Portal:Digital forensics and incident response/Topics


Installing the DFIR packages

The DFIR packages currently live in the openSUSE security repository; a hopefully functional set of packages is also shipped in openSUSE 12.2. If you are using openSUSE 12.2 you can skip the repository setup in most cases.

sleuthkit is in the main openSUSE 12.1 repository, but that version does not have libewf or afflib support. If that version of sleuthkit is all you need, you can also skip the repository setup steps below.

Setting up your repositories

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured. If you are using openSUSE 12.2 and want to ensure you have the latest packaged version of the tools, you will also need to set up the following repositories. If you are an openSUSE 12.2 log2timeline user, it is highly recommended that you add both the security and devel:languages:perl repositories to get the latest bug fixes.

  • security
  • devel:languages:perl
  • devel:languages:python

This is most easily done from the command line with the following commands (they assume openSUSE 12.1; adjust the version in the URLs for other releases):

sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python

zypper lr               # used to verify you have the repos installed

Installing the packages

Once you have the repositories set up as above, you can install the DFIR packages just like any other openSUSE package.

For those that prefer the command line, any of the below commands should work.

sudo zypper in ewftools
sudo zypper in afflib-tools
sudo zypper in exiftool
sudo zypper in sleuthkit
sudo zypper in mac-robber
sudo zypper in dc3dd
sudo zypper in bulk_extractor
sudo zypper in fiwalk
sudo zypper in log2timeline
sudo zypper in yara
sudo zypper in volatility
sudo zypper in analyzeMFT
sudo zypper in ssdeep

The packages are built with dependency logic, so you only need to run the above commands for the tools you want to use. If they require any of the other packages, those will be installed automatically.

For instance, volatility requires yara, python-yara, and distorm3, so when you install volatility, you will be prompted if you want to install those required packages as well.
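The repository setup and the package installation above are two halves of one procedure. As an added example (not code from the openSUSE wiki or the packaging project), the script below parametrises both on the openSUSE version, skips repositories that are already configured, and ends with a verification step that checks each alias against `zypper lr` and each package against `rpm -q`. The alias names, the `DRY_RUN` variable and the package selection in `main` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the openSUSE wiki page): parametrised repository
# setup and package install for the DFIR tools, with a verification step.
# Assumptions: the openSUSE version is passed as $1 (default 12.1); zypper
# and rpm are present when run for real; DRY_RUN=1 only prints the commands.

OSVER="${1:-12.1}"
DRY_RUN="${DRY_RUN:-0}"

# Map a short repository alias (our own naming) to its path on
# download.opensuse.org; unknown aliases fail rather than build a bad URL.
dfir_repo_path() {
    case "$1" in
        security) echo "security" ;;
        perl)     echo "devel:/languages:/perl" ;;
        python)   echo "devel:/languages:/python" ;;
        *)        return 1 ;;
    esac
}

# Build the full repository URL for an alias and an openSUSE version.
dfir_repo_url() {
    _p=$(dfir_repo_path "$1") || return 1
    echo "http://download.opensuse.org/repositories/${_p}/openSUSE_${2}"
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Add a repository with autorefresh (-f), skipping it if the alias exists.
add_repo() {
    if zypper lr "$1" >/dev/null 2>&1; then
        echo "repo '$1' already configured"
        return 0
    fi
    run sudo zypper ar -f "$(dfir_repo_url "$1" "$OSVER")" "$1"
}

# Install each requested package; zypper pulls in the dependencies itself.
install_pkgs() {
    for p in "$@"; do
        run sudo zypper in "$p"
    done
}

# Verify: every alias must be listed by zypper lr, every package known to rpm.
verify() {
    rc=0
    for r in security perl python; do
        zypper lr "$r" >/dev/null 2>&1 || { echo "missing repo: $r"; rc=1; }
    done
    for p in "$@"; do
        rpm -q "$p" >/dev/null 2>&1 || { echo "not installed: $p"; rc=1; }
    done
    return $rc
}

main() {
    for r in security perl python; do add_repo "$r"; done
    run sudo zypper refresh
    install_pkgs sleuthkit log2timeline volatility
    verify sleuthkit log2timeline volatility
}

# Only run the procedure when executed under this file name, not when sourced.
if [ "${0##*/}" = "dfir-setup.sh" ]; then
    main
fi
```

Run it as `DRY_RUN=1 sh dfir-setup.sh 12.2` first to see the exact commands it would issue. On the first refresh after adding a repository, zypper asks whether to trust that repository's signing key; check the key fingerprint before accepting, since everything installed afterwards is verified against it.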