Linux Forensics Tools Repository: Package Summary for Packages on October 19, 2012:

  • fmem-kernel-objects-1.6-1.3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or other tool. Works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels release with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem which is installed in the /usr/bin directory that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for kernel 3.6.1-1 for FC17
    • Support for kernel 3.6.2-4 for FC17

  • nDPI-1.4.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - nDPI nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

    nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

    See here for the list of supported protocols.
  • xplico-1.0.1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. It also assumes a web server, for example Apache, has been configured and is operational. Here are the changes since 1.0.0:
    • nDPI integration
    • performace improved
    • FTP dissector improved
    • Added the prism dissector
    • CLI execution bug fixed
    • PCAP-over-IP SSL encryption
    • IRC dissector improvements
    • File reconstruction from Fragmented Payloads improved
    • FaceBook Chat updated
    • FaceBook Message (partial)
    • HTTP without initial packets (packets lost)
    • RTP dissector imporved
    • PCAP2WAV, RTP2WAV interface added

  • libvshadow{,-devel,-tools,-python}-20121016-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a ibrary and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.
    • pyvshadow: bug fixes
      • Missing Py_None increment reference
      • added increment/decrement reference of volume object in store
    • pyvshadow: added creation time as integer function
    • made get store more restrictive
    • added store get size function for python binding
    • updated dpkg and spec files
    • added store get offset function
    • worked on Python bindings
    • fix for dpkg files docs
    • worked on Python bindings

  • sleuthkit{,-devel,-libs}-4.0.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 3.2.3:
    • New Features:
      • Added multithreaded support
      • Added C++ wrapper classes
      • Added JNI bindings / Java data model classes
      • 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
      • 3184429: More consistent printing of unset times (all zerso instead of 1970)
      • New database design that allows for multiple images in the same database
      • GPT volume system tries other sector sizes if first attempt fails.
      • Added hash calculation and lookup to AutoDB and JNI.
      • Upgraded SQLite to 3.7.9.
      • Added Framework in (windows-only)
      • EnCase hash support
      • Libewf v2 support (it is now non-beta)
      • First file in a raw split or E01 can be specified and the rest of the files are found.
      • mactime displays times as 0 if the time is not set (isntead of 1970)
      • Changed behavior of 'mactime -y' to use ISO8601 format.
      • Updated HFS+ code from ATC-NY.
      • FAT orphan file improvements to reduce false positives.
      • TskAuto better reports errors.
      • Upgrade build projects from Visual Studio 2008 to 2010.
    • Bug Fixes:
      • Relaxed checking when conflict exists between DOS and GPT partitions. Had a Mac image that was failing to resolve which partition table to use.

    • ptk-1.0.5-4.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, has been configured and is operational. Here are the list of changes:
      • Now recognizes that both The Sleuth Kit Version 3 and Version 4 are valid versions.