forked from KoreLogicSecurity/ftimes
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathREADME.INSTALL
More file actions
231 lines (164 loc) · 8.15 KB
/
README.INSTALL
File metadata and controls
231 lines (164 loc) · 8.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
1 Overview
FTimes is a forensic system baselining, searching, and evidence
collection tool. Its primary purpose is to gather and/or
develop topographical information and attributes about specified
directories and files in a manner conducive to intrusion and
forensic analysis.
This document explains how to configure and build FTimes.
1.1 Revision
$Id: README.INSTALL,v 1.28 2019/09/03 19:23:57 klm Exp $
1.2 Table of Contents
Section 1 .................... Overview
Section 1.1 .................. Revision
Section 1.2 .................. Table of Contents
Section 1.3 .................. Background
Section 1.4 .................. Caveats
Section 2 .................... Building FTimes
Section 2.1 .................. Requirements
Section 2.2 .................. Unpack the Source Archive
Section 2.3 .................. Verify Installation of Required Components
Section 2.3.1 ................ Verify Installation of KLEL
Section 2.3.2 ................ Verify Installation of PCRE
Section 2.4 .................. UNIX Build Instructions
Section 2.4.1 ................ UNIX Build Gotchas
Section 2.5 .................. WINX MinGW/MSYS Build Instructions
Section 2.5.1 ................ WINX MinGW/MSYS Build Gotchas
1.3 Background
FTimes is a system baselining and evidence collection tool. The
primary purpose of FTimes is to gather and/or develop information
about specified directories and files in a manner conducive to
intrusion analysis.
FTimes is a lightweight tool in the sense that it doesn't need
to be "installed" on a given system to work on that system, has
a small footprint, and provides only a command line interface.
Preserving records of all activity that occurs during a snapshot
is important for intrusion analysis and evidence admissibility.
For this reason, FTimes was designed to log four types of
information: configuration settings, progress indicators, metrics,
and errors. Output produced by FTimes is delimited text, and
therefore, is easily assimilated by a wide variety of existing
tools.
FTimes basically implements two general capabilities: file
topography and string search. File topography is the process of
mapping key attributes of directories and files on a given file
system. String search is the process of digging through directories
and files on a given file system while looking for a specific
sequence of bytes. Respectively, these capabilities are referred
to as map mode and dig mode.
1.4 Caveats
The various programs and scripts referenced throughout this
document are generally specified using relative paths. To avoid
potential complications, you can either make sure that your PATH
environment variable is configured properly or provide full path
information as needed.
2 Building FTimes
This section describes the process for building and installing
FTimes.
2.1 Requirements
FTimes depends on the following libraries:
libcrypto - optional, but deprecated (via --with-ssl)
libklel - required (via --with-klel)
liblua - optional (via --with-lua)
libpcre - required (via --with-pcre)
libperl - optional (via --with-perl)
libpython - optional (via --with-python)
libssl - optional, but deprecated (via --with-ssl)
Required libraries must be present on the build system. If configure
is unable to locate them under one of the standard install paths, use
'--with-<library>=<path>' to specify a valid alternate path.
Building FTimes in UNIX environments requires:
Make
GNU make 3.8.0 or higher is recommended.
GCC
Most any version will do.
Perl
Most any version will do, but it must include pod2man and
pod2html. If it doesn't, be sure to add them.
Autoconf
This tool is only required if you need to remake the configure
script. By default, the configure script is pre-built and
included in each release.
Building FTimes in WINX environments requires:
MinGW+MSYS
MinGW 5.1.4 and MSYS 1.0.10 or higher is recommended.
2.2 Unpack the Source Archive
The source archive needs to be unpacked in a suitable location
before the build process can commence. All commands presented
in this section attempt to unpack the source archive in the current
working directory.
On UNIX/WINX platforms this can be accomplished as follows:
$ tar -zxvf <archive>
If your version of tar doesn't support the 'z' flag, then try the
following command pipeline:
$ gunzip -c <archive> | tar -xvf -
2.3 Verify Installation of Required Components
2.3.1 Verify Installation of KLEL
By default, KLEL support is required. This means that KLEL
libraries must be installed and/or available on the build system.
Refer that project's documentation for details on how to do this.
See also:
https://git.korelogic.com/libklel.git
https://github.com/KoreLogicSecurity/libklel
https://sourceforge.net/projects/libklel
2.3.2 Verify Installation of PCRE
By default, PCRE support is required. This means that PCRE
libraries must be installed and/or available on the build system.
Refer that project's documentation for details on how to do this.
See also:
http://www.pcre.org
2.4 UNIX Build Instructions
Typically, the build process is simply a matter of running configure
and make. In general, you are not required to specify any extra
options/arguments when invoking either command. The most basic
build sequence is as follows:
$ ./configure && make
By default, certain support (KLEL and PCRE) is enabled. This means
that the configure script will attempt to locate the necessary
components (e.g., libraries and include files) on your system.
If these components are not found in one of several common
locations, the script will abort. To override that behavior, you
can specify alternate locations using the --with-<library>=<path>
configure option. For example, if your copy of PCRE was installed
in /usr/local/my_pcre, the build sequence would be as follows:
$ ./configure --with-pcre=/usr/local/my_pcre && make
The default FTimes installation directory is /usr/local/ftimes.
If you want to install in a different location, set the --prefix
configure option. For example, if you wanted to install in the
directory /usr/local/my_ftimes, the build sequence would be as
follows:
$ ./configure --prefix=/usr/local/my_ftimes && make
To see a listing of all available configure options execute the
following command:
$ ./configure --help
When the software has been built to your satisfaction, it can be
tested and installed with the following commands:
# make -s test
# make install
2.4.1 UNIX Build Gotchas
When experimenting with different build/configure options, be
sure to do a "make clean-all" between builds. This ensures that
any intermediate files are removed. In certain situations, build
problems could arise if this is not done.
Executing the built-in tests (i.e., the test target) can take a
considerable amount of time -- especially on older/slower systems.
Also, these tests may fail if you don't have the necessary Perl
modules installed and available in the expected locations.
Make sure pod2man and pod2html are installed and in your PATH. The
documentation will not build properly without these utilities.
Make sure strip(1) is in your PATH.
2.5 WINX MinGW/MSYS Build Instructions
Typically, the build process is simply a matter of running configure
and make. Going on the assumption that you have a static versions of
KLEL and PCRE, the most basic build sequence is as follows:
$ ./configure CFLAGS=-DPCRE_STATIC && make
$ make install
If you need to build a static version of PCRE, follow the
instructions documented in this recipe:
http://ftimes.sourceforge.net/Files/Recipes/pcre-compile-mingw.txt
2.5.1 WINX MinGW/MSYS Build Gotchas
The process documented in the previous section is known to work
with the stated versions of MinGW+MSYS. Other combinations are
not supported at this time.
You may encounter errors building the man pages. If that happens,
put copies of pod2man and pod2html in MinGW's bin directory
(typically C:\MinGW\bin).