LiFTeR: Changes for July 15, 2016
- Fedora 24 - The repository now supports Fedora 24 for the i686 and x86_64 CPU architectures. Here is the list of tools provided for Fedora 24:
- libpff-20160110-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF, the Digital Forensics Framework. See here for the list of changes.
- libvshadow{,-devel,-python,-tools}-20160110-2.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libvshadow{,-devel,-python,-tools}-20160110-2.el7.x86_64.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. This version uses the external version of libbfio to support DFF, the Digital Forensics Framework.
- dff-1.3.6-20160630.1.{fc20,fc21,fc22,fc23,fc24,el7}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF)
is both a digital investigation tool and a development platform.
The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide.
Written in Python and C++,
it exclusively uses Open Source technologies.
DFF combines an intuitive user interface with a modular and cross-platform architecture.
This version is the developer version as of June 30, 2016.
To support this version, the following were also installed:
- Fedora 24 (From RPM Fusion)
- ffmpeg-libs-2.8.7-1.fc24.{i386,x86_64}.rpm
- ffmpeg-2.8.7-1.fc24.{i386,x86_64}.rpm
- ffmpeg-devel-2.8.7-1.fc24.{i386,x86_64}.rpm
- lame-devel-3.99.5-5.fc24.{i386,x86_64}.rpm
- libavdevice-2.8.7-1.fc24.{i386,x86_64}.rpm
- x264-devel-0.148-7.20160614gita5e06b9.fc24.{i386,x86_64}.rpm
- x265-devel-1.9-1.fc24.{i386,x86_64}.rpm
- x265-libs-1.9-1.fc24.{i386,x86_64}.rpm
- xvidcore-1.3.4-2.fc24.{i386,x86_64}.rpm
- xvidcore-devel-1.3.4-2.fc24.{i386,x86_64}.rpm
- Fedora 23 (From RPM Fusion)
- libbfio-devel-20160108-1.fc23.{i386,x86_64}.rpm
- libbfio-20160108-1.fc23.{i386,x86_64}.rpm
- libavdevice-2.8.7-1.fc23.{i386,x86_64}.rpm
- ffmpeg-libs-2.8.7-1.fc23.{i386,x86_64}.rpm
- ffmpeg-devel-2.8.7-1.fc23.{i386,x86_64}.rpm
- CentOS 7 (From NUX)
- faac-1.28-6.0.el7.nux.x86_64.rpm
- fdk-aac-0.1.4-1.x86_64.rpm
- ffmpeg-devel-2.6.8-3.el7.nux.x86_64.rpm
- ffmpeg-libs-2.6.8-3.el7.nux.x86_64.rpm
- libavdevice-2.6.8-3.el7.nux.x86_64.rpm
- x264-libs-0.142-11.20141221git6a301b6.el7.nux.x86_64.rpm
- x265-libs-1.9-1.el7.nux.x86_64.rpm
- xvidcore-1.3.2-5.el7.nux.x86_64.rpm
- libbde{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libbde{,-devel,-python,-tools}-20160418-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker
Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
See here for the list of changes.
- libbfio{,-devel,-python}-20160108-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Libbfio is a
library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff.
It is used to chain I/O to support file-in-file access.
- libevt{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libevt contains libraries and tools
to access the Windows Event Log (EVT) format files.
See here for the list of changes.
- libevtx{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libevtx{,-devel,-python,-tools}-20160421-1.el7.x86_64.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
See here for the list of changes.
- liblnk{,-devel,-python,-tools}-20160420-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and liblnk{,-devel,-python,-tools}-20160420-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the
Windows Shortcut File (LNK) format file.
See here for the list of changes.
- libmsiecf{,-devel,-python,-tools}-20160421-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libmsiecf{,-devel,-python,-tools}-20160421-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
See here for the list of changes.
- libfsntfs{,-devel,-python,-tools}-20160418-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - Libfsntfs contains a library and tools
to access the New Technology File System (NTFS).
See here for the list of changes.
- libolecf{,-devel,-python,-tools}-20160423-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libolecf{,-devel,-python,-tools}-20160423-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
See here for the list of changes.
- libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.66-1.1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The libpst
utilities convert Outlook .pst files to other formats.
See here for the list of changes.
- libregf{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libregf{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access Windows NT Registry files.
See here for the list of changes.
- libsmraw{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libsmraw{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
Libsmraw supports multiple (split) RAW naming schemes.
See here for the list of changes.
- libvhdi{,-devel,-python,-tools}-20160424-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and libvhdi{,-devel,-python,-tools}-20160424-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status.
See here for the list of supported disk formats.
- fmem-kernel-modules-1.6-1.8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 24 x86_64 and i686 architectures was added.
- lime-kernel-modules-1.1.r17-8.noarch.rpm - This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 24 x86_64 and i686 architectures was added.
- fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.2.noarch.rpm - Support for the following kernels was added for
Fmem:
- 4.6.3-300 for FC24
- lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-2.noarch.rpm - Support for the following kernels was added for
LiME:
- 4.6.3-300 for FC24
- fmem-kernel-modules-fc24-{i686,x86_64}-1.6-1.1.noarch.rpm - Support for the following kernels was added for
Fmem:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
- lime-kernel-modules-fc24-{i686,x86_64}-1.1.r17-1.noarch.rpm - Support for the following kernels was added for
LiME:
- 4.5.7-300 for FC24
- 4.5.5-300 for FC24
- fmem-kernel-modules-fc23-{i686,x86_64}-1.6-1.20.noarch.rpm - Support for the following kernels was added for
Fmem:
- 4.5.7-202 for FC23
- lime-kernel-modules-fc23-{i686,x86_64}-1.1.r17-20.noarch.rpm - Support for the following kernels was added for
LiME:
- 4.5.7-202 for FC23
- fmem-kernel-modules-el6-{i686,x86_64}-1.6-1.24.noarch.rpm - Support for the following kernels was added for
Fmem:
- 2.6.32-642.3.1 for EL6
- lime-kernel-modules-el6-{i686,x86_64}-1.1.r17-24.noarch.rpm - Support for the following kernels was added for
LiME:
- 2.6.32-642.3.1 for EL6
- fmem-kernel-modules-el5-{i686,x86_64}-1.6-1.15.noarch.rpm - Support for the following kernels was added for
Fmem:
- 2.6.18-411 for EL5
- lime-kernel-modules-el5-{i686,x86_64}-1.1.r17-15.noarch.rpm - Support for the following kernels was added for
LiME:
- 2.6.18-411 for EL5
- lime-kernel-modules-common-1.1.r17-2.noarch.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
This package contains only the source code for making the LiME kernel modules, the CaptureMemoryWithLime script and the corresponding manual page.
This package also obsoletes the lime-kernel-objects package, which contained the source code and all of the kernel objects.
This repackaging increases the number of packages but decreases their size.
Note: this RPM is hard-linked between all of the supported architectures, Fedora 20-24 and CentOS 6 and 7. If you use rsync, make certain that you use the -H option to preserve those hard links.
- snort-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and snort-2.9.8.3-1.el7.x86_64.rpm -
Snort is an open
source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
See here for the changes in this version.
- snort-openappid-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and snort-openappid-2.9.8.3-1.el7.x86_64.rpm -
This is the snort package built with the --enable-open-appid option added to the configure script that configures the build of snort.
See here for more details.
See the OpenAppId Detector Developer Guide for more information.
To install snort-openappid on your system, you must first remove snort.
Here is an example:
if rpm -q --quiet snort; then sudo rpm -ev snort --nodeps; fi
sudo dnf install snort-openappid # On CentOS/RHEL, use yum instead of dnf
- snort-sample-rules-2.9.8.3-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - These rules are sample rules only and are intended to allow
snort to start successfully.
These rules only flag HTTP traffic destined for port 80.
Please see the snort rules page to acquire a current set of snort rules.
- dfvfs-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfVFS,
the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several
back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
See here for the list of changes.
