Note: This activity takes place in a Linux system environment using SANS SIFT Workstation, a collection of forensic tools. For instructions to download and set up this environment, click Virtual Workstation in the toolbar.
Time: This activity should take you approximately 20 minutes to complete.
In this activity, you’ll again work with SANS SIFT Workstation and Sleuthkit in a virtual Linux machine. If you didn’t set up a virtual machine in Unit 2, please see Preparation: Linux Virtual Workstation.
In Unit 3, you used ils and fls to list inode entries and file and directory names, saving the output as the body files ilsBody and flsBody. Now you’ll create a timeline from these body files and also explore whether, and how, the timestamps behind such a timeline can be changed with the Linux command touch.
You may want to review my demonstration video Mactime Demo before beginning this activity.
1. Open SANS Investigative Forensic Toolkit (SIFT) Workstation and use the default login:
   username: sansforensics
   password: forensics
2. Use the Linux/Unix utility touch to create a file called myFile. Check its MAC times (access, modification and change times) using stat.
   Command: touch myFile; stat myFile
3. Change the access time of myFile to '2018-06-03 08:46:26' and verify the change with stat. Note which of the three timestamps touch changed and which it did not.
   Command: touch -a -d '2018-06-03 08:46:26' myFile; stat myFile
4. Use Sleuthkit’s mactime to create a timeline from the body file you created in Unit 3 as flsBody. Save the timeline in a file called flsMactime and examine it.
   Command: mactime -b flsBody -d > flsMactime
5. Use mactime to create a timeline from the body file you created in Unit 3 as ilsBody. Save the timeline in a file called ilsMactime and examine it.
   Command: mactime -b ilsBody -d > ilsMactime
6. Answer the Check Your Work questions.
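The following is an added example, not part of the original activity, that scripts steps 2 and 3 so the effect of touch can be checked rather than eyeballed in stat output. It backdates only the access time, confirms with stat that the atime now matches the requested timestamp, and confirms that the inode change time (ctime) was not backdated: touch has no option to set ctime, so backdating atime or mtime still leaves a fresh ctime behind, which is exactly the kind of inconsistency a mactime timeline makes visible. It also emits a line in the body-file layout that mactime -b consumes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the MD5 field is left as 0 and the mode column is stat's symbolic mode, which is close to, but not identical to, what fls -m writes. It assumes GNU coreutils (stat -c, date -d), as on SIFT Workstation, and a writable temporary directory.

```shell
#!/bin/sh
# Added example (not from the original activity). Assumes GNU stat and date.

# Print atime, mtime and ctime of a file as epoch seconds, separated by spaces.
mac_times() {
    stat -c '%X %Y %Z' "$1"
}

# Backdate only the access time, as in step 3 of the activity.
# touch -d interprets the timestamp in the local timezone.
backdate_atime() {
    touch -a -d "$2" "$1"
}

# Succeed (exit 0) if the file's atime equals the given timestamp.
# date -d uses the same local-timezone interpretation as touch -d.
atime_is() {
    want=$(date -d "$2" +%s)
    have=$(stat -c %X "$1")
    [ "$have" -eq "$want" ]
}

# Succeed if ctime lies within the last 60 seconds, i.e. touch did NOT
# backdate it: changing atime rewrites the inode, which resets ctime to now.
ctime_is_recent() {
    now=$(date +%s)
    ctime=$(stat -c %Z "$1")
    [ $((now - ctime)) -ge 0 ] && [ $((now - ctime)) -lt 60 ]
}

# Emit one body-file line (TSK 3.x layout) for a live file, so the same
# timestamps can be fed to: mactime -b body.txt -d
# MD5 is a constant 0 here; crtime is 0 because stat cannot report it portably.
body_line() {
    stat -c "0|%n|%i|%A|%u|%g|%s|%X|%Y|%Z|0" "$1"
}

# Run the whole sequence on a temporary file and print the evidence.
demo() {
    f=$(mktemp) || return 1
    echo "fresh file:        $(mac_times "$f")"
    backdate_atime "$f" '2018-06-03 08:46:26'
    echo "after touch -a -d: $(mac_times "$f")"
    if atime_is "$f" '2018-06-03 08:46:26' && ctime_is_recent "$f"; then
        echo "atime was backdated, ctime was not"
    fi
    body_line "$f"
    rm -f "$f"
}

# Only run the demo when executed directly, not when sourced by a test.
case "$0" in
    *sh) ;;
    *) demo ;;
esac
```

Running the script prints the three timestamps before and after the touch, then the body-file line; the backdated atime sits years before the ctime on the same line, which is the inconsistency to look for in flsMactime and ilsMactime. The same holds for touch -m -d: mtime can be set, ctime cannot (short of changing the system clock or editing the filesystem directly).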
Reposted from: https://www.cnblogs.com/sec875/articles/10015637.html