Re: [sleuthkit-users] Using mac-robber
From: Brian C. <ca...@sl...> - 2003-12-10 20:02:06
> I'm thinking of moving from "grave-robber" to
> "mac-robber". Could anyone tell me if "mac-robber"
> has everything that "grave-robber" has and more? Or
> "grave-robber" has some functionalities that
> "mac-robber" doesn't have. Thanks.

Tranh,

They are MUCH different. mac-robber only grabs the MAC time info (grave-robber -m I think) and that is it. grave-robber copies binaries, grabs logs and lots of other things that I have forgotten. I found grave-robber to be too big for incident response and this is the more focused version.

mac-robber can send the data to a remote host with netcat, which can't be done in grave-robber (which writes data to the local system or a network share).

I actually find mac-robber only useful in scenarios where The Sleuth Kit doesn't support the platform. The Sleuth Kit will give you the timelines with deleted files and it can bypass the kernel rootkits.

brian
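The reply above describes the mac-robber workflow only in outline (collect MAC times on the suspect host, ship them over netcat, turn them into a timeline). What follows is an added example, not code from the post, from Brian, or from The Sleuth Kit: a small Python script that does the timeline step the way mactime does it, i.e. one row per distinct timestamp per file with the combined m/a/c/b flags, sorted by time. The assumed collection side is something like `mac-robber / | nc analysis-host 9999` on the compromised box and `nc -l -p 9999 > body` on the analysis box (exact nc flags vary by version and are an assumption). The input format assumed here is the pipe-separated TSK body format as emitted by later mac-robber releases (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`); the sample lines are constructed for the example and describe no real incident.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the assumed TSK "body" format:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# (timestamps are Unix epoch seconds; 0 means "not recorded").
SAMPLE_BODY = """\
0|/bin/ls|1234|-rwxr-xr-x|0|0|77000|1070000000|1068000000|1068000000|0
0|/etc/passwd|99|-rw-r--r--|0|0|1500|1071000000|1069500000|1069500000|0
0|/tmp/.x/rk|5555|-rwxr-xr-x|0|0|2048|1071000000|1071000000|1071000000|0
"""

# Flag letter -> body field, in mactime's "macb" column order.
FLAG_FIELDS = (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime"))


def parse_body(text):
    """Parse body-format lines into dicts; blank lines are skipped,
    malformed lines raise so a truncated netcat transfer is noticed."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        yield {
            "md5": md5, "name": name, "inode": inode, "mode": mode,
            "uid": uid, "gid": gid, "size": int(size),
            "atime": int(atime), "mtime": int(mtime),
            "ctime": int(ctime), "crtime": int(crtime),
        }


def build_timeline(entries):
    """mactime-style merge: every file contributes one row per distinct
    timestamp, and the row's flag column shows which of m/a/c/b share it
    (e.g. 'm.c.' when mtime == ctime). Rows are sorted by time, then name."""
    rows = defaultdict(list)  # timestamp -> [(flags, entry), ...]
    for e in entries:
        per_ts = defaultdict(set)
        for flag, field in FLAG_FIELDS:
            if e[field] > 0:  # 0 = timestamp not available on this platform
                per_ts[e[field]].add(flag)
        for ts, flags in per_ts.items():
            col = "".join(f if f in flags else "." for f, _ in FLAG_FIELDS)
            rows[ts].append((col, e))
    timeline = []
    for ts in sorted(rows):
        for col, e in sorted(rows[ts], key=lambda r: r[1]["name"]):
            timeline.append((ts, col, e["mode"], e["uid"], e["gid"], e["size"], e["name"]))
    return timeline


def format_row(row):
    """Render one row roughly like mactime's default output (UTC)."""
    ts, flags, mode, uid, gid, size, name = row
    when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return f"{when} {size:>9} {flags} {mode} {uid:>5} {gid:>5} {name}"


if __name__ == "__main__":
    for row in build_timeline(parse_body(SAMPLE_BODY)):
        print(format_row(row))
```

In the constructed sample the last row is `/tmp/.x/rk` with flags `mac.`, i.e. modified, accessed and changed in the same second, which is the kind of cluster an analyst looks for. Keep in mind the caveat from the reply: mac-robber asks the running kernel for these times, so a kernel rootkit can hide entries from it, whereas a TSK timeline built with `fls -m` from the raw device does not depend on the compromised kernel.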