LiFTeR: Changes for December 4, 2020
- libewf-experimental{,-devel,-python3,-tools}-20201129-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libewf-experimental{,-devel,-python36,-tools}-20201129-1.el7.x86_64.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
See this page for the list of supported and unsupported formats.
Libewf-Experimental installs its files under /usr/local so that it can optionally be installed alongside the conventional Libewf packages, whose contents are installed under /usr. The Libewf-Experimental packages are published in the forensics-test repository, which is disabled by default. Enable it with this command on Fedora or CentOS/RHEL 8:
sudo dnf config-manager --set-enabled forensics-test
or this command for CentOS/RHEL 7:
sudo yum-config-manager --enable forensics-test
- musl-{clang,devel,filesystem,gcc,libc,libc-static}-1.2.1-1.{el7,el8}.x86_64.rpm -
MUSL is a fully featured lightweight standard C library for Linux.
This package was built to support AVML.
- avml-0.2.1-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
AVML is an x86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori.
No on-target compilation or fingerprinting is needed.
AVML can produce a memory image suitable for processing with
Volatility 2 or Volatility 3 once the appropriate profiles
have been created.
- CERT-Forensics-Tools-1.0-93.el6.{i686,x86_64}.rpm and CERT-Forensics-Tools-1.0-93.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
This release does the following:
- Added AVML for Fedora 31 and beyond and CentOS/RHEL 7 and beyond.
- python3-dfvfs-20201202-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20201202-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
- sleuthkit{,-devel,-libs}-4.10.1-1.3.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
This release attempts to correct an issue where the Sleuth Kit was built with the incorrect version of the Java Development packages.
Note that release 1.3 copies the /usr/share/java/sleuthkit-4.10.1.jar file to the place Autopsy expects it in LiFTeR, which is /usr/autopsy/autopsy/modules/ext/sleuthkit-4.10.1.jar.
If your version of Autopsy is installed in a different place, you will need to copy /usr/share/java/sleuthkit-4.10.1.jar to that place manually.
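The following is an added example, not part of these release notes or of the sleuthkit or autopsy packages, showing a safe way to do that manual copy for an Autopsy installed somewhere other than /usr/autopsy. The install_tsk_jar function is hypothetical; its default paths are the ones given above for LiFTeR's own packages, and it refuses to run if either the source jar or the Autopsy modules/ext directory is missing, so a mistyped install location cannot scatter jars around the filesystem.

```shell
#!/bin/sh
# Added example, not part of the LiFTeR release notes or the sleuthkit package:
# copy the TSK jar shipped in /usr/share/java into Autopsy's modules/ext
# directory, checking that both sides exist before touching anything.
# install_tsk_jar is a hypothetical helper; the default paths below are the
# ones the release notes give for LiFTeR's own sleuthkit and autopsy packages.

# Usage: install_tsk_jar [SRC_JAR] [AUTOPSY_HOME]
#   SRC_JAR      jar installed by the sleuthkit package
#                (default /usr/share/java/sleuthkit-4.10.1.jar)
#   AUTOPSY_HOME top of the Autopsy install (default /usr/autopsy, the LiFTeR location)
# Prints the destination path on success and returns non-zero on any failure.
install_tsk_jar() {
    src="${1:-/usr/share/java/sleuthkit-4.10.1.jar}"
    ext_dir="${2:-/usr/autopsy}/autopsy/modules/ext"

    if [ ! -f "$src" ]; then
        echo "source jar not found: $src (is the sleuthkit package installed?)" >&2
        return 1
    fi
    if [ ! -d "$ext_dir" ]; then
        echo "Autopsy ext directory not found: $ext_dir (different install location?)" >&2
        return 1
    fi

    name=$(basename "$src")
    # Flag any other sleuthkit-*.jar already present so a stale copy is not
    # left beside the new one unnoticed; the copy of the same name is expected.
    for existing in "$ext_dir"/sleuthkit-*.jar; do
        [ -e "$existing" ] || continue
        if [ "$(basename "$existing")" != "$name" ]; then
            echo "warning: $existing is a different TSK version than $name" >&2
        fi
    done

    cp "$src" "$ext_dir/$name" || return 1
    echo "$ext_dir/$name"
}

# To run on a real system (needs write access to the Autopsy tree), uncomment:
# install_tsk_jar /usr/share/java/sleuthkit-4.10.1.jar /opt/autopsy
```

Pass the actual Autopsy home as the second argument; the function appends autopsy/modules/ext itself, matching the layout of the LiFTeR path above.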
- autopsy-4.17.0-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
- This version uses Java 8 from Bellsoft.
- This version was tested on Fedora 27 through 32 and CentOS 7 and 8 for the x86_64 architecture using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata. Those archives were correctly parsed and the EXIF data verified.
- If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical. Use the following to install xrdp if necessary, adjust the host's firewall to allow RDP connections, set the depth parameter, and start or restart xrdp:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo firewall-cmd --permanent --add-port=3389/tcp; sudo firewall-cmd --reload
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
- libfwsi{,-devel,-python36}-20201204-1.el7.x86_64.rpm and libfwsi{,-devel,-python3}-20201204-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
- libsmdev{,-devel,-python36}-20201204-1.el7.x86_64.rpm and libsmdev{,-devel,-python3}-20201204-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
- pfring-7.8.0-3285.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-7.8.0-3285.{el6,el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-3.4.0-2937.{el6,el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- fmem-kernel-modules-fc33-x86_64-1.6-1.5.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.9.11-200 for FC33
- 5.9.10-200 for FC33
- lime-kernel-modules-fc33-x86_64-1.1.r17-5.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.9.11-200 for FC33
- 5.9.10-200 for FC33
- fmem-kernel-modules-fc32-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.9.11-100 for FC32
- 5.9.10-100 for FC32
- lime-kernel-modules-fc32-x86_64-1.1.r17-27.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.9.11-100 for FC32
- 5.9.10-100 for FC32
- CentOS 6 - Updates to CentOS 6 for both the i686 and x86_64 CPU architectures have ceased.