Cooking with FTimes
This section is dedicated to capturing, in the form of recipes,
information about how FTimes can be used, how its data may be
processed and analyzed, and any other related topics. Each recipe
attempts to solve a particular task or objective and is designed,
if possible, to be scripted. The goal of this effort is to create
an electronic cookbook that allows the practitioner to benefit
directly from the past experiences of others.
All recipes and the scripts or programs contained within them are
distributed under the same terms and conditions as FTimes.
Compiling and Testing
- Compile OpenSSL for use with FTimes using MinGW/MSYS
- Compile PCRE for use with FTimes using MinGW/MSYS
Decoder - Decode encoded/compressed snapshots
- Decode and/or compare an encoded (or natively compressed) snapshot
DigMode - Dig (Search) for Hex/ASCII/Combo strings in specified files or devices
- Dig for strings on a remote system over ssh
- Extract (ftimes-dig2ctx.pl) context surrounding specified DigStrings
- Extract JPEG files from a pile of bits
- Extract PNG files from a pile of bits
- Extract a zip file from an iso image
GetMode - Get (Download) Map/Dig config files from an Integrity Server
- Download a config file to the local file system
- Download a config file to stdout
- Download a config file to stdout, map files, and upload results using a command pipeline
MapMode - Map (File Topography) specified files, directories, links, devices, or alternate data streams
- Map selected directories and files on a remote system over ssh
- Little ditties based around the size attribute
- Verify the integrity of a backup (e.g., tar ball)
HashDig - Perform hash resolution on unknown hashes
- Build and maintain HashDig reference database
Analysis - Process/Analyze FTimes data using various techniques
- Preprocess map data, load it into MySQL, and run analysis queries
- Create a MAC timeline using MySQL and SQL queries
- Create a MAC/MACH timeline (ftimes-map2mac.pl) and analyze the results
Integrity Monitoring - Various integrity monitoring frameworks, techniques, and tools
- Basic Integrity Monitoring Via SSH -- or BIMVS for short
- Basic Integrity Monitoring Via WebJob -- or BIMVW for short
- Process BIMVW output and create a set of browsable HTML reports