Neat, thanks for pointing out dumpe2fs(8). At least for ext2/3 file systems it can be used to determine the install date.

Ed <blog.eonsec.com>

On Jan 4, 2008 1:54 PM, Jan Macek <[EMAIL PROTECTED]> wrote:
> Hi,
>
> in some cases you can get an idea from dumpe2fs -h
> which includes:
>
> Filesystem created: Fri Dec 7 14:19:28 2007
>
> jan
>
> On Tue, Dec 25, 2007 at 08:30:48AM +0800, Eduardo Tongson wrote:
> > Not dismissing it. TCT is useful for forensics, for example a server
> > compromise. Yes I used it before but took a better deeper look at
> > mactime this time. I thought it could get the created timestamp for
> > files.
> >
> > I think an accurate way to get the install date is by getting the
> > creation timestamp of the / partition. It is possible that some
> > journaling file systems have a record of the creation time in the
> > journal log. That is if the file system retains old information like
> > that because as far as I know most of them only record recent updates.
> >
> > Ed <blog.eonsec.com>
>
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
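
Added example, not part of the original thread: the "Filesystem created:" value that dumpe2fs -h prints is the s_mkfs_time field of the ext2/3/4 superblock, so it can also be read straight from the first 2 KiB of a disk image. The function names, the sample volume and its timestamps are constructed for illustration, and the thread's date is assumed to be UTC because no time zone is given.

```python
import struct
from datetime import datetime, timezone

SB_OFFSET = 1024  # primary superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53
# Little-endian superblock fields: name -> (offset, struct format)
FIELDS = {
    "last_mount": (0x2C, "<I"),   # s_mtime
    "last_write": (0x30, "<I"),   # s_wtime
    "magic": (0x38, "<H"),        # s_magic
    "created": (0x108, "<I"),     # s_mkfs_time, shown as "Filesystem created:"
}

def superblock_times(volume: bytes) -> dict:
    """Return creation, last-mount and last-write times as UTC datetimes.

    A zero field means "never recorded" and is returned as None.
    """
    sb = volume[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("volume too short to hold a superblock")
    raw = {k: struct.unpack_from(fmt, sb, off)[0] for k, (off, fmt) in FIELDS.items()}
    if raw.pop("magic") != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (bad magic)")
    return {k: datetime.fromtimestamp(v, tz=timezone.utc) if v else None
            for k, v in raw.items()}

def creation_is_plausible(times: dict) -> bool:
    """Creation time must exist and must not be later than the last write."""
    created, written = times["created"], times["last_write"]
    return created is not None and (written is None or created <= written)

def sample_volume(created: int, last_write: int) -> bytes:
    """Constructed test input: a zeroed 2 KiB volume with only these fields set."""
    vol = bytearray(2048)
    struct.pack_into("<H", vol, SB_OFFSET + 0x38, EXT_MAGIC)
    struct.pack_into("<I", vol, SB_OFFSET + 0x30, last_write)
    struct.pack_into("<I", vol, SB_OFFSET + 0x108, created)
    return bytes(vol)

if __name__ == "__main__":
    # 1197037168 = 2007-12-07 14:19:28 UTC (time zone assumed, see above).
    times = superblock_times(sample_volume(1197037168, 1199426040))
    print(times["created"], creation_is_plausible(times))
```

The field records when the file system was made, so it resets whenever the partition is reformatted, and a creation time later than the last write points to a wrong clock or an edited superblock.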

