LiFTeR: Changes for November 19, 2021
- python3-elasticsearch-7.15.2-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and python36-elasticsearch-7.15.2-1.el7.x86_64.rpm -
The elasticsearch Python package is the official low-level client for Elasticsearch.
Its goal is to provide common ground for all Elasticsearch-related code in Python; because of this it tries to be opinion-free and very extensible.
- python3-pytsk3-20211111-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and python36-pytsk3-20211111-1.el7.x86_64.rpm -
Pytsk provides Python bindings for The Sleuth Kit.
- sleuthkit{,-devel,-libs}-4.11.1-1.1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
- autopsy-4.19.2-1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools.
It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer.
You can even use it to recover photos from your camera's memory card.
Notes:
- This version uses Java 8 from Bellsoft.
- This version was tested on Fedora 32 through 35 and CentOS 7 and 8 for the x86_64 architectures using an E01 dataset that contains a 7-Zip file that contains two JPEG images, one of which has EXIF metadata. Those archives were correctly parsed and the EXIF data verified.
- If you wish to run autopsy on a system that you are accessing via Microsoft's Remote Desktop Protocol (RDP), testing has shown that setting the color depth on the backend X server is critical. Use the following to install XRDP if necessary, adjust the host's firewall to allow RDP connections, set the depth parameter, and start or restart XRDP:
[ -f /etc/xrdp/xrdp.ini ] || (sudo $(uname -r | grep -q el7 && echo yum || echo dnf) install xrdp && sudo systemctl enable xrdp)
sudo firewall-cmd --permanent --add-port=3389/tcp; sudo firewall-cmd --reload
sudo sed --in-place 's/#xserverbpp=24/xserverbpp=24/' /etc/xrdp/xrdp.ini
sudo systemctl stop xrdp
sudo systemctl start xrdp
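The sed one-liner above only rewrites the commented-out default "#xserverbpp=24"; if the key is already active with another value, or absent, it silently changes nothing and the RDP session problem persists. The following helper, an added example that is not part of the LiFTeR page or of xrdp itself, handles those cases and reports what it did, and a second function reads back the active value so the setting can be verified before restarting the service. The ini path and depth are parameters (assumptions), so it can be tried on a copy of the file first.

```shell
#!/bin/sh
# Added example, not from the LiFTeR page or from xrdp.
# set_xserverbpp INI [DEPTH]: make "xserverbpp=DEPTH" the active setting in INI.
# Prints "updated" (key was active), "uncommented" (key was commented out),
# or fails with status 1 when the key is not present at all.
set_xserverbpp() {
    ini="$1"
    depth="${2:-24}"                      # xrdp default depth used on the page
    case "$depth" in
        ''|*[!0-9]*) echo "depth must be numeric" >&2; return 2 ;;
    esac
    [ -r "$ini" ] || { echo "cannot read $ini" >&2; return 2; }
    if grep -Eq '^[[:space:]]*xserverbpp=' "$ini"; then
        # key already active: replace its value in place, keep indentation
        sed -i -E "s/^([[:space:]]*)xserverbpp=.*/\1xserverbpp=${depth}/" "$ini"
        echo "updated"
    elif grep -Eq '^[[:space:]]*#[[:space:]]*xserverbpp=' "$ini"; then
        # key commented out (the stock xrdp.ini case): uncomment and set
        sed -i -E "s/^[[:space:]]*#[[:space:]]*xserverbpp=.*/xserverbpp=${depth}/" "$ini"
        echo "uncommented"
    else
        # appending blindly would land the key in whatever section is last,
        # so leave that decision to the administrator
        echo "xserverbpp not found in $ini; add it under the X server session section" >&2
        return 1
    fi
}

# get_xserverbpp INI: print the first active (uncommented) xserverbpp value, or nothing.
get_xserverbpp() {
    sed -nE 's/^[[:space:]]*xserverbpp=([0-9]+).*/\1/p' "$1" | head -n 1
}

# Usage on the real file (assumed path, as on the page):
#   sudo sh -c '. ./xrdp_bpp.sh; set_xserverbpp /etc/xrdp/xrdp.ini 24 && get_xserverbpp /etc/xrdp/xrdp.ini'
```

Run get_xserverbpp after the edit and confirm it prints 24 before restarting xrdp; a non-zero exit from set_xserverbpp means the file layout differs from the one the page's sed expects.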
- mac_apt-1.4.3.dev-1.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Mac_apt is a DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation.
It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
Here is a list of features:
- Cross platform (no dependency on pyobjc)
- Works on E01, VMDK, AFF4, DD, split-DD, DMG (no compression), SPARSEIMAGE & mounted images
- XLSX, CSV, TSV, Sqlite outputs
- Analyzed files/artifacts are exported for later review
- zlib, lzvn, lzfse compressed files are supported!
- Native HFS & APFS parser
- Reads the Spotlight database and Unified Logging (tracev3) files
- Can read Axiom created targeted collection zip files
- ios_apt can read GrayKey extracted file system
- Can read RECON created .sparseimage files
- Support for macOS Big Sur Sealed volumes (11.0)
- Introducing ios_apt for processing iOS/ipadOS images
- FAST mode ⏳
- Encrypted 🔒 APFS images can now be processed using password/recovery-key 🔑
- macOS Catalina (10.15+) separately mounted SYSTEM & DATA volumes now supported
- AFF4 images (including macquisition created) are supported
- python3-dfvfs-20211107-1.{fc32,fc33,fc34,fc35,el8}.noarch.rpm and python36-dfvfs-20211107-1.el7.noarch.rpm -
dfVFS, the Digital Forensics Virtual File System, provides read-only access to file-system objects from various storage media types and file formats.
- python3-dfdatetime-20211113-1.{fc32,fc33,fc34,fc35,el8}.noarch.rpm and python36-dfdatetime-20211113-1.el7.noarch.rpm -
dfDateTime, or Digital Forensics Date and Time, provides date and time objects to preserve accuracy and precision.
- libvshadow{,-devel,-python3,-tools}-20211114-1.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and libvshadow{,-devel,-python36,-tools}-20211114-1.el7.x86_64.rpm -
Libvshadow is a library and tools used to support the Volume Shadow Snapshot (VSS) format.
- python3-redis-4.0.1-1.{fc32,fc33}.noarch.rpm and python36-redis-4.0.1-1.el7.noarch.rpm -
The redis package is a Python interface to the Redis key-value store.
- libvsgpt{,-devel,-python3,-tools}-20211115.{fc32,fc33,fc34,fc35,el8}.x86_64.rpm and libvsgpt{,-devel,-python36,-tools}-20211115.el7.x86_64.rpm -
Libvsgpt is a library and tools used to access the GUID Partition Table (GPT) volume system.
- pfring-8.0.0-7094.{el7,el8}.x86_64.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains header files and libraries, among other files, to support the PF_Ring network socket.
Here is the announcement of PF_Ring 7.8.
- pfring-dkms-8.0.0.7094-7094.{el7,el8}.noarch.rpm -
PF_Ring is a new type of network socket that dramatically improves the packet capture speed.
This package contains the code and supporting files needed to create the PF_Ring kernel module.
- ndpi-4.0.0-3423.{el7,el8}.x86_64.rpm -
nDPI is an open source LGPLv3 library for deep-packet inspection.
- bulk_extractor-1.6.0-4.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This version fixes many issues.
In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
Note 1: This version was built with the expat-devel library to facilitate restarting bulk_extractor.
- bulk_extractor-2.0.0.dev-2.{fc32,fc33,fc34,fc35,el7,el8}.x86_64.rpm -
Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures.
The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools.
Bulk_extractor also creates histograms of features that it finds, as features that are more common tend to be more important.
This is the development version for 2.0.0.
Note 1: These packages have been installed in the forensics-test repository.
Note 2: This version was built with the expat-devel library to facilitate restarting bulk_extractor.
- lime-kernel-modules-fc35-x86_64-1.9.1-3.noarch.rpm -
Support for the following kernels was added for LiME:
  - 5.14.18-300 for FC35
  - 5.14.17-301 for FC35
- fmem-kernel-modules-fc35-x86_64-1.6-1.3.noarch.rpm -
Support for the following kernels was added for Fmem:
  - 5.14.18-300 for FC35
  - 5.14.17-301 for FC35
- fmem-kernel-modules-fc34-x86_64-1.6-1.26.noarch.rpm -
Support for the following kernels was added for Fmem:
  - 5.14.18-200 for FC34
  - 5.14.17-201 for FC34
- lime-kernel-modules-fc34-x86_64-1.9.1-26.noarch.rpm -
Support for the following kernels was added for LiME:
  - 5.14.18-200 for FC34
  - 5.14.17-201 for FC34
- fmem-kernel-modules-fc33-x86_64-1.6-1.46.noarch.rpm -
Support for the following kernels was added for Fmem:
  - 5.14.18-100 for FC33
  - 5.14.17-101 for FC33
- lime-kernel-modules-fc33-x86_64-1.9.1-46.noarch.rpm -
Support for the following kernels was added for LiME:
  - 5.14.18-100 for FC33
  - 5.14.17-101 for FC33
- fmem-kernel-modules-el8-x86_64-1.6-1.29.noarch.rpm -
Support for the following kernel was added for Fmem:
  - 4.18.0-348.2.1 for EL8
- lime-kernel-modules-el8-x86_64-1.9.1-29.noarch.rpm -
Support for the following kernel was added for LiME:
  - 4.18.0-348.2.1 for EL8