LiFTeR: Changes for October 23, 2015
- fmem-kernel-modules-fc22-{i686,x86_64}-1.6-1.16.noarch.rpm - Support for the following kernels was added for Fmem:
  - 4.2.3-200 for FC22
- lime-kernel-modules-fc22-{i686,x86_64}-1.1.r17-16.noarch.rpm - Support for the following kernels was added for LiME:
  - 4.2.3-200 for FC22
- libfsntfs{,-devel,-python,-tools}-20150906-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains library and tools to access the New Technology File System (NTFS).
See here for the list of changes.
- dfvfs-20151008-1.{fc17,fc18,fc19,fc20,fc21,fc22,el6,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 17, 18, 19, 20, 21, and 22 for i686 and x86_64 architectures and CentOS/RHEL versions 6 and 7 for the x86_64 architecture for this version of dfvfs.
- libbfio{,-devel,-python,-tools}-20150927-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
See here for the list of changes.
- libevtx{,-devel,-python,-tools}-20150928-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20150928-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
- libfixbuf{,-devel}-1.7.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Libfixbuf
is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
- pyfixbuf-0.2.0-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - Pyfixbuf is a Python API for libfixbuf, an implementation
of the IPFIX protocol used for building collecting and exporting processes.
PyFixBuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the content of the message before forwarding to another IPFIX collection point,
or in converting IPFIX to another format (text, database, JSON, etc.).
This release was rebuilt to use libfixbuf-1.7.1.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-2.{fc17,fc18,fc19,fc20,fc21,fc22}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.11.0.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
- analysis-pipeline-4.4.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and analysis-pipeline-4.4.1-3.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
This version was rebuilt to use the latest version of SiLK, specifically 3.11.0.
- silk-ipset-{devel,lib,tools}-3.11.0-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6,el7}.{i686,x86_64}.rpm - The SiLK IPset
distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA).
The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses.
SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite.
Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
See here for the list of changes in this release.
- super_mediator-1.1.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and super_mediator-1.1.1-3.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF
and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or csv files.
Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
This release was rebuilt to use libfixbuf-1.7.1 and silk-ipset-3.11.0.
- yaf{,-devel}-2.7.1-3.{fc17,fc18,fc19,fc20,fc21,fc22,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.7.1-3.el7.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools to do flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
This release was rebuilt to use libfixbuf-1.7.1.
- libfvde{,-devel,-tools}-20151013-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i686,x86_64}.rpm and libfvde{,-devel,-tools}-20151013-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
See here for a list of changes since the last release (20150222).
- Volatility-2.5-1.{fc17,fc18,fc19,fc20,fc21,fc22,el5,el6}.{i386,x86_64}.rpm and Volatility-2.5-1.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility uses the code as available from here as of 2015-10-20 which is identified as Volatility 2.5.
It also contains the mimikatz plugin.