Linux Forensics Tools Repository: Package Summary for Packages on May 22, 2014:

  • nDPI{,-devel}-{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience. Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being unnecessary for network traffic monitoring.

    nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the assumption that port equals application no longer holds.

    See here for the list of supported protocols.
  • xplico-1.1.0-1.{fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. See here for the changes in this release. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. Note that Fedora 17 is not supported yet but support is expected soon.
  • libewf-{,devel,tools}-20140427-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140427-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
    • fixes to build static library with mingw and cygwin
    • bug fixes in m4 files
    • removed #error restriction in dependency include header files
    • make pyewf_handle_open more strict to catch non-string objects; without the check, the code segfaults on non-string objects
    • bug fixes in empty block compression
    • bug fix in libewf_read_io_handle_read_chunk_data error tolerance code path

  • bokken-1.6-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Bokken is a GUI for the Pyew and Radare projects, so it offers almost all the same features that Pyew has and some of Radare's. It is intended to be a basic disassembler, mainly for analyzing malware and vulnerabilities.
  • pyew-2.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Pyew is a command-line Python tool to analyse malware. It supports hexadecimal viewing, disassembly (Intel 16-, 32- and 64-bit), and the PE and ELF file formats (it performs code analysis and lets you write scripts using an API to perform many types of analysis); it follows direct call/jmp instructions in the interactive command line and displays function names and string data references; it also supports the OLE2 format, the PDF format and more. Plugins can be used to add further features to the tool.
  • radare-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Radare is a framework for doing reverse engineering.
  • python-radare-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Python-Radare provides bindings that allow Radare to be used from Python.
  • vala{,-devel,-doc,-tools}-0.20-1.el6.{i686,x86_64}.rpm and emacs-vala-0.20-1.el6.{i686,x86_64}.rpm - Vala is a new programming language that aims to bring modern programming language features to GNOME developers without imposing any additional runtime requirements and without using a different ABI compared to applications and libraries written in C.
  • valabind-0.7.4-2.{fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
  • snort-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • md5deep-4.4-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep. See here for the list of changes in this version.
  • pytsk-20140506-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. See here for a list of changes.
  • yaf{,-devel}-2.5.0-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools for flow metering. YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap dump files as generated by tcpdump, from live capture on an interface using pcap, from an Endace DAG capture device, or from a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, via Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. See here for a list of changes in this version.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version. Note: In this release of SiLK (3.8.2-1), support for the IPA extensions has been removed.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.2-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release, named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
  • silk-ipset{,-devel,-lib,-tools}-3.8.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
  • guymager-0.7.3-2.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. The change made in this version was to replace the trailing backslashes at the ends of lines in the configuration file (/etc/guymager/guymager.cfg) with spaces, to work around a programming error in libguytools.
  • lime-kernel-objects-1.1.r16-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The changes added support for the following kernels:
    • 3.14.4-200
    • 3.14.3-200
    • 3.14.2-200
    • 3.13.9-200
    • 3.13.8-200
    • 3.13.7-200
    • 3.13.10-200
    • 3.14.4-100
    • 3.13.9-100
    • 3.13.7-100
    • 3.13.11-100
    • 2.6.32-431.17.1
    • 2.6.32-431.11.2
    • 2.6.18-371.8.1
    • 2.6.18-371.6.1

  • fmem-kernel-objects-1.6-1.28.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the same kernels noted for LiME.
  • plaso-1.0.2-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-1.el6.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. See here for the changes in this release.