Linux Forensics Tools Repository: Package Summary for Packages on May 26, 2017:

  • fmem-kernel-modules-fc25-{i686,x86_64}-1.6-1.26.noarch.rpm - Support for the following kernels were added for Fmem:
    • 4.10.16-200 for FC25

  • lime-kernel-modules-fc25-{i686,x86_64}-1.1.r17-26.noarch.rpm - Support for the following kernels were added for LiME:
    • 4.10.16-200 for FC25

  • fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.40.noarch.rpm - Support for the following kernels were added for Fmem:
    • 4.10.15-100 for FC24
    • 4.10.16-100 for FC24

  • lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-40.noarch.rpm - Support for the following kernels were added for LiME:
    • 4.10.15-100 for FC24
    • 4.10.16-100 for FC24

  • fmem-kernel-modules-el7-{i686,x86_64}-1.6-1.31.noarch.rpm - Support for the following kernels were added for Fmem:
    • 3.10.0-514.21.1 for EL7

  • lime-kernel-modules-el7-{i686,x86_64}-1.1.r17-31.noarch.rpm - Support for the following kernels were added for LiME:
    • 3.10.0-514.21.1 for EL7

  • jansson{,-devel}-2.9-1.el7.x86_64.rpm and jansson-devel-doc-2.9-1.el7.noarch.rpm - Jansson is a C library for encoding, decoding and manipulating JSON data. It features:
    • Simple and intuitive API and data model
    • Comprehensive documentation
    • No dependencies on other libraries
    • Full Unicode support (UTF-8)
    • Extensive test suite
    This tool was built to be used by yara-python.
  • yara{,-doc,-devel}-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara scans the given FILE or the process indentified by PID looking if it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Note that the -devel and -doc packages split out the files needed for development and documentation respectively.
  • yara-python-3.5.0-7.1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to Yara's powerful features from Python scripts.
  • dislocker{,-libs}-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm and fuse-dislocker-0.7.1-1.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm >/TT>- Dislocker reads BitLocker encrypted partitions under a Linux system. The driver has the capability to read/write on:
    • Windows Vista, 7, 8, 8.1 and 10 encrypted partitions - that's AES-CBC, AES-XTS, 128 or 256 bits, with or without the Elephant diffuser, encrypted partitions;
    • BitLocker-To-Go encrypted partitions - that's USB/FAT32 partitions.
    The core driver is composed of a library, with multiple binaries (see the NOTES section below) using this library. Two binaries are of interest when wanting to decrypt a BitLocker encrypted partition:

    1. dislocker-fuse: binary using FUSE to dynamically decrypt the BitLocker-ed partition. You have to give it a mount point where, once keys are decrypted, a file named dislocker-file appears. This file is a virtual NTFS partition, so you can mount it as any NTFS partition and then read from or write to it. Note that writing to the NTFS virtual file will change the underlying BitLocker partition's content.
    2. dislocker-file: binary decrypting a BitLocker encrypted partition into a flat file. This file has to be given through command line and, once dislocker-file is finished, will be an NTFS partition. It won't have any link to the original BitLocker partition. Therefore, if you write to this file, the BitLocker volume won't change, only the NTFS file will. Note that this may take a long time to create that file, depending on the size of the encrypted partition. But afterward, once the partition is decrypted, the access to the NTFS partition will be faster. Another thing to think about is the size on your disk this binary needs: the same size as the volume you're trying to decrypt. Nevertheless, once the partition is decrypted, you can mount your file as any NTFS partition.

  • CERT-Forensics-Tools-1.0-73.{fc20,fc21,fc22,fc23,fc24,fc25,el6,el7}.{i686,x86_64}.rpm - This package was updated as follows:
    • The dislocker suite was added for all supported systems.