Installing the DFIR packages
The DFIR packages currently live in the openSUSE security repository. A hopefully functional set of these packages is also shipped with openSUSE 12.2, so if you are using openSUSE 12.2 you can skip the repository setup in most cases.
sleuthkit is in the main openSUSE 12.1 repository, but that build does not have libewf or afflib support (it cannot open EWF or AFF disk images). If that version of sleuthkit is all you need, you can also skip the repository setup steps below:
Setting up your repositories
For openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured. If you are using openSUSE 12.2 and want to ensure you have the latest packaged version of the tools, you will also need to set up the following repositories. If you are an openSUSE 12.2 log2timeline user, it is highly recommended that you add both the security and devel:languages:perl repositories to get the latest bug fixes.
- security
- devel:languages:perl
- devel:languages:python
This is most easily done from the command line. The URLs below assume openSUSE 12.1; substitute your release in the openSUSE_12.1 path component:
sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python
zypper lr # used to verify that the repositories are configured
Installing the packages
Once you have the repositories set up as above, you can install the DFIR packages just like any other openSUSE package, from YaST or from zypper.
For those who prefer the command line, any of the commands below should work:
sudo zypper in ewftools
sudo zypper in afflib-tools
sudo zypper in exiftool
sudo zypper in sleuthkit
sudo zypper in mac-robber
sudo zypper in dc3dd
sudo zypper in bulk_extractor
sudo zypper in fiwalk
sudo zypper in log2timeline
sudo zypper in yara
sudo zypper in volatility
sudo zypper in analyzeMFT
sudo zypper in ssdeep
The packages are built with proper dependency metadata, so you only need to run the commands above for the tools you actually want to use. Any other packages they require will be installed automatically.
For instance, volatility requires yara, python-yara, and distorm3, so when you install volatility, zypper will prompt you to install those required packages as well.
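The repository setup and package installation above, as one script. This is an added example, not code from the wiki page or from the openSUSE security team: it builds the repository URLs from a release number, adds the three repositories under the same aliases as above, refreshes the metadata, verifies the result with zypper lr, and installs a selection of the tools. The repo_url, run and add_repo helper names, the default tool list and the APPLY switch are this example's own choices; by default the script only prints the zypper commands it would run.

```sh
#!/bin/sh
# Added example, not from the openSUSE wiki page: the repository setup and
# package installation described on the page, scripted for a chosen release.
# By default it only prints the zypper commands; set APPLY=1 to execute them.
# Usage: sh dfir-setup.sh [release]     (release defaults to 12.1)
set -eu

RELEASE="${1:-12.1}"
BASE="http://download.opensuse.org/repositories"

# Build the download URL for a build service project. Every colon in the
# project name is followed by a slash in the URL path, e.g.
# devel:languages:perl -> devel:/languages:/perl, as in the zypper ar
# commands on the page.
repo_url() {
    path=$(printf '%s' "$1" | sed 's|:|:/|g')
    printf '%s/%s/openSUSE_%s\n' "$BASE" "$path" "$2"
}

# Run a command, or just print it when APPLY is not set to 1.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "+ $*"
    fi
}

# Add a repository under the given alias unless one is already configured.
# -f enables autorefresh, as on the page. The existence check needs zypper,
# so it is only done when changes are actually being applied.
add_repo() {
    if [ "${APPLY:-0}" = "1" ] && zypper lr "$1" >/dev/null 2>&1; then
        echo "repository '$1' already configured, skipping"
    else
        run sudo zypper ar -f "$(repo_url "$2" "$RELEASE")" "$1"
    fi
}

main() {
    add_repo security security
    add_repo perl devel:languages:perl
    add_repo python devel:languages:python
    # Refreshing fetches the new metadata and prompts to trust the repository
    # signing keys; compare the fingerprints before accepting them.
    run sudo zypper refresh
    run zypper lr -u        # verify aliases and URLs
    # Tool selection is this example's own; adjust to taste.
    for pkg in sleuthkit ewftools afflib-tools log2timeline volatility; do
        run sudo zypper in "$pkg"
    done
}

main
```

Run it once without APPLY to review the commands it would issue for your release, then again with APPLY=1 to add the repositories and install the packages.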