security-forensics/sleuthkit
SHA256
4
0
Fork 0
forked from pool/sleuthkit
Code Pull Requests Activity

- version update to 4.14.0

Browse Source 
* This release REVERTS many changes from 4.13.0. It is more close to 4.12.1 than it is to 4.13.0.
  * It was created from the Dec 3, 2024 ct-3.13.0 tag (28a838d) and has changes from the Sleuth Kit Labs team.
        Added BitLocker support (Windows only)
        Updated LibVMDK and LibVHDI
        Updated to Visual Studio 2019
        Updated logical folder caching
        Java changes listed in the 4.13.0 release
  * Use of the optimize pragma was added to the Java SQLite code (after the 4.13.0 release)
- added patches
  8d710c36a9
  + sleuthkit-no-bool.patch

OBS-URL: https://build.opensuse.org/package/show/security:forensics/sleuthkit?expand=0&rev=38
This commit is contained in:
Jan Engelhardt
2025-07-13 10:33:15 +00:00
committed by Git OBS Bridge
commit f67a48e246
9 changed files with 886 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
.gitattributes vendored Normal file
View File

@@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
.osc

32
0001-build-support-libewf-V3.patch Normal file
View File

@@ -0,0 +1,32 @@
From b55196f9da7de4a5bad23bf0051a2d6c6ee7f04d Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 14 Feb 2023 09:14:43 +0000
Subject: [PATCH] build: support libewf V3
References: https://github.com/sleuthkit/sleuthkit/pull/2810
---
tsk/img/ewf.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tsk/img/ewf.cpp b/tsk/img/ewf.cpp
index 1dc8c81da..3ae381e6b 100755
--- a/tsk/img/ewf.cpp
+++ b/tsk/img/ewf.cpp
@@ -67,8 +67,14 @@ ewf_image_read(TSK_IMG_INFO * img_info, TSK_OFF_T offset, char *buf,
tsk_take_lock(&(ewf_info->read_lock));
#if defined( HAVE_LIBEWF_V2_API )
+#if LIBEWF_VERSION >= 20160319
+ /* V3 API */
+ cnt = libewf_handle_read_buffer_at_offset(ewf_info->handle,
+ buf, len, offset, &ewf_error);
+#else
cnt = libewf_handle_read_random(ewf_info->handle,
buf, len, offset, &ewf_error);
+#endif
if (cnt < 0) {
char *errmsg = NULL;
tsk_error_reset();
--
2.39.1

55
sleuthkit-4.12.0_add-lvm-support.patch Normal file
View File

@@ -0,0 +1,55 @@
diff -uN sleuthkit-4.12.0/tsk/pool/tsk_lvm.hpp ../../src/sleuthkit/4.12.0/tsk/pool/tsk_lvm.hpp
--- sleuthkit-4.12.0/tsk/pool/tsk_lvm.hpp 1970-01-01 01:00:00.000000000 +0100
+++ ../../src/sleuthkit/4.12.0/tsk/pool/tsk_lvm.hpp 2023-03-31 16:51:59.863371629 +0100
@@ -0,0 +1,51 @@
+/*
+ * The Sleuth Kit - Add on for Linux LVM support
+ *
+ * Copyright (c) 2022 Joachim Metz <joachim.metz@gmail.com>
+ *
+ * This software is distributed under the Common Public License 1.0
+ */
+
+#pragma once
+
+#include "tsk/base/tsk_base_i.h"
+
+#if HAVE_LIBVSLVM
+
+#include "tsk_pool.hpp"
+
+#include <libbfio.h>
+#include <libvslvm.h>
+
+class LVMPool;
+
+class LVMPool : public TSKPool {
+ protected:
+ TSK_IMG_INFO *_img;
+ // Start of the pool data within the image
+ TSK_OFF_T _offset;
+ libbfio_pool_t *_file_io_pool = NULL;
+ libvslvm_handle_t *_lvm_handle = NULL;
+ libvslvm_volume_group_t *_lvm_volume_group = NULL;
+
+ public:
+ LVMPool(std::vector<img_t> &&imgs);
+
+ // Moveable
+ LVMPool(LVMPool &&) = default;
+ LVMPool &operator=(LVMPool &&) = default;
+
+ // Not copyable because of TSK_IMG_INFO pointer
+ LVMPool(const LVMPool &) = delete;
+ LVMPool &operator=(const LVMPool &) = delete;
+
+ ~LVMPool();
+
+ std::string identifier;
+
+ ssize_t read(uint64_t address, char *buf, size_t buf_size) const
+ noexcept final;
+};
+
+#endif /* HAVE_LIBVSLVM */
+

