[NBLUG/talk] Forensics : finding changed files
Kyle Rankin
kyle at nblug.org
Mon Dec 19 10:55:16 PST 2005
On Mon, Dec 19, 2005 at 10:11:40AM -0800, Rick wrote:
> Hi Everyone,
>
> I have a *nix box that hasn't been used much, and I want to search through the filesystems to see what changes have been made since it was installed. Basically, I can ignore any changes in the last few days, and all the files that were installed as part of the original installation. This seems like a simple problem, but the find command seems too limited to accomplish this task for the filesystem as a whole. Or maybe it's just me, but I haven't been able to use the find command solve this problem.
>
> One simple solution would be to produce a list of all files and their last modification date, then sort this list by date. Unfortunately, I haven't found an easy way to accomplish this task.
>
> I'm sure there must be a trivial solution to this problem. Before I develop a brute force method, does anyone know an easier way to gather this information? This is a rather basic box, with only the standard commands and shells available.
>
> Thanks,
> Rick
>
>
Hi Rick,
Probably the best way is to use a full-fledged forensics tool like
grave-robber from the Coroner's toolkit. The main advantage is that its
default invocation will create a database of all of the files on the system
along with permission and MACtimes (it calls this file "body").
I cover some of the basics in a more general Knoppix system rescue talk I give. The slides are at http://greenfly.org/talks/knoppix/rescue.html and skip ahead to slide #30 to get straight to forensics. Basically, install the full coroner's toolkit to your computer (or alternatively boot Knoppix), pick a directory to store the information (perhaps a mounted partition under /mnt/hdb1/data) and pick a mounted partition to scan (for instance under /mnt/hda1). Then you'd type:
grave-robber -m -c /mnt/hda1 -o LINUX2 -d /mnt/hdb1/data -v
as root.
Then you can run the 'mactime' utility included with the coroner's toolkit
on the data/body database grave-robber creates. Alternatively you can run
mactime directly on the filesystem itself if you want. It takes as an
option the date (or date range) to display:
mactime -y 1/1/1970 -b /mnt/hdb1/data/body
With mactime, you can see a complete view of all of the files in your
filesystem sorted by MAC time (Modification, Access, or permissions
Changed).
Here's a second source for information about mactime:
http://www.cert.org/security-improvement/implementations/i046.01.html
Hope this helps. For you or anyone else who is really interested in
forensics, I highly recommend Farmer and Venema's latest book Forensic
Discovery (020163497X). They are the creators of the Coroner's Toolkit
along with a number of other popular Unix tools (Venema is the author of
the postfix MTA) and this book provides a good basis for getting into
computer forensics.
--
Kyle Rankin
NBLUG President
The North Bay Linux Users Group
http://nblug.org
IRC: greenfly at irc.freenode.net #nblug
kyle at nblug.org
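As an added example (not from this thread, nor part of the Coroner's Toolkit), here is the same idea done with the standard tools Rick mentioned: build a grave-robber-style "body" listing of one mounted filesystem, then select and order entries by mtime the way mactime does for a date range. It assumes GNU find, sort and date; the function names make_body and timeline are my own.

```shell
#!/bin/sh
# make_body DIR BODYFILE
# One line per object: mtime|ctime|atime|mode|owner|path, times in epoch
# seconds. -xdev keeps find on one filesystem, so a mounted partition such
# as /mnt/hda1 is scanned on its own. (Paths containing '|' or newlines
# would break the field layout; real body files use their own escaping.)
make_body() {
    find "$1" -xdev -printf '%T@|%C@|%A@|%m|%u|%p\n' 2>/dev/null > "$2"
}

# timeline BODYFILE START END
# Print entries whose mtime lies within [START, END] (epoch seconds),
# oldest first, as "YYYY-MM-DD HH:MM:SS mode owner path" in UTC.
# Mirrors mactime's date-range selection over the body file, so the
# original install and the last few days can be excluded by choosing
# START and END accordingly.
timeline() {
    sort -t '|' -k1,1n "$1" |
    awk -F '|' -v start="$2" -v end="$3" '
        { m = int($1) }
        m >= start && m <= end { print m "|" $4 "|" $5 "|" $6 }' |
    while IFS='|' read -r m mode owner path; do
        printf '%s %s %s %s\n' \
            "$(date -u -d "@$m" '+%Y-%m-%d %H:%M:%S')" \
            "$mode" "$owner" "$path"
    done
}

# Example run (constructed): scan /mnt/hda1, then show everything modified
# between 1 Dec 2005 and 16 Dec 2005 UTC.
#   make_body /mnt/hda1 /mnt/hdb1/data/body
#   timeline /mnt/hdb1/data/body "$(date -u -d 2005-12-01 +%s)" \
#            "$(date -u -d 2005-12-16 +%s)"
```

Because the body file records ctime and atime too, the same awk filter can be pointed at field 2 or 3 to build a ctime or atime timeline instead.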