LiFTeR: Changes for March 29, 2019
- libbde{,-devel,-python2,-python3,-tools}-20190317-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libbde{,-devel,-python2,-tools}-20190317-1.el6.{i686,x86_64}.rpm, and libbde{,-devel,-python2,-python3,-tools}-20190317-1.el7.x86_64.rpm -
Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format.
The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.
- libsmdev{,-devel,-python2,-python3,-tools}-20190315-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libsmdev{,-devel,-python2,-tools}-20190315-1.el6.{i686,x86_64}.rpm, and libsmdev{,-devel,-python2,-python3,-tools}-20190315-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
- pytsk3-20190316-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pytsk3-20190316-1.el7.x86_64.rpm -
Pytsk3 provides Python bindings for The Sleuth Kit.
Note: the packages installed are named python2-pytsk3 and python3-pytsk3 for Fedora 24 through 29 and CentOS/RHEL 7 but there is no Python 3 version for CentOS/RHEL 6.
- pfring-7.4.0-2468.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
- pfring-dkms-7.4.0-2468.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-2.8.0-1527.{el6,el7}.x86_64.rpm - nDPI is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI, it includes ntop extensions.
- python{2,3}-artifacts-20190320-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm and artifacts-data-20190320-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i386,x86_64}.rpm -
Artifacts is a free, community-sourced, machine-readable knowledge base of forensic artifacts that the world can use both as an information source and within other tools.
- libvshadow{,-devel,-python2,-python3,-tools}-20190323-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm, libvshadow{,-devel,-python2,-tools}-20190323-1.el6.{i686,x86_64}.rpm, and libvshadow{,-devel,-python2,-python3,-tools}-20190323-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format.
- libfixbuf{,-devel}-2.3.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libfixbuf{,-devel}-2.3.0-1.el7.x86_64.rpm -
Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
See here for the list of changes.
- pyfixbuf-0.7.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and pyfixbuf-0.7.0-1.el7.x86_64.rpm -
Pyfixbuf is a Python API for libfixbuf, an implementation of the IPFIX protocol used for building, collecting, and exporting processes.
Pyfixbuf can be used to write applications, often called mediators, that collect and export IPFIX.
Mediators are useful in modifying, filtering, or adding to the contents of a message before forwarding to another IPFIX collection point, or converting IPFIX to another format (text, database, JSON, etc.).
See this page for a list of problems fixed in this and all releases.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-1.el7.x86_64.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
See here for a list of changes in this version.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-2.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm,
silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.18.1-2.{el6,el7}.x86_64.rpm -
This release of the SiLK tools can be found in an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo.
This repository is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root.
- libschemaTools{,-devel}-1.3-4.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and libschemaTools{,-devel}-1.3-4.el7.x86_64.rpm -
libschemaTools is a library that provides a standard representation of data records.
It is built on fixbuf, using IPFIX information elements.
It describes data using schemas. Schemas are wrapped in "dataInfo" structures that provide ways to get the next record from the data source.
SchemaTools removes the need for the processing application to know the details of how to retrieve data or the structure of the records.
See here for the list of changes for this release.
This package was rebuilt to use libfixbuf 2.3.0.
- analysis-pipeline-5.10-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.10-1.el7.x86_64.rpm -
The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).
See here for the list of changes.
- super_mediator-1.7.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and super_mediator-1.7.0-1.el7.x86_64.rpm -
Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools.
It collects and filters YAF output data to various IPFIX collecting processes and/or CSV files.
- yaf{,-devel}-2.11.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and yaf{,-devel}-2.11.0-1.el7.x86_64.rpm -
YAF (Yet Another Flowmeter) is a suite of tools for flow metering.
YAF is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 6 and 7 for the x86_64 architecture, yaf has been built to use PF_Ring.
- dcp-1.0.6-1.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and dcp-1.0.6-1.el7.x86_64.rpm -
Dcp combines cp, stat, md5sum and shasum to streamline mirroring and gathering information about all the files copied.
All information gathered is written to an output file.
The output file can be fed back into dcp when copying snapshots of a directory, which allows only files that differ in location or hash to be copied.
- femto-1.3.0-1.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and femto-1.3.0-1.el7.x86_64.rpm -
FEMTO is an indexing and search system for queries on sequences of bytes.
FEMTO stands for the FM-index for External Memory with Throughput Optimizations.
This tool supports building large indexes in parallel with MPI and then searching large indexes with a multithreaded server.
- ghidra-9.0-PUBLIC_20190228.{fc24,fc25,fc26,fc27,fc28,fc29}.{i686,x86_64}.rpm and ghidra-9.0-PUBLIC_20190228.el7.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
Please note that you must install the JDK for Ghidra to work. In testing, the Java Development Kit (JDK) version 11.0.2 was used and worked successfully. Ghidra expects a program named java to be available in one of the directories named in the PATH variable.
- CERT-Forensics-Tools-1.0-83.{fc24,fc25,fc26,fc27,fc28,fc29,el6}.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-83.el7.x86_64.rpm -
The changes since the last release (1.0-82) are the following:
  - The dcp package is installed except for CentOS/RHEL 6.
  - The femto package is installed.
  - The ghidra package is installed except for CentOS/RHEL 6.
- examiner-tooldocumentation-1.18-10.el7.noarch.rpm - The following packages were updated in or added to the documentation suite found on the desktop:
  - dcp
  - ghidra
  - femto_index
  - femto_search
  - appcompatcache.py
  - application_identifiers.py
  - mru.py
  - msie_zone_info.py
  - process_tree.py
  - profiles.py
  - programscache.py
  - sam.py
  - services.py
  - shellfolders.py
  - srum_extensions.py
  - sysinfo.py
  - task_cache.py
  - type_libraries.py
  - userassist.py
Run sudo manage-examiner-login -S -v to install these changes in the examiner's desktop.
- fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.17.noarch.rpm - Support for the following kernels was added for Fmem:
  - 5.0.4-200 for FC29
  - 5.0.3-200 for FC29
  - 4.20.16-200 for FC29
  - 4.20.15-200 for FC29
- lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-17.noarch.rpm - Support for the following kernels was added for LiME:
  - 5.0.4-200 for FC29
  - 5.0.3-200 for FC29
  - 4.20.16-200 for FC29
  - 4.20.15-200 for FC29
- fmem-kernel-modules-fc28-{i386,x86_64}-1.6-1.35.noarch.rpm - Support for the following kernels was added for Fmem:
  - 4.20.17-100 for FC28
  - 4.20.16-100 for FC28
  - 4.20.15-100 for FC28
- lime-kernel-modules-fc28-{i386,x86_64}-1.1.r17-35.noarch.rpm - Support for the following kernels was added for LiME:
  - 4.20.17-100 for FC28
  - 4.20.16-100 for FC28
  - 4.20.15-100 for FC28
- fmem-kernel-modules-el7-x86_64-1.6-1.49.noarch.rpm - Support for the following kernel was added for Fmem:
  - 3.10.0-957.10.1 for EL7
- lime-kernel-modules-el7-x86_64-1.1.r17-49.noarch.rpm - Support for the following kernel was added for LiME:
  - 3.10.0-957.10.1 for EL7