Linux Forensics Tools Repository: Package Summary for Packages on January 12, 2012:

  • cert-forensics-tools-release-{13,14,15,16,5.7,6}-7.noarch.rpm - This package was added to provide the new CERT Forensics Repository Key. The fingerprint for this key is: AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4.

    You must do the following as root to install this new package before updating existing packages installed from our repository:
    yum update cert-forensics-tools-release
    You can then do the following as root to install any other updates for your system:
    yum update
    In addition, all of the packages in the Fedora 13, 14, 15, 16, and RHEL/CentOS repositories have been re-signed with this new key.
  • CERT-Forensics-Tools-1.0-36.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - This package was updated to include the following:

    • shellbags for Fedora 14, 15, and 16.
    • KHracker for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • md5deep for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • tcpflow for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • registrydecoder for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • xplico for Fedora 13, 14, 15, and 16.
    • snort for Fedora 13, 14, 15, and 16.
    • snort-sample-rules for Fedora 13, 14, 15, and 16.

  • shellbags-0.5.1-2.{fc14,fc15,fc16}.noarch.rpm - Shellbags. Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate previously mounted volumes, deleted files, and user actions. See "Using shellbag information to reconstruct user activities" for an overview of the investigative value of shellbags. Shellbags is installed in the Fedora 14, 15, and 16 versions of the repository.
  • python-registry-0.2.3-1.{fc14,fc15,fc16}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low-level set of parsing objects and methods which may be used for advanced study of the Windows Registry. python-registry is written in pure Python, making it portable across all major platforms. Python-registry is installed in the Fedora 14, 15, and 16 versions of the repository. This package is required by shellbags.
  • KHracker-0.3-1.noarch.rpm - KHracker is a Python-based decryption tool for encrypted known_hosts entries. It will attempt to decrypt values stored in SSH known_hosts files, if the encryption option has been enabled for that computer. By default, known_hosts entries are not encrypted, but there is an option to do so. From a forensics perspective, encrypted known_hosts entries can prevent an investigator from seeing other computers to which a user may have been connecting. Information about the connections made from a system can be integral to forming a complete understanding of the systems involved in a network intrusion or incident response case.
  • python-netaddr-0.7.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64} - python-netaddr is a pure Python network address representation and manipulation library. It provides a Pythonic way of working with:
    • IPv4 and IPv6 addresses and subnets
    • MAC addresses, OUI and IAB identifiers, IEEE EUI-64 identifiers
    • arbitrary (non-aligned) IP address ranges and IP address sets
    • various non-CIDR IP range formats such as nmap and glob-style formats

    Included are routines for:
    • generating, sorting and summarizing IP addresses and networks
    • performing easy conversions between address notations and formats
    • detecting, parsing and formatting network address representations
    • performing set-based operations on groups of IP addresses and subnets
    • working with arbitrary IP address ranges and formats
    • accessing OUI and IAB organisational information published by IEEE
    • accessing IP address and block information published by IANA

    This package is required by KHracker.
  • md5deep-4.0.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of new features:
    • Rewrote most of the program in C++.
    • Enabled multiprocessor support on all platforms.
    • Removed ten character limit on file size mode.