Linux Forensics Tools Repository: Package Summary for Packages on August 23, 2011:

  • ataraw-0.2.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - ATAraw allows user-level Linux programs to send arbitrary commands to ATA and SATA devices. The system currently supports programmed IO and DMA modes, but does not support asynchronous or multiple-queued commands.
  • bloom-1.4.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Bloom is an NPS bloom filter package that includes the frag_find utility.
  • bulk_extractor-1.0.2-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, since features that occur more often tend to be more important.
  • bulk_extractor-stoplist-1.0-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor-stoplist is a context stop list for bulk_extractor.
  • fiwalk-0.6.15-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.
  • jafat-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems.
  • log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. This version removes perl-Parse-Evtx since that is now a separate package.
  • perl-Parse-Evtx-1.0.8-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection.
  • tln_tools-20110729-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - tln_tools are time line tools.
  • Volatility-2.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version adds the following plugins from the Malware Analyst's Cookbook:
    • apihooks - API hooks
    • callbacks - system-wide notification routines
    • devicetree - device tree
    • driverirp - IRP hook detection
    • gdt - Global Descriptor Table
    • idt - Interrupt Descriptor Table
    • impscan - a module for imports (API calls)
    • ldrmodules - unlinked DLLs
    • malfind - hidden and injected code
    • psxview - hidden processes with various process listings
    • ssdt_ex - Hook Explorer for IDA Pro (and SSDT by thread)
    • svcscan - for Windows services
    • threads - _ETHREAD and _KTHREADs

    These plugins required the following additional packages:
    • yara-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, checking whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
    • yara-python-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts.
    • distorm3-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.

  • xmount-0.4.5-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files, which is redirected to a cache file. This makes it possible to boot acquired hard disk images using QEMU, KVM, VirtualBox, VMware or similar tools.
  • CERT-Forensics-Tools-1.0-31.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add these packages:
    • ataraw
    • bloom
    • bulk_extractor (not for Fedora 12 nor CentOS/RHEL 5)
    • bulk_extractor-stoplist (not for Fedora 12 nor CentOS/RHEL 5)
    • fiwalk (not for Fedora 12 nor CentOS/RHEL 5)
    • jafat
    • perl-Parse-Evtx
    • tln_tools
    • xmount