Monday, 19 May 2008

wtmp

A while back, over at the Forensics Wiki, I posted a few Mac OS X artefacts which may be evidentially useful.

The wtmp file was one of them. It records logins, reboots and shutdowns on Mac OS X 10.4 and earlier; sadly I found out today that wtmp is deprecated in Leopard and has been superseded by asl.db.

To view wtmp you can copy the suspect file to your own Mac and, in Terminal, run the command last -f followed by the path to the copied file, redirecting the parsed output to a text file. The output takes the form:

testac_  console  macintoshtestcom  Tue Feb 19 21:37   still logged in
reboot   ~                          Tue Feb 19 21:36
shutdown ~                          Tue Feb 19 15:51
testac_  console  macintoshtestcom  Tue Feb 19 15:26 - 15:51  (00:24)
reboot   ~                          Tue Feb 19 15:26
shutdown ~                          Tue Feb 19 10:37
testac_  console  macintoshtestcom  Tue Feb 19 10:28 - 10:37  (00:09)
reboot   ~                          Tue Feb 19 10:26
shutdown ~                          Tue Feb 19 00:52
testac_  console  macintoshtestcom  Mon Feb 18 18:44 - 00:52  (06:07)
reboot   ~                          Mon Feb 18 18:42
shutdown ~                          Mon Feb 18 18:39
testac_  console  macintoshtestcom  Sun Feb 17 17:55 - 18:39  (1+00:44)
reboot   ~                          Sun Feb 17 17:51
shutdown ~                          Sun Feb 17 17:47
testac_  console  macintoshtestcom  Mon Feb 11 11:21 - 17:47  (6+06:25)
reboot   ~                          Mon Feb 11 11:21
shutdown ~                          Mon Feb 11 03:31
testac_  console  macintoshtestcom  Sun Feb 10 14:28 - 03:31  (13:03)
reboot   ~                          Sun Feb 10 14:27
shutdown ~                          Fri Feb  8 15:35
testac_  console  macintoshtestcom  Fri Feb  8 14:24 - 15:35  (01:10)
reboot   ~                          Fri Feb  8 14:24
shutdown ~                          Fri Feb  8 14:21

and so on....

This works fine in Terminal on Tiger, but for some reason the last command on Leopard does not work with these files.
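Where last on Leopard will not read a Tiger wtmp, the records can be decoded directly. The following is an added example of mine, not code from the post: it parses the fixed-width 4.4BSD utmp layout that Mac OS X 10.4 used (an assumption to verify against the suspect system's utmp.h), handles the big-endian byte order of PowerPC-written files, and pairs logins with logouts the way last does. The sample records are constructed to mirror the output above and are not real evidence.

```python
import struct

# 4.4BSD utmp record as laid out by Mac OS X 10.4's utmp.h (assumed; verify against the
# suspect system): char ut_line[8]; char ut_name[8]; char ut_host[16]; int32 ut_time.
REC_FMT = "8s8s16si"
REC_LEN = struct.calcsize("=" + REC_FMT)   # 36 bytes per record

def cstr(b):
    """Decode a fixed-width C string; a full 16-byte host has no NUL terminator."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")

def make_record(line, name, host, t, big_endian):
    fmt = (">" if big_endian else "<") + REC_FMT
    return struct.pack(fmt, line.encode(), name.encode(), host.encode(), t)

def parse_wtmp(data, big_endian=False):
    """Yield (line, name, host, epoch) per record; files from PowerPC Macs are big-endian."""
    fmt = (">" if big_endian else "<") + REC_FMT
    for off in range(0, len(data) - REC_LEN + 1, REC_LEN):
        line, name, host, t = struct.unpack_from(fmt, data, off)
        yield cstr(line), cstr(name), cstr(host), t

def sessions(records):
    """Pair logins with logouts the way last(1) does; rows are
    (name, line, host, start, end, note), newest first; reboot/shutdown rows have no end."""
    out, open_logins = [], {}
    for line, name, host, t in records:
        if line == "~":                        # reboot/shutdown pseudo-record
            out += [rec + (t, None) for rec in open_logins.values()]  # closes open sessions
            open_logins.clear()
            out.append((name, line, host, t, None, None))
        elif name:                             # login: tty and user both set
            open_logins[line] = (name, line, host, t)
        elif line in open_logins:              # logout: same tty, empty user
            out.append(open_logins.pop(line) + (t, None))
    out += [rec + (None, "still logged in") for rec in open_logins.values()]
    return sorted(out, key=lambda r: -r[3])

# Constructed sample mirroring the post's output (epochs are 19 Feb 2008 UTC; not real evidence).
SAMPLE = b"".join(make_record(*r, big_endian=True) for r in [
    ("~", "reboot", "", 1203434760),                         # reboot 15:26
    ("console", "testac_", "macintoshtestcom", 1203434760),  # login 15:26
    ("console", "", "", 1203436260),                         # logout 15:51
    ("~", "shutdown", "", 1203436260),                       # shutdown 15:51
    ("~", "reboot", "", 1203456960),                         # reboot 21:36
    ("console", "testac_", "macintoshtestcom", 1203457020),  # login 21:37, still logged in
])
```

Run sessions(parse_wtmp(open(path, "rb").read(), big_endian=True)) on a copied wtmp; the gzip-archived older files can be opened with gzip.open instead.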

I have asked about this elsewhere and someone suggested the wtmp parser within the EnCase Case Processor. The results I got were unintelligible.

Whilst revisiting this subject I discovered that older wtmp files are archived into gzip files, which may be useful to someone!
