CERT

Linux Forensics Tools Repository: Announcements

February 7, 2012: The following have been released:
  • dff-1.2.0-3.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. This release adds the previously missing support for Expert Witness Compression Format (EWF) files.
  • regripper-20120206-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - Regripper is a Windows Registry data extraction and correlation tool. This version includes version 20120206 of the plugins from here. This version adds the filesnottosnapshot.pl (extracts, from SYSTEM registry hives, the files and folders not backed up in Volume Shadow Copies) and spp_clients.pl (lists the volumes currently monitored by the Volume Shadow Copy Service) plugins.
  • xmount-0.4.7-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.
  • Volatility-2.0.1-3.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version updates the plugins from the Malware Analyst's Cookbook to version R134. See here for the list of recent changes.
  • registrydecoder-20120202-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents. This is version 1.2 of this tool. See here for a list of changes.
  • tcpflow-1.1.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump packet flows. The changes are: C++ rewrite, improved performance, and DFXML output.
January 27, 2012: The following have been released:
  • libewf-{,devel,tools}-20120122-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • md5deep-4.0.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of changes in this version:
    • Fixed hang on DFXML generation on Win32
    • Fixed incorrect hashes via stdin on Win32
    • Fixed "Too many open files" error on OS X
    • Doc files in Win32 have been corrected.
January 12, 2012: The following have been released:
  • cert-forensics-tools-release-{13,14,15,16,5.7,6}-7.noarch.rpm - This package was added to provide the new CERT Forensics Repository Key. The fingerprint for this key is: AE8F 91D1 5126 5835 B4DE 765D 9198 DA78 51B6 01A4.

    You must run the following as root to install this new package before updating existing packages installed from our repository:

        yum update cert-forensics-tools-release

    You can then run the following as root to install any other updates for your system:

        yum update

    In addition, all of the packages in the Fedora 13, 14, 15, and 16 and RHEL/CentOS repositories have been re-signed with this new key.
  • CERT-Forensics-Tools-1.0-36.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - This package was updated to include the following:
    • shellbags for Fedora 14, 15, and 16.
    • KHracker for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • md5dump for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • tcpflow for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • registrydecoder for Fedora 13, 14, 15, and 16, and CentOS/RHEL 5 and 6.
    • xplico for Fedora 13, 14, 15, and 16.
    • snort for Fedora 13, 14, 15, and 16.
    • snort-sample-rules for Fedora 13, 14, 15, and 16.
  • shellbags-0.5.1-2.{fc14,fc15,fc16}.noarch.rpm - Microsoft Windows uses a set of registry keys known as "shellbags" to maintain the size, view, icon, and position of a folder when using Explorer. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions. See Using shellbag information to reconstruct user activities for an overview of the investigative value of shellbags. Shellbags is installed in the Fedora 14, 15, and 16 versions of the repository.
  • python-registry-0.2.3-1.{fc14,fc15,fc16}.{i386,x86_64}.rpm - Python-registry provides read-only access to Windows Registry files, such as NTUSER.DAT, userdiff, and SOFTWARE. The interface is two-fold: a high-level interface suitable for most tasks, and a low level set of parsing objects and methods which may be used for advanced study of the Windows Registry. python-registry is written in pure Python, making it portable across all major platforms. Python-registry is installed in the Fedora 14, 15, and 16 versions of the repository. This package is required by shellbags.
  • KHracker-0.3-1.noarch.rpm - KHracker is a python-based decryption tool for encrypted known_hosts entries. It will attempt to decrypt values stored in SSH known_hosts files if the encryption option has been enabled for that computer. By default, known_hosts entries are not encrypted, but there is an option to do so. From a forensics perspective, encrypted known_hosts entries can prevent an investigator from seeing other computers to which a user may have been connecting. Information about the connections made from a system can be integral to forming a complete understanding of the systems involved in a network intrusion or incident response case.
  • python-netaddr-0.7.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64} - python-netaddr is a pure Python network address representation and manipulation library. It provides a Pythonic way of working with:
    • IPv4 and IPv6 addresses and subnets
    • MAC addresses, OUI and IAB identifiers, IEEE EUI-64 identifiers
    • arbitrary (non-aligned) IP address ranges and IP address sets
    • various non-CIDR IP range formats such as nmap and glob-style formats

    Included are routines for:

    • generating, sorting and summarizing IP addresses and networks
    • performing easy conversions between address notations and formats
    • detecting, parsing and formatting network address representations
    • performing set-based operations on groups of IP addresses and subnets
    • working with arbitrary IP address ranges and formats
    • accessing OUI and IAB organisational information published by IEEE
    • accessing IP address and block information published by IANA

    This package is required by .

  • md5deep-4.0.0-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep. Here is the list of new features:
    • Rewrote most of the program in C++.
    • Enabled multiprocessor support on all platforms.
    • Removed ten character limit on file size mode.
January 3, 2012: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.15/ChangeLog after the package has been installed.
  • fiwalk-0.6.16-1.{fc13,fc14,fc15,fc16,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format. See /usr/share/doc/fiwalk-0.6.16/ChangeLog after the package has been installed.
  • bulk_extractor-1.1.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important. See /usr/share/doc/bulk_extractor-1.1.3/ChangeLog after the package has been installed.
  • tcpflow-1.0.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored tcpdump packet flows.
  • ddrescue-1.15-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. See /usr/share/doc/ddrescue-1.15/ChangeLog after the package has been installed.
  • libewf-{,devel,tools}-20111231-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • libfixbuf{,-devel}-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains bug fixes.
  • silk-*-2.4.5-6.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
  • yaf{,-devel}-2.1.2-2.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The only change was to recompile this package to use the libfixbuf{,-devel}-1.1.1 packages.
  • perl-Parse-Evtx-1.1.1-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection.
  • xmount-0.4.6-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. This release uses Version 2 of the libewf API.
December 8, 2011: The following have been released:
  • Support for Fedora 16 i386 and x86_64 architectures - The repository now supports Fedora 16 for both the i386 and x86_64 CPU architectures.
  • registrydecoder-20111108-1.{fc13,fc14,fc15,fc16,el5,el6}.{i386,x86_64}.rpm - Registrydecoder is a tool for the acquisition, analysis, and reporting of registry contents.
  • regripper-20111118-1.{fc13,fc14,fc15,fc16,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes version 20111118 of the plugins from here.
  • log2timeline-0.62-1.{fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • [FF_CACHE input] New input module, designed to parse the cache files of Firefox. Contributed by John Ritchie
    • [OPENVPN input] New input module, designed to parse the OpenVPN log files.
    • [L2T_PROCESS] Added a few more allowed characters in the keyword list
    • [proftpd_xferlog input] Willi Ballenthin added a new module to parse the ProFTPD XFerlog file
    • [Log2Timeline library] Fixed a bug where, when the 'all' modules option is used (or -f is omitted), no modules were loaded
      • Added a small change to try to parse the MFT directly even though the $MFT might not be directly visible
      • Fixed a small bug where the tool would crash if the local timezone was used.
      • Fixed a small bug where, if the tool is not able to find the default directory (. does not exist) or the file the tool is pointed to does not really exist, the tool returned a double error instead of just dying on the first one.
      • The tool will now accept a separate output timezone so the tool can output in a different timezone than the hosts one.
    • [log2timeline] Added the -Z ZONE parameter so the tool can output in a different timezone than the host timezone.
    • [CSV output] Changed the output timezone so it now prints using the -Z definition, so it now supports different output timezone than the host one.
    • [EVTX input] Fixed a bug where the tool could go into an endless loop in the case where you have an EVTX file that is somehow broken and the function get_next_event dies. If the tool ran into such an occurrence it returned an empty timestamp object, which in turn let the tool query for it again, thus possibly getting into an endless loop. Added a counter so the tool tries to get the next event 50 times, otherwise it will die.
    • [log2timeline-sift] Moved the mount command out of the script and into the configuration file
      • Changed the mount command, since there were few errors with the previous one
      • Added an additional check to see if the $MFT file can be directly called (and if so, skip the icat call)
  • xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python Version 3 support.
  • guymager-0.6.3-1.{fc13,fc14,fc15,fc16,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.5.9):
    • Better HPA/DCO log output
    • Bug removed where acquisition hash codes were not shown in info file if verification was aborted.
    • Additional State Info added
    • New configuration parameter DirectIO
    • Setting sectors per chunk correctly for libewf
    • Removed full path of image file names from .info file, only show the image filename
    • New thread debugging messages
    • New EWF module reduces memory footprint significantly.
    • Possibility to compute MD5 hashes of the individual image files and write them to the .info file.
    • Better log output always contains acquired device
    • Bug removed where libewf only did empty block compression (slight API change in libewf20100226)
    • Compression problem with libewf20100226 fixed
    • Wrong file size check in acquisition dialog corrected

October 20, 2011: The following have been released:
  • regripper-20111014-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes the version 20111014 plugins from here.

October 13, 2011: The following have been released:
  • daq-0.6.2-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Data Acquisition Library (Daq) is a library used by snort.
  • snort{,mysql,postgresql,unixODBC}-2.9.1.1-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
  • snort-sample-rules-1.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - These rules are sample rules only and are intended to allow snort to start successfully. These rules only flag HTTP traffic destined for port 80. Please see the snort rules page to acquire a current set of snort rules.
  • libewf-{,devel,tools}-20111016-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • nmap{,-frontend}-5.51-3.{fc12,fc13,fc14,el5,el6}.{i386,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details.
  • CERT-Forensics-Tools-1.0-33.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to select a correct version of the libewf-tools package.

October 13, 2011: The following have been released:
  • dff-1.2.0-2.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. This release fixes incorrect directory permissions and adds python-apsw as a dependency.
  • python-apsw-3.6.7_r1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Another Python SQL wrapper (python-apsw) is a Python wrapper for the SQLite embedded relational database engine. In contrast to other wrappers such as pysqlite it focuses on being a minimal layer over SQLite attempting just to translate the complete SQLite API into Python. The documentation has a section on the differences between APSW and pysqlite.

October 12, 2011: The following have been released:
  • libewf-{,devel,tools}-20111011-1.{fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libewf is a library for support of the Expert Witness Compression Format (EWF). It supports both the SMART (EWF-S01) and EnCase (EWF-E01) formats. Libewf allows you to read and write EWF files. Recent versions also support the LEV (EWF-L01) format. Note the following:
    • This version provides the development environment for Version 2 of the API using the libewf-devel package. If the Version 1 API is required, install a version of libewf-devel from 2010, for example version 20100226.
    • This version provides the runtime environment for both Version 1 and Version 2 of the API. This means that both libewf.so.1 and libewf.so.2 are provided in this package for all supported operating systems and architectures.
    • This version provides a set of tools (libewf-tools) that replace ewftools.
  • xmount-0.4.5-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. Release 2 of xmount was made to use Version 2 of the libewf API.
  • sleuthkit-{,devel,libs}-3.2.3-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data. See the included NEWS.txt for a list of changes. Note that this version has been built using Version 2 of the libewf API.
  • dff-1.2.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. DFF is a free and Open Source platform dedicated to digital forensic and eDiscovery sciences. Note that this version requires the Version 2 API of libewf. Note that CentOS/RHEL 5 is not supported in this release.
  • CERT-Forensics-Tools-1.0-32.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add these packages:
    • libewf-tools
    and to remove these packages:
    • ewftools

October 4, 2011: The following have been released:
  • bulk_extractor-1.0.7-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important.
  • reglookup-1.0.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup package version 1.0.0 was installed for all supported architectures.
  • ssdeep-2.7-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
  • yaf{,-devel}-2.1.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Added new --plugin-conf switch for adding a configuration file to a plugin
    • Added new --p0f-fingerprints switch to give location of p0f fingerprint files
    • Bug Fixes
  • log2timeline-0.61-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. Here are the changes in this version:
    • Bug fixes
    • Changes to sqlite output
    • User contributed new input modules

September 13, 2011: The following have been released:
  • libfixbuf{,-devel}-1.0.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). This version contains bug fixes.
  • silk-*-2.4.5-5.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.
  • yaf{,-devel}-2.1.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. The only change was to recompile this package to use the libfixbuf{,-devel}-1.0.2 packages.

September 9, 2011: The following have been released:
  • regripper-20110830-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version includes the version 20110830 plugins from here.

August 23, 2011: The following have been released:
  • ataraw-0.2.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - ATAraw allows user-level Linux programs to send arbitrary commands to ATA and SATA devices. The system currently supports programmed IO and DMA modes, but does not support asynchronous or multiple-queued commands.
  • bloom-1.4.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Bloom is an NPS bloom filter package that includes the frag_find utility.
  • bulk_extractor-1.0.2-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor is a C++ program that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results are stored in feature files that can be easily inspected, parsed, or processed with automated tools. bulk_extractor also creates histograms of the features it finds, as features that are more common tend to be more important.
  • bulk_extractor-stoplist-1.0-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Bulk_extractor-stoplist is a context stop list for bulk_extractor.
  • fiwalk-0.6.15-1.{fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - Fiwalk is a program that processes a disk image using the SleuthKit library and outputs its results in Digital Forensics XML, the Attribute Relationship File Format (ARFF) format used by the Weka Datamining Toolkit, or an easy-to-read textual format.
  • jafat-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - JAFAT is an assortment of tools to assist in the forensic investigation of computer systems.
  • log2timeline-0.60-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. This version removes perl-Parse-Evtx since that is now a separate package.
  • perl-Parse-Evtx-1.0.8-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-Parse-Evtx is a Windows Event Log Parser library and tools collection.
  • tln_tools-20110729-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - tln_tools are time line tools.
  • Volatility-2.0.1-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This version adds the following plugins from the Malware Analyst's Cookbook:

    • apihooks - API hooks
    • callbacks - system-wide notification routines
    • devicetree - device tree
    • driverirp - IRP hook detection
    • gdt - Global Descriptor Table
    • idt - Interrupt Descriptor Table
    • impscan - a module for imports (API calls)
    • ldrmodules - unlinked DLLs
    • malfind - hidden and injected code
    • psxview - hidden processes with various process listings
    • ssdt_ex - Hook Explorer for IDA Pro (and SSDT by thread)
    • svcscan - for Windows services
    • threads - _ETHREAD and _KTHREADs

    These plugins required the following additional packages:
    • yara-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara scans the given FILE or the process identified by PID, looking for matches against the patterns and rules provided in a special-purpose language. The rules are read from RULEFILEs or standard input.
    • yara-python-1.6-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yara-python is a Python extension that gives access to YARA's powerful features from Python scripts.
    • distorm3-1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Distorm3 is a lightweight, easy-to-use and fast decomposer library. It disassembles instructions in 16, 32 and 64 bit modes. Supported instruction sets: FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, AMD's SVM and AVX.
  • xmount-0.4.5-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Xmount is a tool that allows you to convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual representation can be in raw DD, VirtualBox's virtual disk file format, or VMware's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format) or AFF (Advanced Forensic Format) files. In addition, xmount also supports virtual write access to the output files, which is redirected to a cache file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VMware or the like.
  • CERT-Forensics-Tools-1.0-31.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add these packages:
    • ataraw
    • bloom
    • bulk_extractor (not for Fedora 12 nor CentOS/RHEL 5)
    • bulk_extractor-stoplist (not for Fedora 12 nor CentOS/RHEL 5)
    • fiwalk (not for Fedora 12 nor CentOS/RHEL 5)
    • jafat
    • perl-Parse-Evtx
    • tln_tools
    • xmount

August 16, 2011: The following have been released:
  • yaf{,-devel}-2.1.1-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Important bug fix for application labeling SSL plugin.

August 10, 2011: The following have been released:
  • dff-1.1.0-1.{fc12,fc13,fc14,fc15,el6}.{i386,x86_64}.rpm - The Digital Forensics Framework (DFF) is both a digital investigation tool and a development platform. The framework is used by system administrators, law enforcement examiners, digital forensics researchers and students, and security professionals world-wide. Written in Python and C++, it exclusively uses Open Source technologies. DFF combines an intuitive user interface with a modular and cross-platform architecture. DFF is a free and Open Source platform dedicated to digital forensic and eDiscovery sciences. The following additional packages were changed or installed in support of DFF:
    • aff{lib,lib-devel,tools}-3.6.12-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. This version includes static versions of the libraries.
    • libpff-20110413-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libpff is a library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format. PFF is used in PAB (Personal Address Book), PST (Personal Storage Table) and OST (Offline Storage Table) files. Static and dynamic versions of the libraries are provided.
    • libbfio{,devel}-20110625-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Libbfio is a library that provides basic file input/output abstraction. Libbfio is used in multiple other libraries like libewf, libmsiecf, libnk2, libolecf and libpff. It is used to chain I/O to support file-in-file access. Static and dynamic versions of the libraries are provided.
  • dc3dd-7.1.614.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64} - dc3dd is a patched version of GNU dd that includes several features useful for computer forensics. New in this version are the following:
    • Log output may be sent to multiple job logs and hash logs. Simply specify log=LOG and/or hlog=LOG more than once.
    • Verification of an image restored to a device larger than the image is now supported. Specify phod=DEVICE to hash only the bytes dc3dd writes to the device. Specify fhod=DEVICE to hash both the bytes dc3dd writes to the device and all the bytes that follow, up to the end of the device.
  • CERT-Forensics-Tools-1.0-30.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add the DFF package. Note that DFF is not provided for CentOS/RHEL version 5.
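The phod/fhod distinction above matters whenever an image is restored onto a drive larger than the image: a hash over the whole device can never match the image hash, because the trailing bytes are included. The following Python example is added here and is not part of this page or of dc3dd; it simulates a restore onto a larger device with constructed data and computes both hashes so the difference is visible. Paths, sizes, and the fill byte are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB read size


def sha256_of(path, length=None):
    """SHA-256 of the first `length` bytes of a file (or the whole file when length is None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            chunk = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not chunk:
                break
            h.update(chunk)
            if remaining is not None:
                remaining -= len(chunk)
    return h.hexdigest()


def restore_image(image_path, device_path):
    """Write the image over the start of the (larger) device in place, as a restore does.
    Bytes beyond the image length are left untouched. Returns the byte count written."""
    written = 0
    with open(image_path, "rb") as src, open(device_path, "r+b") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            written += len(chunk)
    return written


def verify_restore(image_path, device_path):
    """Restore, then compute both verification hashes the text describes:
    phod-style hashes only the bytes written; fhod-style hashes those bytes plus
    everything that follows them up to the end of the device."""
    written = restore_image(image_path, device_path)
    image_hash = sha256_of(image_path)
    phod = sha256_of(device_path, written)
    fhod = sha256_of(device_path)
    return {
        "written": written,
        "device_size": os.path.getsize(device_path),
        "image": image_hash,
        "phod": phod,
        "fhod": fhod,
        "phod_matches": phod == image_hash,
        "fhod_matches": fhod == image_hash,
    }


def demo():
    """Constructed data: a 64 KiB 'image' restored onto a 128 KiB 'device' pre-filled with 0xFF."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")
        device = os.path.join(tmp, "target.dev")
        with open(image, "wb") as f:
            f.write(bytes(range(256)) * 256)   # 65536 bytes of pattern data, not real evidence
        with open(device, "wb") as f:
            f.write(b"\xff" * (2 * 65536))     # a device twice the size of the image
        return verify_restore(image, device)


if __name__ == "__main__":
    r = demo()
    print(f"wrote {r['written']} of {r['device_size']} bytes")
    print("phod matches image:", r["phod_matches"])
    print("fhod matches image:", r["fhod_matches"])
```

The phod-style hash is the one to compare against the original acquisition hash; the fhod-style hash is only useful when you also recorded what the rest of the target device contained (for example, a wipe pattern) and want to prove it was not disturbed.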

August 3, 2011: The following have been released:
  • Volatility-2.0-2.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. This package was updated because the versions for RHEL/CentOS were incorrectly configured.
  • regripper-20110518-2.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - regripper is a Windows Registry data extraction and correlation tool. This version installs all of the plugins available at this link.
  • perl-DateTime-Format-WindowsFileTime-0.02-1.{fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - perl-DateTime-Format-WindowsFileTime converts a Windows FILETIME into a DateTime object. The Windows FILETIME structure holds a date and time associated with a file. The structure is a 64-bit integer specifying the number of 100-nanosecond intervals that have passed since January 1, 1601 (UTC). This package was built and installed in support of regripper.
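The FILETIME rule stated above is exactly what an examiner applies to raw registry LastWrite values, so here is an added Python example that is not part of this page or of the perl-DateTime-Format-WindowsFileTime module. It decodes the 8-byte little-endian value as stored on disk, converts it to a UTC datetime and to Unix seconds, and handles the two cases that bite in practice: the value 0 (Windows uses it for "not set") and values too large for a Python datetime. The sample bytes are constructed, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: unsigned 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Number of 100-ns intervals between the FILETIME epoch and the Unix epoch (1970-01-01 UTC).
EPOCH_DIFF_100NS = 116_444_736_000_000_000
INTERVALS_PER_SECOND = 10_000_000


def filetime_to_datetime(ft):
    """Convert a raw FILETIME integer to a timezone-aware UTC datetime.

    Returns None for 0 (Windows' 'not set' marker) and for values that fall
    outside the range Python's datetime can represent (beyond year 9999).
    """
    if ft == 0:
        return None
    if ft < 0 or ft > 0xFFFFFFFFFFFFFFFF:
        raise ValueError("FILETIME must be an unsigned 64-bit integer")
    try:
        # Python datetimes carry microseconds, so the 100-ns remainder is dropped.
        return FILETIME_EPOCH + timedelta(microseconds=ft // 10)
    except OverflowError:
        return None


def filetime_to_unix(ft):
    """Convert a FILETIME to seconds since the Unix epoch (float, UTC).
    Dates before 1970 come out negative, which timeline tools accept."""
    return (ft - EPOCH_DIFF_100NS) / INTERVALS_PER_SECOND


def filetime_from_bytes(raw):
    """Decode the 8-byte little-endian FILETIME as stored in registry key headers and values."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return struct.unpack("<Q", raw)[0]


# Constructed sample (assumption, not from a real hive): the 8 little-endian bytes of a
# registry LastWrite time chosen to decode to 2011-08-03 00:00:00 UTC.
SAMPLE_LASTWRITE = bytes.fromhex("00409b497051cc01")


def demo():
    ft = filetime_from_bytes(SAMPLE_LASTWRITE)
    return {
        "raw": ft,
        "utc": filetime_to_datetime(ft),
        "unix": filetime_to_unix(ft),
        "unset": filetime_to_datetime(0),
        "unix_epoch": filetime_to_datetime(EPOCH_DIFF_100NS),
        "too_large": filetime_to_datetime(0xFFFFFFFFFFFFFFFF),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keep the result in UTC until the last step; converting to the examiner's local zone before correlating with other artifacts is the usual source of one-hour discrepancies in a timeline.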

August 1, 2011: The following has been released:
  • Volatility-2.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research. See here for the list of changes.

July 29, 2011: The following have been released:
  • md5deep-3.9.2-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • yaf{,-devel}-2.1.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • New Information Element exported in every flow record, flowAttributes (CERT PEN 6871, IE 40).
    • YAF now checks if a flow has fixed-size packets and exports this flag using the new flowAttributes Information Element (see yaf)
    • Reset Application Label on UDP-uniflows for Deep Packet Inspection
    • Fixed yafscii invalid parameter bug that may have existed on certain platforms
    • Added VNC (RFB Protocol) application label
    • DPI Enhancements
    • FlowEndReason IPFIX field is now set to 31 for udp-uniflows
    • For Cygwin: Added support for getting the yaf config directory via the Windows Registry
    • Several other bug fixes
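The yaf descriptions on this page repeatedly state the mechanism (read packets, aggregate them into flows, export records with a flowEndReason) and the change lists mention the edge cases: idle-timeout expiry while replaying a file, and the value 31 used for UDP uniflows. The following Python example is added here and is not yaf's code; it is a minimal biflow meter over a constructed packet trace that shows how those pieces fit together. The Packet record, the timeout values and the rule of closing a TCP flow on the first FIN/RST are assumptions made for illustration.

```python
from collections import namedtuple

# IPFIX flowEndReason codes from the IANA registry (RFC 5102); 31 is the yaf-specific
# value this page reports for UDP uniflows.
IDLE_TIMEOUT, ACTIVE_TIMEOUT, END_OF_FLOW, FORCED_END = 1, 2, 3, 4
UDP_UNIFLOW = 31
TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04

# Minimal decoded-packet record (assumption); a real sensor fills this from pcap(3) or DAG frames.
Packet = namedtuple("Packet", "ts proto src sport dst dport length flags")


def flow_key(p):
    """Order the two endpoints so that both directions of a conversation map to one biflow key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + ((a, b) if a <= b else (b, a))


class FlowMeter:
    def __init__(self, idle_timeout=30.0, active_timeout=300.0, udp_uniflow=False):
        self.idle_timeout = idle_timeout
        self.active_timeout = active_timeout
        self.udp_uniflow = udp_uniflow
        self.active = {}       # key -> flow record still open
        self.exported = []     # finished flow records, in export order

    def _export(self, key, reason):
        flow = self.active.pop(key)
        flow["end_reason"] = reason
        self.exported.append(flow)

    def _expire(self, now):
        """Time out open flows against the packet clock, so file replay behaves like live capture."""
        for key, flow in list(self.active.items()):
            if now - flow["last"] > self.idle_timeout:
                self._export(key, IDLE_TIMEOUT)
            elif now - flow["start"] > self.active_timeout:
                self._export(key, ACTIVE_TIMEOUT)

    def feed(self, p):
        self._expire(p.ts)
        key = flow_key(p)
        flow = self.active.get(key)
        if flow is None:
            # The first packet seen defines the forward direction (initiator -> responder).
            flow = {"proto": p.proto, "initiator": (p.src, p.sport), "responder": (p.dst, p.dport),
                    "start": p.ts, "last": p.ts,
                    "pkts_fwd": 0, "bytes_fwd": 0, "pkts_rev": 0, "bytes_rev": 0}
            self.active[key] = flow
        forward = (p.src, p.sport) == flow["initiator"]
        flow["pkts_fwd" if forward else "pkts_rev"] += 1
        flow["bytes_fwd" if forward else "bytes_rev"] += p.length
        flow["last"] = p.ts
        if p.proto == TCP and p.flags & (TCP_FIN | TCP_RST):
            # Simplification: close on the first FIN/RST instead of waiting for both sides' FINs.
            self._export(key, END_OF_FLOW)
        elif p.proto == UDP and self.udp_uniflow:
            # Uniflow mode: every UDP packet becomes its own exported record.
            self._export(key, UDP_UNIFLOW)

    def finish(self):
        """End of input: flush whatever is still open, as a sensor does at EOF or shutdown."""
        for key in list(self.active):
            self._export(key, FORCED_END)
        return self.exported


# Constructed trace (not real traffic): a short TLS session, a DNS exchange, then a packet
# arriving a minute later, which pushes the DNS flow past the idle timeout.
SAMPLE_PACKETS = [
    Packet(0.00, TCP, "10.0.0.5", 40000, "192.0.2.10", 443, 60, 0x02),   # SYN
    Packet(0.10, TCP, "192.0.2.10", 443, "10.0.0.5", 40000, 60, 0x12),   # SYN/ACK
    Packet(0.20, TCP, "10.0.0.5", 40000, "192.0.2.10", 443, 200, 0x18),  # PSH/ACK
    Packet(1.00, UDP, "10.0.0.5", 53000, "10.0.0.1", 53, 80, 0),         # DNS query
    Packet(1.02, UDP, "10.0.0.1", 53, "10.0.0.5", 53000, 120, 0),        # DNS reply
    Packet(2.00, TCP, "10.0.0.5", 40000, "192.0.2.10", 443, 60, 0x11),   # FIN/ACK
    Packet(60.0, UDP, "10.0.0.5", 123, "10.0.0.1", 123, 76, 0),          # NTP, much later
]


def demo(idle_timeout=30.0, udp_uniflow=False):
    meter = FlowMeter(idle_timeout=idle_timeout, udp_uniflow=udp_uniflow)
    for p in SAMPLE_PACKETS:
        meter.feed(p)
    return meter.finish()


if __name__ == "__main__":
    for f in demo():
        print(f"proto {f['proto']:>2} {f['initiator']} -> {f['responder']} "
              f"fwd {f['pkts_fwd']}/{f['bytes_fwd']} rev {f['pkts_rev']}/{f['bytes_rev']} "
              f"end_reason={f['end_reason']}")
```

Note that expiry is driven by the timestamps of the packets being read, not by wall-clock time; that is what makes replaying a pcap produce the same records as a live capture, and it is the behaviour the "expiring flows that exceed the idle timeout when reading from a file" fix above is about.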

July 8, 2011: The following has been released:
  • guymager-0.5.9-1.{fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - Guymager is a forensic imaging package. Here are the changes since the last release (0.5.7):
    • The 2GiB limit for EWF files no longer exists (the max. size now is 8EiB)
    • A new AutoExit function has been added. If activated, guymager exits as soon as all acquisitions have terminated successfully. By means of the program's exit code, a script might decide, for instance, to shut down the system. This feature is interesting for acquisitions taking place overnight or during the weekend.
    • A new menu point in Gnome allows for launching Guymager from the menu Application / System tools.
    • The problems with UDisks under KDE / Kubuntu no longer exist.

June 23, 2011: The following have been released:
  • DropboxReader-1.0-1.{fc11,fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - The DropboxReader package version 1.0 was installed for all supported architectures. Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software.
  • CERT-Forensics-Tools-1.0-29.{fc11,fc12,fc13,fc14,fc15,el5,el6}.noarch.rpm - This package was updated to add the DropboxReader package.

June 22, 2011: The following have been released:
  • grokevt-0.5.0-2.{fc11,fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The grokevt package version 0.5.0 was installed for all supported architectures. Here are the changes since the previous version (0.4.1):
    • Redesigned grokevt-builddb to use RegLookup's pyregfi library instead of executing the command line tools
    • Added work-around for the fact that many Linux distributions no longer make case-insensitive filesystem mounts easy
    • Support for Python 3
    • Changed license to GPLv3
    • Various unicode and other bug fixes
  • reglookup-1.0.0-1.{fc12,fc13,fc14,fc15,el5,el6}.{i686,x86_64}.rpm - The reglookup package version 1.0.0 was installed for all supported architectures, except for Fedora 11. Here are the changes since the previous version (0.4.0):
    • SK records and security descriptors now accessible in pyregfi
    • Added key caching to regfi, reintroduced SK caching
    • Minor API simplifications and improved documentation
    • Numerous bug fixes
    • Made regfi a proper library and made major improvements to the API
    • Added Python bindings (pyregfi) for regfi
    • Replaced Make-based build system with a SCons-based one
    • Numerous improvements in regfi for multithreaded use, memory management
    • Improved API documentation

June 15, 2011: The following have been released:
  • lame{,-libs}-3.98.4-1.fc14.{i686,x86_64}.rpm - The lame and lame-libs packages version 3.98.4 were installed in the Fedora 15 repository for the i386 and x86_64 architectures. These additions make the repository dependent only upon the Fedora and Fedora Updates repositories.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change for version 2.4.5 release 4 was to recompile all of the tools to use the local timezone for command inputs and for printing records. Files continue to be stored by UTC time.

June 14, 2011: The following have been released:
  • sleuthkit-{,devel,libs,debuginfo}-3.2.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
  • yaf{,-devel}-2.0.2-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes in this version:
    • Improvements with Reassembly of TCP Fragments
    • Bug Fix for DNS Deep Packet Inspection
    • --no-frag switch now works
    • Bug Fix for expiring flows that exceed the idle timeout when reading from a file
    • Added the ability to configure YAF with WinPCAP

June 9, 2011: The following has been released:
  • Volatility-1.4_rc1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

June 8, 2011: The following have been released:
  • libfixbuf{,-devel}-1.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101).
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.1 packages. The packages added to the repository are:
    • silk-analysis-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-analysis package contains the SiLK analysis tools used to query, filter, and summarize the SiLK Flow records stored by rwflowpack.
    • silk-common-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of the SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon that captures NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) flows, stores the data temporarily in files on its local disk, and forwards these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-3.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • yaf{,-devel}-2.0.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes:
    • This version requires libfixbuf 1.0.0 or greater.
    • Bug Fix for compile error with --enable-daginterface
    • Enhancement for SNMPv3 application labeler
  • md5deep-3.9.1-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • etherape-0.9.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website which is newer than the version available from the standard Fedora repositories.

June 6, 2011: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.12-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.12/ChangeLog after the package has been installed.
  • log2timeline-0.60-1.{fc11,fc12,fc13,fc14,fc15,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. See /usr/share/doc/log2timeline-0.60/CHANGELOG after the package has been installed. Note that the program glog2timeline has been removed from this release, but may reappear in the future.
  • ssdeep-2.6-1.{fc11,fc12,fc13,fc14,fc15,el5}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
  • xplico-0.6.3-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
    • 32 and 64 bit
    • new decoding manager (DeMa): version 0.3.1
    • mfile manipulator (HTTP file transfer) bug fixes
    • WebMail scripts improved
    • HTTP dissector improved
    • XI: upgraded the javascript libraries

May 23, 2011: The following have been released:
  • FC14-foren-2011-01-{i386,x86-64} - These items are VMware-based forensic appliances built with Fedora 14 for the i386 and x86_64 architectures. Please note that they are not live CDs. See this document that explains how to download, install, and operate the appliance.
  • testdisk-6.12-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Testdisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a Partition Table). This package also contains photorec which is a file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted.

May 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository, except as noted:
  • ddrescue-1.14-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors. Here are the changes:
    • Added new option `-R, --reverse'.
    • Added new option `-E, --max-error-rate'.
    • Extended syntax `--max-errors=+N' to specify new errors.
    • Changed short name of option `--retrim' to `-M'.
    • Removed spurious warning about `preallocation not available'.
    • Code reorganization. New class `Genbook'.
  • gparted-0.8.0-1.{fc11,fc12,fc13,fc14}.{i386,x86_64}.rpm - Gparted is a free partition editor for graphically managing your disk partitions. See the release notes for details. Note that this update does not apply to the CentOS repositories.
  • nmap{,-frontend}-5.51-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Nmap is a free and open source utility for network exploration or security auditing. See the change log for details.
  • p7zip{,-plugins}-9.20.1-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - P7zip is a quick port of 7z.exe and 7za.exe (the command line versions of 7-Zip, see www.7-zip.org) for Unix. 7-Zip is a file archiver with a high compression ratio. Here are the changes:
    • 7-Zip now supports LZMA2 compression method.
    • 7-Zip now can update solid .7z archives.
    • 7-Zip now supports XZ archives.
    • 7-Zip now supports PPMd compression in ZIP archives.
    • 7-Zip now can unpack NTFS, FAT, VHD, MBR, APM, SquashFS, CramFS, MSLZ archives.
    • 7-Zip now can unpack GZip, BZip2, LZMA, XZ and TAR archives from stdin.
    • 7-Zip now can unpack some TAR and ISO archives with incorrect headers.
    • 7-Zip now supports files that are larger than 8 GB in TAR archives.
    • NSIS and WIM support was improved.
    • Partial parsing for EXE resources, SWF and FLV.
    • The support for archives in installers was improved.
    • 7-Zip now can store NTFS file timestamps in ZIP archives.
    • Speed optimizations in PPMd codec.
    • Speed optimizations in CRC calculation code for Intel's Atom CPUs.
    • New -scrc switch to calculate total CRC-32 during extracting / testing.
    • 7-Zip File Manager now doesn't use temp files to open nested archives stored without compression.
    • Disk fragmentation problem for ZIP archives created by 7-Zip was fixed.
    • Some bugs were fixed.
    • New localizations: Hindi, Gujarati, Sanskrit, Tatar, Uyghur, Kazakh.
    • Not in p7zip : Speed optimizations in AES code for Intel's 32nm CPUs.
  • libfixbuf{,-devel}-1.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Libfixbuf is a compliant implementation of the IPFIX Protocol, as defined in the "Specification of the IPFIX Protocol for the Export of IP Flow Information" (RFC 5101). Here are the changes:
    • Added functionality to adhere to the proposed IPFIX extension: "Export of Structured Data in IPFIX". This proposed standard allows for the following three new data types.
    • Added new data type: fbBasicList_t to house fixbuf "basicLists."
    • Added new data type: fbSubTemplateList_t to house fixbuf "subTemplateLists."
    • Added new data type: fbSubTemplateMultiList_t to house fixbuf "subTemplateMultiLists."
    • Added the functionality to handle multiple listeners, allowing for connections on multiple ports.
    • Support for Netflow V9.
    • Spread support has been expanded to allow for greater flexibility in using one exporter to publish to multiple groups.
    • Templates are now managed on a per-group basis for a Spread exporter.
    • Templates can now be multicasted to select Spread groups.
    • Default Automatic Mode for Listeners is now set to true.
    • Many other bug fixes.
  • yaf{,-devel}-2.0.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Yaf is Yet Another Flowmeter and yaf is a suite of tools to do flow metering. yaf is used as a sensor to capture flow information on a network and export that information in IPFIX format. It reads packet data from pcap(3) dumpfiles as generated by tcpdump(1), from live capture from an interface using pcap(3), an Endace DAG capture device, or a Napatech adapter, aggregates these packets into flows, and exports flow records via IPFIX over SCTP, TCP or UDP, Spread, or into serialized IPFIX message streams (IPFIX files) on the local file system. Here are the changes:
    • This version requires libfixbuf 1.0.0 or greater.
    • Added Napatech Adapter Integration (requires libpcapexpress).
    • YAF now exports TCP, payload, finger printing, p0f, MAC, entropy, and DPI flow information within an IPFIX subTemplateMultiList data type.
    • Added the ability to export YAF capture statistics using IPFIX Options Templates.
    • The --stats or --no-stats were added to configure YAF stats output.
    • Added the ability to define Spread group types to use Spread as a manifold for flow export based on application, port, protocol, version, or vlan.
    • Added New Application Labels: DHCP, AIM, SOCKS, SMB, SNMP, NETBIOS.
    • Added a time-out buffer flush function.
    • Added SSL Certificate Capture.
    • Added DNS Resource Record Parsing.
    • Added Deep Packet Inspection for the MySQL protocol.
    • The --silk switch will maintain compatibility with SiLK by not nesting TCP information in the subTemplateMultiList data type.
    • Deep Packet Inspection elements are read from one configuration file.
    • Added the ability to create new DPI elements from the configuration file.
    • Added UDP Export and Template Retransmission.
    • Many Bug fixes and other enhancements.
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The only change was to recompile all of the tools to use libfixbuf{,-devel}-1.0.0 packages. The packages added to the repository are:
    • silk-analysis-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-analysis package contains the SiLK analysis tools used to query, filter, and summarize the SiLK Flow records stored by rwflowpack.
    • silk-common-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of the SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to the SiLK analysis tools.
    • silk-flowcap-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon that captures NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) flows, stores the data temporarily in files on its local disk, and forwards these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-2.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap to one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • unrar-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm and libunrar{,-devel}-4.0.7-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - UNrar is a freeware program for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above. See the news for a list of changes.

May 6, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
  • aff{lib,lib-devel,tools}-3.6.11-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.11/ChangeLog after the package has been installed.
  • xplico-0.6.2-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - xplico is an Internet traffic decoder. The following changes were made:
    • l7-patterns for all flows/protocols not decoded by xplico
    • Xplico Interface (XI) improved
    • python3 porting of many scripts
    • realtime capture module improved
    • facebook chat realtime views
    • UTC/localtime bug fixes
    • l2tp dissector bug fixes
    • cli and lite dispatchers bug fixes
    • telnet dissector bug fixes

April 26, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, 14, and CentOS versions of the cert repository:
  • md5deep-3.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of md5deep.
  • scalpel-2.0-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - This package was updated to reflect the new version of scalpel.

April 18, 2011: The following has been released:
  • aff{lib,lib-devel,tools}-3.6.10-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.10/ChangeLog after the package has been installed.

April 14, 2011: The following have been released:
  • aff{lib,lib-devel,tools}-3.6.9-1.{fc11,fc12,fc13,fc14,el5}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5. See /usr/share/doc/afflib-3.6.9/ChangeLog after the package has been installed.
  • log2timeline-0.52-1.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - Log2timeline is a framework for the automatic creation of a super timeline. This version contains a few bug fixes, new modules, and a new tool called l2t_process. See /usr/share/doc/log2timeline-0.52/CHANGELOG after the package has been installed. To build and install this package for CentOS, the following Perl modules were installed:
    • perl-Compress-Raw-Zlib-2.033-1.el5.{i386,x86_64}.rpm - See here for details.
    • perl-Archive-Zip-1.30-1.el5.noarch.rpm - See here for details.

April 12, 2011: The following has been released:
  • ptfinder-0.3.05-2.{fc11,fc12,fc13,fc14,el5}.noarch.rpm - ptfinder searches a memory dump of a system running Microsoft Windows for traces of processes and threads. This release adds support for Vista, Windows Server 2003, Windows 2000, and Windows XP to the already supported Windows XP SP 2.

March 22, 2011: The following have been released:
  • SiLK - SiLK is the System for Internet-Level Knowledge, a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The packages added to the repository are:
    • silk-analysis-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-common-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-common package contains the libraries and configuration files required by the other parts of SiLK Toolset, as well as generally useful utilities.
    • silk-devel-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm- The silk-devel package contains the development libraries and headers for SiLK. This package is required to build additional applications or to build shared libraries for use as plug-ins to The silk analysis tools.
    • silk-flowcap-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-flowcap package contains flowcap, a daemon to capture NetFlow v5 or IPFIX flows (Internet Protocol Flow Information eXport), to store the data temporarily in files on its local disk, and to forward these files over the network to a machine where rwflowpack processes the data. flowcap is typically used with an rwsender-rwreceiver pair to move the files across the network.
    • silk-rwflowappend-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwflowappend package is used when the final storage location of SiLK data files is on a different machine than the one where the files are created by the rwflowpack daemon (see the silk-rwflowpack package). rwflowappend watches a directory for SiLK data files and appends those files to the final storage location where the SiLK analysis tools (from the silk-analysis package) can process them. To move the files from rwflowpack to rwflowappend, an rwsender-rwreceiver pair is typically used.
    • silk-rwflowpack-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwflowpack package converts NetFlow v5 or IPFIX (Internet Protocol Flow Information eXport) data to the SiLK Flow record format, categorizes each flow (e.g., as incoming or outgoing), and stores the data in binary flat files within a directory tree, with one file per hour-category-sensor tuple.
    • silk-rwpollexec-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwpollexec package contains a program (rwpollexec) which monitors a directory for incoming files. For each file, rwpollexec executes a user-specified command. If the command completes successfully, the file is either moved to an archive directory or deleted.
    • silk-rwreceiver-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwreceiver package contains a program (rwreceiver) which receives files over the network from one or more rwsender programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
    • silk-rwsender-2.4.5-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - The silk-rwsender package contains a program (rwsender) which transmits files over the network to one or more rwreceiver programs. rwsender-rwreceiver pairs are used to move files from a machine running flowcap and one running rwflowpack, or from the rwflowpack machine to machine(s) running rwflowappend.
  • yaf{,-devel}-1.3.2-1.fc1{1,2,3,4}.{i386,x86_64}.rpm - YAF is Yet Another Flow sensor. It processes packet data from pcap(3) dumpfiles as generated by tcpdump(1) or via live capture from an interface using pcap(3) or an Endace DAG card into bidirectional flows, then exports those flows to IPFIX Collecting Processes or in an IPFIX-based file format. YAF's output can be used with the NetSA Aggregated Flow (NAF) toolchain. The yaf-devel package contains static libraries and C header files for yaf.
  • aff{tools,lib,lib-devel}-3.6.8-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
  • CERT-Forensics-Tools-1.0-28.fc{11,12,13,14}.noarch.rpm - This package was updated to add the SiLK and YAF tools.
March 16, 2011: The following has been released:
  • FC14-foren-2011-01-i386-RC2 - This item is second release candidate for the VMware-based forensic appliance built with Fedora 14. Please note that this is not a live CD. See this document that explains how to download, install, and operate the appliance. This release candidate has PTK Version 1.0.5, a reengineered desktop, and phpMyAdmin.
March 14, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • ptk-1.0.5-1.fc{11,12,13,14}.noarch.rpm - PTK is a computer forensic framework for the command line tools in the SleuthKit plus many more modules. PTK uses MySQL which is assumed to be configured, using the command line tool mysql_secure_installation or equivalent, and operating. It also assumes a web server, for example Apache, also assumed to be configured and operational.
  • CERT-Forensics-Tools-1.0-27.fc{11,12,13,14}.noarch.rpm - This package was updated to add the PTK tool.
March 1, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.1-6.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.1-6.fc11.i386.rpm - xplico is an Internet traffic decoder. This release no longer automatically configures xplico to automatically start on system boot. This configuration should be done in tandem with the configuration of httpd upon which it relies.
  • sleuthkit-{,devel,libs,debuginfo}-3.2.1-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
February 28, 2011: The following has been released:
  • FC14-foren-2011-01-i386-RC1 - This item is a VMware-based forensic appliance built with Fedora 14. Please note that this is not a live CD. See this document that explains how to download, install, and operate the appliance.
February 24, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • gpart-0.1h-12.fc12.i686.rpm - This package was copied from the Fedora 12 and Fedora 13 i386 releases to the CERT x86_64 Fedora 12 and 13 repositories.
  • gpart-0.1h-13.fc14.i686.rpm - This package was copied from the Fedora 14 i386 release to the CERT x86_64 Fedora 14 repository.
  • CERT-Forensics-Tools-1.0-26.fc{11,12,13,14}.{i386,x86_64}.rpm - This package was updated to make the gpart package no longer conditional on the i386 architecture. See here for more information.
February 23, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-24.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of the xplico dependency for all supported architectures. Xplico 0.6.1 was previously released on December 10, 2010.
  • etherape-0.9.10.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website, which is newer than the version available from the standard Fedora repositories.
February 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • dc3dd-7.0.0.fc{11,12,13,14}.{i386,x86_64} - dc3dd is a patched version of GNU dd to include a number of features useful for computer forensics. Many of these features were inspired by dcfldd, but were rewritten for dc3dd.
    • Pattern writes. The program can write a single hexadecimal value or a text string to the output device for wiping purposes.
    • Piecewise and overall hashing with multiple algorithms. Supports MD5, SHA-1, SHA-256, and SHA-512.
    • Progress meter with automatic input/output file size probing.
    • Combined log for hashes and errors.
    • Error grouping. Produces one error message for identical sequential errors.
    • Verify mode. Able to hash output files and compare hashes to the acquisition hash.
    • Ability to split the output into chunks with numerical or alphabetic extensions.
    • Ability to write multiple output files simultaneously.
January 31, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-23.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the conditional addition of the gpart dependency only for the x86 architecture.
January 17, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-22.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tool and supporting package:
    • gpart - gpart is a tool which tries to guess the primary partition table of a PC-type hard disk in case the primary partition table in sector 0 is damaged, incorrect or deleted. The guessed table can be written to a file or device. Supported (guessable) filesystem or partition types:
      • DOS/Windows FAT (FAT 12/16/32)
      • Linux ext2
      • Linux swap partitions versions 0 and 1 (Linux >= v2.2.X)
      • OS/2 HPFS
      • Windows NTFS
      • *BSD disklabels
      • Solaris/x86 disklabels
      • Minix FS
      • Reiser FS
      • Linux LVM physical volume module (LVM by Heinz Mauelshagen)
January 11, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • etherape-0.9.9.fc{11,12,13,14}.{i386,x86_64} - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network. Note: this version is the latest available from the Sourceforge website, which is newer than the version available from the standard Fedora repositories.
January 10, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-21.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • nmapfe - nmapfe is a convenient X Window front end for the Nmap Security Scanner. Most of the options correspond directly to Nmap options, which are described in detail in the Nmap man page. We recommend you read that first. There is also limited help available via the NmapFE "Help" menu.
    • etherape - etherape is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic, and protocols are displayed color coded. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter the traffic to be shown, and can read traffic from a file as well as live from the network.
January 4, 2011: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.6-2.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
December 20, 2010: The following packages and tools have been updated in the Fedora 10, 11, 13, and 14 versions of the cert repository:
  • md5deep-3.7-1.fc{11,12,13,14}.*.rpm - This package was updated to reflect the new version of md5deep.
December 16, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • log2timeline-0.51-1.fc{12,13,14}.{i386,x86_64}.rpm, log2timeline-0.51-1.fc11.i386.rpm - log2timeline is a framework for the automatic creation of a super timeline.
  • perl-Mac-PropertyList-1.33-1.fc1{1,2,3,4}.noarch.rpm - perl-Mac-PropertyList is a low-level interface to the Mac OS X Property List (plist) format. log2timeline-0.51 uses this package.
December 10, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.1-5.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.1-5.fc11.i386.rpm - xplico is an Internet traffic decoder. It has both a command cli interface and a Web interface (using http://localhost:9876). Please note that this version preserves previous instances of the xplico database that contains created cases and uploaded sessions.
November 30, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • xplico-0.6.0-10.fc{12,13,14}.{i386,x86_64}.rpm, xplico-0.6.0-10.fc11.i386.rpm - xplico is an Internet traffic decoder. It has both a command cli interface and a Web interface (using http://localhost:9876).
November 17, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-20.fc{11,12,13,14}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ssldump - ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. When it identifies SSLv3/TLS traffic, it decodes the records and displays them in a textual form to stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
    • socat - socat is a command line based utility that establishes two bidirectional byte streams and transfers data between them.
November 16, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • {libunrar,libunrar-devel,unrar}-3.9.10-3.fc1{1,2,3,4}.{i386,x86_64}.rpm - UnRAR is a RAR archive unarchiver.
  • aff{tools,lib,lib-devel}-3.6.4-1.fc{11,12,13,14}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
November 11, 2010: The following packages and tools have been updated in the Fedora 11, 12, 13, and 14 versions of the cert repository:
  • sleuthkit-{,devel,libs,debuginfo}-3.2.0-1.fc1{1,2,3,4}.{i686,x86_64}.rpm - The Sleuth Kit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
November 5, 2010: Fedora 14 for the i386 and x86_64 architectures is now supported by the repository.

October 25, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.3-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
October 4, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • aff{tools,lib,lib-devel}-3.6.2-3.fc{10,11,12,13}.{i386,x86_64}.rpm - Afflib is the library and tools to manipulate files using the Advanced Forensic Format. Please note: as of AFFLIB 3.6, all tool names start with the string aff which marks a change from AFFLIB version 3.5.
  • FC12-foren-2010-02 - The CERT Forensics Appliance, a VMware-based Fedora 12 system was released. Please note that this is a VMware guest but it is not a Live CD. You must install the VMware files from the downloaded ISO image. See the README.txt for details.
August 17, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-18.fc{10,11,12,13}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • hachoir-core-1.3.4-1.fc{10,11,12,13}.*.rpm - hachoir-core is a Python library used to represent a binary file as a tree of Python objects.
    • hachoir-metadata-1.3.3-1.fc{10,11,12,13}.*.rpm - hachoir-metadata is a tool that extracts metadata from multimedia files: music, picture, video, and archives.
    • hachoir-parser-1.3.5-1.fc{10,11,12,13}.*.rpm - hachoir-parser is a Python library used by the hachoir tool suite to parse binary files.
    • hachoir-regex-1.0.5-1.fc{10,11,12,13}.*.rpm - hachoir-regex is a Python library used for regular expression (regex or regexp) manipulation.
    • hachoir-subfile-0.5.3-1.fc{10,11,12,13}.*.rpm - hachoir-subfile is a tool that finds subfiles in any binary stream.
    • hachoir-urwid-1.1-1.fc{10,11,12,13}.*.rpm - hachoir-urwid is a binary file explorer based on Hachoir library to parse the files.
    • hachoir-wx-0.3.1-1.fc{10,11,12,13}.*.rpm - hachoir-wx is a wxWidgets-based program that's meant to provide a (more) user-friendly interface to the facilities provided by the hachoir binary parser core.
August 16, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-17.fc{10,11,12,13}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ext3grep-0.1?.?-?.fc{10,11,12,13}.*.rpm - ext3grep.
    • gparted-0.?.?-?.fc{10,11,12,13}.*.rpm - gparted.
    • scrounge-ntfs-0.9-1.fc{10,11,12,13}.*.rpm - scrounge-ntfs which was also added to the repository.
August 4, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • ssdeep-2.5-1.fc{10,11,12,13}.{i686,x86_64}.rpm - ssdeep is a program for computing context triggered piecewise hashes (CTPH), also called fuzzy hashes.
August 2, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • sfdumper-2.2-1.fc1{0,1,2,3}.noarch.rpm - Sfdumper is a selective file dumper script.
July 23, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, and 13 versions of the cert repository:
  • sleuthkit-{,devel,libs,debuginfo}-3.1.3-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
  • CERT-Forensics-Tools-1.0-16.fc{10,11,12}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • ghex-2.2?.?-?.fc{10,11,12}.*.rpm - The ghex Gnome Hex Editor was added.

July 6, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, 12, and 13 versions of the cert repository:

NOTE: These modules represent the last modules to be built for Fedora 8 and Fedora 9.

June 22, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, 12, and 13 versions of the cert repository:
  • log2timeline-0.43.1.fc{8,9,10,11,12,13}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline.
June 11, 2010: The following packages and tools have been updated in the Fedora 10, 11, 12, 13 versions of the cert repository:
  • libguytools-2.0.1-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
  • guymager-0.5.3beta1-2.fc1{0,1,2,3}.{i686,x86_64}.rpm - Guymager is a forensic imaging package.
  • sleuthkit-{,devel,libs,debuginfo}-3.1.2-1.fc1{0,1,2,3}.{i686,x86_64}.rpm - The Sleuthkit (TSK) is a library and collection of command line tools that allow you to investigate volume and file system data.
June 10, 2010: Fedora 13 x86_64 is now supported by the repository.

June 8, 2010: Fedora 13 i386 is now supported by the repository.

April 6, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • autopsy-2.24-1.fc{8,9,10,11,12}.noarch.rpm - This package was updated to reflect the new version of autopsy.
April 5, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-14.fc{8,9,10,11,12}.noarch.rpm - This package was updated to reflect the addition of all of the following tools and supporting packages:
    • rifiuti2-0.5.1-1.fc{8,9,10,11,12}.*.rpm - rifiuti2 is a rewrite of rifiuti, a tool for analyzing Windows Recycle Bin INFO2 file.
    • stegdetect-0.61-1.fc{8,9,10,11,12}.*.rpm - stegdetect is an automated tool for detecting steganographic content in images.
    • regripper-2008909-1.fc{8,9,10,11,12}.*.rpm - regripper is a Windows Registry data extraction and correlation tool.
    • rar-3.9.3-1.fc{8,9,10,11,12}.*.rpm - rar is a compression and decompression program.
    • unrar-3.8.4-1.fc{8,9,10,11,12}.*.rpm - unrar is for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above.
    • missidentify-1.0-1.fc{8,9,10,11,12}.*.rpm - missidentify is a program to find Win32 applications.
    • log2timeline-0.42.1.fc{8,9,10,11,12}.*.rpm - log2timeline is a framework for the automatic creation of a super timeline. log2timeline required the following additional Perl packages to be built and installed:
      • perl-Data-Hexify-1.00-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-DBD-SQLite-1.29-1.fc{8,9,10,11,12}.*.rpm
      • perl-Digest-Crc32-0.01-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-NetPacket-0.42.0-1.fc{8,9,10,11,12}.noarch.rpm
      • perl-Net-Pcap-0.16-1.fc{8,9,10,11,12}.*.rpm
      • perl-Parse-Win32Registry-0.51-1.fc{8,9,10,11,12}.noarch.rpm
    • In addition, the following tools have been added by reference. They are all part of the standard Fedora repositories:
      • aimage - A disk imager.
      • ewftools - Tools to acquire, verify and export EWF files.
      • afftools - Tools that use the Advanced Forensic Format (AFF) library.
      • mdbtools - A suite of programs for accessing data stored in Microsoft Access databases.
      • antiword - A free Microsoft Word reader. It converts the documents from Word 6, 7, 97 and 2000 to ASCII and Postscript. Antiword tries to keep the layout of the document intact.
      • perl-Image-ExifTool - A Perl module with an included command-line application for reading and writing meta information in image, audio, and video files. It reads EXIF, GPS, IPTC, XMP, JFIF, MakerNotes, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP, and ID3 meta information from JPG, JP2, TIFF, GIF, PNG, MNG, JNG, MIFF, EPS, PS, AI, PDF, PSD, BMP, THM, CRW, CR2, MRW, NEF, PEF, ORF, DNG, and many other types of images. ExifTool also extracts information from the maker notes of many digital cameras by various manufacturers including Canon, Casio, FujiFilm, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Ricoh, Sanyo, Sigma/Foveon, and Sony.
      • p7zip - A file archiver with a very high compression ratio.
      • safecopy - A data recovery tool which tries to extract as much data as possible from a problematic (i.e. damaged sectors) source - like floppy drives, harddisk partitions, CDs, tape devices, ..., where other tools like dd would fail due to I/O errors. Note: safecopy is not available in Fedora 8.
      • poppler-utils - Command line tools for converting PDF files to a number of other formats.
March 25, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • md5deep-3.6-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of md5deep.
March 18, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • reglookup-0.12-1.fc{8,9,10,11,12}.*.rpm - This package was updated to reflect the new version of reglookup.
March 8, 2010: The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.

The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • autopsy-2.23-1.noarch.rpm - Version 2.23 was installed. Here are the changes since the previously installed (2.21) version:

         --------------------------- Version 2.23 --------------------------------
         2/12/10: bug fix: resolved issue 2950693 where previous searches were not shown
                           if they used quotes.

         2/12/10: bug fix: resolved issue 2932385 where wrong flag was being used to do
                           only doing category searching

         2/12/10: bug fix: resolved issue 2779244 where wrong sorter path was being used.

         --------------------------- Version 2.22 --------------------------------
         10/27/09: Update: Change istat to use -B instead of -b (new change in TSK).

         11/19/09: Update: Improved configure script process and error message
                           for FILE_EXE check.

         11/25/09: Fixed MD5 exe bug when building live CD

         12/30/09: Fixed issue 2923857 re: cookie errors for the icon and css file
                                           links when cookies are used.

  • ssdeep-2.4-1.fc{8,9,10,11,12}.i686.rpm - Version 2.4 was installed. Here are the changes made since the previously installed (2.3) version:

         ** Version 2.4 - 25 Feb 2010
                Added -k mode to compare unknown signatures against known signatures.
March 4, 2010: The x86_64 architecture has been added to the Fedora 12 repository. Simply follow the instructions for Fedora 12 and the tools will be automatically installed on that architecture.

The following packages and tools have been updated in the Fedora 12 version of the cert repository:
  • CERT-Forensics-Tools-1.0-10.fc12.noarch.rpm - This package was updated but, in essence, no changes were made.
  • memdump-1.01-2.fc12.*.rpm - This package is now made from source and has been moved from the memdump repository to the cert repository.
  • fatback-1.3-1.fc12.*.rpm - This package is now made from source and has been moved from the fatback repository to the cert repository.
March 3, 2010: The following packages and tools have been updated in the Fedora 8, 9, 10, 11, and 12 versions of the cert repository:
  • foremost-1.5.7-1.fc{8,9,10,11,12}.i386.rpm - This package was updated to reflect the new version of foremost.
  • splunk-4.0.9-74233.i386.rpm - Splunk, version 4.0.9, build 74223. See the release notes here.
March 2, 2010: The following packages and tools have been updated in the Fedora 9, 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-5.fc{9,10,11,12}.noarch.rpm - This update includes nmap as a dependency. This release of nmap includes ncat, an improved version of the netcat program.
February 19, 2010: The following packages and tools have been updated in the Fedora 10, 11, and 12 versions of the cert repository:
  • CERT-Forensics-Tools-1.0-4.fc1{0,1,2}.noarch.rpm - This update includes the following tools as dependencies:
    • guymager-0.4.2-1.fc1{0,1,2}.i686.rpm - Guymager is a forensic imaging package.
    • libguytools-1.1.1-1.fc1{0,1,2}.i686.rpm - Libguytools is a package of subroutines and header files needed to build and operate guymager.
    • sfdumper-2.1-1.fc1{0,1,2}.noarch.rpm - Sfdumper is a selective file dumper script.
    • mount_ewf-20090113-1.fc1{0,1,2}.noarch.rpm - Mount_ewf is a script that mounts EWF files as mounted images using the loopback capability.
    • fundl-2.0-1.fc1{0,1,2}.noarch.rpm - Fundl is a script that uses the Sleuthkit for recovering deleted files.
    • cryptcat-1.2.1-1.fc1{0,1,2}.i686.rpm - Cryptcat is a lightweight version of netcat with integrated transport encryption capabilities.
February 8, 2010: All of the Fedora 8 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-8-3.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 10 version of the cert repository:

  • CERT-Forensics-Tools-1.0-4.fc8.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-8-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc8.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc8.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc8.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc8.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc8.i386.rpm - This package was updated to reflect the new version of ssdeep.

February 8, 2010: All of the Fedora 9 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-9-4.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 10 version of the cert repository:

  • CERT-Forensics-Tools-1.0-4.fc9.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-9-4.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc9.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc9.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc9.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc9.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc9.i386.rpm - This package was updated to reflect the new version of ssdeep.

February 8, 2010: All of the Fedora 10 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-10-3.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 10 version of the cert repository:

  • CERT-Forensics-Tools-1.0-2.fc10.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-10-3.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc10.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc10.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc10.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc10.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.3-1.fc10.i386.rpm - This package was updated to reflect the new version of ssdeep.

The following tool has been updated in the Fedora 11 version of the cert repository:

  • ssdeep-2.3-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.

The following tool has been updated in the Fedora 12 version of the cert repository:

  • ssdeep-2.3-1.fc12.i386.rpm - This package was updated to reflect the new version of ssdeep.

February 3, 2010: All of the Fedora 11 packages have been signed with the new CERT Forensics Team GPG key. To use this key, you must install the cert-forensics-tools-release-11-5.noarch.rpm package first.

In addition, the following tools have been updated in the Fedora 11 version of the cert repository:

  • CERT-Forensics-Tools-1.0-3.fc11.noarch.rpm - This update includes dc3dd as a dependency.
  • cert-forensics-tools-release-11-5.noarch.rpm - This update contains the new CERT Forensics Team Key.
  • dcfldd-1.3.4.1-2.fc11.i386.rpm - This update fixes a problem with the man page in previous versions of dcfldd.
  • foremost-1.5.6-1.fc11.i386.rpm - This package was updated to reflect the new version of foremost.
  • md5deep-3.5.1-1.fc11.i386.rpm - This package was updated to reflect the new version of md5deep.
  • reglookup-0.11.0-1.fc11.i386.rpm - This package was updated to reflect the new version of reglookup.
  • ssdeep-2.2-1.fc11.i386.rpm - This package was updated to reflect the new version of ssdeep.

February 2, 2010: The CERT Forensics Appliance based on VMware and Fedora 12 has been released.

February 2, 2010: Fedora 12 is now supported by the repository.

January 7, 2010: A new key has been issued for the CERT Forensics Team. As of this time, only the Fedora 12 packages have been signed with this new key.

August 24, 2009: The following tools have been added to the Fedora 11 version of the cert repository:
  • hal-no-no-ignore-0.5.12-29.20090226git.fc11.i386.rpm - This package causes the Hardware Abstraction Layer (hal) to not ignore various file system types (ntfs, vfat) that are normally ignored by default. See the documentation on hal.

July 10, 2009: Fedora 11 is now supported by the repository.

June 2, 2009: The following tools have been repaired and installed in the Fedora 8, 9, 10 repositories:
  • Volatility-1.1.2-2.fc10.i386.rpm - Missing files were added and the command language interpreter, python in this case, was correctly referenced.

May 26, 2009: The following tool has been added to the Fedora 8, 9, and 10 versions of the splunk repository:
  • splunk-3.4.9-57762.i386.rpm - Splunk, version 3.4.9, build 57762. See the release notes here.

April 28, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • libewf-devel-static-20080501-3.fc10.i386.rpm - A static version of the libewf libraries. These libraries are needed to build PyFlag.
  • pyflag-0.87.pre1-7.i386.rpm - The Python-based Forensic and Log Analysis (FLAG) GUI.

April 23, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • python-urwid-0.9.8.4-1.noarch.rpm - Python library for making text console applications. This is needed to build PyFlag.

April 15, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • sfdumper-1.6-1.fc10.noarch.rpm - A Selective File Dumper built on top of the Sleuthkit.

April 14, 2009: The following tools have been added to the Fedora 10 version of the cert-test repository:
  • guymager-0.3.1-2.fc10.i386.rpm - A GUI disk imager.
  • libguytools-1.0.4-1.fc10.i386.rpm - Libraries required by guymager.
  • gtkhash-0.2.1-1.fc10.i386.rpm - A GUI front-end for hashing.
  • fundl-1.0-1.fc10.noarch.rpm - A File UNDeLetion script.

April 14, 2009: A test repository entry has been added to the Fedora 10 version of the /etc/yum.repos.d/cert-forensics-tools.repo repository definition file. This lets us provide tools for testing purposes. The test entry is not enabled on its own: to enable it, edit the cert-forensics-tools.repo file and set enabled to 1 in that entry, as in enabled=1.



Last updated: February 7, 2012