Linux Forensics Tools Repository: Package Summary for Packages on April 7, 2017:

  • sleuthkit{,-devel,-libs}-4.4.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See here for the changes since the last version (4.3.0) released to this repository.
  • pytsk3-20170324-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
  • ddrescue-1.22-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See here for the changes since the last version (1.21) released to this repository.
  • ddrutility-2.8-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to GNU ddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:

    • ddru_findbad
    • ddru_ntfsbitmap
    • ddru_ntfsfindbad
    • ddru_diskutility
    See here for the list of changes in this release.
  • dd_rescue-1.99.5-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however, not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. See here for the changes since the last version (1.99) released to this repository.
  • dc3dd-7.2.646-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics.
  • guymager-0.8.4-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
  • dfvfs-20170324-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.noarch.rpm - dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats. The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
  • libbde{,-devel,-python,-python3,-tools}-20170204-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20170204-1.el6.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the list of changes.
  • libbfio{,-devel}-20170123-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. See here for the list of changes.
  • libesedb{,-devel,-python,-python3,-tools}-20170121-1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm and libesedb{,-devel,-python,-tools}-20170121-1.el6.{i686,x86_64}.rpm - Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format. ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc. See here for the list of changes.
  • libevt{,-devel,-python,-python3,-tools}-20170120-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libevt{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm - Libevt contains libraries and tools to access the Windows Event Log (EVT) format files. See here for the list of changes.
  • libevtx{,-devel,-python,-python3,-tools}-20170122-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20170120-1.el6.{i686,x86_64}.rpm - Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files. See here for the list of changes.
  • libfwsi{,-devel,-python,-python3}-20160110-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libfwsi{,-devel,-python}-20160110-1.el6.{i686,x86_64}.rpm - Libfwsi is a library to access the Windows Shell Item format. See here for the list of changes.
  • libiconv{,-devel,-static,-utils}-1.15-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Libiconv provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode. Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconf. This release makes the library files also available at /usr/libiconf/lib for the x86_64 architecture which makes the package easier to use when building packages that use libiconv.
  • liblnk{,-devel,-python,-python3,-tools}-20170111-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20170111-1.el6.{i686,x86_64}.rpm - Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file. See here for the list of changes.
  • libmsiecf{,-devel,-python,-python3,-tools}-20170116-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20170116-1.el6.{i686,x86_64}.rpm - Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files. See here for the list of changes.
  • libolecf{,-devel,-python,-python3,-tools}-20170129-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20170129-1.el6.{i686,x86_64}.rpm - Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files. See here for the list of changes.
  • libqcow{,-devel,-python,-python3,-tools}-20170222-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libqcow{,-devel,-python,-tools}-20170222-1.el6.{i686,x86_64}.rpm - Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format. See here for the list of changes.
  • libsigscan{,-devel,-python,-python3,-tools}-20170124-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libsigscan{,-devel,-python,-tools}-20170124-1.el6.{i686,x86_64}.rpm - Libsigscan (https://github.com/libyal/libsigscan/wiki) is a library and tools used for binary signature scanning. See here for the list of changes.
  • libsmdev{,-devel,-python,-python3,-tools}-20170225-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libsmdev{,-devel,-python,-tools}-20170225-1.el6.{i686,x86_64}.rpm - Libsmdev is a library and tools used to access storage media devices. See here for the list of changes.
  • libvhdi{,-devel,-python,-python3,-tools}-20170223-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20170223-1.el6.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status. See here for the list of supported disk formats.
  • libvmdk{,-devel,-python,-python3,-tools}-20170226-1.{fc20,fc21,fc22,fc23,fc24,fc25,el7}.{i686,x86_64}.rpm and libvmdk{,-devel,-python,-tools}-20170226-1.el6.{i686,x86_64}.rpm - Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format. See here for the list of changes.
  • nDPI{,-devel}-1.8-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience. Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine and are unnecessary for network traffic monitoring.

    nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.

    See here for the list of supported protocols.

