LiFTeR: Changes for February 1, 2019
- sleuthkit{,-devel,-libs}-4.6.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and sleuthkit{,-devel,-libs}-4.6.5-1.el7.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
See here for the changes since the last version (4.6.3) released to this repository.
- pytsk3-20190121-2.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pytsk3-20190122-1.el7.x86_64.rpm -
Pytsk is Python bindings for The Sleuth Kit.
Note: the packages installed are named python2-pytsk3 and python3-pytsk3 for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
- python{2,3}-dtfabric-20190120-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-dtfabric-20190120-2.el7.x86_64.rpm -
Dtfabric is a project to manage data types and structures, as used in the libyal projects.
- libfsapfs{,-devel,-python2,-python3,-tools}-20181215-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsapfs{,-devel,-python2,-tools}-20181205-2.el6.{i686,x86_64}.rpm and libfsapfs{,-devel,-python2,-python3,-tools}-20181205-2.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
Note that this project currently only focuses on the analysis of the format.
- libbde{,-devel,-python2,-python3,-tools}-20190102-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190102-2.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python3,-tools}-20190102-2.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
- libesedb{,-devel,-python2,-python3,-tools}-20181229-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libesedb{,-devel,-python2,-tools}-20181229-2.el6.{i686,x86_64}.rpm, and libesedb{,-devel,-python2,-python3,-tools}-20181229-2.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
ESEDB is used in many different applications like Windows Search, Windows Mail, Exchange, Active Directory, etc.
- libevt{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevt{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libevt{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
- libevtx{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libevtx{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libevtx{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
- libfsntfs{,-devel,-python2,-python3,-tools}-20190104-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfsntfs{,-devel,-python2,-tools}-20190104-2.el6.{i686,x86_64}.rpm, and libfsntfs{,-devel,-python2,-python3,-tools}-20190104-2.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
- libfwnt{,-devel,-python2,-python3}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfwnt{,-devel,-python2}-20181227-2.el6.x86_64.rpm, and libfwnt{,-devel,-python2,-python3}-20181227-2.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
- liblnk{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, liblnk{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and liblnk{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format file.
- libmsiecf{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libmsiecf{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libmsiecf{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
- libolecf{,-devel,-python2,-python3,-tools}-20181231-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libolecf{,-devel,-python2,-tools}-20181231-2.el6.{i686,x86_64}.rpm, and libolecf{,-devel,-python2,-python3,-tools}-20181231-2.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
- libqcow{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libqcow{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libqcow{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
- libregf{,-devel,-python2,-python3,-tools}-20181231-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libregf{,-devel,-python2,-tools}-20181231-2.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python3,-tools}-20181231-2.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File files.
- libscca{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libscca{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libscca{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
- libsigscan{,-devel,-python2,-python3,-tools}-20190103-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsigscan{,-devel,-python2,-tools}-20190103-2.el6.{i686,x86_64}.rpm, and libsigscan{,-devel,-python2,-python3,-tools}-20190103-2.el7.x86_64.rpm -
Libsigscan is a library and tools used for binary signature scanning.
- libsmdev{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
- libsmraw{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmraw{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libsmraw{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
- libvhdi{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvhdi{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvhdi{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
- libvshadow{,-devel,-python2,-python3,-tools}-20190127-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190127-2.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190127-2.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
- libvslvm{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvslvm{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvslvm{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
- libvmdk{,-devel,-python2,-python3,-tools}-20181227-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvmdk{,-devel,-python2,-tools}-20181227-2.el6.{i686,x86_64}.rpm, and libvmdk{,-devel,-python2,-python3,-tools}-20181227-2.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
- libfvde{,-devel,-python2,-python3,-tools}-20190104-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libfvde{,-devel,-python2,-tools}-20190104-2.el6.{i686,x86_64}.rpm, and libfvde{,-devel,-python2,-python3,-tools}-20190104-2.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
- python{2,3}-dfdatetime-20190116-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm -
dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.
- python{2,3}-dfwinreg-20190122-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and python2-dfwinreg-20190122-2.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
The goal of dfWinReg is to provide a generic interface for accessing Windows Registry objects that resembles the Registry key hierarchy as seen on a live Windows system.
- libexe{,-devel,-python2,-python3,-tools}-20181128-2.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libexe{,-devel,-python2,-tools}-20181128-2.el6.{i686,x86_64}.rpm, and libexe{,-devel,-python2,-python3,-tools}-20181128-2.el7.x86_64.rpm -
Libexe is a library and tools to access the executable (EXE) format.
- libwrc{,-devel,-python2,-python3,-tools}-20181203-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libwrc{,-devel,-python2,-tools}-20181203-2.el6.{i686,x86_64}.rpm, and libwrc{,-devel,-python2,-python3,-tools}-20181203-2.el7.x86_64.rpm -
Libwrc is a library and tools to access the Windows Resource Compiler (WRC) format.
- libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libewf{,-devel,-python2,-tools}-20160718-20140806.1.el6.{i686,x86_64}.rpm, and libewf{,-devel,-python2,-python3,-tools}-20160718-20140806.1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format.
