LiFTeR: Changes for April 7, 2014
- CERT-Forensics-Tools-1.0-58.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
This package was updated to add the following:
- plaso - A timeline tool (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only)
- libregf-tools - Tools to access Windows NT Registry files
- libmsiecf-tools - Tools to access Microsoft Internet Explorer (MSIE) Cache File (index.dat) files
- libevt-tools - Tools to access Windows Event Log (EVT) format files
- liblnk-tools - Tools to access Windows NT Registry files
- libolecf-tools - Tools to access OLE 2 Compound File (OLECF) format files
- ddrutility (not CentOS/RHEL 5) - Utility for use with gnuddrescue to aid with data recovery
- fcrackzip - Zip Password Cracker
- undbx (not CentOS/RHEL 5) - Tool to extract, recover and undelete e-mail messages from Outlook Express .dbx files
- silk-ipa (Fedora 17 and beyond, and CentOS/RHEL 6.5 for x86_64 only) - Script to enable the IPA-based version of the SiLK tools
- hachoir-metadata-1.3.3-2.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - hachoir-metadata is a tool
that extracts metadata from multimedia files: music, picture, video, and archives.
The changes were to correct the permissions of the installed files.
- plaso-1.0.1alpha-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm, plaso-1.0.1alpha-1.el6.x86_64.rpm - Plaso
is the Python based back-end engine used by tools such as log2timeline for automatic creation of a super timelines.
The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers
and related systems, such as network equipment to produce a single correlated timeline.
This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system.
- libregf{,-devel,-python,-tools}-20140118-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
libregf contains libraries and tools to access the Windows NT Registry File files.
- libmsiecf{,-devel,-python,-tools}-20140131-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
libmsiecf contains libraries and tools
to access the Microsoft Internet Explorer (MSIE) Cache File (index.dat) files.
- libevt{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libevt
contains libraries and tools to access the Windows Event Log (EVT) format files.
- libevtx{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
Libevtx contains libraries and tools
to access the Windows XML Event Log (EVTX) format files.
- liblnk{,-devel,-python,-tools}-20140112-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - liblnk contains libraries and tools
to access the Windows Shortcut File (LNK) format file.s
- libolecf{,-devel,-python,-tools}-20131108-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - libolecf contains libraries and tools
to access the OLE 2 Compound File (OLECF) format filed.
The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats.
- protobuf-c{,-devel}-0.15-2.1.el6.x86_64.rpm - Protobuf-c package provides a code generator and runtime libraries
to use Protocol Buffers from pure C (not C++).
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
- protobuf{,-compiler,-devel,-lite,-lite-devel,-lite-static,-python,-static,-vim}-2.4.1-1.el6.x86_64.rpm - Protobuf (Protocol Buffers)
are a way of encoding structured data in an efficient yet extensible format. Google uses Protocol Buffers for almost all of its internal RPC protocols and file formats.
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
- python-ipython{,-console,-doc,-gui,-notebook,-tests}-0.13.2-1.el6.x86_64.rpm - IPython is an enhanced interactive Python shell.
This package was only provided for CentOS/RHEL 6 for the x86_64 architecture.
- perl-Parse-Evtx-{,-tools}1.1.1-2.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx
is a Windows Event Log Parser library and tools collection.
Because files in the previous release - 1.1.1-1 - of perl-Parse-Evtx now conflict with files in libevtx-tools, the tools from perl-Parse-Evtx were moved to perl-Parse-Evtx-tools so
that perl-Parse-Evtx, upon which log2timeline depends, could be installed.
- binplist-0.1.4-0.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Binplist is a binary property list (plist) parser module written in python.
- libewf{,-devel,-tools}-20140216-1.{fc17,fc18,el5,el6}.{i686,x86_64}.rpm, libewf-{devel,tools}-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm, and ewftools-20140216-1.{fc19,fc20}.{i686,x86_64}.rpm -
Libewf supports Expert Witness Compression Format (EWF) formatted files.
It supports both the SMART (EWF-S01) and EnCase (EWF-E01) format.
Note that beginning with Fedora 19, the tools package is named ewftools to reflect the package name found in those releases of Fedora.
Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Here are the changes from the previous version (20140216):
- bug fix in recent process status changes
- integrating latest update for multi threaded ewfacquire changes
- changed behavior of empty-block check
- worked on integrating multi threaded ewfacquire changes
- updated dependencies
- added libcdatetime
- removed borlandc files
- small updates
- moved low-level function support from compile time to run time
- worked on sync with experimental version
- Also added missing fuse-devel build requirement
- sleuthkit{,-devel,-libs}-4.1.3-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a
library and collection of command line tools that allow you to investigate volume and file system data.
