Linux Forensics Tools Repository: Package Summary for Packages on July 15, 2016:

  • Fedora 24 - The repository now supports Fedora 24 for both the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 24:
    2hash
    a52dec
    afflib
    aimage
    analysis-pipeline
    analyzeMFT
    artifacts
    ataraw
    autopsy
    bencode
    binplist
    bloom
    bokken
    bulk_extractor
    bulk_extractor-stoplist
    CERT-Forensics-Tools
    cert-forensics-tools-release
    cryptcat
    daq
    dc3dd
    ddrescue
    dd_rescue
    ddrescueview
    ddrutility
    dfdatetime
    dff
    dfvfs
    dfwinreg
    disktype
    distorm3
    DropboxReader
    eindeutig
    epub
    exfat-utils
    faad2
    fatback
    fcrackzip
    ffmpeg
    fmem-kernel-modules
    fmem-kernel-modules-common
    frag_find
    fred
    fundl
    galleta
    ghostpdl
    grokevt
    guymager
    hachoir-core
    hachoir-metadata
    hachoir-parser
    hachoir-regex
    hachoir-subfile
    hachoir-urwid
    hachoir-wx
    ip4r
    jafat
    KHracker
    kracked
    lame
    libbde
    libbfio
    libesedb
    libevt
    libevtx
    libewf
    libfixbuf
    libfsntfs
    libfvde
    libfwnt
    libfwsi
    libguytools
    libiconv
    liblnk
    libluksde
    libmad
    libmsiecf
    libolecf
    libp0f
    libpff
    libpst
    libqcow
    libregf
    libscca
    libschemaTools
    libsigscan
    libsmdev
    libsmraw
    libvhdi
    libvmdk
    libvshadow
    libvslvm
    lime-kernel-modules
    lime-kernel-modules-common
    log2timeline
    md5deep
    mdbtools
    missidentify
    mount_ewf
    nDPI
    netsa-python
    netsa-rayon
    partclone
    pasco
    perl-File-Mork
    perl-Mac-PropertyList
    perl-Parse-Evtx
    perl-Parse-Win32Registry
    plaso
    prism
    pstotext
    ptfinder
    ptk
    pyew
    python-apsw
    python-construct
    python-radare
    python-rarfile
    python-registry
    pytsk
    radare
    radare-extras
    rar
    registrydecoder
    reglookup
    regripper
    regripper-plugins
    rifiuti
    rifiuti2
    scrounge-ntfs
    sfdumper
    shellbags
    silk
    silk-ipa
    silk-ipset
    sleuthkit
    snort
    snort-openappid
    snort-sample-rules
    ssdeep
    stegdetect
    super_mediator
    tln_tools
    testdisk
    undbx
    unrar
    untex
    valabind
    videosnarf
    vinetto
    vmfs-tools
    Volatility
    Volatility-community-plugins
    xlsxwriter
    xmount
    xplico
    xvidcore
    yaf
    yara
    yara-python

  • libpff-20160110-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF, the Digital Forensics Framework. See here for the list of changes.
  • libvshadow{,-devel,-python,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
  • dff-1.3.6-20160630.1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. This version is the developer version as of June 30, 2016.

    To support this version, the following were also installed:
    • Fedora 24 (From RPM Fusion)

      • ffmpeg-libs-2.8.7-1.fc24.{i386,x86_64}.rpm
      • ffmpeg-2.8.7-1.fc24.{i386,x86_64}.rpm
      • ffmpeg-devel-2.8.7-1.fc24.{i386,x86_64}.rpm
      • lame-devel-3.99.5-5.fc24.{i386,x86_64}.rpm
      • libavdevice-2.8.7-1.fc24.{i386,x86_64}.rpm
      • x264-devel-0.148-7.20160614gita5e06b9.fc24.{i386,x86_64}.rpm
      • x265-devel-1.9-1.fc24.{i386,x86_64}.rpm
      • x265-libs-1.9-1.fc24.{i386,x86_64}.rpm
      • xvidcore-1.3.4-2.fc24.{i386,x86_64}.rpm
      • xvidcore-devel-1.3.4-2.fc24.{i386,x86_64}.rpm
    • Fedora 23 (From RPM Fusion)

      • libbfio-devel-20160108-1.fc23.{i386,x86_64}.rpm
      • libbfio-20160108-1.fc23.{i386,x86_64}.rpm
      • libavdevice-2.8.7-1.fc23.{i386,x86_64}.rpm
      • ffmpeg-libs-2.8.7-1.fc23.{i386,x86_64}.rpm
      • ffmpeg-devel-2.8.7-1.fc23.{i386,x86_64}.rpm
    • CentOS 7 (From NUX)

      • faac-1.28-6.0.el7.nux.x86_64.rpm
      • fdk-aac-0.1.4-1.x86_64.rpm
      • ffmpeg-devel-2.6.8-3.el7.nux.x86_64.rpm
      • ffmpeg-libs-2.6.8-3.el7.nux.x86_64.rpm
      • libavdevice-2.6.8-3.el7.nux.x86_64.rpm
      • x264-libs-0.142-11.20141221git6a301b6.el7.nux.x86_64.rpm
      • x265-libs-1.9-1.el7.nux.x86_64.rpm
      • xvidcore-1.3.2-5.el7.nux.x86_64.rpm

