Linux Forensics Tools Repository: Package Summary for Packages on November 27, 2012:

  • fmem-kernel-objects-1.6-1.8.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6, named by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for 3.6.7-4 for FC17

  • sleuthkit{,-devel,-libs}-4.0.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 3.2.3:
    • New Features:
      • Can open raw Windows devices with write mode sharing.
      • More DOS partition types are displayed.
      • Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
      • Added new API to TskImgDB that returns hash value associated with carved files.
      • Performance improvements with FAT code (maps and dir_add).
      • Performance improvements with NTFS code (maps).
      • Added AONLY flag to block_walk.
      • Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
    • Bug Fixes:
      • Fixed mactime issue where it could choose the wrong timezone that did not follow daylight savings times.
      • Fixed file size of alternate data streams in framework.
      • Incorporated memory leak fixes and raw device fixes from ADF Solutions.

  • fiwalk-0.6.16-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
  • pytsk-2012113-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
  • testdisk-6.13-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release was rebuilt to use the ntfs-3g development and library packages required for CentOS/RHEL 5, but all other versions were rebuilt for synchronization purposes.
  • bulk_extractor-1.3.1-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features that it finds, since features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
  • CERT-Forensics-Tools-1.0-50.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • added bulk_extractor, bulk_extractor-stoplist, and fiwalk for RHEL/CentOS 5 for all supported architectures
    • obsoletes BEViewer since that tool is now included in bulk_extractor