[sleuthkit-developers] Suggestion for another tool within the Sleuthkit
From: Surago J. <su...@sj...> - 2005-09-29 07:11:24
Not sure if this exists already somewhere else, and I am not sure if it would be completely transportable between various operating systems, but maybe some form of tool that reads the /var/log/lastlog file and outputs the details would be handy. I am currently performing the Forensic Challenge from the Honeynet Project (yeah, a couple of years later than everyone else, but still very beneficial for learning the functionality available in Autopsy and The Sleuth Kit).

During my analysis I have extracted the /var/log/lastlog file and have used the lastlog.c source provided by Thomas Roessler to output the details I need; however, because my C skills are very rusty (and I am time limited) I was thinking it would be handy if someone could improve this source to include the ability to set the timezone to use for the logon times output, and/or reference an /etc/passwd file to correlate the user IDs to a username.

I haven't had much experience with other flavours of Linux (mainly used the Red Hat varieties), so I don't know if such an addition to The Sleuth Kit would be a valuable addition or not, but if the lastlog file (or similar) is common to varying distributions and the data structure is similar, then possibly this would be a great additional tool to include. The current method of exporting the data units, changing the timezone, then using the lastlog.c source provided by Thomas Roessler, then changing my timezone back is somewhat cumbersome. Obviously this is only a problem for me as my timezone is different to that of the compromised machine.

Just thought this suggestion might be useful, or if this wheel has already been invented somewhere then can someone please point me in the right direction.

Cheers,
Surago.
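The two additions the post asks for (an explicit output timezone and UID-to-username correlation against /etc/passwd) are sketched below as a stand-alone parser; this is an added example, not Thomas Roessler's lastlog.c or any Sleuth Kit code. It assumes the glibc struct lastlog layout for x86 Linux (a 32-bit time, a 32-byte line, a 256-byte host, one slot per UID), and the passwd and lastlog contents are constructed sample data.

```python
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumed record layout: glibc's struct lastlog on x86 Linux (<bits/utmp.h>):
# int32 ll_time, char ll_line[32], char ll_host[256]; 292 bytes, slot index == UID.
LASTLOG_FMT = "<i32s256s"
RECORD_SIZE = struct.calcsize(LASTLOG_FMT)

def cstr(buf):
    """Decode a NUL-padded C string field."""
    return buf.split(b"\0", 1)[0].decode("ascii", "replace")

def parse_passwd(text):
    """Map numeric UID -> login name from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit():
            users[int(f[2])] = f[0]
    return users

def fixed_offset(hours):
    """tzinfo for a fixed UTC offset, for hosts without a zoneinfo database."""
    return timezone(timedelta(hours=hours))

def parse_lastlog(data, users, tz=timezone.utc):
    """Return (uid, name, line, host, local time) for every slot with a login.
    An all-zero slot means that UID never logged in and is skipped."""
    rows = []
    for uid in range(len(data) // RECORD_SIZE):
        t, line, host = struct.unpack_from(LASTLOG_FMT, data, uid * RECORD_SIZE)
        if t == 0:
            continue
        when = datetime.fromtimestamp(t, timezone.utc).astimezone(tz)
        rows.append((uid, users.get(uid, str(uid)), cstr(line), cstr(host),
                     when.strftime("%Y-%m-%d %H:%M:%S %Z")))
    return rows

def make_record(t, line, host):
    """Build one lastlog slot (used here only to construct sample input)."""
    return struct.pack(LASTLOG_FMT, t, line.encode(), host.encode())

# Constructed sample image: root logged in on tty1, UIDs 1-999 never logged in,
# alice (UID 1000) logged in one hour later from 192.0.2.10.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SAMPLE_LASTLOG = (make_record(1000000000, "tty1", "") + bytes(RECORD_SIZE) * 999
                  + make_record(1000003600, "pts/0", "192.0.2.10"))

if __name__ == "__main__":
    # Render in the compromised host's zone instead of changing the analyst's.
    for row in parse_lastlog(SAMPLE_LASTLOG, parse_passwd(SAMPLE_PASSWD), ZoneInfo("America/New_York")):
        print("%-6d %-10s %-8s %-16s %s" % row)
```

Slots past the highest UID in passwd still appear (with the bare UID as the name), so a login under an unknown UID is not silently dropped.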