Linux Forensics Tools Repository

Welcome

Welcome to the CERT Linux Forensics Tools Repository, a repository of packages for Linux distributions. Currently, Fedora and CentOS/RHEL are provided in the repository. See here for the Fedora version support table and here for the CentOS/RHEL version support table. If you are interested in porting the repository to other versions of Linux, please see the Contribute section.

The CERT Linux Forensics Tools Repository provides many useful packages for cyber forensics acquisition and analysis practitioners. If you have suggestions for tools to add to the repository, please see the Contribute section.

The CERT Linux Forensics Tools Repository is not a standalone repository, but rather an extension of the supported systems. Tools can be installed as needed or all at once using the CERT-Forensics-Tools meta package.

Also described here is ADIA, the VMware-based Appliance for Digital Analysis and Investigation. ADIA is a Fedora-based VMware guest intended to be installed under VMware Workstation, Player, or Fusion. It is not a Live CD. See the ADIA section for more details.

Finally, also described here are the packages built to support the Win2-7 Transformation Pack for Fedora 13 and 14. This pack is used in ADIA to give a Windows 7 look and feel to the default examiner login. Since these packages appear to be generally useful, they were placed in their own repository with their own release repo RPM.

NOTICE - Repository Now Available through RSYNC

The CERT Linux Forensics Tools Repository is now available through rsync. The URL to use is rsync://tools.netsa.cert.org/forensic_rsync. Much thanks goes to the Software Engineering Institute's Information Technology folks for engineering this capacity.

NOTICE - New RPM Signing Key

On January 12, 2012, a new RPM signing key was created to replace the previous key which had expired. You can find this new key here. The fingerprint for this key is: AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4.

All packages for Fedora 13, 14, 15, 16, and CentOS/RHEL 5 and 6 were re-signed with this new key except for the cert-forensics-tools-release package. That package contains the new key but is signed with the old key.

If you have previously installed the repository, you need to do the following as root:

yum update cert-forensics-tools-release
yum update

The update will prompt you to install and use the new key and you must answer yes to do so. Once you have done this, updates should proceed as usual.


Announcements

May 14, 2013

ADIA-FC17
ADIA, the Appliance for Digital Investigation and Analysis, based on Fedora 17 was released for VMware and VirtualBox for all supported architectures.

May 7, 2013

Partclone
Partclone version 0.2.48 release 3, was installed in the CentOS/RHEL 6 repositories for all supported architectures.

Prism
Prism, version 1.2 release 2, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Rayon
Rayon, version 1.3.3 release 2, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Libvshadow
Libvshadow, version 20130501, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Yaf
Yaf, version 2.4.0 release 1, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 6 repositories for all supported architectures.

Fmem-kernel-objects
Fmem-kernel-objects, version 1.6-1 release 1.21, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

April 30, 2013

Regripper
Regripper, version 28000000, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures. Note that plugins are packaged separately.

Regripper-plugins
Regripper-plugins, version 20130429, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Fmem-kernel-objects
Fmem-kernel-objects, version 1.6-1 release 1.20, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

April 26, 2013

Scalpel
Scalpel, version 2.0 release 2, was installed in the CentOS/RHEL 5 repositories for all supported architectures.

Snort
Snort, version 2.9.4.6, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 6 repositories for all supported architectures.

Snort-sample-rules
Snort-sample-rules, version 2.9.4.6, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 6 repositories for all supported architectures.

Libvshadow
Libvshadow, version 20130417, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

April 22, 2013

Snort
Snort, version 2.9.4.5, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 6 repositories for all supported architectures.

Snort-sample-rules
Snort-sample-rules, version 2.9.4.5, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 6 repositories for all supported architectures.

Regripper-plugins
Regripper-plugins, version 20130404, was installed in the Fedora 15, 16, 17, 18 and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Bloom
Bloom, version 1.4.6 release 2, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Frag_find
Frag_find, version 1.0.0, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

CERT-Forensics-Tools
CERT-Forensics-Tools version 1.0 release 53 was updated to add frag_find for all supported architectures.

Disktype
Disktype version 9-9.3 was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

Fmem-kernel-objects
Fmem-kernel-objects, version 1.6-1 release 1.19, was installed in the Fedora 15, 16, 17, 18, and CentOS/RHEL 5 and 6 repositories for all supported architectures.

cert-forensics-tools-release
cert-forensics-tools-release version 5.9 release 8 was installed for the CentOS/RHEL 5 repository for all supported architectures.


Repository RPMS

This section lists the supported repositories and explains how to enable them on a supported operating system version and architecture.

Fedora Support Table

To add the tools repository on your Fedora system, install the repository rpm appropriate for your version of Fedora. Find the CERT Forensics GPG key here to verify the rpm before installing it.

Once you've installed one of these release repository packages, you can do either of the following:

  • Install all of the packages provided in the repository with:
    yum install CERT-Forensics-Tools
  • Install only the packages you need. For example, you can install the AFF tools with:
    yum install afftools
Browse the folders linked from the table below to see which packages are available for each supported version and architecture.

This table lists the Fedora versions and architectures for which packages are provided in the repository and their support status. Please note that support for new versions of Fedora is intended to be provided within 2 weeks from the final release of that version.

Fedora Linux Repository Support

Release | X86 RPMS | X86_64 RPMS | Source RPMS | Status
18 | View | View | View | Actively being developed
17 | View | View | View | Actively being developed
16 | View | View | View | Actively being developed
15 | View | View | View | Actively being developed
14 | View | View | View | Development has ended as of 2013-02-05
13 | View | View | View | Development has ended as of 2012-05-31
12 | View | View | View | Development has ended as of 2011-11-08
11 | View | Not Supported | View | Development has ended as of 2011-06-30
10 | View | Not Supported | View | Development has ended as of 2010-11-01
9 | View | Not Supported | View | Development has ended as of 2010-06-30
8 | View | Not Supported | List | Development has ended as of 2010-06-30

CentOS/RHEL Support Table

To add the tools repository on your CentOS/RHEL system, install the repository rpm appropriate for your version of CentOS/RHEL. Again, find the CERT Forensics GPG key here to verify the rpm before installing it. Please note: it is assumed that both the EPEL and RPMForge repositories are enabled on the target system. Install them as root with the following, after first selecting the appropriate architecture:

CentOS/RHEL 5 (pick i386 or x86_64 wherever {i386,x86_64} appears)
cd /tmp
wget http://download1.fedora.redhat.com/pub/epel/5/{i386,x86_64}/epel-release-5-4.noarch.rpm
rpm -Uvh epel-release-5-4.noarch.rpm
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el5.rf.{i386,x86_64}.rpm
rpm -Uvh rpmforge-release-0.5.3-1.el5.rf.{i386,x86_64}.rpm
yum update epel-release rpmforge-release

CentOS/RHEL 6 (pick i386 or x86_64 for EPEL, i686 or x86_64 for RPMForge)
cd /tmp
wget http://download1.fedora.redhat.com/pub/epel/6/{i386,x86_64}/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6-8.noarch.rpm
wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.3-1.el6.rf.{i686,x86_64}.rpm
rpm -Uvh rpmforge-release-0.5.3-1.el6.rf.{i686,x86_64}.rpm
yum update epel-release rpmforge-release

Once you've installed one of these release repository packages, you can do either of the following:

  • Install all of the packages provided in the repository with:
    yum install CERT-Forensics-Tools
  • Install only the packages you need. For example, you can install the AFF tools with:
    yum install afftools
Browse the folders linked from the table below to see which packages are available for each supported version and architecture.


CentOS/RHEL Linux Repository Support

Release | X86 RPMS | X86_64 RPMS | Source RPMS | Status
5 | View | View | View | Actively being developed
6 | View | View | View | Actively being developed

ADIA

The next table shows the ADIA versions currently available.

Presently, ADIA for Fedora 17 has been developed for the i386 and x86_64 architectures and is now available for both VMware and VirtualBox. This document explains how to install, operate, and maintain ADIA.

ADIA - The Appliance for Digital Investigation and Analysis

Fedora Version | Architecture | Virtualization Software | Appliance ISO Image File | SHA256 Checksum | Signature
17 | i386 | VMware | Link | 346d55192c4e2576746734e249ff7ee3ff05c2b988e75601d8cca4549211ee5a | Link
17 | x86_64 | VMware | Link | f630f39efa52f4fa322551815fb25e9ba729952b5d3c73faf646bda3a9d41466 | Link
17 | i386 | VirtualBox | Link | 4a10f30d8f654a7982499202951b47e41e5c4fa5c57fd18bf5c68b38d23c9685 | Link
17 | x86_64 | VirtualBox | Link | 483818ec3399250ce46265f79f4b2a853fa264929dbcad78d693e61b7ff30c8e | Link
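As an added example, not part of the original page or of the CERT repository's own tooling, the following Python script checks a downloaded ADIA image against the SHA256 values in the table above and compares a fingerprint copied from gpg output with the signing-key fingerprint given in the notice above; the file names it touches are constructed stand-ins, not real downloads.

```python
"""Verify an ADIA image and the RPM signing-key fingerprint against values on this page."""
import hashlib
import hmac
import os
import tempfile

# SHA256 checksums copied from the page's ADIA table (Fedora 17 appliances).
ADIA_SHA256 = {
    ("17", "i386", "VMware"): "346d55192c4e2576746734e249ff7ee3ff05c2b988e75601d8cca4549211ee5a",
    ("17", "x86_64", "VMware"): "f630f39efa52f4fa322551815fb25e9ba729952b5d3c73faf646bda3a9d41466",
    ("17", "i386", "VirtualBox"): "4a10f30d8f654a7982499202951b47e41e5c4fa5c57fd18bf5c68b38d23c9685",
    ("17", "x86_64", "VirtualBox"): "483818ec3399250ce46265f79f4b2a853fa264929dbcad78d693e61b7ff30c8e",
}

# Fingerprint of the RPM signing key created 2012-01-12, as printed in the notice on this page.
SIGNING_KEY_FINGERPRINT = "AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4"


def sha256_of_file(path, chunk_size=1 << 20):
    """Digest a multi-GB image in 1 MiB chunks so it never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_adia_image(path, fedora, arch, virt):
    """True only if the local file's digest equals the published table entry."""
    expected = ADIA_SHA256[(fedora, arch, virt)]
    return hmac.compare_digest(sha256_of_file(path), expected.lower())


def normalize_fingerprint(fpr):
    """Drop the grouping spaces and case differences that `gpg --fingerprint` output carries."""
    return "".join(fpr.split()).upper()


def fingerprint_matches(observed):
    """Compare a fingerprint copied from gpg output with the one published on this page."""
    return normalize_fingerprint(observed) == normalize_fingerprint(SIGNING_KEY_FINGERPRINT)


if __name__ == "__main__":
    # Constructed stand-in for a downloaded image; its digest cannot match, so the check fails closed.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not the real ADIA image")
    try:
        print("image ok:", verify_adia_image(tmp.name, "17", "x86_64", "VMware"))  # False
    finally:
        os.unlink(tmp.name)
    print("key ok:", fingerprint_matches("ae8f91d1 51265835 b4de765d 9198da78 51b601a4"))  # True
```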

The ADIA Examiner Login

The examiner account, which is the default and automatically logged-in account for ADIA, consists, as of Fedora 13, of several packages and a script used to create or reset this account to its default state. (Note: while there was no version of ADIA based on Fedora 13, this work was begun at that time. It continues with Fedora 14.) With these packages, changes to ADIA can be reflected in the examiner's desktop.

One such example is the addition of a tool to the set of tools available to the analyst. When a tool is added, documentation for it can also be added to the examiner's Tool Documentation folder, which appears by default on the examiner's desktop. By updating the packages on ADIA, the documentation also reflects the addition of the new tool.

To this end, there is a second repository that defines the set of packages used to manage the examiner's desktop environment. The table below lists the examiner desktop release RPMs for the supported architectures. These release RPMs contain references to the CERT-supplied RPMs for the examiner login, Adobe Acrobat, Webmin, and the CERT Windows 7 theme RPMs (note: this theme is only available for Fedora 14). Install the rpm for your version of Fedora to enable access via yum. Find the CERT Forensics GPG key here.

Windows 7 Theme Support for Fedora

ADIA for Fedora 8 through 12 used a Microsoft Windows XP theme to make the desktop look more familiar to those forensics analysts who are unaccustomed to Linux and the standard GNOME desktop. This concept and its implementation worked well.

ADIA for Fedora 13 and 14 follows this concept and updates it by using a Microsoft Windows 7 (aka Aero) theme. This Windows 7 theme is based on the Win2-7 Transformation Pack.

Initially the Win2-7 theme did not support Fedora. However, it did support Ubuntu and that served as a model for building the necessary packages to support Fedora 13 and 14. These packages were built (dockbarx, gnomenu, ia_ora-gnome, and screenlets) and they are in the Win2-7 repository.

The GUIInstall.sh script provided as part of the Win2-7 pack changes files installed by various packages. Our approach is to create new packages that install these files. However, to do this properly, some standard Fedora/GNOME packages (control-center, emsene, and gnome-panel) needed to be changed by removing the files in conflict with the Win2-7 package which is provided in the CERT Win2-7 repository. Should these Fedora/GNOME packages change, updates will be provided.

In addition, the previously noted GUIInstall.sh script needs to be changed to install this Win2-7 package rather than changing the contents of installed files, and then do the necessary configuration. Development of this package is planned.

It is hoped that the Windows 7 Aero theme will become available for GNOME Shell, which, as of Fedora 17, supports 3D in software as well as hardware. If and when this support becomes available, it will be incorporated into ADIA.

To add the Win2-7 repository to your Fedora system, install the appropriate rpm for your version of Fedora. Again, find the CERT Forensics GPG key here.

Support and bug-reports

To request support or report bugs, send mail to

FAQ

Have questions? See the Frequently Asked Questions page.

Want to contribute?

If you'd like to contribute, update, or help maintain a package in the CERT Forensics Tools Repository, please send mail to Here are the areas where help is most needed:

  • Suggestions of packages to add to the repository. Please provide a URL for the source code. A pointer to a source RPM would be best.
  • Support for other versions of Linux, specifically Ubuntu.