Linux Forensics Tools Repository: Package Summary for Packages on August 21, 2012:

  • libewf-{,devel,tools}-20120813-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.

  • registrydecoder-20120816-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. See here for a list of changes.
  • regripper-plugins-20120812-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This version includes version 20120612 of the plugins from here. The plugins added are the following:
    • NEW PLUGIN by Hal Pomeranz: ssh_host_keys.pl that extracts stored Putty and WinSCP host keys from NTUSER hive
    • NEW PLUGIN by Hal Pomeranz: winscp_sessions.pl that extracts WinSCP saved session data from NTUSER hive (with password decoding)
    • NOTE profiles all-all, ntuser-all, sam-all, security-all, software-all and system-all were updated
    • NOTE source code repository was aligned to current release
    • NEW PLUGIN by John Lukach: pstools.pl that displays the content for PsTools EULA Agreements
    • NEW PLUGIN by K. Johnson (with Harlan Carvey updates): filehistory.pl that parses NTUSER FileHistory Registry keys from Windows 8
    • NEW PLUGIN by Elizabeth Schweinsberg: user_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from NTUSER hive
    • NEW PLUGIN by Elizabeth Schweinsberg: soft_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from SOFTWARE hive
    • NEW PLUGIN by Elizabeth Schweinsberg: svc_plus.pl that gets services, displayed in short format, from SYSTEM hive

  • tcpflow-1.3.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • src/tcpdemux.cpp (tcpdemux::process_tcp): fixed bug in which myflow.tlast wasn't being set.
    • src/main.cpp (main): fixed compile bugs that resulted from adoption of standard DFXML header.
    • configure.ac (HAVE_PTHREAD): fixed typo in configure.ac
    • src/tcpdemux.h: removed struct ip as it was redundant to struct iphdr
    • configure.ac: tcpflow now compiles under mingw for Windows
    • src/tcpdemux.cpp: moved tcpdemux class methods into this new file.
    • src/tcpip.cpp (tcpip::close_file): added support for FUTIMENS, but I don't yet have a system on which to test it. Hope that it's good.