3
sleuthkit-4.12.1.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:6b2de0baabc6a38429a33993114ca3820329b477d5038cbf45fcf69fca8addfd
size 3768424

3
sleuthkit-4.14.0.tar.gz Normal file
View File

@@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:fb6ea1801bcfc4c7d3a283d7592c6bd65add655411749513b5c429b86541e9a9
size 3831626

34
sleuthkit-no-bool.patch Normal file
View File

@@ -0,0 +1,34 @@
Index: sleuthkit-4.14.0/tsk/base/crc.h
===================================================================
--- sleuthkit-4.14.0.orig/tsk/base/crc.h
+++ sleuthkit-4.14.0/tsk/base/crc.h
@@ -82,6 +82,8 @@ Status : Copyright (C) Ross Williams, 1
#ifndef CM_DONE
#define CM_DONE
+#include <stdbool.h>
+
/******************************************************************************/
/* The following definitions are extracted from my style header file which */
@@ -91,7 +93,6 @@ Status : Copyright (C) Ross Williams, 1
#ifndef DONE_STYLE
typedef unsigned long ulong;
-typedef unsigned bool;
typedef unsigned char * p_ubyte_;
#ifndef TRUE
Index: sleuthkit-4.14.0/tsk/img/aff.c
===================================================================
--- sleuthkit-4.14.0.orig/tsk/img/aff.c
+++ sleuthkit-4.14.0/tsk/img/aff.c
@@ -14,8 +14,6 @@
#if HAVE_LIBAFFLIB
-typedef int bool;
-
#include "aff.h"
/* Note: The routine -assumes- we are under a lock on &(img_info->cache_lock)) */

