Linux Forensics Tools Repository: Package Summary for Packages on October 11, 2012:

  • regripper-25000000-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package now contains only version 2.5 of the regripper tool; the plugins are packaged separately. This package corrects a problem where the individual plugins could not be found. The error is corrected by using Perl's @INC array to locate the plugin directory.
  • regripper-plugins-20120926-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The changes to the plugin set are the following:
    • NEW PLUGIN by Harlan Carvey: appcertdlls.pl that gets entries from AppCertDlls key (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: appcompatcache.pl that parses files from the Shim Cache (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: appcompatcache_tln.pl that parses files from the Shim Cache, TLN output (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: applets_tln.pl that gets the content of Applets key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: appspecific.pl that gets contents of user's Intellipoint\AppSpecific subkeys (NTUSER)
    • NEW PLUGIN by Harlan Carvey: ares.pl that gets contents of user's Software\Ares key (NTUSER)
    • NEW PLUGIN by Corey Harrell: backuprestore.pl that gets FilesNotToSnapshot, KeysNotToRestore, FilesNotToBackup (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: compatassist.pl that checks user's Compatibility Assistant\Persisted values (NTUSER)
    • NEW PLUGIN by Harlan Carvey: direct.pl that searches Direct keys for MostRecentApplication subkeys (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: direct_tln.pl that searches Direct keys for MostRecentApplication subkeys, TLN output (SOFTWARE)
    • NEW PLUGIN by Corey Harrell: disablesr.pl that gets the on/off value for System Restore (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: installer.pl that determines products install information (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: javafx.pl that gets contents of user's JavaFX key (NTUSER)
    • NEW PLUGIN by Harlan Carvey: legacy_tln.pl that lists LEGACY entries in Enum\Root key, TLN output (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: networklist_tln.pl that collects network info from NetworkList key, TLN output (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: osversion.pl that checks for OSVersion value, malware related (NTUSER)
    • NEW PLUGIN by Corey Harrell: prefetch.pl that gets the Prefetch Parameters (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: runmru_tln.pl that gets contents of user's RunMRU key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: shellbags.pl that gets contents of user's Shell/BagMRU keys, Windows7 (USRCLASS)
    • NEW PLUGIN by Harlan Carvey: sysinternals.pl that checks for SysInternals apps keys (NTUSER)
    • NEW PLUGIN by Harlan Carvey: sysinternals_tln.pl that checks for SysInternals apps keys, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: tracing.pl that gets list of apps that can be traced (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: tracing_tln.pl that gets list of apps that can be traced, TLN output (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: trustrecords.pl that gets user's Office 2010 TrustRecords values (NTUSER)
    • NEW PLUGIN by Harlan Carvey: trustrecords_tln.pl that gets user's Office 2010 TrustRecords values, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: tsclient_tln.pl that gets contents of user's Terminal Server Client key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: typedpaths_tln.pl that gets contents of user's typedpaths key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: userassist_tln.pl that displays contents of UserAssist subkeys, TLN output (NTUSER)
    • NEW PLUGIN by Mari DeGrazia: winbackup.pl that gets Windows Backup settings (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: wpdbusenum.pl that gets WpdBusEnumRoot subkey info (SYSTEM)
    • UPDATE by Harlan Carvey to legacy.pl, added analysis tip (SYSTEM)
    • UPDATE by Harlan Carvey to muicache.pl, the plugin works both on NTUSER and/or USRCLASS hives (NTUSER,USRCLASS)
    • UPDATE by Harlan Carvey to networklist.pl, added NameType value reporting (SOFTWARE)
    • UPDATE by Harlan Carvey to soft_run.pl, added support to newer OS and 64 bits (SOFTWARE)
    • UPDATE by Harlan Carvey to tsclient.pl, added parsing of Servers key (NTUSER)
    • UPDATE by Harlan Carvey to userassist.pl (NTUSER)
    • REMOVED TEMPORARILY plugin typedurlstime.pl, postponed to a later package release
    • REMOVED TEMPORARILY plugin typedurlstime_tln.pl, postponed to a later package release
    • REMOVED plugin bagtest.pl, deprecated
    • REMOVED plugin bagtest2.pl, deprecated
    • REMOVED plugin crashcontrol.pl, too similar to crashdump.pl
    • REMOVED plugin filesnottosnapshot.pl, superseded by backuprestore.pl
    • REMOVED plugin pstools.pl, superseded by the more general sysinternals.pl plugin
    • REMOVED plugin userassist2.pl, deprecated since userassist.pl was updated
    • REMOVED plugin vista_comdlg32.pl, deprecated since comdlg32.pl was updated
    • REMOVED plugin win7_ua.pl, Windows7-RC and its Vigenère encryption are obsolete
    • NOTE added profile usrclass-all for USRCLASS.DAT hive
    • NOTE profiles all-all, ntuser-all, sam-all, security-all, software-all, system-all, usrclass-all were updated
    • NOTE the '-all' profiles DO NOT contain the TLN versions of the plugins: you must create your own profiles or run the TLN plugins directly
    • NOTE source code repository was switched to GIT and it was aligned to the current release
    • NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins

  • libvshadow{,-devel,-tools}-20120922-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • fmem-kernel-objects-1.6-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6, named by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
  • CERT-Forensics-Tools-1.0-46.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add fmem-kernel-objects for all supported releases.

  • log2timeline-0.65-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
    • [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
    • [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
    • [EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
    • [Altiris input] Fixed a small bug when the date is malformed.
    • [Log2Timeline library] Fixed a few bugs:
      • A small error in the format sort caused oxml to sometimes be skipped in processing.
    • [GENERIC_LINUX input] Added a small extra eval statement.
    • [LS_QUARANTINE] Fixed a minor bug in the get_time routine: if a database error occurs it is caught by an eval statement.
    • [TEST] Added a few more tests.
    • [MOST INPUT MODULES] Changed the line "my $line = <$fh> or return undef;" in most input modules.
    • [WIN library] Added a few more transformations of Windows-stored time zone names into the "Olson" names understood by DateTime.
    • [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
    • [faersluskra2timalina] Added a new frontend to the tool, an exact copy of log2timeline except that all parameters are in Icelandic... kinda
    • [timescanner tool] Removed this frontend from the Makefile since it serves no purpose (it is no longer part of the automatic installation).

  • python-apsw-3.7.14.1_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.