Linux Forensics Tools Repository: Package Summary for Packages on February 8, 2013:

  • dd_rescue-1.31-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from one file or block device to another. Unlike dd, however, dd_rescue does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.28):
    • 1.31: This version brings a few tiny improvements in the output (such as displaying the total elapsed time in the summary as opposed to ETA of 0, and the amount of data really written with option -W). But importantly, it has the new mode of triple overwriting of data (options -3 and -4), with random numbers, inverse random numbers, new random numbers (only for -4) and zeros, this way allowing paranoia-safe deletion of information.
    • 1.30: This version brought a fix for outputting data to stdout and a fix for a possible double free operation (introduced in 1.29). The message formatting has been streamlined a bit. The PRNG can now be initialized from a file (e.g. -Z /dev/urandom). The program now can also avoid writing to a target block if the target block already has the same data (option -W). Think of SSDs or other devices where you want to avoid writes.
    • 1.29: This version fixed a bug where the last bytes were not copied correctly if hardbs == softbs. 1.29 also brings a number of new features: the ability to write the same (softbs sized) block again and again (option -R, automatically set if infile is /dev/zero), the ability to limit transfer size such that the outfile won't be enlarged (-M) and the possibility to use userspace random numbers (libc/frandom) to fill files with random data (options -z and -Z). Last but not least, OBS also builds .deb binaries for Ubu12.04 / Deb6 now.

  • fuse-exfat-1.0.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32, removing some of its limitations. exFAT is a standard file system for SDXC memory cards. Here are the changes from the previous version:
    • Fixed unexpected removal of a directory if it is moved into itself.
    • Fixed "Operation not permitted" error on reading an empty file.

  • exfat-utils-1.0.1-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Exfat-utils is a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version:
    • Fixed unexpected removal of a directory if it is moved into itself.
    • Fixed "Operation not permitted" error on reading an empty file.

  • libewf-{,devel,tools}-20130128-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20121209):
    • worked on sync with experimental version
    • docstring changes in pyewf
    • fix for corruption scenario
    • fixes in pyewf examples
    • updated msvscpp files
    • updated codegear files
    • updated pyewf
    • worked on sync with experimental version
    • replace libmfcache by new libfcache
    • updated configure files
    • updated dpkg files
    • updated rpm spec file
    • updated pyewf - fixes multiple issues
    • updated dependencies
    • worked on sync with experimental version
    • added pyewf/setup.py with thanks to Michael Cohen
    • bug fix for 31st day of the month issue

  • libvshadow{,-devel,-tools,-python}-20130131-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and set of tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • worked on pyvshadow
    • worked on exposing block descriptors via vshadowinfo
    • worked on exposing block descriptors via API
    • removed LIBVSHADOW_STORE_FLAG_IO_HANDLE_MANAGED flags

  • sleuthkit{,-devel,-libs}-4.0.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.0.1:
    • New Features
      • Added fiwalk tool from Simson. Not supported in Visual Studio yet.
    • Bug Fixes
      • Fixed fcat to work on NTFS files (still doesn't support ADS though).
      • Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
      • NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
      • NTFS code uses sequence number when searching MFT entries for all files.
      • Libewf detection code change to support v2 API more reliably (ID: 3596212).
      • NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
    • Framework
      • Added new API to TskImgDB that returns the base name of an image.
      • Numerous performance improvements to framework.
      • Removed requirement in framework to specify module extension in pipeline configuration file.
      • Added blackboard artifacts to represent both operating system and network service user accounts.
    • Java Bindings
      • added more APIs to find files by name, path and where clause
      • added API to get currently processed dir when image is being added
      • added API to return specific types of children of image, volume system, volume, file system.
      • moved more common methods up to Content interface
      • deprecated context of blackboard attributes
      • deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
      • fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
      • methods that are lazy loading are now thread safe
      • Hash class is now thread-safe
      • use more PreparedStatements to improve performance
      • changed source level from java 1.6 to 1.7
      • Throw exceptions from C++ side better

  • fiwalk-0.6.16-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This release has been rebuilt to use version 4.0.2 of The Sleuth Kit. Because that release now contains both fiwalk and jpeg_extract, this release no longer contains those two programs.

  • yaf{,-devel}-2.3.3-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter, a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. See here for the list of changes.

  • fmem-kernel-objects-1.6-1.14.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
    • 3.7.5-201 for FC18