539
sleuthkit.changes Normal file
View File

@@ -0,0 +1,539 @@
-------------------------------------------------------------------
Tue Jul 8 12:54:38 UTC 2025 - pgajdos@suse.com
- version update to 4.14.0
* This release REVERTS many changes from 4.13.0. It is more close to 4.12.1 than it is to 4.13.0.
* It was created from the Dec 3, 2024 ct-3.13.0 tag (28a838d) and has changes from the Sleuth Kit Labs team.
Added BitLocker support (Windows only)
Updated LibVMDK and LibVHDI
Updated to Visual Studio 2019
Updated logical folder caching
Java changes listed in the 4.13.0 release
* Use of the optimize pragma was added to the Java SQLite code (after the 4.13.0 release)
- added patches
https://github.com/sleuthkit/sleuthkit/commit/8d710c36a947a2666bbef689155831d76fff56b9
+ sleuthkit-no-bool.patch
-------------------------------------------------------------------
Sat Jan 27 16:08:26 UTC 2024 - Greg Freemyer <Greg.Freemyer@gmail.com>
- update to 4.12.1
* C/C++:
* Bug fixes from Luis Nassif and Joachim Metz
* Added check to stop for very large folders to prevent memory exhaustion
* Java:
* Added File Repository concept for files to be stored in another location
* Schema updated to 9.4
* Fixed OS Account merge bug and now fire events when accounts are merged
- remove sleuthkit-4.12.0_add-missing-include-file.patch
* No longer missing
* gh#sleuthkit/sleuthkit#2812
- add sleuthkit-4.12.0_add-lvm-support.patch
* Joachem Metz submitted changes to 4.12.0 to allow lvm support, but one header file was missed
-------------------------------------------------------------------
Fri Feb 17 22:36:16 UTC 2023 - Greg Freemyer <Greg.Freemyer@gmail.com>
- update to 4.12.0
* Add Linux LVM support
* Logical File System support (a folder structure is parsed by TSK libraries)
* Many small fixes
- update to 4.11.1
* C/C++:
* Several fixes from @joachimmetz
* NTFS Decompression bug fix from @kastonework and @uckelman-sf
* Java:
* Fixed connection leak when making OS Accounts in bridge
* OsAccount updates for instance types and special Windows SIDs
Fixed issue with duplicate value in Japanese timeline translation
- update to 4.11.0
* C/C++:
* Added checks at various layers to detect encrypted file systems and disks to give more useful error messages.
* Added checks to detect file formats that are not supported (such as AD1, ZIP, etc.) to give more useful error messages.
* Added tsk_imageinfo tool that detects if an image is supported by TSK and if it is encrypted.
* Add numerous bound checks from @joachimmetz
* Clarified licenses as pointed out by @joachimmetz
* Java:
* Updated from Schema 8.6 to 9.1.
* Added tables and classes for OS Accounts and Realms (Domains).
* Added tables and classes for Host Addresses (IP, MAC, etc.).
* Added tables and classes for Analysis Results vs Data Artifacts by adding onto BlackboardArtifacts.
* Added tables and classes for Host and Person to make it easier to group data sources.
* Added static types for standard artifact types.
* Added File Attribute table to allow custom information to be stored for each file.
* Made ordering of getting lock and connection consistent.
* Made the findFile methods more efficient by using extension (which is indexed).
- add 0001-build-support-libewf-V3.patch to support the experimental release branch of libewf
- add sleuthkit-4.12.0_add-missing-include-file.patch
-------------------------------------------------------------------
Sat Jun 26 20:52:56 UTC 2021 - Greg Freemyer <Greg.Freemyer@gmail.com>
- update to 4.10.2:
* C/C++
* Added support for Ext4 inline data
* Java
* New Blackboard Artifacts for ALEAPP/ILEAPP, Yara, Geo Area, etc.
* Upgraded to PostgreSQL JDBC Driver 42.2.18
* Added SHA256 to files table in DB and added utility calculation methods.
* Changed TimelineManager to make events for any artifact with a time stamp
* Added Japanese translations
* Fixed synchronization bug in getUniquePath
-------------------------------------------------------------------
Sat Jun 26 14:44:48 UTC 2021 - Greg Freemyer <Greg.Freemyer@gmail.com>
- fix overly picky Buildrequires statement
-------------------------------------------------------------------
Wed Jun 9 11:07:50 UTC 2021 - Greg Freemyer <Greg.Freemyer@gmail.com>
- update Buildrequires line for libewf
