Linux Forensics Tools Repository: Package Summary for Packages on June 27, 2012:

  • BEViewer-1.3.006-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - BEViewer is a User Interface for browsing features that have been extracted via the bulk_extractor feature extraction tool. BEViewer supports browsing multiple images and bookmarking and exporting features. BEViewer also provides a User Interface for launching bulk_extractor scans.
  • ddrescue-1.16-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See /usr/share/doc/ddrescue-1.16/ChangeLog after the package has been installed.
  • dd_rescue-1.28-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
  • libfixbuf{,-devel}-1.1.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains general bug fixes as well as NetFlow V9 bug fixes.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The changes are to use libfixbuf-1.1.2-1. The packages added to the repository are:

    • silk-analysis-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-analysis package contains the SiLK analysis tools that process the SiLK data files.
    • silk-common-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.

  • yaf{,-devel}-2.2.2-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools for flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture on an interface using pcap(3), from an Endace DAG capture device, or from a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of YAF is not available for CentOS/RHEL 5 due to an outdated version of PCRE. The changes are to use libfixbuf-1.1.2-1.
  • log2timeline-0.64-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [TESTSUITE] Added the first version of a test suite to the tool.
      • All tests are located inside the t/ directory.
      • Tests should be constructed for ALL possible uses of the tool, not limited to:
        • Raw parsing of logs using input modules.
        • Correct output for output modules.
        • Correct output from each function inside modules/libraries.
      • The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
    • [LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
    • [Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
      • Changed the exclusion list so it can be easily changed.
      • Added a call to ->end on each input module if verification failed.
      • Minor bug fixes in the main engine.
      • Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
      • Added support to detect shortcuts in Windows systems.
      • Added the "path_orig" to all input modules (making it possible to "fix" paths).
    • [CHROME input] Slight changes to the output based on the value of the typed_count variable; also updated the path to the code that describes the transition types.
    • [SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool not to include SKYPE data when recursive mode was set on.
      • Also fixed UTF-8 support, should properly display UTF-8 by now.
    • [PREFETCH input] Small changes to the verification module.
    • [WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
    • [SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them being compiled for each insert, using transactions instead of writing constantly to the DB, and other minor tweaks to make the DB output faster than before (since it was incredibly slow before).
    • [CHROME input] Small bug fix for UTF-8 support.
    • [FIREFOX3 input] Small bug fix for UTF-8 support.
    • [PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive is turned on.
    • [RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive is turned on.
    • [LIST files] Added a few items to the Windows list files, and created a Mac OS X one.
    • [MFT input] Fixed a bug with Unicode support.
    • [RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
    • [SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT.
    • [EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
      • Fixes an issue when Parse::Evtx was installed on SIFT, which caused the tool to first load the library from Schuster instead of the slightly changed one distributed with the tool, so the module did not work.

  • md5deep-4.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of new features:
    • Fixed padding in Tiger hashes for large files

  • {nmap,ncat,nping,nmap-update,zenmap}-6.01-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. Nping is a packet generation and response analysis tool. Ncat is a flexible data transfer, redirection, and debugging tool. Nmap-update is a tool that gets the latest versions of architecture-independent files, such as scripts and databases, for the installed version of Nmap. Zenmap is an advanced GUI and results viewer; it replaces nmap-frontend. See the Changelog for the changes made in this release.
  • regripper-25000000-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package now contains only version 2.5 of the regripper tool. The plugins are now packaged separately.
  • regripper-plugins-20120612-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This version includes version 20120612 of the plugins. The plugins added are the following:
    • NEW PLUGIN by Jason Hale: typedurlstime.pl, which parses and correlates the TypedURLs and TypedURLsTime subkeys.
    • NEW PLUGIN by Jason Hale: typedurlstime_tln.pl, which parses and correlates the TypedURLs and TypedURLsTime subkeys (output in TLN format).