FTimes is a system baselining and evidence collection tool.
FTimes is a lightweight tool in the sense that it doesn't need to be "installed" on a given system to work on that system, it is small enough to fit on a single floppy, and it provides only a command line interface.
Preserving records of all activity that occurs during a snapshot is important for intrusion analysis and evidence admissibility. For this reason, FTimes was designed to log four types of information: configuration settings, progress indicators, metrics, and errors. Output produced by FTimes is delimited text, and therefore, is easily assimilated by a wide variety of existing tools.
FTimes basically implements two general capabilities: file topography and string search. File topography is the process of mapping key attributes of directories and files on a given file system. String search is the process of digging through directories and files on a given file system while looking for a specific sequence of bytes. Respectively, these capabilities are referred to as map mode and dig mode.
FTimes supports two operating environments: workbench and client-server. In the workbench environment, the operator uses FTimes to do things such as examine evidence (e.g., a disk image or files from a compromised system), analyze snapshots for change, search for files that have specific attributes, verify file integrity, and so on. In the client-server environment, the focus shifts from what the operator can do locally to how the operator can efficiently monitor, manage, and aggregate snapshot data for many hosts. In the client-server environment, the primary goal is to move collected data from the host to a centralized system, known as an Integrity Server, in a secure and authenticated fashion. An Integrity Server is a hardened system that has been configured to handle FTimes GET, PING, and PUT HTTP/S requests.
The FTimes distribution contains a script called nph-ftimes.cgi that may be used in conjunction with a Web server to implement a public Integrity Server interface. Deeper topics such as the construction and internal mechanics of an Integrity Server are not addressed here.
- FTimes is easy to use and fast! The rest is pure gravy...
- FTimes has been written in C and ported to many popular OSes such as AIX, BSDi, FreeBSD, HP-UX, Linux, Solaris, and Windows 98/ME/NT/2K/XP. FTimes does not require additional runtime support such as a script interpreter (e.g., Perl) or a Virtual Machine (e.g., JVM).
- FTimes does not need to be installed on the client's machine. In many cases it can be run from a floppy or CDROM. Because of this, FTimes can be configured such that it is minimally invasive to the target system. This is important when trying to collect evidence of an attack on a live system.
- FTimes has thorough logging. This helps to increase its credibility and admissibility as evidence because the log information can be used to determine the known or potential error rate of the tool under various conditions. FTimes logs four types of information: configuration settings, progress indicators, metrics, and errors.
- FTimes detects and encodes non-printable characters (e.g., white space, carriage returns, etc.) in filenames. This ensures that your view of the output is not artificially altered by the data you are looking at. The URL encoding scheme used also helps you to quickly focus in on anomalous filenames.
- FTimes detects and processes Alternate Data Streams (ADS) when running on Windows NT/2K/XP systems. This is quite useful in cases where the perpetrator has used Alternate Data Streams to hide tools and information.
- FTimes' output is delimited ASCII, and therefore, is conducive to analysis. This output can be assimilated using standard database technology as well as a wide array of existing tools. This makes it more flexible than proprietary database schemes that are essentially opaque to the practitioner. Ultimately, this format yields better analysis results because the practitioner is able to manipulate data freely, and peers may independently verify analysis results. Again, this helps to strengthen its credibility and admissibility as evidence.
- FTimes can be deployed as an enterprise solution with all information being transmitted to and preserved on a hardened Integrity Server. This allows for centralized management of data, and avoids the problem of leaving data exposed on a client's system. Data stored on a client's system is vulnerable to malicious modification or destruction.
- FTimes natively supports client initiated HTTP/HTTPS uploads/downloads. This eliminates the need for boundary devices such as firewalls to have special inbound connection rules. Furthermore, there's a good chance that existing boundary devices already support the required outbound communications path because it is the same as that needed to browse the Web.
- FTimes provides an efficient string search capability (a.k.a. dig mode). This is particularly useful in investigations when the practitioner has a profile of key words or byte strings that are likely to exist somewhere on the target system.
- FTimes optionally supports device file digging (block/character).
- FTimes' output is configurable on a per attribute basis. This allows users to develop data in a way that's best suited to their needs.
- FTimes optionally produces directory hashes. This is a significant analysis advantage in situations where content rarely changes. The advantage is that one hash effectively represents the content of all directories and files contained in a given tree.
- FTimes optionally produces symlink hashes.
- FTimes optionally performs file typing via XMagic. When there are hundreds or thousands of unknown hashes, it is difficult to determine which files may have changed as a result of a malicious act. In these situations, type information can be used to categorize files and prioritize the order in which they are examined.
- FTimes has an extremely fast, tunable compare capability. This enables the practitioner to quickly analyze snapshots and determine change.
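As an added example (not FTimes' own code), the following Python compares two map-mode snapshots in the delimited form described above and flags names that carry %XX-encoded bytes. The column layout, double-quoted names and hash values are assumed or constructed for illustration; real FTimes output and its compare report may differ in detail.

```python
from urllib.parse import unquote

# Constructed sample snapshots (not real FTimes output). Assumed layout: a '|'-delimited
# header, then one record per file with a double-quoted, %XX-encoded name. Hashes are placeholders.
BASELINE = """\
name|size|md5
"/bin/ls"|14604|00000000000000000000000000000001
"/etc/passwd"|1823|00000000000000000000000000000002
"/tmp/old.log"|12|00000000000000000000000000000003
"""
SNAPSHOT = """\
name|size|md5
"/bin/ls"|15120|00000000000000000000000000000004
"/etc/passwd"|1823|00000000000000000000000000000002
"/tmp/.x%20%0a"|4096|00000000000000000000000000000005
"""

def parse_snapshot(text):
    """Return (field_names, {encoded_name: {field: value}})."""
    lines = [ln for ln in text.splitlines() if ln]
    fields = lines[0].split("|")
    records = {}
    for line in lines[1:]:
        row = dict(zip(fields, line.split("|")))
        row["name"] = row["name"].strip('"')  # key on the encoded form
        records[row["name"]] = row
    return fields, records

def decode_name(encoded_name):  # undo the %XX encoding to recover the literal name
    return unquote(encoded_name)

def compare_snapshots(baseline, snapshot):
    """Return (category, encoded_name, changed_fields) using C (changed) / M (missing) / N (new)."""
    fields, base = parse_snapshot(baseline)
    _, snap = parse_snapshot(snapshot)
    results = []
    for name in sorted(set(base) | set(snap)):
        if name not in snap:
            results.append(("M", name, []))
        elif name not in base:
            results.append(("N", name, []))
        else:
            changed = [f for f in fields if f != "name" and base[name][f] != snap[name][f]]
            if changed:
                results.append(("C", name, changed))
    return results

if __name__ == "__main__":
    for cat, name, changed in compare_snapshots(BASELINE, SNAPSHOT):
        flag = "  <- escaped bytes in name %r" % decode_name(name) if "%" in name else ""
        print("%s|%s|%s%s" % (cat, name, ",".join(changed), flag))
```

A '%' in the encoded name is the quick signal the page mentions: the tool had to escape a space, newline or similar byte, so the entry deserves a closer look.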
What's New in This Release:
- The code was cleaned up and refined as necessary.
- Several bugs have been fixed.
- This release includes updated support for file hooks and introduces KL-EL-based XMagic.
- Consequently, the minimum required version of libklel has been raised to 1.1.0, which has a library version of 2:0:1.