- all libyal packages have been updated from github
-------------------------------------------------------------------
Sun Jan 17 23:45:25 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 4.10.1:
* Changed Windows build to use Nuget for libewf, libvmdk, libvhdi.
* Fixed compiler warnings
* Clarified licenses and added Apache license to distribution
* Improved error handling for out of memory issues
* Rejistry++ memory leak fixes
- spec-cleaner
-------------------------------------------------------------------
Wed Dec 16 03:47:42 UTC 2020 - Greg Freemyer <Greg.Freemyer@gmail.com>
- Update spec file to call for libewf version 0~20140811
* Newer versions of libewf are experimental and not to be used in production
-------------------------------------------------------------------
Sun Nov 8 00:16:24 UTC 2020 - Greg Freemyer <Greg.Freemyer@gmail.com>
- Update to 4.10.0:
* C/C++:
- Removed PostgreSQL code (that was used only by Java code)
- Added Java callback support so that database inserts are done in Java.
* Java:
- Added methods and callbacks as required to allow database population to happen in Java instead of C/C++.
- Added support to allow Autopsy streaming ingest where files are added in batches.
- Added TaggingManager class and concept of a TagSet to support ProjectVic categories.
- Fixed changes to normalization and validation of emails and phone numbers.
- Added a CASE/UCO JAR file that creates JSON-LD based on TSK objects.
-------------------------------------------------------------------
Wed May 27 10:21:02 UTC 2020 - Paolo Stivanin <info@paolostivanin.com>
- Update to 4.9.0:
* C/C++
- Removed framework project. Use Autopsy instead if you need an analysis framework.
- Various fixes from Google-based fuzzing.
- Ensure all reads (even big ones) are sector aligned when reading from Windows device.
- Ensure all command line tools support new pool command line arguments.
- Create virtual files for APFS unallocated space
- HFS fix to display type
* Java:
- More artifact helper methods
- More artifacts and attributes for drones and GPS coordinates
- Updated TimelineManager to insert GPS artifacts into events table
-------------------------------------------------------------------
Tue Jan 28 12:46:52 UTC 2020 - Greg Freemyer <Greg.Freemyer@gmail.com>
- Update to 4.8.0:
* added APFS support which required significant changes
* added pool logic as required for APFS
* fixes to the logical imager support
* various other fixes
- Update to 4.7.0
* improvements to the logical imager
* feature enhancements in support of autopsy release
- added pstat tool
-------------------------------------------------------------------
Tue Jan 28 11:31:43 UTC 2020 - Greg Freemyer <Greg.Freemyer@gmail.com>
- update libewf buildrequires from 20140608 to 20140808
* libewf 20140608 is from the stable branch
* libewf 20140808 is the latest stable branch release
-------------------------------------------------------------------
Mon Aug 19 02:22:48 UTC 2019 - Greg Freemyer <Greg.Freemyer@gmail.com>
-Update to 4.6.7:
* First release of new logical imager tool
* VHD image writer fixes for out of space scenarios
-Update to 4.6.6:
* Acquisition details are set in DB for E01 files
* Fix NTFS decompression issue (from Joe Sylve)
* Image reading fix when cache fails (Joe Sylve)
* Fix HFS+ issue with large catalog files (Joe Sylve)
* Fix free memory issue in srch_strings (Derrick Karpo)
-------------------------------------------------------------------
Fri Jan 18 06:43:11 UTC 2019 - seanlew@opensuse.org
-Update to 4.6.5:
* HFX boundary check fix
* New fields for hash value and acquisitions details
* Store "created schema version" in case database
* New Java artifacts and attributes defined
* Fixed bug in SleuthkitCase.getContentById()
* Fixed bug in LayoutFile.read() that could allow oob reading
-------------------------------------------------------------------
Fri Jan 4 13:50:54 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
- Avoid name repetition in summaries.
-------------------------------------------------------------------
Fri Dec 21 09:54:58 UTC 2018 - atoptsoglou@suse.com
-Update to 4.6.4:
*Java Code:
- Increase max statements in database to prevent errors under load
- Have a max timeout for SQLite retries
-Update to 4.6.3:
