Incident Response Forensic Toolset Macdaddy

This toolset is a modified version of two programs, tree.pl and mactime, from the Coroner's Toolkit by Dan Farmer and Wietse Venema.  The program is portable and can be run directly from a floppy or a CD-ROM, with a Perl interpreter that can also live on the floppy or CD-ROM.

The idea behind modifying these programs is to allow a first responder to grab mactimes without having to install the full Coroner's Toolkit.  In addition, the responder needs something portable that will not write to the evidence itself on the victim system while responding to an intrusion.  In fact, this tool can be run to determine whether an intrusion has actually taken place.

The tool writes its output to standard out and collects every timestamp rather than those for a specific date; you can always parse out the data you need later.  Because nothing is written to the victim's disk, the responder can netcat the output to another machine or redirect it to the floppy drive or an NFS-mounted partition.

In order to keep it small and as portable as possible, there are no options.  

This program was developed out of the need for a portable mactime analysis capability during actual responses to intrusions.  If you have any questions or concerns, please direct them to Rob Lee.  These programs were modified by Rob Lee (rob@karrde.com).

Please let me know if there are any problems.

USAGE:

perl macdaddy.pl {directory} 

Example:

#perl macdaddy.pl /tmp | nc xxx.xxx.xxx.xxx 636 

(with the receiving system running netcat in listening mode on port 636)

The following will be sent to the analysis system on the receiving side.

Oct 25 2000 12:59:23        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-23831-agent
Oct 26 2000 12:59:57        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-5402-agent
Oct 26 2000 13:00:04        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-5417-agent
Oct 30 2000 12:24:25        0 mac -rwxrwxrwx root     root     /tmp/.ICE-unix/22102
Oct 30 2000 12:24:29        0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-2293195611406103745
                            0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-2297936481463942794
                            0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-9182693762097201394
Oct 30 2000 12:24:32        0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-1816352341492000872
                            0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-19045796361896873762
Oct 30 2000 19:58:26        0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-9234307881931546741
Oct 31 2000 16:39:07        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-1412-agent
Oct 31 2000 19:33:57        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-3174-agent
Nov 01 2000 13:56:55        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-31438-agent
Nov 02 2000 13:42:11        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-32252-agent
Nov 02 2000 13:45:43        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-32440-agent
Nov 03 2000 13:06:23        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-9900-agent
Nov 06 2000 14:55:07        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-832-agent
Nov 06 2000 18:04:02        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-1570-agent
Nov 08 2000 14:33:49        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-16651-agent
Nov 10 2000 20:02:37        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-30907-agent
Nov 10 2000 20:02:55        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-30922-agent
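Once the captured output has reached the analysis system, the "parse out your data later" step is a small parsing job.  The following Python is an added example, not part of macdaddy or the Coroner's Toolkit: it reads rows in the format shown above, carries the timestamp forward over the blank continuation cells (mactime's convention for rows that share the previous row's time), and filters the result to a time window.  The sample rows are copied from the output above.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Row layout of macdaddy/mactime output; the timestamp column is blank on
# continuation rows, which share the timestamp of the preceding dated row.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})?\s+"
    r"(?P<size>\d+)\s+(?P<mac>[mac.]{3})\s+(?P<mode>\S{10})\s+"
    r"(?P<uid>\S+)\s+(?P<gid>\S+)\s+(?P<path>.+?)\s*$"
)

@dataclass
class Entry:
    when: datetime
    size: int
    mac: str   # which of the m/a/c times equal `when`; '.' marks those that do not
    mode: str
    uid: str
    gid: str
    path: str

def parse_macdaddy(text: str) -> list[Entry]:
    """Parse the tool's output, carrying the timestamp forward over blank cells."""
    entries, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised row: {line!r}")
        if m.group("ts"):
            current = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        elif current is None:
            raise ValueError(f"line {lineno}: continuation row before any timestamp")
        entries.append(Entry(current, int(m.group("size")), m.group("mac"), m.group("mode"),
                             m.group("uid"), m.group("gid"), m.group("path")))
    return entries

def in_window(entries: list[Entry], start: datetime, end: datetime) -> list[Entry]:
    """The 'parse out your data later' step: keep rows timestamped within [start, end]."""
    return [e for e in entries if start <= e.when <= end]

# Constructed input: three rows copied from the README's sample output.
SAMPLE = """\
Oct 30 2000 12:24:29        0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-2293195611406103745
                            0 mac -rwxr-xr-x root     root     /tmp/orbit-root/orb-2297936481463942794
Oct 31 2000 16:39:07        0 mac -rw------- root     root     /tmp/ssh-root/ssh2-1412-agent
"""
```

Feed the file captured by the listening netcat to parse_macdaddy() and narrow it with in_window() to the period under investigation.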
