libfsntfs{,‑devel,‑python,‑python3,‑tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm, libfsntfs{,‑devel,‑python,‑python3,‑tools}-20190104-1.el7.x86_64.rpm, and libfsntfs{,‑devel,‑python,‑tools}-20190104-1.el6.{i686,x86_64}.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
libfvde{,‑devel,‑python,‑python3,‑tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,‑devel,‑python,‑python3,‑tools}-20190104-1.el7.x86_64.rpm, and libfvde{,‑devel,‑python,‑tools}-20190104-1.el6.{i686,x86_64}.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
plaso-20181219-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-3.el7.x86_64.rpm - Plaso
is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Here are the recent changes:
Release 2
For Fedora 24 and 25 and CentOS/RHEL 7, this release contains a new program named update-plaso, the purpose of which is to update the packages installed via pip for the Python Virtual Environment built for plaso.
The recommendation is to run update-plaso routinely to keep plaso updated.
No changes were made for the Fedora 26, 27, 28, and 29 revisions of plaso.
Release 3
For CentOS/RHEL 7, the version of Python 2 installed by default is 2.7.5, which is fairly old.
This version causes problems in plaso.
To solve these problems, the version of Python 2 (2.7.13) that is distributed as part of the Red Hat Software Collections Library (SCL) is used for plaso.
This resulted in a re-engineering of the installation and the installed scripts to use the scl program.
This version contains those re-engineered versions.
To use this version of plaso, run the following command:
sudo yum -y install centos-release-scl-rh
No changes were made for the Fedora 24, 25, 26, 27, 28, and 29 revisions of plaso.
Please note that the pip package artifacts, version 20190111, causes plaso to generate errors and exit prematurely.
To solve this problem after installing or updating plaso on Fedora 24 or 25 or CentOS/RHEL 7, do the following:
pfring-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
pfring-dkms-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
ndpi-2.6.0-1459.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI, it includes ntop extensions.