*C/C++ Code:
- Hashdb bug fixes for corrupt indexes and 0 hashes
- New code for testing power of number in ExtX code
*Java Code:
- New class that allows generic database access
- New methods that check for duplicate artifacts
- Added caches for frequently used content
*Database Schema:
- Added Examiner table
- Tags are now associated with Examiners
- Changed parent_path for logical files to be consistent with FS files.
-Update to 4.6.2:
*C/C++ Code:
- Various compiler warning fixes
- Added small delay into image writer to not starve other threads
*Java Code:
- Added more locking to ensure that handles were not closed while other threads were using them.
- Added APIs to support more queries by data source
- Added memory-based caching when detecting if an object has children or not.
-Update to 4.6.1:
*C/C++ Code:
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- Cleanup and fixes from uckelman-sf and others
- PostgreSQL, libvhdi, & libvmdk are supported
- Fixed display of NTFS GUID in istat - report from Eric Zimmerman.
- NTFS istat shows details about all FILE_NAME attributes, not just the first. report from Eric Zimmerman.
*Java Code:
- Reports can be URLs
- Reports are Content
- Added APIs for graph view of communications
- JNI library is extracted to name with user name in it to avoid conflicts
*Database:
- Version upgraded from to 8.0 because Reports are now Content
-Update to 4.6.0:
*New Features
- New Communications related Java classes and database tables.
- Java build updates for Autopsy Linux build
- Blackboard artifacts are now Content objects in Java and part of tsk_objects table in database.
- Increased cache sizes.
- Lots of bounds checking fixes from Google's fuzzing tests. Thanks Google.
- HFS fix from uckelman-sf.
-Update to 4.5.0:
*New Features:
- Support for LZVN compressed HFS files (from Joel Uckelman)
- Use sector size from E01 (helps with 4k sector sizes)
- More specific version number of DB schema
- New Local Directory type in DB to differentiate with Virtual Directories
- All blackboard artifacts in DB are now 'content'. Attachments can now be children of their parent message.
- Added extension as a column in tsk_files table.
*Bug Fixes:
- Faster resolving of HFS hard links
- Lots of fixes from Google Fuzzing efforts.
-------------------------------------------------------------------
Thu Sep 14 22:07:19 UTC 2017 - Greg.Freemyer@gmail.com
- update to 4.4.2
* usnjls tool for NTFS USN log (from noxdafox)
* Added index to mime type column in DB
* Use local SQLite3 if it exists (from uckelman-sf)
* Blackboard Artifacts have a shortDescription metho
* Fix for highest HFS+ inum lookup (from uckelman-sf)
* Fix ISO9660 crash
* various performance fixes and added thread safety checks
- add files related to the new usnjls tool
-------------------------------------------------------------------
Sat Feb 25 20:30:33 UTC 2017 - Greg.Freemyer@gmail.com
- update to 4.4.0
* Compiling in Windows now uses Visual Studio 2015
* tsk_loaddb now adds new files for slack space
and JNI was upgraded accordingly.
-------------------------------------------------------------------
Fri Jul 29 23:02:03 UTC 2016 - Greg.Freemyer@gmail.com
- update to 4.3.0
* PostgreSQL support (Windows only)
* Support for virtual machine formats via libvmdk and libvhdi (Windows only)
* Schema updates (data sources table, mime type, attributes store type)
* tsk_img_open can take externally created TSK_IMG_INFO
* New Release_ NoLibs Visual Studio target
* Various bug fixes
-------------------------------------------------------------------
Wed Feb 3 23:18:34 UTC 2016 - Greg.Freemyer@gmail.com
- upgrade to 4.2.0
* ExFAT support added
* New database schema
* New Sqlite hash database
* Added secondary hash database index
* Various bug fixes
* NTFS pays more attention to sequence and loads metadata only
if it matches.
- README.txt renamed README.md
- patch sleuthkit-4.1.3-python-tsk.patch removed, now upstream
-------------------------------------------------------------------
Wed Aug 13 19:48:56 UTC 2014 - Greg.Freemyer@gmail.com
- upgrade to 4.1.3
* fixed bug that could crash UFS/ExtX in inode_lookup.
* More bounds checking in ISO9660 code
* Image layer bounds checking
* Update version of SQLITE-JDBC
