Linux Forensics Tools Repository: Package Summary for Packages on September 25, 2015:

  • dd_rescue-1.99-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however, not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previously distributed version (1.46):
    • Version 1.99 brings updates to the ddr_crypt plugin: it adds hardware acceleration for ARMv8 CPUs/SoCs (even if in 32-bit mode) -- this is a 10x speedup on AES en/decryption operations. (A Cortex-A57 at 2.1GHz (Exy7420) does ~1GB/s with AES128-CTR.) The ddr_crypt plugin xattr support has been extended and it has an option to process OpenSSL-compatible Salted__ files. A bug in CTR initialization has been fixed. The main program sees improved write error retry logic and better fault injection logic (support for ranges, using absolute positions). There are now more variants of Android binaries.

  • ddrescue-1.20-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes for this version:
    • 'logfile' has been renamed to 'mapfile' everywhere.
    • Changed short name of option '--synchronous' to '-y'.
    • Changed long name of option '-d' to '--idirect'.
    • Added new option '-D, --odirect'.
    • Added new option '-J, --verify-on-error'.
    • Added new option '--max-read-rate'.
    • rescuebook.cc (copy_block): Copy arbitrary blocks with '--idirect'.
    • Include only bad_sector blocks in 'errsize'.
    • rescuebook.cc (show_status): Show the estimated remaining time.
    • io.cc (format_time): Show time in days, hours, minutes and seconds.
    • Added per sector location data to fill mode.
    • mapbook.cc: Added emergency save of the mapfile.
    • Show device name with '--ask' or '-vv' on Haiku.
    • mapfile.cc (read_mapfile): Read read-only mapfiles from stdin.
    • ddrescuelog.cc: Allow multiple mapfiles for '-t, --show-status'.
    • ddrescuelog.cc (create_mapfile): '-' writes mapfile to stdout.
    • ddrescue.texi: Added new chapter 'Optical media'.
    • ddrescue.texi: Documented maximum size of the rescue domain.
    • configure: Option '--enable-linux' renamed to '--enable-non-posix'.
    • Makefile.in: Added new targets 'install*-compress'.
    • File 'ddrescue.h' renamed to 'mapbook.h'.
    • File 'logbook.cc' renamed to 'mapbook.cc'.
    • File 'logfile.cc' renamed to 'mapfile.cc'.
    • Files linux.{h,cc} renamed to non_posix.{h,cc}.

  • libbde{,-devel,-python,-tools}-20150905-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
  • liblnk{,-devel,-python,-tools}-20150830-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format. See here for the list of changes.
  • libfsntfs{,-devel,-python,-tools}-20150829-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools to access the New Technology File System (NTFS). See here for the list of changes.
  • dfvfs-20150915-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

    At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for the i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
  • artifacts-20150409-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.noarch.rpm - Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools. This package was built to support plaso.
  • python-dpkt-1.8-2.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and python-dpkt-1.8-2.{el6,el7}.x86_64.rpm - Python-dpkt is a fast, simple packet creator and parser, with definitions for the basic TCP/IP protocols, for Python. This package was built to support plaso.
  • python-pefile-1.2.10_139.2.{fc17,fc18,fc19,el6,el7}.{i686,x86_64}.rpm - Python-pefile is a multi-platform Python module to parse and work with Portable Executable (aka PE) files. Most of the information contained in the PE headers is accessible, as well as all sections' details and their data. This package was built to support plaso.
  • python-psutil-2.1.3-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-psutil is a cross-platform library for retrieving information on running processes and system utilization (CPU, memory, disks, network) in Python. This package was built to support plaso.
  • python-tornado-3.2.1-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - Python-tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed. By using non-blocking network I/O, Tornado can scale to tens of thousands of open connections, making it ideal for long polling, WebSockets, and other applications that require a long-lived connection to each user. This package was built to support plaso.
  • python-ipython{,-console,-doc,-gui,-notebook,-sphinx,-tests}-2.4.1-8.fc20.{i686,x86_64}.rpm - IPython is an enhanced interactive Python shell. This package was built to support plaso.
  • python-requests-2.3.0-3.fc20.{i686,x86_64}.rpm - Python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings. Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web. It requires an enormous amount of work (even method overrides) to perform the simplest of tasks. This package was built to support plaso.
  • plaso-1.3.0-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm, plaso-1.3.0-1.{el6,el7}.x86_64.rpm - Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. This release adds the missing artifacts and python-requests dependencies.

    At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, and 22 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of plaso. For Fedora 17, 18, and 19 and CentOS/RHEL 5 and 6 for the i686 and x86_64 architectures, all dependencies are satisfied, but not all available packages meet the minimum requirements for plaso. Effort to satisfy these out-of-date dependencies will be expended when there is a specific request to do so.
  • sleuthkit{,-devel,-libs}-4.2.0-1.{fc17,fc18,fc19,fc20,fc21,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the list of changes in this release.
  • pytsk-20150406-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. This version was rebuilt to use The Sleuth Kit version 4.2.0 for all systems except CentOS/RHEL 5, which uses The Sleuth Kit version 4.1.3.
  • fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.13.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.1.7-200 for FC22

  • lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-13.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.1.7-200 for FC22

  • fmem-kernel-modules-fc21-{i686,x86_64}-1.6-1.25.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.1.7-100 for FC21

  • lime-kernel-modules-fc21-{i686,x86_64}-1.1.r17-25.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.1.7-100 for FC21

  • fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
    • 2.6.32-573.7.1 for EL6

  • lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
    • 2.6.32-573.7.1 for EL6

  • yara-3.4.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID to check whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version (3.3.0):
    • Short-circuit evaluation for conditions
    • New yr_rules_save_stream/yr_rules_load_stream APIs.
    • load() and save() methods in yara-python accept file-like objects
    • Improvements to the PE and ELF modules
    • Some performance improvements
    • New command-line option --print-module-data
    • Multiple bug fixes.

    In addition, release 2 was built with openssl-devel.
  • yara-python-3.4.0-2.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts. Here are the changes since the last version (3.3.0):
    • Short-circuit evaluation for conditions
    • New yr_rules_save_stream/yr_rules_load_stream APIs.
    • load() and save() methods in yara-python accept file-like objects
    • Improvements to the PE and ELF modules
    • Some performance improvements
    • New command-line option --print-module-data
    • Multiple bug fixes.

    In addition, release 2 was built with openssl-devel.