LiFTeR: Changes for November 16, 2018
- pfring-7.2.0-2232.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
- pfring-dkms-7.2.0-2232.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- libfsapfs{,-devel,-python,-python3,-tools}-20181110-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python,-tools}-20181110-1.el6.{i686,x86_64}.rpm, and libfsapfs{,-devel,-python,-python3,-tools}-20181110-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
- CERT-Forensics-Tools-1.0-82.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-82.el7.x86_64.rpm -
The changes since the last release (1.0-81) are the following:
- The libapfs-tools package is installed.
- rekall-1.7.2-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el7}.{i686,x86_64}.rpm - Rekall is an advanced forensic and incident response framework.
While it began life purely as a memory forensic framework, it has now evolved into a complete platform.
Rekall implements the most advanced analysis techniques in the field, while still being developed in the open, with a free and open source license. Many of the innovations implemented within Rekall have been published in peer reviewed papers.
Note that this package has been installed in the forensics-test repository for now. To install rekall on your system, you first need to enable this repository by running this command for Fedora:
sudo dnf config-manager --set-enabled forensics-test
or this command for CentOS/RHEL:
sudo yum-config-manager --enable forensics-test
Please report any problems with rekall to
Please note that the installation of all of the ancillary packages needed by rekall uses the pip program in a Python Virtual Environment. Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
- autopsy-4.9.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and autopsy-4.9.1-1.el7.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Note that autopsy has been promoted from the forensics-test repository.
In addition, the Java™ Platform, Standard Edition Development Kit (JDK™) from Oracle also needs to be installed before running autopsy. That package can be found here. Testing has been verified to work with JDK 8, update 191.
- coreutilsshim-1.0-1.fc29.noarch.rpm - CoreutilsShim is a package that resolves dependencies from changes to the coreutils package for Fedora 29.
- sleuthkit{,-devel,-libs}-4.6.4-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.3) released to this repository.
- apfs-fuse-20181116-1.{fc23,fc24,fc25,fc26,fc27,fc28}.{i386,x86_64}.rpm and apfs-fuse-20181116-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your APFS drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far). Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
- fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.3.noarch.rpm - Support for the following kernels was added for Fmem:
- 4.18.18-300 for FC29
- lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-3.noarch.rpm - Support for the following kernels was added for LiME:
- 4.18.18-300 for FC29
- fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.23.noarch.rpm - Support for the following kernels was added for Fmem:
- 4.18.18-200 for FC28
- lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-23.noarch.rpm - Support for the following kernels was added for LiME:
- 4.18.18-200 for FC28
- fmem-kernel-modules-fc27-{i386,x86_64}-1.6-1.42.noarch.rpm - Support for the following kernels was added for Fmem:
- 4.18.18-100 for FC27
- lime-kernel-modules-fc27-{i386,x86_64}-1.1.r17-42.noarch.rpm - Support for the following kernels was added for LiME:
- 4.18.18-100 for FC27