* changed how java loads navite libraries
* Config file for YAFFS2 spare area
* New method in image layer to return names
* Yaffs2 cleanup.
* Escape all strings in SQLite database
* SQlite code uses NTTFS sequence number to match parent IDs
* FILE_NAME times in timelines
* Cellebrite disk image auto-detect
* 64-bit windows targets
* Fixed bug with Sqlite code not using NTFS Sequence
* Jar files have native libraries in them
- remove sleuthkit-4.1.0-UPSTREAM-crc.patch, now in upstream release
- add sleuthkit-4.1.3-python-tsk.patch, needed by python-tsk
-------------------------------------------------------------------
Tue Oct 15 23:45:40 UTC 2013 - Greg.Freemyer@gmail.com
- remove BuildRequires libaff - The format never got popular, and libewf is now recommended
- libaff is being dropped from factory
-------------------------------------------------------------------
Sat Jun 22 02:46:38 UTC 2013 - Greg.Freemyer@gmail.com
- this upgrade breaks most packages that build against sleuthkit-devel
- upgrade to 4.1.0
* New Features in Core:
Added YAFFS2 support (patch from viaForensics).
Added Ext4 support (patch from kfairbanks)
* Framework:
Added Linux and MAC support.
Added L01 support.
Added APIs to find files by name, path and extension.
Removed deprecated TskFile::getAttributes methods.
moved code around for AutoBuild tool support.
* Java Bindings:
added DerivedFile datamodel support
added a public method to Content to add ability to close() its tsk handle before the object is gc'd
added faster skip() and random seek support to ReadContentInputStream
refactored datamodel by pushing common methods up to AbstractFile
fixed minor memory leaks
improved regression testing framework for java bindings datamodel
* -devel
proper soname handling requires fixes in packages linking to libtsk
/usr/include/tsk3 renamed /usr/include/tsk
libtsk3-9.so renamed libtsk-10.so due to proper soname handling
other include file changes
- rm fiwalk patch, now in upstream
- add crc.c patch, now in upstream git repo
- sortr renamed sorter by upstream
- upstream improved soname handling, reflect improvements
- add the java bindings to sleuthkit-devel (Packaging not well tested)
- resolves BNC#815061
-------------------------------------------------------------------
Sun Mar 3 18:10:35 UTC 2013 - Greg.Freemyer@gmail.com
- Add obsoletes statement for fiwalk
- add patch to support "fiwalk -m"
-------------------------------------------------------------------
Wed Feb 13 14:58:21 UTC 2013 - hpj@urpla.net
- Version 4.0.2
New Features in Core:
fiwalk is now included.
Bug Fixes in Core:
Fixed fcat to work on NTFS files (still doesn't support ADS though).
Fixed HFS+ support in tsk_loaddb / SQLite -- root directory was not added.
NTFS code now looks at all MFT entries when listing directory contents. It used to only look at unallocated entries for orphan files. This fixes an image that had allocated files missing from the directory b-tree.
NTFS code uses sequence number when searching MFT entries for all files.
Libewf detection code change to support v2 API more reliably (ID: 3596212).
NTFS $SII code could crash in rare cases if $SDS was multiple of block size.
Framework:
Added new API to TskImgDB that returns the base name of an image.
Numerous performance improvements to framework.
Removed requirement in framework to specify module extension in pipeline configuration file.
Added blackboard artifacts to represent both operating system and network service user accounts.
Java Bindings
More methods to query files
Methods to get current directory when being added to DB.
Modified class structure a bit
More lazy loading for children / parents.
Better exception throwing from C++
- Version 4.0.1
New Features:
More DOS partition types are displayed.
Added fcat tool that takes in file name and exports content (equivalent to using ifind and icat together).
performance improvements with FAT code (maps and dir_add)
performance improvements with NTFS code (maps)
added AONLY flag to block_walk
Updated blkls and blkcalc to use AONLY flag -- MUCH faster.
Bug Fixes:
Fixed mactime issue where it could choose the wrong timezone that did not follow daylight savings times.
Fixed file size of alternate data streams in framework.
Incorporated memory leak fixes and raw device fixes from ADF Solutions.
