Linux Forensics Tools Repository: Package Summary for Packages on June 27, 2014:

  • dd_rescue-1.45-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does not, however, abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Note: these packages are available from the RPM Forge repository for CentOS/RHEL 5 and 6. See here for more details on the RPM Forge repository. Here are the changes from the previously distributed version (1.40):
    • Release 1.45-1: ddr_hash received a bugfix (sha512/sha384 could overflow a buffer). It gained support for sha1 hash. ddr_hash can now conveniently retrieve (and check) and store hashes in xattrs and md5sum/sha256sum/... style files. A new null plugin (ddr_null) was added.
    • Release 1.44-1: The plugin libddr_MD5.so (short ddr_MD5) has been renamed to ddr_hash, reflecting that we also support sha1, sha256, sha224, sha512, sha384 now. Checks have been added to the test suite and the documentation has been updated accordingly.
    • Release 1.43-1: The main feature of 1.43 is the new lzo plugin. It de/compresses data using the lzo algorithms, which are very fast to decompress and most versions are also fast to compress (at somewhat moderate compression levels). The plugin supports many of dd_rescue's features, such as skipping bad blocks (encoding sparseness/holes into the output) as well as appending. It also continues on errors (skipping a whole block if nodiscard is NOT given) and allows searching for valid lzo block headers if sync is lost. Fuzz testing has been done to support reliability. A man page ddr_lzo(1) has been created.

      The plugin interface has been enhanced to support ddr_lzo; the MD5 plugin has also seen some work beyond just refactoring: It supports the parameter output/outfd= now and supports all types of holes that can be generated in a chain with ddr_lzo now.

      Some minor improvements (docu, messages) and bug fixes have been applied. There also is a new ARMv8 (AArch64 aka ARM64) optimized routine to detect zero-blocks.
    • Release 1.42.1-1: 1.42.1 contains a fix for a subtlety in how we set up a handler for SIGILL and return with longjmp to detect the supported instruction sets of the CPU -- we need to manually reset the process' signal mask, otherwise a second failed probe would abort.
    • Release 1.42-1: 1.42 brings the possibility to load plugins to analyze or transform data before it's written to the output file(s). A plugin to calculate the MD5 hash is provided. posix_fadvise() is used if available (optimization) and dd_rescue now only provides a short usage info rather than the long help text on wrong parameters.
    • Release 1.41-1: There has been a lot of internal refactoring that improves the detection of CPU features (at runtime) and libc/compiler features (at build time). One result is that this version supports building against the Android NDK. (armv7l binaries built against Android API 17 (aka 4.2) libc can be found below in the download section.) Another consequence is that AVX2 support is now enabled (for saving CPU cycles on sparse block detection). A few minor bugs have been addressed (the most serious one a harmless off-by-one on determining the size of a block device). Number formatting is more consistent now. There is also a new option -u/--rmvtrim that deletes the created file again and issues an fstrim on the filesystem -- good if you filled the empty space of a filesystem with zeros for data protection and SSD refreshment.
    • Release 1.40.1-1: It just has one patch to fix the SSE2 detection on i386 -- the old code would end in an endless loop ...

  • ddrescue-1.18.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes from the previously distributed version (1.17):
    • ddrescuelog.cc (do_logic_ops): Fixed 'or' and 'xor'.
    • Added new option '-H, --test-mode' to simulate read errors.
    • Added new option '-L, --loose-domain' to ddrescue and ddrescuelog.
    • Added new option '-N, --no-trim' to disable trimming of damaged areas.
    • Added new option '-O, --reopen-on-error'.
    • Added new options '-1, --log-rates', and '-2, --log-reads'.
    • Extended '-K, --skip-size' with maximum and disable values.
    • Changed long name of option '-r' to '--retry-passes'.
    • Changed short name of option '--generate-mode' to '-G'.
    • Default value of option '-l, --logfile-size' increased to 10000.
    • If interrupted, ddrescue terminates by raising the signal received.
    • rescuebook.cc (copy_non_tried): Do not mark skipped blocks as non-trimmed. Try them in additional passes (before trimming).
    • rescuebook.cc: Limit the copying phase to 3 passes.
    • rescuebook.cc: Alternate direction of passes during copying phase.
    • rescuebook.cc: Smallest blocks are trimmed first.
    • rescuebook.cc (split_errors): Read largest first if logfile full.
    • Improved speed when using option '-m, --domain-logfile'.
    • io.cc (show_status): Show the current total run time.
    • rescuebook.cc: Show pass number and direction during copying.
    • rescuebook.cc (show_status): Show block pos instead of current_pos.
    • main.cc: Show "an unknown number of bytes" for unknown isize.
    • Added option '-B, --binary-prefixes' to ddrescuelog.
    • Added new option '-C, --complete-logfile' to ddrescuelog.
    • Added new option '-P, --compare-as-domain' to ddrescuelog.
    • Improved speed of logic operations in ddrescuelog.
    • rescuebook.cc (Rescuebook::do_rescue): Show warning when domain is smaller than logfile.
    • ddrescuelog.cc (do_show_status): Show logfile and domain extents when domain is smaller than logfile.
    • block.h: Class Block now forces the invariant by itself.
    • Code reorganization. New class 'Logfile'.
    • Added status message to rescue logfile.
    • Many improvements to documentation.
    • ddrescue.texinfo: Renamed to ddrescue.texi.

  • libewf-{,devel,tools}-20140608-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm, ewftools-20140608-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140427):
    • bug fix for utf16 header functions
    • bug fix in ewfmount regarding logical files date and time values
    • updated python.m4
    • fixes to build static library with mingw and cygwin
    • bug fixes in m4 files
    • removed #error restriction in dependency include header files
    • make pyewf_handle_open more strict to catch non-string objects; without the check, the code will segfault on non-string objects

  • {python-,}binplist-0.1.4-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in Python. Here are the changes from the previous release (0.1.4-0):
    • The python library (python-binplist) has been split from the binplist executable.
    • In binplist, the following changes were made:
      • The plist.py file was removed.
      • The binplist.py file was renamed to binplist.
      • The /usr/bin/binplist.py[co] and /usr/bin/plist.py[co] files are removed. These files are automatically created if either the binplist.py or plist.py program was executed by root. Their presence causes log2timeline.py and related programs to fail.

  • plaso-1.0.2-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.2-2.el6.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Here are the changes from the previous release (1.0.2-1):
    • Missing dependencies were added (python-construct, libolecf-python, python-dpkt, python-binplist). Note that on CentOS/RHEL 6, the python-construct and python-dpkt packages were released in support of plaso.
    • Fixed a bug in the Firefox history parser.
    • For the CentOS/RHEL 6 version, the Software Collections Library version of Python 2 is used to byte compile the Python source files.

  • lime-kernel-modules-fc20-{i686,x86_64}-1.1.r17-3.noarch.rpm,
    lime-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.1.r17-2.noarch.rpm,
    fmem-kernel-modules-fc20-{i686,x86_64}-1.6-1.3.noarch.rpm,
    fmem-kernel-modules-{fc19,el5,el6}-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem and LiME:
    • 3.14.8-200 for FC20
    • 3.14.6-200 for FC20
    • 3.14.7-100 for FC19
    • 3.14.8-100 for FC19
    • 2.6.32-431.20.3 for EL6
    • 2.6.18-371.9.1 for EL5