apsw-3.7.15.1_r1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine. In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
fmem-kernel-objects-1.6-1.12.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes are the following:
Support for 3.6.10-2 for FC17
Support for 3.6.10-2 for FC16
December 14, 2012:
The following have been released:
daq-2.0.0-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm -
The Data Acquisition Library (Daq) is a library used by snort.
snort-2.9.4-1.1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
snort-sample-rules-2.9.4-1.1.{fc14,fc15,fc16,fc17,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the
snort rules page to acquire a current set of snort rules.
libewf{,-devel,-tools}-20121209-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1
API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
fmem-kernel-objects-1.6-1.11.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes are the following:
Support for 3.6.9-2 for FC17
December 4, 2012:
The following have been released:
jafat-1.1.6-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - JAFAT
is an assortment of tools to assist in the forensic investigation of computer systems.
Volatility-2.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
See https://code.google.com/p/volatility/source/list for a list of changes.
This version also includes the plugins from the Malware Analyst's Cookbook to version R134.
See here for the list of recent changes.
exfat-utils-0.9.8-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The EXfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
epub-0.5.0-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Epub is the distribution and interchange format
standard for digital publications and documents based on Web Standards. Epub defines a method for representing, packaging, and encoding structured and semantically enhanced
web content - including XHTML, CSS, SVG, images, and other resources - for distribution in a single-file format.
Epub allows publishers to produce and send a single digital publication file through distribution and offers interoperability between consumer
software and hardware for unencrypted reflowable digital books and other publications.
Epub is a helper application for recoll.
libiconv{,-devel,-static,-utils}-1.14-2.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Libiconv
provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode.
Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/liboconv.
Note that libiconv is not available for RHEL/CentOS 5.
This release makes the library files also available at /usr/liboconv/lib for the x86_64 architecture which makes the package easier to use when building
packages that use libiconv.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.55-2.2.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats. The packages include the following:
libpst includes:
readpst which can convert email messages to both mbox and MH mailbox formats
pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
pst2dii which can convert email messages to the DII load file format used by Summation.
libpst-libs package contains the shared library used by the pst utilities.
libpst-python package allows use of the libpst shared object from python code.
libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
libpst-doc package contains the html documentation for the pst utilities.
Note that libpst is not available for RHEL/CentOS 5.
This version has been rebuilt to use the libiconv library.
pstotext-1.9-2.1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - PStotext is a utility that
reads in postscript files and outputs an ASCII rendering. While the rendering is not always accurate, it is often sufficient.
PStotext is a helper application for recoll.
recoll-1.18.1-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Recoll
is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names.
See here for a list of changes in this version. In addition, tar archives have been
enabled and the epub, pstotext, and aspell packages have been added as required packages.
fmem-kernel-objects-1.6-1.10.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes are the following:
Support for 3.6.8-2 for FC17
Support for 3.6.7-4 for FC16
November 27, 2012:
The following have been released:
fmem-kernel-objects-1.6-1.8.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux
kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17.
These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code
is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin
directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions
of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
The changes are the following:
Support for 3.6.7-4 for FC17
sleuthkit{,-devel,-libs}-4.0.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 3.2.3:
New Features:
Can open raw Windows devices with write mode sharing.
More DOS partition types are displayed.
Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
Added new API to TskImgDB that returns hash value associated with carved files.
Performance improvements with FAT code (maps and dir_add)
Performance improvements with NTFS code (maps)
Added AONLY flag to block_walk
Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
Bug Fixes:
Fixed mactime issue where it could choose the wrong timezone that did not follow daylight savings times.
Fixed file size of alternate data streams in framework.
Incorporated memory leak fixes and raw device fixes from ADF Solutions.
fiwalk-0.6.16-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Fiwalk
is a program that processes a disk image using the SleuthKit library and outputs its results in
Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the
Weka Datamining Toolkit, or an easy-to-read textual format.
This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
pytsk-2012113-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for
The Sleuth Kit.
This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
testdisk-6.13-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
This release was rebuilt to use the ntfs-3g development and library packages required for CentOS/RHEL 5, but
all other versions were rebuilt for synchronization purposes.
bulk_extractor-1.3.1-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without
parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or
processed with automated tools. bulk_extractor also creates histograms of features that it finds, as features that are more
common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
CERT-Forensics-Tools-1.0-50.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
added bulk_extractor, bulk_extractor-stoplist, and fiwalk for RHEL/CentOS 5 for all supported architectures
obsoletes BEViewer since that tool is now included in bulk_extractor
November 19, 2012:
The following have been released:
fuse-exfat-0.9.8-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file
system implementation with write support. exFAT is a simple file system created by Microsoft.
It is intended to replace FAT32, removing some of its limitations.
exFAT is a standard file system for SDXC memory cards.
libiconv{,-devel,-static,-utils}-1.14-1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Libiconv
provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode.
Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/liboconv.
Note that libiconv is not available for RHEL/CentOS 5.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.55-2.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst
package includes:
readpst which can convert email messages to both mbox and MH mailbox formats
pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
pst2dii which can convert email messages to the DII load file format used by Summation.
The libpst-libs package contains the shared library used by the pst utilities.
The libpst-python package allows use of the libpst shared object from python code.
The libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
The libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
The libpst-doc package contains the html documentation for the pst utilities.
Note that libpst is not available for RHEL/CentOS 5.
partclone-0.2.48-1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
CERT-Forensics-Tools-1.0-48.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
This package was updated to do the following:
now is architecture-specific to accommodate kernel-PAE-modules-extra for the i686 architecture
added fuse-exfat
added partclone
November 14, 2012:
The following have been released:
fmem-kernel-objects-1.6-1.7.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux
kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17.
These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code
is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin
directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions
of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
The changes are the following:
Support for 3.6.6-1 for FC17
Support for 3.6.6-1 for FC16
libvshadow{,-devel,-tools,-python}-20121107-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
updates msvscpp 2010 build
pyvshadow: fixes for 32-bit build
pytsk-2012113-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for
The Sleuth Kit.
disktype-9-9beta.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Disktype detects the content format of a disk or disk image.
It knows about common file systems, partition tables, and boot codes.
This version adds support for ext4, btrfs, and exFAT file systems.
CERT-Forensics-Tools-1.0-47.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add kernel-modules-extra for both architectures. These kernel modules include support for ufs file systems.
add kernel-PAE-modules-extra for the x86 architecture. These kernel modules include support for ufs file systems.
added disktype
November 7, 2012:
The following have been released:
fmem-kernel-objects-1.6-1.6.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux
kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17.
These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code
is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin
directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions
of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
The changes are the following:
Support for 3.6.5-1 for FC17
Support for 3.6.5-2 for FC16
libvshadow{,-devel,-tools,-python}-20121103-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
fix in spec file
updated dependencies
pyvshadow: fix for Mac OS X build
updated msvscpp files
code clean up
pytsk-20121106-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for
The Sleuth Kit.
October 29, 2012:
The following have been released:
fmem-kernel-objects-1.6-1.5.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux
kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17.
These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code
is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin
directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions
of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
The changes are the following:
Support for 3.6.3-1 for FC17
Support for 3.6.2-1 for FC16
md5deep-4.3-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
Here is the list of changes:
Fixed check for endian-ness, affecting hash generation on big-endian platforms.
Fixed minor bugs related to OpenSolaris.
libvshadow{,-devel,-tools,-python}-20121016-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
October 19, 2012:
The following have been released:
fmem-kernel-objects-1.6-1.3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. Works on 2.6 Linux
kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17.
These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code
is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin
directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions
of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
The changes are the following:
Support for kernel 3.6.1-1 for FC17
Support for kernel 3.6.2-4 for FC17
nDPI-1.4.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - nDPI is an ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience.
Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while
being unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that
it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic
on port 80). This is because nowadays the assumption that port=application no longer holds.
xplico-1.0.1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
It also assumes a web server, for example Apache, has been configured and is operational.
Here are the changes since 1.0.0:
nDPI integration
performance improved
FTP dissector improved
Added the prism dissector
CLI execution bug fixed
PCAP-over-IP SSL encryption
IRC dissector improvements
File reconstruction from Fragmented Payloads improved
FaceBook Chat updated
FaceBook Message (partial)
HTTP without initial packets (packets lost)
RTP dissector improved
PCAP2WAV, RTP2WAV interface added
libvshadow{,-devel,-tools,-python}-20121016-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
Here are the changes since the last version:
pyvshadow: bug fixes
Missing Py_None increment reference
added increment/decrement reference of volume object in store
pyvshadow: added creation time as integer function
made get store more restrictive
added store get size function for python binding
updated dpkg and spec files
added store get offset function
worked on Python bindings
fix for dpkg files docs
worked on Python bindings
sleuthkit{,-devel,-libs}-4.0.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
Here are the changes since 3.2.3:
New Features:
Added multithreaded support
Added C++ wrapper classes
Added JNI bindings / Java data model classes
3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
3184429: More consistent printing of unset times (all zeros instead of 1970)
New database design that allows for multiple images in the same database
GPT volume system tries other sector sizes if first attempt fails.
Added hash calculation and lookup to AutoDB and JNI.
Upgraded SQLite to 3.7.9.
Added Framework (Windows only)
EnCase hash support
Libewf v2 support (it is now non-beta)
First file in a raw split or E01 can be specified and the rest of the files are found.
mactime displays times as 0 if the time is not set (instead of 1970)
Changed behavior of 'mactime -y' to use ISO8601 format.
Updated HFS+ code from ATC-NY.
FAT orphan file improvements to reduce false positives.
TskAuto better reports errors.
Upgrade build projects from Visual Studio 2008 to 2010.
Bug Fixes:
Relaxed checking when conflict exists between DOS and GPT partitions. Had a Mac image that was failing to resolve which partition table to use.
ptk-1.0.5-4.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line
tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the
command line tool mysql_secure_installation or equivalent, and operating.
It also assumes a web server, for example Apache, has been configured and is operational.
Here is the list of changes:
Now recognizes that both The Sleuth Kit Version 3 and Version 4 are valid versions.
October 11, 2012:
The following have been released:
regripper-25000000-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This package now contains only version 2.5 of the regripper tool. The plugins are packaged separately.
This package corrects a problem where the individual plugins could not be found. The error is corrected by using Perl's @INC array to find the plugin directory.
regripper-plugins-20120926-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application. The plugins added are the following:
NEW PLUGIN by Harlan Carvey: appcertdlls.pl that gets entries from AppCertDlls key (SYSTEM)
NEW PLUGIN by Harlan Carvey: appcompatcache.pl that parses files from the Shim Cache (SYSTEM)
NEW PLUGIN by Harlan Carvey: appcompatcache_tln.pl that parses files from the Shim Cache, TLN output (SYSTEM)
NEW PLUGIN by Harlan Carvey: applets_tln.pl that gets the content of Applets key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: appspecific.pl that gets contents of user's Intellipoint\AppSpecific subkeys (NTUSER)
NEW PLUGIN by Harlan Carvey: ares.pl that gets contents of user's Software\Ares key (NTUSER)
NEW PLUGIN by Corey Harrell: backuprestore.pl that gets FilesNotToSnapshot, KeysNotToRestore, FilesNotToBackup (SYSTEM)
NEW PLUGIN by Harlan Carvey: compatassist.pl that checks user's Compatibility Assistant\Persisted values (NTUSER)
NEW PLUGIN by Harlan Carvey: direct.pl that searches Direct keys for MostRecentApplication subkeys (SOFTWARE)
NEW PLUGIN by Harlan Carvey: direct_tln.pl that searches Direct keys for MostRecentApplication subkeys, TLN output (SOFTWARE)
NEW PLUGIN by Corey Harrell: disablesr.pl that gets the on/off value for System Restore (SOFTWARE)
NEW PLUGIN by Harlan Carvey: installer.pl that determines products install information (SOFTWARE)
NEW PLUGIN by Harlan Carvey: javafx.pl that gets contents of user's JavaFX key (NTUSER)
NEW PLUGIN by Harlan Carvey: legacy_tln.pl that lists LEGACY entries in Enum\Root key, TLN output (SYSTEM)
NEW PLUGIN by Harlan Carvey: networklist_tln.pl that collects network info from NetworkList key, TLN output (SOFTWARE)
NEW PLUGIN by Harlan Carvey: osversion.pl that checks for OSVersion value, malware related (NTUSER)
NEW PLUGIN by Corey Harrell: prefetch.pl that gets the Prefetch Parameters (SYSTEM)
NEW PLUGIN by Harlan Carvey: runmru_tln.pl that gets contents of user's RunMRU key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: shellbags.pl that gets contents of user's Shell/BagMRU keys, Windows7 (USRCLASS)
NEW PLUGIN by Harlan Carvey: sysinternals.pl that checks for SysInternals apps keys (NTUSER)
NEW PLUGIN by Harlan Carvey: sysinternals_tln.pl that checks for SysInternals apps keys, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: tracing.pl that gets list of apps that can be traced (SOFTWARE)
NEW PLUGIN by Harlan Carvey: tracing_tln.pl that gets list of apps that can be traced, TLN output (SOFTWARE)
NEW PLUGIN by Harlan Carvey: trustrecords.pl that gets user's Office 2010 TrustRecords values (NTUSER)
NEW PLUGIN by Harlan Carvey: trustrecords_tln.pl that gets user's Office 2010 TrustRecords values, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: tsclient_tln.pl that gets contents of user's Terminal Server Client key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: typedpaths_tln.pl that gets contents of user's typedpaths key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: userassist_tln.pl that displays contents of UserAssist subkeys, TLN output (NTUSER)
NEW PLUGIN by Mari DeGrazia: winbackup.pl that gets Windows Backup settings (SOFTWARE)
NEW PLUGIN by Harlan Carvey: wpdbusenum.pl that gets WpdBusEnumRoot subkey info (SYSTEM)
UPDATE by Harlan Carvey to legacy.pl, added analysis tip (SYSTEM)
UPDATE by Harlan Carvey to muicache.pl, the plugin works both on NTUSER and/or USRCLASS hives (NTUSER,USRCLASS)
UPDATE by Harlan Carvey to networklist.pl, added NameType value reporting (SOFTWARE)
UPDATE by Harlan Carvey to soft_run.pl, added support for newer OS and 64-bit (SOFTWARE)
UPDATE by Harlan Carvey to tsclient.pl, added parsing of Servers key (NTUSER)
UPDATE by Harlan Carvey to userassist.pl (NTUSER)
REMOVED TEMPORARILY plugin typedurlstime.pl, postponed to the next package
REMOVED TEMPORARILY plugin typedurlstime_tln.pl, postponed to the next package
REMOVED plugin bagtest.pl, deprecated
REMOVED plugin bagtest2.pl, deprecated
REMOVED plugin crashcontrol.pl, too similar to crashdump.pl
REMOVED plugin filesnottosnapshot.pl, superseded by backuprestore.pl
REMOVED plugin pstools.pl, superseded by the more general sysinternals.pl plugin
REMOVED plugin userassist2.pl, deprecated since userassist.pl was updated
REMOVED plugin vista_comdlg32.pl, deprecated since comdlg32.pl was updated
REMOVED plugin win7_ua.pl, Windows7-RC and Vigenère encryption are obsolete
NOTE added profile usrclass-all for USRCLASS.DAT hive
NOTE profiles '-all' DO NOT contain plugins TLN versions: you must create your own profiles or use them directly
NOTE source code repository was switched to GIT and it was aligned to the current release
NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
libvshadow{,-devel,-tools}-20120922-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
fmem-kernel-objects-1.6-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem,
similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package
are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6, indexed by the
triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a
script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system.
This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection
phase of an investigation that includes digital assets.
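Once the matching fmem.ko is loaded, the capture itself is the part that needs care: /dev/fmem exposes physical addresses without the /dev/mem restrictions, so reading pages that no RAM backs (device apertures, holes in the physical map) can hang or crash the machine being imaged. The following is an added shell example, not the package's install-fmem script, that derives the "System RAM" ranges from /proc/iomem and emits one dd command per range so only RAM-backed addresses are read. The output layout (one file per range, named by its start address) and the 1 MiB block-size cap are choices of this example.

```shell
#!/bin/bash
# Added example, not the package's install-fmem script. It reads the
# "System RAM" ranges from /proc/iomem and emits one dd command per range
# so that only RAM-backed addresses are read through /dev/fmem. A blind
# "dd if=/dev/fmem" over the whole address space is not safe.
set -u

# Emit "start end" in decimal (end inclusive) for every top-level
# "System RAM" entry in iomem text read from stdin. Indented sub-entries
# (Kernel code, Kernel data, ...) are skipped.
system_ram_ranges() {
    local line range start end
    while IFS= read -r line; do
        case "$line" in
            [0-9a-f]*" : System RAM")
                range=${line%% : *}
                start=${range%-*}
                end=${range#*-}
                echo "$(( 0x$start )) $(( 0x$end ))"
                ;;
        esac
    done
}

# Largest power-of-two block size (<= 1 MiB) dividing both start and length,
# so skip= and count= are exact. Low-memory ranges often end on a 1 KiB
# boundary (the EBDA), so a 4 KiB block cannot be assumed.
aligned_bs() {
    local start=$1 length=$2 bs=1048576
    while [ "$bs" -gt 1 ]; do
        if [ $((start % bs)) -eq 0 ] && [ $((length % bs)) -eq 0 ]; then
            break
        fi
        bs=$((bs / 2))
    done
    echo "$bs"
}

# Turn "start end" lines on stdin into dd commands capturing each range from
# device $1 into directory $2, one file per range named by its start address
# so physical offsets can be reconstructed during analysis.
fmem_dd_commands() {
    local dev=$1 outdir=$2 start end length bs
    while read -r start end; do
        length=$((end - start + 1))
        bs=$(aligned_bs "$start" "$length")
        printf 'dd if=%s of=%s/ram-0x%08x.bin bs=%d skip=%d count=%d\n' \
            "$dev" "$outdir" "$start" "$bs" "$((start / bs))" "$((length / bs))"
    done
}

# Dry run by default; "--run [outdir]" executes the commands (as root, with
# fmem.ko already loaded).
main() {
    [ -r /proc/iomem ] || { echo "no /proc/iomem" >&2; return 1; }
    local cmds
    cmds=$(system_ram_ranges < /proc/iomem | fmem_dd_commands /dev/fmem "${2:-.}")
    if [ "${1:-}" = "--run" ]; then
        [ -c /dev/fmem ] || { echo "/dev/fmem missing: load fmem.ko first" >&2; return 1; }
        printf '%s\n' "$cmds" | sh -e
    else
        printf '%s\n' "$cmds"
    fi
}

# Run main only when executed directly under the assumed file name
# fmem-capture.sh; when sourced, only the functions are defined.
case "${0##*/}" in fmem-capture.sh) main "$@" ;; esac
```

Run it once without arguments on the target to review the dd commands and the total size they will read, then with --run and an output directory on removable evidence media. Note that /proc/iomem shows real addresses only to root; an unprivileged read returns zeroed ranges.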
CERT-Forensics-Tools-1.0-46.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add fmem-kernel-objects for all supported releases.
log2timeline-0.65-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
[SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
[l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
[EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
[Altiris input] Fixed a small bug when the date is malformed.
[Log2Timeline library] Fixed few bugs:
Small error in the format sort, caused oxml to sometimes be skipped in processing.
[GENERIC_LINUX input] Added a small extra eval sentence.
[LS_QUARANTINE] Fixed a minor bug in the get_time routine; if a database error occurs it is caught by an eval sentence.
[TEST] Added few more tests.
[MOST INPUT MODULES] Changed the line my $line = <$fh> or return undef; in most input modules.
[WIN library] Added few more transformations of Windows stored time zones into a "olson" ones understood by DateTime.
[CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
[faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
[timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
python-apsw-3.7.14.1_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine. In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
September 17, 2012:
The following have been released:
recoll-1.17.3-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Recoll
is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names.
This version installs all of the needed helper applications and enables them all by default.
untex-1.3-3.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Untex
removes some LaTeX commands from the files listed in the arguments (or standard input) and prints the output to standard output.
CERT-Forensics-Tools-1.0-45.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add recoll for all supported releases except RHEL/CentOS 5.
libfixbuf{,-devel}-1.2.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
yaf{,-devel}-2.3.2-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE.
See here for the list of changes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
libvshadow{,-devel,-tools}-20120915-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
September 4, 2012:
The following have been released:
prism-1.1.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The prism
trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool.
The script can be used directly, or might be used as a component in other more specialized scripts.
In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
CERT-Forensics-Tools-1.0-44.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add prism to all systems where the SiLK tools are installed.
August 23, 2012:
The following have been released:
analysis-pipeline-3.0.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
The Analysis Pipeline supports many types of analysis, including:
Watch list alerting (did we see traffic from a known bad IP?)
Beacon detection
Passive FTP detection
IPv6 tunnel detection
Thresholding (e.g., is total bytes over a limit?)
Collection issues (is a sensor no longer reporting?)
Although the Analysis Pipeline can be run interactively, it is designed to be incorporated into the SiLK collection and packing infrastructure, where it can
analyze every SiLK Flow record produced by rwflowpack as the records are being added to the SiLK data repository.
When a record matches an analysis, the Analysis Pipeline may output the record in a pipe-delimited textual format. Whether a record is output depends
on how often the administrator has configured the Analysis Pipeline to issue that type of output. The administrator can easily configure a SIEM to process
the output generated by the Analysis Pipeline.
CERT-Forensics-Tools-1.0-43.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add BEViewer to all systems where bulk_extractor is installed.
add analysis-pipeline to all systems where the SiLK tools are installed.
August 21, 2012:
The following have been released:
libewf{,-devel,-tools}-20120813-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package.
If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
registrydecoder-20120816-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder
is a tool for the acquisition, analysis, and reporting of registry contents.
See here for a list of changes.
regripper-plugins-20120812-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application.
This version includes version 20120612 of the plugins from here.
The plugins added are the following:
NEW PLUGIN by Hal Pomeranz: ssh_host_keys.pl that extracts stored Putty and WinSCP host keys from NTUSER hive
NEW PLUGIN by Hal Pomeranz: winscp_sessions.pl that extracts WinSCP saved session data from NTUSER hive (with password decoding)
NOTE profiles all-all, ntuser-all, sam-all, security-all, software-all and system-all were updated
NOTE source code repository was aligned to current release
NEW PLUGIN by John Lukach: pstools.pl that displays the content for PsTools EULA Agreements
NEW PLUGIN by K. Johnson (with Harlan Carvey updates): filehistory.pl that parses NTUSER FileHistory Registry keys from Windows 8
NEW PLUGIN by Elizabeth Schweinsberg: user_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from NTUSER hive
NEW PLUGIN by Elizabeth Schweinsberg: soft_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from SOFTWARE hive
NEW PLUGIN by Elizabeth Schweinsberg: svc_plus.pl that gets services, displayed in short format, from SYSTEM hive
tcpflow-1.3.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
Here are the changes in this version:
src/tcpdemux.cpp (tcpdemux::process_tcp): fixed bug in which myflow.tlast wasn't being set.
src/main.cpp (main): fixed compile bugs that resulted from adoption of standard DFXML header.
configure.ac (HAVE_PTHREAD): fixed typo in configure.ac
src/tcpdemux.h: removed struct ip as it was redundant to struct iphdr
configure.ac: tcpflow now compiles under mingw for Windows
src/tcpdemux.cpp: moved tcpdemux class methods into this new file.
src/tcpip.cpp (tcpip::close_file): added support for FUTIMENS, but I don't yet have a system on which to test it. Hope that it's good.
August 10, 2012:
The following have been released:
ghostpdl-9.06-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
August 8, 2012:
The following have been released:
perl-XML-SAX-Base-1.04-1.1.el6.noarch.rpm - perl-XML-SAX-Base is a base class for PerlSAX drivers and filters.
As distributed on RPM Forge, two files (/usr/share/man/man3/XML::SAX::Base.3pm.gz and /usr/share/man/man3/XML::SAX::Exception.3pm.gz) conflict with the files installed
with perl-XML-SAX-0.96-7.el6.noarch from the EPEL repository. This package was rebuilt to remove these conflicts, and the release number changes from 1 to 1.1 so as to prefer
this package over the RPM Forge package. Thanks to Joern Franz for the report.
August 7, 2012:
The following have been released:
guymager-0.6.12-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.11):
Avoiding -O3 / inline compiler bug
Correct screen output if no log file is in use
DD verification: retry with NOATIME switched off if open fails
DD verification: Do not exit if open fails
distorm3-3-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2,
SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by
The Volatility Framework.
ghostpdl-9.05-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm -
Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages.
Ghostpdl is used by Xplico.
libpff-20120802-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal
Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
Libpff is used by DFF - the Digital Forensics Framework.
tcpflow-1.2.8-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
Here are the changes in this version:
src/main.cpp (main): added calling process_infile(expression,device,"",true) when no files are provided to fix bug of no live capture.
src/sysdep.h: removed; put code in tcpflow.h for simplicity
src/datalink.cpp (dl_null): moved ETHERTYPE_IPV6 from sysdep.h to datalink.cpp
bootstrap.sh: added --add-missing to bootstrap.sh
July 30, 2012:
The following have been released:
ssdeep-2.9-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
July 18, 2012:
The following have been released:
xplico-1.0.0-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
It also assumes a web server, for example Apache, has been configured and is operational.
Here is the list of changes:
The postinstall script conditions the /etc/php.ini configuration file for PHP so that xplico works without manual intervention. The changes are:
Asserts short_open_tag if it is currently set to Off.
Sets post_max_size to 100M, which is the recommended value.
Sets upload_max_filesize to 100M, which is the recommended value.
Sets date.timezone to US/Eastern. If this is not appropriate for your time zone, you will need to edit /etc/php.ini by hand.
The preuninstall script undoes the aforementioned changes to the /etc/php.ini configuration file, but only if the changes were made by the postinstall script executed when
xplico was installed or updated.
The postinstall and preinstall scripts now use systemctl for Fedora 16 and beyond.
ptk-1.0.5-3.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line
tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the
command line tool mysql_secure_installation or equivalent, and operating.
It also assumes a web server, for example Apache, has been configured and is operational.
Here is the list of changes:
The postinstall script conditions the /etc/php.ini configuration file for PHP so that ptk works without manual
intervention. The changes are:
Asserts short_open_tag if it is currently set to Off.
The preuninstall script undoes the aforementioned change to the /etc/php.ini configuration file, but only if the change was made by the postinstall script executed when
ptk was installed or updated.
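Both the xplico and the ptk scriptlets described above follow the same pattern when they touch the system-wide /etc/php.ini: change a directive only if it does not already have the required value, remember what was replaced, and on uninstall restore only what the package itself changed. The following is an added shell example of that pattern, not the packages' actual scriptlets; the state-file path, the <absent> marker and the inode-preserving rewrite are assumptions of the example, and the four directives are the ones the xplico notes list (ptk sets only short_open_tag).

```shell
#!/bin/bash
# Added example, not the xplico or ptk RPM scriptlets themselves. Sets
# php.ini directives idempotently, records what each one replaced, and on
# uninstall restores only the directives this script changed and only if
# nobody has changed them again since.
set -u

# Where changes are recorded as "directive<TAB>original<TAB>set" lines. The
# path and the <absent> marker are assumptions of this example.
STATE=${PHPINI_STATE:-/var/lib/phpini-conditioner.state}
ABSENT='<absent>'

# Regex-escape the dots in a directive name such as date.timezone.
key_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Current value of directive $1 in php.ini $2, or $ABSENT when there is no
# active (uncommented) line for it. PHP honours the last occurrence.
php_get() {
    local re val
    re=$(key_re "$1")
    val=$(sed -n "s/^[[:space:]]*$re[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1)
    if grep -q "^[[:space:]]*$re[[:space:]]*=" "$2"; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$ABSENT"
    fi
}

# Apply sed program $2 to file $1 in place while keeping the inode, so the
# file's owner and mode survive (a plain mv would replace it).
rewrite() {
    local tmp
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Set $1 = $2 in php.ini $3 unless it already is; append what was replaced
# to STATE. Returns 1 when nothing needed to change.
php_set() {
    local key=$1 want=$2 ini=$3 cur re
    cur=$(php_get "$key" "$ini")
    [ "$cur" = "$want" ] && return 1
    printf '%s\t%s\t%s\n' "$key" "$cur" "$want" >> "$STATE"
    if [ "$cur" = "$ABSENT" ]; then
        printf '%s = %s\n' "$key" "$want" >> "$ini"
    else
        re=$(key_re "$key")
        rewrite "$ini" "s|^[[:space:]]*$re[[:space:]]*=.*|$key = $want|"
    fi
}

# postinstall: the four directives from the xplico notes.
condition_php_ini() {
    local ini=$1
    php_set short_open_tag On "$ini" || true
    php_set post_max_size 100M "$ini" || true
    php_set upload_max_filesize 100M "$ini" || true
    php_set date.timezone US/Eastern "$ini" || true
}

# preuninstall: undo recorded changes in php.ini $1, skipping any directive
# whose current value is no longer the one we set (an administrator edited
# it afterwards), then drop the state file.
php_revert() {
    local ini=$1 key orig want re cur
    [ -f "$STATE" ] || return 0
    while IFS="$(printf '\t')" read -r key orig want; do
        cur=$(php_get "$key" "$ini")
        [ "$cur" = "$want" ] || continue
        re=$(key_re "$key")
        if [ "$orig" = "$ABSENT" ]; then
            rewrite "$ini" "/^[[:space:]]*$re[[:space:]]*=/d"
        else
            rewrite "$ini" "s|^[[:space:]]*$re[[:space:]]*=.*|$key = $orig|"
        fi
    done < "$STATE"
    rm -f "$STATE"
}
```

Running condition_php_ini twice records nothing the second time, which is what makes an RPM upgrade (postinstall of the new version before preuninstall of the old) safe; and because php_revert compares the current value with the one it set, a later administrator edit such as raising post_max_size is left in place rather than being clobbered on package removal.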
libguytools-2.0.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to
build and operate guymager. The changes are:
Correctly handling decimal point for different locale settings in toolcfg
Some small signed/unsigned changes for cleaner linting
Copyright notices cleaned up
guymager-0.6.11-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.11 release 1):
Rebuilt to use libguytools-2.0.2.
July 12, 2012:
The following have been released:
guymager-0.6.11-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.9):
Removed bug where section tables might contain only one entry
New cfg parameter EwfNaming supports 2 methods for naming EWF segment files
Added warnings for low space on destination path and large number of image files before starting acquisition,
new configuration parameters WarnAboutImageSize and WarnAboutSegmentFileCount
When opening destination image fails, retry with NOATIME switched off (thus enabling cloning without root rights)
Removed bug where section tables might contain only one entry.
python-apsw-3.7.13_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine. In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.
registrydecoder-20120709-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder
is a tool for the acquisition, analysis, and reporting of registry contents.
See here for a list of changes.
aff{lib,lib-devel,tools}-3.7.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See here for the changes.
July 10, 2012:
The following have been released:
fred-0.1.0beta4-1.{fc14,fc15,fc16,fc17}.noarch.rpm - Fred Forensic Registry EDitor (fred) is a cross-platform Microsoft
registry hive editor. This project was born out of the need for a reasonably good registry hive viewer for Linux to conduct forensic analysis. Therefore it includes some
functions not found in normal "free" registry editors like a hex viewer with data interpreter and a reporting function that can easily be extended with custom ECMAScript
report templates. The current version contains the following reports: NTUSER_RecentDocs, NTUSER_TypedUrls, SAM_UserAccounts, SOFTWARE_WindowsVersion, SYSTEM_CurrentNetworkSettings,
SYSTEM_SystemTimeInfo and SYSTEM_UsbStorageDevices.
CERT-Forensics-Tools-1.0-41.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add fred for Fedora systems only
tcpflow-1.2.7-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
Here are the changes in this version:
src/main.cpp (main): -r option now allows for multiple files to be specified.
src/main.cpp (main): -R option now allows for incomplete tcp connections to be finished.
src/main.cpp (main): removed global "tcpdemux demux" variable. Now it's passed as *user in the datalink methods, as it should be.
src/tcpdemux.h (class tcpip): bytes_printed renamed to bytes_processed, as it will be used in packet processing as well.
pytsk-20120626-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for
The Sleuth Kit.
python-xlwt-0.7.4-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Python-xlwt is a library for generating spreadsheet files that
are compatible with Excel 97/2000/XP/2003, OpenOffice.org Calc, and Gnumeric. Python-xlwt has full support for Unicode. Excel spreadsheets can be generated on any platform without
needing Excel or a COM server.
yaf{,-devel}-2.2.1-2.{el5}.{i386,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is only available for CentOS/RHEL 5. All other versions use Yaf-2.2.2 and beyond.
The change is to use libfixbuf-1.1.2-1.
July 3, 2012:
The following have been released:
ptk-1.0.5-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line
tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the
command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example
Apache, has been configured and is operational. This package has been rebuilt to correct directory
permissions for the installed files.
libvshadow{,-devel,-tools}-20120511-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
guymager-0.6.9-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.7):
Releasing all changes of 0.6.8 (switch to new version in order to have test users update their packages correctly)
AEWF: Considering also 1st chunk base offset when checking if chunk can be added to current sectors section.
New cfg parameter CheckRootRights
If source disk can't be opened, give it another try without option NOATIME
Corrected text output for image hash calculation in info file; Translations updated.
Error in UtilIsZero removed (leading to wrong image if FifoBlockSizeEwf is set to values above 65536)
Package no longer recommends gksu, smartmontools and hdparm but depends on them
No longer exits on write errors on info file or in AEWF module (should already have been done in 0.6.4, but the takeover from trunk wasn't done)
New cfg parameter EwfCompressionThreshold
Also include symlinks when searching for libparted
Changes from Mika (unistd.h)
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The changes are the following:
rwflowpack change
Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
Modify NetFlow v9 support to require libfixbuf-1.1.0.
flowcap change
Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
Modify NetFlow v9 support to require libfixbuf-1.1.0.
Building
Add new configure switch --enable-asa-zero-packet-hack to work around a bug in the NetFlow9 template used by Cisco ASA routers wherein the
template is missing a packetTotalCount field, causing rwflowpack to treat these flows as having 0 packets. When the switch is specified,
SiLK sets the packet count to 1 for flow records having a source IP, a byte count, but no packet count. In addition, if SiLK is compiled
without IPv6 support, the hack causes rwflowpack to use a fully-expanded file format to store IPv4 flow records collected from netflow-v9 probes.
This version of SiLK has been built with --enable-asa-zero-packet-hack.
registrydecoder-20120629-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder
is a tool for the acquisition, analysis, and reporting of registry contents. This is version 1.3 of this tool.
See here for a list of changes.
CERT-Forensics-Tools-1.0-40.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add libvshadow-tools
June 28, 2012:
The following have been released:
nmap{,-frontend}-6.01-3.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Nmap has been repackaged in conformance with
the way Fedora has been packaged for {nmap,nmap-frontend}-6.00. Please note that the zenmap package has been replaced with the nmap-frontend package.
Please also note that nmap versions 6.00 and 6.01 have been withdrawn for the RHEL/CentOS 5 systems.
CERT-Forensics-Tools-1.0-39.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add nmap-frontend
obsolete zenmap
obsolete ncat
obsolete nping
obsolete nmap-update
dff-1.2.0-3.fc17.x86_64.rpm - The Digital Forensics Framework (DFF) has been built for the x86_64 CPU architecture.
To install it, do the following, as root, on a Fedora 17 x86_64 installation only:
yum erase libewf.i386
yum clean all
yum install dff
xmount-0.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following:
Support to emulate Microsoft's Virtual Hard Disk images (by using the --out vhd arguments).
June 27, 2012:
The following have been released:
BEViewer-1.3.006-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - BEViewer
is a User Interface for browsing features that have been extracted via the bulk_extractor feature extraction tool.
BEViewer supports browsing multiple images and bookmarking and exporting features.
BEViewer also provides a User Interface for launching bulk_extractor scans.
ddrescue-1.16-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See /usr/share/doc/ddrescue-1.16/ChangeLog after the package has been installed.
dd_rescue-1.28-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Dd_rescue
is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue does however
not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
libfixbuf{,-devel}-1.1.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
This version contains general bug fixes as well as Netflow V9 bug fixes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.7-3-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The changes are to use libfixbuf-1.1.2-1.
yaf{,-devel}-2.2.2-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE.
The changes are to use libfixbuf-1.1.2-1.
log2timeline-0.64-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[TESTSUITE] Added the first version of a test suite to the tool.
All tests are located inside the t/ directory.
Tests should be constructed for ALL possible uses of the tool, not limited to:
Raw parsing of logs using input modules.
Correct output for output modules.
Correct output from each function inside modules/libraries.
The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
[LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
[Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
Changed the exclusion list so it can be easily changed
Added a call to ->end on each input module if verification failed.
Minor bug fixes in the main engine.
Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
Added support to detect shortcuts in Windows systems.
Added the "path_orig" to all input modules (making it possible to "fix" paths).
[CHROME input] - Slight changes to the output based on the value of the typed_count variable, also updated the path to the code that describes the transition types.
[SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool not to include SKYPE data when recursive mode was set on.
Also fixed UTF-8 support, should properly display UTF-8 by now.
[PREFETCH input] Small changes to the verification module.
[WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
[SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them being compiled for each insert, using transactions
instead of writing them constantly to the DB, and other minor tweaks to make the DB output faster than before (since it was incredibly slow before).
[CHROME input] Small bug to fix UTF-8 support.
[FIREFOX3 input] Small bug to fix UTF-8 support.
[PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive is turned on.
[RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive is turned on.
[LIST files] Added few items into the Windows list files, as well as to create a Mac OS X one.
[MFT input] Fixed a bug with Unicode support.
[RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
[SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
[EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
Issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster, and not the slightly changed one
distributed by the tool, causing the module to not work.
md5deep-4.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
Here is the list of new features:
Fixed padding in Tiger hashes for large files
{nmap,ncat,nping,nmap-update,zenmap}-6.01-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Nmap is a free and open source utility for
network exploration or security auditing. See the change log for details.
Nping is a packet generation and response analysis tool.
Ncat is a flexible data transfer, redirection, and debugging tool.
Nmap-update is a tool that gets the latest versions of architecture-independent files, such as scripts and databases, for the installed version of Nmap.
Zenmap is an advanced GUI and results viewer. It replaces nmap-frontend.
See the Changelog for the changes made in this release.
regripper-25000000-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This package now contains only version 2.5 of the regripper tool. The plugins are now packaged separately.
regripper-plugins-20120612-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application.
This version includes version 20120612 of the plugins from here.
The plugins added are the following:
NEW PLUGIN by Jason Hale: typedurlstime.pl that parses and correlates the TypedURLs and TypedURLsTime subkeys
NEW PLUGIN by Jason Hale: typedurlstime_tln.pl that parses and correlates the TypedURLs and TypedURLsTime subkeys (output in TLN format)
June 5, 2012:
The following have been released:
regripper-20120528-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This version includes version 20120528 of the plugins from here.
The plugins added are the following:
NEW PLUGIN by Francesco Picasso: "internet_explorer_cu.pl" that parses the Internet Explorer info from NTUSER.DAT registry
NEW PLUGIN by Francesco Picasso: "internet_settings_cu.pl" that parses the Internet Settings info from NTUSER.DAT registry
REMOVED plugin "ie_main.pl", since superseded by "internet_explorer_cu.pl"
REMOVED plugin "iexplore.pl", since superseded by "internet_explorer_cu.pl"
FIXED plugin "timezone.pl", see Issue14 and see source code comments
FIXED plugin "userassist2.pl", now it parses Windows7 entries, see source code comments
ADDED profiles with every plugin listed in alphabetical order: all-all (3), ntuser-all (98), sam-all (1), security-all (3), software-all (56), system-all (46)
NOTE RegRipperPlugins now counts 207 plugins
KNOWN ISSUES: comdlg32 does not parse Vista/7 subkeys (Issue 15)
June 4, 2012:
The following have been released:
bulk_extractor-1.2.2-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor
has been repackaged, where all of the supporting tools are now installed as distributed by the author. These tools are installed in /usr/bin and
are the following:
bulk_diff.py - compares two bulk_extractor runs and reports what's changed.
identify_filenames.py - reads feature files and a DFXML file for a disk image and reports the file from which each feature came
post_process_exif.py - reads the exif.txt feature file and produces a CSV file from all of the XML-encoded EXIF information
This directory also contains modules for working with digital forensics XML:
bulk_extractor.py - a DFXML python module for reading the report.xml file created by bulk_extractor and reading the feature files.
Also allows reading a ZIP file produced from a bulk_extractor output directory as if it were uncompressed.
dfxml.py - a DFXML python module for reading DFXML files
fiwalk.py - a DFXML python module for producing DFXML streams using fiwalk
This directory also contains an out-of-date multi-drive correlator; this will be operational by August 1, 2012:
cda2.py - multi drive correlator
cda_test.py - test program for multi-drive correlator
cda_tool.py - another multi-drive correlator
libewf{,-devel,-tools}-20120603-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package.
If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
ssdeep-2.8-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes.
June 1, 2012:
The following have been released:
bulk_extractor-1.2.2-2.{fc13,fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor was
packaged incorrectly, producing an incorrect version installed in /usr/bin/bulk_extractor. This release corrects that problem.
May 31, 2012:
The following have been released:
Fedora 17 - The repository now supports Fedora 17
for the i386 and x86_64 CPU architectures.
Fedora 13 - Development of the repository for Fedora 13 has stopped as of 2012-05-31.
BEViewer-1.2.1.004-1.{fc13,fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - BEViewer
is a User Interface for browsing features that have been extracted via the bulk_extractor feature extraction tool.
BEViewer supports browsing multiple images and bookmarking and exporting features.
BEViewer also provides a User Interface for launching bulk_extractor scans.
May 29, 2012:
The following have been released:
bulk_extractor-1.2.2-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important.
See the ChangeLog file (/usr/share/doc/bulk_extractor-1.2.2/ChangeLog) in the package for a list of changes.
May 23, 2012:
The following have been released:
libewf{,-devel,-tools}-20120504-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package.
If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
netsa-python-1.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Netsa-python is a
library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the
netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line
processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes).
netsa-python is compatible with Python versions 2.4 and greater.
rayon-1.3.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Rayon is a Python library and set of tools for generating
basic two-dimensional statistical visualizations. Rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications.
Rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output).
{nmap,ncat,nping,nmap-update,zenmap}-6.00-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Nmap is a free and open source utility for
network exploration or security auditing. See the change log for details.
Nping is a packet generation and response analysis tool.
Ncat is a flexible data transfer, redirection, and debugging tool.
Nmap-update is a tool that gets the latest versions of architecture-independent files, such as scripts and databases, for the installed version of Nmap.
Zenmap is an advanced GUI and results viewer. It replaces nmap-frontend.
CERT-Forensics-Tools-1.0-38.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm -
This package was updated to do the following:
obsolete nmap-frontend
add zenmap
add ncat
add nping
add nmap-update
remove registrydecoder for RHEL/CentOS 5 (it requires too many dependencies)
May 1, 2012:
The following have been released:
guymager-0.6.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.5):
Configuration parameter CommandGetAddStateInfo now understands placeholder %local for distinguishing between local and non-local devices
New configuration parameter QueryDeviceMediaInfo for devices that do not like HPA/DCO querying
MD5 calculation of destination disk corrected for disks whose size is not a multiple of the block size
No longer depends on libproc (using libc functions instead)
New, fast SHA256 and MD5 routines (from package coreutils)
No longer depends on libcrypto or libcrypto for fast hash functions
April 23, 2012:
The following have been released:
libewf{,-devel,-tools}-20120416-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package.
If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
log2timeline-0.63-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
Also several modules have had their documentation updated and code reformed to reflect recent release of a style guide
for the project. perltidy is not enough to enforce that, but at least a start. Rewriting the documentation (pod) is also a vital
portion of making the modules easier to use/understand/develop.
All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably
more useful than it was.
[SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores
the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
This makes it possible to output using this method and then sorting is simpler since it does not require the module
to read in the csv and change it into something like a hash, since it is already stored as such.
This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV
instead of using CSV as default and trying to filter that output.
This also makes it easier to filter, based on certain attributes, instead of at the line level.
[WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
[FIREFOX3 input] Added a check to see if the SQlite database contains a -wal or -shm (in addition to -journal)
And if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location)
This was pointed out to me by Svante
[PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail
option/parameter is used.
[MFT input] Inside the verification routine a check is made to see if the magic value is FILE0, it should only be FILE.
Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
[SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases
due to the keys being prefilled with the CMI-CREATE....
[NTUSER input] Changed a value check in UserAssist key parsing causing UserAssist keys not properly being parsed.
[WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was)
[SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
[log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
[WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
[win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named
timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
[LOG2TIMELINE] Small bug in the log2timeline library, causing an input module list that has more than one - sign in it
not to be properly verified.
[IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not
yet complete, style guide.
[EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error
message if debug is turned on.
tcpflow-1.2.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
Here are the changes in this version:
configure.ac: incremented version to 1.2.6 (1.2.5 had a bad tag)
src/tcpip.cpp (tcpip::print_packet): fixed error in fwrite().
src/main.cpp (print_usage): fixed misspelling of name
src/tcpip.cpp (tcpdemux::tcpdemux): default outdir is now "."
April 10, 2012:
The following have been released:
python-pefile-1.2.10_114-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm -
Python-pefile is a multi-platform Python module to read and work with Portable Executable (aka PE) files.
Most of the information in the PE Header is accessible, as well as all the sections, section's information and data.
Pefile requires some basic understanding of the layout of a PE file. Armed with it, it's possible to explore nearly every single feature of the file.
Some of the tasks that pefile makes possible are:
Modifying and writing back to the PE image
Header Inspection
Sections analysis
Retrieving data
Warnings for suspicious and malformed values
Packer detection with PEiD’s signatures
PEiD signature generation
Please, refer to UsageExamples for starting points on how to use pefile.
To work with authenticated binaries, including Authenticode signatures, please check the project verify-sigs.
AdobeMalwareClassifier-1.0-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - AdobeMalwareClassifier
is a tool that performs quick, easy classification of binaries for malware analysis.
The Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file
contains malware so they can develop malware detection signatures faster, reducing the time during which users' systems are vulnerable.
The tool uses machine-learning algorithms to classify Win32 binaries - EXEs and DLLs - into three classes: 0 for "clean," 1 for "malicious," or "UNKNOWN."
The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown
binary as "clean," "malicious," or "unknown."
The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000
malicious programs and 16,000 clean programs.
April 3, 2012:
The following have been released:
aff{lib,lib-devel,tools}-3.7.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.7.0/ChangeLog after the package has been installed.
yaf{,-devel}-2.2.2-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE.
This release fixes bugs in VLAN tagging.
March 30, 2012:
The following have been released:
tcpflow-1.2.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
The changes are: bug fixes and performance improvements.
safecopy-1.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Safecopy is a data recovery tool which
tries to extract as much data as possible from a problematic (i.e. damaged sectors) source - like floppy drives, harddisk partitions, CDs, tape devices, ..., where
other tools like dd would fail due to I/O errors.
Here are the changes:
New --forceopen option to wait for removable drives to come back
New -c (continue) option to resume when copying directly onto devices
Return codes: (0 for success, 2 for abort/ error, 1 for incomplete copy)
Adapted test suite to test for these return codes
Code cleanup
testdisk-6.13-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
Here are the changes:
Fix UAC manifests for Windows, so users don't need to use right-click "Run As Administrator"
TestDisk
Fix image creation, image.dd file wasn't created (Regression introduced in 6.12)
Detect Vmware VMFS partition
Locate lost GFS2 partition but not yet the size
Log HDD serial number and firmware revision
List NTFS Alternate Data Streams (ADS)
PhotoRec
Session recovery restarts at the previous location
Better MPEG recovery, there should be less concatenated videos.
Better JPG recovery, there should be less cases where thumbnails were recovered instead of the picture itself.
Handle large avi files using "AVIX" or mov files using 64-bit chunk size.
Rename recovered pdf using the title (not perfect)
Major cleanup of PhotoRec core code
libp0f{,-devel}-2.0.8-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libp0f
is a library implementation of p0f version 2 available from here.
This library splits the core p0f functionality from the p0f application in order to support 3rd-party linkage.
libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints.
The library is required for use with Yaf.
To enable p0f in Yaf, configure Yaf with --enable-p0fprinter (see the next item), and run Yaf with --p0fprint.
yaf{,-devel}-2.2.1-3.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE.
This release was built with the following configuration options enabled:
enable-applabel - enable the packet payload application label engine
enable-p0fprinter - enable the p0f based OS finger printing capability
enable-plugins - enable YAF to load plugin extensions
enable-ltdl-install=no - do not install files that would otherwise conflict with libtool-ltdl
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.7-3.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The changes are to enable adns, the Asynchronous-capable DNS Client Library.
March 12, 2012:
The following have been released:
tcpflow-1.2.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction.
Tcpflow can also process stored tcpdump packet flows.
The changes are: bug fixes and performance improvements.
guymager-0.6.5-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.6.3):
Device scan: Assume that a device will not be included more than once in a scan
New CFG parameter AvoidEncaseProblems for Encase EWF string limitations
No longer exits on write errors in AEWF module
No longer exits on info file write errors
Center info dialog relative to application (not screen)
yaf{,-devel}-2.2.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
The changes are bug fixes.
reglookup-1.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - Release 2 of the reglookup
package was installed to include the following patches:
Patch 278: fix for pyregfi install
Patch 277: incorporated a version of Adam Golebiowski's build patches; reworked REGFI_VERSION and began using it in the pyregfi installation
Patch 276: added 1.0.1 target
March 7, 2012:
The following have been released:
xplico-1.0.0-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder.
Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support.
Here is the list of changes:
SQLite dispatcher performance improved
Added the PPI dissector
Added the syslog dissector
Added "Bogus IP length" correction with checksum verification disabled
New Facebook Chat dissector for the new Facebook chat protocol
To build and install this package for CentOS 6, the following were installed in the CentOS/RHEL repository:
python3-3.1.2-7.fc13.i686.rpm
python3-libs-3.1.2-7.fc13.i686.rpm
python3-httplib2-0.6.0-3.fc14.noarch.rpm
February 24, 2012:
The following have been released:
regripper-20120224-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This version includes version 20120224 of the plugins from here.
The plugins added are the following:
EMDMgt.pl (Brad Reninger) - this plugin parses the EMDMgt registry key located in the SOFTWARE Hive.
This registry key identifies the volume serial number of USB devices.
ccleaner.pl (Adrian Leong) - this plugin gets CCleaner User's Settings from NTUSER.DAT.
md5deep-4.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
Here is the list of new features:
Added expert mode option to parse Windows PE files
and bug fixes:
Fixed junction point handling on Win32
February 17, 2012:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational
Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for the list of changes.
February 15, 2012:
The following have been released:
bulk_extractor-1.2.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of the features it finds, since features that are more common tend to be more important.
See this Changelog for a list of changes.
libewf{,-devel,-tools}-20120122-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package.
If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
February 7, 2012:
The following have been released:
dff-1.2.0-3.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. This release adds missing support for Expert Witness Compression Format (EWF) files.
regripper-20120206-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This version includes version 20120206 of the plugins from here. This version adds the filesnottosnapshot.pl
(extracts from SYSTEM registry files and folders not backed up in Volume Shadow Copies) and spp_clients.pl (list volumes currently monitored by
the Volume Shadow Copy Service) plugins.
xmount-0.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.
Volatility-2.0.1-3.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version updates
the plugins from the Malware Analyst's Cookbook to version R134.
See here for the list of recent changes.
registrydecoder-20120202-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Registrydecoder
is a tool for the acquisition, analysis, and reporting of registry contents. This is version 1.2 of this tool.
See here for a list of changes.
tcpflow-1.1.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump
packet flows. The changes are: C++ rewrite, improved performance, and DFXML output.
January 27, 2012:
The following have been released:
libewf{,-devel,-tools}-20120122-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1
API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
md5deep-4.0.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
Here is the list of new features:
Fixed hang on DFXML generation on Win32
Fixed incorrect hashes via stdin on Win32
Fixed "Too many open files" error on OS X
Doc files in Win32 have been corrected.
January 12, 2012:
The following have been released:
cert-forensics-tools-release-{13,14,15,16,5.7,6}-7.noarch.rpm - This package was added to provide the new
CERT Forensics Repository Key. The fingerprint for this key is:
AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4.
You must do the following as root to install this new package before updating
existing packages installed from our repository:
yum update cert-forensics-tools-release
You can then do the following as root to install any other updates for your system:
yum update
In addition, all of the packages in the Fedora 13, 14, 15, 16, and RHEL/CentOS repositories have been resigned with this new key.
CERT-Forensics-Tools-1.0-36.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm -
This package was updated to include the following:
shellbags for Fedora 14, 15, and 16.
KHracker for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
md5dump for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
tcpflow for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
registrydecoder for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
xplico for Fedora 13, 14, 15, and 16.
snort for Fedora 13, 14, 15, and 16.
snort-sample-rules for Fedora 13, 14, 15, and 16.
shellbags-0.5.1-2.{fc14,fc15,fc16}.noarch.rpm - Microsoft Windows uses a set of
registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. Shellbags persist information for
directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions.
See Using shellbag information to reconstruct user activities for an overview of the
investigative value of shellbags. Shellbags is installed in the Fedora 14, 15, and 16 versions of the repository.
python-registry-0.2.3-1.{fc14,fc15,fc16}.{i386,x86_64}.rpm - Python-registry provides read-only access
to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks,
and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. python-registry is written in pure
Python, making it portable across all major platforms. Python-registry is installed in the Fedora 14, 15, and 16 versions of the repository.
This package is required by shellbags.
KHracker-0.3-1.noarch.rpm - KHracker is a python-based decryption tool for encrypted known_hosts entries. It will
attempt to decrypt values stored in SSH known_hosts files, if the encryption option has been enabled for that computer. By default, known_hosts
entries are not encrypted, but there is an option to do so. From a forensics perspective, encrypted known_hosts entries can prevent an
investigator from seeing other computers to which a user may have been connecting. Information about the connections made from a system can be integral to
gaining a complete understanding of the systems involved in a network intrusion or incident response case.
python-netaddr-0.7.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64} - python-netaddr is a pure Python network address
representation and manipulation library. It provides a Pythonic way of working with:
IPv4 and IPv6 addresses and subnets
MAC addresses, OUI and IAB identifiers, IEEE EUI-64 identifiers
arbitrary (non-aligned) IP address ranges and IP address sets
various non-CIDR IP range formats such as nmap and glob-style formats
Included are routines for:
generating, sorting and summarizing IP addresses and networks
performing easy conversions between address notations and formats
detecting, parsing and formatting network address representations
performing set-based operations on groups of IP addresses and subnets
working with arbitrary IP address ranges and formats
accessing OUI and IAB organisational information published by IEEE
accessing IP address and block information published by IANA
This package is required by KHracker.
md5deep-4.0.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
Here is the list of new features:
Rewrote most of the program in C++.
Enabled multiprocessor support on all platforms.
Removed ten character limit on file size mode.
January 3, 2012:
The following have been released:
aff{lib,lib-devel,tools}-3.6.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.6.15/ChangeLog after the package has been installed.
fiwalk-0.6.16-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Fiwalk
is a program that processes a disk image using the SleuthKit library and outputs its results in
Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the
Weka Datamining Toolkit, or an easy-to-read textual format.
See /usr/share/doc/fiwalk-0.6.16/ChangeLog after the package has been installed.
bulk_extractor-1.1.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor
also creates histograms of the features it finds, since features that are more common tend to be more important.
See /usr/share/doc/bulk_extractor-1.1.3/ChangeLog after the package has been installed.
tcpflow-1.0.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program
that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging.
Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump
packet flows.
ddrescue-1.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
See /usr/share/doc/ddrescue-1.15/ChangeLog after the package has been installed.
libewf{,-devel,-tools}-20111231-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1
API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
libfixbuf{,-devel}-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
This version contains bug fixes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.5-6.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
yaf{,-devel}-2.1.2-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
perl-Parse-Evtx-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx
is a Windows Event Log Parser library and tools collection.
xmount-0.4.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.
December 8, 2011:
The following have been released:
Fedora 16 - The repository now supports Fedora 16
for the i386 and x86_64 CPU architectures.
registrydecoder-20111108-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - registrydecoder
is a tool for the acquisition, analysis, and reporting of registry contents.
regripper-20111118-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool.
This version includes version 20111118 of the plugins from here.
log2timeline-0.62-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
[OPENVPN input] New input module, designed to parse the OpenVPN log files.
[L2T_PROCESS] Added a few more allowed characters in the keyword list
[proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
[Log2Timeline library] Fixed a bug where, when the 'all' modules option is used (or -f is omitted), no modules get loaded
Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
Fixed a small bug where the tool would crash if the local timezone was used.
Fixed a small bug where the tool is not able to find the default directory (. does not exist) or if the file in
question does not really exist that the tool is pointing to... that made the tool return a double error instead of
just dying on the first one.
The tool will now accept a separate output timezone so the tool can output in a different timezone than the hosts one.
[log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
[CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports different output
timezone than the host one.
[EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX that is
somehow broken and the function get_next_event dies. If the tool runs into such an occurrence it returned an empty
timestamp object, that in turn let the tool query for it again, thus possibly getting into an endless loop.
Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
[log2timeline-sift] Moved the mount command out of the script and into the configuration file
Changed the mount command, since there were few errors with the previous one
Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call)
xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder.
See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of
Python Version 3 support.
guymager-0.6.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.5.9):
Better HPA/DCO log output
Bug removed where acquisition hash codes were not shown in info file if verification was aborted.
Additional State Info added
New configuration parameter DirectIO
Setting sectors per chunk correctly for libewf
Removed full path of image file names from .info file, only show the image filename
New thread debugging messages
New EWF module reduces memory footprint significantly.
Possibility to compute MD5 hashes of the individual image files and write them to the .info file.
Better log output always contains acquired device
Bug removed where libewf only did empty block compression (slight API change in libewf20100226)
Compression problem with libewf20100226 fixed
Wrong file size check in acquisition dialog corrected
October 20, 2011:
The following have been released:
regripper-20111014-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool.
This version includes the version 20111014 plugins from here.
October 13, 2011:
The following have been released:
daq-0.6.2-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library
used by snort.
snort{,mysql,postgresql,unixODBC}-2.9.1.1-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm -
Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
snort-sample-rules-1.0-1.{fc12,fc13,fc14,fc15,el6}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the
snort rules page to acquire a current set of snort rules.
libewf{,-devel,-tools}-20111016-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1
API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
nmap{,-frontend}-5.51-3.{fc12,fc13,fc14,el5,el6}.{i386,x86_64}.rpm - Nmap is a free and open source utility for
network exploration or security auditing. See the change log for details.
CERT-Forensics-Tools-1.0-33.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
This package was updated to select a correct version of the
libewf-tools package.
October 13, 2011:
The following have been released:
dff-1.2.0-2.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. This release fixes incorrect directory permissions and adds python-apsw as a dependency.
python-apsw-3.6.7_r1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Another Python SQL wrapper (python-apsw)
is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite
it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
October 12, 2011:
The following have been released:
libewf{,-devel,-tools}-20111011-1.{fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf
is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1
API is required, install a version of libewf-devel from 2010, for example version 20100226.
This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both
libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
This version provides a set of tools (libewf-tools) that replace ewftools.
xmount-0.4.5-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. Release 2 of xmount was made to use Version 2 of the
libewf API.
sleuthkit{,-devel,-libs}-3.2.3-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data. See the included NEWS.txt for a list of
changes. Note that this version has been built using Version 2 of the libewf API.
dff-1.2.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers
and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user
interface with a modular and cross-platform architecture. DFF is a free and Open Source platform dedicated to digital forensic and eDiscovery sciences. Note that this
version requires the Version 2 API of libewf. Note that CentOS/RHEL 5 is not supported in this release.
CERT-Forensics-Tools-1.0-32.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
This package was updated to add these packages:
libewf-tools
and remove these packages:
ewftools
October 4, 2011:
The following have been released:
bulk_extractor-1.0.7-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor
also creates histograms of the features it finds, since features that are more common tend to be more important.
reglookup-1.0.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup
package version 1.0.0 was installed for all supported architectures.
ssdeep-2.7-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes.
yaf{,-devel}-2.1.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes in this version:
Added new --plugin-conf switch for adding a configuration file to a plugin
Added new --p0f-fingerprints switch to give location of p0f fingerprint files
Bug Fixes
log2timeline-0.61-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
Bug fixes
Changes to sqlite output
User contributed new input modules
September 13, 2011:
The following have been released:
libfixbuf{,-devel}-1.0.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
This version contains bug fixes.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.5-5.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.
yaf{,-devel}-2.1.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.
September 9, 2011:
The following have been released:
regripper-20110830-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool.
This version includes the version 20110830 plugins from here.
August 23, 2011:
The following have been released:
ataraw-0.2.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - ATAraw
allows user-level Linux programs to send arbitrary commands to ATA and SATA devices. The system currently supports programmed IO and DMA modes,
but does not support asynchronous or multiple-queued commands.
bloom-1.4.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Bloom
is an NPS bloom filter package that includes the frag_find utility.
bulk_extractor-1.0.2-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor
also creates histograms of the features it finds, since features that are more common tend to be more important.
jafat-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - JAFAT
is an assortment of tools to assist in the forensic investigation of computer systems.
log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
This version removes perl-Parse-Evtx since that is now a separate package.
perl-Parse-Evtx-1.0.8-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-Parse-Evtx
is a Windows Event Log Parser library and tools collection.
tln_tools-20110729-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - tln_tools
are time line tools.
Volatility-2.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License,
for the extraction of digital artifacts from volatile memory (RAM) samples. This version adds the following plugins from the Malware Analyst's Cookbook:
apihooks - API hooks
callbacks - system-wide notification routines
devicetree - device tree
driverirp - IRP hook detection
gdt - Global Descriptor Table
idt - Interrupt Descriptor Table
impscan - a module for imports (API calls)
ldrmodules - unlinked DLLs
malfind - hidden and injected code
psxview - hidden processes with various process listings
ssdt_ex - Hook Explorer for IDA Pro (and SSDT by thread)
svcscan - for Windows services
threads - _ETHREAD and _KTHREADs
These plugins required the following additional packages:
yara-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input.
yara-python-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara-python is a Python extension that
gives access to YARA's powerful features from Python scripts.
distorm3-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight,
easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2,
SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
xmount-0.4.5-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using
FUSE (Filesystem in Userspace)
that contains a virtual representation of the input image. The virtual representation can be in raw DD,
VirtualBox's virtual disk file format or in
VMware's VMDK file format. Input images can be raw DD,
EWF (Expert Witness Compression Format) or
AFF (Advanced Forensic Format)
files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot
acquired harddisk images using QEMU, KVM,
VirtualBox, VMware or alike.
CERT-Forensics-Tools-1.0-31.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
This package was updated to add these packages:
ataraw
bloom
bulk_extractor (not for Fedora 12 nor CentOS/RHEL 5)
bulk_extractor-stoplist (not for Fedora 12 nor CentOS/RHEL 5)
fiwalk (not for Fedora 12 nor CentOS/RHEL 5)
jafat
perl-Parse-Evtx
tln_tools
xmount
August 16, 2011:
The following have been released:
yaf{,-devel}-2.1.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes in this version:
Important bug fix for application labeling SSL plugin.
August 10, 2011:
The following have been released:
dff-1.1.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both
a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers
and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user
interface with a modular and cross-platform architecture. DFF is a free and Open Source platform dedicated to digital forensic and eDiscovery sciences. The following
additional packages were changed or installed in support of DFF:
aff{lib,lib-devel,tools}-3.6.12-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. This version includes static versions of the libraries.
libpff-20110413-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libpff is a library
and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal
Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
libbfio{,devel}-20110625-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access. Static and dynamic versions of the libraries are provided.
dc3dd-7.1.614.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that
includes several features useful for computer forensics. New in this version are the following:
Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
Verification of an image restored to a device larger than the image is now supported. Specify phod=DEVICE to hash only
the bytes dc3dd writes to the device. Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all
the bytes that follow, up to the end of the device.
CERT-Forensics-Tools-1.0-30.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
This package was updated to add the
DFF package. Note that DFF is not provided for CentOS/RHEL version 5.
August 3, 2011:
The following have been released:
Volatility-2.0-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This package was updated
because the versions for RHEL/CentOS were incorrectly configured.
regripper-20110518-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool.
This version installs all of the plugins available at this link.
perl-DateTime-Format-WindowsFileTime-0.02-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
perl-DateTime-Format-WindowsFileTime converts a
Windows FILETIME into a DateTime object. The Windows FILETIME structure holds a date and time associated with a file. The structure identifies a 64-bit integer
specifying the number of 100-nanosecond intervals which have passed since January 1, 1601. This package was built and installed in support of regripper.
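The FILETIME conversion described above, as an added Python example that is not part of perl-DateTime-Format-WindowsFileTime or regripper; the function names and the sample byte string are constructed for illustration:

```python
"""Decode and encode Windows FILETIME values (added example).

A FILETIME is an unsigned 64-bit count of 100-nanosecond intervals since
1601-01-01 00:00:00 UTC.  On disk (registry values, MFT attributes) it is
stored as 8 little-endian bytes; in the Win32 FILETIME struct it is split
into dwLowDateTime and dwHighDateTime.  Function names here are hypothetical.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Ticks between 1601-01-01 and 1970-01-01 (11644473600 s * 10**7).
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime.

    Python datetimes carry microseconds, so the last decimal digit of the
    tick count (the 100 ns part) is truncated.  Values beyond what datetime
    can hold (year > 9999) raise ValueError; 0 decodes to the 1601 epoch,
    which forensic tools usually display as "unset".
    """
    if not 0 <= ft < 1 << 64:
        raise ValueError(f"FILETIME must fit in 64 unsigned bits: {ft}")
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError as exc:
        raise ValueError(f"FILETIME {ft} is beyond year 9999") from exc


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; naive datetimes are assumed to be UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    # timedelta is exact in whole microseconds; scale to 100 ns ticks.
    micros = (delta.days * 86_400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian form found in registry/NTFS data."""
    if len(raw) != 8:
        raise ValueError("FILETIME on disk is exactly 8 bytes")
    (ft,) = struct.unpack("<Q", raw)
    return filetime_to_datetime(ft)


def filetime_from_dwords(low: int, high: int) -> datetime:
    """Decode the Win32 struct form (dwLowDateTime, dwHighDateTime)."""
    return filetime_to_datetime((high << 32) | (low & 0xFFFFFFFF))


# Constructed sample: the 8 bytes a registry value would hold for
# 2011-08-03 00:00:00 UTC (not taken from any real hive).
SAMPLE_RAW = struct.pack("<Q", datetime_to_filetime(datetime(2011, 8, 3)))

if __name__ == "__main__":
    print(filetime_from_bytes(SAMPLE_RAW).isoformat())
    print(filetime_to_datetime(UNIX_EPOCH_FILETIME).isoformat())
```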
August 1, 2011:
The following has been released:
Volatility-2.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely
independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
See here for the list of changes.
July 29, 2011:
The following have been released:
md5deep-3.9.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
yaf{,-devel}-2.1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes in this version:
New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element (see yaf)
Reset Application Label on UDP-uniflows for Deep Packet Inspection
Fixed yafscii invalid parameter bug that may have existed on certain platforms
Added VNC (RFB Protocol) application label
DPI Enhancements
FlowEndReason IPFIX field is now set to 31 for udp-uniflows
For Cygwin: Added support for getting the yaf config directory via the Windows Registry
Several other bug fixes
July 8, 2011:
The following has been released:
guymager-0.5.9-1.{fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes
since the last release (0.5.7):
The 2GiB limit for EWF files no longer exists (the max. size now is 8EiB)
A new AutoExit function has been added. If activated, guymager ends as soon as all acquisitions have terminated successfully.
By means of the program's exit code, a script might decide, for instance, to shut down the system. This feature is
interesting for acquisitions taking place overnight or during the weekend.
A new menu point in Gnome allows for launching Guymager from the menu Application / System tools.
The problems with UDisks under KDE / Kubuntu no longer exist.
June 23, 2011:
The following have been released:
DropboxReader-1.0-1.{fc11,fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - The DropboxReader
package version 1.0 was installed for all supported architectures. Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with
the Dropbox cloud storage software.
CERT-Forensics-Tools-1.0-29.{fc11,fc12,fc13,fc14,fc15,el6,el6}.noarch.rpm -
This package was updated to add the
DropboxReader package.
June 22, 2011:
The following have been released:
grokevt-0.5.0-2.{fc11,fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The grokevt
package version 0.5.0 was installed for all supported architectures.
Here are the changes since the previous version (0.4.1):
Redesigned grokevt-builddb to use RegLookup's pyregfi library instead of executing the command line tools
Added work-around for the fact that many Linux distributions no longer make case-insensitive filesystem mounts easy
Support for Python 3
Changed license to GPLv3
Various unicode and other bug fixes
reglookup-1.0.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup
package version 1.0.0 was installed for all supported architectures, except for Fedora 11.
Here are the changes since the previous version (0.4.0):
SK records and security descriptors now accessible in pyregfi
Added key caching to regfi, reintroduced SK caching
Minor API simplifications and improved documentation
Numerous bug fixes
Made regfi a proper library and made major improvements to the API
Added Python bindings (pyregfi) for regfi
Replaced Make-based build system with a SCons-based one
Numerous improvements in regfi for multithreaded use, memory management
Improved API documentation
June 15, 2011:
The following have been released:
lame{,-libs}-3.98.4-1.fc14.{i686,x86_64}.rpm - The lame and lame-libs
packages version 3.98.4 were installed in the Fedora 15 repository for the i386 and x86_64 architectures.
These additions make the repository dependent only upon the Fedora and Fedora Updates repositories.
SiLK - SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The only change for version 2.4.5 release 4 was to recompile all of the tools to use the local timezone for command inputs and for printing records.
Files continue to be stored by UTC time.
June 14, 2011:
The following have been released:
sleuthkit-{,devel,libs,debuginfo}-3.2.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
yaf{,-devel}-2.0.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes in this version:
Improvements with Reassembly of TCP Fragments
Bug Fix for DNS Deep Packet Inspection
--no-frag switch now works
Bug Fix for expiring flows that exceed the idle timeout when reading from a file
Added the ability to configure YAF with WinPCAP
June 9, 2011:
The following has been released:
Volatility-1.4_rc1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in
Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely
independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
June 8, 2011:
The following have been released:
libfixbuf{,-devel}-1.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
SiLK -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.1 packages.
yaf{,-devel}-2.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes:
This version requires libfixbuf 1.0.0 or greater.
Bug Fix for compile error with --enable-daginterface
Enhancement for SNMPv3 application labeler
md5deep-3.9.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
etherape-0.9.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after
etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.
June 6, 2011:
The following have been released:
aff{lib,lib-devel,tools}-3.6.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.6.11/ChangeLog after the package has been installed.
log2timeline-0.60-1.{fc11,fc12,fc13,fc14,fc15,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
See /usr/share/doc/log2timeline-0.60/CHANGELOG after the package has been installed. Note that the program glog2timeline has been removed from this release, but may
reappear in the future.
ssdeep-2.6-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered
piecewise hashes (CTPH), also called fuzzy hashes.
xplico-0.6.3-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
32 and 64 bit
new decoding manager (DeMa): version 0.3.1
mfile manipulator (HTTP file transfer) bug fixes
WebMail scripts improved
HTTP dissector improved
XI: upgraded the javascript libraries
May 23, 2011:
The following have been released:
FC14-foren-2011-01-{i386,x86-64} - These items are VMware-based forensic appliances built with Fedora 14 for the i386 and x86_64 architectures.
Please note that they are not live CDs.
See this document
that explains how to download, install, and operate the appliance.
testdisk-6.12-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
May 10, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository, except as noted:
ddrescue-1.14-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Ddrescue
is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.
Here are the changes:
Added new option `-R, --reverse'.
Added new option `-E, --max-error-rate'.
Extended syntax `--max-errors=+N' to specify new errors.
Changed short name of option `--retrim' to `-M'.
Removed spurious warning about `preallocation not available'.
Code reorganization. New class `Genbook'.
gparted-0.8.0-1.{fc11,fc12,fc13,fc14}.{i386,x86_64}.rpm - Gparted
is a free partition editor for graphically managing your disk partitions
See the release notes for details.
Note that this update does not apply to the CentOS repositories.
nmap{,-frontend}-5.51-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Nmap is a free and open source utility for
network exploration or security auditing. See the change log for details.
p7zip{,-plugins}-9.20.1-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - P7zip
is a quick port of 7z.exe and 7za.exe (command line version of 7zip, see www.7-zip.org) for Unix. 7-Zip is a file archiver with the highest compression ratio.
Here are the changes:
7-Zip now supports LZMA2 compression method.
7-Zip now can update solid .7z archives.
7-Zip now supports XZ archives.
7-Zip now supports PPMd compression in ZIP archives.
7-Zip now can unpack NTFS, FAT, VHD, MBR, APM, SquashFS, CramFS, MSLZ archives.
7-Zip now can unpack GZip, BZip2, LZMA, XZ and TAR archives from stdin.
7-Zip now can unpack some TAR and ISO archives with incorrect headers.
7-Zip now supports files that are larger than 8 GB in TAR archives.
NSIS and WIM support was improved.
Partial parsing for EXE resources, SWF and FLV.
The support for archives in installers was improved.
7-Zip can now store NTFS file timestamps in ZIP archives.
Speed optimizations in PPMd codec.
Speed optimizations in CRC calculation code for Intel's Atom CPUs.
New -scrc switch to calculate total CRC-32 during extracting / testing.
7-Zip File Manager now doesn't use temp files to open nested archives stored without compression.
Disk fragmentation problem for ZIP archives created by 7-Zip was fixed.
Some bugs were fixed.
New localizations: Hindi, Gujarati, Sanskrit, Tatar, Uyghur, Kazakh.
Not in p7zip: Speed optimizations in AES code for Intel's 32nm CPUs.
libfixbuf{,-devel}-1.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
Here are the changes:
Added functionality to adhere to the proposed IPFIX extension: "Export of Structured Data in IPFIX". This proposed standard allows for the following three new data types.
Added new data type: fbBasicList_t to house fixbuf "basicLists."
Added new data type: fbSubTemplateList_t to house fixbuf "subTemplateLists."
Added new data type: fbSubTemplateMultiList_t to house fixbuf "subTemplateMultiLists."
Added the functionality to handle multiple listeners, allowing for connections on multiple ports.
Support for Netflow V9.
Spread support has been expanded to allow for greater flexibility in using one exporter to publish to multiple groups.
Templates are now managed on a per-group basis for a Spread exporter.
Templates can now be multicasted to select Spread groups.
Default Automatic Mode for Listeners is now set to true.
Many other bug fixes.
yaf{,-devel}-2.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools to do
flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from
pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter,
aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX
files) on the local file system.
Here are the changes:
YAF now exports TCP, payload, finger printing, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
Added the ability to export YAF capture statistics using IPFIX Options Templates.
The --stats or --no-stats were added to configure YAF stats output.
Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
Added a time-out buffer flush function.
Added SSL Certificate Capture.
Added DNS Resource Record Parsing.
Added Deep Packet Inspection for the MySQL protocol.
The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
Deep Packet Inspection elements are read from one configuration file.
Added the ability to create new DPI elements from the configuration file.
Added UDP Export and Template Retransmission.
Many Bug fixes and other enhancements.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.5-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.0 packages.
unrar-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm and
libunrar{,-devel}-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - UNrar is a freeware program for extracting, testing and
viewing the contents of archives created with the RAR archiver version 1.50 and above.
See the news for a list of changes.
May 6, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
aff{lib,lib-devel,tools}-3.6.11-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.6.11/ChangeLog after the package has been installed.
xplico-0.6.2-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
l7-patterns for all flows/protocols not decoded by xplico
Xplico Interface (XI) improved
python3 porting of many scripts
realtime capture module improved
facebook chat realtime views
UTC/localtime bug fixes
l2tp dissector bug fixes
cli and lite dispatchers bug fixes
telnet dissector bug fixes
April 26, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
md5deep-3.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
scalpel-2.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of scalpel.
April 18, 2011:
The following has been released:
aff{lib,lib-devel,tools}-3.6.10-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.6.10/ChangeLog after the package has been installed.
April 14, 2011:
The following have been released:
aff{lib,lib-devel,tools}-3.6.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
See /usr/share/doc/afflib-3.6.9/ChangeLog after the package has been installed.
log2timeline-0.52-1.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
This version contains a few bug fixes, new modules, and a new tool called l2t_process. See /usr/share/doc/log2timeline-0.52/CHANGELOG after the package has been installed.
To build and install this package for CentOS, the following Perl modules were installed:
perl-Compress-Raw-Zlib-2.033-1.el5.{i386,x86_64}.rpm - See here for details.
perl-Archive-Zip-1.30-1.el5.noarch.rpm - See here for details.
April 12, 2011:
The following has been released:
ptfinder-0.3.05-2.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - ptfinder
searches a memory dump of a system running Microsoft Windows for traces of processes and threads. This release adds support for Vista, Windows Server 2003,
Windows 2000, and Windows XP to the already supported Windows XP SP 2.
March 22, 2011:
The following have been released:
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.4.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
yaf{,-devel}-1.3.2-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - YAF is Yet Another Flow sensor. It processes packet data from pcap(3) dumpfiles
as generated by tcpdump(1) or via live capture from an interface using pcap(3) or an Endace DAG card into bidirectional flows, then exports those flows to
IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can be used with the NetSA Aggregated Flow (NAF) toolchain.
The yaf-devel package contains static libraries and C header files for yaf.
aff{lib,lib-devel,tools}-3.6.8-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
CERT-Forensics-Tools-1.0-28.fc{11,12,13,14}.noarch.rpm -
This package was updated to add the SiLK and YAF tools.
March 16, 2011:
The following has been released:
FC14-foren-2011-01-i386-RC2 - This item is the second release candidate for the VMware-based forensic appliance built with Fedora 14. Please note that this
is not a live CD.
See this document
that explains how to download, install, and operate the appliance.
This release candidate has PTK Version 1.0.5, a reengineered desktop, and phpMyAdmin.
March 14, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
ptk-1.0.5-1.fc{11,12,13,14}.noarch.rpm - PTK is a computer forensic framework for the command line
tools in the SleuthKit plus many more modules. PTK uses MySQL, which is assumed to be configured (using the
command line tool mysql_secure_installation or equivalent) and operating. It also assumes a web server, for example
Apache, that is likewise configured and operational.
CERT-Forensics-Tools-1.0-27.fc{11,12,13,14}.noarch.rpm -
This package was updated to add the PTK tool.
March 1, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
xplico-0.6.1-6.fc{12,13,14}.{i386,x86_64}.rpm and xplico-0.6.1-6.fc11.i386.rpm - xplico is an Internet traffic decoder.
This release no longer automatically configures xplico to automatically start on system boot. This configuration should be done in tandem with the configuration
of httpd upon which it relies.
sleuthkit-{,devel,libs,debuginfo}-3.2.1-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
February 28, 2011:
The following has been released:
FC14-foren-2011-01-i386-RC1 - This item is a VMware-based forensic appliance built with Fedora 14. Please note that this
is not a live CD.
See this document
that explains how to download, install, and operate the appliance.
February 24, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
gpart-0.1h-12.fc12.i686.rpm - This package was copied from the Fedora 12 and Fedora 13 i386 releases to the CERT x86_64 Fedora 12 and 13 repositories.
gpart-0.1h-13.fc14.i686.rpm - This package was copied from the Fedora 14 i386 release to the CERT x86_64 Fedora 14 repository.
CERT-Forensics-Tools-1.0-26.fc{11,12,13,14}.{i386,x86_64}.rpm -
This package was updated to make the
gpart package no longer conditional on the i386 architecture.
See here for more information.
February 23, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
CERT-Forensics-Tools-1.0-24.fc{11,12,13,14}.noarch.rpm -
This package was updated to reflect the addition of
the xplico dependency for all supported architectures. Xplico 0.6.1 was previously released
on December 10, 2010.
etherape-0.9.10.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman.
Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.
February 10, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
dc3dd-7.0.0.fc{11,12,13,14}.{i386,x86_64} - dc3dd is a patched version of GNU dd to
include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
Pattern writes. The program can write a single hexadecimal value or a text string to the output device for wiping purposes.
Piecewise and overall hashing with multiple algorithms. Supports MD5, SHA-1, SHA-256, and SHA-512.
Progress meter with automatic input/output file size probing.
Combined log for hashes and errors.
Error grouping. Produces one error message for identical sequential errors.
Verify mode. Able to hash output files and compare hashes to the acquisition hash.
Ability to split the output into chunks with numerical or alphabetic extensions.
Ability to write multiple output files simultaneously.
January 31, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
CERT-Forensics-Tools-1.0-23.fc{11,12,13,14}.noarch.rpm -
This package was updated to reflect the conditional addition of
the gpart dependency only for the x86 architecture.
January 17, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
CERT-Forensics-Tools-1.0-22.fc{11,12,13,14}.noarch.rpm -
This package was updated to reflect the addition of all of the following tool and supporting package:
gpart - gpart is a tool which tries to guess the primary partition table of a PC-type hard disk
in case the primary partition table in sector 0 is damaged, incorrect or deleted. The guessed table can be written to a file or device. Supported (guessable) filesystem or partition types:
DOS/Windows FAT (FAT 12/16/32)
Linux ext2
Linux swap partitions versions 0 and 1 (Linux >= v2.2.X)
OS/2 HPFS
Windows NTFS
*BSD disklabels
Solaris/x86 disklabels
Minix FS
Reiser FS
Linux LVM physical volume module (LVM by Heinz Mauelshagen)
January 11, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
etherape-0.9.9.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman.
Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color-coded.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.
January 10, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
nmapfe - nmapfe is a convenient X Window front end for the
Nmap Security Scanner. Most of the options correspond directly to Nmap options, which are described in detail in the Nmap man page. We recommend you read that first. There is also limited help available via the NmapFE "Help" menu.
etherape - etherape is a graphical network monitor for Unix modeled after etherman.
Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color-coded.
It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
CERT-Forensics-Tools-1.0-21.fc{11,12,13,14}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
January 4, 2011:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
aff{lib,lib-devel,tools}-3.6.6-2.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
December 20, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 13, and 14 versions of the cert repository:
md5deep-3.7-1.fc{11,12,13,14}.*.rpm - This package was updated to reflect the new version of md5deep.
December 16, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
log2timeline-0.51-1.fc{12,13,14}.{i386,x86_64}.rpm and log2timeline-0.51-1.fc11.i386.rpm -
log2timeline is a framework for the automatic creation of a super timeline.
perl-Mac-PropertyList-1.33-1.fc1{1,2,3,4}.noarch.rpm -
perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format.
log2timeline-0.51 uses this package.
December 10, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
xplico-0.6.1-5.fc{12,13,14}.{i386,x86_64}.rpm and xplico-0.6.1-5.fc11.i386.rpm - xplico is an Internet traffic decoder.
It has both a command-line interface and a Web interface (using http://localhost:9876). Please note that this version
preserves previous instances of the xplico database that contains created cases and uploaded sessions.
November 30, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
xplico-0.6.0-10.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.0-10.fc11.i386.rpm - xplico is an Internet traffic decoder.
It has both a command-line interface and a Web interface (using http://localhost:9876).
November 17, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
ssldump - ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the
chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it
decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also
decrypt the connections and display the application data traffic.
socat - socat is a command line based utility that establishes two bidirectional byte streams and
transfers data between them.
CERT-Forensics-Tools-1.0-20.fc{11,12,13,14}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
November 16, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
{libunrar,libunrar-devel,unrar}-3.9.10-3.fc1{1,2,3,4}.{i386,x86_64}.rpm - UnRAR is a RAR archive unarchiver.
aff{lib,lib-devel,tools}-3.6.4-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
November 11, 2010:
The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
sleuthkit-{,devel,libs,debuginfo}-3.2.0-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
November 5, 2010:
Fedora 14 - The repository now supports Fedora 14
for the i686 and x86_64 CPU architectures.
October 25, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
aff{lib,lib-devel,tools}-3.6.3-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
October 4, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
aff{lib,lib-devel,tools}-3.6.2-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files
using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
FC12-foren-2010-02 - The CERT Forensics Appliance, a VMware-based Fedora 12
system was released. Please note that this is a VMware guest but it is not a Live CD. You must install the VMware files from the downloaded ISO image. See the README.txt
for details.
August 17, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
hachoir-core-1.3.4-1.fc{10,11,12,13}.*.rpm - hachoir-core is a Python library used to represent a binary file as a tree of Python objects.
hachoir-metadata-1.3.3-1.fc{10,11,12,13}.*.rpm - hachoir-metadata is a tool that extracts metadata from multimedia files: music, picture, video, and archives.
hachoir-parser-1.3.5-1.fc{10,11,12,13}.*.rpm - hachoir-parser is a Python library used by the hachoir tool suite to parse binary files.
hachoir-regex-1.0.5-1.fc{10,11,12,13}.*.rpm - hachoir-regex is a Python library used for regular expression (regex or regexp) manipulation.
hachoir-subfile-0.5.3-1.fc{10,11,12,13}.*.rpm - hachoir-subfile is a tool that finds subfiles in any binary stream.
hachoir-urwid-1.1-1.fc{10,11,12,13}.*.rpm - hachoir-urwid is a binary file explorer based on Hachoir library to parse the files.
hachoir-wx-0.3.1-1.fc{10,11,12,13}.*.rpm - hachoir-wx is a wxWidgets-based program that's meant to provide a
(more) user-friendly interface to the facilities provided by the hachoir binary parser core.
CERT-Forensics-Tools-1.0-18.fc{10,11,12,13}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
scrounge-ntfs-0.9-1.fc{10,11,12,13}.*.rpm - scrounge-ntfs, which was also added to the repository.
CERT-Forensics-Tools-1.0-17.fc{10,11,12,13}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
August 4, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
ssdeep-2.5-1.fc{10,11,12,13}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
August 2, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
sfdumper-2.2-1.fc1{0,1,2,3}.noarch.rpm - Sfdumper is a selective file dumper script.
July 23, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
sleuthkit-{,devel,libs,debuginfo}-3.1.3-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
ghex-2.2?.?-?.fc{10,11,12}.*.rpm - The ghex Gnome Hex Editor was added.
CERT-Forensics-Tools-1.0-16.fc{10,11,12}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
NOTE: These modules represent the last modules to be built for Fedora 8 and Fedora 9.
June 22, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, 12, and 13 versions of the cert repository:
log2timeline-0.43.1.fc{8,9,10,11,12,13}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.
June 11, 2010:
The following packages and tools have been updated in the Fedora 10, 11, 12, 13 versions of the cert repository:
libguytools-2.0.1-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
guymager-0.5.3beta1-2.fc1{0,1,2,3}.{i686,x86_64}.rpm - Guymager is a forensic imaging package.
sleuthkit-{,devel,libs,debuginfo}-3.1.2-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
June 10, 2010:
Fedora 13 x86_64 is now supported by the repository.
June 8, 2010:
Fedora 13 i386 is now supported by the repository.
April 6, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
autopsy-2.24-1.fc{8,9,10,11,12}.noarch.rpm - This package was updated to reflect the new version of autopsy.
April 5, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
rifiuti2-0.5.1-1.fc{8,9,10,11,12}.*.rpm - rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.
stegdetect-0.61-1.fc{8,9,10,11,12}.*.rpm - stegdetect is an automated tool for detecting steganographic content in images.
regripper-2008909-1.fc{8,9,10,11,12}.*.rpm - regripper is a Windows Registry data extraction and correlation tool.
rar-3.9.3-1.fc{8,9,10,11,12}.*.rpm - rar is a compression and decompression program.
unrar-3.8.4-1.fc{8,9,10,11,12}.*.rpm - unrar is for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above.
missidentify-1.0-1.fc{8,9,10,11,12}.*.rpm - missidentify is a program to find Win32 applications.
log2timeline-0.42.1.fc{8,9,10,11,12}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.
CERT-Forensics-Tools-1.0-14.fc{8,9,10,11,12}.noarch.rpm -
This package was updated to reflect the addition of all of the following tools and supporting packages:
March 25, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
md5deep-3.6-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of md5deep.
March 18, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
reglookup-0.12-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of reglookup.
March 8, 2010:
The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
autopsy-2.23-1.noarch.rpm - Version 2.23 was installed. Here are the changes since the previously installed (2.21) version:
--------------------------- Version 2.23 --------------------------------
2/12/10: bug fix: resolved issue 2950693 where previous searches were not shown
  if they used quotes.
2/12/10: bug fix: resolved issue 2932385 where the wrong flag was being used to do
  only category searching.
2/12/10: bug fix: resolved issue 2779244 where the wrong sorter path was being used.
--------------------------- Version 2.22 --------------------------------
10/27/09: Update: Change istat to use -B instead of -b (new change in TSK).
11/19/09: Update: Improved configure script process and error message
for FILE_EXE check.
11/25/09: Fixed MD5 exe bug when building live CD
12/30/09: Fixed issue 2923857 re: cookie errors for the icon and css file
links when cookies are used.
ssdeep-2.4-1.fc{8,9,10,11,12}.i686.rpm - Version 2.4 was installed. Here are the changes made since the previously installed (2.3) version:
** Version 2.4 - 25 Feb 2010
Added -k mode to compare unknown signatures against known signatures.
March 4, 2010:
The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.
The following packages and tools have been updated in the Fedora 12 version of the cert repository:
CERT-Forensics-Tools-1.0-10.fc12.noarch.rpm -
This package was updated but, in essence, no changes were made.
memdump-1.01-2.fc12.*.rpm - This package is now made from source and has been moved from the memdump repository to the cert repository.
fatback-1.3-1.fc12.*.rpm - This package is now made from source and has been moved from the fatback repository to the cert repository.
March 3, 2010:
The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
foremost-1.5.7-1.fc{8,9,10,11,12}.i386.rpm - This package was updated to reflect the new version of foremost.
splunk-4.0.9-74233.i386.rpm - Splunk, version 4.0.9, build 74223. See the release notes
here.
March 2, 2010:
The following packages and tools have been updated in the Fedora 9, 10, 11, and 12 versions of the cert repository:
CERT-Forensics-Tools-1.0-5.fc{9,10,11,12}.noarch.rpm -
This update includes nmap as a dependency. This release of nmap includes ncat,
an improved version of the netcat program.
February 19, 2010:
The following packages and tools have been updated in the Fedora 10, 11, and 12 versions of the cert repository:
guymager-0.4.2-1.fc1{0,1,2}.i686.rpm - Guymager is a forensic imaging package.
libguytools-1.1.1-1.fc1{0,1,2}.i686.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
sfdumper-2.1-1.fc1{0,1,2}.noarch.rpm - Sfdumper is a selective file dumper script.
mount_ewf-20090113-1.fc1{0,1,2}.noarch.rpm - Mount_ewf is a script that mounts EWF files as mounted images using the loopback capability.
fundl-2.0-1.fc1{0,1,2}.noarch.rpm - Fundl is a script that uses the Sleuthkit for recovering deleted files.
cryptcat-1.2.1-1.fc1{0,1,2}.i686.rpm - Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.
CERT-Forensics-Tools-1.0-4.fc1{0,1,2}.noarch.rpm -
This update includes the following tools as dependencies:
February 8, 2010:
All of the Fedora 8 packages have been signed with the new CERT Forensics Team GPG key.
To use this key, you must install the cert-forensics-tools-release-8-3.noarch.rpm package first.
In addition, the following tools have been updated in the Fedora 10 version of the cert repository:
CERT-Forensics-Tools-1.0-4.fc8.noarch.rpm -
This update includes dc3dd as a dependency.
cert-forensics-tools-release-8-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
dcfldd-1.3.4.1-2.fc8.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
foremost-1.5.6-1.fc8.i386.rpm - This package was updated to reflect the new version of foremost.
md5deep-3.5.1-1.fc8.i386.rpm - This package was updated to reflect the new version of md5deep.
reglookup-0.11.0-1.fc8.i386.rpm - This package was updated to reflect the new version of reglookup.
ssdeep-2.3-1.fc8.i386.rpm - This package was updated to reflect the new version of ssdeep.
February 8, 2010:
All of the Fedora 9 packages have been signed with the new CERT Forensics Team GPG key.
To use this key, you must install the cert-forensics-tools-release-9-4.noarch.rpm package first.
In addition, the following tools have been updated in the Fedora 10 version of the cert repository:
CERT-Forensics-Tools-1.0-4.fc9.noarch.rpm -
This update includes dc3dd as a dependency.
cert-forensics-tools-release-9-4.noarch.rpm - This update contains the new CERT Forensics Team Key.
dcfldd-1.3.4.1-2.fc9.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
foremost-1.5.6-1.fc9.i386.rpm - This package was updated to reflect the new version of foremost.
md5deep-3.5.1-1.fc9.i386.rpm - This package was updated to reflect the new version of md5deep.
reglookup-0.11.0-1.fc9.i386.rpm - This package was updated to reflect the new version of reglookup.
ssdeep-2.3-1.fc9.i386.rpm - This package was updated to reflect the new version of ssdeep.
February 8, 2010:
All of the Fedora 10 packages have been signed with the new CERT Forensics Team GPG key.
To use this key, you must install the cert-forensics-tools-release-10-3.noarch.rpm package first.
In addition, the following tools have been updated in the Fedora 10 version of the cert repository:
CERT-Forensics-Tools-1.0-2.fc10.noarch.rpm -
This update includes dc3dd as a dependency.
cert-forensics-tools-release-10-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
dcfldd-1.3.4.1-2.fc10.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
foremost-1.5.6-1.fc10.i386.rpm - This package was updated to reflect the new version of foremost.
md5deep-3.5.1-1.fc10.i386.rpm - This package was updated to reflect the new version of md5deep.
reglookup-0.11.0-1.fc10.i386.rpm - This package was updated to reflect the new version of reglookup.
ssdeep-2.3-1.fc10.i386.rpm - This package was updated to reflect the new version of ssdeep.
The following tool has been updated in the Fedora 11 version of the cert repository:
ssdeep-2.3-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.
The following tool has been updated in the Fedora 12 version of the cert repository:
ssdeep-2.3-1.fc12.i386.rpm - This package was updated to reflect the new version of ssdeep.
February 3, 2010:
All of the Fedora 11 packages have been signed with the new CERT Forensics Team GPG key.
To use this key, you must install the cert-forensics-tools-release-11-5.noarch.rpm package first.
In addition, the following tools have been updated in the Fedora 11 version of the cert repository:
CERT-Forensics-Tools-1.0-3.fc11.noarch.rpm -
This update includes dc3dd as a dependency.
cert-forensics-tools-release-11-5.noarch.rpm - This update contains the new CERT Forensics Team Key.
dcfldd-1.3.4.1-2.fc11.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
foremost-1.5.6-1.fc11.i386.rpm - This package was updated to reflect the new version of foremost.
md5deep-3.5.1-1.fc11.i386.rpm - This package was updated to reflect the new version of md5deep.
reglookup-0.11.0-1.fc11.i386.rpm - This package was updated to reflect the new version of reglookup.
ssdeep-2.2-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.
February 2, 2010:
The CERT Forensics Appliance based on VMware and Fedora 12 has been released.
Fedora 12 is now supported by the repository.
January 7, 2010:
A new key has been issued for the CERT Forensics Team. As of this time, only the Fedora 12 packages
have been signed with this new key.
August 24, 2009:
The following tools have been added to the Fedora 11 version of the cert repository:
hal-no-no-ignore-0.5.12-29.20090226git.fc11.i386.rpm - This package causes the Hardware
Abstraction Layer (hal) to not ignore various file system types (ntfs, vfat) that are normally
ignored by default. See the documentation on hal.
July 10, 2009:
Fedora 11 -
Fedora 11 is now supported by the repository.
June 2, 2009:
The following tools have been repaired and installed in the Fedora 8, 9, 10 repositories:
Volatility-1.1.2-2.fc10.i386.rpm - Missing files were added and the command language interpreter,
python in this case, was correctly referenced.
May 26, 2009:
The following tools have been added to the Fedora 8, 9, 10 version of the splunk repository:
splunk-3.4.9-57762.i386.rpm - Splunk, version 3.4.9, build 57762. See the release notes
here.
April 28, 2009:
The following tools have been added to the Fedora 10 version of the forensics-test repository:
libewf-devel-static-20080501-3.fc10.i386.rpm - A static version of the libewf libraries. These libraries are needed to build PyFlag.
pyflag-0.87.pre1-7.i386.rpm - The Python-based Forensic and Log Analysis (FLAG) GUI.
April 23, 2009:
The following tools have been added to the Fedora 10 version of the forensics-test repository:
python-urwid-0.9.8.4-1.noarch.rpm - Python library for making text console applications. This is needed to build PyFlag.
April 15, 2009:
The following tools have been added to the Fedora 10 version of the forensics-test repository:
sfdumper-1.6-1.fc10.noarch.rpm - A Selective File Dumper built on top of the Sleuthkit.
April 14, 2009:
The following tools have been added to the Fedora 10 version of the forensics-test repository:
guymager-0.3.1-2.fc10.i386.rpm - A GUI imager.
libguytools-1.0.4-1.fc10.i386.rpm - Libraries for guymager.
gtkhash-0.2.1-1.fc10.i386.rpm - A GUI front-end for hashing.
fundl-1.0-1.fc10.noarch.rpm - A File UNDeLetion script.
A tool test entry has been made in the Fedora 10 version of the /etc/yum.repos.d/cert-forensics-tools.repo repository definitions file.
This lets us provide tools for testing purposes. The test entry is disabled by default; to enable it, edit the cert-forensics-tools.repo file
and set enabled to the value 1 for that entry, as in enabled=1.