Linux Forensics Tools Repository: Package Summary for Packages on December 8, 2011:

  • Fedora 16 - The repository now supports Fedora 16 for both the i386 and x86_64 CPU architectures.
  • registrydecoder-20111108-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - registrydecoder is a tool for the acquisition, analysis, and reporting of Windows Registry contents.
  • regripper-20111118-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes version 20111118 of the plugins from here.
  • log2timeline-0.62-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
    • [OPENVPN input] New input module, designed to parse OpenVPN log files.
    • [L2T_PROCESS] Added a few more allowed characters to the keyword list.
    • [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD xferlog file.
    • [Log2Timeline library] Fixed a bug where, when the 'all' modules option is used (or -f is omitted), no modules get loaded.
      • Added a small change to try to parse the MFT directly even though the $MFT file might not be directly visible.
      • Fixed a small bug where the tool would crash if the local timezone was used.
      • Fixed a small bug where, if the tool was unable to find the default directory (. does not exist) or the file it was pointed to did not actually exist, it returned a double error instead of just dying on the first one.
      • The tool now accepts a separate output timezone, so it can output in a timezone different from the host's.
    • [log2timeline] Added the -Z ZONE parameter so the tool can output in a timezone different from the host timezone.
    • [CSV output] Changed the output timezone so it now prints using the -Z definition, supporting an output timezone different from the host one.
    • [EVTX input] Fixed a bug where the tool could go into an endless loop when given an EVTX file that is somehow broken and the function get_next_event dies. In that case it returned an empty timestamp object, which in turn made the tool query for the event again, possibly looping forever. Added a counter so the tool tries to get the next event 50 times, then dies.
    • [log2timeline-sift] Moved the mount command out of the script and into the configuration file.
      • Changed the mount command, since there were a few errors with the previous one.
      • Added an additional check to see if the $MFT file can be read directly (and if so, skip the icat call).

  • xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python version 3 support.
  • guymager-0.6.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.5.9):
    • Better HPA/DCO log output
    • Bug removed where acquisition hash codes were not shown in the info file if verification was aborted.
    • Additional State Info added
    • New configuration parameter DirectIO
    • Setting sectors per chunk correctly for libewf
    • Removed the full path of image file names from the .info file; only the image filename is shown.
    • New thread debugging messages
    • New EWF module reduces memory footprint significantly.
    • Possibility to compute MD5 hashes of the individual image files and write them to the .info file.
    • Better log output; it now always contains the acquired device.
    • Bug removed where libewf only did empty block compression (slight API change in libewf20100226)
    • Compression problem with libewf20100226 fixed
    • Wrong file size check in acquisition dialog corrected