Recovering file attributes from snapshot

Andy Bair pab at korelogic.com
Tue Jul 3 15:47:32 EDT 2007


Michael,

What attributes do you want to restore exactly?  UID, GID, permissions?
Can you show me some sample data?

Thanks,
Andy

On Tue, Jul 03, 2007 at 02:55:02PM -0400, Michael ODonnell wrote:
> 
> 
> Andy Bair wrote:
> > FTimes can do what you want.
> 
> It can apparently do only half of what I want, the gathering-
> file-attribute-info-beforehand part.  But what I need is to be
> able to use that "before" snapshot to actually restore the old
> attributes.  None of the (admittedly useful sounding) tools in
> that FTimes suite claims to do that second part:
> 
> >ftimes          system baselining and evidence collection tool.
> >                The primary purpose of FTimes is to gather and/or develop
> >                topographical information and attributes about specified
> >                directories and files in a manner conducive to intrusion
> >                and forensic analysis.
> >
> >ftimes-cmp2dbi  preprocesses FTimes compare data for MySQL DB import.
> >
> >ftimes-crv2dbi  preprocesses FTimes carve data for MySQL DB import.
> >
> >ftimes-crv2raw  carves arbitrary blocks of data and assembles them into
> >                raw files.
> >
> >ftimes-dig2ctx  extracts context around matched dig strings.
> >
> >ftimes-dig2dbi  preprocesses FTimes dig data for MySQL DB import.
> >
> >ftimes-map2dbi  preprocesses FTimes map data for MySQL DB import.
> >
> >ftimes-map2mac  creates MAC/MACH timelines using FTimes map data.
> >
> >hashdig-bash    bashes one HashDig database against another.
> >
> >hashdig-bind    binds resolved hashes to filenames.
> >
> >hashdig-dump    enumerates a HashDig database.
> >
> >hashdig-filter  filters filenames by directory type.
> >
> >hashdig-harvest harvests hashes from one or more files.
> >
> >hashdig-make    creates or updates a HashDig database.
> >
> >hashdig-stat    produces statistics on HashDig files and databases.
> >
> >hashdig-weed    deletes hashes from a HashDig database.
> >
> >hipdig          digs for hosts, IPs, passwords, and more...
> >
> >tarmap          utility for mapping the files in a tar archive without
> >                having to unpack and write them to disk first.
> >
> >hashdig-harvest-sunsolve
> >                harvests hashes from a directory of sunsolve output.
> >
> >hashdig-resolve-sunsolve
> >                resolves hashes against Sun's Solaris Fingerprint
> >                Database.
> 
> 
> > If you need more help, please give me a shout.
> 
> OK...   "Hey!  Andy!"
>  
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

-- 
Andy

KoreLogic Security
603.465.3236 (Office)
603.340.2498 (Mobile)
http://www.korelogic.com
GnuPG Fingerprint: 688A 79EC B1E5 5748 CE87  1F20 2C45 60E7 0583 23B6

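The second half Michael is asking for, as an added example that is not part of FTimes, KoreLogic's code, or this thread: a Python script that reads a "before" snapshot of file attributes and puts mode, UID and GID back. The snapshot layout it parses (pipe-delimited, one header line naming the fields, double-quoted names, octal mode with the file-type bits included) is an assumption modelled on a delimited map file; check the header line of your own FTimes output and adjust the field names if they differ. The sample baseline embedded in the script is constructed, not real output.

```python
#!/usr/bin/env python3
"""Restore mode/uid/gid from a "before" snapshot of file attributes.

Added example, not FTimes code. Snapshot format is ASSUMED: a header line
naming pipe-delimited fields, names double-quoted, mode in octal with the
file-type bits included (e.g. 100644 = regular file, rw-r--r--).
"""
import os
import stat
import sys
from dataclasses import dataclass

# Constructed sample baseline (not real FTimes output).
SAMPLE_SNAPSHOT = """\
name|mode|uid|gid|size
"/etc/passwd"|100644|0|0|2200
"/etc/shadow"|100640|0|42|1200
"/usr/bin/passwd"|104755|0|0|59640
"/etc/localtime"|120777|0|0|33
"""


@dataclass(frozen=True)
class Entry:
    name: str
    mode: int   # full st_mode, type bits included
    uid: int
    gid: int


def parse_snapshot(text):
    """Map path -> Entry from a header-led, pipe-delimited snapshot."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty snapshot")
    idx = {f: i for i, f in enumerate(lines[0].split("|"))}
    for req in ("name", "mode", "uid", "gid"):
        if req not in idx:
            raise ValueError(f"snapshot lacks required field {req!r}")
    entries = {}
    for line in lines[1:]:
        cols = line.split("|")
        name = cols[idx["name"]].strip('"')
        entries[name] = Entry(name, int(cols[idx["mode"]], 8),
                              int(cols[idx["uid"]]), int(cols[idx["gid"]]))
    return entries


def plan(entry, cur_mode, cur_uid, cur_gid):
    """List of (field, current, wanted) changes, or None if the object's
    type changed since the baseline. Restoring blindly across a type change
    is unsafe (a file replaced by a symlink would get the file's bits)."""
    if stat.S_IFMT(entry.mode) != stat.S_IFMT(cur_mode):
        return None
    changes = []
    want_perm = stat.S_IMODE(entry.mode)
    if stat.S_IMODE(cur_mode) != want_perm:
        changes.append(("mode", stat.S_IMODE(cur_mode), want_perm))
    if cur_uid != entry.uid:
        changes.append(("uid", cur_uid, entry.uid))
    if cur_gid != entry.gid:
        changes.append(("gid", cur_gid, entry.gid))
    return changes


def restore(entries, root="/", dry_run=True):
    """Compare each snapshot entry with the live tree under `root` and apply
    the differences unless dry_run. Returns path -> changes or a skip reason."""
    report = {}
    for name, e in entries.items():
        path = os.path.join(root, name.lstrip("/"))
        try:
            st = os.lstat(path)          # never follow symlinks
        except FileNotFoundError:
            report[name] = "skipped: missing"
            continue
        changes = plan(e, st.st_mode, st.st_uid, st.st_gid)
        if changes is None:
            report[name] = "skipped: type changed"
            continue
        report[name] = changes
        if dry_run or not changes:
            continue
        if any(f in ("uid", "gid") for f, _, _ in changes):
            os.chown(path, e.uid, e.gid, follow_symlinks=False)
        # chmod on a symlink is meaningless on Linux; only chmod real objects.
        if any(f == "mode" for f, _, _ in changes) and not stat.S_ISLNK(st.st_mode):
            os.chmod(path, stat.S_IMODE(e.mode))
    return report


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--apply"]
    text = open(args[0]).read() if args else SAMPLE_SNAPSHOT
    for name, r in restore(parse_snapshot(text), dry_run="--apply" not in sys.argv).items():
        print(name, r)
```

Run it once without `--apply` to see what would change (it only calls lstat), then as root with `--apply` to write the attributes back. It deliberately skips anything whose type changed and anything now missing rather than guessing; after an apply, re-run the original snapshot tool in compare mode against the baseline to confirm that only the attributes you intended moved.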