This package is built from the libewf source code dated 20140806 but to make it the latest version, the version number was changed to the build date (20160718) and the release number changed to include the source code release date (20140806).
- python{2,3}-construct-2.5.2-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm and python2-construct-2.5.2-2.el6.noarch.rpm -
Python-construct is a powerful declarative parser (and builder) for binary data.
Note: the packages installed are named python2-construct and python3-construct for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
- python{2,3}-artifacts-20190113-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm, artifacts-data-20190113-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm,
python2-artifacts-20190113-2.el7.x86_64.rpm, and artifacts-data-20190113-2.el7.x86_64.rpm -
- python{2,3}-bencode-2.0.0-2.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm -
Bencode re-packages the existing bencoding and bdecoding implementation from the ‘official’ BitTorrent client as a separate, light-weight package for re-using them without having the entire BitTorrent software as a dependency.
- python{2,3}-xlsxwriter-1.1.2-2.{fc24,fc25,fc26,fc27,fc28,fc29,el7}.noarch.rpm and python2-xlsxwriter-1.1.2-2.el6.noarch.rpm -
XlsxWriter is a Python module for writing files in the Excel 2007+ XLSX file format.
XlsxWriter can be used to write text, numbers, formulas and hyperlinks to multiple worksheets and it supports features such as formatting and many more.
See here for a list of the changes since the last version (1.0.8).
Note: the packages installed are named python2-xlsxwriter and python3-xlsxwriter for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
- efilter-1.5-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6,el7}.noarch.rpm -
Efilter is a general purpose query language designed to be embedded in Python applications and libraries.
It supports SQL-like syntax to filter your application's data and provides a convenient way to directly search through the objects your application manages.
A second use case for EFILTER is to translate queries from one query language to another, such as from SQL to OpenIOC and so on.
A basic SQL-like syntax and a POC lisp implementation are included with the language, and others are relatively simple to add.
Note: the packages installed are named python2-efilter and python3-efilter for Fedora 24 through 29 but there is no Python 3 version for CentOS/RHEL 6 and 7.
- python{2,3}-dfvfs-20190128-1.{fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm and python2-dfvfs-20190128-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
The goal of dfVFS is to provide a generic interface for accessing file-system objects, for which it uses several back-ends that provide the actual implementation of the various storage media types, volume systems and file systems.
- winreg-kb-20181223-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and winreg-kb-20181223-1.el7.x86_64.rpm -
Winreg-kb is a project to build a Windows Registry Knowledge Base.
winregrc is a Python module part of winreg-kb to allow reuse of Windows Registry Resources.
See these scripts that make use of this package.
Note that winreg-kb is not available for CentOS/RHEL 6 because of the old version of Python 2.
- winevt-kb-20181223-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and winevt-kb-20181223-1.el7.x86_64.rpm -
Winevt-kb is a project to build a Windows Event Log knowledge base.
winevtrc is the Python module part of winevt-kb to allow reuse of Windows Event Log resources.
See this resource for an explanation of the scripts included with this package - export.py, extract.py, query.py - and how to use them.
- pyparsing{,-doc}-2.3.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29,el6}.noarch.rpm, python3-pyparsing-2.3.1-1.{fc23,fc24,fc25,fc26,fc27,fc28,fc29}.noarch.rpm, pyparsing{,-doc}-2.3.1-1.el7.noarch.rpm, python3-pyparsing-2.3.1-1.el7.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, vs. the traditional lex/yacc approach, or the use of regular expressions.
The pyparsing module provides a library of classes that client code uses to construct the grammar directly in Python code.
Pyparsing is provided by RedHat for Fedora 21.
Pyparsing version 2.3.3 is needed by plaso.
- plaso-20181219-5.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and plaso-20181219-5.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for automatic creation of super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This version was changed to use the new package names for the packages noted above.
For Fedora 24 and 25, the recommended way to install this update is the following:
sudo rpm -ev plaso --nodeps; sudo rm -rf /usr/local/lib/PythonVirtualEnvironments/plaso; sudo dnf -y install plaso
and for CentOS/RHEL 7, the following:
sudo rpm -ev plaso --nodeps; sudo rm -rf /usr/local/lib/PythonVirtualEnvironments/plaso; sudo yum -y install plaso
- pfring-7.4.0-2394.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
- pfring-dkms-7.4.0-2394.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
- ndpi-2.6.0-1485.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI it includes ntop extensions.
- fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.10.noarch.rpm - Support for the following kernels was added for Fmem:
- 4.20.5-200 for FC29
- 4.20.4-200 for FC29
- 4.20.3-200 for FC29
- lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-10.noarch.rpm - Support for the following kernels was added for LiME:
- 4.20.5-200 for FC29
- 4.20.4-200 for FC29
- 4.20.3-200 for FC29
- fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.29.noarch.rpm - Support for the following kernels was added for Fmem:
- 4.20.5-100 for FC28
- 4.20.4-100 for FC28
- 4.19.16-200 for FC28
- lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-29.noarch.rpm - Support for the following kernels was added for LiME:
- 4.20.5-100 for FC28
- 4.20.4-100 for FC28
- 4.19.16-200 for FC28