FTimes is a system baselining and evidence collection tool. Its primary purpose is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis. It was designed to support the following initiatives: content integrity monitoring, incident response, intrusion analysis, and computer forensics.
| Tags | Security Monitoring |
|---|---|
| Licenses | BSD Revised |
| Operating Systems | POSIX, AIX, Windows, Mac OS X, BSD, FreeBSD, Linux, Solaris |
| Implementation | C |
Recent releases


Changes: Code was cleaned up and refined as necessary. Several bugs have been fixed. This release includes support for SHA256 hashes, include/exclude filters, and a number of additional file systems (DATAPLOW_ZFS, NTFS-3G, NWCOMPAT, UDF). HashDig utilities have been updated to support SHA1 and SHA256 hashes, and the following tools have been added to the project: ftimes-crv2dbi.pl, ftimes-dig2dbi.pl, hashdig-find.pl, and tarmap. Documentation is now built at compile time, so the build system must have the tools needed to perform that task.


Changes: Generally, code was cleaned up and refined as necessary. Several bugs have been fixed. The main focus of this release was to improve XMagic by adding new test modes, types, and operators. In particular, 16 new XMagic types and 8 new test operators have been added. Additionally, XMagic has crossed over into dig mode. Now, it is possible to use magic incantations on all the blocks in a given file. Together, these enhancements represent a significant jump forward in XMagic technology. Finally, ftimes-crv2raw.pl has been added to the project.


Changes: Generally, code was cleaned up and refined as necessary. Several bugs have been fixed. Externally, there have been a number of important changes. SHA1 hashes are now a standard file attribute. Compressed snapshots can now be compared directly. XMagic now includes regular expression file typing (via PCRE). HashSymbolicLinks is now on by default. Support for the following file systems has been added: NWFS, RAMFS, VZFS, and XFS. Put mode has been removed. Several of the companion utilities and the test harness have been improved. ftimes-cmp2dbi.pl has been added to the project.


Changes: Generally, code was cleaned up and refined as necessary. Several bugs have been fixed. The default installation directory has changed. New controls have been added. Regular expression and case-insensitive digs are now supported. Support for additional file systems has been added. A test harness has been added, along with tests to validate MD5 hashes using sample vectors provided and used by NIST. Internally, the main improvements are MD5 performance and the addition of large file support. The companion utilities have been improved.


Changes: Generally, code was cleaned up and refined as necessary, and several bugs have been fixed. Support for the following platforms has been added: HP-UX, amd64, and x86_64. The following controls have been added to FTimes: AnalyzeDeviceFiles, AnalyzeRemoteFiles, BaseNameSuffix, EnableRecursion, and FileSizeLimit. The nph-ftimes.cgi script has been completely overhauled. Support for OpenSSL and HashKeeper data sets has been added to the HashDig tools, and hipdig.pl has been given the ability to dig for SSNs. Finally, ftimes-map2dbi.pl and hashdig-stat.pl have been added to the project.
Recent comments

Re: please contact me
Thanks Klayton,
Yep got your email, but for some reason my return email kept bouncing back.
So here's my story: I purchased a Netgear SC101 about 6 months ago as it offered a network storage system which took 2 drives and one could be a mirror of the other, so I set my 2 drives up as a mirror. To cut a long story short, I was experiencing some issues (seeing different data from 2 machines) and the management tool suggested a firmware upgrade, which I did, only to experience more issues (could then only see old data), so I restored my machines to 2 days prior (without the software and firmware upgrades) and did a reset of the actual device (I have since discovered they recommend against that; they have also removed the software and firmware upgrade as it caused a lot of people issues).
I've been thru the netgear channels (and still am chasing that) but they shouldn't be praised for their customer service.
So my situation now is that the device does not recognise the 2 drives at all and whilst I think the device itself will become a door stop or a paper weight I need to get my data back from the disks. I know this much that the device itself runs the dataflow-zfs file system from zetera. I can obviously put these drives in my desktop and while the drives appear healthy I cannot read them, so I need a utility like ftimes or something that can and I noticed that in the changelog you suggest that ftimes implements the dataflow-zfs.
So what I was hoping you could help me with is firstly to confirm whether I should be able to read the drives with your utility, and if so, I was a bit vague on building it and its usage. If ftimes doesn't, I'd appreciate it if you could point me in the direction to sort my problem out, if possible that is.
Thanks for replying and I appreciate greatly any help
Cheers,
Phil.
Re: please contact me
> Klayton,
>
> Can you please contact me as I have some
> questions as to whether I can use ftimes
> to extract some files off my drives that
> use the dataflow-zfs filesystem. My
> email address is phil@aliado.com.au
>
> Cheers,
> Phil.
Phil,
I sent an email to your address on April 21st. Hopefully, it made it through.
later,
Klayton
please contact me
Klayton,
Can you please contact me as I have some questions as to whether I can use ftimes to extract some files off my drives that use the dataflow-zfs filesystem. My email address is phil@aliado.com.au
Cheers,
Phil.