Software Engineering Institute

LiFTeR: Changes for July 15, 2016

Fedora 24 - The repository now supports Fedora 24 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 24:

2hash
a52dec
afflib
aimage
analysis-pipeline
analyzeMFT
artifacts
ataraw
autopsy
bencode
binplist
bloom
bokken
bulk_extractor
bulk_extractor-stoplist
CERT-Forensics-Tools
cert-forensics-tools-release
cryptcat
daq
dc3dd
ddrescue
dd_rescue
ddrescueview
ddrutility
dfdatetime
dff
dfvfs
dfwinreg
disktype
distorm3
DropboxReader
eindeutig
epub
exfat-utils
faad2
fatback
fcrackzip
ffmpeg
fmem-kernel-modules
fmem-kernel-modules-common
frag_find

fred
fundl
galleta
ghostpdl
grokevt
guymager
hachoir-core
hachoir-metadata
hachoir-parser
hachoir-regex
hachoir-subfile
hachoir-urwid
hachoir-wx
ip4r
jafat
KHracker
kracked
lame
libbde
libbfio
libesedb
libevt
libevtx
libewf
libfixbuf
libfsntfs
libfvde
libfwnt
libfwsi
libguytools
libiconv
liblnk
libluksde
libmad
libmsiecf
libolecf
libp0f
libpff
libpst
libqcow
libregf

libscca
libschemaTools
libsigscan
libsmdev
libsmraw
libvhdi
libvmdk
libvshadow
libvslvm
lime-kernel-modules
lime-kernel-modules-common
log2timeline
md5deep
mdbtools
missidentify
mount_ewf
nDPI
netsa-python
netsa-rayon
partclone
pasco
perl-File-Mork
perl-Mac-PropertyList
perl-Parse-Evtx
perl-Parse-Win32Registry
plaso
prism
pstotext
ptfinder
ptk
pyew
python-apsw
python-construct
python-radare
python-rarfile
python-registry
pytsk
radare
radare-extras
rar
registrydecoder

reglookup
regripper
regripper-plugins
rifiuti
rifiuti2
scrounge-ntfs
sfdumper
shellbags
silk
silk-ipa
silk-ipset
sleuthkit
snort
snort-openappid
snort-sample-rules
ssdeep
stegdetect
super_mediator
tln_tools
testdisk
undbx
unrar
untex
valabind
videosnarf
vinetto
vmfs-tools
Volatility
Volatility-community-plugins
xlsxwriter
xmount
xplico
xvidcore
yaf
yara
yara-python

libpff-20160110-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF,the Digital Forensics Framework. See here for the list of changes.
libvshadow{,-devel,-python,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
dff-1.3.6-20160630.1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of June 30, 2016.

