LiFTeR: Changes for May 2, 2021
- libcreg{,-devel,-python2,-python3,-tools}-20210502-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libcreg{,-devel,-python36,-tools}-20210502-1.el7.x86_64.rpm -
Libcreg is a library and tools to access the Windows 9x/Me Registry File (CREG) format.
- libesedb{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libesedb{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libesedb contains a library and tools to access the Extensible Storage Engine (ESE) Database File (EDB) format.
- libevt{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libevt{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libevt contains libraries and tools to access the Windows Event Log (EVT) format files.
- libevtx{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libevtx{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libevtx contains libraries and tools to access the Windows XML Event Log (EVTX) format files.
- libfsapfs{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsapfs{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
libfsapfs is a library to access the Apple File System (APFS).
- libfsext{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsext{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libfsext is a library and tools to access the Extended File System (EXT).
- libfshfs{,-devel,-python3,-tools}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfshfs{,-devel,-python36,-tools}-20210424-1.el7.x86_64.rpm -
Libfshfs is a library and tools to access the Hierarchical File System (HFS).
Note that this project currently only focuses on the analysis of the format.
- libfsntfs{,-devel,-python3}-20210424-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20210424-1.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
- libfvde{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfvde{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.
The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.
- libfwnt{,-devel,-python3,-tools}-20210421-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfwnt{,-devel,-python36,-tools}-20210421-1.el7.x86_64.rpm -
LibFWNT is a library for Windows NT data types.
- libfwsi{,-devel,-python3}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libfwsi{,-devel,-python36}-20210419-1.el7.x86_64.rpm -
Libfwsi is a library to access the Windows Shell Item format.
- liblnk{,-devel,-python3,-tools}-20210417-1.{fc31,fc32,fc33,el8}.x86_64.rpm and liblnk{,-devel,-python36,-tools}-20210417-1.el7.x86_64.rpm -
Liblnk contains libraries and tools to access the Windows Shortcut File (LNK) format files.
- libluksde{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libluksde{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libluksde is a library and tools used to access LUKS Disk Encryption encrypted volumes.
- libmodi{,-devel,-python3,-tools}-20210501-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libmodi{,-devel,-python36,-tools}-20210501-1.el7.x86_64.rpm -
Libmodi is a library and tools to access the Mac OS disk image formats.
- libmsiecf{,-devel,-python3,-tools}-20210420-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libmsiecf{,-devel,-python36,-tools}-20210420-1.el7.x86_64.rpm -
Libmsiecf contains libraries and tools to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
- libolecf{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libolecf{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libolecf contains libraries and tools to access the OLE 2 Compound File (OLECF) format files.
- libqcow{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libqcow{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libqcow is a library and tools used to access the QEMU Copy-On-Write (QCOW) image format.
- libregf{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libregf{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libregf contains libraries and tools to access the Windows NT Registry File (REGF) format.
- libscca{,-devel,-python3,-tools}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libscca{,-devel,-python36,-tools}-20210419-1.el7.x86_64.rpm -
Libscca is a library to access the Windows Prefetch File (SCCA) format.
- libsigscan{,-devel,-python3}-20210419-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsigscan{,-devel,-python36}-20210419-1.el7.x86_64.rpm -
Libsigscan is a library and tools for binary signature scanning.
- libsmdev{,-devel,-python3}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsmdev{,-devel,-python36}-20210418-1.el7.x86_64.rpm -
Libsmdev is a library and tools used to access storage media devices.
- libsmraw{,-devel,-python3,-tools}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libsmraw{,-devel,-python36,-tools}-20210418-1.el7.x86_64.rpm -
Libsmraw is a library and tools used to read and write (split) RAW storage media bitstream copies.
- libvhdi{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvhdi{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format.
- libvmdk{,-devel,-python3,-tools}-20210418-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvmdk{,-devel,-python36,-tools}-20210418-1.el7.x86_64.rpm -
Libvmdk is a library and tools used to access the VMware Virtual Disk (VMDK) image format.
- libvshadow{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvshadow{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to access the Volume Shadow Snapshot (VSS) format.
- libvslvm{,-devel,-python3,-tools}-20210425-1.{fc31,fc32,fc33,el8}.x86_64.rpm and libvslvm{,-devel,-python36,-tools}-20210425-1.el7.x86_64.rpm -
Libvslvm is a library and tools to access the Linux Logical Volume Manager (LVM) volume system format.
- python2-yara-4.1.0-1.{fc31,fc32,fc33,el8}.x86_64.rpm -
Python-yara is a Python extension that gives access to Yara's powerful features from Python scripts.
- zeek{,-core,ctl,-debugsource,-devel,-libcaf-devel}-4.0.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm, and libbroker-devel-4.0.1-1.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
Zeek is a powerful network analysis framework that is quite different from the typical IDS you may know.
While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well. Well grounded in more than 20 years of research, Zeek has successfully bridged the traditional gap between academia and operations since its inception. Today, it is relied upon operationally by both major companies and numerous educational and scientific institutions for securing their cyberinfrastructure.
See here for the changes for all versions of Zeek.
Zeek was originally developed by Vern Paxson. Robin Sommer now leads the project, jointly with a core team of researchers and developers at the International Computer Science Institute in Berkeley, CA; and the National Center for Supercomputing Applications in Urbana-Champaign, IL.
Please note: zeek packages install files in /opt/zeek. To use these files, add the following to your ~/.bashrc file:
[[ -d /opt/zeek/bin && ! "$PATH" =~ /opt/zeek/bin ]] && PATH=$PATH:/opt/zeek/bin
[[ -d /opt/zeek/share/man && ! "$MANPATH" =~ /opt/zeek/share/man ]] && MANPATH=$MANPATH:/opt/zeek/share/man
Then run:
. ~/.bashrc
- xva-img-1.4.2-1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
XVA-IMG is a tool for working with Citrix XEN disk images.
Citrix Xen uses a custom virtual appliance format for import/export called "XVA".
It's basically a strangely crafted tar-file.
You don't need this program to unpack this tar-file, just use your favourite tar unpacker (tar, gtar, bsdtar).
Once unpacked you will end up with a lot of different files: ova.xml (which contains the settings for the virtual appliance, think VMware .vmx) and a number of folders called Ref:/, which are your disks.
Each of these folders contains hundreds of files named 00000000, 00000001, ... with an accompanying .checksum file (SHA1).
Each file is a 1MB slice of the disk, but some files in the sequence will probably be missing. This is because XVA does not use compression; instead it omits slices of the disk that contain only zeros (i.e. are empty).
This tool can assemble the disk for you (you will end up with a RAW disk) that can easily be mounted and modified.
It can then also split the file again and generate the checksums.
Once ready, you will probably want to use the "package" command to rebuild the XVA file.
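The slice layout described above is simple enough to reassemble by hand, which is also the quickest way to sanity-check an image before trusting a tool with it. The following is an added example, not code from xva-img, from Citrix, or from this repository. It assumes the layout exactly as described (1MB slices named 00000000, 00000001, ... each with a SHA1 sidecar named <slice>.checksum, and an absent slice meaning a zero-filled region); it takes the slice count as a parameter instead of reading it from ova.xml; and it builds a small constructed Ref: directory so it runs offline. It adds one check the text does not mention but a forensic examiner wants: a slice whose content does not match its .checksum is rejected rather than silently written into the RAW disk.

```python
"""Reassemble a RAW disk from an unpacked XVA "Ref:N" slice directory.

Added example (not xva-img code). Assumed layout: 1 MiB slices named
00000000, 00000001, ... with a sibling <name>.checksum holding the hex SHA-1
of the slice; a missing index means a 1 MiB run of zeros. The slice count is
passed explicitly here (in a real XVA it comes from ova.xml).
"""
import hashlib
import os
import tempfile

SLICE_SIZE = 1024 * 1024  # each slice is a 1 MiB piece of the disk


def read_slice(ref_dir, index):
    """Return slice `index` verified against its SHA-1 sidecar, or None if absent.

    Raises ValueError if the slice exists but its checksum does not match, so a
    corrupted or tampered slice never ends up in the assembled image.
    """
    path = os.path.join(ref_dir, f"{index:08d}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    with open(path + ".checksum") as fh:
        expected = fh.read().strip().lower()
    actual = hashlib.sha1(data).hexdigest()
    if actual != expected:
        raise ValueError(f"checksum mismatch for {path}: {actual} != {expected}")
    return data


def assemble(ref_dir, out_path, disk_slices):
    """Write a RAW disk of `disk_slices` slices, zero-filling the absent ones.

    Returns the number of slices that were actually present on disk.
    """
    zeros = b"\0" * SLICE_SIZE
    present = 0
    with open(out_path, "wb") as out:
        for index in range(disk_slices):
            data = read_slice(ref_dir, index)
            if data is None:
                out.write(zeros)  # XVA omits all-zero slices instead of compressing
            else:
                out.write(data)
                present += 1
    return present


def write_slice(ref_dir, index, data):
    """Create one slice plus its .checksum sidecar (used to build constructed test input)."""
    path = os.path.join(ref_dir, f"{index:08d}")
    with open(path, "wb") as fh:
        fh.write(data)
    with open(path + ".checksum", "w") as fh:
        fh.write(hashlib.sha1(data).hexdigest())


def demo():
    """Build a constructed 4-slice disk with slice 2 omitted, reassemble it, report results."""
    with tempfile.TemporaryDirectory() as tmp:
        ref_dir = os.path.join(tmp, "Ref:1")
        os.mkdir(ref_dir)
        write_slice(ref_dir, 0, b"\xeb\x3c\x90MSDOS5.0".ljust(SLICE_SIZE, b"\0"))
        write_slice(ref_dir, 1, bytes([0xA5]) * SLICE_SIZE)
        # slice 2 deliberately absent: an all-zero region of the disk
        write_slice(ref_dir, 3, bytes([0x5A]) * SLICE_SIZE)
        out = os.path.join(tmp, "disk.raw")
        present = assemble(ref_dir, out, disk_slices=4)
        with open(out, "rb") as fh:
            raw = fh.read()
        return {
            "present": present,
            "size": len(raw),
            "slice2_is_zero": raw[2 * SLICE_SIZE:3 * SLICE_SIZE] == b"\0" * SLICE_SIZE,
            "slice3_byte": raw[3 * SLICE_SIZE],
        }


def detects_tampering():
    """Flip one byte of a slice after its checksum was written; expect rejection."""
    with tempfile.TemporaryDirectory() as tmp:
        write_slice(tmp, 0, bytes(SLICE_SIZE))
        with open(os.path.join(tmp, "00000000"), "r+b") as fh:
            fh.write(b"\xff")
        try:
            read_slice(tmp, 0)
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), detects_tampering())
```

The resulting disk.raw can be attached with losetup or mounted directly like any other RAW bitstream copy; splitting it back into slices and regenerating the .checksum files is the inverse of assemble() and is what xva-img's own split and package commands do.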
- python3-dfvfs-20210501-1.{fc31,fc32,fc33,el8}.noarch.rpm and python36-dfvfs-20210501-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
- libtommath{,-devel}-1.2.0-1.el8.x86_64.rpm -
LibTOMMath is a free open source portable number theoretic multiple-precision integer library written entirely in C.
The library is designed to provide a simple to work with API that provides fairly efficient routines that build out of the box without configuration.
- rifiuti2-0.7.0-5.1.{fc31,fc32,fc33,el7,el8}.x86_64.rpm -
rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
This package was updated to avoid a conflict with the rifiuti package.
- pfring-7.8.0-3406.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-7.8.0-3406.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
- ndpi-3.4.0-3150.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- fmem-kernel-modules-1.6-1.21.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for Fmem.
Support for the Fedora 34 x86_64 architecture was added.
- lime-kernel-modules-1.1.r17-21.noarch.rpm -
This is a meta-package that requires all of the supporting kernel objects for LiME.
Support for the Fedora 34 x86_64 architecture was added.
- fmem-kernel-modules-fc33-x86_64-1.6-1.22.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.11.16-200 for FC33
- lime-kernel-modules-fc33-x86_64-1.9.1-22.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.11.16-200 for FC33
- fmem-kernel-modules-fc32-x86_64-1.6-1.43.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.11.16-100 for FC32
- lime-kernel-modules-fc32-x86_64-1.9.1-43.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.11.16-100 for FC32
- fmem-kernel-modules-el7-x86_64-1.6-1.76.noarch.rpm -
Due to configuration errors, support for the following kernels was added for Fmem:
- 3.10.0-1160.25.1 for EL7
- lime-kernel-modules-el7-x86_64-1.1.r17-76.noarch.rpm -
Due to configuration errors, support for the following kernels was added for LiME:
- 3.10.0-1160.25.1 for EL7
- Fedora 34 - The repository now supports Fedora 34 for the x86_64 CPU architecture.
Here is the list of tools provided for Fedora 34: