LiFTeR: Changes for April 5, 2019
- pfring-7.4.0-2483.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
- pfring-dkms-7.4.0-2483.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the source code and supporting files needed to build the PF_Ring kernel module through DKMS.
- ndpi-2.8.0-1534.{el6,el7}.x86_64.rpm - nDPI is an open source, LGPLv3-licensed library for deep-packet inspection.
It is based on OpenDPI and includes the ntop extensions.
- python{2,3}-dfwinreg-20190329-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm -
dfWinReg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
- certifi-2019.3.9-1.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm - Certifi is a
carefully curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts.
Note: the packages installed are named python2-certifi and python3-certifi for Fedora 24 through 29 and CentOS/RHEL 7.
- python{2,3}-requests-2.21.0-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm -
python-requests is an Apache2 Licensed HTTP library, written in Python, for human beings.
Python's standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time, and a different web.
It requires an enormous amount of work (even method overrides) to perform the simplest of tasks.
- Volatility-2.6.1-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-2.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official Volatility 2.6.1 release with upstream patches applied through April 3, 2019.
You can read about this version here.
- plaso-20190331-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20190331-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
The changes to this release are noted here.
Please note that for Fedora 24, 25, and 26, and CentOS/RHEL 7, all of the ancillary packages needed by plaso are installed with the pip program in a Python Virtual Environment. Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 24, 25, 26, and CentOS/RHEL 7, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon. Note that this updates the dependent packages but not plaso itself. The recommendation is to run update-plaso routinely to keep the plaso dependencies current.
For Fedora 27, 28, and 29, this version of plaso no longer requires either elasticsearch5 or efilter. They may be safely removed with the following:
sudo dnf remove python{,2}-elasticsearch5 python{,2}-efilter
Note that for Fedora 24, 25, 26 and CentOS/RHEL 7, these packages are removed from the Python Virtual Environment automatically.
- fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.18.noarch.rpm - Support for the following kernels was added for
Fmem:
- 5.0.5-200 for FC29
- lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-18.noarch.rpm - Support for the following kernels was added for
LiME:
- 5.0.5-200 for FC29
- fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.36.noarch.rpm - Support for the following kernels was added for
Fmem:
- 5.0.5-100 for FC28
- lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-36.noarch.rpm - Support for the following kernels was added for
LiME:
- 5.0.5-100 for FC28
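The fmem and LiME module packages above are built against specific kernel releases, so a practitioner acquiring memory wants to confirm the running kernel is one of them before loading a module. The script below is an added example, not part of the LiFTeR changelog or of the fmem or LiME projects: it parses a `uname -r` string, derives the Fedora release, and checks it against the kernel list from this entry. The helper names (kernel_base, kernel_dist, kernel_supported) and the built-in support table are assumptions for illustration; the table covers only the FC28 and FC29 kernels listed above.

```shell
# Added example (not from LiFTeR, fmem or LiME): check whether the running
# kernel matches a kernel build the fmem/lime-kernel-modules packages in
# this changelog entry were built for. Helper names are assumed.

# Strip the distribution tag and architecture from a `uname -r` string,
# e.g. "5.0.5-200.fc29.x86_64" -> "5.0.5-200".
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/\.(fc[0-9]+|el[0-9]+)\..*$//'
}

# Extract the distribution tag, e.g. "5.0.5-200.fc29.x86_64" -> "fc29".
# A string without a recognised tag is printed unchanged.
kernel_dist() {
    printf '%s\n' "$1" | sed -E 's/^.*\.(fc[0-9]+|el[0-9]+)\..*$/\1/'
}

# Return 0 if the kernel release is one the modules were built for,
# 1 otherwise. The support table is taken from this changelog entry.
kernel_supported() {
    kver=$1
    base=$(kernel_base "$kver")
    dist=$(kernel_dist "$kver")
    case "$dist" in
        fc29) supported="5.0.5-200" ;;
        fc28) supported="5.0.5-100" ;;
        *)    return 1 ;;
    esac
    for s in $supported; do
        [ "$s" = "$base" ] && return 0
    done
    return 1
}

# Usage: run the check against the live kernel before insmod/modprobe.
if kernel_supported "$(uname -r)"; then
    echo "kernel $(uname -r): prebuilt fmem/LiME modules available"
else
    echo "kernel $(uname -r): no prebuilt module in this update, build from source" >&2
fi
```

The check is deliberately strict about the distribution tag as well as the version-release pair: a 5.0.5-200 kernel is listed only for FC29, and the FC28 package covers 5.0.5-100, so a kernel such as 5.0.5-100.fc29 is reported as unsupported.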