[Forensics-changes] [SCM] collects data about allocated files in mounted filesystems branch, debian, updated. upstream/1.02-1-g4103f87

Joao Eriberto Mota Filho eriberto at eriberto.pro.br
Thu May 16 14:31:49 UTC 2013


The following commit has been merged in the debian branch:
commit 4103f879face2cdefb6d0ee8dc099c1bf04f36ff
Author: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
Date:   Thu May 16 11:31:30 2013 -0300

    debian directory - first commit.

diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..b3b0cee
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,5 @@
+mac-robber (1.02-1) unstable; urgency=low
+
+  * Initial release (Closes: #708528)
+
+ -- Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>  Thu, 16 May 2013 08:47:18 -0300
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ec5e937
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,34 @@
+Source: mac-robber
+Section: utils
+Priority: optional
+Maintainer: Debian Forensics <forensics-devel at lists.alioth.debian.org>
+Uploaders: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.4
+Homepage: http://www.sleuthkit.org/mac-robber
+Vcs-Browser: http://anonscm.debian.org/git/forensics/mac-robber.git
+Vcs-Git: git://anonscm.debian.org/forensics/mac-robber.git
+
+Package: mac-robber
+Architecture: any
+Suggests: netcat, sleuthkit
+Enhances: sleuthkit
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: collects data about allocated files in mounted filesystems
+ mac-robber is a digital investigation tool (digital forensics) that collects
+ metadata from allocated files in a mounted filesystem. This is useful during
+ incident response when analyzing a live system or when analyzing a dead
+ system in a lab. The data can be used by the mactime tool in The Sleuth Kit
+ (TSK or SleuthKit only) to make a timeline of file activity. The mac-robber
+ tool is based on the grave-robber tool from TCT (The Coroners Toolkit).
+ .
+ mac-robber requires that the filesystem be mounted by the operating system,
+ unlike the tools in The Sleuth Kit that process the filesystem themselves.
+ Therefore, mac-robber will not collect data from deleted files or files that
+ have been hidden by rootkits. mac-robber will also modify the Access times
+ on directories that are mounted with write permissions.
+ .
+ mac-robber is useful when dealing with a filesystem that is not supported
+ by The Sleuth Kit or other filesystem analysis tools. You can run mac-robber
+ on an obscure, suspect UNIX filesystem that has been mounted read-only on a
+ trusted system.
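Review bot: The long description spells the TCT name without its apostrophe ("The Coroners Toolkit"); the project is "The Coroner's Toolkit", and the same text is repeated verbatim in debian/man/mac-robber.txt and the generated man page, so fix it in one place and regenerate. The parenthetical "(TSK or SleuthKit only)" in the mactime sentence also reads oddly; "(TSK)" alone would be clearer. The warning that mac-robber updates access times on writable mounts is the most important operational line here and is worth keeping as close to the top of the description as it is.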
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..9708257
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,29 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: mac-robber
+Source: http://sf.net/projects/mac-robber
+
+Files: *
+Copyright: 2002-2010 Brian Carrier <carrier at sleuthkit.org>
+           2002 @stake Inc.
+License: GPL-2.0+
+
+Files: debian/*
+Copyright: 2013 Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+License: GPL-2.0+
+
+License: GPL-2.0+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..e845566
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1 @@
+README
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..e866868
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,2 @@
+mac-robber usr/bin
+debian/man/mac-robber.1 usr/share/man/man1
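Review bot: Installing the man page through debian/install bypasses dh_installman; listing "debian/man/mac-robber.1" in a debian/manpages file instead lets dh_installman pick the section from the file name and lets dh_compress handle it consistently with any other documentation. Keep only "mac-robber usr/bin" in debian/install.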
diff --git a/debian/man/header.txt b/debian/man/header.txt
new file mode 100644
index 0000000..72122c1
--- /dev/null
+++ b/debian/man/header.txt
@@ -0,0 +1 @@
+.TH mac-robber "1"  "May 2013" "MAC-ROBBER 1.02" "collects data about allocated files in mounted filesystems"
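Review bot: header.txt is the txt2man header, but nothing in debian/rules references it (or mac-robber.txt); the generated mac-robber.1 is committed pre-built. Either generate the page at build time (for example a target that runs txt2man over mac-robber.txt with a Build-Depends on txt2man) or document that the .1 file must be regenerated by hand whenever the .txt source changes, so the two do not drift apart.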
diff --git a/debian/man/mac-robber.1 b/debian/man/mac-robber.1
new file mode 100644
index 0000000..29a5a24
--- /dev/null
+++ b/debian/man/mac-robber.1
@@ -0,0 +1,72 @@
+.\"Text automatically generated by txt2man
+.TH mac-robber "1"  "May 2013" "MAC-ROBBER 1.02" "collects data about allocated files in mounted filesystems"
+.SH NAME
+\fBmac-robber \fP- collects data about allocated files in mounted filesystems
+.SH SYNOPSIS
+.nf
+.fam C
+\fBmac-robber\fP [\fIOPTION\fP]
+\fBmac-robber\fP <DIRECTORY>
+.fam T
+.fi
+.fam T
+.fi
+.SH DESCRIPTION
+\fBmac-robber\fP is a digital investigation tool (digital forensics) that collects
+metadata from allocated files in a mounted filesystem. This is useful during
+incident response when analyzing a live system or when analyzing a dead
+system in a lab. The data can be used by the mactime tool in The Sleuth Kit
+(TSK or SleuthKit only) to make a timeline of file activity. The \fBmac-robber\fP
+tool is based on the grave-robber tool from TCT (The Coroners Toolkit).
+.PP
+\fBmac-robber\fP requires that the filesystem be mounted by the operating system,
+unlike the tools in The Sleuth Kit that process the filesystem themselves.
+Therefore, \fBmac-robber\fP will not collect data from deleted files or files that
+have been hidden by rootkits.
+.PP
+\fBmac-robber\fP will also modify the Access times on directories that are mounted
+with write permissions. When in forensics analysis you should mount the target
+partition as read-only.
+.PP
+\fBmac-robber\fP is useful when dealing with a filesystem that is not supported
+by The Sleuth Kit or other filesystem analysis tools. You can run \fBmac-robber\fP
+on an obscure, suspect UNIX filesystem that has been mounted read-only on a
+trusted system.
+.SH OPTIONS
+.TP
+.B
+\fB-h\fP
+Print help.
+.TP
+.B
+\fB-V\fP
+Show the version.
+.SH EXAMPLE
+To see metadata from all files in a directory (recursively):
+.PP
+.nf
+.fam C
+      $ mac-robber /home/user/directory
+
+.fam T
+.fi
+To make a timeline using mactime command from The Sleuth Kit (TSK) and setting Brazilian timezone:
+.PP
+.nf
+.fam C
+      $ mac-robber /home/user/directory | mactime \-z BRT
+
+.fam T
+.fi
+An alternative is write the results into a file and read it using mactime:
+.PP
+.nf
+.fam C
+      $ mac-robber /home/user/directory > /tmp/files.mr
+      $ mactime \-b /tmp/files.mr \-z BRT
+.fam T
+.fi
+.SH AUTHOR
+Brian Carrier <carrier at sleuthkit.org>.
+.PP
+This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> for the Debian project (but may be used by others).
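Review bot: The SYNOPSIS block carries a duplicated ".fam T" / ".fi" pair (the lines right after "\fBmac-robber\fP <DIRECTORY>" appear twice), which is a txt2man artefact and should be dropped. The OPTIONS entries also bold twice (".B" followed by "\fB-h\fP"); one of the two is enough. In the prose, "When in forensics analysis you should mount the target partition as read-only" reads better as "During forensic analysis, mount the target partition read-only", and "An alternative is write the results into a file" needs "to write". Since this file is generated, make these fixes in mac-robber.txt and regenerate rather than editing the .1 directly.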
diff --git a/debian/man/mac-robber.txt b/debian/man/mac-robber.txt
new file mode 100644
index 0000000..29d16aa
--- /dev/null
+++ b/debian/man/mac-robber.txt
@@ -0,0 +1,46 @@
+NAME
+  mac-robber - collects data about allocated files in mounted filesystems
+SYNOPSIS
+  mac-robber [OPTION]
+  mac-robber <DIRECTORY>
+DESCRIPTION
+  mac-robber is a digital investigation tool (digital forensics) that collects
+  metadata from allocated files in a mounted filesystem. This is useful during
+  incident response when analyzing a live system or when analyzing a dead
+  system in a lab. The data can be used by the mactime tool in The Sleuth Kit
+  (TSK or SleuthKit only) to make a timeline of file activity. The mac-robber
+  tool is based on the grave-robber tool from TCT (The Coroners Toolkit).
+
+  mac-robber requires that the filesystem be mounted by the operating system,
+  unlike the tools in The Sleuth Kit that process the filesystem themselves.
+  Therefore, mac-robber will not collect data from deleted files or files that
+  have been hidden by rootkits.
+
+  mac-robber will also modify the Access times on directories that are mounted
+  with write permissions. When in forensics analysis you should mount the target
+  partition as read-only.
+
+  mac-robber is useful when dealing with a filesystem that is not supported
+  by The Sleuth Kit or other filesystem analysis tools. You can run mac-robber
+  on an obscure, suspect UNIX filesystem that has been mounted read-only on a
+  trusted system.
+OPTIONS
+  -h     Print help.
+  -V     Show the version.
+EXAMPLE
+  To see metadata from all files in a directory (recursively):
+
+      $ mac-robber /home/user/directory
+
+  To make a timeline using mactime command from The Sleuth Kit (TSK) and setting Brazilian timezone:
+
+      $ mac-robber /home/user/directory | mactime -z BRT
+
+  An alternative is write the results into a file and read it using mactime:
+
+      $ mac-robber /home/user/directory > /tmp/files.mr
+      $ mactime -b /tmp/files.mr -z BRT
+AUTHOR
+  Brian Carrier <carrier at sleuthkit.org>.
+
+  This manual page was written by Joao Eriberto Mota Filho <eriberto at eriberto.pro.br> for the Debian project (but may be used by others).
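Review bot: This is the txt2man source for the page above, so the same wording fixes belong here: "The Coroner's Toolkit" (apostrophe), "During forensic analysis, mount the target partition read-only", and "An alternative is to write the results into a file". The EXAMPLE section could also state explicitly that "-z BRT" is the mactime timezone option, since a reader unfamiliar with mactime will not know what BRT refers to.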
diff --git a/debian/patches/Makefile.patch b/debian/patches/Makefile.patch
new file mode 100644
index 0000000..45f3a21
--- /dev/null
+++ b/debian/patches/Makefile.patch
@@ -0,0 +1,14 @@
+Description: Add GCC hardening.
+Author: Joao Eriberto Mota Filho <eriberto at eriberto.pro.br>
+Last-Update: 20130516
+--- a/Makefile
++++ b/Makefile
+@@ -14,7 +14,7 @@
+ 	$(CC) $(GCC_CFLAGS) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
+ 
+ linux_notstatic: 
+-	$(CC) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
++	$(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -D_FILE_OFFSET_BITS=64 -o mac-robber mac-robber.c
+ 
+ sun:
+ 	cc $(SUN_CFLAGS) -o mac-robber mac-robber.c
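Review bot: The DEP-3 header lacks a "Forwarded:" field; since this change is Debian-specific build-flag plumbing, "Forwarded: not-needed" (or a link to the upstream report if it is sent) should be added. Note also that adding $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) to the linux_notstatic target only has an effect if those variables are actually present in the environment when make runs; debian/rules currently calls make directly from override_dh_auto_build, so verify with a build log (blhc is useful here) that the hardening flags really reach the compiler, or invoke the target via "dh_auto_build -- linux_notstatic" so debhelper exports them.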
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..5b1c0a4
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+Makefile.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..40f548d
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,10 @@
+#!/usr/bin/make -f
+
+# Uncomment this to turn on verbose mode.
+export DH_VERBOSE
+
+%:
+	dh $@ --parallel
+
+override_dh_auto_build:
+	make linux_notstatic
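Review bot: "export DH_VERBOSE" contradicts the comment above it: the line is not commented out, and exporting the variable with no value sets it to an empty string. Use the standard template line "#export DH_VERBOSE=1" (commented) so verbose mode is opt-in. In override_dh_auto_build, prefer "dh_auto_build -- linux_notstatic" over a bare "make linux_notstatic": it passes the target to make while keeping debhelper's dpkg-buildflags export, which is what the Makefile.patch hardening change depends on; at minimum use $(MAKE) rather than make so parallel and sub-make handling work with --parallel.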
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..b03d328
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://sf.net/mac-robber/mac-robber-(.*)\.tar\.gz