The changes from the previous version - 4.1.3-1 - are the following:
- Patch to support pytsk.
- Rebuilt with libewf-20140216
- pytsk-20131230-1.{fc17,fc18,fc19,fc20,el5,el6}.{i386,x86_64}.rpm - Pytsk
is Python bindings for The Sleuth Kit.
See here for a list of changes.
- partclone-0.2.69-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Partclone is a program similar to the
well-known backup utility "Partition Image" a.k.a partimage. Partclone provides utilities to save and restore used blocks on a
partition and is designed for higher compatibility of the file system by using existing libraries, e.g. e2fslibs is used to read and write
the ext2 partition.
The supported file systems are: ext2, ext3, ext4, hfs+, btrfs, ntfs, fat(12/16/32), and exfat.
This release was built to use the correct version of libntfs-3g.so.
- lime-kernel-objects-1.1.r16-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - LiME is a
Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, such as those powered by Android.
The changes added support for the following kernels:
- 3.13.6-200 for FC20
- 3.13.5-202 for FC20
- 3.13.5-200 for FC20
- 3.13.4-200 for FC20
- 3.13.3-201 for FC20
- 3.12.10-300 for FC20
- 3.13.6-100 for FC19
- 3.13.5-103 for FC19
- 3.13.5-101 for FC19
- 3.12.11-201 for FC19
- 2.6.32-431.5.1 for EL6
- fmem-kernel-objects-1.6-1.27.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fmem is kernel module that creates
device /dev/fmem, similar to /dev/mem but without limitations.
The changes added support for the same kernels noted for lime.
- ddrutility-2.2-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Ddrutility is meant to be a compliment to
gnuddrescue.
It is a set of utilities to help with hard drive data rescue. It currently contains the following utilities:
- ddru_findbad
- ddru_ntfsbitmap
- ddru_ntfsfindbad (NEW)
- fcrackzip-1.0-1.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm - Fcrackzip is a zip password cracker, similar to fzc, zipcrack and others.
It is intended to be free, fast, portable, and featureful.
- undbx-0.21-1.{fc17,fc18,fc19,fc20,el6}.{i686,x86_64}.rpm - Undbx extracts, recovers and undeletes e-mail messages from
Outlook Express .dbx files.
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-3.{fc17,fc18,fc19,fc20,el5,el6}.{i686,x86_64}.rpm -
SiLK is the System for Internet-Level Knowledge, a collection of
traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks.
Note: In this release of SiLK (3.8.1-3), support for the IPA extensions have been removed. They have been replaced by an optional repository that is now part of cert-forensics-tools-release named forensics-sip, the definition of which can be found in /etc/yum.repos.d/cert-forensics-tools.repo. This repo is diabled by default and can be enabled by running the script named /usr/bin/EnableSilkWithIPA as root. When that script is run, the following additional packages are installed or updated:
- silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm or silk-{analysis,common,devel,flowcap,rwflowappend,rwflowpack,rwpollexec,rwreceiver,rwsender}-3.8.1-4.el6.x86_64.rpm - The only change to this release is that it was built with the IPA IP address annotation system.
- postgresql{,-contrib,-devel,-docs,-libs,-plperl,-plpython,-plpython3,-pltcl,-server,-test,-upgrade}-9.3.4-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm - PostgreSQL is an advanced Object-Relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine as the PostgreSQL server, or on a remote machine that accesses a PostgreSQL server over a network connection. The PostgreSQL server can be found in the postgresql-server sub-package.
- ipa{,-devel,-python}-0.5.2-3.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ipa{,-devel,-python}-0.5.2-3.{el6}.x86_64.rpm - IPA is an IP address annotation system. IPA provides a flexible and efficient repository of IP address information, tools for querying and maintaining the data, and shared libraries and modules for data access. For more information, read the IPA documentation.
- ip4r-2.0-1.{fc17,fc18,fc19,fc20}.{i686,x86_64}.rpm and ip4r-2.0-1.el6.x86_64.rpm - IP4R and ip4 are types that contain a single IPv4 address and a range of IPv4 addresses respectively. They can be used as a more flexible, indexable version of the cidr type. This version has been built for PostgreSQL version 9.3.4 for Fedora and version 9.2 for CentOS/RHEL using the CentOS Software Collections Repository.