Linux Forensics Tools Repository: Package Summary for Packages on April 23, 2012:

  • libewf-{,devel,tools}-20120416-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides the a set of tools (libewf-tools) that replace ewftools.

  • log2timeline-0.63-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
    • Also several modules have had their documentation updated and code reformed to reflect recent release of a style guide for the project. perltidy is not enough to enforce that, but at least a start. Rewriting the documentation (pod) is also a vital portion of making the modules easier to use/understand/develop.
    • All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably more useful than it was.
    • [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores
      • This makes it possible to output using this method and then sorting is simpler since it does not require the module to read in the csv and change it into something like a hash, since it is already stored as such.
      • This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV instead of using CSV as default and trying to filter that output.
      • This also makes it easier to filter, based on certain attributes, instead of at the line level. the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
    • [WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
    • [FIREFOX3 input] Added a check to see if the SQlite database contains a -wal or -shm (in addition to -journal) And if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location) This was pointed to me by Svante
    • [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail option/parameter is used.
    • [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0, it should only be FILE. Fixed that, making the mft module capable of parsing those $MFT files that do not the standard offset to the fixup array.
    • [SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases due to the keys being prefilled with the CMI-CREATE....
    • [NTUSER input] Changed a value check in UserAssist key parsing causing UserAssist keys not properly being parsed.
    • [WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was)
    • [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
    • [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
    • [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
    • [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
    • [LOG2TIMELINE] Small bug in the log2timeline library, causing input modules list that has more than one - sign in it not properly verified.
    • [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not yet complete, style guide.
    • [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
      • Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error message if debug is turned on.

  • tcpflow-1.2.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • configure.ac: incremented version to 1.2.6 (1.2.5 had a bad tag)
    • src/tcpip.cpp (tcpip::print_packet): fixed error in fwrite().
    • src/main.cpp (print_usage): fixed misspelling of name
    • src/tcpip.cpp (tcpdemux::tcpdemux): default outdir is now "."