LiFTeR: Changes for January 11, 2019
- libfsntfs{,-devel,-python,-python3,-tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python,-tools}-20190104-1.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python,-python3,-tools}-20190104-1.el7.x86_64.rpm -
Libfsntfs contains library and tools to access the New Technology File System (NTFS).
- libfvde{,-devel,-python,-python3,-tools}-20190104-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,-devel,-python,-tools}-20190104-1.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python,-python3,-tools}-20190104-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
- plaso-20181219-3.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-3.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Here are the recent changes:
- Release 2
  - For Fedora 24 and 25 and CentOS/RHEL 7, this release contains a new program named update-plaso, whose purpose is to update the packages installed via pip in the Python virtual environment built for plaso. The recommendation is to run update-plaso routinely to keep plaso up to date.
  - No changes were made for the Fedora 26, 27, 28, and 29 revisions of plaso.
- Release 3
  - For CentOS/RHEL 7, the version of Python 2 installed by default is 2.7.5, which is fairly old. This version causes problems in plaso. To solve these problems, the version of Python 2 (2.7.13) that is distributed as part of the Red Hat Software Collections Library (SCL) is used for plaso. This resulted in a re-engineering of the installation and of the installed scripts to use the scl program. This release contains those re-engineered versions. To use this version of plaso, run the following command:
    sudo yum -y install centos-release-scl-rh
  - No changes were made for the Fedora 24, 25, 26, 27, 28, and 29 revisions of plaso.
  - For CentOS/RHEL 7, using the SCL Python 2.7.13 described above, also run the following command, which replaces the artifacts package in the plaso virtual environment with version 20181213:
    sudo scl enable python27 -- /bin/sh -c "source /usr/local/lib/PythonVirtualEnvironments/plaso/bin/activate; pip uninstall artifacts; pip install artifacts==20181213"
- Release 2
- pfring-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
- pfring-dkms-7.4.0-2370.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-2.6.0-1459.{el6,el7}.x86_64.rpm - nDPI is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI, it includes ntop extensions.