Took a peek. TCT mactime cannot be used to determine the install
date. mactime uses lstat(2), which in turn relies on inode timestamps.
Inode timestamps only have one field each for modified, accessed and
changed, so they can only record the last update.

I think the MAC letters are confusing. C can be mistaken for the inode
creation timestamp, like this security book that mistakenly attributes
it:
<http://books.google.com/books?id=xVuoTgSL1QoC&pg=PA620&dq=inode+timestamp&sig=Vg6TpwzxPVlqfVOX7pVUxL4Li-U>

Know your tools.

   Ed  <blog.eonsec.com>

On 12/24/07, Drexx Laggui [personal] <[EMAIL PROTECTED]> wrote:
> 24Dec2007 (UTC +8)
>
> On 12/10/07, Federico Sevilla III <[EMAIL PROTECTED]> wrote:
> > On Mon, 2007-12-10 at 20:01 +0800, Drexx Laggui [personal] wrote:
> > >
> > > On 12/10/07, jan gestre <[EMAIL PROTECTED]> wrote:
> > > > I'm just after the install date.
> > >
> > > 'cat /proc/version' will give you the same output as "uname -a". The
> > > installation date is shown there.
> >
> > Caveat: /proc/version and `uname -a` provide you with the build date of
> > the kernel you are running. On systems where the kernel was upgraded
> > after the installation was done, this will not be an accurate measure of
> > the server's install date.
> >
> > Perhaps a more appropriate approach will be to try to find the change
> > date of the oldest system file (user files may have been extracted from
> > a tarball, inheriting the original timestamp... which while also
> > possible on system files is probably not as common). Again this isn't
> > foolproof, but it may be a bit more accurate when the kernel has been
> > modified.
> >
> > Federico Sevilla III
> > F S 3 Consulting Inc.
> > http://www.fs3.ph
>
> Thanks for the tip! "uname -a" or "cat /proc/version" is what is
> suggested on many first-responder guides on computer forensics. IIRC,
> it started with a CERT.org publication some years ago. Anyway, as
> noted by many already, there is not one "smoking gun" evidence that
> can give the answer right away, as a Linux system is a complex beast
> nowadays. The system analyst or admin must use a combination of tools,
> deduce the answer from all the data present, and arrive at a best
> possible conclusion.
>
> Another good tool to use is "mactime". Check out an article on how
> it's used here:
> http://www.linux.com/feature/41179
>
>
> Drexx Laggui  -- CISA, CISSP, CFE Associate, CCSI, CSA
> http://www.laggui.com  ( Singapore / Manila / California )
> Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4  8363 FFEC 3976 FF31 8A4E
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
>
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
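Editor's added example, not code from anyone in this thread: it shows the three
inode fields lstat(2) exposes (the M, A and C mactime reports, where C is
change time and not creation time, as Ed notes) and Federico's tarball caveat.
The sample tree, the 2007-12-10 timestamp and the file name "old_config" are
constructed for the demonstration; tar restores the member's mtime with
utime(2), but ctime is written only by the kernel, so after extraction the
oldest mtime says 2007 while the oldest ctime says "just now".

```python
"""Added example (not from the thread): the three inode timestamps lstat(2)
exposes, and why the 'C' in mactime is change time, not creation time."""
import os
import tarfile
import tempfile
import time


def walk_lstat(root):
    """Yield (path, stat_result) for everything under root via lstat(2),
    i.e. without following symlinks: the same three fields mactime works from."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except FileNotFoundError:  # entry vanished mid-walk
                continue


def oldest_by(root, field):
    """Return (path, timestamp) with the smallest st_<field> under root.
    field is one of 'mtime' (M), 'atime' (A), 'ctime' (C = inode change)."""
    attr = "st_" + field
    best = None
    for path, st in walk_lstat(root):
        value = getattr(st, attr)
        if best is None or value < best[1]:
            best = (path, value)
    return best


def build_fixture(workdir):
    """Constructed sample: one file dated 2007-12-10 (hypothetical) packed into
    a tar and extracted. tar restores mtime with utime(2); only the kernel
    writes ctime, and it writes the current time."""
    old = time.mktime((2007, 12, 10, 20, 1, 0, 0, 0, -1))
    src = os.path.join(workdir, "src")
    os.makedirs(src)
    sample = os.path.join(src, "old_config")  # constructed file name
    with open(sample, "w") as fh:
        fh.write("# constructed sample file\n")
    os.utime(sample, (old, old))
    tar_path = os.path.join(workdir, "fixture.tar")
    with tarfile.open(tar_path, "w") as tf:
        tf.add(sample, arcname="old_config")
    dest = os.path.join(workdir, "extracted")
    os.makedirs(dest)
    with tarfile.open(tar_path) as tf:
        try:
            tf.extractall(dest, filter="data")
        except TypeError:  # Python without the extraction-filter argument
            tf.extractall(dest)
    return dest, old


def run_demo():
    """Compare 'oldest mtime' against 'oldest ctime' on the extracted tree."""
    with tempfile.TemporaryDirectory() as wd:
        dest, old = build_fixture(wd)
        m_path, m_ts = oldest_by(dest, "mtime")
        c_path, c_ts = oldest_by(dest, "ctime")
        now = time.time()
        return {
            "mtime_is_2007": abs(m_ts - old) < 2,  # tar carried it across
            "ctime_is_now": (now - c_ts) < 120,    # set at extraction time
            "ctime_after_mtime": c_ts > m_ts,      # the two fields disagree
        }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Run it and the two "oldest" answers disagree on the same file: the mtime is the
one the tarball carried, the ctime is the extraction moment. That is the whole
reason the "oldest system file" heuristic prefers ctime, and also why none of
the three fields can ever tell you when the inode was created.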