Linux Forensics Tools Repository: Package Summary for Packages on February 12, 2014:

  • lime-kernel-objects-1.1.r16-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

    In addition, this package includes a script named CaptureMemoryWithLime and a corresponding man page that manages the installation of the appropriate kernel object and dumps memory on the installed machine to the indicated file.

    LiME can be used with Volatility as described here to analyze memory as part of an investigation of digital assets.

    LiME releases will track with fmem-kernel-objects as to the list of supported kernels.
  • fmem-kernel-objects-1.6-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following kernels:
    • 3.12.9-301 for FC20
    • 3.12.8-300 for FC20
    • 3.12.7-300 for FC20
    • 3.12.8-200 for FC19
    • 3.12.7-200 for FC19
    • 2.6.18-371.4.1 for EL5

  • daq-2.0.2-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Here are the changes since the last version:
    • os-daq-modules/daq_ipfw.c: Don't treat being interrupted by a signal as an error.
    •, daq.spec, os-daq-modules/daq_afpacket.c: Fix frame length sanity check.
    • README,, os-daq-modules/daq_afpacket.c: Fix AFPacket DAQ module to attempt to reconstruct the automatically stripped VLAN header prior to passing it to the reader. Also, use AFPacket TX Ring instead of sendto to improve TX performance. (Requires a newer Linux kernel version, README and updated to reflect this.)

  • disktype-9-15.{fc17,fc18,fc19,fc20,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy of Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.63-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. Here are the changes from the previous distributed version (0.6.61):
    • Daniel Gryniewicz found buffer overrun in LIST_COPY_TIME
    • Old dependency filter breaks file coloring

  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of the changes since the previous version (3.8.0).
  • analysis-pipeline-4.3.2-2.{fc17,fc18,fc9,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.8.1-1.
  • silk-ipset-{devel,lib,tools}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
  • sleuthkit{,-devel,-libs}-4.1.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.1.2:
    • Fixed bug that could crash UFS/ExtX in inode_lookup
    • More bounds checking in ISO9660 code
    • Image layer bounds checking
    • Update version of SQLITE-JDBC
    • Changed how Java loads native libraries
    • Config file for YAFFS2 spare area
    • New method in image layer to return names
    • Yaffs2 cleanup
    • Escape all strings in SQLite database
    • SQLite code uses NTFS sequence number to match parent IDs

  • snort-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • xmount-0.6.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types. The changes in this version are the following:
    • Added support for split DD input files.
    • Patch for newer libewf support (meaning packages newer than 20110903), courtesy of Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.