LiFTeR: Changes for October 29, 2021
- Volatility3-2.0.0-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Volatility 3 is a completely open collection of tools,
implemented in Python under the Volatility Software License,
for the extraction of digital artifacts from volatile memory (RAM) samples.
This release is the version of Volatility 3 that can be found here.
- libfsntfs{,-devel,-python3}-20211023-2.{fc32,fc33,fc34,el8}.x86_64.rpm and libfsntfs{,-devel,-python36}-20211023-2.el7.x86_64.rpm -
Libfsntfs contains a library and tools to access the New Technology File System (NTFS).
- python36-pyparsing-3.0.0-2.el7.noarch.rpm, python3-pyparsing-3.0.0-2.el8.noarch.rpm, and pyparsing-doc-3.0.0-2.{el7,el8}.noarch.rpm -
Pyparsing is a module that provides an alternative approach to creating and executing simple grammars, as opposed to the traditional lex/yacc approach or the use of regular expressions.
Note: because of the requirements of Plaso, any version of pyparsing newer than 3.0.0 needs to be removed and 3.0.0 installed, as described below:
For CentOS/RHEL 8, do the following:
sudo rpm -ev python3-pyparsing plaso --nodeps; sudo dnf install plaso -y --refresh
For CentOS/RHEL 7, do the following:
sudo rpm -ev python36-pyparsing plaso --nodeps; sudo yum clean all; sudo yum install plaso -y
We regret this inconvenience.
- yaf{,-devel}-2.12.2-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Yaf (Yet Another Flowmeter) is a suite of tools for flow metering.
Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format.
It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), from an Endace DAG capture device, or from a Napatech adapter; aggregates these packets into flows; and exports flow records via IPFIX over SCTP, TCP, UDP, or Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system.
Note that for CentOS 7 and 8 for the x86_64 architecture, yaf has been built to use PF_Ring.
- plaso-20211024-1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Plaso is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines.
The goal of log2timeline.py (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
Details of this update are available here.
- ghidra-10.0.4-PUBLIC_20210928.1.{fc32,fc33,fc34,el7,el8}.x86_64.rpm -
Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms
including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features.
Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes.
Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
See the list of changes and improvements here.
- pfring-8.0.0-7059.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-8.0.0.7059-7059.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to build the PF_Ring kernel module.
- ndpi-4.0.0-3399.{el7,el8}.x86_64.rpm -
ndpi is an open source LGPLv3 library for deep-packet inspection.
- fmem-kernel-modules-fc34-x86_64-1.6-1.24.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.14.13-200 for FC34
- lime-kernel-modules-fc34-x86_64-1.9.1-24.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.14.13-200 for FC34
- fmem-kernel-modules-fc33-x86_64-1.6-1.44.noarch.rpm -
Support for the following kernels was added for Fmem:
- 5.14.13-100 for FC33
- lime-kernel-modules-fc33-x86_64-1.9.1-44.noarch.rpm -
Support for the following kernels was added for LiME:
- 5.14.13-100 for FC33
- bellsoft-java8-full-1.8.0.312-1+7.x86_64.rpm -
Bellsoft Java was installed for Fedora 32, 33, and 34 and CentOS/RHEL 7 and 8.
Bellsoft Java 8 is the recommended version of Java for Autopsy.
See these instructions for installing Autopsy on Linux, where this recommendation can be found.
- fmem-kernel-modules-el8-x86_64-1.6-1.27.noarch.rpm -
Support for the following kernels was added for Fmem:
- 4.18.0-348 for EL8
- lime-kernel-modules-el8-x86_64-1.9.1-27.noarch.rpm -
Support for the following kernels was added for LiME:
- 4.18.0-348 for EL8