-------------------------------------------------------------------
Tue Oct 2 17:04:51 UTC 2012 - Greg.Freemyer@gmail.com
- Version 4.0.0
- general release of the 4.0.0b1 beta release
- only tested by upstream in windows
-------------------------------------------------------------------
Thu Sep 6 21:30:48 UTC 2012 - Greg.Freemyer@gmail.com
- Version 4.0.0b1
- Builds with libewf-20120813 (libewf v2)
- drop sleuthkit-gcc47.patch: upstreamed
4.0.0b1 has a lot of new features, including:
. Framework with first set of basic modules (hash calculation, hash lookup, entropy calculation, RegRipper, ZIP file extraction, extraction via name signatures, etc.) -- Windows-only
. Multithreaded support
. C++ wrapper classes
. JNI bindings and data model classes
. All non-set times are displayed as 0 instead of 1970.
. Only first file in split or E01 needs to be specified.
. EnCase Hashset support in hash tools.
. New table schema for loaddb database that supports more data types (carved, local files, etc.).
-------------------------------------------------------------------
Wed Apr 11 12:08:24 UTC 2012 - dimstar@opensuse.org
- Add sleuthkit-gcc47.patch: Fix buffer overflow.
-------------------------------------------------------------------
Fri Oct 21 12:56:42 UTC 2011 - Greg.Freemyer@gmail.com
- Add EnCase image support for reading
- Source code support was already present, this just involved linking libewf into the build
-------------------------------------------------------------------
Fri Oct 7 22:53:03 UTC 2011 - Greg.Freemyer@gmail.com
- VERSION 3.2.3
New Features:
- new TskAuto method (handleNotification()) that gets verbose messages that allow for debugging when the class makes decisions.
- DOS partitions are loaded even if an extended partition fails to load
- new TskAuto::findFilesInFs(TSK_FS_INFO *) method
- Need to only specify first E01 file and the rest are found
- Changed docs license to opensuse accepted one (by upstream)
- Unicode conversion routines fix invalid UTF-16 text during conversion
- Added '-d' to tsk_recover to specify directory to recover
Bug Fixes:
- Added check to fatfs_open to compare first sectors of FAT if we used backup boot sector and verify it is FAT32.
- More checks to make sure that FAT short names are valid ASCII
- 3406523: Mactime size sanity check
- 3393960: hfind reading of Windows input file
- 3316603: Error reading last blocks of RAW CD images
- Fixed bugs in how directories and files were detected in TskAuto
-------------------------------------------------------------------
Thu Aug 4 02:44:10 UTC 2011 - toganm@opensuse.org
- Update sleuthkit-3.2.2.tar.gz
* cleaned spec
-------------------------------------------------------------------
Mon Sep 13 17:12:04 UTC 2010 - toganm@dinamizm.com
- Reworking the spec file
-------------------------------------------------------------------
Mon Sep 13 16:36:53 UTC 2010 - toganm@opensuse.org
- Spec file corrections
-------------------------------------------------------------------
Mon Sep 13 2010 Togan Muftuoglu <toganm@opensuse.org> -3.1.3
- Adaptation of spec file from fedora project
- Update to 3.1.3
Thu Apr 29 2010 Nicolas Chauvet <kwizart@fedoraproject.org> - 3.1.1-1
- Update to 3.1.1
Sun Jul 26 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 3.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
Tue Feb 10 2009 kwizart < kwizart at gmail.com > - 3.0.1-1
- Update to 3.0.1 (final)
Tue Oct 28 2008 kwizart < kwizart at gmail.com > - 3.0.0-1
- Update to 3.0.0 (final)
Fri Oct 3 2008 kwizart < kwizart at gmail.com > - 3.0.0-0.1.b4
- Update to 3.0.0b4
Tue Jun 17 2008 kwizart < kwizart at gmail.com > - 2.52-1
- Update to 2.52
- Remove merged patches
- Remove clean unused-direct-shlib-dependencies
- Fix rpath at source.
- Sort license within the spec
- Move configure.ac to pkg-config detection
- Remove Perl-Date-Manip installation
Tue Mar 18 2008 kwizart < kwizart at gmail.com > - 2.51-1
- Update to 2.51
- Add libewf/afflib BR
- Requires mac-robber external package.
- Remove internal perl-Date-Manip.
Fri Dec 28 2007 kwizart < kwizart at gmail.com > - 2.10-1
- Update to 2.10
Mon Oct 29 2007 kwizart < kwizart at gmail.com > - 2.09-1
- Initial package for Fedora
(inspired from Oden Eriksson mdk spec).

