The wtmp file was one of them. This file contains login and shutdown information for Mac OS X 10.4 and earlier; sadly, I found out today that wtmp is now deprecated in Leopard and has been superseded by asl.db.
To view wtmp you could copy the suspect file to your Mac and, within Terminal, run the last -f command against it, redirecting the parsed output to a text file. The result looks like this:
testac_ console macintoshtestcom Tue Feb 19 21:37 still logged in
reboot ~ Tue Feb 19 21:36
shutdown ~ Tue Feb 19 15:51
testac_ console macintoshtestcom Tue Feb 19 15:26 - 15:51 (00:24)
reboot ~ Tue Feb 19 15:26
shutdown ~ Tue Feb 19 10:37
testac_ console macintoshtestcom Tue Feb 19 10:28 - 10:37 (00:09)
reboot ~ Tue Feb 19 10:26
shutdown ~ Tue Feb 19 00:52
testac_ console macintoshtestcom Mon Feb 18 18:44 - 00:52 (06:07)
reboot ~ Mon Feb 18 18:42
shutdown ~ Mon Feb 18 18:39
testac_ console macintoshtestcom Sun Feb 17 17:55 - 18:39 (1+00:44)
reboot ~ Sun Feb 17 17:51
shutdown ~ Sun Feb 17 17:47
testac_ console macintoshtestcom Mon Feb 11 11:21 - 17:47 (6+06:25)
reboot ~ Mon Feb 11 11:21
shutdown ~ Mon Feb 11 03:31
testac_ console macintoshtestcom Sun Feb 10 14:28 - 03:31 (13:03)
reboot ~ Sun Feb 10 14:27
shutdown ~ Fri Feb 8 15:35
testac_ console macintoshtestcom Fri Feb 8 14:24 - 15:35 (01:10)
reboot ~ Fri Feb 8 14:24
shutdown ~ Fri Feb 8 14:21
and so on....
This works fine using Terminal in Tiger, but for some reason the last command in Leopard does not work on these files.
I have asked about this elsewhere and someone suggested the wtmp parser within the EnCase Case Processor. The results I got were unintelligible.
Whilst revisiting this subject, I discovered that older wtmp files are archived into gzip files, which may be useful to someone!
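As an added example (not the author's code, and not Apple's last), here is a small Python parser for the classic 36-byte BSD wtmp record that Tiger and earlier write, together with the login/logout pairing that last(1) performs, so the file can be read on any machine whether or not the local last understands it. It also opens the gzip-compressed rotations mentioned above directly. Assumptions: the 4.4BSD struct utmp layout (ut_line[8], ut_name[8], ut_host[16], 32-bit ut_time); the byte order must be chosen to match the suspect Mac (PowerPC big-endian, Intel little-endian); the sample records are constructed, loosely modelled on the timeline above, not a real capture; and times are printed in UTC rather than the local zone that last uses.

```python
"""Parse a classic 4.4BSD-style wtmp (Mac OS X 10.4 and earlier) and pair its
records into sessions the way last(1) does, without the local `last` binary.
Added example for this post, not the author's or Apple's code. Layout is the
Tiger struct utmp (36 bytes): ut_line[8], ut_name[8], ut_host[16], 32-bit
ut_time. "~" in ut_line marks reboot/shutdown; an empty ut_name is a logout.
Byte order is an assumption you supply: PowerPC wrote big-endian (">"),
Intel little-endian ("<").
"""
import calendar
import gzip
import struct
import time
from collections import namedtuple

RECORD_FMT = "8s8s16sI"            # 36 bytes once prefixed with "<" or ">"
Rec = namedtuple("Rec", "line name host time")
# end is None while still logged in; reason is logout/shutdown/reboot/still logged in
Session = namedtuple("Session", "name line host start end reason")


def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def parse_wtmp(data, byteorder=">"):
    """Decode raw wtmp bytes; rotated wtmp.N.gz files are unpacked first."""
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    fmt, size = byteorder + RECORD_FMT, struct.calcsize(byteorder + RECORD_FMT)
    return [Rec(_cstr(l), _cstr(n), _cstr(h), t)          # trailing partial record dropped
            for l, n, h, t in struct.iter_unpack(fmt, data[:len(data) - len(data) % size])]


def sessions(recs):
    """Pair each login with its logout/shutdown/reboot; oldest first."""
    open_by_line, out = {}, []

    def close(rec, end, reason):
        out.append(Session(rec.name, rec.line, rec.host, rec.time, end, reason))

    for r in recs:                   # wtmp is append-only, so file order is time order
        if r.line == "~":            # reboot/shutdown ends every open session
            for o in open_by_line.values():
                close(o, r.time, r.name)
            open_by_line.clear()
            out.append(Session(r.name, "~", r.host, r.time, None, r.name))
            continue
        o = open_by_line.pop(r.line, None)
        if o:                        # logout, or a fresh login on a busy tty
            close(o, r.time, "logout")
        if r.name:
            open_by_line[r.line] = r
    for o in open_by_line.values():
        close(o, None, "still logged in")
    return sorted(out, key=lambda s: s.start)


def fmt_last(s):
    """Render one session roughly like last(1); times are printed in UTC."""
    start = time.strftime("%a %b %d %H:%M", time.gmtime(s.start))
    head = f"{s.name:<8} {s.line:<8} {s.host:<16} {start}"
    if s.line == "~":
        return head
    if s.end is None:
        return f"{head}   still logged in"
    d, rem = divmod(s.end - s.start, 86400)
    h, m = divmod(rem // 60, 60)
    span = f"{d}+{h:02d}:{m:02d}" if d else f"{h:02d}:{m:02d}"
    return f"{head} - {time.strftime('%H:%M', time.gmtime(s.end))}  ({span})"


# Constructed sample modelled on the post's timeline (not a real capture).
# struct utmp keeps only 8 chars of the name and 16 of the host, which is why
# last prints clipped values such as "macintoshtestcom".
def _rec(line, name, host, ts, byteorder=">"):
    return struct.pack(byteorder + RECORD_FMT, line.encode(), name.encode(), host.encode(), ts)

def _t(*ymdhm):
    return calendar.timegm(ymdhm + (0,))

SAMPLE_WTMP = b"".join([
    _rec("~", "reboot", "", _t(2008, 2, 19, 15, 26)),
    _rec("console", "testaccount", "macintoshtest.com", _t(2008, 2, 19, 15, 26)),
    _rec("~", "shutdown", "", _t(2008, 2, 19, 15, 51)),
    _rec("~", "reboot", "", _t(2008, 2, 19, 21, 36)),
    _rec("console", "testaccount", "macintoshtest.com", _t(2008, 2, 19, 21, 37)),
])
SAMPLE_WTMP_GZ = gzip.compress(SAMPLE_WTMP)   # what a rotated wtmp.0.gz looks like

if __name__ == "__main__":
    for s in reversed(sessions(parse_wtmp(SAMPLE_WTMP))):   # newest first, like last
        print(fmt_last(s))
```

To run it against a real file, read /var/log/wtmp (or a wtmp.0.gz) from the suspect image as bytes and call parse_wtmp with the byte order of the suspect machine; if the timestamps come out as nonsense dates, the byte order is wrong, which is the first thing to check when a wtmp from one architecture is parsed on another.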