List: forensics
Subject: mac-robber 1.00 release
From: Brian Carrier <bcarrier () atstake ! com>
Date: 2002-01-25 18:16:00
'mac-robber' is a Forensics & Incident Response tool used to collect
the Modified, Access, and Change (MAC) times from allocated files.
It recursively reads the MAC times of files and directories and prints
them in 'time machine' format to stdout. This format is the same
that the 'mactime' tool from The Coroner's Toolkit (TCT) reads.
It is different from 'grave-robber -m' because:
- It is written in C instead of Perl. Therefore, it is easy to
compile for several platforms and put them on a CD or floppy
for Incident Response cases.
- The data is written to stdout, so 'netcat' can be used to transfer
the data off the compromised host.
- It is much faster!
To make a time line, 'mactime' (v1.09+) is still required. This only
replaces the 'grave-robber' step.
'mac-robber' will be included in The @stake Sleuth Kit (TASK) collection
of file system tools.
mac-robber url:
http://www.atstake.com/research/tools/mac-robber-1.00.tar.gz
Additional @stake Forensic Tools:
http://www.atstake.com/research/tools/index.html#forensic
brian
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com