
List:       sleuthkit-developers
Subject:    Re: [sleuthkit-developers] Suggestion for another tool within the Sleuthkit
From:       youcef bichbiche <ybichbiche () yahoo ! co ! uk>
Date:       2005-09-29 22:29:49
Message-ID: 20050929222949.71051.qmail () web25405 ! mail ! ukl ! yahoo ! com

Surago,
Valid question, but Sleuthkit is meant to be a file
system analysis and not an application analysis tool.

Stepping over that would open a Pandora's box of tools
that need to be added. So why not add a Windows event
log viewer, a registry viewer, etc.? The list is
endless.

youcef



--- Surago Jones <surago@sjones.co.nz> wrote:

> Not sure if this exists already somewhere else, and
> am not sure if it
> would be completely transportable between various
> operating systems but
> maybe some form of Tool that reads the
> /var/log/lastlog file and outputs
> the details would be handy.
> 
> I am currently performing the Forensic Challenge
> from the Honeynet
> Project (yeah a couple years later than everyone
> else, but still very
> beneficial for learning the functionality available
> in Autopsy and The
> SleuthKit).  
> 
> During my analysis I have extracted the
> /var/log/lastlog file and have
> used the lastlog.c source provided by Thomas
> Roessler to output the
> details I need, however because my C skills are very
> rusty (and I am
> time limited) I was thinking it would be handy if
> someone could improve
> this source to include the ability to set the
> timezone to use for the
> logon times output, and/or reference a /etc/passwd
> file to correlate the
> user ids to a username.
> 
> I haven't had much experience with other flavours of
> Linux (Mainly used
> the Red Hat varieties), so I don't know if such an
> addition to the
> SleuthKit would be a valuable addition or not, but
> if the lastlog file
> (or similar) is common to varying distributions and
> the data structure
> is similar then possibly this would be a great
> additional tool to
> include.
> 
> As the current method of exporting the data units,
> changing the timezone
> then using the lastlog.c source provided by Thomas
> Roessler, then
> changing my timezone back is somewhat cumbersome. 
> Obviously this is
> only a problem for me as my timezone is different to
> that of the
> compromised machine.
> 
> Just thought this suggestion might be useful, or if
> this wheel has
> already been invented somewhere then can someone
> please point me in the
> right direction.
> 
> Cheers
> 
> Surago.
> 
> 
> 
> 

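The tool Surago asks for above, as an added example that is not part of this thread, of The Sleuth Kit, or of Thomas Roessler's lastlog.c: it parses an exported /var/log/lastlog offline, renders each login time in a timezone chosen by the analyst rather than by the host's TZ setting, and correlates uids against an exported /etc/passwd. It assumes the glibc record layout (int32 ll_time, char ll_line[32], char ll_host[256], 292 bytes per uid) written in the compromised machine's native byte order; the passwd excerpt, the two login records, the 192.0.2.10 address, and the +12:00 offset are all constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Hypothetical lastlog parser written for this thread; not code from The
# Sleuth Kit or from lastlog.c. Record layout assumed from glibc's
# <lastlog.h>: int32 ll_time, char ll_line[32], char ll_host[256] = 292 bytes,
# one record per uid, in the writing host's native byte order.
UT_LINESIZE = 32
UT_HOSTSIZE = 256

# Constructed: offset of the compromised machine, so output is independent
# of the analyst's own TZ setting.
TZ_PLUS12 = timezone(timedelta(hours=12))


def record_struct(byteorder="<"):
    """struct.Struct for one lastlog record; '<' little-endian, '>' big-endian."""
    return struct.Struct("%si%ds%ds" % (byteorder, UT_LINESIZE, UT_HOSTSIZE))


def parse_passwd(text):
    """Map uid -> username from the text of an exported /etc/passwd."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        try:
            users[int(fields[2])] = fields[0]
        except ValueError:
            continue  # malformed line: skip it rather than abort the run
    return users


def _cstr(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def parse_lastlog(data, users=None, tz=timezone.utc, byteorder="<"):
    """Return one dict per uid whose slot holds a non-zero login time.

    Times are rendered in `tz`; a truncated trailing record is ignored.
    """
    users = users or {}
    rec = record_struct(byteorder)
    entries = []
    for uid in range(len(data) // rec.size):
        ll_time, ll_line, ll_host = rec.unpack_from(data, uid * rec.size)
        if ll_time == 0:
            continue  # slot never written: this uid has never logged in
        entries.append({
            "uid": uid,
            "user": users.get(uid, "uid=%d" % uid),  # fall back when passwd lacks the uid
            "time": datetime.fromtimestamp(ll_time, tz),
            "line": _cstr(ll_line),
            "host": _cstr(ll_host),
        })
    return entries


def make_sample(byteorder="<"):
    """Constructed lastlog image: 501 slots, only uid 0 and uid 500 populated."""
    rec = record_struct(byteorder)
    slots = [bytes(rec.size)] * 501
    slots[0] = rec.pack(1000000000, b"tty1", b"")            # 2001-09-09 01:46:40 UTC
    slots[500] = rec.pack(1000003600, b"pts/0", b"192.0.2.10")  # one hour later
    return b"".join(slots)


# Constructed /etc/passwd excerpt for the correlation step.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "alice:x:500:500::/home/alice:/bin/bash\n"
)
SAMPLE_LASTLOG = make_sample()

if __name__ == "__main__":
    users = parse_passwd(SAMPLE_PASSWD)
    for e in parse_lastlog(SAMPLE_LASTLOG, users, TZ_PLUS12):
        print("%-5d %-8s %-8s %-15s %s" % (
            e["uid"], e["user"], e["line"], e["host"], e["time"].isoformat()))
```

Replace the two sample inputs with the files exported from the image (and pass `byteorder=">"` for an image taken from a big-endian host) to get the same report for a real case.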




-------------------------------------------------------
This SF.Net email is sponsored by:
Power Architecture Resource Center: Free content, downloads, discussions,
and more. http://solutions.newsforge.com/ibmarch.tmpl
_______________________________________________
sleuthkit-developers mailing list
sleuthkit-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sleuthkit-developers