196
sleuthkit.spec Normal file
View File

@@ -0,0 +1,196 @@
#
# spec file for package sleuthkit
#
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define sosuffix 23
Name: sleuthkit
Version: 4.14.0
Release: 0
Summary: Tools for file system and volume forensic analysis
License: CPL-1.0 AND IPL-1.0 AND GPL-2.0-or-later
Group: System/Monitoring
URL: https://www.sleuthkit.org/
Source0: https://github.com/%{name}/%{name}/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM upsteam_tarball_left_a_file_out gh#sleuthkit/sleuthkit#642
Patch1: 0001-build-support-libewf-V3.patch
# Joachim Metz provided support, but 1 header file was missed in the tarball
Patch2: sleuthkit-4.12.0_add-lvm-support.patch
# https://github.com/sleuthkit/sleuthkit/commit/8d710c36a947a2666bbef689155831d76fff56b9
Patch3: sleuthkit-no-bool.patch
BuildRequires: gcc-c++
#BuildRequires: libtool
# libewf - Newer versions are plain BSD (older are BSD with advertising)
#BuildRequires: libewf-devel = 20140811
BuildRequires: libewf-devel
BuildRequires: libbfio-devel
BuildRequires: libopenssl-devel
BuildRequires: zlib-devel
Requires: file
Requires: libtsk%{sosuffix} = %{version}
Requires: mac-robber
# fiwalk has been incorporated into sleuthkit. Last standalone version was 0.6.16
Provides: fiwalk = %{version}
Obsoletes: fiwalk < %{version}
%description
The Sleuth Kit (TSK) is a collection of UNIX-based command line tools that
allow you to investigate a computer. The current focus of the tools is the
file and volume systems and TSK supports FAT, Ext2/3, NTFS, UFS,
and ISO 9660 file systems
%package -n libtsk%{sosuffix}
Summary: Library for file system and volume forensic analysis
Group: System/Libraries
%description -n libtsk%{sosuffix}
The libtsk%{sosuffix} package contains library for %{name}.
The name of the library was changed from libtsk3 to libtsk
%package devel
Summary: Development files for %{name}
Group: Development/Libraries/Other
Requires: libtsk%{sosuffix} = %{version}
%description devel
The %{name}-devel package contains libraries and header files for
developing applications that use %{name}.
%prep
%autosetup -p1
%build
export LIBS=' -lpthread -ldl'
%configure --disable-static
# remove rpath from libtool
# closed by tm
sed -i.rpath 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i.rpath 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
# clean unused-direct-shlib-dependencies
#sed -i -e 's! -shared ! -Wl,--as-needed\0!g' libtool
# export CFLAGS="%%{optflags}"
# export CXXFLAGS="%%{optflags}"
export LDFLAGS="-avoid-version -module"
%make_build
%install
%if 0%{?sles_version}
make install DESTDIR=%{buildroot} INSTALL="install -p"
%else
%make_install INSTALL="install -p"
%endif
find %{buildroot} -type f -name "*.la" -delete -print
mkdir -p %{buildroot}/%{_datadir}/sleuthkit
cp --archive bindings %{buildroot}/%{_datadir}/sleuthkit/bindings
%post -n libtsk%{sosuffix} -p /sbin/ldconfig
%postun -n libtsk%{sosuffix} -p /sbin/ldconfig
%files
%doc ChangeLog.txt NEWS.txt README.md licenses/*
# License is CPL 1.0 exept for some files.
%{_bindir}/blkcalc
%{_bindir}/blkcat
%{_bindir}/blkls
%{_bindir}/blkstat
#{_bindir}/disk_sreset
#{_bindir}/disk_stat
%{_bindir}/fcat
%{_bindir}/ffind
%{_bindir}/fiwalk
%{_bindir}/fls
%{_bindir}/fsstat
%{_bindir}/hfind
%{_bindir}/icat
%{_bindir}/ifind
%{_bindir}/ils
%{_bindir}/img_cat
%{_bindir}/img_stat
%{_bindir}/istat
%{_bindir}/jcat
%{_bindir}/jls
%{_bindir}/jpeg_extract
# This file is described as GPL in the doc
# But the license remains CPL in the source.
%{_bindir}/mactime
##
%{_bindir}/mmcat
%{_bindir}/mmls
%{_bindir}/mmstat
%{_bindir}/pstat
%{_bindir}/sigfind
%{_bindir}/sorter
%{_bindir}/usnjls
## This file is GPLv2+
%{_bindir}/srch_strings
#
%{_mandir}/man1/blkcalc.1%{?ext_man}
%{_mandir}/man1/blkcat.1%{?ext_man}
%{_mandir}/man1/blkls.1%{?ext_man}
%{_mandir}/man1/blkstat.1%{?ext_man}
#{_mandir}/man1/disk_sreset.1*
#{_mandir}/man1/disk_stat.1*
%{_mandir}/man1/fcat.1%{?ext_man}
%{_mandir}/man1/ffind.1%{?ext_man}
%{_mandir}/man1/fls.1%{?ext_man}
%{_mandir}/man1/fsstat.1%{?ext_man}
%{_mandir}/man1/hfind.1%{?ext_man}
%{_mandir}/man1/icat.1%{?ext_man}
%{_mandir}/man1/ifind.1%{?ext_man}
%{_mandir}/man1/ils.1%{?ext_man}
%{_mandir}/man1/img_cat.1%{?ext_man}
%{_mandir}/man1/img_stat.1%{?ext_man}
%{_mandir}/man1/istat.1%{?ext_man}
%{_mandir}/man1/jcat.1%{?ext_man}
%{_mandir}/man1/jls.1%{?ext_man}
%{_mandir}/man1/mactime.1%{?ext_man}
%{_mandir}/man1/mmcat.1%{?ext_man}
%{_mandir}/man1/mmls.1%{?ext_man}
%{_mandir}/man1/mmstat.1%{?ext_man}
%{_mandir}/man1/sigfind.1%{?ext_man}
%{_mandir}/man1/sorter.1%{?ext_man}
%{_mandir}/man1/usnjls.1%{?ext_man}
%dir %{_datadir}/tsk
%{_datadir}/tsk/sorter/
%{_bindir}/tsk_comparedir
%{_bindir}/tsk_gettimes
%{_bindir}/tsk_loaddb
%{_bindir}/tsk_recover
%{_bindir}/tsk_imageinfo
%{_mandir}/man1/tsk_comparedir.1%{?ext_man}
%{_mandir}/man1/tsk_gettimes.1%{?ext_man}
%{_mandir}/man1/tsk_loaddb.1%{?ext_man}
%{_mandir}/man1/tsk_recover.1%{?ext_man}
%files -n libtsk%{sosuffix}
# CPL and IBM
%{_libdir}/*.so.*
%files devel
# CPL and IBM
%{_includedir}/tsk/
%{_libdir}/*.so
%{_libdir}/pkgconfig/tsk.pc
%{_datadir}/sleuthkit
%changelog