Linux Forensics Tools Repository: Package Summary for Packages on June 4, 2012:

  • bulk_extractor-1.2.2-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor has been repackaged, where all of the supporting tools are now installed as distributed by the author. These tools are installed in /usr/bin and are the following:

    • bulk_diff.py - compares two bulk_extractor runs and reports what's changed.
    • identify_filenames.py - reads feature files and a DFXML file for a disk image and reports the file from which each feature came.
    • post_process_exif.py - reads the exif.txt feature file and produces a CSV file from all of the XML-encoded EXIF information.
    • This directory also contains modules for working with digital forensics XML:

      • bulk_extractor.py - a DFXML python module for reading the report.xml file created by bulk_extractor and reading the feature files. Also allows reading a ZIP file produced from a bulk_extractor output directory as if it were uncompressed.
      • dfxml.py - a DFXML python module for reading DFXML files
      • fiwalk.py - a DFXML python module for producing DFXML streams using fiwalk
      • ttable.py - produces nicely formatted Python tables
    • This directory also contains an out-of-date multi-drive correlator; this will be operational by August 1, 2012:

      • cda2.py - multi drive correlator
      • cda_test.py - test program for multi-drive correlator
      • cda_tool.py - another multi-drive correlator
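The feature files that bulk_diff.py and identify_filenames.py consume are plain text: header lines begin with "#" and each record is tab-separated as offset, feature, context, where the offset may be a forensic path such as "2097152-GZIP-4096" and non-printable bytes are written as \xNN escapes. The following Python is an added illustration of that format and of the kind of comparison bulk_diff.py performs; it is not the script shipped in the package, and the two feature files it reads are constructed inline rather than taken from a real run.

```python
"""
Compare two bulk_extractor feature files and report which features appeared
or disappeared between runs.  Added illustration in the spirit of bulk_diff.py;
not the script distributed with bulk_extractor.
"""
import re
from collections import Counter

# Constructed sample feature files (not real bulk_extractor output).  In the
# file the fields are separated by real tabs and escapes appear literally
# as \x0a, which the doubled backslashes below reproduce.
RUN_A_EMAIL = """\
# BANNER FILE NOT PROVIDED (-b option)
# BULK_EXTRACTOR-Version: 1.2.2
# Feature-Recorder: email
# Filename: image-before.raw
# Feature-File-Version: 1.1
1048576\talice@example.com\tFrom: alice@example.com\\x0aTo: bob
2097152\tbob@example.com\tTo: bob@example.com\\x0aSubject
2097152-GZIP-4096\tcarol@example.org\t...carol@example.org...
"""

RUN_B_EMAIL = """\
# BULK_EXTRACTOR-Version: 1.2.2
# Feature-Recorder: email
# Filename: image-after.raw
# Feature-File-Version: 1.1
1048576\talice@example.com\tFrom: alice@example.com\\x0aTo: bob
3145728\tmallory@example.net\tReply-To: mallory@example.net
3145728\tmallory@example.net\tmallory@example.net\\x00\\x00
"""

_HEX_ESCAPE = re.compile(rb"\\x([0-9A-Fa-f]{2})")


def unescape_feature(text):
    """Turn bulk_extractor's \\xNN escapes back into the raw bytes they stand for."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                           text.encode("utf-8"))


def parse_feature_file(text):
    """Yield (offset, feature, context) tuples, skipping '#' header lines.

    Offsets are kept as strings because a forensic path like
    '2097152-GZIP-4096' is not a plain integer.
    """
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed record; a real tool would log this
        offset, feature = parts[0], parts[1]
        context = parts[2] if len(parts) > 2 else ""
        yield offset, feature, context


def feature_counts(text):
    """Count how many times each distinct feature string occurs in a run."""
    return Counter(feature for _, feature, _ in parse_feature_file(text))


def diff_runs(before, after):
    """Return (added, removed, changed) feature dictionaries between two runs."""
    a, b = feature_counts(before), feature_counts(after)
    added = {f: n for f, n in b.items() if f not in a}
    removed = {f: n for f, n in a.items() if f not in b}
    changed = {f: (a[f], b[f]) for f in a.keys() & b.keys() if a[f] != b[f]}
    return added, removed, changed


def report(before, after):
    """Human-readable summary of diff_runs(), one line per feature."""
    added, removed, changed = diff_runs(before, after)
    lines = []
    for f, n in sorted(added.items()):
        lines.append("+ %s (x%d)" % (f, n))
    for f, n in sorted(removed.items()):
        lines.append("- %s (x%d)" % (f, n))
    for f, (na, nb) in sorted(changed.items()):
        lines.append("~ %s (%d -> %d)" % (f, na, nb))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RUN_A_EMAIL, RUN_B_EMAIL))
```

On the constructed input this reports mallory@example.net as new (seen twice) and bob@example.com and carol@example.org as gone; counting by feature string rather than by offset is what makes the comparison meaningful across two images whose layouts differ.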

  • libewf-{,devel,tools}-20120603-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.

  • ssdeep-2.8-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.