Welcome To The FTimes Project

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

FTimes is a lightweight tool in the sense that it doesn't need to be "installed" on a given system to work on that system, it is small enough to fit on a single floppy, and it provides only a command line interface.

Preserving records of all activity that occurs during a snapshot is important for intrusion analysis and evidence admissibility. For this reason, FTimes was designed to log four types of information: configuration settings, progress indicators, metrics, and errors. Output produced by FTimes is delimited text, and therefore, is easily assimilated by a wide variety of existing tools.

FTimes basically implements two general capabilities: file topography and string search. File topography is the process of mapping key attributes of directories and files on a given file system. String search is the process of digging through directories and files on a given file system while looking for a specific sequence of bytes. Respectively, these capabilities are referred to as map mode and dig mode.
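The two capabilities described above, as an added illustration rather than code from the FTimes project: a simplified map mode that walks a tree and records a few attributes per file (plus one hash for the whole tree, in the spirit of the directory-hash feature listed below), and a simplified dig mode that reports where a byte sequence occurs. The attribute set, the pipe-delimited layout, the directory-hash construction and the sample tree are all assumptions made for this example; FTimes's own attribute names, output format and hashing rules are documented in its manual.

```python
import hashlib
import os
import tempfile

# Constructed sample tree (not real system files); written to a temporary
# directory so the example runs offline.
SAMPLE_TREE = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "etc/hosts": b"127.0.0.1 localhost\n",
    "bin/ls": b"\x7fELF fake binary contents\n",
}


def build_tree(root):
    """Write SAMPLE_TREE under root and return root."""
    for rel, data in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def map_tree(root):
    """Map mode (simplified): one record per file with name, size and MD5.
    The attribute set is an assumption; FTimes collects many more."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            records.append({"name": rel, "size": st.st_size, "md5": digest})
    return records


def directory_hash(records):
    """One hash for the whole tree: MD5 over sorted 'name|md5' lines.
    This construction is assumed here; FTimes's own scheme may differ."""
    h = hashlib.md5()
    for r in sorted(records, key=lambda r: r["name"]):
        h.update(f"{r['name']}|{r['md5']}\n".encode())
    return h.hexdigest()


def dig_tree(root, needle):
    """Dig mode (simplified): every (relative name, byte offset) at which
    the byte string needle occurs in a file under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append((rel, idx))
                start = idx + 1
    return hits


def to_delimited(records):
    """Render records as pipe-delimited text with a header line."""
    lines = ["name|size|md5"]
    for r in records:
        lines.append(f"{r['name']}|{r['size']}|{r['md5']}")
    return "\n".join(lines)


def run_demo():
    """Build the sample tree, map it, hash it and dig it; return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_tree(tmp)
        recs = map_tree(tmp)
        return {
            "records": recs,
            "directory_hash": directory_hash(recs),
            "hits": dig_tree(tmp, b"localhost"),
        }


if __name__ == "__main__":
    result = run_demo()
    print(to_delimited(result["records"]))
    print("directory hash:", result["directory_hash"])
    print("dig hits for b'localhost':", result["hits"])
```

The directory hash depends only on relative names and content hashes, so the same tree mapped from two different mount points yields the same value, which is what makes a single hash usable as a change indicator for a rarely changing tree.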

FTimes supports two operating environments: workbench and client-server. In the workbench environment, the operator uses FTimes to do things such as examine evidence (e.g., a disk image or files from a compromised system), analyze snapshots for change, search for files that have specific attributes, verify file integrity, and so on. In the client-server environment, the focus shifts from what the operator can do locally to how the operator can efficiently monitor, manage, and aggregate snapshot data for many hosts. In the client-server environment, the primary goal is to move collected data from the host to a centralized system, known as an Integrity Server, in a secure and authenticated fashion. An Integrity Server is a hardened system that has been configured to handle FTimes GET, PING, and PUT HTTP/S requests.

The FTimes distribution contains a script called nph-ftimes.cgi that may be used in conjunction with a Web server to implement a public Integrity Server interface. Deeper topics such as the construction and internal mechanics of an Integrity Server are not addressed here.

Highlights and Advantages
  • FTimes is easy to use and fast! The rest is pure gravy...

  • FTimes has been written in C and ported to many popular OSes such as AIX, BSDi, FreeBSD, HP-UX, Linux, Solaris, and Windows 98/ME/NT/2K/XP. FTimes does not require additional runtime support such as a script interpreter (e.g., Perl) or a Virtual Machine (e.g., JVM).

  • FTimes does not need to be installed on the client's machine. In many cases it can be run from a floppy or CDROM. Because of this, FTimes can be configured such that it is minimally invasive to the target system. This is important when trying to collect evidence of an attack on a live system.

  • FTimes has thorough logging. This helps to increase its credibility and admissibility as evidence because the log information can be used to determine the known or potential error rate of the tool under various conditions. FTimes logs four types of information: configuration settings, progress indicators, metrics, and errors.

  • FTimes detects and encodes non-printable characters (e.g., white space, carriage returns, etc.) in filenames. This ensures that your view of the output is not artificially altered by the data you are looking at. The URL encoding scheme used also helps you to quickly focus on anomalous filenames. Other popular forensic and/or analysis tools don't do this, and because of that, the on-screen output they produce can potentially be manipulated through the use of clever filenames. FTimes has had this feature for many years.

  • FTimes detects and processes Alternate Data Streams (ADS) when running on Windows NT/2K/XP systems. This is quite useful in cases where the perpetrator has used Alternate Data Streams to hide tools and information. As of version 3.8.0, FTimes can process ADS from Linux when an NTFS partition is mounted as the ntfs-3g type. More details on that can be found here.

  • FTimes produces configurable output on a per attribute basis that is delimited ASCII. Therefore, it is conducive to analysis. This output can be assimilated using standard database technology as well as a wide array of existing tools. This makes it more flexible than proprietary database schemes that are essentially opaque to the practitioner. Ultimately, this format yields better analysis results because the practitioner is able to manipulate data freely, and peers may independently verify analysis results. Again, this helps to strengthen its credibility and admissibility as evidence.

  • FTimes can be deployed as an enterprise solution with all information being transmitted to and preserved on a hardened Integrity Server. This allows for centralized management of data, and avoids the problem of leaving data exposed on a client's system. Data stored on a client's system is vulnerable to malicious modification or destruction.

  • FTimes natively supports client initiated HTTP/HTTPS uploads/downloads. This eliminates the need for boundary devices such as firewalls to have special inbound connection rules. Furthermore, there's a good chance that existing boundary devices already support the required outbound communications path because it is the same as that needed to browse the Web.

  • FTimes provides an efficient string search capability (a.k.a. dig mode). This is particularly useful in investigations when the practitioner has a profile of key words or byte strings that are likely to exist somewhere on the target system.

  • FTimes optionally supports device file digging (block/character).

  • FTimes optionally produces directory hashes. This is a significant analysis advantage in situations where content rarely changes. The advantage is that one hash effectively represents the content of all directories and files contained in a given tree.

  • FTimes optionally produces symlink hashes.

  • FTimes optionally performs file typing via XMagic. When there are hundreds or thousands of unknown hashes, it is difficult to determine which files may have changed as a result of a malicious act. In these situations, type information can be used to categorize files and prioritize the order in which they are examined.

  • FTimes has an extremely fast, tunable compare capability. This enables the practitioner to quickly analyze snapshots and determine change.

  • FTimes has a growing test harness with literally thousands of tests to help ensure reliability, consistency, and accuracy. This also helps to increase its credibility and admissibility as evidence.
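Two of the points above, filename encoding and snapshot comparison, fit together in one worked example. This is added illustration, not FTimes code: it URL-encodes filenames so that each record of a delimited snapshot stays on one line no matter what bytes the name contains, then compares a baseline snapshot against a later one and reports new, missing and changed files with the attributes that differ. The safe character set, the `name|size|md5` layout and both snapshots are constructed for this example; FTimes's real encoding rules and compare options are described in its manual.

```python
import re

# Bytes allowed to appear literally in an encoded filename; every other byte
# is written as %HH. This safe set is an assumption for the example.
_SAFE = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                  b"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  b"0123456789-_./")


def encode_name(raw):
    """Encode a filename (bytes) as one printable token containing no
    delimiter, whitespace, control or non-ASCII byte."""
    return "".join(chr(b) if b in _SAFE else "%%%02X" % b for b in raw)


def decode_name(encoded):
    """Inverse of encode_name; returns the original bytes."""
    return re.sub(rb"%([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]),
                  encoded.encode("ascii"))


def parse_snapshot(text):
    """Parse pipe-delimited 'name|size|md5' text (header first) into a dict
    keyed by encoded name. Raises ValueError on a malformed record."""
    lines = text.strip().split("\n")
    fields = lines[0].split("|")
    snap = {}
    for line in lines[1:]:
        values = line.split("|")
        if len(values) != len(fields):
            raise ValueError("malformed record: %r" % line)
        rec = dict(zip(fields, values))
        snap[rec["name"]] = rec
    return snap


def is_well_formed(text):
    """True if every record in text parses cleanly."""
    try:
        parse_snapshot(text)
        return True
    except ValueError:
        return False


def compare_snapshots(baseline, current):
    """Report new, missing and changed files; for changed files list the
    attributes (header fields other than name) whose values differ."""
    base = parse_snapshot(baseline)
    cur = parse_snapshot(current)
    result = {"new": sorted(set(cur) - set(base)),
              "missing": sorted(set(base) - set(cur)),
              "changed": {}}
    for name in sorted(set(base) & set(cur)):
        diffs = [f for f in base[name]
                 if f != "name" and base[name][f] != cur[name][f]]
        if diffs:
            result["changed"][name] = diffs
    return result


# Constructed snapshots (not real FTimes output). The third file in the
# current snapshot has a newline and the field delimiter in its name.
TRICKY_NAME = b"tmp/log\n.txt|0|deadbeef"
FAKE_MD5_OLD, FAKE_MD5_NEW, FAKE_MD5_TMP = "0" * 32, "f" * 32, "2" * 32
BASELINE_SNAPSHOT = "\n".join([
    "name|size|md5",
    "bin/ls|26|" + FAKE_MD5_OLD,
    "etc/passwd|30|" + "1" * 32,
])
CURRENT_SNAPSHOT = "\n".join([
    "name|size|md5",
    "bin/ls|27|" + FAKE_MD5_NEW,
    "etc/passwd|30|" + "1" * 32,
    encode_name(TRICKY_NAME) + "|5|" + FAKE_MD5_TMP,
])
# Same data with the name written raw: the newline splits the record.
RAW_SNAPSHOT = "\n".join([
    "name|size|md5",
    "bin/ls|27|" + FAKE_MD5_NEW,
    TRICKY_NAME.decode("ascii") + "|5|" + FAKE_MD5_TMP,
])


def run_demo():
    """Compare the constructed baseline against the constructed current snapshot."""
    return compare_snapshots(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT)


if __name__ == "__main__":
    print("encoded name:", encode_name(TRICKY_NAME))
    print("raw snapshot parses:", is_well_formed(RAW_SNAPSHOT))
    print(run_demo())
```

With encoding in place the awkward name shows up as `tmp/log%0A.txt%7C0%7Cdeadbeef`, a single anomalous token that stands out in a listing, whereas the raw form breaks the record structure and the parser rejects it. Encoding `%` itself as `%25` keeps the scheme reversible.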

Drawbacks and Issues
  • FTimes does not collect all possible attributes on every supported platform.

  • FTimes can't be completely trusted on a compromised host even when statically compiled -- think kernel patch. The best you can hope for is to detect a breach before such a patch is effected. This could potentially be done by running host integrity checks on a frequent basis. By the way, if you suspect a kernel patch, your only true recourse is to take the system down and inspect it from another vantage point.

  • To support batch processing, FTimes stores authentication credentials on the client system. Therefore, one must take measures to prevent and/or detect spoofing and replays. This becomes an issue as soon as the client is compromised.

  • FTimes can't protect client-server exchanges when used without encryption and mutual authentication.

FTimes in Action

To read about the various ways in which FTimes has been put to use, click here...

Copyright 2000-2013 The FTimes Project, All Rights Reserved.