Tuesday, March 11, 2014

Daily Blog #261: RHEL Forensics Part 5 Testing Hal's Mlocator

Hello Reader,
             So I decided to test Hal Pomeranz's mlocator Perl script today. Here's what I did, what I saw, and what I'm thinking now.

What I did:
1. I downloaded the script; this wasn't easy with hotel wifi.
2. I looked up again the inode blocks that belong to the block group the mlocate directory is in, which is still blocks 1081344 - 1114111 for group 33.
3. I ran mlocator with the following options:
mlocator.pl /dev/mapper/VolGroup00-LogVol00 1081344 1114111

where /dev/mapper/VolGroup00-LogVol00 is my partition
1081344 is the beginning block of group 33 where mlocate.db exists
1114111 is the last block of group 33 where mlocate.db exists

What I saw:
I got this cool output



What I'm thinking now:
I need to extend Hal's script so that it will extract those hits to a file, so I made a modification that writes all the hits stored in the $bytes variable back out to a file as ASCII. Here is what that file looks like viewed in xxd:


So we have good data; now I need to modify mlocate-time to be able to parse these file names and timestamps outside of the standard allocated database structure. I'll give that a try tomorrow and post my results here.
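The two steps above (scan a block range for mlocate.db hits, then parse file names and timestamps out of the fragments) as one added example. This is not Hal Pomeranz's mlocator.pl or the mlocate-time script; it is a Python carver written for this post that walks a raw block range looking for mlocate.db directory entries as documented in mlocate.db(5): 8-byte big-endian seconds, 4-byte nanoseconds, 4 zero bytes of padding, a NUL-terminated directory path, then type-byte/name pairs closed by a 0x02 byte. It deliberately ignores the "\0mlocate" file header, since a fragment in unallocated space usually does not carry one, and it keeps an entry that is cut off at a fragment edge, flagging it as truncated. The sample buffer, the 2000..2030 timestamp plausibility window and the 4096-byte block size are assumptions made for the example; the device path and block range from the post are only passed through as command-line arguments.

```python
#!/usr/bin/env python3
"""Carve mlocate.db directory entries out of raw blocks (added example)."""
import datetime
import io
import struct
import sys

# mlocate.db(5) directory entry: seconds (8), nanoseconds (4), padding (4),
# all big-endian, then NUL-terminated path, then (type, NUL-terminated name)
# pairs where type 0 = file, 1 = subdirectory, 2 = end of this directory.
HDR = struct.Struct(">QII")
MIN_TS = 946684800      # 2000-01-01 UTC; assumed plausibility window
MAX_TS = 1893456000     # 2030-01-01 UTC
BLOCK_SIZE = 4096       # assumed ext3 block size; confirm with dumpe2fs


def plausible_name(raw):
    """Names may be any bytes but NUL and '/'; carved junk rarely looks like
    text, so require non-empty printable (or UTF-8 range) bytes."""
    return bool(raw) and all(b >= 0x20 and b != 0x7F for b in raw)


def read_cstring(buf, pos, limit=4096):
    """Return (bytes, position after NUL) or None if no NUL within limit."""
    end = buf.find(b"\0", pos, min(len(buf), pos + limit))
    return None if end < 0 else (buf[pos:end], end + 1)


def parse_entry(buf, off):
    """Parse one directory entry at off; tolerate truncation at buffer end."""
    secs, nsecs, _ = HDR.unpack_from(buf, off)
    r = read_cstring(buf, off + HDR.size)
    if r is None or not r[0].startswith(b"/") or not plausible_name(r[0]):
        return None
    path, pos = r
    files, complete = [], False
    while pos < len(buf):
        kind, pos = buf[pos], pos + 1
        if kind == 2:               # end-of-directory marker
            complete = True
            break
        if kind not in (0, 1):      # ran into non-mlocate bytes
            break
        r = read_cstring(buf, pos)
        if r is None or not plausible_name(r[0]):
            break                   # name cut off by the fragment edge
        name, pos = r
        files.append((name.decode("utf-8", "replace"), kind == 1))
    when = datetime.datetime.fromtimestamp(secs, tz=datetime.timezone.utc)
    return {"offset": off, "path": path.decode("utf-8", "replace"),
            "timestamp": "%s.%09d UTC" % (when.strftime("%Y-%m-%d %H:%M:%S"), nsecs),
            "files": files,         # (name, is_subdirectory)
            "complete": complete, "end": pos, "raw": bytes(buf[off:pos])}


def find_entries(buf):
    """Slide over buf; a hit is a plausible timestamp, zero padding and a path
    starting with '/'. Parsed hits are skipped so their names are not re-matched."""
    hits, i = [], 0
    while i + HDR.size + 1 <= len(buf):
        secs, nsecs, pad = HDR.unpack_from(buf, i)
        if (MIN_TS <= secs <= MAX_TS and nsecs < 1_000_000_000 and pad == 0
                and buf[i + HDR.size] == 0x2F):
            entry = parse_entry(buf, i)
            if entry is not None:
                hits.append(entry)
                i = entry["end"]
                continue
        i += 1
    return hits


def carve_block_range(fh, first_block, last_block, block_size=BLOCK_SIZE):
    """Carve blocks first..last (inclusive) of an image or device; offsets are
    returned as absolute byte offsets so hits can be pulled out with dd."""
    start = first_block * block_size
    fh.seek(start)
    hits = find_entries(fh.read((last_block - first_block + 1) * block_size))
    for h in hits:
        h["offset"] += start
    return hits


def build_entry(secs, nsecs, path, names):
    """Build a well-formed entry; used only to construct the sample below."""
    out = HDR.pack(secs, nsecs, 0) + path.encode() + b"\0"
    for is_dir, name in names:
        out += bytes([1 if is_dir else 0]) + name.encode() + b"\0"
    return out + b"\x02"


# Constructed sample (not data from the post): two entries with slack and junk
# around them, standing in for a carved block range.
SAMPLE = (b"\0" * 37
          + build_entry(1394500000, 123456789, "/etc/cron.d",
                        [(False, "0hourly"), (False, "sysstat")])
          + b"\xff" * 19
          + build_entry(1394400000, 0, "/var/lib/mlocate",
                        [(False, "mlocate.db"), (True, "tmp")])
          + b"\0" * 5)

if __name__ == "__main__":
    if len(sys.argv) == 4:          # e.g. /dev/mapper/VolGroup00-LogVol00 1081344 1114111
        with open(sys.argv[1], "rb") as fh:
            found = carve_block_range(fh, int(sys.argv[2]), int(sys.argv[3]))
    else:
        found = carve_block_range(io.BytesIO(SAMPLE), 0, 0, len(SAMPLE))
    for h in found:
        print("%#x %s %s %s%s" % (h["offset"], h["timestamp"], h["path"],
                                  " ".join(n for n, _ in h["files"]),
                                  "" if h["complete"] else " [truncated]"))
```

Run without arguments it carves the embedded sample; with an image (or device) and a first and last block number it reads that range in one go, so a 32768-block group at 4 KiB per block costs 128 MiB of memory, which is fine for a single group but worth chunking if you ever sweep a whole volume. The `raw` field holds the bytes of each hit so they can be written out and inspected in xxd the same way the post does.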

This is what I believe long term: every filename with a timestamp that we can recover (whether from contiguous blocks of a known database/time or not) is valuable intelligence on what existed at any point in time in the past.