ataraw-0.2.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - ATAraw
allows user-level Linux programs to send arbitrary commands to ATA and SATA devices. It currently supports programmed I/O and DMA modes,
but does not support asynchronous or multiple queued commands.
bloom-1.4.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Bloom
is an NPS bloom filter package that includes the frag_find utility.
bulk_extractor-1.0.2-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor
is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file
system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor
also creates histograms of the features it finds, since features that occur more often tend to be more important.
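To show what "extracting features without parsing the file system" and "histograms of features" look like in practice, here is a small added example written for this page; it is not bulk_extractor's own code, and the byte buffer, the two regex scanners and the tab-separated feature-file layout are illustrative choices, not the tool's exact formats.

```python
import re
from collections import Counter

# Constructed sample "disk image" (not a real acquisition): raw bytes with
# artifacts scattered across what would be slack and unallocated space.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"From: alice@example.com\r\nTo: bob@example.org\r\n"
    + b"\xff" * 16
    + b"see http://evil.example.net/drop.exe for the payload "
    + b"\x00" * 8
    + b"contact alice@example.com again\n"
    + b"mirror: https://evil.example.net/drop.exe\n"
)

# Feature scanners as byte regexes. They run over the whole buffer, never over
# individual files, so hits in slack and unallocated space are found too.
SCANNERS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9./_%-]+"),
}

CONTEXT = 8  # bytes of context kept on each side of a hit


def scan_image(data):
    """Return {scanner_name: [(offset, feature, context), ...]} for every hit."""
    features = {name: [] for name in SCANNERS}
    for name, rx in SCANNERS.items():
        for m in rx.finditer(data):
            lo = max(0, m.start() - CONTEXT)
            hi = m.end() + CONTEXT
            context = data[lo:hi].decode("latin-1")
            features[name].append((m.start(), m.group().decode("latin-1"), context))
    return features


def feature_file_lines(hits):
    """Render hits as 'offset<TAB>feature<TAB>context' lines, with non-printable
    context bytes escaped, so the file can be grepped or parsed by other tools."""
    lines = []
    for offset, feature, context in hits:
        escaped = context.encode("unicode_escape").decode("ascii")
        lines.append("%d\t%s\t%s" % (offset, feature, escaped))
    return lines


def histogram(hits):
    """Count occurrences of each distinct feature value, most common first."""
    return Counter(feature for _, feature, _ in hits).most_common()


if __name__ == "__main__":
    found = scan_image(SAMPLE_IMAGE)
    for name, hits in found.items():
        print("== %s.txt ==" % name)
        print("\n".join(feature_file_lines(hits)))
        print("== %s_histogram.txt ==" % name)
        for feature, count in histogram(hits):
            print("%d\t%s" % (count, feature))
```

The point of the histogram is triage: alice@example.com shows up twice in the sample, the other addresses once, and on a real image the most frequent addresses and hosts are usually the ones worth looking at first.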
jafat-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - JAFAT
is an assortment of tools to assist in the forensic investigation of computer systems.
log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline.
This version removes perl-Parse-Evtx since that is now a separate package.
perl-Parse-Evtx-1.0.8-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-Parse-Evtx
is a Windows Event Log Parser library and tools collection.
tln_tools-20110729-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - tln_tools
is a collection of timeline tools.
Volatility-2.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License,
for the extraction of digital artifacts from volatile memory (RAM) samples. This version adds the following plugins from the Malware Analyst's Cookbook:
apihooks - API hooks
callbacks - system-wide notification routines
devicetree - device tree
driverirp - IRP hook detection
gdt - Global Descriptor Table
idt - Interrupt Descriptor Table
impscan - a module for imports (API calls)
ldrmodules - unlinked DLLs
malfind - hidden and injected code
psxview - hidden processes with various process listings
ssdt_ex - Hook Explorer for IDA Pro (and SSDT by thread)
svcscan - for Windows services
threads - _ETHREAD and _KTHREADs
These plugins required the following additional packages:
yara-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara scans the given FILE or
the process identified by PID and reports whether it matches the patterns and rules written in YARA's special-purpose rule language. The rules are read from RULEFILEs or standard input.
yara-python-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara-python is a Python extension that
gives access to YARA's powerful features from Python scripts.
distorm3-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight,
easy-to-use and fast decomposer library. It disassembles instructions in 16-, 32- and 64-bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2,
SSE3, SSSE3, SSE4, 3DNow! (with extensions), the newer x86-64 instruction sets, VMX, AMD's SVM and AVX.
xmount-0.4.5-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount
is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using
FUSE (Filesystem in Userspace)
that contains a virtual representation of the input image. The virtual representation can be in raw DD,
VirtualBox's virtual disk file format or
VMware's VMDK file format. Input images can be raw DD,
EWF (Expert Witness Compression Format) or
AFF (Advanced Forensic Format)
files. In addition, xmount supports virtual write access to the output files, with the writes redirected to a cache file so the acquired image itself is never modified. This makes it possible to boot
acquired hard disk images using QEMU, KVM,
VirtualBox, VMware or similar hypervisors.
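The write-cache behaviour described above is easy to misunderstand, so here is an added example, written for this page and not taken from xmount, of a copy-on-write overlay: reads come from the cache where a block has been written and from the base image otherwise, writes only ever land in the cache, and the base image's hash stays valid. The 16-byte block size, the in-memory cache and the sample image are illustrative choices, not xmount's.

```python
import hashlib

BLOCK = 16  # cache block size; illustrative only, real tools use far larger blocks


class CowImage:
    """A read-only acquired image plus a copy-on-write cache.

    Reads are served from the cache where a block has been written and from the
    base image otherwise; writes only ever land in the cache, so the base bytes
    (and therefore the acquisition hash) never change.
    """

    def __init__(self, base):
        self.base = bytes(base)   # the acquired image, treated as immutable
        self.cache = {}           # block index -> modified copy of that block

    def _block(self, idx):
        if idx in self.cache:
            return self.cache[idx]
        return self.base[idx * BLOCK:(idx + 1) * BLOCK]

    def read(self, offset, length):
        """Read `length` bytes at `offset` from the virtual (cache-overlaid) image."""
        end = min(offset + length, len(self.base))
        out = bytearray()
        pos = offset
        while pos < end:
            idx, inner = divmod(pos, BLOCK)
            chunk = self._block(idx)[inner:]
            take = min(len(chunk), end - pos)
            out += chunk[:take]
            pos += take
        return bytes(out)

    def write(self, offset, data):
        """Write `data` at `offset`; each affected block is copied into the cache first."""
        if offset < 0 or offset + len(data) > len(self.base):
            raise ValueError("write outside the image")
        pos = 0
        while pos < len(data):
            idx, inner = divmod(offset + pos, BLOCK)
            blk = bytearray(self._block(idx))
            n = min(BLOCK - inner, len(data) - pos)
            blk[inner:inner + n] = data[pos:pos + n]
            self.cache[idx] = bytes(blk)
            pos += n
        return len(data)

    def dirty_blocks(self):
        """Block indices held in the cache (what a cache file would contain)."""
        return sorted(self.cache)

    def virtual_image(self):
        """The full image as a hypervisor would see it: base with the cache applied."""
        nblocks = (len(self.base) + BLOCK - 1) // BLOCK
        return b"".join(self._block(i) for i in range(nblocks))

    def base_digest(self):
        """SHA-256 of the untouched base image, to compare against the acquisition hash."""
        return hashlib.sha256(self.base).hexdigest()


if __name__ == "__main__":
    # Constructed 48-byte "image": three blocks of A, B and C.
    img = CowImage(b"A" * 16 + b"B" * 16 + b"C" * 16)
    before = img.base_digest()
    img.write(14, b"xyz")              # a "boot" write straddling blocks 0 and 1
    print("virtual view:", img.read(12, 8))
    print("dirty blocks:", img.dirty_blocks())
    print("base hash unchanged:", img.base_digest() == before)
```

A guest booting from the virtual image sees `AAxyzBBB` at offset 12 while the evidence file still reads `AAAABBBB` there; only the cache (blocks 0 and 1 here) would need to be discarded to return to a pristine state.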
CERT-Forensics-Tools-1.0-31.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm -
This package was updated to add these packages:
ataraw
bloom
bulk_extractor (not for Fedora 12 nor CentOS/RHEL 5)
bulk_extractor-stoplist (not for Fedora 12 nor CentOS/RHEL 5)