LiFTeR: Changes for July 31, 2019
- python{2,3}-dfvfs-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.noarch.rpm and python{2,36}-dfvfs-20190714-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to
file-system objects from various storage media types and file formats.
- libregf{,-devel,-python2,-python3,-tools}-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-tools}-20190714-1.el6.{i686,x86_64}.rpm, and libregf{,-devel,-python2,-python36,-tools}-20190714-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access Windows NT Registry files.
- plaso-20190708-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and plaso-20190708-1.el7.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
This release uses Python 3 instead of Python 2.
Please note that on Fedora 25, all of the ancillary packages needed by plaso are installed with the pip program in a Python virtual environment. Ensure that pip works correctly in your environment by configuring the /etc/pip.conf file according to the configuration guide found here.
For Fedora 25, this package contains a program named update-plaso, the purpose of which is to update the packages that plaso depends upon. Note that this updates the dependent packages but not plaso. The recommendation is to run update-plaso routinely to keep the plaso dependencies updated.
- testdisk-7.1-1.1.el6.{i686,x86_64}.rpm and qphotorec-7.0-4.1.el6.{i386,x86_64}.rpm - Testdisk is powerful free
data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused
by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a
file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo
Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file
system has been severely damaged or reformatted.
These releases were built to use the latest version of libewf that is installed in this repository.
- analysis-pipeline-5.11.2-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and analysis-pipeline-5.11.2-1.el7.x86_64.rpm -
The analysis-pipeline
processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events,
and to feed interesting data to a security information and event manager (SIEM).
- apfs-fuse-20190723-1.{fc27,fc28,fc29,fc30}.{i386,x86_64}.rpm and apfs-fuse-20190723-1.el7.x86_64.rpm -
APFS-Fuse is a read-only FUSE driver for the new Apple File System.
Since Apple has not yet documented the disk format of APFS, this driver should be considered experimental.
It may not be able to read all files, it may return wrong data, or it may simply crash.
Use at your own risk.
But since it's read-only, at least the data on your apfs drive should be safe.
Be aware that not all compression methods are supported yet (only the ones the author has encountered so far). Thus, the driver may return compressed files instead of uncompressed ones, although most of the time it should just report an error.
- cutter-1.8.3-20190701.fc30.{i686,x86_64}.rpm -
Cutter is a Qt and C++
GUI for the radare2 reverse engineering framework.
Its goal is to create an advanced, customizable, and FOSS (free and open-source software) reverse-engineering platform while keeping the user experience in mind.
Cutter is created by reverse engineers for reverse engineers.
This version is built with the source code that is available on 2019-05-14.
Note that this release is only available for Fedora 30 because it relies on Qt version 5.12.
- python{2,3}-dfwinreg-20190714-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and python{2,36}-dfwinreg-20190714-1.el7.x86_64.rpm -
DFWinreg, or Digital Forensics Windows Registry, provides read-only access to Windows Registry objects.
- libguytools-2.1.0-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm and libguytools-2.1.0-1.el7.x86_64.rpm -
Libguytools is a package of subroutines and header files needed to
build and operate guymager.
The changes are:
- Cleaned up for C++14, some minor prototype changes to ensure same bit widths on different architectures
- Some debugging (handling user errors in configuration files)
- Understands # at beginning of line (first non-blank char) for remarks (REM still remains valid)
- guymager-0.8.11-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i686,x86_64}.rpm and guymager-0.8.11-1.el7.x86_64.rpm -
Guymager is a forensic imaging package.
See here for the list of changes.
- libmodi{,-devel,-python2,-python3,-tools}-20190513-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libmodi{,-devel,-python2,-tools}-20190513-1.el6.{i686,x86_64}.rpm, and libmodi{,-devel,-python2,-python36,-tools}-20190513-1.el7.x86_64.rpm -
Libmodi contains a library and tools to access Mac OS disk image formats.
- libphdi{,-devel,-python,-python3,-tools}-20190506-1.{fc25,fc26,fc27,fc28,fc29,fc30}.{i686,x86_64}.rpm, libphdi{,-devel,-python,-tools}-20190506-1.el6.{i686,x86_64}.rpm, and libphdi{,-devel,-python,-python36,-tools}-20190506-1.el7.x86_64.rpm -
Libphdi is a library to access the Parallels Hard Disk image format.
- Volatility-2.6.1-3.{fc25,fc26,fc27,fc28,fc29,fc30,el6}.{i386,x86_64}.rpm and Volatility-2.6.1-3.el7.x86_64.rpm -
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
This version of Volatility is the official version of Volatility 2.6.1 that has been patched to July 29, 2019.
You can read about this version here.
To install this update on Fedora 25 and CentOS/RHEL 6 and 7, you must first do the following:
sudo rpm -ev yara-python --nodeps
- Volatility-community-plugins-20190729-1.{fc25,fc26,fc27,fc28,fc29,fc30,el6,el7}.noarch.rpm -
The Volatility Community Plugins is a collection of Volatility plugins written and maintained by authors in the forensics community.
Many of these are the result of the last 3 years of Volatility plugin contests, but some were just written for fun.
Either way, it's an entire arsenal of plugins that you can easily extend into your existing Volatility installation.
These plugins are installed in /usr/share/volatility/plugins/community/ and to use them you need to specify this location on the command line thusly:
volatility --plugins=/usr/share/volatility/plugins/community ...
Note: The following plugins were removed from all systems: AlexanderTarasenko, ThomasWhite, ProcessFuzzyHash, AFF4, JavierVallejo, PeterCasey, LorenzLiebler, Citronneur, AlizHammon, and TranVienHa, and the following were also removed for el6: BartoszInglot, DaveLasalle, ESET_Browserhooks, FrankBlock, LoicJaquemet, PhilipHuppert, ThomasChopitea, TranVienHa, and YingLi.
- pfring-7.4.0-2604.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.4.
- pfring-dkms-7.4.0-2604.{el6,el7}.x86_64.rpm - PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-2.8.0-1753.{el6,el7}.x86_64.rpm - ndpi is an open source LGPLv3 library for deep-packet inspection.
Based on OpenDPI, it includes ntop extensions.
- fmem-kernel-modules-fc30-{i386,x86_64}-1.6-1.9.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.1.20-300 for FC30
- 5.1.19-300 for FC30
- 5.1.18-300 for FC30
- 5.1.17-300 for FC30
- lime-kernel-modules-fc30-{i386,x86_64}-1.1.r17-9.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.1.20-300 for FC30
- 5.1.19-300 for FC30
- 5.1.18-300 for FC30
- 5.1.17-300 for FC30
- fmem-kernel-modules-fc29-{i386,x86_64}-1.6-1.29.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.1.20-200 for FC29
- 5.1.18-200 for FC29
- lime-kernel-modules-fc29-{i386,x86_64}-1.1.r17-29.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.1.20-200 for FC29
- 5.1.18-200 for FC29