[NBLUG/talk] Forensics : finding changed files

Chris Palmer chris at eff.org
Mon Dec 19 10:57:34 PST 2005


Rick writes:

> I  have a *nix box that hasn't been used much, and I want to search
> through the filesystems to see what changes have been made since it
> was installed.

Is this an actual forensic investigation, or just regular admin duty? If
it's a real forensic investigation, you don't want to (a) modify the
evidence (the disk) or (b) trust the software, file contents or file
metadata on the disk.

If it's regular admin duty, find(1) (for recursion) and stat(1) (for
file metadata, including last modified times) are your friends. From
there it's "sort -n" and the usual stuffs.

With GNU stat (on Linux):

    # find / -exec stat -c "%Y %N" {} \;

With BSD stat (BSDs, Mac OS X, maybe /usr/ucb/stat on Solaris?):

    # find / -exec stat -f "%m %N" {} \;

The mtimes are printed in seconds from the epoch, but you can make them
human-readable in post-processing.


-- 
https://www.eff.org/about/staff/#chris_palmer
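A worked version of the find/stat/sort recipe in the reply above, added here as an example and not part of Chris's post: it walks one filesystem with find(1), prints each regular file's mtime in seconds since the epoch (GNU stat's %Y, BSD stat's %m), keeps only files newer than a reference file such as one written at install time, sorts numerically, and then turns the epoch into a readable date in post-processing. The sample tree, its file names and the dates set with touch -t are constructed for the demo; the runtime GNU/BSD detection and the use of date -d / date -r for conversion are assumptions about which userland is present.

```shell
#!/bin/sh
# Added example (not from the original post): find(1) + stat(1) + sort -n,
# then epoch -> human-readable, as the reply describes.
# Assumes GNU coreutils (stat -c, date -d) with a fallback to BSD/macOS
# userland (stat -f, date -r); everything else is POSIX sh.

# Pick the stat(1) dialect once.
if stat -c '%Y' / >/dev/null 2>&1; then
    STAT_OPT=-c; STAT_FMT='%Y %n'   # GNU: %Y = epoch seconds (%y is the text form)
else
    STAT_OPT=-f; STAT_FMT='%m %N'   # BSD/macOS: %m = epoch seconds
fi

# Epoch mtime of a single file.
file_mtime() {
    stat "$STAT_OPT" "$STAT_FMT" "$1" | cut -d' ' -f1
}

# Epoch seconds -> "YYYY-MM-DD HH:MM:SS" in local time, GNU date first, BSD date as fallback.
epoch_to_human() {
    date -d "@$1" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || date -r "$1" '+%Y-%m-%d %H:%M:%S'
}

# List regular files under $1 whose mtime is later than that of $2 (a marker
# file, e.g. something written at install time), oldest first, one
# "<epoch> <path>" per line. -xdev keeps find on one filesystem so /proc,
# /sys and other mounts are not walked; the marker itself is excluded
# because its mtime is not strictly greater than the reference.
changed_since_file() {
    dir=$1; ref=$(file_mtime "$2")
    find "$dir" -xdev -type f -exec stat "$STAT_OPT" "$STAT_FMT" {} + \
      | awk -v ref="$ref" '$1 > ref' \
      | sort -n
}

# Same listing with the epoch turned into a readable timestamp.
changed_since_file_human() {
    changed_since_file "$1" "$2" | while read -r epoch path; do
        printf '%s %s\n' "$(epoch_to_human "$epoch")" "$path"
    done
}

# Constructed sample tree for the demo: a marker file standing in for the
# install time, plus files touched before and after it. Dates are arbitrary.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/var/log"
    printf 'x\n' > "$d/etc/passwd";       touch -t 200512010000 "$d/etc/passwd"
    printf 'x\n' > "$d/installed";        touch -t 200512100000 "$d/installed"
    printf 'x\n' > "$d/var/log/auth.log"; touch -t 200512150000 "$d/var/log/auth.log"
    printf 'x\n' > "$d/etc/rc.local";     touch -t 200512191057 "$d/etc/rc.local"
    printf '%s\n' "$d"
}

# Run with --demo to see the two post-marker files listed, oldest first.
if [ "${1-}" = "--demo" ]; then
    t=$(make_sample_tree)
    changed_since_file_human "$t" "$t/installed"
    rm -rf "$t"
fi
```

On a real box, replace the sample tree with "/" and the marker with a file you know was written at install time; if you don't have one, `find / -xdev -type f -newer FILE` gives the same selection without the stat/awk step, but the epoch listing is what lets you sort numerically and spot clusters of changes. Remember the caveat from the reply: on a system you suspect is compromised, a stat-based listing trusts the kernel, the stat binary and the mtimes themselves, all of which an intruder can alter, so do this on an image, not on the live disk.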