  • libbde{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
  • libbfio{-devel,-python}-20160108-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access.
  • libevt{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
  • libevtx{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
  • liblnk{,-devel,-python,-tools}-20160420-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format files. See here for the list of changes.
  • libmsiecf{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
  • libfsntfs{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools to access the New Technology File System (NTFS). See here for the list of changes.
  • libolecf{,-devel,-python,-tools}-20160423-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files. See here for the list of changes.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.66-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. See here for the list of changes.
  • libregf{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libregf contains libraries and tools to access the Windows NT Registry File (REGF) format files. See here for the list of changes.
  • libsmraw{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes. See here for the list of changes.
  • libvhdi{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
  • fmem-kernel-modules-1.6-1.8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem. Support for Fedora 24 x86_64 and i686 architectures was added.
  • lime-kernel-modules-1.1.r17-8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME. Support for Fedora 24 x86_64 and i686 architectures was added.
  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.6.3-300 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.6.3-300 for FC24

  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.1.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.5.7-300 for FC24
    • 4.5.5-300 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-1.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.5.7-300 for FC24
    • 4.5.5-300 for FC24

  • fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.5.7-202 for FC23

  • lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.5.7-202 for FC23

  • fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for Fmem:
    • 2.6.32-642.3.1 for EL6

  • lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for LiME:
    • 2.6.32-642.3.1 for EL6

  • fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for Fmem:
    • 2.6.18-411 for EL5

  • lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for LiME:
    • 2.6.18-411 for EL5

  • lime-kernel-modules-common-1.1.r17-2.noarch.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. This package contains only the source code for building the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page. This package also obsoletes the lime-kernel-objects package, which contained the source code and all of the kernel objects. This repackaging increases the number of packages but decreases their size.

    Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7. If you use rsync, make certain that you use the -H option to preserve those hard links.

  • snort-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-openappid-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - This is the snort package built with the following additions:
    • The --enable-open-appid option was added to the configure script that configures the build of snort. See here for more details.
    • The files found here and named snort-openappid.tar.gz are installed in /usr/share/snort/cisco/apps.
    • Here is the OpenAppId Detector Developer Guide .

  • snort-sample-rules-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • dfvfs-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems. See here for the list of changes.

    At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for this version of dfvfs on Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures and on CentOS/RHEL version 7 for the x86_64 architecture.
  • libfwnt{,-devel,-python,-python3}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm and libfwnt{,-devel,-python}-20160418-1.el6.noarch.rpm - LibFWNT is a library for Windows NT data types. See here for the list of changes. This package is needed by dfvfs.
  • dfdatetime-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. This package is needed by dfvfs.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository named forensics-sip that is now part of cert-forensics-tools-release; its definition is in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is disabled by default and can be enabled by running the script /usr/bin/EnableSilkWithIPA as root.
  • distorm3-3.3.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework. The changes are listed here.
  • Volatility-2.5-4.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.5. It also contains the mimikatz plugin. This release was built using the code as of 2016-07-08.
  • Volatility-community-plugins-20160708-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/.
  • exfat-utils-1.2.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. See here for the list of changes since the last released version (1.2.3).
  • nDPI{,-devel}-1.8-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - nDPI is an ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience. Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications by disabling specific features that slow down the DPI engine and are unnecessary for network traffic monitoring.

    nDPI is used by both ntop and nProbe to add application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the assumption that port equals application no longer holds.

    See here for the list of supported protocols.
  • xplico-1.1.1-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. This release was rebuilt to work with nDPI-1.8.
  • python-registry-1.2.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low-level set of parsing objects and methods which may be used for advanced study of the Windows Registry.
  • valabind-0.10.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and valabind-0.10.0-1.el7.x86_64.rpm - Valabind is a tool to parse vala or vapi files and transform them into swig interface files, C++, NodeJS-ffi, or GIR. With swig, you can create language bindings for any API written in vala or C with a vapi interface. It can also generate bindings for C++.
  • radare{,-devel}-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and radare{,-devel}-2.0.10.4-1.el7.x86_64.rpm - Radare is a framework for reverse engineering.
  • python-radare-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and python-radare-2.0.10.4-1.el7.x86_64.rpm - Python-Radare are bindings that allow Radare to be used from Python.
  • radare-extras-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and radare-extras-2.0.10.4-1.el7.x86_64.rpm - Radare-Extras are extra plugins for radare2.
  • disktype-9-19.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA. This version was rebuilt to increment the release number to be higher (19.1) than the current version provided for either Fedora (19) or CentOS/RHEL (12).
  • netsa-rayon-1.4.3-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes. This release was rebuilt to use Sphinx version 1.2.2 to produce the documentation.
  • analysis-pipeline-5.4.1-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the changes since the last version (5.4).