At this time, this repository, in combination with all supporting repositories, provides all of the necessary packages for Fedora versions 20, 21, 22, 23, and 24 for the i686 and x86_64 architectures and CentOS/RHEL version 7 for the x86_64 architecture for this version of dfvfs.
- libfwnt{,-devel,-python,-python3}-20160418-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm, libfwnt{,-devel,-python}-20160418-1.el6.{i686,x86_64}.rpm, and libfwnt{,-devel,-python,-python3}-20160418-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
See here for the list of changes.
This package is needed by dfvfs.
- python-dfdatetime-20160706-1.{fc20,fc21,fc22,fc23,fc24,el7}.noarch.rpm - dfDateTime,
or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
This package is needed by dfvfs.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.12.2-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of
cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
- distorm3-3.3.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i386,x86_64}.rpm and distorm3-3.3.4-1.el7.x86_64.rpm -
Distorm3 is a lightweight, easy-to-use and fast decomposer library.
It disassembles instructions in 16, 32 and 64 bit modes.
Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
Distorm3 is used by The Volatility Framework.
The changes are listed here.
- Volatility-2.5-4.{fc20,fc21,fc22,fc23,fc24,el6}.{i386,x86_64}.rpm and Volatility-2.5-4.el7.x86_64.rpm -
The Volatility Framework is a completely
open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.5.
It also contains the mimikatz plugin.
This release was built using the code as of 2016-07-08.
- Volatility-community-plugins-20160708-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.noarch.rpm - The Volatility Community Plugins
are a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/.
- exfat-utils-1.2.4-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - The EXfat-utils are a set of utilities
for creating, checking, dumping and labeling exFAT file systems.
See here for the list of changes since the last released version (1.2.3).
- nDPI{,-devel}-1.8-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of
the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available
only on the paid version of OpenDPI. In addition to Unix platforms, we also support Windows, in order to provide you a cross-platform DPI experience.
Furthermore, we have modified nDPI to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine
and are unnecessary for network traffic monitoring.
nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible to both detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80), and also the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the concept of port=application no longer holds.
See here for the list of supported protocols.
- xplico-1.1.1-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder.
This release was rebuilt to work with nDPI-1.8.
- python-registry-1.2.0-1.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i386,x86_64}.rpm - Python-registry
provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE.
The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced
study of the Windows Registry.
- valabind-0.10.0-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and valabind-0.10.0-1.el7.x86_64.rpm - Valabind is a tool to parse vala
or vapi files to transform them into swig interface files, C++,
NodeJS-ffi, or GIR.
With swig, you can create language bindings for any API written in vala or C with a vapi interface.
It can also generate bindings for C++.
- radare{,-devel}-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and radare{,-devel}-2.0.10.4-1.el7.x86_64.rpm - Radare is a framework for doing reverse engineering.
- python-radare-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and python-radare-2.0.10.4-1.el7.x86_64.rpm - Python-Radare are
bindings that allow Radare to be used from Python.
- radare-extras-2.0.10.4-1.{fc20,fc21,fc22,fc23,fc24}.{i686,x86_64}.rpm and radare-extras-2.0.10.4-1.el7.x86_64.rpm - Radare-Extras are
extra plugins for radare2.
- disktype-9-19.1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and disktype-9-19.1.el7.x86_64.rpm -
Disktype detects the content format of a disk or disk image.
This version is based on the standard version with support for
exfat,
LUKS,
f2fs,
btrfs, and
EXT 2, 3, and 4,
all courtesy of Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
This version was rebuilt to increment the release number to be higher (19.1) than the current version provided for either Fedora (19) or CentOS/RHEL (12).
- netsa-rayon-1.4.3-2.{fc20,fc21,fc22,fc23,fc24,el6,el7}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations.
Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis.
Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo.
It can also be used in wxPython GUI applications.
Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of
Pycairo (for static output) or wxPython (for GUI output).
See here for a list of changes.
This release was rebuilt to use Sphinx version 1.2.2 to produce the documentation.
- analysis-pipeline-5.4.1-1.{fc20,fc21,fc22,fc23,fc24,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.4.1-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the changes since the last version (5.4).