
List:       forensics
Subject:    mac-robber 1.00 release
From:       Brian Carrier <bcarrier () atstake ! com>
Date:       2002-01-25 18:16:00

'mac-robber' is a Forensics & Incident Response tool used to collect
the Modified, Access, and Change (MAC) times from allocated files.
It recursively reads the MAC times of files and directories and prints
them in 'time machine' format to stdout.  This format is the same one
that the 'mactime' tool from The Coroner's Toolkit (TCT) reads.

It is different than 'grave-robber -m' because:
- It is written in C instead of Perl.  Therefore, it is easy to 
  compile for several platforms and put them on a CD or floppy 
  for Incident Response cases.

- The data is written to stdout, so 'netcat' can be used to transfer 
  the data off of the compromised host.

- It is much faster!

To make a time line, 'mactime' (v1.09+) is still required.  This only
replaces the 'grave-robber' step.
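As an added illustration (not mac-robber's own source), a minimal C walker in the same spirit: it lstat()s every entry below a directory and prints one pipe-separated line per file to stdout, so the output can be piped to netcat exactly as the post describes. The field order and the 'class|host|start_time' header are assumptions about mactime's TCT-era body format; check them against your mactime version before relying on a timeline built from this output.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
/* ls-style permission string, e.g. "-rw-r--r--" or "drwxr-xr-x" */
static void mode_string(mode_t m, char out[11]) {
    const char *rwx = "rwxrwxrwx";
    out[0] = S_ISDIR(m) ? 'd' : S_ISLNK(m) ? 'l' : S_ISREG(m) ? '-' : '?';
    for (int i = 0; i < 9; i++)
        out[i + 1] = (m & (0400 >> i)) ? rwx[i] : '-';
    out[10] = '\0';
}
/* One body line: md5 (left as 0), path, stat fields, A/M/C times as epoch seconds.
 * The field order is an ASSUMPTION about mactime's input, not copied from mac-robber. */
int format_body_line(const char *path, const struct stat *st, char *buf, size_t n) {
    char ms[11];
    mode_string(st->st_mode, ms);
    return snprintf(buf, n,
        "0|%s|%llu|%llu|%llu|%s|%llu|%llu|%llu|%llu|%lld|%lld|%lld|%lld|%llu|%lld",
        path, (unsigned long long)st->st_dev, (unsigned long long)st->st_ino,
        (unsigned long long)st->st_mode, ms, (unsigned long long)st->st_nlink,
        (unsigned long long)st->st_uid, (unsigned long long)st->st_gid,
        (unsigned long long)st->st_rdev, (long long)st->st_size,
        (long long)st->st_atime, (long long)st->st_mtime, (long long)st->st_ctime,
        (unsigned long long)st->st_blksize, (long long)st->st_blocks);
}
/* Recursive walk with lstat(): symlinks are recorded but never followed, and
 * reading metadata (unlike opening each file) leaves the access times untouched. */
static void walk(const char *dir) {
    char path[4096], line[4600]; struct stat st; struct dirent *e;
    DIR *d = opendir(dir);
    if (!d) return;                       /* unreadable directory: skip it, keep going */
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0) continue;
        if (format_body_line(path, &st, line, sizeof line) > 0) puts(line);
        if (S_ISDIR(st.st_mode)) walk(path);
    }
    closedir(d);
}
int main(int argc, char **argv) {
    char host[256] = "unknown"; gethostname(host, sizeof host);
    printf("class|host|start_time\nbody|%s|%lld\n", host, (long long)time(NULL));
    walk(argc > 1 ? argv[1] : ".");
    return 0;
}
```

Usage on a suspect host is `./walker / | nc collector 9999`, with the collector end writing the stream to a file for mactime; nothing is written to the suspect disk.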

'mac-robber' will be included in The @stake Sleuth Kit (TASK) collection
of file system tools.  

mac-robber url: 
  http://www.atstake.com/research/tools/mac-robber-1.00.tar.gz

Additional @stake Forensic Tools: 
  http://www.atstake.com/research/tools/index.html#forensic


brian



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
