'mac-robber' is a Forensics & Incident Response tool used to collect the Modified, Access, and Change (MAC) times from allocated files. It recursively reads the MAC times of files and directories and prints them in 'time machine' format to stdout. This format is the same one that the 'mactime' tool from The Coroner's Toolkit (TCT) reads.

It is different from 'grave-robber -m' because:

- It is written in C instead of Perl. Therefore, it is easy to compile for several platforms and put them on a CD or floppy for Incident Response cases.
- The data is written to stdout, so 'netcat' can be used to transfer the data off the compromised host.
- It is much faster!

To make a time line, 'mactime' (v1.09+) is still required. This only replaces the 'grave-robber' step.

'mac-robber' will be included in The @stake Sleuth Kit (TASK) collection of file system tools.

mac-robber url: http://www.atstake.com/research/tools/mac-robber-1.00.tar.gz

Additional @stake Forensic Tools: http://www.atstake.com/research/tools/index.html#forensic

brian

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 18:01:16 PST