To support this version, the following were also installed:
- Fedora 24 (From RPM Fusion)
  - ffmpeg-libs-2.8.7-1.fc24.{i386,x86_64}.rpm
  - ffmpeg-2.8.7-1.fc24.{i386,x86_64}.rpm
  - ffmpeg-devel-2.8.7-1.fc24.{i386,x86_64}.rpm
  - lame-devel-3.99.5-5.fc24.{i386,x86_64}.rpm
  - libavdevice-2.8.7-1.fc24.{i386,x86_64}.rpm
  - x264-devel-0.148-7.20160614gita5e06b9.fc24.{i386,x86_64}.rpm
  - x265-devel-1.9-1.fc24.{i386,x86_64}.rpm
  - x265-libs-1.9-1.fc24.{i386,x86_64}.rpm
  - xvidcore-1.3.4-2.fc24.{i386,x86_64}.rpm
  - xvidcore-devel-1.3.4-2.fc24.{i386,x86_64}.rpm
- Fedora 23 (From RPM Fusion)
  - libbfio-devel-20160108-1.fc23.{i386,x86_64}.rpm
  - libbfio-20160108-1.fc23.{i386,x86_64}.rpm
  - libavdevice-2.8.7-1.fc23.{i386,x86_64}.rpm
  - ffmpeg-libs-2.8.7-1.fc23.{i386,x86_64}.rpm
  - ffmpeg-devel-2.8.7-1.fc23.{i386,x86_64}.rpm
- CentOS 7 (From NUX)
  - faac-1.28-6.0.el7.nux.x86_64.rpm
  - fdk-aac-0.1.4-1.x86_64.rpm
  - ffmpeg-devel-2.6.8-3.el7.nux.x86_64.rpm
  - ffmpeg-libs-2.6.8-3.el7.nux.x86_64.rpm
  - libavdevice-2.6.8-3.el7.nux.x86_64.rpm
  - x264-libs-0.142-11.20141221git6a301b6.el7.nux.x86_64.rpm
  - x265-libs-1.9-1.el7.nux.x86_64.rpm
  - xvidcore-1.3.2-5.el7.nux.x86_64.rpm
libbde{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
libbfio{-devel,-python}-20160108-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,{i386,x86_64}}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access.
libevt{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
libevtx{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
liblnk{,-devel,-python,-tools}-20160420-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
libmsiecf{,-devel,-python,-tools}-20160421-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
libfsntfs{,-devel,-python,-tools}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS). See here for the list of changes.
libolecf{,-devel-,-python,-tools}-20160423-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format filed. See here for the list of changes.
libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.66-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
libregf{,-devel,-python,-tools}-20160424-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File files. See here for the list of changes.
libsmraw{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw contains supports for multiple (split) RAW naming schemes. See here for the list of changes.
libvhdi{,-devel,-python,-tools}-20160424-1.(fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
fmem-kernel-modules-1.6-1.8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 24 x86_64 and i686 architectures was added.
lime-kernel-modules-1.1.r17-8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 24 x86_64 and i686 architectures was added.
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.6.3-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels were added for LiME:
- 4.6.3-300 for FC24
fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.1.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-1.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels were added for Fmem:
- 4.5.7-202 for FC23
lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels were added for LiME:
- 4.5.7-202 for FC23
fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.32-642.3.1 for EL6
lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.32-642.3.1 for EL6
fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels were added for Fmem:
- 2.6.18-411 for EL5
lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels were added for LiME:
- 2.6.18-411 for EL5
lime-kernel-modules-common-1.1.r17-2.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes tie lime-kernel-objects package which contained the source code and all of the kernel objects. This repackaging increases the number of packages but decreases their size.

Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7 If you use rsync, make certain that you use the -H option to preserve those hard links.
snort-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
snort-openappid-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
- The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
- The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
- Here is the OpenAppId Detector Developer Guide .
snort-sample-rules-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
dfvfs-20160706-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

At this time, this repository, in combination of all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of dfvfs.
libfwnt{,-devel,-python,-python3}-20160418-1.(fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm and libfwnt{,-devel,-python}-20160418-1.el6.noarch.rpm - LibFWNT, is a library for Windows NT data types. See here for the list of changes. This package is needed by dfvfs.
dfdatetime-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. This package is needed by dfvfs.
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.2‑2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and silk‑{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}‑3.12.2‑2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics‑sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
distorm3-3.3.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. The changes are listed here.
Volatility-2.5-4.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.5. It also contains the mimikatz plugin. This release was build using the code as of 2016-07-08.
Volatility-community-plugins-20160708-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/.
exfat-utils-1.2.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.3).
nDPI{,-devel}-1.8-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI do be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being them un-necessary for network traffic monitoring.

nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect http non ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

See here for the list of supported protocols.
xplico-1.1.1-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work with nDPI-1.8.
python-registry-1.2.0-1.{fc20,fc21,fc22,fc23,fc23,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry.
valabind-0.10.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and valabind‑0.10.0‑1.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files to transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
radare{,-devel}-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and radare{,‑devel}‑2.0.10.4‑1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
python-radare-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and python‑radare‑2.0.10.4‑1.el7.x86_64.rpm- Python-Radare are bindings that allow Radare to be used from Python.
radare-extras-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and radare‑extras‑2.0.10.4‑1.el7.x86_64.rpm- Radare-Extras are are extra plugins for radare2.
disktype-9-19.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA. This version was rebuilt to increment the release number to be higher (19.1) than the current version provided for either Fedora (19) or CentOS/RHEL (12).
netsa-rayon-1.4.3-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython,/a> (for GUI output). See here for a list of changes. This release was rebuilt to use Syhinx version 1.2.2 to produce the documentation.
analysis-pipeline-5.4.1-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes since the last version (5,4).