    This version brings the code base used to build this package up to 2017-03-28.
  • partclone-0.2.90-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image", a.k.a. partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. See here for the list of changes in this release.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for a list of changes in this version.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-2.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.15.0-2.{el6,el7}.x86_64.rpm - This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
  • silk-ipset{-devel,-lib,-tools}-3.15.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
  • analysis-pipeline-5.6-2.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See here for the list of changes for this release. This package was rebuilt to use silk 3.15.0.
  • capstone{,-devel,-python,-python3}-3.0.4-4.{fc20,fc21}.{i686,x86_64}.rpm and capstone-java-3.0.4-4.noarch.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
  • capstone{,-devel,-python,-python3}-3.0.4-4.el7.x86_64.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
  • capstone{,-devel,-python}-3.0.4-4.el6.{i386,x86_64}.rpm - Capstone is a lightweight multi-platform, multi-architecture disassembly framework. See here for the list of changes and future features.
  • pyew-2.3.0.0-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Pyew is a (command line) Python tool to analyse malware. It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and lets you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references, and supports the OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
  • radare{,-devel}-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and radare{,-devel}-2.1.3.0-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
  • python-radare-2.1.3.0-1.{fc20,fc21,fc22,fc23,fc24,fc25}.{i686,x86_64}.rpm and python-radare-2.1.3.0-1.el7.x86_64.rpm - Python-Radare are bindings that allow Radare to be used from Python.
  • Volatility-2.6-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version of Volatility is the official version of Volatility 2.6. You can read about this version here. Since the Volatility-community-plugins contain the mimikatz plugin, that plugin is no longer packaged with Volatility.
  • Volatility-community-plugins-20170405-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.noarch.rpm - The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community. Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun. Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation. These plugins are installed in /usr/share/volatility/plugins/community/. Note: The following plugins were removed from the el6 package: PhilipHuppert, ThomasChopitea, TranVienHa, YingLi, DaveLasalle, LoïcJaquemet, and BartoszInglot.
  • python-haystack-0.36-0.noarch.rpm - Python-Haystack is a heap analysis framework, focused on searching for and reversing C structures in allocated memory.
  • python-pycoin-0.77-0.noarch.rpm - Python-Pycoin is an implementation of several utility routines that may be useful when dealing with bitcoin and some alt-coins. It has been tested with Python 2.7, 3.3, 3.4 and 3.5.
  • python-dpapick-0.3-0.noarch.rpm - Python-Dpapick is a Python toolkit that provides a platform-independent implementation of Microsoft's cryptography subsystem called DPAPI (Data Protection API). It can be used either as a library or as a standalone tool. It is also the first open-source tool that allows decryption of DPAPI structures in an offline way and, moreover, from a platform other than Windows. It is provided with some application probes that include the built-in logic to retrieve the corresponding secrets that are protected. For more information go here.
  • python-typing-3.6.1.0-0.noarch.rpm - Python-Typing is a backport of the standard library typing module to Python versions older than 3.6. Typing defines a standard notation for Python function and variable type annotations. The notation can be used for documenting code in a concise, standard format, and it has been designed to also be used by static and runtime type checkers, static analyzers, IDEs and other tools. Note: this package is provided only for Fedora 20, 21, and 22. All other versions of Fedora and CentOS provide this package.
  • python-M2Crypto-0.26.0-0.noarch.rpm - Python-M2Crypto is the most complete Python wrapper for OpenSSL featuring RSA, DSA, DH, EC, HMACs, message digests, symmetric ciphers (including AES); SSL functionality to implement clients and servers; HTTPS extensions to Python’s httplib, urllib, and xmlrpclib; unforgeable HMAC’ing AuthCookies for web session management; FTP/TLS client and server; S/MIME; ZServerSSL: A HTTPS server for Zope and ZSmime: An S/MIME messenger for Zope. M2Crypto can also be used to provide SSL for Twisted. Smartcards are supported through the Engine interface.
  • python-ioc_writer-0.3.3-0.noarch.rpm - Python-IOC_Writer is a Python library that allows for basic creation and editing of OpenIOC objects. It supports a basic CRUD (Create, Read, Update, Delete) for various items.
  • fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.22.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.10.8-200 for FC25

  • lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-22.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.10.8-200 for FC25

  • fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.21.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.10.6-200 for FC25

  • lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-21.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.10.6-200 for FC25

  • fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.10.5-200 for FC25

  • lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.10.5-200 for FC25

  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.10.8-100 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.10.8-100 for FC24

  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.10.6-100 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.10.6-100 for FC24

  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.34.noarch.rpm - Support for the following kernels was added for Fmem:
    • 4.9.17-100 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-34.noarch.rpm - Support for the following kernels was added for LiME:
    • 4.9.17-100 for FC24