Linux Forensics Tools Repository: Package Summary for Packages on March 30, 2012:

  • tcpflow-1.2.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows) and stores it in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file, so a typical TCP connection produces two files, one for each direction. Tcpflow can also process stored tcpdump packet captures. The changes are bug fixes and performance improvements.
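The two-files-per-connection layout is easiest to work with once the two halves are matched up. As an added example (not code from tcpflow or from this repository), the POSIX shell functions below pair each client-to-server file with its reverse-direction file, list connections that never received a reply, and print one connection as a request/response conversation. The file-name convention (zero-padded octets and five-digit ports joined by "-") and the higher-port-is-client heuristic are assumptions of this example; check them against the names your tcpflow build actually writes.

```shell
#!/bin/sh
# Added example, not code from the tcpflow project: pair up the two
# per-direction files tcpflow writes for each TCP connection so that a
# request and its response can be reviewed together.
#
# Capture step, run once beforehand (real tcpflow 1.2 options):
#   tcpflow -r capture.pcap -o flows
#
# Assumed file naming inside the output directory (check it against the
# files your tcpflow version actually writes):
#   SRCIP.SRCPORT-DSTIP.DSTPORT with zero-padded octets and 5-digit ports,
#   e.g. 010.000.000.005.51234-093.184.216.034.00080

# Print one line per connection: "<client->server file> <server->client file>".
# A missing direction is shown as "-". The endpoint with the higher port
# number is treated as the client (ephemeral-port heuristic; ties are
# broken by name order so each connection is listed exactly once).
tcpflow_pairs() {
    dir=$1
    for f in "$dir"/*-*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        left=${name%%-*}            # ip.port that sent the data in this file
        right=${name#*-}            # ip.port that received it
        lport=${left##*.}
        rport=${right##*.}
        rev="$right-$left"          # file name of the opposite direction
        if [ "$lport" -gt "$rport" ] ||
           { [ "$lport" -eq "$rport" ] && [ "$(expr "$name" \< "$rev")" = 1 ]; }; then
            # this file is the client->server half
            if [ -f "$dir/$rev" ]; then
                printf '%s %s\n' "$name" "$rev"
            else
                printf '%s %s\n' "$name" -
            fi
        elif [ ! -f "$dir/$rev" ]; then
            # server->client data whose client half was never seen
            printf '%s %s\n' - "$name"
        fi
    done
}

# Connections where the client sent data but the server never replied:
# worth a look during incident review (scans, blocked or half-open sessions).
tcpflow_unanswered() {
    tcpflow_pairs "$1" | awk '$2 == "-" { print $1 }'
}

# Show one connection as a conversation: request bytes, then response bytes.
tcpflow_conversation() {
    dir=$1; c2s=$2; s2c=$3
    printf '=== client -> server (%s bytes) ===\n' "$(wc -c < "$dir/$c2s")"
    cat "$dir/$c2s"
    if [ "$s2c" != - ]; then
        printf '\n=== server -> client (%s bytes) ===\n' "$(wc -c < "$dir/$s2c")"
        cat "$dir/$s2c"
    fi
}
```

Usage: `tcpflow_pairs flows` prints the pairing table; `tcpflow_pairs flows | while read -r c s; do tcpflow_conversation flows "$c" "$s"; done | less` walks every conversation in the capture.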
  • safecopy-1.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Safecopy is a data recovery tool which tries to extract as much data as possible from a problematic source (e.g. one with damaged sectors), such as floppy drives, hard disk partitions, CDs or tape devices, where other tools like dd would fail due to I/O errors. Here are the changes:
    • New --forceopen option to wait for removable drives to come back
    • New -c (continue) option to resume when copying directly onto devices
    • Return codes: 0 for success, 1 for incomplete copy, 2 for abort/error
    • Adapted test suite to test for these return codes
    • Code cleanup
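The new return codes only help if the calling script acts on them. As an added example (not part of safecopy), the shell function below images a device, resumes with -c when safecopy reports an incomplete copy, stops at once on abort/error, and hashes a completed image so later tampering is detectable. That -c takes no argument, the SAFECOPY and SAFECOPY_OPTS variables and the retry limit are assumptions of this example, not safecopy documentation.

```shell
#!/bin/sh
# Added example, not part of safecopy: image a failing device and act on the
# return codes listed above (0 success, 1 incomplete copy, 2 abort/error).
# An incomplete copy is resumed with the new -c (continue) option, up to a
# retry limit; an abort/error stops immediately and keeps the partial image.
#
# Assumptions (not taken from the page): -c takes no argument and resumes
# into the existing target; the binary path comes from $SAFECOPY (default
# "safecopy") and extra options from $SAFECOPY_OPTS (e.g. --forceopen for
# removable media that drop off the bus), so a stand-in can be substituted
# when exercising the logic.
# Typical call:  image_with_resume /dev/sdb /cases/42/sdb.img 3

image_with_resume() {
    src=$1; dst=$2; max=${3:-3}
    attempt=0
    flags=""                       # becomes "-c" from the second attempt on
    while :; do
        attempt=$((attempt + 1))
        rc=0
        # $SAFECOPY_OPTS and $flags are intentionally unquoted so that empty
        # values add no argument
        "${SAFECOPY:-safecopy}" $SAFECOPY_OPTS $flags "$src" "$dst" || rc=$?
        case $rc in
            0)
                echo "image complete after $attempt attempt(s): $dst"
                # record the hash immediately so the image can be verified later
                if command -v sha256sum >/dev/null 2>&1; then
                    sha256sum "$dst" > "$dst.sha256"
                fi
                return 0
                ;;
            1)
                if [ "$attempt" -ge "$max" ]; then
                    echo "still incomplete after $max attempts; keeping partial $dst" >&2
                    return 1
                fi
                echo "incomplete copy, resuming with -c (attempt $((attempt + 1)))" >&2
                flags="-c"
                ;;
            2)
                echo "safecopy aborted or hit an error on attempt $attempt; partial $dst kept" >&2
                return 2
                ;;
            *)
                echo "unexpected return code $rc" >&2
                return "$rc"
                ;;
        esac
    done
}
```

The partial image is never deleted on failure: for a forensic acquisition the bytes already recovered are evidence, and the exit status tells the caller whether the image is complete (0), partial (1) or not to be trusted at all (2).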

  • testdisk-6.13-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. Here are the changes:
    • Fix UAC manifests for Windows, so users don't need to use right-click "Run As Administrator"
    • TestDisk
      • Fix image creation, image.dd file wasn't created (Regression introduced in 6.12)
      • Detect Vmware VMFS partition
      • Locate lost GFS2 partition but not yet the size
      • Log HDD serial number and firmware revision
      • List NTFS Alternate Data Streams (ADS)

    • PhotoRec
      • Session recovery restarts at the previous location
      • Better MPEG recovery, there should be less concatenated videos.
      • Better JPG recovery, there should be less cases where thumbnails were recovered instead of the picture itself.
      • Handle large avi files using "AVIX" or mov files using 64-bit chunk size.
      • Rename recovered pdf using the title (not perfect)
      • Major cleanup of PhotoRec core code

  • libp0f{,-devel}-2.0.8-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libp0f is a library implementation of p0f version 2. It splits the core p0f functionality from the p0f application in order to support third-party linkage. libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints. The library is required for use with Yaf. To enable p0f in Yaf, configure Yaf with --enable-p0fprinter (see the next item), and run Yaf with --p0fprint.
  • yaf{,-devel}-2.2.1-3.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Yaf (Yet Another Flowmeter) is a suite of tools for flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture on an interface using pcap(3), from an Endace DAG capture device, or from a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 (hence no el5 package above) because the PCRE version shipped there is too old. This release was built with the following configure options enabled:
    • --enable-applabel - enable the packet payload application label engine
    • --enable-p0fprinter - enable the p0f based OS fingerprinting capability
    • --enable-plugins - enable YAF to load plugin extensions
    • --enable-ltdl-install=no - do not install files that would otherwise conflict with libtool-ltdl

  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This build enables adns, the asynchronous-capable DNS client library. The packages added to the repository are:

    • silk-analysis-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-analysis package contains the SiLK analysis tools (rwfilter, rwcut, rwstats and the other rw* commands) used to query and summarize the flow records stored by rwflowpack.
    • silk-common-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to the machine(s) running rwflowappend.
    • silk-rwsender-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to the machine(s) running rwflowappend.
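Because rwflowpack writes one file per hour, category and sensor, a missing hourly file is the quickest sign that some link in the flowcap, rwsender/rwreceiver, rwflowpack, rwflowappend chain described above has stalled, and an analyst should know that before trusting an rwfilter result for that day. As an added example (not part of the SiLK toolset), the shell functions below compute the expected file path for one sensor-hour and list the hours of a day that have no file. The directory layout (<root>/<type>/<YYYY>/<MM>/<DD>/<type>-<sensor>_<YYYYMMDD>.<HH>) and the "in"/"out" type names are the SiLK defaults as assumed here, not something this page states; adjust them if your silk.conf defines a different path format or types.

```shell
#!/bin/sh
# Added example, not part of the SiLK toolset: check a packed SiLK repository
# for missing hourly files before trusting an analysis run on that day.
# Assumes rwflowpack's default on-disk layout (an assumption, not stated on
# this page; the layout is configurable in silk.conf):
#   <root>/<type>/<YYYY>/<MM>/<DD>/<type>-<sensor>_<YYYYMMDD>.<HH>
# e.g. /data/in/2012/03/30/in-S0_20120330.13  (type "in", sensor "S0").

# Path of the file holding flows of one type, sensor, day and hour.
silk_hourly_path() {
    root=$1; type=$2; sensor=$3; day=$4; hour=$5   # day as YYYYMMDD, hour as HH
    y=$(printf '%s' "$day" | cut -c1-4)
    m=$(printf '%s' "$day" | cut -c5-6)
    d=$(printf '%s' "$day" | cut -c7-8)
    printf '%s/%s/%s/%s/%s/%s-%s_%s.%s\n' \
        "$root" "$type" "$y" "$m" "$d" "$type" "$sensor" "$day" "$hour"
}

# Print the hours (00..23) of a day for which no file exists, one per line.
# An empty result means every hour was packed; gaps point at a collector,
# rwsender/rwreceiver or rwflowappend outage (or a sensor an attacker silenced).
silk_missing_hours() {
    root=$1; type=$2; sensor=$3; day=$4
    h=0
    while [ "$h" -le 23 ]; do
        hh=$(printf '%02d' "$h")
        if [ ! -f "$(silk_hourly_path "$root" "$type" "$sensor" "$day" "$hh")" ]; then
            echo "$hh"
        fi
        h=$((h + 1))
    done
}

# Report gaps for the incoming and outgoing categories ("in"/"out" are the
# default type names assumed here) of one sensor-day; returns 1 if any gap.
silk_day_gap_report() {
    root=$1; sensor=$2; day=$3; gaps=0
    for type in in out; do
        missing=$(silk_missing_hours "$root" "$type" "$sensor" "$day")
        if [ -n "$missing" ]; then
            gaps=1
            printf '%s %s %s missing hours: %s\n' \
                "$day" "$sensor" "$type" "$(echo $missing | tr ' ' ',')"
        fi
    done
    return "$gaps"
}
```

Run it from cron against yesterday's date, e.g. `silk_day_gap_report /data S0 "$(date -u -d yesterday +%Y%m%d)" || mail -s "SiLK gap" soc@example.org` (the mail step is illustrative), so that a broken transfer chain is noticed the next morning rather than during an investigation.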