regripper-25000000-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool.
This package now contains only version 2.5 of the regripper tool. The plugins are packaged separately.
This package corrects a problem where the individual plugins could not be found. The error is corrected by using Perl's @INC array to locate the plugin directory.
regripper-plugins-20120926-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from
the regripper application. The plugins added are the following:
NEW PLUGIN by Harlan Carvey: appcertdlls.pl that gets entries from AppCertDlls key (SYSTEM)
NEW PLUGIN by Harlan Carvey: appcompatcache.pl that parses files from the Shim Cache (SYSTEM)
NEW PLUGIN by Harlan Carvey: appcompatcache_tln.pl that parses files from the Shim Cache, TLN output (SYSTEM)
NEW PLUGIN by Harlan Carvey: applets_tln.pl that gets the content of Applets key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: appspecific.pl that gets contents of user's Intellipoint\AppSpecific subkeys (NTUSER)
NEW PLUGIN by Harlan Carvey: ares.pl that gets contents of user's Software\Ares key (NTUSER)
NEW PLUGIN by Corey Harrell: backuprestore.pl that gets FilesNotToSnapshot, KeysNotToRestore, FilesNotToBackup (SYSTEM)
NEW PLUGIN by Harlan Carvey: compatassist.pl that checks user's Compatibility Assistant\Persisted values (NTUSER)
NEW PLUGIN by Harlan Carvey: direct.pl that searches Direct keys for MostRecentApplication subkeys (SOFTWARE)
NEW PLUGIN by Harlan Carvey: direct_tln.pl that searches Direct keys for MostRecentApplication subkeys, TLN output (SOFTWARE)
NEW PLUGIN by Corey Harrell: disablesr.pl that gets the on/off value for System Restore (SOFTWARE)
NEW PLUGIN by Harlan Carvey: installer.pl that determines products install information (SOFTWARE)
NEW PLUGIN by Harlan Carvey: javafx.pl that gets contents of user's JavaFX key (NTUSER)
NEW PLUGIN by Harlan Carvey: legacy_tln.pl that lists LEGACY entries in Enum\Root key, TLN output (SYSTEM)
NEW PLUGIN by Harlan Carvey: networklist_tln.pl that collects network info from NetworkList key, TLN output (SOFTWARE)
NEW PLUGIN by Harlan Carvey: osversion.pl that checks for OSVersion value, malware related (NTUSER)
NEW PLUGIN by Corey Harrell: prefetch.pl that gets the Prefetch Parameters (SYSTEM)
NEW PLUGIN by Harlan Carvey: runmru_tln.pl that gets contents of user's RunMRU key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: shellbags.pl that gets contents of user's Shell/BagMRU keys, Windows7 (USRCLASS)
NEW PLUGIN by Harlan Carvey: sysinternals.pl that checks for SysInternals apps keys (NTUSER)
NEW PLUGIN by Harlan Carvey: sysinternals_tln.pl that checks for SysInternals apps keys, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: tracing.pl that gets list of apps that can be traced (SOFTWARE)
NEW PLUGIN by Harlan Carvey: tracing_tln.pl that gets list of apps that can be traced, TLN output (SOFTWARE)
NEW PLUGIN by Harlan Carvey: trustrecords.pl that gets user's Office 2010 TrustRecords values (NTUSER)
NEW PLUGIN by Harlan Carvey: trustrecords_tln.pl that gets user's Office 2010 TrustRecords values, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: tsclient_tln.pl that gets contents of user's Terminal Server Client key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: typedpaths_tln.pl that gets contents of user's typedpaths key, TLN output (NTUSER)
NEW PLUGIN by Harlan Carvey: userassist_tln.pl that displays contents of UserAssist subkeys, TLN output (NTUSER)
NEW PLUGIN by Mari DeGrazia: winbackup.pl that gets Windows Backup settings (SOFTWARE)
NEW PLUGIN by Harlan Carvey: wpdbusenum.pl that gets WpdBusEnumRoot subkey info (SYSTEM)
UPDATE by Harlan Carvey to legacy.pl, added analysis tip (SYSTEM)
UPDATE by Harlan Carvey to muicache.pl, the plugin works both on NTUSER and/or USRCLASS hives (NTUSER,USRCLASS)
UPDATE by Harlan Carvey to networklist.pl, added NameType value reporting (SOFTWARE)
UPDATE by Harlan Carvey to soft_run.pl, added support to newer OS and 64 bits (SOFTWARE)
UPDATE by Harlan Carvey to tsclient.pl, added parsing of Servers key (NTUSER)
UPDATE by Harlan Carvey to userassist.pl (NTUSER)
REMOVED TEMPORARILY plugin typedurlstime.pl, postponed to a later package
REMOVED TEMPORARILY plugin typedurlstime_tln.pl, postponed to a later package
REMOVED plugin bagtest.pl, deprecated
REMOVED plugin bagtest2.pl, deprecated
REMOVED plugin crashcontrol.pl, too similar to crashdump.pl
REMOVED plugin filesnottosnapshot.pl, superseded by backuprestore.pl
REMOVED plugin pstools.pl, superseded by the more general sysinternals.pl plugin
REMOVED plugin userassist2.pl, deprecated since userassist.pl was updated
REMOVED plugin vista_comdlg32.pl, deprecated since comdlg32.pl was updated
REMOVED plugin win7_ua.pl, Windows7-RC and its Vigenère encryption are obsolete
NOTE added profile usrclass-all for USRCLASS.DAT hive
NOTE the '-all' profiles DO NOT contain the TLN versions of the plugins: you must create your own profiles or run the TLN plugins directly
NOTE the source code repository was switched to Git and aligned with the current release
NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
libvshadow{,-devel,-tools}-20120922-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
fmem-kernel-objects-1.6-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem,
similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package
are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed under /usr/share/fmem-kernel-objects-1.6, organised by the
triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a
script called install-fmem, installed in the /usr/bin directory, that installs the correct fmem.ko kernel object for the running kernel on the current system.
This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection
phase of an investigation that includes digital assets.
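The selection step described above, as an added example: this is not the package's own install-fmem script, and it assumes a layout (one directory per kernel, named after the KernelVersion.FedoraRelease.Architecture triple exactly as `uname -r` prints it, containing fmem.ko) that the package notes do not spell out. The function names and the FMEM_BASE_DIR variable are this example's own. Beyond naming, it cross-checks the module's vermagic against the running kernel before loading, so that a mis-filed module is refused rather than loaded.

```shell
#!/bin/sh
# Added example, not the package's install-fmem script.
# Assumed layout (not confirmed by the package notes):
#   $FMEM_BASE_DIR/<KernelVersion.FedoraRelease.Architecture>/fmem.ko
# e.g. /usr/share/fmem-kernel-objects-1.6/3.4.11-1.fc16.x86_64/fmem.ko

FMEM_BASE_DIR="${FMEM_BASE_DIR:-/usr/share/fmem-kernel-objects-1.6}"

# select_fmem_ko BASE_DIR KERNEL_RELEASE
# Prints the path of the pre-compiled module for that kernel, or fails
# with a message on stderr when none was built for it.
select_fmem_ko() {
    base_dir="$1"
    kernel_release="$2"
    candidate="$base_dir/$kernel_release/fmem.ko"
    if [ -f "$candidate" ]; then
        printf '%s\n' "$candidate"
        return 0
    fi
    printf 'no pre-compiled fmem.ko for kernel %s under %s\n' \
        "$kernel_release" "$base_dir" >&2
    return 1
}

# module_matches_kernel KO KERNEL_RELEASE
# Compares the module's vermagic (first field, e.g. 3.4.11-1.fc16.x86_64)
# with the running kernel so a wrongly filed module is not loaded.
# modinfo -F is provided by kmod / module-init-tools.
module_matches_kernel() {
    ko="$1"
    kernel_release="$2"
    vermagic=$(modinfo -F vermagic "$ko" 2>/dev/null | cut -d' ' -f1)
    [ "$vermagic" = "$kernel_release" ]
}

# install_fmem_for_current_kernel
# Locates, checks and loads the module for the running kernel; afterwards
# /dev/fmem can be read with dd as the package notes describe. Needs root.
install_fmem_for_current_kernel() {
    kernel_release=$(uname -r)
    ko=$(select_fmem_ko "$FMEM_BASE_DIR" "$kernel_release") || return 1
    module_matches_kernel "$ko" "$kernel_release" || {
        printf 'vermagic of %s does not match kernel %s\n' \
            "$ko" "$kernel_release" >&2
        return 1
    }
    insmod "$ko"
}
```

Source the file and call install_fmem_for_current_kernel as root; set FMEM_BASE_DIR to point at another directory when the modules are staged elsewhere (for instance on the collection media).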
CERT-Forensics-Tools-1.0-46.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm -
This package was updated to do the following:
add fmem-kernel-objects for all supported releases.
log2timeline-0.65-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
Here are the changes in this version:
[UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
[SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
[l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
[EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
[Altiris input] Fixed a small bug when the date is malformed.
[Log2Timeline library] Fixed a few bugs:
A small error in the format sort caused oxml to sometimes be skipped in processing.
[GENERIC_LINUX input] Added a small extra eval sentence.
[LS_QUARANTINE] Fixed a minor bug in the get_time routine: if a database error occurs it is now caught by an eval sentence.
[TEST] Added a few more tests.
[MOST INPUT MODULES] Changed the line my $line = <$fh> or return undef; in most input modules.
[WIN library] Added a few more transformations of Windows-stored time zone names into "Olson" ones understood by DateTime.
[CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
[faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
[timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
python-apsw-3.7.14.1_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded
relational database engine. In contrast to other wrappers such as pysqlite,
it focuses on being a minimal layer over SQLite, attempting only to translate the complete SQLite API into Python.
The documentation has a section on the differences between APSW and pysqlite.
See here for a list of the changes.