Linux Forensics Tools Repository: Announcements


April 7, 2014: The following have been released:
  • CERT-Forensics-Tools-1.0-58.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to add the following:
    • plaso - A timeline tool (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only)
    • libregf-tools - Tools to access Windows NT Registry files
    • libmsiecf-tools - Tools to access Microsoft Internet Explorer (MSIE) Cache File (index.dat) files
    • libevt-tools - Tools to access Windows Event Log (EVT) format files
    • liblnk-tools - Tools to access Windows Shortcut File (LNK) format files
    • libolecf-tools - Tools to access OLE 2 Compound File (OLECF) format files
    • ddrutility (not CentOS/RHEL 5) - Utility for use with gnuddrescue to aid with data recovery
    • fcrackzip - Zip Password Cracker
    • undbx (not CentOS/RHEL 5) - Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files
    • silk-ipa (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only) - Script to enable the IPA-based version of the SiLK tools

    Note: On CentOS/RHEL, installing the CERT-Forensics-Tools meta package or plaso requires postgresql. For Fedora, postgresql is provided in the CERT Linux Forensics Tools repository. However, for CentOS 6.5 on the x86_64 architecture only, the version of postgresql comes from the CentOS Software Collections Repository. This means that you must install the centos-release-SCL package by running yum install centos-release-SCL as root before you apply updates from the repository.

  • hachoir-metadata-1.3.3-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - hachoir-metadata is a tool that extracts metadata from multimedia files: music, picture, video, and archives. The changes were to correct the permissions of the installed files.
  • plaso-1.0.1alpha-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.1alpha-1.el6.x86_64.rpm - Plaso is the Python based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.

    To support plaso, the following tools were also installed:
    • libregf-{,devel,python,tools}-20140118-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libregf contains libraries and tools to access Windows NT Registry File (REGF) format files.
    • libmsiecf-{,devel,python,tools}-20140131-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libmsiecf contains libraries and tools to access Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
    • libevt-{,devel,python,tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libevt contains libraries and tools to access Windows Event Log (EVT) format files.
    • libevtx-{,devel,python,tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libevtx contains libraries and tools to access Windows XML Event Log (EVTX) format files.
    • liblnk-{,devel,python,tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - liblnk contains libraries and tools to access Windows Shortcut File (LNK) format files.
    • libolecf-{,devel,python,tools}-20131108-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libolecf contains libraries and tools to access OLE 2 Compound File (OLECF) format files. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats.
    • protobuf-c{,-devel}-0.15-2.1.el6.x86_64.rpm - The protobuf-c package provides a code generator and runtime libraries to use Protocol Buffers from pure C (not C++). This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
    • protobuf{,-compiler,-devel,-lite,-lite-devel,-lite-static,-python,-static,-vim}-2.4.1-1.el6.x86_64.rpm - Protobuf (Protocol Buffers) is a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats. This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
    • python-ipython{,-console,-doc,-gui,-notebook,-tests}-0.13.2-1.el6.x86_64.rpm - IPython is an enhanced interactive Python shell. This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
  • perl-Parse-Evtx{,-tools}-1.1.1-2.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log parser library and tools collection. Because files in the previous release of perl-Parse-Evtx (1.1.1-1) now conflict with files in libevtx-tools, the tools from perl-Parse-Evtx were moved to perl-Parse-Evtx-tools so that perl-Parse-Evtx, upon which log2timeline depends, could be installed.
  • binplist-0.1.4-0.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in Python.
  • libewf-{,devel,tools}-20140216-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm/libewf-{devel,tools}-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm and ewftools-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm - Libewf supports Expert Witness Compression Format (EWF) formatted files. It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
    • bug fix in recent process status changes
    • integrating latest update for multi threaded ewfacquire changes
    • changed behavior of empty-block check
    • worked on integrating multi threaded ewfacquire changes
    • updated dependencies
    • added libcdatetime
    • removed borlandc files
    • small updates
    • moved low-level function support from compile time to run time
    • worked on sync with experimental version
    • Also added missing fuse-devel build requirement
  • sleuthkit-{,devel,libs}-4.1.3-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. The changes from the previous version - 4.1.3-1 - are the following:
    • Patch to support pytsk.
    • Rebuilt with libewf-20140216
  • pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. See here for a list of changes.
  • partclone-0.2.69-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image", a.k.a. partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility with the file system by using existing libraries, e.g. e2fslibs is used to read and write ext2 partitions. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the correct version of libntfs-3g.so.
  • lime-kernel-objects-1.1.r16-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The changes added support for the following kernels:
    • 3.13.6-200 for FC20
    • 3.13.5-202 for FC20
    • 3.13.5-200 for FC20
    • 3.13.4-200 for FC20
    • 3.13.3-201 for FC20
    • 3.12.10-300 for FC20
    • 3.13.6-100 for FC19
    • 3.13.5-103 for FC19
    • 3.13.5-101 for FC19
    • 3.12.11-201 for FC19
    • 2.6.32-431.5.1 for EL6
  • fmem-kernel-objects-1.6-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the same kernels noted for lime.
  • ddrutility-2.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Ddrutility is meant to be a complement to gnuddrescue. It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
    • ddru_findbad
    • ddru_ntfsbitmap
    • ddru_ntfsfindbad (NEW)
  • fcrackzip-1.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fcrackzip is a zip password cracker, similar to fzc, zipcrack and others. It is intended to be free, fast, portable, and featureful.
  • undbx-0.21-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Undbx extracts, recovers and undeletes e-mail messages from Outlook Express .dbx files.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.

    Note: In this release of SiLK (3.8.1-3), support for the IPA extensions has been removed. It has been replaced by an optional repository, now part of cert-forensics-tools-release, named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is disabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. When that script is run, the following additional packages are installed or updated:

    • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm or silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.el6.x86_64.rpm - The only change to this release is that it was built with the IPA IP address annotation system.
    • postgresql{,-contrib,-devel,-docs,-libs,-plperl,-plpython,-plpython3,-pltcl,-server,-test,-upgrade}-9.3.4-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package.
    • ipa{,-devel,-python}-0.5.2-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ipa{,-devel,-python}-0.5.2-3.{el6}.x86_64.rpm - IPA is an IP address annotation system. IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access. For more information, read the IPA documentation.
    • ip4r-2.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.el6.x86_64.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.4 for Fedora and version 9.2 for CentOS/RHEL using the CentOS Software Collections Repository.

February 12, 2014: The following have been released:
  • lime-kernel-objects-1.1.r16-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android. The tool supports acquiring memory either to the file system of the device or over the network. LiME is unique in that it is the first tool that allows full memory captures from Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.

    In addition, this package includes a script named CaptureMemoryWithLime and a corresponding man page that manages the installation of the appropriate kernel object and dumps memory on the installed machine to the indicated file.

    LiME can be used with Volatility as described here to analyze memory as part of an investigation of digital assets.

    LiME releases will track with fmem-kernel-objects as to the list of supported kernels.
  • fmem-kernel-objects-1.6-1.26.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.12.9-301 for FC20
    • 3.12.8-300 for FC20
    • 3.12.7-300 for FC20
    • 3.12.8-200 for FC19
    • 3.12.7-200 for FC19
    • 2.6.18-371.4.1 for EL5
  • daq-2.0.2-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Here are the changes since the last version:
    • os-daq-modules/daq_ipfw.c: Don't treat being interrupted by a signal as an error.
    • configure.ac, daq.spec, os-daq-modules/daq_afpacket.c: Fix frame length sanity check.
    • README, configure.ac, os-daq-modules/daq_afpacket.c: Fix AFPacket DAQ module to attempt to reconstruct the automatically stripped VLAN header prior to passing it to the reader. Also, use AFPacket TX Ring instead of sendto to improve TX performance. (Requires a newer Linux kernel version, README and configure.ac updated to reflect this.)
  • disktype-9-15.{fc17,fc18,fc19,fc20,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This version is based on the standard version with support for exfat, LUKS, f2fs, btrfs, and EXT 2, 3, and 4, all courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.63-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. Here are the changes from the previous distributed version (0.6.61):
    • Daniel Gryniewicz found buffer overrun in LIST_COPY_TIME
    • Old dependency filter breaks file coloring
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of the changes since the previous version (3.8.0).
  • analysis-pipeline-4.3.2-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). This version was rebuilt to use the latest version of SiLK, specifically 3.8.1-1.
  • silk-ipset-{devel,lib,tools}-3.8.1-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed. See here for the list of changes in this release.
  • sleuthkit-{,devel,libs}-4.1.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.1.2:
    • Fixed bug that could crash UFS/ExtX in inode_lookup
    • More bounds checking in ISO9660 code
    • Image layer bounds checking
    • Update version of SQLITE-JDBC
    • Changed how Java loads native libraries
    • Config file for YAFFS2 spare area
    • New method in image layer to return names
    • Yaffs2 cleanup
    • Escape all strings in SQLite database
    • SQLite code uses NTFS sequence number to match parent IDs
  • snort-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.6.0-1.1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • xmount-0.6.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following:
    • Added support for split DD input files.
    • Patch for newer libewf support (meaning packages newer than 20110903), courtesy Erik Uitto from the Silicon Valley Regional Computer Forensics Laboratory in Menlo Park, CA.

January 24, 2014: The following have been released:
  • dff-1.3.0.20140123-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, 19, and 20 are supported in this release. This release uses ffmpeg version 2.

    This version is the developer version as of January 23, 2014. Note that these packages have been placed in the cert-test repository which must be enabled in the /etc/yum.repos.d/cert-forensics-tools.repo by setting enabled to 1 (true).

January 22, 2014: The following have been released:
  • analysis-pipeline-4.3.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See the release notes for a list of changes.
  • ffmpeg{,-libs,-devel}-2.1.1-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - FFmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec, the leading audio/video codec library. These packages have been made available in support of dff.
  • dff-1.3.0-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, 19, and 20 are supported in this release. This release uses ffmpeg version 2.
  • fmem-kernel-objects-1.6-1.25.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.12.6-300 for FC20
    • 3.12.5-302 for FC20
    • 3.11.10-301 for FC20
    • 3.12.6-200 for FC19
    • 3.12.5-200 for FC19
    • 3.11.10-200 for FC19
    • 3.11.9-200 for FC19
    • 3.11.8-200 for FC19
    • 3.11.7-200 for FC19
    • 3.11.10-100 for FC18
    • 3.11.9-100 for FC18
    • 3.11.7-100 for FC18
    • 3.11.4-101 for FC18
    • 2.6.32-431.3.1 for EL6
    • 2.6.32-431.1.2.0.1 for EL6
    • 2.6.32-431 for EL6
    • 2.6.18-371.3.1 for EL5
  • guymager-0.7.3-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. See here for the list of changes.
  • netsa-rayon-1.4.3-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes.
  • python-rarfile-2.2-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Python-rarfile is a Python module for RAR archive reading.
  • python-registry-1.0.1-1.{fc17,fc18,fc19,fc20}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. Python-registry is written in pure Python, making it portable across all major platforms.
  • pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. See here for a list of changes.
  • yaf{,-devel}-2.4.0-3.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap dumpfiles as generated by tcpdump, from live capture from an interface using pcap, an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. These packages were rebuilt to remove support for p0f.
  • yara{,python}-2.0.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, checking whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input. Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts. Here are the changes since the last version (1.7.2):
    • Faster
    • Better multi-thread support
    • Rules can be saved in binary form
  • Volatility-2.3.1-2.el5.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. This version was rebuilt to use the latest version of yara.
  • xrdp-0.7.0-1.el6.{i386,x86_64}.rpm - XRDP is an open source Remote Desktop Protocol (RDP) server. CentOS/RHEL 6 did not have such a server so this version was added and released through the repository.
  • CERT-Forensics-Tools-1.0-57.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - This package was updated to add the following:
    • analyzeMFT
    • hdparm
    • kracked, for Fedora and CentOS/RHEL 6 only
    • libpff-tools
    • snarf, for Fedora and CentOS/RHEL 6 only
    • super_mediator
    • vmfs-tools

January 6, 2014: The following have been released:

January 8, 2014: The following have been released:
  • cert-forensics-tools-release-{16,17,18,19,5.10,6}-9.noarch.rpm - These packages were added to provide the new CERT Forensics Operations and Investigations Team key. The fingerprint for this key is: 5FA3 2061 C4A0 F073 D6E7 3C1D BFCC 1527 ED92 ABE3.

    You must do the following as root to install this new package before updating existing packages installed from the repository:
    yum update cert-forensics-tools-release
    You can then do the following as root to install any other updates for your system:
    yum update
    In addition, all of the packages in the Fedora 16, 17, 18, 19, and RHEL/CentOS repositories have been resigned with this new key.

December 13, 2013: The following have been released:
  • libewf-{,devel,tools}-20131210-1.{fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm/{ewftools,libewf,libewf-devel}-20131210-1.fc19.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Note that in Fedora 19, the tools package is named ewftools to reflect the package name found in the Fedora 19 release. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130416):
    • updated dependencies
    • worked on Python bindings
    • added libcthreads
    • fix in DFXML output for size values
    • worked on ewfmount
  • libfixbuf{,-devel}-1.4.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of the changes since the previous version (3.7.2).
  • yaf{,-devel}-2.4.0-2.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm/yaf{,-devel}-2.2.1-5.el5.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. Yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. These packages were rebuilt to use libfixbuf version 1.4.0.
  • super_mediator-0.3.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF. This package was rebuilt to use libfixbuf version 1.4.0.
  • python-apsw-3.8.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • pytsk-20131124-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit. See here for a list of changes.
  • yara{,python}-1.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, checking whether it matches the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input. Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts. Here are the changes since the last version (1.7):
    • BUGFIX: Regular expressions marked as both "wide" and "ascii" were treated as just "wide"
    • BUGFIX: Bug in "n of ()" operator
    • BUGFIX: Bug in get_process_memory could cause infinite loop
    • BUGFIX: Fix SIGABORT in ARM
    • BUGFIX: Failing to detect one-byte strings at the end of a file.
    • BUGFIX: Strings being incorrectly printed when marked both as wide and ascii
    • BUGFIX: Stack overflow while following circular symlinks
    • BUGFIX: Expression "/re/ matches var" always matching if "var" was an empty string
    • BUGFIX: Strings marked as "fullword" were incorrectly matching in some cases
  • Volatility-2.3.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.

November 18, 2013: The following have been released:
  • device-mapper-multipath{,-libs,-sysvinit}-0.4.9-*.1.{fc16,fc17,fc18,fc19}.{i386,x86_64}.rpm, kpartx-0.4.9-*.1.{fc16,fc17,fc18,fc19}.{i386,x86_64}, device-mapper-multipath{,-libs}-0.4.9-64.1.el6.{i386,x86_64}.rpm, kpartx-0.4.9-64.1.el6.{i386,x86_64}, device-mapper-multipath-0.4.7-59.1.el5.{i386,x86_64}.rpm, kpartx-0.4.7-59.1.el5.{i386,x86_64} - Device-mapper-multipath provides tools to manage multipath devices by instructing the device-mapper multipath kernel module what to do. Of particular importance is kpartx, which reads partition tables on the specified device and creates device maps over the partition segments detected. Unfortunately, kpartx as distributed fails if the specified device is not writable. This version opens the specified device read-only, which makes it more usable when dealing with read-only evidence. This read-only change is the only change made to the latest distribution for each of Fedora 16-19, and CentOS/RHEL 5 and 6.

November 8, 2013: The following have been released:
  • snort-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.5.5-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • sleuthkit-{,devel,libs}-4.1.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.1.0:
    • Core
      • Fixed more visual studio projects to work on 64-bit
      • Added FILE_SHARE_WRITE to all windows open calls
      • Removed unused methods in CRC code that caused compile errors
      • Added NTFS FNAME times to time2 struct in TSK_FS_META to make them easier to access -- should have done this a long time ago!
      • fls -m and tsk_gettimes output NTFS FNAME times to output for timelines
      • hfind with EnCase hashsets works when DB is specified (and not only index)
      • TskAuto now goes into UNALLOC partitions by default too
      • Added support to automatically find all Cellebrite raw dump files given the name of the first image
      • Added 64-bit windows targets to VisualStudio files
      • Added NTFS sequence to parent address in directory and directory itself
      • Updated SQLite code to use sequence when finding parent object ID
    • Java
      • Added method to Image to perform sanity check on image sizes
      • Java bindings JAR files now have native libraries in them
      • Logical files are added with a transaction
    • fiwalk
      • Fixed compile error on Linux etc
  • analyzeMFT-2.0.11-1.1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - AnalyzeMFT is a tool that fully parses the MFT file from an NTFS filesystem and presents the results as accurately as possible in multiple formats.
  • Volatility-2.3-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See here for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.
  • fmem-kernel-objects-1.6-1.24.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.11.6-201 for FC19
    • 3.11.6-200 for FC19
    • 3.11.4-201 for FC19
    • 3.11.3-201 for FC19
    • 3.11.2-200 for FC19
    • 3.11.1-200 for FC19
    • 3.10.11-200 for FC19
    • 3.10.10-200 for FC19
    • 3.10.9-200 for FC19
    • 3.10.7-200 for FC19
    • 3.10.6-200 for FC19
    • 3.10.5-201 for FC19
    • 3.10.4-300 for FC19
    • 3.11.4-101 for FC18
    • 3.10.14-100 for FC18
    • 3.10.13-101 for FC18
    • 3.10.12-100 for FC18
    • 3.10.11-100 for FC18
    • 3.10.10-100 for FC18
    • 3.10.9-100 for FC18
    • 3.10.7-100 for FC18
    • 3.10.6-100 for FC18
    • 3.10.4-100 for FC18
    • 2.6.32-358.23.2 for EL6
    • 2.6.32-358.18.1 for EL6
    • 2.6.18-348.18.1 for EL5
    • 2.6.18-371.1.2 for EL5

September 17, 2013: The following have been released:
  • postgresql{,-contrib,-devel,-libs,-plperl,-plpython,-server}-9.3.0-1PGDG.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql93-server sub-package.
  • pgadmin3_93-1.18.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - PGadmin III is a powerful administration and development platform for the PostgreSQL database, free for any use. It is designed to answer the needs of all users, from writing simple SQL queries to developing complex databases. The graphical interface supports all PostgreSQL features and makes administration easy.
  • ipa{,-devel,-python}-0.5.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - IPA is an IP address annotation system. IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access. For more information, read the IPA documentation.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version has support for the IPA library.
  • ip4r93-2.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.
  • ghostpdl-9.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico.
  • testdisk-6.14-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). This package also contains photorec, file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This version correctly specifies the version of libntfs-3g.so.
  • partclone-0.2.48-4.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the correct version of libntfs-3g.so.
  • libbde{,-devel,-python,-tools}-20130908-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the support formats, protection methods, and additional features. Here are the changes for this release:
    • updated dependencies
    • added libcthreads build support
    • updated msvscpp files
    • bug fixes
    • code clean up
  • pytsk-20130910-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.

September 2, 2013: The following have been released:
  • dd_rescue-1.40-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however, not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.33):
    • Release 1.40-1 It brings copying of extended attributes (with -p/--preserve). It doubles the default soft block size for buffered IO, but brings sparse write optimization for half-empty blocks. It also optimizes copying by using the first write to get rid of odd file offsets. It also adds a lot more test cases to make check.
    • Release 1.39-1 It fixes an issue where a copied file could be appended zeros if hardblocksize copy was used (e.g. b/c hardbs==softbs, bnc #833765). There's also a bit better ARM asm optimization, yielding a ~15% performance increase. There's also a help/manpage clarification that syncfreq actually is a size. And we use autoconf now to determine the target system features. Default build target now uses libdl.
    • Release 1.38-1 Improving SSE sparse detection performance (by 40%), adding a testcase for the 1.35/1.36 bug and run it in make check. There's even an AVX version, but it's not enabled by default, as it's untested. --force/-f now allows to ignore a non-zero output position on non-seekable output and the curr.rate and ETA calculations have improved a bit.
    • Release 1.37-1 Fixing an issue with SSE2 sparse detection, which could spuriously detect zero-filled blocks and thus result in corrupted copies if option -a was used. (This would happen for blocks that had no bytes with the uppermost bit set, such as e.g. ASCII text.) Embarrassing! Also fixed issues on big-endian machines (although these were inconsequential for dd_rescue).
    • Release 1.36-1 It fixes an overflow issue with the number output for long running dd_rescue processes. SSE2 is now also enabled in x86 (32bit, with runtime detection) and an optimized ARM version (assembler yeah!) to find zero blocks was added.
    • Release 1.35-1 It had some improvements on the output that it prints -- beyond internal improvements it introduces colours to the output unless the terminal type is clearly dumb; there is also an option to control this. Numbers are highlighted for readability. Output is rate limited (10/s). 1.35 also brings a simple rewrite logic for handling write errors. There's an SSE2 optimized version to find zero blocks for sparse writing.
  • python-apsw-3.8.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • pytsk-20130826-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. See here for a list of changes.
  • regripper-28000000-4.{fc16,fc17,fc18,fc19,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package contains version 2.8 of the regripper tool. The plugins are packaged separately. This release contains version 08-26-13 of the auto_rip.pl script. See here for more details about this script.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. Here are the changes from the previous version (3.7.1):
    • PySiLK changes
      • Add IPSet.is_ipv6() and IPSet.convert() methods.
      • Fix a bug when saving an IPv6-IPset that contains only IPv4 addresses.
    • IPset bug fixes
      • Fix bugs when computing the union or intersection of an IPv4-IPset and an IPv6-IPset that contains only IPv4 addresses.
    • rwfilter bug fixes
      • Fix a spurious warning when loading an IPset.
      • Fix a memory issue during shutdown when an argument to one of the --*cidr switches (--scidr, --dcidr, etc) is mistyped.
    • rwflowpack, flowcap bug fixes
      • Fix a bug where the daemon failed to read TCP flags contained in a SubTemplateMultiList when reading IPFIX data over the network.
      • Fix a memory leak when receiving IPFIX data containing a SubTemplateList or a SubTemplateMultiList.
  • silk-ipset-{devel,lib,tools}-3.7.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.

August 26, 2013: The following have been released:
  • libvshadow{,-devel,-tools,-python}-20130723-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • fixes for 32-bit WINAPI build of pyvshadow in file object glue code
    • Changes for stand-alone libbfio build
    • updated msvscpp files
    • remove unnecessary restriction in library include headers
    • updated dependencies
  • daq-2.0.1-1.{fc16,fc17,fc18,fc19,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort. Here are the changes since the last version:
    • daq.h, daq_api.h, daq_base.c, daq_common.h, daq_mod_ops.c, daq_afpacket.c, daq_dump.c, daq_ipfw.c, daq_ipq.c, daq_nfq.c, daq_pcap.c, daq_static_modules.c, daq_static_modules.h, sf_bpf_filter.c, sf_bpf_printer.c, sf_gencode.c, sf_nametoaddr.c, sf_optimize.c, sfbpf-int.c, sfbpf-int.h, sfbpf.h, sfbpf_dlt.h: Update copyright year.
    • daq_dump.c, daq_ipfw.c, daq_ipq.c, daq_nfq.c: Ensure verdict is in range before bumping peg counts. Thanks to John Menerick for reporting the issue.
  • snort-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.5.3-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • dd_rescue-1.34-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue does, however, not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.33):
    • This version provides better support for various *nix systems (specifically a few fixes for FreeBSD) and better compatibility with compilers (clang, g++ and clang++). It can now also load libfallocate at runtime (libdl) and detects a few more fatal write errors as such.
  • ddrescue-1.17-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes from the previous distributed version (1.16):
    • Added new option -l, --logfile-size.
    • Added new option -w, --ignore-write-errors.
    • Option --fill has been renamed to --fill-mode.
    • Option --generate-logfile has been renamed to --generate-mode.
    • Added option --sector-size as a synonym of --block-size.
    • Added option --retries as a synonym of --max-retries.
    • Added option --size as a synonym of --max-size.
    • rescuebook.cc: Trimming is now done from both edges of each non-trimmed block. Largest blocks are trimmed first.
    • rescuebook.cc: Largest blocks are now split first until logfile reaches --logfile-size entries.
    • logbook.cc (extend_sblock_vector, truncate_vector): Terminate if truncation would discard finished blocks.
    • rescuebook.cc: Mark failed blocks with 1 sector as bad-sector.
    • logbook.cc (extend_sblock_vector): Remove last block of logfile if it starts at isize and is not marked as finished.
    • io.cc (show_status,update_rates): Detect a jump back in time and adjust status.
    • ddrescue.h (slow_read): Return false for the first 10 seconds.
    • io.cc (show_status) Leave cursor after message so that ^C does not overwrite it.
    • main.cc: Do not require --force for generate mode.
    • ddrescue.h (Logbook::logfile_exists): Do not return false if logfile exists but is empty.
    • Added new chapter 'Using ddrescue safely' to the manual.
    • Documented that 'direct disc access' only reads whole sectors.
    • configure: Options now accept a separate argument.
    • Makefile.in: Added new target install-bin.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.61-1.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. Here are the changes from the previous distributed version (0.6.61):
    • Move documentation to unversioned directory
  • netsa-rayon-1.4.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.6 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes.
  • snarf{,-devel,-python}-0.2.2-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner. Here are the changes:
    • Initial release to open source community.
    • Additional documentation.
    • Bug fixes.
  • ghostpdl-9.09-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
  • ssdeep-2.10-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.
  • testdisk-6.14-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table). This package also contains photorec, file data recovery software designed to recover lost files including video, documents and archives from hard disks and CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. Here are the changes from the last version (6.13):
    • General Improvements
      • The log file generated by the Windows version (cygwin) reports bad sectors in a more readable fashion, for example: ReadFile Data error (cyclic redundancy check).
      • As openssl isn't used, don't link with this cryptographic library (Debian tries to avoid mixing GPL code and openssl)
    • TestDisk
      • Improvements
        • testdisk /list now displays the disk model, serial number, firmware version and hpa or dco presence if detected
        • Recover WBFS (Wii Backup File System) partition
        • Make FAT RebuildBS work when there is a single FAT table
        • Interface: Display the partition table type if autodetected
        • Interface: modified warning about mismatching geometry between FAT or NTFS boot sector and HD geometry information (Debian #651756)
        • Interface: Remove "Allow partial last cylinder" option
      • Bug fixes
        • Fix crc in EFI backup GPT
        • Rewrote how TestDisk aligns partitions on a cylinder or 1MB boundary. It avoids creating a partition entry where the partition ends after the end of the disk.
    • PhotoRec
      • Improvements
        • Improve Olympus .orf recovery
        • Improve WP Mac/WP5/WP6 Corel Documents .wpd files recovery
        • Fix thumbs.db recovery, avoid some false positive with .doc
        • Interface: if less than 10 file families are enabled, display the results even if zero has been found yet
        • New file formats:
          • .aep After Effects
          • .axx AxCrypt
          • .dp Designer, a Photobook Designer Software
          • .lzh archive
          • .mmap MindManager
          • .plt Gerber Graphix Advantage
          • .prproj Adobe Premiere project
          • .psb Adobe Photoshop Image
          • .pts PTGui, panoramic stitching software
          • .qcp The QCP File Format and Media Types for Speech Data (RFC3625)
          • .shn Shorten audio file
          • .snt Windows Sticky Notes
          • .ttd TinyTag Data
          • .wallet Armory bitcoin wallet
          • .wim Windows imaging (WIM) image
      • Bug fixes
        • Fix an endless loop during .caf file recovery
        • Fix tiff recovery including some raw file formats, 64-bit version wasn't affected

August 1, 2013: The following have been released:
  • CERT-Forensics-Tools-1.0-55.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • For Fedora 19, use ewftools.
    • For all else, use libewf-tools and obsolete ewftools.
  • libbfio{,-devel}-20120425-1.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries such as libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. Here are the changes:
    • add VC_EXTRALEAN to config_msc.h
    • add autoconf/make test suite
    • add callback function to resize memory range if needed?
    • additional checks for system strings
    • allow re-set of pool entries?
    • bug fix for POSIX wide character support in path functions
    • check if libbfio.3 is up to date
    • code clean up
    • fixed memory leak due to recent changes
    • remove deprecated functions in libbfio_legacy.[ch]
    • removed deprecated functions
    • updated .pc and .spec file
    • updated codegear files
    • updated common
    • updated configure.ac
    • updated configure.ac and m4 files
    • updated dependencies
    • updated gettext
    • updated libcstring, libuna
    • updated libuna
    • updated list type, offset list
    • updated msvscpp and borlandc files
    • updated msvscpp files
    • updated spec and pc files
    • what about disk full on write
    • wide to narrow (ASCII with codepage) conversion
    • worked on absolute path support with /../
    • worked on file range back end
    • worked on full file name support for open on demand
    • worked on full path functions
    • worked on libcfile rewrite
    • worked on libcpath rewrite
  • libpff-20120802-2.{fc16,fc17,fc18,fc19,el5,el6}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF - the Digital Forensics Framework. See the libpff website for the list of changes
  • dff-1.3.0-3.{fc17,fc18,fc19}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17, 18, and 19 are supported in this release. Here are the changes (thanks to Danil Bazin for the bug report and suggested fixes):
    • Added a dynamic loader configuration file, activated when dff is installed and deactivated when dff is uninstalled.
    • Added missing PyQt4 dependency.
    • Added missing reglookup dependency.
    • Added the __init__.py file needed for searching.
    • Recompiled with the latest libbfio and libpff libraries.
    • Installed the ffmpeg-devel package from RPMFusion to add video support to dff. This required the installation of these additional packages, all also from RPMFusion:
      • ffmpeg-libs
      • librtmp
      • x264-libs
      • xvidcore
  • fmem-kernel-objects-1.6-1.23.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 2.6.32-358.11.1 for EL6
    • 3.9.8-108 for FC17
    • 3.9.10-100 for FC17
    • 3.9.5-201 for FC18
    • 3.9.6-208 for FC18
    • 3.9.9-201 for FC18
    • 3.9.10-200 for FC18
    • 3.9.11-200 for FC18
    • 3.9.5-301 for FC19
    • 3.9.9-302 for FC19
    • 3.10.3-300 for FC19
  • libbde{,-devel,-python,-tools}-20130729-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume. See here for the support formats, protection methods, and additional features. Here are the changes for this release:
    • updated dependencies
    • pybde fixes for >2G file objects in BFIO glue code
    • worked on git support
    • updated dependencies
    • fixed some typos
    • fix for dealing with padding in FVE metadata block
  • partclone-0.2.48-3.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest libntfs-3g shared library, bringing all of the releases to the same release level.
  • recoll-1.19.4-2.1.{fc16,fc17,fc18,fc19,el6}.{i686,x86_64}.rpm - Recoll is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names. See here for a list of changes in this version. In addition, tar archives have been enabled and the epub, pstotext, and aspell packages have been added as required packages.
  • stegdetect-0.6.0-2.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - stegdetect is an automated tool for detecting steganographic content in images. This package was rebuilt to remove compiler optimization, the inclusion of which caused stegdetect to crash. Thanks to Pete Troxell for the bug reports and suggested fixes.
  • kracked-0.1-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - Kracked is a tool that creates word lists from files, for example memory captures.
  • {vmfs-tools,libvmfs-devel}-0.2.5-1.{fc16,fc17,fc18,fc19,el5,el6}.{i686,x86_64}.rpm - VMfs-tools is a collection of command-line tools for operating on the VMFS file system. Included in this release is limited VMFS version 5 support.

August 6, 2013: The following have been released:
  • Support for Fedora 19 i686 and x86_64 architectures - The repository now supports Fedora 19 for both the i686 and x86_64 CPU architectures.
  • Support for Fedora 15 i686 and x86_64 architectures - Updates to Fedora 15 for both the i686 and x86_64 CPU architectures have ceased.

July 10, 2013: The following have been released:
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.60-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
  • sleuthkit-{,devel,libs}-4.1.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.0.2:
    • Core
      • Added YAFFS2 support (patch from viaForensics).
      • Added Ext4 support (patch from kfairbanks)
      • changed all include paths to be 'tsk' instead of 'tsk3' (IMPORTANT FOR ALL DEVELOPERS!)
    • Framework
      • Added Linux and MAC support.
      • Added L01 support.
      • Added APIs to find files by name, path and extension.
      • Removed deprecated TskFile::getAttributes methods.
      • moved code around for AutoBuild tool support.
    • Java Bindings
      • added DerivedFile datamodel support
      • added a public method to Content to add ability to close() its tsk handle before the object is gc'd
      • added faster skip() and random seek support to ReadContentInputStream
      • refactored datamodel by pushing common methods up to AbstractFile
      • fixed minor memory leaks
      • improved regression testing framework for java bindings datamodel
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See the release notes for a list of changes since the previous version, 2.5.0.
  • analysis-pipeline-4.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM). See the release notes for a list of changes since the previous version, 3.0.0.
  • silk-ipset-{devel,lib,tools}-3.7.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The SiLK IPset distribution is derived from the SiLK tool suite developed by the CERT Network Situational Awareness Team (CERT NetSA). The SiLK IPset distribution contains a library and a set of command line tools to build and manipulate IPset files, which are binary files containing a set of IP addresses. SiLK IPset can be used by those wishing to use IPsets but who do not need the entire SiLK tool suite. Since the SiLK IPset distribution contains a small subset of the tools in the SiLK distribution, there is no need to install SiLK IPset when SiLK is already installed.
  • super_mediator-0.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Super_mediator is an IPFIX mediator for use with the YAF and SiLK tools. It collects and filters YAF output data to various IPFIX collecting processes and/or csv files. Super_mediator can be configured to perform de-duplication of DNS resource records as exported by YAF.
  • netsa-python-1.4.3-1.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Netsa-python is a library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes). Netsa-python is compatible with Python versions 2.4 and greater. See here for a list of the changes since the last release which was version 1.3.
  • netsa-rayon-1.4.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm and netsa-rayon-pipevis-0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Netsa-rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Netsa-rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Netsa-rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Netsa-rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). See here for a list of changes.
  • snarf{,-devel,-python}-0.2.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Snarf is a distributed alert reporting system. Applications can use snarf's C and Python APIs to construct and send network alert messages, which can then be routed to multiple destinations in a configurable manner.
  • prism-1.2-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool. The script can be used directly, or might be used as a component in other more specialized scripts. In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup. This is a new release keeping up with the latest SiLK 3 tools.
  • CERT-Forensics-Tools-1.0-54.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • Added libbde-tools for all supported architectures
    • Added libfvde-tools for all supported architectures
    • Added libvhdi-tools for all supported architectures
    • Obsoletes rayon and replaces it with netsa-python
  • pytsk-2012113-3.{fc15,fc16,fc17,fc18,el5,el6}.{i386,x86_64}.rpm - Pytsk is the Python bindings for The Sleuth Kit. This release has been rebuilt to use version 4.1.0 of The Sleuth Kit.

June 17, 2013: The following have been released:
  • aff{lib,lib-devel,tools}-3.7.1-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. This version now uses the correct version of libewf-devel.
  • testdisk-6.13-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This version now uses the correct version of libewf-devel.
  • libbde{,-devel,-python,-tools}-20130422-1.fc18.{i686,x86_64}.rpm - Libbde is a library and tools to access the BitLocker Drive Encryption (BDE) format. The BDE format is used by Windows, as of Vista, to encrypt data on a storage media volume.

    The supported BDE formats are:
    • BitLocker Windows Vista
    • BitLocker Windows 7
    • BitLocker Windows 8 (Consumer Preview)
    • BitLocker To Go

    The supported protection methods are:
    • clear key
    • password
    • recovery password
    • start-up key
    • FKEV and/or TWEAK key data

    The additional features are:
    • support for partial encrypted volumes
    • zeros out the BDE metadata, matches behavior seen on Windows
  • libfvde{,-devel,-tools}-20130422-1.fc18.{i686,x86_64}.rpm - Libfvde is a library and tools to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes. The FVDE format is used by Mac OS X, as of Lion, to encrypt data on a storage media volume.

    The supported FileVault2 implementations are:
    • Mac OS X Lion
    • Mac OS X Mountain Lion

    The supported encryption volume types are:
    • removable media volume (initial support as of 20121113 version)
    • system volume

    The supported protection methods are:
    • password
    • recovery password
    • VMK key data (as of 20121114 version)

    The development in progress work areas are:
    • extend CoreStorage volume support
    • partial encrypted volumes
  • libvhdi{,-devel,-python,-tools}-20130512-1.fc18.{i686,x86_64}.rpm - Libvhdi is a library and tools to access the Virtual Hard Disk (VHD) image format. Note that this project has an experimental status.

    The supported formats for reading are:
    • VHD version 1

    The supported image types are:
    • Fixed-size hard disk image
    • Dynamic-size (or sparse) hard disk image

    The image types currently not supported are:
    • Differential (or differencing) hard disk image

    The areas for work in progress are:
    • Differential image support
    • Dokan library support

June 6, 2013: The following have been released:
  • python-apsw-3.7.17-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • libewf-{,devel,tools}-20130416-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20130128):
    • added error tolerance for Logicube image with missing checksum in data section
    • bug fix in libcfile.m4 for building on MingW and Cygwin
    • changes and fixes in debug output
    • changes to zlib.m4 for adler32 detection
    • code clean up
    • fix in libsmdev for MinGW build
    • fixed maximum number of segments
    • fixed unknown symbols error related to libbfio
    • moved README.mingw and README.static to wiki
    • sync with experimental version
    • updated codegear files
    • updated dependencies
    • updated msvscpp files
    • updated types.h
    • updates for libsmdev
    • worked on libcdata integration
  • fmem-kernel-objects-1.6-1.22.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.9.4-200 for FC18
    • 3.9.2-200 for FC18
    • 3.8.13-100 for FC17
    • 3.8.12-100 for FC17
    • 2.6.32-358.6.2 for EL6
    • 2.6.18-348.6.1 for EL5

May 23, 2013: The following have been released:
  • libvshadow{,-devel,-tools,-python}-20130509-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • added libcthreads
    • added libvshadow_volume_get_store_identifier function
    • added store read from file IO handle function
    • changes to read block descriptors on demand improves vshadowinfo performance
    • fixed issue in read buffer due to recent changes
    • fixes for multiple open/close on the same volume object
    • slight improvement of error tolerability of catalog parsing
    • vshadowmount small changes
    • worked on multi-threading support
    • worked on multi-threading support
    • worked on multi-threading support
    • worked on tests
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.59-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats.
  • regripper-28000000-3.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package contains version 2.8 of the regripper tool. The plugins are packaged separately. This release contains the auto_rip.pl script. See here for more details about this script.

May 14, 2013: The following have been released:
  • ADIA-FC17-{i686,x86-64}-{VMware,VirtualBox}.iso - These items are VMware and VirtualBox-based forensic appliances built with Fedora 17 for the i686 and x86_64 architectures. Please note that they are not live CDs. See here for more details.

May 7, 2013: The following have been released:
  • partclone-0.2.48-3.el6.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a. partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release (3) was built to use the latest libntfs-3g shared library which comes from the fuse-ntfs-3g package. It has only been rebuilt for RHEL/CentOS 6 to fix a conflict with this shared library.
  • prism-1.2-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool. The script can be used directly, or might be used as a component in other more specialized scripts. In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup. The changes in this version are the following:
    • Added new wsgi web UI.
    • Filter DeprecationWarnings to prevent user confusion.
    • Correct runtime dependencies.
  • rayon-1.3.3-2.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output). This version has been rebuilt to more precisely define the build and operational dependencies.
  • libvshadow{,-devel,-tools,-python}-20130501-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • added initial version of qcowmount with Dokan library support
  • yaf{,-devel}-2.4.0-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS. Here are the changes since the last version:
    • New HTTP DPI Fields
    • Updated DPI Elements
    • Bug Fix to not replace yaf.conf on install
    • New application label: VMware server console
    • Added support to decode ERSPAN headers
    • Drop statistics are updated when statistics messages are exported
    • yafcollect bug fix
    • Other Bug Fixes
  • fmem-kernel-objects-1.6-1.21.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.8.11-200 for FC18
    • 3.8.11-100 for FC17

April 30, 2013: The following have been released:
  • regripper-28000000-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package contains version 2.8 of the regripper tool. The plugins are packaged separately. See the Update History for a list of the changes made since the last release (20130404).
  • regripper-plugins-20130429-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. See the Update History for the list of changes made in this release.
  • fmem-kernel-objects-1.6-1.20.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.8.9-200 for FC18
    • 3.8.8-203 for FC18
    • 3.8.8-202 for FC18
    • 3.8.8-100 for FC17
    • 2.6.32-358.6.1 for EL6
    • 2.6.18-348.4.1 for EL5

April 26, 2013: The following have been released:
  • scalpel-2.0-2.el5.{i686,x86_64}.rpm - This package was updated to reflect the new version of the regular expression matching library tre. Note that this change is only for RHEL/CentOS 5.
  • snort-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.4.6-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • libvshadow{,-devel,-tools,-python}-20130417-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • added tests directory
    • bug fix in dependencies
    • code clean up
    • pyvshadow updates
    • updated README files
    • updated dependencies
    • updates and bug fixes in pyvshadow
    • vshadowtools now detect if there is a VSS signature first and bail out with a different error if not

April 22, 2013: The following have been released:
  • snort-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.4.5-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • regripper-plugins-20130404-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The plugins added are the following:
    • NOTE: these are the packager's comments on what is new in this release, not the author's.
    • NEW PLUGIN attachmgr.pl The Windows Attachment Manager manages how attachments are handled, and settings are on a per-user basis. Malware has been shown to access these settings and make modifications.
    • NEW PLUGIN javasoft.pl Gets contents of JavaSoft/UseJava2IExplorer value
    • NEW PLUGIN lsa_packages.pl Lists various *Packages key contents beneath LSA key
    • NEW PLUGIN olsearch.pl Gets contents of user's OutLook Searches
    • NEW PLUGIN outlook2.pl Gets MAPI (Outlook) settings *BETA*
    • NEW PLUGIN photos.pl Read data on images opened via Win8 Photos app
    • NEW PLUGIN scanwithav.pl Checks ScanWithAV value in Software hive, per KB 883260
    • NEW PLUGIN uac.pl Get User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    • UPDATE appinitdlls.pl updated to address 64-bit systems
    • UPDATE ares.pl updated based on data provided by J. Weg
    • UPDATE ie_settings.pl added "AutoConfigURL" value info
    • UPDATE inprocserver.pl fixed retrieving LW time from correct key
    • UPDATE landesk.pl added Wow6432Node path
    • UPDATE sevenzip.pl minor updates added
    • UPDATE soft_run.pl updated to include Policies keys; added additional keys
    • UPDATE ssh_host_keys.pl Added rptMsg for key not found errors by Corey Harrell
    • UPDATE termserv.pl updated with autostart locations
    • UPDATE user_run.pl added additional keys; updated to include Policies keys; updated to include additional keys; updated to include 64-bit, additional keys/values
    • UPDATE winlogon_u updated with ThreatExpert info
    • UPDATE winscp_sessions.pl Added rptMsg for key not found errors by Corey Harrell
    • NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
  • bloom-1.4.6-2.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Bloom is an NPS bloom filter package that includes the frag_find utility. This version removes the frag_find tool which is now packaged separately.
  • frag_find-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Frag_find is a program for finding blocks of one or more MASTER files in a disk IMAGE file. This is useful in cases where a MASTER file has been stolen and you wish to establish that the file has been present on a subject's drive. If most of the MASTER file's sectors are found on the IMAGE drive---and if the sectors are in consecutive sector runs---then the chances are excellent that the file was once there.
  • CERT-Forensics-Tools-1.0-53.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • add frag_find for all supported architectures
  • disktype-9-9.3.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This release corrects a package building error dealing with release numbering.
  • fmem-kernel-objects-1.6-1.19.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following kernels:
    • 3.8.7-201 for FC18
    • 3.8.6-203 for FC18
    • RHEL/CentOS 5: Added the following:
      2.6.18-8.el5.i686
      2.6.18-8.el5.x86_64
      2.6.18-8.el5PAE.i686
      2.6.18-8.1.1.el5.i686
      2.6.18-8.1.1.el5.x86_64
      2.6.18-8.1.1.el5PAE.i686
      2.6.18-8.1.10.el5.i686
      2.6.18-8.1.10.el5.x86_64
      2.6.18-8.1.10.el5PAE.i686
      2.6.18-8.1.14.el5.i686
      2.6.18-8.1.14.el5.x86_64
      2.6.18-8.1.14.el5PAE.i686
      2.6.18-8.1.15.el5.i686
      2.6.18-8.1.15.el5.x86_64
      2.6.18-8.1.15.el5PAE.i686
      2.6.18-8.1.3.el5.i686
      2.6.18-8.1.3.el5.x86_64
      2.6.18-8.1.3.el5PAE.i686
      2.6.18-8.1.4.el5.i686
      2.6.18-8.1.4.el5.x86_64
      2.6.18-8.1.4.el5PAE.i686
      2.6.18-8.1.6.el5.i686
      2.6.18-8.1.6.el5.x86_64
      2.6.18-8.1.6.el5PAE.i686
      2.6.18-8.1.8.el5.i686
      2.6.18-8.1.8.el5.x86_64
      2.6.18-8.1.8.el5PAE.i686
      2.6.18-53.el5.i686
      2.6.18-53.el5.x86_64
      2.6.18-53.el5PAE.i686
      2.6.18-53.1.13.el5.i686
      2.6.18-53.1.13.el5.x86_64
      2.6.18-53.1.13.el5PAE.i686
      2.6.18-53.1.14.el5.i686
      2.6.18-53.1.14.el5.x86_64
      2.6.18-53.1.14.el5PAE.i686
      2.6.18-53.1.19.el5.i686
      2.6.18-53.1.19.el5.x86_64
      2.6.18-53.1.19.el5PAE.i686
      2.6.18-53.1.21.el5.i686
      2.6.18-53.1.21.el5.x86_64
      2.6.18-53.1.21.el5PAE.i686
      2.6.18-53.1.4.el5.i686
      2.6.18-53.1.4.el5.x86_64
      2.6.18-53.1.4.el5PAE.i686
      2.6.18-53.1.6.el5.i686
      2.6.18-53.1.6.el5.x86_64
      2.6.18-53.1.6.el5PAE.i686
      2.6.18-92.el5.i686
      2.6.18-92.el5.x86_64
      2.6.18-92.el5PAE.i686
      2.6.18-92.1.1.el5.i686
      2.6.18-92.1.1.el5.x86_64
      2.6.18-92.1.1.el5PAE.i686
      2.6.18-92.1.10.el5.i686
      2.6.18-92.1.10.el5.x86_64
      2.6.18-92.1.10.el5PAE.i686
      2.6.18-92.1.13.el5.i686
      2.6.18-92.1.13.el5.x86_64
      2.6.18-92.1.13.el5PAE.i686
      2.6.18-92.1.17.el5.i686
      2.6.18-92.1.17.el5.x86_64
      2.6.18-92.1.17.el5PAE.i686
      2.6.18-92.1.18.el5.i686
      2.6.18-92.1.18.el5.x86_64
      2.6.18-92.1.18.el5PAE.i686
      2.6.18-92.1.22.el5.i686
      2.6.18-92.1.22.el5.x86_64
      2.6.18-92.1.22.el5PAE.i686
      2.6.18-92.1.6.el5.i686
      2.6.18-92.1.6.el5.x86_64
      2.6.18-92.1.6.el5PAE.i686
      2.6.18-128.el5.i686
      2.6.18-128.el5.x86_64
      2.6.18-128.el5PAE.i686
      2.6.18-128.1.1.el5.i686
      2.6.18-128.1.1.el5.x86_64
      2.6.18-128.1.1.el5PAE.i686
      2.6.18-128.1.10.el5.i686
      2.6.18-128.1.10.el5.x86_64
      2.6.18-128.1.10.el5PAE.i686
      2.6.18-128.1.14.el5.i686
      2.6.18-128.1.14.el5.x86_64
      2.6.18-128.1.14.el5PAE.i686
      2.6.18-128.1.16.el5.i686
      2.6.18-128.1.16.el5.x86_64
      2.6.18-128.1.16.el5PAE.i686
      2.6.18-128.1.6.el5.i686
      2.6.18-128.1.6.el5.x86_64
      2.6.18-128.1.6.el5PAE.i686
      2.6.18-128.2.1.el5.i686
      2.6.18-128.2.1.el5.x86_64
      2.6.18-128.2.1.el5PAE.i686
      2.6.18-128.4.1.el5.i686
      2.6.18-128.4.1.el5.x86_64
      2.6.18-128.4.1.el5PAE.i686
      2.6.18-128.7.1.el5.i686
      2.6.18-128.7.1.el5.x86_64
      2.6.18-128.7.1.el5PAE.i686
      2.6.18-164.el5.i686
      2.6.18-164.el5.x86_64
      2.6.18-164.el5PAE.i686
      2.6.18-164.10.1.el5.i686
      2.6.18-164.10.1.el5.x86_64
      2.6.18-164.10.1.el5PAE.i686
      2.6.18-164.11.1.el5.i686
      2.6.18-164.11.1.el5.x86_64
      2.6.18-164.11.1.el5PAE.i686
      2.6.18-164.15.1.el5.i686
      2.6.18-164.15.1.el5.x86_64
      2.6.18-164.15.1.el5PAE.i686
      2.6.18-164.2.1.el5.i686
      2.6.18-164.2.1.el5.x86_64
      2.6.18-164.2.1.el5PAE.i686
      2.6.18-164.6.1.el5.i686
      2.6.18-164.6.1.el5.x86_64
      2.6.18-164.6.1.el5PAE.i686
      2.6.18-164.9.1.el5.i686
      2.6.18-164.9.1.el5.x86_64
      2.6.18-164.9.1.el5PAE.i686
      2.6.18-194.el5.i686
      2.6.18-194.el5.x86_64
      2.6.18-194.el5PAE.i686
      2.6.18-194.11.1.el5.i686
      2.6.18-194.11.1.el5.x86_64
      2.6.18-194.11.1.el5PAE.i686
      2.6.18-194.11.3.el5.i686
      2.6.18-194.11.3.el5.x86_64
      2.6.18-194.11.3.el5PAE.i686
      2.6.18-194.11.4.el5.i686
      2.6.18-194.11.4.el5.x86_64
      2.6.18-194.11.4.el5PAE.i686
      2.6.18-194.17.1.el5.i686
      2.6.18-194.17.1.el5.x86_64
      2.6.18-194.17.1.el5PAE.i686
      2.6.18-194.17.4.el5.i686
      2.6.18-194.17.4.el5.x86_64
      2.6.18-194.17.4.el5PAE.i686
      2.6.18-194.26.1.el5.i686
      2.6.18-194.26.1.el5.x86_64
      2.6.18-194.26.1.el5PAE.i686
      2.6.18-194.3.1.el5.i686
      2.6.18-194.3.1.el5.x86_64
      2.6.18-194.3.1.el5PAE.i686
      2.6.18-194.32.1.el5.i686
      2.6.18-194.32.1.el5.x86_64
      2.6.18-194.32.1.el5PAE.i686
      2.6.18-194.8.1.el5.i686
      2.6.18-194.8.1.el5.x86_64
      2.6.18-194.8.1.el5PAE.i686
      2.6.18-238.el5.i686
      2.6.18-238.el5.x86_64
      2.6.18-238.el5PAE.i686
      2.6.18-238.1.1.el5.i686
      2.6.18-238.1.1.el5.x86_64
      2.6.18-238.1.1.el5PAE.i686
      2.6.18-238.12.1.el5.i686
      2.6.18-238.12.1.el5.x86_64
      2.6.18-238.12.1.el5PAE.i686
      2.6.18-238.19.1.el5.i686
      2.6.18-238.19.1.el5.x86_64
      2.6.18-238.19.1.el5PAE.i686
      2.6.18-238.5.1.el5.i686
      2.6.18-238.5.1.el5.x86_64
      2.6.18-238.5.1.el5PAE.i686
      2.6.18-238.9.1.el5.i686
      2.6.18-238.9.1.el5.x86_64
      2.6.18-238.9.1.el5PAE.i686
      2.6.18-274.el5.i686
      2.6.18-274.el5.x86_64
      2.6.18-274.el5PAE.i686
      2.6.18-274.12.1.el5.i686
      2.6.18-274.12.1.el5.x86_64
      2.6.18-274.12.1.el5PAE.i686
      2.6.18-274.17.1.el5.i686
      2.6.18-274.17.1.el5.x86_64
      2.6.18-274.17.1.el5PAE.i686
      2.6.18-274.18.1.el5.i686
      2.6.18-274.18.1.el5.x86_64
      2.6.18-274.18.1.el5PAE.i686
      2.6.18-274.3.1.el5.i686
      2.6.18-274.3.1.el5.x86_64
      2.6.18-274.3.1.el5PAE.i686
      2.6.18-274.7.1.el5.i686
      2.6.18-274.7.1.el5.x86_64
      2.6.18-274.7.1.el5PAE.i686
      2.6.18-308.el5.i686
      2.6.18-308.el5.x86_64
      2.6.18-308.el5PAE.i686
      2.6.18-308.1.1.el5.i686
      2.6.18-308.1.1.el5.x86_64
      2.6.18-308.1.1.el5PAE.i686
      2.6.18-308.11.1.el5.i686
      2.6.18-308.11.1.el5.x86_64
      2.6.18-308.11.1.el5PAE.i686
      2.6.18-308.13.1.el5.i686
      2.6.18-308.13.1.el5.x86_64
      2.6.18-308.13.1.el5PAE.i686
      2.6.18-308.16.1.el5.i686
      2.6.18-308.16.1.el5.x86_64
      2.6.18-308.16.1.el5PAE.i686
      2.6.18-308.20.1.el5.i686
      2.6.18-308.20.1.el5.x86_64
      2.6.18-308.20.1.el5PAE.i686
      2.6.18-308.24.1.el5.i686
      2.6.18-308.24.1.el5.x86_64
      2.6.18-308.24.1.el5PAE.i686
      2.6.18-308.4.1.el5.i686
      2.6.18-308.4.1.el5.x86_64
      2.6.18-308.4.1.el5PAE.i686
      2.6.18-308.8.1.el5.i686
      2.6.18-308.8.1.el5.x86_64
      2.6.18-308.8.1.el5PAE.i686
      2.6.18-308.8.2.el5.i686
      2.6.18-308.8.2.el5.x86_64
      2.6.18-308.8.2.el5PAE.i686
      2.6.18-348.el5.i686
      2.6.18-348.el5.x86_64
      2.6.18-348.el5PAE.i686
      2.6.18-348.1.1.el5.i686
      2.6.18-348.1.1.el5.x86_64
      2.6.18-348.1.1.el5PAE.i686
      2.6.18-348.2.1.el5.i686
      2.6.18-348.2.1.el5.x86_64
      2.6.18-348.2.1.el5PAE.i686
      2.6.18-348.3.1.el5.i686
      2.6.18-348.3.1.el5.x86_64
      2.6.18-348.3.1.el5PAE.i686
    • RHEL/CentOS 6: Added the following:
      2.6.32-71.el6.i686
      2.6.32-71.el6.x86_64
      2.6.32-71.14.1.el6.i686
      2.6.32-71.14.1.el6.x86_64
      2.6.32-71.18.1.el6.i686
      2.6.32-71.18.1.el6.x86_64
      2.6.32-71.18.2.el6.i686
      2.6.32-71.18.2.el6.x86_64
      2.6.32-71.24.1.el6.i686
      2.6.32-71.24.1.el6.x86_64
      2.6.32-71.29.1.el6.i686
      2.6.32-71.29.1.el6.x86_64
      2.6.32-71.7.1.el6.i686
      2.6.32-71.7.1.el6.x86_64
      2.6.32-131.0.15.el6.i686
      2.6.32-131.0.15.el6.x86_64
      2.6.32-220.el6.i686
      2.6.32-220.el6.x86_64
      2.6.32-279.el6.i686
      2.6.32-279.el6.x86_64
      2.6.32-358.0.1.el6.i686
      2.6.32-358.0.1.el6.x86_64
      2.6.32-358.el6.i686
      2.6.32-358.el6.x86_64
      2.6.32-358.2.1.el6.i686
      2.6.32-358.2.1.el6.x86_64
  • cert-forensics-tools-release-5.9-8.noarch.rpm - This package was added to correct a configuration problem where the package could not be installed on all RHEL/CentOS-5 systems.

April 3, 2013: The following have been released:
  • dd_rescue-1.33-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. Unlike dd, dd_rescue does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.31):
    • This version brings long options, a new double overwrite mode (-2) and a man page.
  • fmem-kernel-objects-1.6-1.18.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. The changes added support for the following Fedora kernels:
    • 3.8.5-201 for FC18
    • 3.8.4-102 for FC17
  • python-apsw-3.7.16.1_r1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • yara-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, checking whether it matches the patterns and rules provided in a special purpose language. The rules are read from RULEFILEs or standard input. Here are the changes since the last version:
    • faster compilation
    • added support for modulus (%) and bitwise xor (|) operators
    • better hashing of regular expressions
    • BUGFIX: yara-python segfault when using dir() on Rules and Match classes
    • BUGFIX: Integer overflow causing infinite loop
    • BUGFIX: Handling strings containing \x00 characters correctly
    • BUGFIX: Regular expressions not matching at the end of the file when compiled with RE2
    • BUGFIX: Memory leaks
    • BUGFIX: File handle leaks
  • yara-python-1.7-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts. See the changes for yara above.

March 26, 2013: The following have been released:
  • guymager-0.7.1-1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.13):
    • Duplicate image creation
    • New RunStats module
    • New job queue mechanism - Note that because of this capability and the version of qt-devel on RHEL/CentOS 5, this version of guymager is not available on RHEL/CentOS 5
    • New userfield
    • New configuration table for main Guymager table
    • New font configuration
    • New cfg table HiddenDevices
    • New configuration parameter CommandAcquisitionEnd
    • Writing hidden area info into info file
    • Gray out rescan button when scan is running
    • In order to avoid the "contagious error", DirectIO is switched on in fallback mode.
    • Removed race condition where write thread would write hash into image before it has been calculated by hash thread.
    • SHA-1 support added
  • fmem-kernel-objects-1.6-1.17.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
    • 3.8.4-202 for FC18
    • 3.8.3-203 for FC18
    • 3.8.2-206 for FC18
    • 3.8.3-103 for FC17

March 12, 2013: The following have been released:
  • disktype-9-9.2.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. This release corrects a package building error dealing with libewf.
  • libfixbuf{,-devel}-1.3.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
  • yaf{,-devel}-2.3.3-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE for that OS. This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
  • yaf{,-devel}-2.2.1-4.{el5}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter. Note that this version of Yaf is only available for CentOS/RHEL 5. It has been recompiled to use the latest version of libfixbuf.

March 5, 2013: The following have been released:
  • Support for Fedora 18 i686 and x86_64 architectures - The repository now supports Fedora 18 for both the i686 and x86_64 CPU architectures. All packages have been moved from the cert-test repository to the standard cert repository. If you find any unexpected behavior with the packages as currently distributed, please send email to
  • partclone-0.2.48-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat. This release was built to use the latest libntfs-3g shared library.
  • dff-1.3.0-1.{fc17,fc18}.{i686,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. Note that only Fedora 17 and 18 are supported in this release. See here for a list of recent changes.
  • fmem-kernel-objects-1.6-1.16.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
    • 3.7.9-205 for FC18
    • 3.8.1-201 for FC18
    • 3.7.9-101 for FC17
    • 3.7.9-104 for FC17
  • xplico-1.0.1-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. This release includes support for Python version 3.3 which is the default for Fedora 18.
  • snort-2.9.4.1-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • libvshadow{,-devel,-tools,-python}-20130304-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • added PackageMaker files
    • updated include/types.h
    • fixed typo in vshadowmount
  • regripper-plugins-20130218-1.{fc15,fc16,fc17,fc18,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The plugins added are the following:
    • NEW PLUGIN by Corey Harrell: uac.pl that gets UAC configuration values (SOFTWARE)
    • UPDATE by Harlan Carvey to comdlg32.pl, many updates (NTUSER)
    • NOTE profile software-all was updated
    • NOTE profiles all DO NOT contain plugins TLN versions: you must create your own profiles or use them directly
    • NOTE RegRipperPluginsPackage (RRPP) counts 236 plugins

February 21, 2013: The following have been released:
  • dd_rescue-1.32-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue, however, does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.31):
    • 1.32: This version has a new option (-x) to append to the output file and you can specify -Y (multiple times if you wish so) to write the same data to secondary output files.
  • ghostpdl-9.07-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.
  • fmem-kernel-objects-1.6-1.15.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
    • 3.7.6-201 for FC18
    • 3.7.7-201 for FC18
    • 3.7.8-202 for FC18
    • 3.7.9-201 for FC18

February 8, 2013: The following have been released:
  • dd_rescue-1.31-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd, which copies data from a file or block device to another. dd_rescue, however, does not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors. Here are the changes from the previous distributed version (1.28):
    • 1.31: This version brings a few tiny improvements in the output (such as displaying the total elapsed time in the summary as opposed to ETA of 0, and the amount of data really written with option -W). But importantly, it has the new mode of triple overwriting of data (options -3 and -4), with random numbers, inverse random numbers, new random numbers (only for -4) and zeros, this way allowing paranoia-safe deletion of information.
    • 1.30: This version brought a fix for outputting data to stdout and a fix for a possible double free operation (introduced in 1.29). The message formatting has been streamlined a bit. The PRNG can now be initialized from a file (e.g. -Z /dev/urandom). The program now can also avoid writing to a target block if the target block already has the same data (option -W). Think of SSDs or other devices where you want to avoid writes.
    • 1.29: This version fixed a bug where the last bytes were not copied correctly if hardbs == softbs. 1.29 also brings a number of new features: the ability to write the same (softbs sized) block again and again (option -R, automatically set if infile is /dev/zero), the ability to limit the transfer size such that the outfile won't be enlarged (-M), and the possibility to use userspace random numbers (libc/frandom) to fill files with random data (options -z and -Z). Last but not least, OBS also builds .deb binaries for Ubu12.04 / Deb6 now.
  • fuse-exfat-1.0.1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32, removing some of its limitations. exFAT is a standard file system for SDXC memory cards. Here are the changes from the previous version:
    • Fixed unexpected removal of a directory if it is moved into itself.
    • Fixed "Operation not permitted" error on reading an empty file.
  • exfat-utils-1.0.1-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version:
    • Fixed unexpected removal of a directory if it is moved into itself.
    • Fixed "Operation not permitted" error on reading an empty file.
  • libewf-{,devel,tools}-20130128-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20121209):
    • worked on sync with experimental version
    • docstring changes in pyewf
    • fix for corruption scenario
    • fixes in pyewf examples
    • updated msvscpp files
    • updated codegear files
    • updated pyewf
    • worked on sync with experimental version
    • replace libmfcache by new libfcache
    • updated configure files
    • updated dpkg files
    • updated rpm spec file
    • updated pyewf - fixes multiple issues
    • updated dependencies
    • worked on sync with experimental version
    • added pyewf/setup.py with thanks to Michael Cohen
    • bug fix for 31st day of the month issue
  • libvshadow{,-devel,-tools,-python}-20130131-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • worked on pyvshadow
    • worked on exposing block descriptors via vshadowinfo
    • worked on exposing block descriptors via API
    • removed LIBVSHADOW_STORE_FLAG_IO_HANDLE_MANAGED flags
  • sleuthkit-{,devel,libs}-4.0.2-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 4.0.1:
    • New Features
      • Added fiwalk tool from Simson. Not supported in Visual Studio yet.
    • Bug Fixes
      • Fixed fcat to work on NTFS files (still doesn't support ADS though).
      • Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
      • NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
      • NTFS code uses sequence number when searching MFT entries for all files.
      • Libewf detection code change to support v2 API more reliably (ID: 3596212).
      • NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
    • Framework
      • Added new API to TskImgDB that returns the base name of an image.
      • Numerous performance improvements to framework.
      • Removed requirement in framework to specify module extension in pipeline configuration file.
      • Added blackboard artifacts to represent both operating system and network service user accounts.
    • Java Bindings
      • added more APIs to find files by name, path and where clause
      • added API to get currently processed dir when image is being added,
      • added API to return specific types of children of image, volume system, volume, file system.
      • moved more common methods up to Content interface
      • deprecated context of blackboard attributes,
      • deprecated SleuthkitCase.runQuery() and SleuthkitCase.closeRunQuery()
      • fixed ReadContentInputStream bugs (ignoring offset into a buffer, implementing available() )
      • methods that are lazy loading are now thread safe
      • Hash class is now thread-safe
      • use more PreparedStatements to improve performance
      • changed source level from java 1.6 to 1.7
      • Throw exceptions from C++ side better
  • fiwalk-0.6.16-3.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This release has been rebuilt to use version 4.0.2 of The Sleuth Kit; because that release now contains both fiwalk and jpeg_extract, this package no longer contains those two programs.
  • yaf{,-devel}-2.3.3-2.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. See here for the list of changes.
  • fmem-kernel-objects-1.6-1.14.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernel:
    • 3.7.5-201 for FC18

February 5, 2013: The following have been released:
  • Support for Fedora 18 i686 and x86_64 architectures - The repository now supports Fedora 18 for both the i686 and x86_64 CPU architectures. Please note that while the release packages are located in the standard cert repository, all other packages are located in the cert-test repository. To install and use these packages, you must enable the cert-test repository by editing the /etc/yum.repos.d/cert-forensics-tools.repo and changing the enabled=0 line to enabled=1. You must do this as root. The schedule is to move all packages to the standard cert repository on Monday, March 4, 2013 unless testing disrupts this schedule. If you find any unexpected behavior with the packages as currently distributed, please send email to
  • fuse-exfat-1.0.0-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32, removing some of its limitations. exFAT is a standard file system for SDXC memory cards. Here are the changes from the previous version:
    • Fixed crash when renaming a file within a single directory and a new name differs only in case.
    • Fixed clusters allocation: a cluster beyond valid clusters range could be allocated.
    • Fixed crash when a volume is unmounted while some files are open.
    • SConscript now respects AR and RANLIB environment variables.
    • Improved error handling.
    • Enabled big_writes. This improves write speed (larger block size means less switches between kernel- and user-space).
    • Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" kernel still allows to open the device in read-write mode but fails writes.
  • exfat-utils-1.0.0-1.1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - The exfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems. Here are the changes from the previous version:
    • Fixed crash when renaming a file within a single directory and a new name differs only in case.
    • Fixed clusters allocation: a cluster beyond valid clusters range could be allocated.
    • Fixed crash when a volume is unmounted while some files are open.
    • SConscript now respects AR and RANLIB environment variables.
    • Improved error handling.
    • Enabled big_writes. This improves write speed (larger block size means less switches between kernel- and user-space).
    • Do BLKROGET ioctl to make sure the device is not read-only: after "blockdev --setro" kernel still allows to open the device in read-write mode but fails writes.
  • libvshadow{,-devel,-tools,-python}-20130113-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • 2013 update
    • updated dependencies
    • updated msvscpp files
    • added vshadowmount.1 man page
  • python-apsw-3.7.15.2_r1-1.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • libiconv{,-devel,-static,-utils}-1.14-3.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - Libiconv provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode. Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconf. Note that libiconv is not available for RHEL/CentOS 5. This release makes the library files also available at /usr/libiconf/lib for the architecture which makes the package easier to use when building packages that use libiconv. The only changes in this release are the removal of files in the libiconv package which conflicted with files in the libiconv-devel package.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.58-1.1.{fc15,fc16,fc17,fc18,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. The packages include the following:
    • libpst includes:
      • readpst which can convert email messages to both mbox and MH mailbox formats
      • pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
      • pst2dii which can convert email messages to the DII load file format used by Summation.
    • libpst-libs package contains the shared library used by the pst utilities.
    • libpst-python package contains the libpst shared objects for use from Python code.
    • libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
    • libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
    • libpst-doc package contains the html documentation for the pst utilities.

    This version uses the libiconv library. Note that libpst is not available for RHEL/CentOS 5.

    Here are the changes since the last version:
    • fix From quoting on embedded rfc/822 messages.
  • fmem-kernel-objects-1.6-1.13.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes added support for the following Fedora kernels:
    • 3.7.4-204 for FC18
    • 3.6.10-4 for FC18
    • 3.7.3-101 for FC17
    • 3.6.11-4 for FC16
  • CERT-Forensics-Tools-1.0-52.{fc15,fc16,fc17,fc18,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • add exfat-utils for all supported architectures
    • remove gpart and ext3grep from Fedora 18 and beyond

January 3, 2013: The following have been released:
  • guymager-0.6.13-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.12):
    • Package dependency to udisks added (for recent Ubuntu)
    • libparted search extended to subdirs
    • Added cfg parameter ForceCommandGetSerialNumber
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.57-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. The packages include the following:
    • libpst includes:
      • readpst which can convert email messages to both mbox and MH mailbox formats
      • pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
      • pst2dii which can convert email messages to the DII load file format used by Summation.
    • libpst-libs package contains the shared library used by the pst utilities.
    • libpst-python package contains the libpst shared objects for use from Python code.
    • libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
    • libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
    • libpst-doc package contains the html documentation for the pst utilities.

    This version uses the libiconv library.

    Note that libpst is not available for RHEL/CentOS 5.
  • python-apsw-3.7.15.1_r1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • fmem-kernel-objects-1.6-1.12.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
    • Support for 3.6.10-2 for FC17
    • Support for 3.6.10-2 for FC16

December 14, 2012: The following have been released:
  • daq-2.0.0-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort.
  • snort-2.9.4-1.1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. See here for the changes in this version.
  • snort-sample-rules-2.9.4-1.1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • libewf-{,devel,tools}-20121209-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • fmem-kernel-objects-1.6-1.11.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
    • Support for 3.6.9-2 for FC17

December 4, 2012: The following have been released:
  • jafat-1.1.6-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems.
  • Volatility-2.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. See https://code.google.com/p/volatility/source/list for a list of changes. This version also includes the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.
  • exfat-utils-0.9.8-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The exfat-utils are a set of utilities for creating, checking, dumping and labeling exFAT file systems.
  • epub-0.5.0-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Epub is the distribution and interchange format standard for digital publications and documents based on Web Standards. Epub defines a method for representing, packaging, and encoding structured and semantically enhanced web content - including XHTML, CSS, SVG, images, and other resources - for distribution in a single-file format. Epub allows publishers to produce and send a single digital publication file through distribution and offers interoperability between consumers software / hardware for unencrypted reflowable digital books and other publications. Epub is a helper application for recoll.
  • libiconv{,-devel,-static,-utils}-1.14-2.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Libiconv provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode. Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconf. Note that libiconv is not available for RHEL/CentOS 5. This release makes the library files also available at /usr/libiconf/lib for the architecture which makes the package easier to use when building packages that use libiconv.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.55-2.2.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst utilities convert Outlook .pst files to other formats. The packages include the following:
    • libpst includes:
      • readpst which can convert email messages to both mbox and MH mailbox formats
      • pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
      • pst2dii which can convert email messages to the DII load file format used by Summation.
    • libpst-libs package contains the shared library used by the pst utilities.
    • libpst-python package contains the libpst shared objects for use from Python code.
    • libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.
    • libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.
    • libpst-doc package contains the html documentation for the pst utilities.
    Note that libpst is not available for RHEL/CentOS 5. This version has been rebuilt to use the libiconv library.
  • pstotext-1.9-2.1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - PStotext is a utility that reads in PostScript files and outputs an ASCII rendering. While the rendering is not always accurate, it is often sufficient. PStotext is a helper application for recoll.
  • recoll-1.18.1-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Recoll is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names. See here for a list of changes in this version. In addition, tar archives have been enabled and the epub, pstotext, and aspell packages have been added as required packages.
  • fmem-kernel-objects-1.6-1.10.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. The changes are the following:
    • Support for 3.6.8-2 for FC17
    • Support for 3.6.7-4 for FC16

November 27, 2012: The following have been released:
  • fmem-kernel-objects-1.6-1.8.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for 3.6.7-4 for FC17
  • sleuthkit-{,devel,libs}-4.0.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 3.2.3:
    • New Features:
      • Can open raw Windows devices with write mode sharing.
      • More DOS partition types are displayed.
      • Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
      • Added new API to TskImgDB that returns hash value associated with carved files.
      • Performance improvements with FAT code (maps and dir_add)
      • Performance improvements with NTFS code (maps)
      • Added AONLY flag to block_walk
      • Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
    • Bug Fixes:
      • Fixed mactime issue where it could choose the wrong timezone that did not follow daylight savings times.
      • Fixed file size of alternate data streams in framework.
      • Incorporated memory leak fixes and raw device fixes from ADF Solutions.
  • fiwalk-0.6.16-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
  • pytsk-2012113-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit. This release has been rebuilt to use version 4.0.1 of The Sleuth Kit.
  • testdisk-6.13-2.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. This release was rebuilt to use the ntfs-3g development and library packages required for CentOS/RHEL 5, but all other versions were rebuilt for synchronization purposes.
  • bulk_extractor-1.3.1-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. This version fixes many issues. In addition, it also contains the BEViewer GUI front-end for bulk_extractor.
  • CERT-Forensics-Tools-1.0-50.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • added bulk_extractor, bulk_extractor-stoplist, and fiwalk for RHEL/CentOS 5 for all supported architectures
    • obsoletes BEViewer since that tool is now included in bulk_extractor

November 19, 2012: The following have been released:
  • fuse-exfat-0.9.8-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fuse-exfat is an exFAT file system implementation with write support. exFAT is a simple file system created by Microsoft. It is intended to replace FAT32, removing some of its limitations. exFAT is the standard file system for SDXC memory cards.
  • libiconv{,-devel,-static,-utils}-1.14-1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Libiconv provides an iconv() implementation, for use on systems which don't have one, or whose implementation cannot convert from/to Unicode. Due to conflicts with other packages, notably glibc, the libiconv packages are installed in /usr/libiconf. Note that libiconv is not available for RHEL/CentOS 5.
  • libpst{,-devel,-devel-doc,-doc,-libs,-python}-0.6.55-2.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - The libpst package includes:
    • readpst which can convert email messages to both mbox and MH mailbox formats
    • pst2ldif which can convert the contacts to .ldif format for import into ldap databases, and
    • pst2dii which can convert email messages to the DII load file format used by Summation.

    The libpst-libs package contains the shared library used by the pst utilities.

    The libpst-python package allows use of the libpst shared object from python code.

    The libpst-devel package contains the library links and header files needed to develop applications using the libpst shared library.

    The libpst-devel-doc package contains the doxygen generated documentation for the libpst.so shared library.

    The libpst-doc package contains the html documentation for the pst utilities.

    Note that libpst is not available for RHEL/CentOS 5.
  • partclone-0.2.48-1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write the ext2 partition. The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
  • CERT-Forensics-Tools-1.0-48.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to do the following:
    • now is architecture-specific to accommodate kernel-PAE-modules-extra for the i686 architecture
    • added fuse-exfat
    • added partclone

November 14, 2012: The following have been released:
  • fmem-kernel-objects-1.6-1.7.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for 3.6.6-1 for FC17
    • Support for 3.6.6-1 for FC16
  • libvshadow{,-devel,-tools,-python}-20121107-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • updates msvscpp 2010 build
    • pyvshadow: fixes for 32-bit build
  • pytsk-2012113-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit.
  • disktype-9-9beta.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Disktype detects the content format of a disk or disk image. It knows about common file systems, partition tables, and boot codes. This version adds support for ext4, btrfs, and exFAT file systems.
  • CERT-Forensics-Tools-1.0-47.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add kernel-modules-extra for both architectures. These kernel modules include support for ufs file systems.
    • add kernel-PAE-modules-extra for the x86 architecture. These kernel modules include support for ufs file systems.
    • added disktype

November 7, 2012: The following have been released:
  • fmem-kernel-objects-1.6-1.6.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for 3.6.5-1 for FC17
    • Support for 3.6.5-2 for FC16
  • libvshadow{,-devel,-tools,-python}-20121103-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • fix in spec file
    • updated dependencies
    • pyvshadow: fix for Mac OS X build
    • updated msvscpp files
    • code clean up
  • pytsk-20121106-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk is Python bindings for The Sleuth Kit.

October 29, 2012: The following have been released:
  • fmem-kernel-objects-1.6-1.5.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for 3.6.3-1 for FC17
    • Support for 3.6.2-1 for FC16
  • md5deep-4.3-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of changes:
    • Fixed check for endian-ness, affecting hash generation on big-endian platforms.
    • Fixed minor bugs related to OpenSolaris.
  • libvshadow{,-devel,-tools,-python}-20121016-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version.

October 19, 2012: The following have been released:
  • fmem-kernel-objects-1.6-1.3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets. The changes are the following:
    • Support for kernel 3.6.1-1 for FC17
    • Support for kernel 3.6.2-4 for FC17
  • nDPI-1.4.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - nDPI is a ntop-maintained superset of the popular OpenDPI library. Released under the GPL license, its goal is to extend the original library by adding new protocols that are otherwise available only in the paid version of OpenDPI. In addition to Unix platforms, Windows is also supported, in order to provide a cross-platform DPI experience. Furthermore, nDPI has been modified to be more suitable for traffic monitoring applications, by disabling specific features that slow down the DPI engine while being unnecessary for network traffic monitoring.

    nDPI is used by both ntop and nProbe for adding application-layer detection of protocols, regardless of the port being used. This means that it is possible both to detect known protocols on non-standard ports (e.g. detect HTTP on ports other than 80) and the opposite (e.g. detect Skype traffic on port 80). This is because nowadays the assumption port=application no longer holds.

    See here for the list of supported protocols.
  • xplico-1.0.1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. It also assumes a web server, for example Apache, has been configured and is operational. Here are the changes since 1.0.0:
    • nDPI integration
    • performance improved
    • FTP dissector improved
    • Added the prism dissector
    • CLI execution bug fixed
    • PCAP-over-IP SSL encryption
    • IRC dissector improvements
    • File reconstruction from Fragmented Payloads improved
    • FaceBook Chat updated
    • FaceBook Message (partial)
    • HTTP without initial packets (packets lost)
    • RTP dissector improved
    • PCAP2WAV, RTP2WAV interface added
  • libvshadow{,-devel,-tools,-python}-20121016-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume. Here are the changes since the last version:
    • pyvshadow: bug fixes
      • Missing Py_None increment reference
      • added increment/decrement reference of volume object in store
    • pyvshadow: added creation time as integer function
    • made get store more restrictive
    • added store get size function for python binding
    • updated dpkg and spec files
    • added store get offset function
    • worked on Python bindings
    • fix for dpkg files docs
    • worked on Python bindings
  • sleuthkit-{,devel,libs}-4.0.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. Here are the changes since 3.2.3:
    • New Features:
      • Added multithreaded support
      • Added C++ wrapper classes
      • Added JNI bindings / Java data model classes
      • 3314047: Added utf8-specific versions of 'toid' methods for img,vs,fs types
      • 3184429: More consistent printing of unset times (all zeros instead of 1970)
      • New database design that allows for multiple images in the same database
      • GPT volume system tries other sector sizes if first attempt fails.
      • Added hash calculation and lookup to AutoDB and JNI.
      • Upgraded SQLite to 3.7.9.
      • Added Framework in (windows-only)
      • EnCase hash support
      • Libewf v2 support (it is now non-beta)
      • First file in a raw split or E01 can be specified and the rest of the files are found.
      • mactime displays times as 0 if the time is not set (instead of 1970)
      • Changed behavior of 'mactime -y' to use ISO8601 format.
      • Updated HFS+ code from ATC-NY.
      • FAT orphan file improvements to reduce false positives.
      • TskAuto better reports errors.
      • Upgrade build projects from Visual Studio 2008 to 2010.
    • Bug Fixes:
      • Relaxed checking when conflict exists between DOS and GPT partitions. Had a Mac image that was failing to resolve which partition table to use.
  • ptk-1.0.5-4.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL, which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, has been configured and is operational. Here is the list of changes:
    • Now recognizes that both The Sleuth Kit Version 3 and Version 4 are valid versions.

October 11, 2012: The following have been released:
  • regripper-25000000-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package now contains only version 2.5 of the regripper tool. The plugins are packaged separately. This package corrects a problem where the individual plugins could not be found. The error is corrected by using perl's @INC array to find the plugin directory.
  • regripper-plugins-20120926-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. The plugins added are the following:
    • NEW PLUGIN by Harlan Carvey: appcertdlls.pl that gets entries from AppCertDlls key (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: appcompatcache.pl that parses files from the Shim Cache (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: appcompatcache_tln.pl that parses files from the Shim Cache, TLN output (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: applets_tln.pl that gets the content of Applets key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: appspecific.pl that gets contents of user's Intellipoint\AppSpecific subkeys (NTUSER)
    • NEW PLUGIN by Harlan Carvey: ares.pl that gets contents of user's Software\Ares key (NTUSER)
    • NEW PLUGIN by Corey Harrell: backuprestore.pl that gets FilesNotToSnapshot, KeysNotToRestore, FilesNotToBackup (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: compatassist.pl that checks user's Compatibility Assistant\Persisted values (NTUSER)
    • NEW PLUGIN by Harlan Carvey: direct.pl that searches Direct keys for MostRecentApplication subkeys (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: direct_tln.pl that searches Direct keys for MostRecentApplication subkeys, TLN output (SOFTWARE)
    • NEW PLUGIN by Corey Harrell: disablesr.pl that gets the on/off value for System Restore (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: installer.pl that determines products install information (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: javafx.pl that gets contents of user's JavaFX key (NTUSER)
    • NEW PLUGIN by Harlan Carvey: legacy_tln.pl that lists LEGACY entries in Enum\Root key, TLN output (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: networklist_tln.pl that collects network info from NetworkList key, TLN output (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: osversion.pl that checks for OSVersion value, malware related (NTUSER)
    • NEW PLUGIN by Corey Harrell: prefetch.pl that gets the Prefetch Parameters (SYSTEM)
    • NEW PLUGIN by Harlan Carvey: runmru_tln.pl that gets contents of user's RunMRU key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: shellbags.pl that gets contents of user's Shell/BagMRU keys, Windows7 (USRCLASS)
    • NEW PLUGIN by Harlan Carvey: sysinternals.pl that checks for SysInternals apps keys (NTUSER)
    • NEW PLUGIN by Harlan Carvey: sysinternals_tln.pl that checks for SysInternals apps keys, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: tracing.pl that gets list of apps that can be traced (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: tracing_tln.pl that gets list of apps that can be traced, TLN output (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: trustrecords.pl that gets user's Office 2010 TrustRecords values (NTUSER)
    • NEW PLUGIN by Harlan Carvey: trustrecords_tln.pl that gets user's Office 2010 TrustRecords values, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: tsclient_tln.pl that gets contents of user's Terminal Server Client key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: typedpaths_tln.pl that gets contents of user's typedpaths key, TLN output (NTUSER)
    • NEW PLUGIN by Harlan Carvey: userassist_tln.pl that displays contents of UserAssist subkeys, TLN output (NTUSER)
    • NEW PLUGIN by Mari DeGrazia: winbackup.pl that gets Windows Backup settings (SOFTWARE)
    • NEW PLUGIN by Harlan Carvey: wpdbusenum.pl that gets WpdBusEnumRoot subkey info (SYSTEM)
    • UPDATE by Harlan Carvey to legacy.pl, added analysis tip (SYSTEM)
    • UPDATE by Harlan Carvey to muicache.pl, the plugin works both on NTUSER and/or USRCLASS hives (NTUSER,USRCLASS)
    • UPDATE by Harlan Carvey to networklist.pl, added NameType value reporting (SOFTWARE)
    • UPDATE by Harlan Carvey to soft_run.pl, added support to newer OS and 64 bits (SOFTWARE)
    • UPDATE by Harlan Carvey to tsclient.pl, added parsing of Servers key (NTUSER)
    • UPDATE by Harlan Carvey to userassist.pl (NTUSER)
    • REMOVED TEMPORARILY plugin typedurlstime.pl, postponed to a later package
    • REMOVED TEMPORARILY plugin typedurlstime_tln.pl, postponed to a later package
    • REMOVED plugin bagtest.pl, deprecated
    • REMOVED plugin bagtest2.pl, deprecated
    • REMOVED plugin crashcontrol.pl, too similar to crashdump.pl
    • REMOVED plugin filesnottosnapshot.pl, superseded by backuprestore.pl
    • REMOVED plugin pstools.pl, superseded by the more general sysinternals.pl plugin
    • REMOVED plugin userassist2.pl, deprecated since userassist.pl was updated
    • REMOVED plugin vista_comdlg32.pl, deprecated since comdlg32.pl was updated
    • REMOVED plugin win7_ua.pl, Windows7-RC and Vigenère encryption are obsolete
    • NOTE added profile usrclass-all for USRCLASS.DAT hive
    • NOTE profiles all-all, ntuser-all, sam-all, security-all, software-all, system-all, usrclass-all were updated
    • NOTE the '-all' profiles DO NOT contain the TLN versions of the plugins: you must create your own profiles or run the TLN plugins directly
    • NOTE source code repository was switched to GIT and it was aligned to the current release
    • NOTE RegRipperPluginsPackage (RRPP) now counts 236 plugins
  • libvshadow{,-devel,-tools}-20120922-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • fmem-kernel-objects-1.6-1.1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Fmem is a kernel module that creates the device /dev/fmem, similar to /dev/mem but without its limitations. This device (physical RAM) can be copied using dd or another tool. It works on 2.6 Linux kernels and beyond. Contained in this package are pre-compiled versions of fmem.ko for all kernels released with Fedora 14, 15, 16, and 17. These are installed in /usr/share/fmem-kernel-objects-1.6 by the triple KernelVersion.FedoraRelease.Architecture. In addition, the source code is available in /usr/share/doc/fmem-kernel-object-1.6. Finally, there is a script entitled install-fmem, installed in the /usr/bin directory, that can be used to install the correct fmem.ko kernel object on the current system. This package is intended to provide pre-compiled versions of the fmem module so that they can be installed as needed when doing on-site memory captures during the data collection phase of an investigation that includes digital assets.
  • CERT-Forensics-Tools-1.0-46.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add fmem-kernel-objects for all supported releases.
  • log2timeline-0.65-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [UTMP input] New input module parsing utmp/wtmp files in Linux, written by Francesco Picasso.
    • [SELINUX input] New input module parsing SELinux audit files in Linux, written by Francesco Picasso.
    • [l2t_process] Renamed to l2t_process_old, being replaced by l2t_process.py from l2t-tools.
    • [EVTX Library] Fixed a small bug in the code, causing some EVTX file parsing to fail.
    • [Altiris input] Fixed a small bug when the date is malformed.
    • [Log2Timeline library] Fixed few bugs:
      • Small error in the format sort, caused oxml to sometimes be skipped in processing.
    • [GENERIC_LINUX input] Added a small extra eval sentence.
    • [LS_QUARANTINE] Fixed a minor bug in the get_time routine: if a database error occurs it is caught by an eval sentence.
    • [TEST] Added few more tests.
    • [MOST INPUT MODULES] Changed the line my $line = <$fh> or return undef; in most input modules.
    • [WIN library] Added few more transformations of Windows stored time zones into a "olson" ones understood by DateTime.
    • [CHROME input] Fixed a small unicode bug in the "File Downloaded" section.
    • [faersluskra2timalina] Added a new frontend to the tool, exact copy of log2timeline, except all parameters in Icelandic... kinda
    • [timescanner tool] Removed this frontend from the Makefile since it serves no purpose (as in no longer part of the automatic installation).
  • python-apsw-3.7.14.1_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.

September 17, 2012: The following have been released:
  • recoll-1.17.3-1.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Recoll is a text search tool for Unix and Linux desktops. Recoll finds keywords inside documents as well as file names.
    • It can search any document format.
    • It can reach any storage place: files, archive members, email attachments, transparently handling decompression.
    • One click will open the document inside a native editor or display an even quicker text preview.
    • The software is free, open source, and licensed under the GPL.
    • See here for a list of detailed features.

    This version installs all of the needed helper applications and enables them all by default.
  • untex-1.3-3.1.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Untex removes some LaTeX commands from the files listed in the arguments (or standard input) and prints the output to standard output.
  • CERT-Forensics-Tools-1.0-45.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add recoll for all supported releases except RHEL/CentOS 5.
  • libfixbuf{,-devel}-1.2.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). See here for the list of changes.
  • yaf{,-devel}-2.3.2-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. See here for the list of changes.
  • silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-2.5.0-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. This version has been recompiled to use the latest version of libfixbuf for the supported operating system and architecture.
  • libvshadow{,-devel,-tools}-20120915-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.

September 4, 2012: The following have been released:
  • prism-1.1.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The prism trend script is a tool for quickly visualizing flow data as a time-series broken down into several configurable bins by SiLK's rwfilter tool. The script can be used directly, or might be used as a component in other more specialized scripts.

    In addition to providing immediate visualizations, the Prism trend script can store these breakdowns in a relational database (currently supporting PostgreSQL or sqlite) for later quick lookup.
  • CERT-Forensics-Tools-1.0-44.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add prism on all systems where the SiLK tools are installed.

August 23, 2012: The following have been released:
  • analysis-pipeline-3.0.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The analysis-pipeline processes SiLK Flow records, and its goals are to automate common tasks, to get closer to "real-time" reporting of events, and to feed interesting data to a security information and event manager (SIEM).

    The Analysis Pipeline supports many types of analysis, including:
    • Watch list alerting (did we see traffic from a known bad IP?)
    • Beacon detection
    • Passive FTP detection
    • IPv6 tunnel detection
    • Thresholding (e.g., is total bytes over a limit?)
    • Collection issues (is a sensor no longer reporting?)

    Although the Analysis Pipeline can be run interactively, it is designed to be incorporated into the SiLK collection and packing infrastructure, where it can analyze every SiLK Flow record produced by rwflowpack as the records are being added to the SiLK data repository.

    When a record matches an analysis, the Analysis Pipeline may output the record in a pipe-delimited textual format. Whether a record is output depends on how often the administrator has configured the Analysis Pipeline to issue that type of output. The administrator can easily configure a SIEM to process the output generated by the Analysis Pipeline.
  • CERT-Forensics-Tools-1.0-43.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add BEViewer on all systems where bulk_extractor is installed.
    • add analysis-pipeline on all systems where the SiLK tools are installed.

August 21, 2012: The following have been released:
  • libewf-{,devel,tools}-20120813-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • registrydecoder-20120816-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. See here for a list of changes.
  • regripper-plugins-20120812-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This version includes version 20120612 of the plugins from here. The plugins added are the following:
    • NEW PLUGIN by Hal Pomeranz: ssh_host_keys.pl that extracts stored Putty and WinSCP host keys from NTUSER hive
    • NEW PLUGIN by Hal Pomeranz: winscp_sessions.pl that extracts WinSCP saved session data from NTUSER hive (with password decoding)
    • NOTE profiles all-all, ntuser-all, sam-all, security-all, software-all and system-all were updated
    • NOTE source code repository was aligned to current release
    • NEW PLUGIN by John Lukach: pstools.pl that displays the content for PsTools EULA Agreements
    • NEW PLUGIN by K. Johnson (with Harlan Carvey updates): filehistory.pl that parses NTUSER FileHistory Registry keys from Windows 8
    • NEW PLUGIN by Elizabeth Schweinsberg: user_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from NTUSER hive
    • NEW PLUGIN by Elizabeth Schweinsberg: soft_runplus.pl that gets contents of the Run, RunOnce, and RunServices keys from SOFTWARE hive
    • NEW PLUGIN by Elizabeth Schweinsberg: svc_plus.pl that gets services, displayed in short format, from SYSTEM hive
  • tcpflow-1.3.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • src/tcpdemux.cpp (tcpdemux::process_tcp): fixed bug in which myflow.tlast wasn't being set.
    • src/main.cpp (main): fixed compile bugs that resulted from adoption of standard DFXML header.
    • configure.ac (HAVE_PTHREAD): fixed typo in configure.ac
    • src/tcpdemux.h: removed struct ip as it was redundant to struct iphdr
    • configure.ac: tcpflow now compiles under mingw for Windows
    • src/tcpdemux.cpp: moved tcpdemux class methods into this new file.
    • src/tcpip.cpp (tcpip::close_file): added support for FUTIMENS, but I don't yet have a system on which to test it. Hope that it's good.

August 10, 2012: The following have been released:
  • ghostpdl-9.06-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico. This version attempts to update Xplico's version of pcl6 - the binary installed as part of ghostpdl - as stored in /opt/xplico/bin if Xplico is installed.

August 8, 2012: The following have been released:
  • perl-XML-SAX-Base-1.04-1.1.el6.noarch.rpm - perl-XML-SAX-Base is a base class for PerlSAX drivers and filters. As distributed on RPM Forge, two files (/usr/share/man/man3/XML::SAX::Base.3pm.gz and /usr/share/man/man3/XML::SAX::Exception.3pm.gz) conflict with the files installed with perl-XML-SAX-0.96-7.el6.noarch from RedHat's EPEL repository. This package was rebuilt to remove these conflicts, and the release number changes from 1 to 1.1 so as to prefer this package over the RPM Forge package. Thanks to Joern Franz for the report.

August 7, 2012: The following have been released:
  • guymager-0.6.12-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.11):
    • Avoiding -O3 / inline compiler bug
    • Correct screen output if no log file is in use
    • DD verification: retry with NOATIME switched off if open fails
    • DD verification: Do not exit if open fails
  • distorm3-3-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX. Distorm3 is used by The Volatility Framework.
  • ghostpdl-9.05-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Ghostpdl is Artifex Software's implementation of the PCL-5™ and PCL-XL™ family of page description languages. Ghostpdl is used by Xplico.
  • libpff-20120802-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided. Libpff is used by DFF - the Digital Forensics Framework.
  • tcpflow-1.2.8-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • src/main.cpp (main): added calling process_infile(expression,device,"",true) when no files are provided to fix bug of no live capture.
    • src/sysdep.h: removed; put code in tcpflow.h for simplicity
    • src/datalink.cpp (dl_null): moved ETHERTYPE_IPV6 from sysdep.h to datalink.cpp
    • bootstrap.sh: added --add-missing to bootstrap.sh

July 30, 2012: The following have been released:
  • ssdeep-2.9-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes. See here for the list of changes.

July 18, 2012: The following have been released:
  • xplico-1.0.0-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. It also assumes a web server, for example Apache, has been configured and is operational. Here is the list of changes:
    • The postinstall script conditions the /etc/php.ini configuration file for PHP so that xplico works without manual intervention. The changes are:
      • Asserts short_open_tag if it is currently set to Off.
      • Sets post_max_size to 100M, which is the recommended value.
      • Sets upload_max_filesize to 100M, which is the recommended value.
      • Sets date.timezone to US/Eastern. If this is not appropriate for your time zone, you will need to edit /etc/php.ini by hand.
    • The preuninstall script undoes the aforementioned change to /etc/php.ini configuration file, but only if the changes were made by the postinstall executed when xplico was installed or updated.
    • The postinstall and preinstall scripts now use systemctl for Fedora 16 and beyond.
  • ptk-1.0.5-3.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL, which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, has been configured and is operational. Here is the list of changes:
    • The postinstall script conditions the /etc/php.ini configuration file for PHP so that ptk works without manual intervention. The changes are:
      • Asserts short_open_tag if it is currently set to Off.
    • The preuninstall script undoes the aforementioned change to /etc/php.ini configuration file, but only if the changes were made by the postinstall executed when ptk was installed or updated.
  • libguytools-2.0.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager. The changes are:
    • Correctly handling decimal point for different locale settings in toolcfg
    • Some small signed/unsigned changes for cleaner linting
    • Copyright notices cleaned up
  • guymager-0.6.11-2.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.11 release 1):
    • Rebuilt to use libguytools-2.0.2.

July 12, 2012: The following have been released:
  • guymager-0.6.11-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.9):
    • Removed bug where section tables might contain only one entry
    • New cfg parameter EwfNaming supports 2 methods for naming EWF segment files
    • Added warnings for low space on destination path and large number of image files before starting acquisition, new configuration parameters WarnAboutImageSize and WarnAboutSegmentFileCount
    • When opening destination image fails, retry with NOATIME switched off (thus enabling cloning without root rights)
  • python-apsw-3.7.13_r1-1.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Python-apsw is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite. See here for a list of the changes.
  • registrydecoder-20120709-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. See here for a list of changes.
  • aff{lib,lib-devel,tools}-3.7.1-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See here for the changes.

July 10, 2012: The following have been released:
  • fred-0.1.0beta4-1.{fc14,fc15,fc16,fc17}.noarch.rpm - Fred Forensic Registry EDitor (fred) is a cross-platform Microsoft registry hive editor. This project was born out of the need for a reasonably good registry hive viewer for Linux to conduct forensic analysis. Therefore it includes some functions not found in normal "free" registry editors like a hex viewer with data interpreter and a reporting function that can easily be extended with custom ECMAScript report templates. The current version contains the following reports: NTUSER_RecentDocs, NTUSER_TypedUrls, SAM_UserAccounts, SOFTWARE_WindowsVersion, SYSTEM_CurrentNetworkSettings, SYSTEM_SystemTimeInfo and SYSTEM_UsbStorageDevices.
  • CERT-Forensics-Tools-1.0-41.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add fred for Fedora systems only
  • tcpflow-1.2.7-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • src/main.cpp (main): -r option now allows for multiple files to be specified.
    • src/main.cpp (main): -R option now allows for incomplete tcp connections to be finished.
    • src/main.cpp (main): removed global "tcpdemux demux" variable. Now it's passed as *user in the datalink methods, as it should be.
    • src/tcpdemux.h (class tcpip): bytes_printed renamed to bytes_processed, as it will be used in packet processing as well.
  • pytsk-20120626-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Pytsk provides Python bindings for The Sleuth Kit.
  • python-xlwt-0.7.4-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Python-xlwt is a library for generating spreadsheet files that are compatible with Excel 97/2000/XP/2003, OpenOffice.org Calc, and Gnumeric. Python-xlwt has full support for Unicode. Excel spreadsheets can be generated on any platform without needing Excel or a COM server.
  • yaf{,-devel}-2.2.1-2.{el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is only available for CentOS/RHEL 5. All other versions use Yaf-2.2.2 and beyond. The change is to use libfixbuf-1.1.2-1.

July 3, 2012: The following have been released:
  • ptk-1.0.5-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL, which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, has been configured and is operational. This package has been rebuilt to correct directory permissions for the installed files.
  • libvshadow{,-devel,-tools}-20120511-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libvshadow is a library and tools used to support the Volume Service Snapshot (VSS) format. The VSS format is used by Windows, as of Vista, to maintain copies of data on a storage media volume.
  • guymager-0.6.9-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.7):
    • Releasing all changes of 0.6.8 (switch to new version in order to have test users update their packages correctly)
    • AEWF: Considering also 1st chunk base offset when checking if chunk can be added to current sectors section.
    • New cfg parameter CheckRootRights
    • If source disk can't be opened, give it another try without option NOATIME
    • Corrected text output for image hash calculation in info file; Translations updated.
    • Error in UtilIsZero removed (leading to wrong image if FifoBlockSizeEwf is set to values above 65536)
    • Package no longer recommends gksu, smartmontools and hdparm but depends on them
    • No longer exits on write errors on info file or in AEWF module (should already have been done in 0.6.4, but the takeover from trunk wasn't done)
    • New cfg parameter EwfCompressionThreshold
    • Also include symlinks when searching for libparted
    • Changes from Mika (unistd.h)
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.

    The changes are the following:
    • rwflowpack change
      • Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
      • Modify NetFlow v9 support to require libfixbuf-1.1.0.
    • flowcap change
      • Modify the log messages produced by libfixbuf to follow the format of other rwflowpack log messages.
      • Modify NetFlow v9 support to require libfixbuf-1.1.0.
    • Building
      • Add new configure switch --enable-asa-zero-packet-hack to work around a bug in the NetFlow9 template used by Cisco ASA routers wherein the template is missing a packetTotalCount field, causing rwflowpack to treat these flows as having 0 packets. When the switch is specified, SiLK sets the packet count to 1 for flow records having a source IP, a byte count, but no packet count. In addition, if SiLK is compiled without IPv6 support, the hack causes rwflowpack to use a fully-expanded file format to store IPv4 flow records collected from netflow-v9 probes. This version of SiLK has been built with --enable-asa-zero-packet-hack.

    The packages added to the repository are:
    • silk-analysis-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than that where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • registrydecoder-20120629-1.{fc14,fc15,fc16,fc17,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. This is version 1.3 of this tool. See here for a list of changes.
  • CERT-Forensics-Tools-1.0-40.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add libvshadow-tools

June 28, 2012: The following have been released:
  • {nmap,nmap-frontend}-6.01-3.{fc14,fc15,fc16,fc17,el6}.{i686,x86_64}.rpm - Nmap has been repackaged in conformance with the way Fedora has been packaged for {nmap,nmap-frontend}-6.00. Please note that the zenmap package has been replaced with the nmap-frontend package. Please also note that nmap versions 6.00 and 6.01 have been withdrawn for the RHEL/CentOS 5 systems.
  • CERT-Forensics-Tools-1.0-39.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - This package was updated to do the following:
    • add nmap-frontend
    • obsolete zenmap
    • obsolete ncat
    • obsolete nping
    • obsolete nmap-update
  • dff-1.2.0-3.fc17.x86_64.rpm - The Digital Forensics Framework (DFF) has been built for the x86_64 CPU architecture. To install it, do the following, as root, on a Fedora 17 x86_64 installation only:
    	yum erase libewf.i386
    	yum clean all
    	yum install dff 
  • xmount-0.5.0-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. The changes in this version are the following:
    • Support to emulate Microsoft's Virtual Hard Disk images (by using the --out vhd arguments).

June 27, 2012: The following have been released:
  • BEViewer-1.3.006-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - BEViewer is a User Interface for browsing features that have been extracted via the bulk_extractor feature extraction tool. BEViewer supports browsing multiple images and bookmarking and exporting features. BEViewer also provides a User Interface for launching bulk_extractor scans.
  • ddrescue-1.16-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See /usr/share/doc/ddrescue-1.16/ChangeLog after the package has been installed.
  • dd_rescue-1.28-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Dd_rescue is a utility similar to the system utility dd which copies data from a file or block device to another. dd_rescue does however not abort on errors in the input file. This makes it suitable for rescuing data from media with errors, e.g. a disk with bad sectors.
  • libfixbuf{,-devel}-1.1.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains general bug fixes as well as Netflow V9 bug fixes.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The changes are to use libfixbuf-1.1.2-1. The packages added to the repository are:
    • silk-analysis-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than that where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.7-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • yaf{,-devel}-2.2.2-2.{fc14,fc15,fc16,fc17,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. The changes are to use libfixbuf-1.1.2-1.
  • log2timeline-0.64-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [TESTSUITE] Added the first version of a test suite to the tool.
      • All tests are located inside the t/ directory.
      • Tests should be constructed for ALL possible uses of the tool, not limited to:
        • Raw parsing of logs using input modules.
        • Correct output for output modules.
        • Correct output from each function inside modules/libraries.
      • The first TEST suite is raw and not nearly complete, needs loads of stuff to be 'proper' but it is a start.
    • [LS_QUARANTINE input] A new input module that parses the LSQuarantineEvents SQLite db in Mac OS X.
    • [Log2Timeline library] Added the possibility to use a dot (.) in the exclusion list.
      • Changed the exclusion list so it can be easily changed
      • Added a call to ->end on each input module if verification failed.
      • Minor bug fixes in the main engine.
      • Changed wording when an output module is loaded (from "Loading output file" to "Loading output module").
      • Added support to detect shortcuts in Windows systems.
      • Added the "path_orig" to all input modules (making it possible to "fix" paths).
    • [CHROME input] - Slight changes to the output based on the value of the typed_count variable, also updated the path to the code that describes the transition types.
    • [SKYPE input] Fixed the verification routine a bit, cleaned it up slightly and fixed a small bug that caused the tool not to include SKYPE data when recursive mode was set on.
      • Also fixed UTF-8 support, should properly display UTF-8 by now.
    • [PREFETCH input] Small changes to the verification module.
    • [WinReg] Fixed a small bug in the code that caused the deleted entries lookup sometimes to loop forever.
    • [SQLITE output] Changed the way the SQLite code is written considerably, pre-compiling statements to prevent them being compiled for each insert, using transactions instead of writing them constantly to the DB, and other minor tweaks to make the DB output faster than before (since it was incredibly slow before).
    • [CHROME input] Small bug to fix UTF-8 support.
    • [FIREFOX3 input] Small bug to fix UTF-8 support.
    • [PREFETCH input] Fixed a bug, added a seekdir so that prefetch information is contained within the timeline if recursive is turned on.
    • [RECYCLER input] Fixed a bug, added a seekdir so that recycler information is contained within the timeline if recursive is turned on.
    • [LIST files] Added few items into the Windows list files, as well as to create a Mac OS X one.
    • [MFT input] Fixed a bug with Unicode support.
    • [RECYCLER input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
    • [SOL input] Fixed a small bug (issue 5) with the path not showing the correct path as indicated by -m TEXT
    • [EVTX input] Changed the dependencies to Parse::Evtx2 instead of Parse::Evtx (same library, changed the namespace).
      • Issue when Parse::Evtx was installed on SIFT, causing the tool to first load the library from Schuster, and not the slightly changed one distributed by the tool, causing the module to not work.
  • md5deep-4.2-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of new features:
    • Fixed padding in Tiger hashes for large files
  • {nmap,ncat,nping,nmap-update,zenmap}-6.01-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details. Nping is a packet generation and response analysis tool. Ncat is a flexible data transfer, redirection, and debugging tool. Nmap-update is a tool that gets the latest versions of architecture-independent files, such as scripts and databases, for the installed version of Nmap. Zenmap is an advanced GUI and results viewer. It replaces nmap-frontend. See the Changelog for the changes made in this release.
  • regripper-25000000-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This package now contains only version 2.5 of the regripper tool. The plugins are now packaged separately.
  • regripper-plugins-20120612-1.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper-plugins are the plugins packaged separately from the regripper application. This version includes version 20120612 of the plugins from here. The plugins added are the following:
    • NEW PLUGIN by Jason Hale: typedurlstime.pl that parses and correlates the TypedURLs and TypedURLsTime subkeys
    • NEW PLUGIN by Jason Hale: typedurlstime_tln.pl that parses and correlates the TypedURLs and TypedURLsTime subkeys (output in TLN format)

June 5, 2012: The following have been released:
  • regripper-20120528-2.{fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This version includes version 20120528 of the plugins from here. The plugins added are the following:
    • NEW PLUGIN by Francesco Picasso: "internet_explorer_cu.pl" that parses the Internet Explorer info from NTUSER.DAT registry
    • NEW PLUGIN by Francesco Picasso: "internet_settings_cu.pl" that parses the Internet Settings info from NTUSER.DAT registry
    • REMOVED plugin "ie_main.pl", since superseded by "internet_explorer_cu.pl"
    • REMOVED plugin "iexplore.pl", since superseded by "internet_explorer_cu.pl"
    • FIXED plugin "timezone.pl", see Issue14 and see source code comments
    • FIXED plugin "userassist2.pl", now it parses Windows7 entries, see source code comments
    • ADDED profiles with every plugin listed in alphabetical order: all-all (3), ntuser-all (98), sam-all (1), security-all (3), software-all (56), system-all (46)
    • NOTE RegRipperPlugins now counts 207 plugins
    • KNOWN ISSUES: comdlg32 does not parse Vista/7 subkeys (Issue 15)

June 4, 2012: The following have been released:
  • bulk_extractor-1.2.2-3.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor has been repackaged so that all of the supporting tools are now installed as distributed by the author. These tools are installed in /usr/bin and are the following:
    • bulk_diff.py - compares two bulk_extractor runs and reports what's changed.
    • identify_filenames.py - reads feature files and a DFXML file for a disk image and reports the file from which each feature came
    • post_process_exif.py - reads the exif.txt feature file and produces a CSV file from all of the XML-encoded EXIF information
    • This directory also contains modules for working with digital forensics XML:
      • bulk_extractor.py - a DFXML python module for reading the report.xml file created by bulk_extractor and reading the feature files. Also allows reading a ZIP file produced from a bulk_extractor output directory as if it were uncompressed.
      • dfxml.py - a DFXML python module for reading DFXML files
      • fiwalk.py - a DFXML python module for producing DFXML streams using fiwalk
      • ttable.py - produces nicely formatted Python tables
    • This directory also contains an out-of-date multi-drive correlator; this will be operational by August 1, 2012:
      • cda2.py - multi drive correlator
      • cda_test.py - test program for multi-drive correlator
      • cda_tool.py - another multi-drive correlator
  • libewf-{,devel,tools}-20120603-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • ssdeep-2.8-1.{fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.

June 1, 2012: The following have been released:
  • bulk_extractor-1.2.2-2.{fc13,fc14,fc15,fc16,fc17,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor was packaged incorrectly, installing an incorrect version of /usr/bin/bulk_extractor. This release corrects that problem.

May 31, 2012: The following have been released:
  • Support for Fedora 17 i386 and x86_64 architectures - The repository now supports Fedora 17 for both the i386 and x86_64 CPU architectures.
  • Support for Fedora 13 - Development of the repository for Fedora 13 has stopped as of 2012-05-31.
  • BEViewer-1.2.1.004-1.{fc13,fc14,fc15,fc16,fc17,el5,el6}.noarch.rpm - BEViewer is a User Interface for browsing features that have been extracted via the bulk_extractor feature extraction tool. BEViewer supports browsing multiple images and bookmarking and exporting features. BEViewer also provides a User Interface for launching bulk_extractor scans.

May 29, 2012: The following have been released:
  • bulk_extractor-1.2.2-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. Bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. See the ChangeLog file (/usr/share/doc/bulk_extractor-1.2.2/ChangeLog) in the package for a list of changes.

May 23, 2012: The following have been released:
  • libewf-{,devel,tools}-20120504-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • netsa-python-1.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Netsa-python is a library of Python routines and frameworks that the NetSA team at CERT has found helpful when developing analyses using the SiLK toolkit. Of particular note are the netsa.script NetSA Scripting Framework, which provides a standard framework for writing scripts that process flow data, and the netsa.util.shell command line processing system, which provides tools for managing extremely complicated collections of shell processes that should fail or succeed together (extremely useful when working with named pipes). netsa-python is compatible with Python versions 2.4 and greater.
  • rayon-1.3.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Rayon is a Python library and set of tools for generating basic two-dimensional statistical visualizations. Rayon can be used to automate reporting; provide data visualization in command-line, GUI or web applications; or do ad-hoc exploratory data analysis. Rayon can generate visualizations in PDF, PNG, SVG and PostScript formats using Pycairo. It can also be used in wxPython GUI applications. Rayon is compatible with Python versions 2.4 and greater, and requires netsa-python and at least one of Pycairo (for static output) or wxPython (for GUI output).
  • {nmap,ncat,nping,nmap-update,zenmap}-6.00-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details. Nping is a packet generation and response analysis tool. Ncat is a flexible data transfer, redirection, and debugging tool. Nmap-update is a tool that gets the latest versions of architecture-independent files, such as scripts and databases, for the installed version of Nmap. Zenmap is an advanced GUI and results viewer. It replaces nmap-frontend.
  • CERT-Forensics-Tools-1.0-38.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - This package was updated to do the following:
    • obsolete nmap-frontend
    • add zenmap
    • add ncat
    • add nping
    • add nmap-update
    • remove registrydecoder for RHEL/CentOS 5 (it requires too many dependencies)

May 1, 2012: The following have been released:
  • guymager-0.6.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.5):
    • Configuration parameter CommandGetAddStateInfo now understands placeholder %local for distinguishing between local and non-local devices
    • New configuration parameter QueryDeviceMediaInfo for devices that do not like HPA/DCO querying
    • MD5 calculation of destination disk corrected for disks whose size is not a multiple of the block size
    • No longer depends on libproc (using libc functions instead)
    • New, fast SHA256 and MD5 routines (from package coreutils)
    • No longer depends on libcrypto or libcrypto for fast hash functions

April 23, 2012: The following have been released:
  • libewf-{,devel,tools}-20120416-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • log2timeline-0.63-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • ALL modules/files were run through perltidy using the configuration file of dev/perltidy.conf.
    • Also several modules have had their documentation updated and code reformed to reflect recent release of a style guide for the project. perltidy is not enough to enforce that, but at least a start. Rewriting the documentation (pod) is also a vital portion of making the modules easier to use/understand/develop.
    • All libraries within the tool and the main API have been rewritten with this in mind, making 'man' documentation considerably more useful than it was.
    • [SERIALIZE output] JSON::XS used to serialize the timestamp output, a very simple output module that simply stores the timestamp object without really doing anything to it. Use that for easy sorting in later stages.
      • This makes it possible to output using this method and then sorting is simpler since it does not require the module to read in the csv and change it into something like a hash, since it is already stored as such.
      • This might become the default output of the tool, and then run l2t_process on that output, turning that into CSV instead of using CSV as default and trying to filter that output.
      • This also makes it easier to filter, based on certain attributes, instead of at the line level.
    • [WIN7 list] Fixed a small bug in Win7 list file (and win7_noreg). The evt module was loaded up and not the evtx one.
    • [FIREFOX3 input] Added a check to see if the SQLite database contains a -wal or -shm (in addition to -journal), and if it does, then do the same procedure as if it was a -journal (read-only database that gets copied to a temp location). This was pointed out to me by Svante.
    • [PREFETCH input] Changed the default output so that loaded DLLs are not included by default, unless the -d|--detail option/parameter is used.
    • [MFT input] Inside the verification routine a check is made to see if the magic value is FILE0; it should only be FILE. Fixed that, making the mft module capable of parsing those $MFT files that do not have the standard offset to the fixup array.
    • [SAM input] Changed the handling of SAM database data, it did not properly parse the SAM database file in certain cases due to the keys being prefilled with the CMI-CREATE....
    • [NTUSER input] Changed a value check in UserAssist key parsing causing UserAssist keys not properly being parsed.
    • [WIN_LINK input] The values for mtime and atime got swapped (the correct order is CAM not CMA like it was)
    • [SETUPAPI input] Added a 'detailed_time' check, to reduce the text inside the alert by default, unless detail option used.
    • [log2timeline] Updated the man page to reflect updates to the 'detailed_time' changes to setupapi input module.
    • [WIN library] Added a mapping to map up all Windows use of timezones to the one used in the DateTime library.
    • [win_sysinfo PreProc] Updated the pre-processing library so that it checks if a known transform of a Windows named timezone information is available and if it is it will compare it to the chosen timezone (and change it if they differ).
    • [LOG2TIMELINE] Small bug in the log2timeline library, causing an input module list that has more than one - sign in it to not be properly verified.
    • [IEHISTORY input] Switched time1 and time2, and started to update the module so it adheres to the newly released, not yet complete, style guide.
    • [EVTX input] Updated the EVTX library to the latest release, version 1.1.1 (written by Andreas Schuster)
      • Also changed the 50 attempts to 15 (in case of an error in reading an entry), also only output error message if debug is turned on.
  • tcpflow-1.2.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. Here are the changes in this version:
    • configure.ac: incremented version to 1.2.6 (1.2.5 had a bad tag)
    • src/tcpip.cpp (tcpip::print_packet): fixed error in fwrite().
    • src/main.cpp (print_usage): fixed misspelling of name
    • src/tcpip.cpp (tcpdemux::tcpdemux): default outdir is now "."
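    The MFT fix in the log2timeline entry above turns on one detail of the NTFS FILE record header: bytes 4-5 hold the offset of the update sequence (fixup) array, and on XP-era volumes that offset is 0x30, whose low byte is ASCII '0', so a check for the string FILE0 silently rejects records with any other offset. The following is an added example (not code from log2timeline) that shows the narrow check beside the correct one and then applies the fixups; it assumes the standard NTFS FILE record layout and uses constructed sample records with a 0x30 and a 0x2A fixup-array offset.

```python
import struct

SECTOR_SIZE = 512
RECORD_SIZE = 1024  # the usual $MFT record size: two sectors, hence two fixup words


def buggy_is_mft_record(rec: bytes) -> bool:
    """The narrow check: b"FILE0" only matches when byte 4 (the low byte of the
    fixup-array offset) happens to be 0x30, which is ASCII '0'."""
    return rec[:5] == b"FILE0"


def is_mft_record(rec: bytes) -> bool:
    """The correct check: the magic is exactly the four bytes b"FILE"."""
    return rec[:4] == b"FILE"


def parse_header(rec: bytes) -> dict:
    """Parse the fixed, little-endian part of a FILE record header."""
    if not is_mft_record(rec):
        raise ValueError("not a FILE record")
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    # 0x10 sequence number, 0x12 hard-link count, 0x14 first attribute offset,
    # 0x16 flags (bit 0 = in use, bit 1 = directory), 0x18 used size, 0x1C allocated size
    seq_no, links, attr_offset, flags, used, allocated = struct.unpack_from("<HHHHII", rec, 0x10)
    return {
        "usa_offset": usa_offset, "usa_count": usa_count, "seq_no": seq_no,
        "links": links, "attr_offset": attr_offset, "flags": flags,
        "used": used, "allocated": allocated,
    }


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence: the last two bytes of every sector were replaced
    by the update sequence number (USN) on disk; put the original words back.
    A USN mismatch means a torn (incomplete) write and the record is not trusted."""
    hdr = parse_header(rec)
    off, count = hdr["usa_offset"], hdr["usa_count"]
    if off + 2 * count > len(rec) or (count - 1) * SECTOR_SIZE != len(rec):
        raise ValueError("fixup array does not match the record size")
    usn = rec[off:off + 2]
    buf = bytearray(rec)
    for i in range(1, count):
        tail = i * SECTOR_SIZE - 2
        if buf[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write")
        buf[tail:tail + 2] = rec[off + 2 * i:off + 2 * i + 2]
    return bytes(buf)


def build_sample_record(usa_offset: int, usn: int = 0x1234,
                        tails=(0xAAAA, 0xBBBB)) -> bytes:
    """Constructed sample: an in-use 1024-byte FILE record whose fixup array sits
    at usa_offset (0x2A on NT-era volumes, 0x30 on XP and later)."""
    buf = bytearray(RECORD_SIZE)
    buf[0:4] = b"FILE"
    count = 1 + len(tails)                       # USN plus one word per sector
    struct.pack_into("<HH", buf, 4, usa_offset, count)
    attr_offset = (usa_offset + 2 * count + 7) & ~7   # attributes start 8-byte aligned
    struct.pack_into("<HHHHII", buf, 0x10, 1, 1, attr_offset, 0x0001,
                     attr_offset + 8, RECORD_SIZE)
    struct.pack_into("<I", buf, attr_offset, 0xFFFFFFFF)   # end-of-attributes marker
    struct.pack_into("<" + "H" * count, buf, usa_offset, usn, *tails)
    for i in range(1, count):                    # on disk every sector ends with the USN
        struct.pack_into("<H", buf, i * SECTOR_SIZE - 2, usn)
    return bytes(buf)


if __name__ == "__main__":
    for name, rec in (("XP-style 0x30", build_sample_record(0x30)),
                      ("NT-style 0x2A", build_sample_record(0x2A))):
        print(name, "FILE0 check:", buggy_is_mft_record(rec),
              "FILE check:", is_mft_record(rec),
              "attr_offset:", hex(parse_header(rec)["attr_offset"]))
```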

April 10, 2012: The following have been released:
  • python-pefile-1.2.10_114-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Python-pefile is a multi-platform Python module to read and work with Portable Executable (aka PE) files. Most of the information in the PE Header is accessible, as well as all the sections, their information and data. pefile requires some basic understanding of the layout of a PE file. Armed with it, it's possible to explore nearly every single feature of the file. Some of the tasks that pefile makes possible are:
    • Modifying and writing back to the PE image
    • Header Inspection
    • Sections analysis
    • Retrieving data
    • Warnings for suspicious and malformed values
    • Packer detection with PEiD’s signatures
    • PEiD signature generation
    Please refer to UsageExamples for starting points on how to use pefile. To work with authenticated binaries, including Authenticode signatures, please check the project verify-sigs.
  • AdobeMalwareClassifier-1.0-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - AdobeMalwareClassifier is a tool that performs quick, easy classification of binaries for malware analysis.

    The Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware so they can develop malware detection signatures faster, reducing the time during which users' systems are vulnerable.

    The tool uses machine-learning algorithms to classify Win32 binaries - EXEs and DLLs - into three classes: 0 for "clean," 1 for "malicious," or "UNKNOWN."

    The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary as "clean," "malicious," or "unknown."

    The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs.

April 3, 2012: The following have been released:
  • aff{lib,lib-devel,tools}-3.7.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.7.0/ChangeLog after the package has been installed.
  • yaf{,-devel}-2.2.2-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. This release fixes bugs in VLAN tagging.

March 30, 2012: The following have been released:
  • tcpflow-1.2.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. The changes are: bug fixes and performance improvements.
  • safecopy-1.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Safecopy is a data recovery tool which tries to extract as much data as possible from a problematic (i.e. damaged sectors) source - like floppy drives, hard disk partitions, CDs, tape devices, ..., where other tools like dd would fail due to I/O errors. Here are the changes:
    • New --forceopen option to wait for removable drives to come back
    • New -c (continue) option to resume when copying directly onto devices
    • Return codes: 0 for success, 2 for abort/error, 1 for incomplete copy
    • Adapted test suite to test for these return codes
    • Code cleanup
  • testdisk-6.13-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. Here are the changes:
    • Fix UAC manifests for Windows, so users don't need to use right-click "Run As Administrator"
    • TestDisk
      • Fix image creation, image.dd file wasn't created (Regression introduced in 6.12)
      • Detect Vmware VMFS partition
      • Locate lost GFS2 partition but not yet the size
      • Log HDD serial number and firmware revision
      • List NTFS Alternate Data Streams (ADS)
    • PhotoRec
      • Session recovery restarts at the previous location
      • Better MPEG recovery, there should be less concatenated videos.
      • Better JPG recovery, there should be less cases where thumbnails were recovered instead of the picture itself.
      • Handle large avi files using "AVIX" or mov files using 64-bit chunk size.
      • Rename recovered pdf using the title (not perfect)
      • Major cleanup of PhotoRec core code
  • libp0f{,-devel}-2.0.8-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libp0f is a library implementation of p0f version 2 available from here. This library splits the core p0f functionality from the p0f application in order to support 3rd-party linkage. libp0f does not change any of the fingerprinting algorithms from p0f version 2, nor has it upgraded any of the p0f fingerprints. The library is required for use with Yaf. To enable p0f in Yaf, configure Yaf with --enable-p0fprinter (see the next item), and run Yaf with --p0fprint.
  • yaf{,-devel}-2.2.1-3.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Note that this release of Yaf is not available for CentOS/RHEL 5 due to an outdated version of PCRE. This release was built with the following configuration options enabled:
    • enable-applabel - enable the packet payload application label engine
    • enable-p0fprinter - enable the p0f based OS finger printing capability
    • enable-plugins - enable YAF to load plugin extensions
    • enable-ltdl-install=no - do not install files that would otherwise conflict with libtool-ltdl
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The changes are to enable adns, the Asynchronous-capable DNS Client Library. The packages added to the repository are:
    • silk-analysis-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.7-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.

March 12, 2012: The following have been released:
  • tcpflow-1.2.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. Tcpflow can also process stored tcpdump packet flows. The changes are: bug fixes and performance improvements.
  • guymager-0.6.5-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.6.3):
    • Device scan: Assume that a device will not be included more than once in a scan
    • New CFG parameter AvoidEncaseProblems for Encase EWF string limitations
    • No longer exits on write errors in AEWF module
    • No longer exits on info file write errors
    • Center info dialog relative to application (not screen)
  • yaf{,-devel}-2.2.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The changes are bug fixes.
  • reglookup-1.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - Release 2 of the reglookup package was installed to include the following patches:
    • Patch 278: fix for pyregfi install
    • Patch 277: incorporated a version of Adam Golebiowski's build patches reworked REGFI_VERSION and began using it in pyregfi installation
    • Patch 276: added 1.0.1 target

March 7, 2012: The following have been released:
  • xplico-1.0.0-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. Note that RHEL/CentOS 5 is not supported due to a lack of Python Version 3 support. Here is the list of changes:
    • SQLite dispatcher performance improved
    • Added the PPI dissector
    • Added the syslog dissector
    • Added "Bogus IP length" correction with checksum verification disabled
    • New Facebook Chat dissector for the new Facebook chat protocol
    • SIP dissector improved
    • IMAP dissector improved and bugs fixed
    • DNS dissector PIPI improved
    • Yahoo Webmail bugs fixed
    • Live/Hotmail WebMail Spanish version
    • GeoMap improved
    • PCap-over-IP
    To build and install this package for CentOS 6, the following were installed in the CentOS/RHEL repository:
    • python3-3.1.2-7.fc13.i686.rpm
    • python3-libs-3.1.2-7.fc13.i686.rpm
    • python3-httplib2-0.6.0-3.fc14.noarch.rpm

February 24, 2012: The following have been released:
  • regripper-20120224-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This version includes version 20120224 of the plugins from here. The plugins added are the following:
    • EMDMgt.pl (Brad Reninger) - this plugin parses the EMDMgt registry key located in the SOFTWARE Hive. This registry key identifies the volume serial number of USB devices.
    • ccleaner.pl (Adrian Leong) - this plugin gets CCleaner User's Settings from NTUSER.DAT.
  • md5deep-4.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of new features:
    • Added expert mode option to parse Windows PE files
    and bug fixes:
    • Fixed junction point handling on Win32

February 17, 2012: The following have been released:
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. See here for the list of changes. The packages added to the repository are:
    • silk-analysis-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.

February 15, 2012: The following have been released:
  • bulk_extractor-1.2.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. Bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. See this Changelog for a list of changes.
  • libewf-{,devel,tools}-20120122-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.

February 7, 2012: The following have been released:
  • dff-1.2.0-3.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. This release adds missing support for Expert Witness Compression Format (EWF) files.
  • regripper-20120206-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This version includes version 20120206 of the plugins from here. It adds the filesnottosnapshot.pl plugin (lists, from the SYSTEM hive, the files and folders excluded from Volume Shadow Copies) and the spp_clients.pl plugin (lists the volumes currently monitored by the Volume Shadow Copy Service).
  • xmount-0.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.
  • Volatility-2.0.1-3.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version updates the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.
  • registrydecoder-20120202-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. This is version 1.2 of this tool. See here for a list of changes.
  • tcpflow-1.1.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump packet flows. The changes are: C++ rewrite, improved performance, and DFXML output.

January 27, 2012: The following have been released:
  • libewf-{,devel,tools}-20120122-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • md5deep-4.0.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. The changes in this version are:
    • Fixed hang on DFXML generation on Win32
    • Fixed incorrect hashes via stdin on Win32
    • Fixed "Too many open files" error on OS X
    • Doc files in Win32 have been corrected.

January 12, 2012: The following have been released:
  • cert-forensics-tools-release-{13,14,15,16,5.7,6}-7.noarch.rpm - This package was added to provide the new CERT Forensics Repository Key. The fingerprint for this key is: AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4.

    You must do the following as root to install this new package before updating existing packages installed from our repository:
    yum update cert-forensics-tools-release
    You can then do the following as root to install any other updates for your system:
    yum update
    In addition, all of the packages in the Fedora 13, 14, 15, 16, and RHEL/CentOS repositories have been resigned with this new key.
  • CERT-Forensics-Tools-1.0-36.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - This package was updated to include the following:
    • shellbags for Fedora 14, 15, and 16.
    • KHracker for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • md5dump for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • tcpflow for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • registrydecoder for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • xplico for Fedora 13, 14, 15, and 16.
    • snort for Fedora 13, 14, 15, and 16.
    • snort-sample-rules for Fedora 13, 14, 15, and 16.
  • shellbags-0.5.1-2.{fc14,fc15,fc16}.noarch.rpm - Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when it is browsed in Explorer. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate previously mounted volumes, deleted files, and user actions. See Using shellbag information to reconstruct user activities for an overview of the investigative value of shellbags. Shellbags is installed in the Fedora 14, 15, and 16 versions of the repository.
  • python-registry-0.2.3-1.{fc14,fc15,fc16}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. python-registry is written in pure Python, making it portable across all major platforms. Python-registry is installed in the Fedora 14, 15, and 16 versions of the repository. This package is required by shellbags.
  • KHracker-0.3-1.noarch.rpm - KHracker is a python-based tool for recovering host names from hashed SSH known_hosts entries. By default, known_hosts entries are stored in plaintext, but when OpenSSH's HashKnownHosts option is enabled each host name or address is stored as a salted HMAC-SHA1 hash. Such a hash cannot be reversed, so recovery means hashing candidate host names and addresses with each entry's salt and looking for a match, which is what KHracker attempts. From a forensics perspective, hashed known_hosts entries can prevent an investigator from seeing which other computers a user has been connecting to, and information about the connections made from a system is integral to a complete understanding of the systems involved in a network intrusion or incident response case.
  • python-netaddr-0.7.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - python-netaddr is a pure Python network address representation and manipulation library. It provides a Pythonic way of working with:
    • IPv4 and IPv6 addresses and subnets
    • MAC addresses, OUI and IAB identifiers, IEEE EUI-64 identifiers
    • arbitrary (non-aligned) IP address ranges and IP address sets
    • various non-CIDR IP range formats such as nmap and glob-style formats

    Included are routines for:
    • generating, sorting and summarizing IP addresses and networks
    • performing easy conversions between address notations and formats
    • detecting, parsing and formatting network address representations
    • performing set-based operations on groups of IP addresses and subnets
    • working with arbitrary IP address ranges and formats
    • accessing OUI and IAB organisational information published by IEEE
    • accessing IP address and block information published by IANA

    This package is required by KHracker.
  • md5deep-4.0.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. The new features in this version are:
    • Rewrote most of the program in C++.
    • Enabled multiprocessor support on all platforms.
    • Removed ten character limit on file size mode.
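
    The January 12, 2012 entry above tells you to install a new repository signing key and publishes its fingerprint. Before trusting packages signed with that key, confirm that the key rpm actually imported carries the published fingerprint. The following is an added example of that check (it is not part of the CERT packages). It assumes GnuPG 2.1 or later (for `--import-options show-only`) and rpm's convention of recording imported keys as pseudo-packages named gpg-pubkey-<short key id>-<creation time>; the colon-format gpg listing embedded for the offline run is constructed, with only the key id and fingerprint taken from the announcement:

```python
"""Check that the repository signing key a host has imported is the one whose
fingerprint the announcement publishes. Added example for this page; it is not
part of the CERT packages. Assumes GnuPG 2.1 or later (for --import-options
show-only) and rpm's convention of recording imported keys as pseudo-packages
named gpg-pubkey-<short key id>-<creation time>."""
import re
import subprocess

# Fingerprint exactly as published in the January 12, 2012 announcement.
PUBLISHED_FPR = "AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4"


def normalize_fpr(fpr):
    """Drop spacing and case so a fingerprint copied from a web page compares
    equal to what gpg prints; reject anything that is not 160 bits of hex."""
    s = re.sub(r"\s+", "", fpr).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", s):
        raise ValueError("not an OpenPGP v4 fingerprint: %r" % (fpr,))
    return s


def rpm_pubkey_name(fpr):
    """For a v4 key the 64-bit key id is the low bits of the fingerprint, and
    rpm names the imported key after the low 32 bits in lowercase hex."""
    return "gpg-pubkey-" + normalize_fpr(fpr)[-8:].lower()


def fingerprints_in_colons_listing(listing):
    """Parse `gpg --with-colons --with-fingerprint` output: field 10 of every
    `fpr` record is a fingerprint (primary key first, then subkeys)."""
    found = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            found.append(fields[9].upper())
    return found


def key_matches(listing, expected=PUBLISHED_FPR):
    """True only when the primary key fingerprint equals the published one.
    Comparing the primary (first fpr record) avoids being fooled by a subkey."""
    fprs = fingerprints_in_colons_listing(listing)
    return bool(fprs) and fprs[0] == normalize_fpr(expected)


def check_installed_key(expected=PUBLISHED_FPR):
    """On a real host: pull the armored key rpm stored in the pseudo-package's
    description, have gpg print its fingerprint, and compare. Any failure
    (key not imported, tool missing) counts as a mismatch."""
    try:
        armored = subprocess.run(
            ["rpm", "-q", "--qf", "%{DESCRIPTION}", rpm_pubkey_name(expected)],
            capture_output=True, text=True, check=True).stdout
        listing = subprocess.run(
            ["gpg", "--with-colons", "--with-fingerprint",
             "--import-options", "show-only", "--import"],
            input=armored, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return False
    return key_matches(listing, expected)


# Constructed gpg colon-format listing for the offline demo: key id and
# fingerprint are derived from the published fingerprint, everything else is
# placeholder data, not the real key.
SAMPLE_LISTING = (
    "pub:-:2048:1:9198DA7851B601A4:1326326400:::-:::scESC::::::::\n"
    "fpr:::::::::AE8F91D151265835B4DE765D9198DA7851B601A4:\n"
    "uid:-::::1326326400::0000000000000000000000000000000000000000::"
    "constructed uid <example@example.invalid>::::::::::0:\n"
)

if __name__ == "__main__":
    print(rpm_pubkey_name(PUBLISHED_FPR))   # gpg-pubkey-51b601a4
    print(key_matches(SAMPLE_LISTING))     # True
```

    On a live host call check_installed_key(): if rpm -q gpg-pubkey-51b601a4 finds nothing, the key announced above was never imported; if the fingerprint differs, the key rpm on the host is not the one the announcement describes, so do not proceed to yum update until that is resolved.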

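    The KHracker entry above describes recovering host names from hashed known_hosts files. The following is an added example of that technique, written for this page (it is not KHracker's code), built on OpenSSH's documented |1|salt|hash host field, where the hash is HMAC-SHA1 keyed with the salt; the known_hosts lines, host names, key material and guess list are all constructed for the demo:

```python
"""Recover host names from hashed OpenSSH known_hosts entries by candidate hashing.
Added example written for this page; it is not KHracker's code. It relies only on
OpenSSH's documented format: with HashKnownHosts, the host field is stored as
|1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=host)>, where host is the name or
address as typed, written as [host]:port when the port is not 22."""
import base64
import hashlib
import hmac
import ipaddress
import os


def hash_known_host(host, salt=None):
    """Produce the hashed host field the way ssh writes it (20-byte random salt
    unless one is supplied; a fixed salt makes the demo below repeatable)."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def parse_hashed_host(field):
    """Return (salt, digest) for a hashed host field, None for a plaintext one."""
    parts = field.split("|")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        return None
    try:
        return (base64.b64decode(parts[2], validate=True),
                base64.b64decode(parts[3], validate=True))
    except ValueError:
        return None


def expand_candidates(names, networks=(), ports=(22,)):
    """Guess list: bare names, every address in the given networks, and the
    [host]:port spelling ssh uses for ports other than 22."""
    seeds = list(names)
    for net in networks:
        seeds.extend(str(ip) for ip in ipaddress.ip_network(net).hosts())
    out = []
    for seed in seeds:
        for port in ports:
            out.append(seed if port == 22 else "[%s]:%d" % (seed, port))
    return out


def crack_known_hosts(lines, candidates):
    """Return (host_field, recovered_name_or_None) per entry. The hash cannot be
    reversed, so each candidate is HMAC'd with the entry's own salt and compared."""
    results = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):        # @cert-authority / @revoked marker
            parts = parts[1:]
        if not parts:
            continue
        host_field = parts[0]
        parsed = parse_hashed_host(host_field)
        if parsed is None:
            results.append((host_field, host_field))   # plaintext already
            continue
        salt, digest = parsed
        hit = None
        for cand in candidates:
            if hmac.new(salt, cand.encode(), hashlib.sha1).digest() == digest:
                hit = cand
                break
        results.append((host_field, hit))
    return results


# Constructed sample file: fixed salts so the run is repeatable; one entry whose
# name is deliberately absent from the guess list; one plaintext entry. The key
# material is a placeholder, not a real key.
KEY = "ssh-ed25519 AAAAconstructedplaceholderkey"
SAMPLE_KNOWN_HOSTS = [
    "# constructed known_hosts for the example",
    hash_known_host("bastion.example.internal", b"\x01" * 20) + " " + KEY,
    hash_known_host("[10.0.0.5]:2222", b"\x02" * 20) + " " + KEY,
    hash_known_host("not-in-wordlist.example.internal", b"\x03" * 20) + " " + KEY,
    "github.com " + KEY,
]
GUESSES = expand_candidates(["bastion.example.internal", "gw.example.internal"],
                            networks=["10.0.0.0/28"], ports=(22, 2222))


def demo():
    """Names recovered from the sample, in file order (None = not guessed)."""
    return [name for _, name in crack_known_hosts(SAMPLE_KNOWN_HOSTS, GUESSES)]


if __name__ == "__main__":
    for field, name in crack_known_hosts(SAMPLE_KNOWN_HOSTS, GUESSES):
        print("%s -> %s" % (field, name or "(no match)"))
```

    Because every entry carries its own salt, each candidate has to be hashed once per entry, so the cost is entries times candidates HMAC operations. Seed the guess list from the image itself (/etc/hosts, shell history, ssh_config, DNS caches, other users' plaintext known_hosts) before sweeping address ranges, and remember that an entry with no match only means the name was not in the list, not that the host was never contacted.
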
January 3, 2012: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.15/ChangeLog after the package has been installed.
  • fiwalk-0.6.16-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. See /usr/share/doc/fiwalk-0.6.16/ChangeLog after the package has been installed.
  • bulk_extractor-1.1.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. See /usr/share/doc/bulk_extractor-1.1.3/ChangeLog after the package has been installed.
  • tcpflow-1.0.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump packet flows.
  • ddrescue-1.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See /usr/share/doc/ddrescue-1.15/ChangeLog after the package has been installed.
  • libewf-{,devel,tools}-20111231-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • libfixbuf{,-devel}-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains bug fixes.
  • silk-*-2.4.5-6.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
  • yaf{,-devel}-2.1.2-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools for flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
  • perl-Parse-Evtx-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection.
  • xmount-0.4.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.

December 8, 2011: The following have been released:
  • Support for Fedora 16 i386 and x86_64 architectures - The repository now supports Fedora 16 for both the i386 and x86_64 CPU architectures.
  • registrydecoder-20111108-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents.
  • regripper-20111118-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes version 20111118 of the plugins from here.
  • log2timeline-0.62-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
    • [OPENVPN input] New input module, designed to parse the OpenVPN log files.
    • [L2T_PROCESS] Added a few more allowed characters in the keyword list
    • [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
    • [Log2Timeline library] Fixed a bug where, when the 'all' modules option is used (or -f is omitted), no modules get loaded
      • Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
      • Fixed a small bug where the tool would crash if the local timezone was used.
      • Fixed a small bug where, if the tool is not able to find the default directory (. does not exist) or the file it is pointed at does not really exist, it returned a double error instead of just dying on the first one.
      • The tool will now accept a separate output timezone so the tool can output in a different timezone than the host's one.
    • [log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
    • [CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports a different output timezone than the host one.
    • [EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX that is somehow broken and the function get_next_event dies. If the tool ran into such an occurrence it returned an empty timestamp object, which in turn let the tool query for it again, thus possibly getting into an endless loop. Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
    • [log2timeline-sift] Moved the mount command out of the script and into the configuration file
      • Changed the mount command, since there were a few errors with the previous one
      • Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call)
  • xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python Version 3 support.
  • guymager-0.6.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.5.9):
    • Better HPA/DCO log output
    • Bug removed where acquisition hash codes were not shown in info file if verification was aborted.
    • Additional State Info added
    • New configuration parameter DirectIO
    • Setting sectors per chunk correctly for libewf
    • Removed full path of image file names from .info file, only show the image filename
    • New thread debugging messages
    • New EWF module reduces memory footprint significantly.
    • Possibility to compute MD5 hashes of the individual image files and write them to the .info file.
    • Better log output always contains acquired device
    • Bug removed where libewf only did empty block compression (slight API change in libewf20100226)
    • Compression problem with libewf20100226 fixed
    • Wrong file size check in acquisition dialog corrected


October 20, 2011: The following have been released:
  • regripper-20111014-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes the version 20111014 plugins from here.


October 13, 2011: The following have been released:
  • daq-0.6.2-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort.
  • snort{,mysql,postgresql,unixODBC}-2.9.1.1-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
  • snort-sample-rules-1.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • libewf-{,devel,tools}-20111016-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • nmap{,-frontend}-5.51-3.{fc12,fc13,fc14,el5,el6}.{i386,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details.
  • CERT-Forensics-Tools-1.0-33.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to select a correct version of the libewf-tools package.


October 13, 2011: The following have been released:
  • dff-1.2.0-2.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. This release fixes incorrect directory permissions and adds python-apsw as a dependency.
  • python-apsw-3.6.7_r1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Another Python SQL wrapper (python-apsw) is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite.


October 12, 2011: The following have been released:
  • libewf-{,devel,tools}-20111011-1.{fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • xmount-0.4.5-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. Release 2 of xmount was made to use Version 2 of the libewf API.
  • sleuthkit-{,devel,libs}-3.2.3-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See the included NEWS.txt for a list of changes. Note that this version has been built using Version 2 of the libewf API.
  • dff-1.2.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture, and is a free and Open Source platform dedicated to digital forensics and eDiscovery. Note that this version requires the Version 2 API of libewf, and that CentOS/RHEL 5 is not supported in this release.
  • CERT-Forensics-Tools-1.0-32.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add these packages:
    • libewf-tools
    and remove these packages:
    • ewftools


October 4, 2011: The following have been released:
  • bulk_extractor-1.0.7-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important.
  • reglookup-1.0.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup package version 1.0.0 was installed for all supported architectures.
  • ssdeep-2.7-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
  • yaf{,-devel}-2.1.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools for flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Added new --plugin-conf switch for adding a configuration file to a plugin
    • Added new --p0f-fingerprints switch to give location of p0f fingerprint files
    • Bug Fixes
  • log2timeline-0.61-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • Bug fixes
    • Changes to sqlite output
    • User contributed new input modules


September 13, 2011: The following have been released:
  • libfixbuf{,-devel}-1.0.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains bug fixes.
  • silk-*-2.4.5-5.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.
  • yaf{,-devel}-2.1.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - YAF (Yet Another Flowmeter) is a suite of tools for flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.


September 9, 2011: The following have been released:
  • regripper-20110830-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes the version 20110830 plugins from here.


August 23, 2011: The following have been released:
  • ataraw-0.2.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - ATAraw allows user-level Linux programs to send arbitrary commands to ATA and SATA devices. The system currently supports programmed IO and DMA modes, but does not support asynchronous or multiple-queued commands.
  • bloom-1.4.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Bloom is an NPS bloom filter package that includes the frag_find utility.
  • bulk_extractor-1.0.2-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important.
  • bulk_extractor-stoplist-1.0-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor-stoplist is a context stop list for bulk_extractor.
  • fiwalk-0.6.15-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.
  • jafat-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems.
  • log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. This version removes perl-Parse-Evtx since that is now a separate package.
  • perl-Parse-Evtx-1.0.8-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection.
  • tln_tools-20110729-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - tln_tools are time line tools.
  • Volatility-2.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version adds the following plugins from the Malware Analyst's Cookbook:
    • apihooks - API hooks
    • callbacks - system-wide notification routines
    • devicetree - device tree
    • driverirp - IRP hook detection
    • gdt - Global Descriptor Table
    • idt - Interrupt Descriptor Table
    • impscan - a module for imports (API calls)
    • ldrmodules - unlinked DLLs
    • malfind - hidden and injected code
    • psxview - hidden processes with various process listings
    • ssdt_ex - Hook Explorer for IDA Pro (and SSDT by thread)
    • svcscan - for Windows services
    • threads - _ETHREAD and _KTHREADs

    These plugins required the following additional packages:
    • yara-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara scans the given FILE, or the process identified by PID, looking for matches against the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
    • yara-python-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts.
    • distorm3-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
  • xmount-0.4.5-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output hard disk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format or in VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files that is redirected to a cache file. This makes it possible to boot acquired hard disk images using QEMU, KVM, VirtualBox, VMware or the like.
  • CERT-Forensics-Tools-1.0-31.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add these packages:
    • ataraw
    • bloom
    • bulk_extractor (not for Fedora 12 nor CentOS/RHEL 5)
    • bulk_extractor-stoplist (not for Fedora 12 nor CentOS/RHEL 5)
    • fiwalk (not for Fedora 12 nor CentOS/RHEL 5)
    • jafat
    • perl-Parse-Evtx
    • tln_tools
    • xmount


August 16, 2011: The following have been released:
  • yaf{,-devel}-2.1.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Important bug fix for application labeling SSL plugin.


August 10, 2011: The following have been released:
  • dff-1.1.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. DFF is a free and Open Source platform dedicated to digital forensic and eDiscovery sciences. The following additional packages were changed or installed in support of DFF:
    • aff{lib,lib-devel,tools}-3.6.12-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. This version includes static versions of the libraries.
    • libpff-20110413-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
    • libbfio{,devel}-20110625-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. Static and dynamic versions of the libraries are provided.
  • dc3dd-7.1.614.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics. New in this version are the following:
    • Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
    • Verification of an image restored to a device larger than the image is now supported. Specify phod=DEVICE to hash only the bytes dc3dd writes to the device. Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all the bytes that follow, up to the end of the device.
  • CERT-Forensics-Tools-1.0-30.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add the DFF package. Note that DFF is not provided for CentOS/RHEL version 5.


August 3, 2011: The following have been released:
  • Volatility-2.0-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This package was updated because the versions for RHEL/CentOS were incorrectly configured.
  • regripper-20110518-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version installs all of the plugins available at this link.
  • perl-DateTime-Format-WindowsFileTime-0.02-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-DateTime-Format-WindowsFileTime converts a Windows FILETIME into a DateTime object. The Windows FILETIME structure holds a date and time associated with a file. The structure identifies a 64-bit integer specifying the number of 100-nanosecond intervals which have passed since January 1, 1601. This package was built and installed in support of regripper.


August 1, 2011: The following has been released:
  • Volatility-2.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. See here for the list of changes.


July 29, 2011: The following have been released:
  • md5deep-3.9.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • yaf{,-devel}-2.1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
    • YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element (see yaf)
    • Reset Application Label on UDP-uniflows for Deep Packet Inspection
    • Fixed yafscii invalid parameter bug that may have existed on certain platforms
    • Added VNC (RFB Protocol) application label
    • DPI Enhancements
    • FlowEndReason IPFIX field is now set to 31 for udp-uniflows
    • For Cygwin: Added support for getting the yaf config directory via the Windows Registry
    • Several other bug fixes


July 8, 2011: The following has been released:
  • guymager-0.5.9-1.{fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.5.7):
    • The 2GiB limit for EWF files no longer exists (the max. size now is 8EiB)
    • A new AutoExit function has been added. If activated, guymager exits as soon as all acquisitions have terminated successfully. By means of the program's exit code, a script might decide, for instance, to shut down the system. This feature is useful for acquisitions taking place overnight or during the weekend.
    • A new menu point in Gnome allows for launching Guymager from the menu Application / System tools.
    • The problems with UDisks under KDE / Kubuntu no longer exist.


June 23, 2011: The following have been released:
  • DropboxReader-1.0-1.{fc11,fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - The DropboxReader package version 1.0 was installed for all supported architectures. Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software.
  • CERT-Forensics-Tools-1.0-29.{fc11,fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add the DropboxReader package.


June 22, 2011: The following have been released:
  • grokevt-0.5.0-2.{fc11,fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The grokevt package version 0.5.0 was installed for all supported architectures. Here are the changes since the previous version (0.4.1):
    • Redesigned grokevt-builddb to use RegLookup's pyregfi library instead of executing the command line tools
    • Added work-around for the fact that many Linux distributions no longer make case-insensitive filesystem mounts easy
    • Support for Python 3
    • Changed license to GPLv3
    • Various unicode and other bug fixes
  • reglookup-1.0.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup package version 1.0.0 was installed for all supported architectures, except for Fedora 11. Here are the changes since the previous version (0.4.0):
    • SK records and security descriptors now accessible in pyregfi
    • Added key caching to regfi, reintroduced SK caching
    • Minor API simplifications and improved documentation
    • Numerous bug fixes
    • Made regfi a proper library and made major improvements to the API
    • Added Python bindings (pyregfi) for regfi
    • Replaced Make-based build system with a SCons-based one
    • Numerous improvements in regfi for multithreaded use, memory management
    • Improved API documentation


June 15, 2011: The following have been released:
  • lame{,-libs}-3.98.4-1.fc14.{i686,x86_64}.rpm - The lame and lame-libs packages version 3.98.4 were installed in the Fedora 15 repository for the i386 and x86_64 architectures. These additions make the repository dependent only upon the Fedora and Fedora Updates repositories.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change for version 2.4.5 release 4 was to recompile all of the tools to use the local timezone for command inputs and for printing records. Files continue to be stored by UTC time.


June 14, 2011: The following have been released:
  • sleuthkit-{,devel,libs,debuginfo}-3.2.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
  • yaf{,-devel}-2.0.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Improvements with Reassembly of TCP Fragments
    • Bug Fix for DNS Deep Packet Inspection
    • --no-frag switch now works
    • Bug Fix for expiring flows that exceed the idle timeout when reading from a file
    • Added the ability to configure YAF with WinPCAP


June 9, 2011: The following has been released:
  • Volatility-1.4_rc1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.


June 8, 2011: The following have been released:
  • libfixbuf{,-devel}-1.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.1 packages. The packages added to the repository are:
    • silk-analysis-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than that where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • yaf{,-devel}-2.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes:
    • This version requires libfixbuf 1.0.0 or greater.
    • Bug Fix for compile error with --enable-daginterface
    • Enhancement for SNMPv3 application labeler
  • md5deep-3.9.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • etherape-0.9.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color-coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website, which is newer than the version available from the standard Fedora repositories.

June 6, 2011: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.11/ChangeLog after the package has been installed.
  • log2timeline-0.60-1.{fc11,fc12,fc13,fc14,fc15,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. See /usr/share/doc/log2timeline-0.60/CHANGELOG after the package has been installed. Note that the program glog2timeline has been removed from this release, but may reappear in the future.
  • ssdeep-2.6-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
  • xplico-0.6.3-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
    • 32 and 64 bit
    • new decoding manager (DeMa): version 0.3.1
    • mfile manipulator (HTTP file transfer) bug fixes
    • WebMail scripts improved
    • HTTP dissector improved
    • XI: upgraded the javascript libraries

May 23, 2011: The following have been released:
  • FC14-foren-2011-01-{i386,x86-64} - These items are VMware-based forensic appliances built with Fedora 14 for the i386 and x86_64 architectures. Please note that they are not live CDs. See this document that explains how to download, install, and operate the appliance.
  • testdisk-6.12-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

May 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository, except as noted:
  • ddrescue-1.14-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes:
    • Added new option `-R, --reverse'.
    • Added new option `-E, --max-error-rate'.
    • Extended syntax `--max-errors=+N' to specify new errors.
    • Changed short name of option `--retrim' to `-M'.
    • Removed spurious warning about `preallocation not available'.
    • Code reorganization. New class `Genbook'.
  • gparted-0.8.0-1.{fc11,fc12,fc13,fc14}.{i386,x86_64}.rpm - Gparted is a free partition editor for graphically managing your disk partitions. See the release notes for details. Note that this update does not apply to the CentOS repositories.
  • nmap{,-frontend}-5.51-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details.
  • p7zip{,-plugins}-9.20.1-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - P7zip is a quick port of 7z.exe and 7za.exe (command line version of 7zip, see www.7-zip.org) for Unix. 7-Zip is a file archiver with highest compression ratio. Here are the changes:
    • 7-Zip now supports LZMA2 compression method.
    • 7-Zip now can update solid .7z archives.
    • 7-Zip now supports XZ archives.
    • 7-Zip now supports PPMd compression in ZIP archives.
    • 7-Zip now can unpack NTFS, FAT, VHD, MBR, APM, SquashFS, CramFS, MSLZ archives.
    • 7-Zip now can unpack GZip, BZip2, LZMA, XZ and TAR archives from stdin.
    • 7-Zip now can unpack some TAR and ISO archives with incorrect headers.
    • 7-Zip now supports files that are larger than 8 GB in TAR archives.
    • NSIS and WIM support was improved.
    • Partial parsing for EXE resources, SWF and FLV.
    • The support for archives in installers was improved.
    • 7-Zip now can store NTFS file timestamps in ZIP archives.
    • Speed optimizations in PPMd codec.
    • Speed optimizations in CRC calculation code for Intel's Atom CPUs.
    • New -scrc switch to calculate total CRC-32 during extracting / testing.
    • 7-Zip File Manager now doesn't use temp files to open nested archives stored without compression.
    • Disk fragmentation problem for ZIP archives created by 7-Zip was fixed.
    • Some bugs were fixed.
    • New localizations: Hindi, Gujarati, Sanskrit, Tatar, Uyghur, Kazakh.
    • Not in p7zip : Speed optimizations in AES code for Intel's 32nm CPUs.
  • libfixbuf{,-devel}-1.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). Here are the changes:
    • Added functionality to adhere to the proposed IPFIX extension: "Export of Structured Data in IPFIX". This proposed standard allows for the following three new data types.
    • Added new data type: fbBasicList_t to house fixbuf "basicLists."
    • Added new data type: fbSubTemplateList_t to house fixbuf "subTemplateLists."
    • Added new data type: fbSubTemplateMultiList_t to house fixbuf "subTemplateMultiLists."
    • Added the functionality to handle multiple listeners, allowing for connections on multiple ports.
    • Support for Netflow V9.
    • Spread support has been expanded to allow for greater flexibility in using one exporter to publish to multiple groups.
    • Templates are now managed on a per-group basis for a Spread exporter.
    • Templates can now be multicasted to select Spread groups.
    • Default Automatic Mode for Listeners is now set to true.
    • Many other bug fixes.
  • yaf{,-devel}-2.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes:
    • This version requires libfixbuf 1.0.0 or greater.
    • Added Napatech Adapter Integration (requires libpcapexpress).
    • YAF now exports TCP, payload, finger printing, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
    • Added the ability to export YAF capture statistics using IPFIX Options Templates.
    • The --stats and --no-stats options were added to configure YAF stats output.
    • Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
    • Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
    • Added a time-out buffer flush function.
    • Added SSL Certificate Capture.
    • Added DNS Resource Record Parsing.
    • Added Deep Packet Inspection for the MySQL protocol.
    • The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
    • Deep Packet Inspection elements are read from one configuration file.
    • Added the ability to create new DPI elements from the configuration file.
    • Added UDP Export and Template Retransmission.
    • Many Bug fixes and other enhancements.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.0 packages. The packages added to the repository are:
    • silk-analysis-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than that where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • unrar-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm and libunrar{,-devel}-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - UNrar is a freeware program for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above. See the news for a list of changes.

May 6, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
  • aff{lib,lib-devel,tools}-3.6.11-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.11/ChangeLog after the package has been installed.
  • xplico-0.6.2-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
    • l7-patterns for all flows/protocols not decoded by xplico
    • Xplico Interface (XI) improved
    • python3 porting of many scripts
    • realtime capture module improved
    • facebook chat realtime views
    • UTC/localtime bug fixes
    • l2tp dissector bug fixes
    • cli and lite dispatchers bug fixes
    • telnet dissector bug fixes

April 26, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
  • md5deep-3.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • scalpel-2.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of scalpel.

April 18, 2011: The following has been released:
  • aff{lib,lib-devel,tools}-3.6.10-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.10/ChangeLog after the package has been installed.

April 14, 2011: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.9/ChangeLog after the package has been installed.
  • log2timeline-0.52-1.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. This version contains a few bug fixes, new modules, and a new tool called l2t_process. See /usr/share/doc/log2timeline-0.52/CHANGELOG after the package has been installed. To build and install this package for CentOS, the following Perl modules were installed:
    • perl-Compress-Raw-Zlib-2.033-1.el5.{i386,x86_64}.rpm - See here for details.
    • perl-Archive-Zip-1.30-1.el5.noarch.rpm - See here for details.

April 12, 2011: The following has been released:
  • ptfinder-0.3.05-2.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - ptfinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. This release adds support for Vista, Windows Server 2003, Windows 2000, and Windows XP to the already supported Windows XP SP 2.

March 22, 2011: The following have been released:
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The packages added to the repository are:
    • silk-analysis-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • yaf{,-devel}-1.3.2-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - YAF is Yet Another Flow sensor. It processes packet data from pcap(3) dumpfiles as generated by tcpdump(1) or via live capture from an interface using pcap(3) or an Endace DAG card into bidirectional flows, then exports those flows to IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can be used with the NetSA Aggregated Flow (NAF) toolchain. The yaf-devel package contains static libraries and C header files for yaf.
  • aff{tools,lib,lib-devel}-3.6.8-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
  • CERT-Forensics-Tools-1.0-28.fc{11,12,13,14}.noarch.rpm - This package was updated to add the SiLK and YAF tools.

March 16, 2011: The following has been released:
  • FC14-foren-2011-01-i386-RC2 - This item is the second release candidate for the VMware-based forensic appliance built with Fedora 14. Please note that this is not a live CD. See this document that explains how to download, install, and operate the appliance. This release candidate has PTK Version 1.0.5, a reengineered desktop, and phpMyAdmin.

March 14, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • ptk-1.0.5-1.fc{11,12,13,14}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL, which is assumed to be configured (using the command line tool mysql_secure_installation or equivalent) and operating. It also assumes a web server, for example Apache, that is configured and operational.
  • CERT-Forensics-Tools-1.0-27.fc{11,12,13,14}.noarch.rpm - This package was updated to add the PTK tool.

March 1, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.1-6.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.1-6.fc11.i386.rpm - xplico is an Internet traffic decoder. This release no longer configures xplico to start automatically on system boot. This configuration should be done in tandem with the configuration of httpd, upon which it relies.
  • sleuthkit-{,devel,libs,debuginfo}-3.2.1-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.

February 28, 2011: The following has been released:
  • FC14-foren-2011-01-i386-RC1 - This item is a VMware-based forensic appliance built with Fedora 14. Please note that this is not a live CD. See this document that explains how to download, install, and operate the appliance.

February 24, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • gpart-0.1h-12.fc12.i686.rpm - This package was copied from the Fedora 12 and Fedora 13 i386 releases to the CERT x86_64 Fedora 12 and 13 repositories.
  • gpart-0.1h-13.fc14.i686.rpm - This package was copied from the Fedora 14 i386 release to the CERT x86_64 Fedora 14 repository.
  • CERT-Forensics-Tools-1.0-26.fc{11,12,13,14}.{i386,x86_64}.rpm - This package was updated to make the gpart package no longer conditional on the i386 architecture. See here for more information.

February 23, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-24.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of the xplico dependency for all supported architectures. Xplico 0.6.1 was previously released on December 10, 2010.
  • etherape-0.9.10.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website, which is newer than the version available from the standard Fedora repositories.

February 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • dc3dd-7.0.0.fc{11,12,13,14}.{i386,x86_64} - dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
    • Pattern writes. The program can write a single hexadecimal value or a text string to the output device for wiping purposes.
    • Piecewise and overall hashing with multiple algorithms. Supports MD5, SHA-1, SHA-256, and SHA-512.
    • Progress meter with automatic input/output file size probing.
    • Combined log for hashes and errors.
    • Error grouping. Produces one error message for identical sequential errors.
    • Verify mode. Able to hash output files and compare hashes to the acquisition hash.
    • Ability to split the output into chunks with numerical or alphabetic extensions.
    • Ability to write multiple output files simultaneously.

January 31, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-23.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the conditional addition of the gpart dependency only for the x86 architecture.

January 17, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-22.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tool and supporting package:
    • gpart - gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted. The guessed table can be written to a file or device. Supported (guessable) filesystem or partition types:
      • DOS/Windows FAT (FAT 12/16/32)
      • Linux ext2
      • Linux swap partitions versions 0 and 1 (Linux >= v2.2.X)
      • OS/2 HPFS
      • Windows NTFS
      • *BSD disklabels
      • Solaris/x86 disklabels
      • Minix FS
      • Reiser FS
      • Linux LVM physical volume module (LVM by Heinz Mauelshagen)

January 11, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • etherape-0.9.9.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website, which is newer than the version available from the standard Fedora repositories.

January 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-21.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • nmapfe - nmapfe is a convenient X Window front end for the Nmap Security Scanner. Most of the options correspond directly to Nmap options, which are described in detail in the Nmap man page. We recommend you read that first. There is also limited help available via the NmapFE "Help" menu.
    • etherape - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.

January 4, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.6-2.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.

December 20, 2010: The following packages and tools have been updated in the Fedora 10, 11, 13, and 14 versions of the cert repository:
  • md5deep-3.7-1.fc{11,12,13,14}.*.rpm - This package was updated to reflect the new version of md5deep.

December 16, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • log2timeline-0.51-1.fc{12,13,14}.{i386,x86_64}.rpm, log2timeline-0.51-1.fc11.i386.rpm - log2timeline is a framework for the automatic creation of a super timeline.
  • perl-Mac-PropertyList-1.33-1.fc1{1,2,3,4}.noarch.rpm - perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format. log2timeline-0.51 uses this package.

December 10, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.1-5.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.1-5.fc11.i386.rpm - xplico is an Internet traffic decoder. It has both a command line (CLI) interface and a Web interface (using http://localhost:9876). Please note that this version preserves previous instances of the xplico database that contains created cases and uploaded sessions.

November 30, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.0-10.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.0-10.fc11.i386.rpm - xplico is an Internet traffic decoder. It has both a command line (CLI) interface and a Web interface (using http://localhost:9876).

November 17, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-20.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ssldump - ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
    • socat - socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them.

November 16, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • {libunrar,libunrar-devel,unrar}-3.9.10-3.fc1{1,2,3,4}.{i386,x86_64}.rpm - UnRAR is a RAR archive unarchiver.
  • aff{tools,lib,lib-devel}-3.6.4-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.

November 11, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • sleuthkit-{,devel,libs,debuginfo}-3.2.0-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.

November 5, 2010: Fedora 14 for the i386 and x86_64 architectures is now supported by the repository.


October 25, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.3-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.

October 4, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.2-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
  • FC12-foren-2010-02 - The CERT Forensics Appliance, a VMware-based Fedora 12 system was released. Please note that this is a VMware guest but it is not a Live CD. You must install the VMware files from the downloaded ISO image. See the README.txt for details.

August 17, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-18.fc{10,11,12,13}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • hachoir-core-1.3.4-1.fc{10,11,12,13}.*.rpm - hachoir-core is a Python library used to represent a binary file as a tree of Python objects.
    • hachoir-metadata-1.3.3-1.fc{10,11,12,13}.*.rpm - hachoir-metadata is a tool that extracts metadata from multimedia files: music, picture, video, and archives.
    • hachoir-parser-1.3.5-1.fc{10,11,12,13}.*.rpm - hachoir-parser is a Python library used by the hachoir tool suite to parse binary files.
    • hachoir-regex-1.0.5-1.fc{10,11,12,13}.*.rpm - hachoir-regex is a Python library used for regular expression (regex or regexp) manipulation.
    • hachoir-subfile-0.5.3-1.fc{10,11,12,13}.*.rpm - hachoir-subfile is a tool that finds subfiles in any binary stream.
    • hachoir-urwid-1.1-1.fc{10,11,12,13}.*.rpm - hachoir-urwid is a binary file explorer based on Hachoir library to parse the files.
    • hachoir-wx-0.3.1-1.fc{10,11,12,13}.*.rpm - hachoir-wx is a wxWidgets-based program that's meant to provide a (more) user-friendly interface to the facilities provided by the hachoir binary parser core.

August 16, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-17.fc{10,11,12,13}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ext3grep-0.1?.?-?.fc{10,11,12,13}.*.rpm - ext3grep.
    • gparted-0.?.?-?.fc{10,11,12,13}.*.rpm - gparted.
    • scrounge-ntfs-0.9-1.fc{10,11,12,13}.*.rpm - scrounge-ntfs which was also added to the repository.

August 4, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • ssdeep-2.5-1.fc{10,11,12,13}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.

August 2, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • sfdumper-2.2-1.fc1{0,1,2,3}.noarch.rpm - Sfdumper is a selective file dumper script.

July 23, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • sleuthkit-{,devel,libs,debuginfo}-3.1.3-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
  • CERT-Forensics-Tools-1.0-16.fc{10,11,12}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ghex-2.2?.?-?.fc{10,11,12}.*.rpm - The ghex Gnome Hex Editor was added.


July 6, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, 12, and 13 versions of the cert repository:

NOTE: These modules represent the last modules to be built for Fedora 8 and Fedora 9.


June 22, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, 12, and 13 versions of the cert repository:
  • log2timeline-0.43.1.fc{8,9,10,11,12,13}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.

June 11, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, 13 versions of the cert repository:
  • libguytools-2.0.1-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
  • guymager-0.5.3beta1-2.fc1{0,1,2,3}.{i686,x86_64}.rpm - Guymager is a forensic imaging package.
  • sleuthkit-{,devel,libs,debuginfo}-3.1.2-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.

June 10, 2010: Fedora 13 x86_64 is now supported by the repository.


June 8, 2010: Fedora 13 i386 is now supported by the repository.


April 6, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • autopsy-2.24-1.fc{8,9,10,11,12}.noarch.rpm - This package was updated to reflect the new version of autopsy.

April 5, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-14.fc{8,9,10,11,12}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • rifiuti2-0.5.1-1.fc{8,9,10,11,12}.*.rpm - rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 files.
    • stegdetect-0.61-1.fc{8,9,10,11,12}.*.rpm - stegdetect is an automated tool for detecting steganographic content in images.
    • regripper-2008909-1.fc{8,9,10,11,12}.*.rpm - regripper is a Windows Registry data extraction and correlation tool.
    • rar-3.9.3-1.fc{8,9,10,11,12}.*.rpm - rar is a compression and decompression program.
    • unrar-3.8.4-1.fc{8,9,10,11,12}.*.rpm - unrar is for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above.
    • missidentify-1.0-1.fc{8,9,10,11,12}.*.rpm - missidentify is a program to find Win32 applications.
    • log2timeline-0.42.1.fc{8,9,10,11,12}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline. log2timeline required the following additional Perl packages to be built and installed:
      • perl-Data-Hexify-1.00-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-DBD-SQLite-1.29-1.fc{8,9,10,11,12}.*.rpm
      • perl-Digest-Crc32-0.01-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-NetPacket-0.42.0-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-Net-Pcap-0.16-1.fc{8,9,10,11,12}.*.rpm
      • perl-Parse-Win32Registry-0.51-1.fc{8,9,10,11,12}.noarch.rpm
    • In addition, the following tools have been added by reference. They are all part of the standard Fedora repositories:
      • aimage - A disk imager.
      • ewftools - Tools to acquire, verify and export EWF files.
      • afftools - Tools that use the Advanced Forensic Format (AFF) library.
      • mdbtools - A suite of programs for accessing data stored in Microsoft Access databases.
      • antiword - A free Microsoft Word reader. It converts documents from Word 6, 7, 97 and 2000 to ASCII and Postscript. Antiword tries to keep the layout of the document intact.
      • perl-Image-ExifTool - A Perl module with an included command-line application for reading and writing meta information in image, audio, and video files. It reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3 meta information from JPG, JP2, TIFF, GIF, PNG, MNG, JNG, MIFF, EPS, PS, AI, PDF, PSD, BMP, THM, CRW, CR2, MRW, NEF, PEF, ORF, DNG, and many other types of images. ExifTool also extracts information from the maker notes of many digital cameras by various manufacturers including Canon, Casio, FujiFilm, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Ricoh, Sanyo, Sigma/Foveon, and Sony.
      • p7zip - A file archiver with a very high compression ratio.
      • safecopy - A data recovery tool which tries to extract as much data as possible from a problematic (i.e. damaged sectors) source, such as floppy drives, hard disk partitions, CDs, tape devices, ..., where other tools like dd would fail due to I/O errors. Note: safecopy is not available in Fedora 8.
      • poppler-utils - Command line tools for converting PDF files to a number of other formats.

March 25, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • md5deep-3.6-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of md5deep.

March 18, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • reglookup-0.12-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of reglookup.

March 8, 2010: The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.

The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • autopsy-2.23-1.noarch.rpm - Version 2.23 was installed. Here are the changes since the previously installed (2.21) version:

         --------------------------- Version 2.23 --------------------------------
         2/12/10: bug fix: resolved issue 2950693 where previous searches were not shown
                           if they used quotes.

         2/12/10: bug fix: resolved issue 2932385 where wrong flag was being used to do
                           only doing category searching

         2/12/10: bug fix: resolved issue 2779244 where wrong sorter path was being used.

         --------------------------- Version 2.22 --------------------------------
         10/27/09: Update: Change istat to use -B instead of -b (new change in TSK).

         11/19/09: Update: Improved configure script process and error message
                           for FILE_EXE check.

         11/25/09: Fixed MD5 exe bug when building live CD

         12/30/09: Fixed issue 2923857 re: cookie errors for the icon and css file
                                           links when cookies are used.

  • ssdeep-2.4-1.fc{8,9,10,11,12}.i686.rpm - Version 2.4 was installed. Here are the changes made since the previously installed (2.3) version:

         ** Version 2.4 - 25 Feb 2010
                Added -k mode to compare unknown signatures against known signatures.

March 4, 2010: The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.

The following packages and tools have been updated in the Fedora 12 version of the cert repository:
  • CERT-Forensics-Tools-1.0-10.fc12.noarch.rpm - This package was updated but, in essence, no changes were made.
  • memdump-1.01-2.fc12.*.rpm - This package is now made from source and has been moved from the memdump repository to the cert repository.
  • fatback-1.3-1.fc12.*.rpm - This package is now made from source and has been moved from the fatback repository to the cert repository.

March 3, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • foremost-1.5.7-1.fc{8,9,10,11,12}.i386.rpm - This package was updated to reflect the new version of foremost.
  • splunk-4.0.9-74233.i386.rpm - Splunk, version 4.0.9, build 74223. See the release notes here.

March 2, 2010: The following packages and tools have been updated in the Fedora 9, 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-5.fc{9,10,11,12}.noarch.rpm - This update includes nmap as a dependency. This release of nmap includes ncat, an improved version of the netcat program.

February 19, 2010: The following packages and tools have been updated in the Fedora 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-4.fc1{0,1,2}.noarch.rpm - This update includes the following tools as dependencies:
    • guymager-0.4.2-1.fc1{0,1,2}.i686.rpm - Guymager is a forensic imaging package.
    • libguytools-1.1.1-1.fc1{0,1,2}.i686.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
    • sfdumper-2.1-1.fc1{0,1,2}.noarch.rpm - Sfdumper is a selective file dumper script.
    • mount_ewf-20090113-1.fc1{0,1,2}.noarch.rpm - Mount_ewf is a script that mounts EWF files as images using the loopback capability.
    • fundl-2.0-1.fc1{0,1,2}.noarch.rpm - Fundl is a script that uses the Sleuthkit for recovering deleted files.
    • cryptcat-1.2.1-1.fc1{0,1,2}.i686.rpm - Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.

February 8, 2010: All of the Fedora 8 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-8-3.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 10 version of the cert repository:
  • CERT-Forensics-Tools-1.0-4.fc8.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-8-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc8.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc8.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc8.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc8.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc8.i386.rpm - This package was updated to reflect the new version of ssdeep.


February 8, 2010: All of the Fedora 9 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-9-4.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 9 version of the cert repository:
  • CERT-Forensics-Tools-1.0-4.fc9.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-9-4.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc9.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc9.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc9.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc9.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc9.i386.rpm - This package was updated to reflect the new version of ssdeep.


February 8, 2010: All of the Fedora 10 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-10-3.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 10 version of the cert repository:
  • CERT-Forensics-Tools-1.0-2.fc10.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-10-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc10.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc10.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc10.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc10.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc10.i386.rpm - This package was updated to reflect the new version of ssdeep.

The following tool has been updated in the Fedora 11 version of the cert repository:
  • ssdeep-2.3-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.

The following tool has been updated in the Fedora 12 version of the cert repository:
  • ssdeep-2.3-1.fc12.i386.rpm - This package was updated to reflect the new version of ssdeep.


February 3, 2010: All of the Fedora 11 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-11-5.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 11 version of the cert repository:
  • CERT-Forensics-Tools-1.0-3.fc11.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-11-5.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc11.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc11.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc11.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc11.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.2-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.


February 2, 2010: The CERT Forensics Appliance based on VMware and Fedora 12 has been released.


February 2, 2010: Fedora 12 is now supported by the repository.

January 7, 2010: A new key has been issued for the CERT Forensics Team. As of this time, only the Fedora 12 packages have been signed with this new key.

August 24, 2009: The following tools have been added to the Fedora 11 version of the cert repository:
  • hal-no-no-ignore-0.5.12-29.20090226git.fc11.i386.rpm - This package causes the Hardware Abstraction Layer (hal) to not ignore various file system types (ntfs, vfat) that are normally ignored by default. See the documentation on hal.

July 10, 2009: Fedora 11 is now supported by the repository.

June 2, 2009: The following tools have been repaired and installed in the Fedora 8, 9, 10 repositories:
  • Volatility-1.1.2-2.fc10.i386.rpm - Missing files were added and the command language interpreter, python in this case, was correctly referenced.

May 26, 2009: The following tools have been added to the Fedora 8, 9, 10 version of the splunk repository:
  • splunk-3.4.9-57762.i386.rpm - Splunk, version 3.4.9, build 57762. See the Splunk release notes for details.

April 28, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • libewf-devel-static-20080501-3.fc10.i386.rpm - A static version of the libewf libraries. These libraries are needed to build PyFlag.
  • pyflag-0.87.pre1-7.i386.rpm - The Python-based Forensic and Log Analysis (FLAG) GUI.


April 23, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • python-urwid-0.9.8.4-1.noarch.rpm - Python library for making text console applications. This is needed to build PyFlag.


April 15, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • sfdumper-1.6-1.fc10.noarch.rpm - A Selective File Dumper built on top of the Sleuthkit.


April 14, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • guymager-0.3.1-2.fc10.i386.rpm - A GUI imager
  • libguytools-1.0.4-1.fc10.i386.rpm - Libraries for guymager
  • gtkhash-0.2.1-1.fc10.i386.rpm - A GUI front-end for hashing
  • fundl-1.0-1.fc10.noarch.rpm - A File UNDeLetion script.


April 14, 2009: A tool test entry has been made in the Fedora 10 version of the /etc/yum.repos.d/cert-forensics-tools.repo repository definitions file. This lets us provide tools for testing purposes. The test entry needs to be enabled by editing the cert-forensics-tools.repo file and setting enabled to the value 1 as in enabled=1.
Last updated: April 7, 2014