Linux Forensics Tools Repository: Package Summary for Packages on July 3, 2012:

  • ptk-1.0.5-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, also assumed to be configured and operational. This package has been rebuilt to correct directory permissions for the installed files.
  • libvshadow{,-devel,-tools}-20120511-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • guymager-0.6.9-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.7):
    • Releasing all changes of 0.6.8 (switch to new version in order to have test users update their packages correctly)
    • AEWF: Considering also 1st chunk base offset when checking if chunk can be added to current sectors section.
    • New cfg parameter CheckRootRights
    • If source disk can't be opened, give it another try without option NOATIME
    • Corrected text output for image hash calculation in info file; Translations updated.
    • Error in UtilIsZero removed (leading to wrong image if FifoBlockSizeEwf is set to values above 65536)
    • Package no longer recommends gksu, smartmontools and hdparm but depends on them
    • No longer exits on write errors on info file or in AEWF module (should already have been done in 0.6.4, but the takeover from trunk wasn't done)
    • New cfg parameter EwfCompressionThreshold
    • Also include symlinks when searching for libparted
    • Changes from Mika (unistd.h)

  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.

    The changes are the following:
    • rwflowpack change
      • Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
      • Modify NetFlow v9 support to require libfixbuf-1.1.0.
    • flowcap change
      • Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
      • Modify NetFlow v9 support to require libfixbuf-1.1.0.
    • Building
      • Add new configure switch --enable-asa-zero-packet-hack to work around a bug in the NetFlow9 template used by Cisco ASA routers wherein the template is missing a packetTotalCount field, causing rwflowpack to treat these flows as having 0 packets. When the switch is specified, SiLK sets the packet count to 1 for flow records having a source IP, a byte count, but no packet count. In addition, if SiLK is compiled without IPv6 support, the hack causes rwflowpack to a use fully-expanded file format to store IPv4 flow records collected from netflow-v9 probes. This verison of SiLK has been built with --enable-asa-zero-packet-hack.

    The packages added to the repository are:

    • silk-analysis-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm- The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to The silk analysis tools.
    • silk-flowcap-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than that where the files are created by the rwflowpack daemon (see The silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where The silk analysis tools (from The silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to The silk Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.

  • registrydecoder-20120629-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_84}.rpm - Registrydecoder is tool for the acquisition, analysis, and reporting of registry contents. This is version 1.3 of this tool. See here for a list of changes.
  • CERT-Forensics-Tools-1.0-40.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add libvshadow-tools