Directory Tree Analysis File Generator is a Practical Extraction and Reporting Language (PERL) script that simplifies and automates the collection of information for forensic analysis of compromised computer systems. During such an analysis, it is sometimes necessary to collect and analyze information about the files in a specific directory tree. Directory Tree Analysis File Generator collects this information (for files only, not for directories) and writes it to a text file. The script asks the user for the root of the directory tree to be processed, the name of the output file, and the number of subtree levels to process, then processes the directory tree and writes the text file. The file is formatted so that it can be loaded into a spreadsheet program, where the forensic analysis is performed. The analysis usually consists of sorting the files and examining such characteristics as ownership, time of creation, and time of most recent access, all of which are included in the text file.
This program was written by Thomas Wolfe of Caltech for NASA’s Jet Propulsion Laboratory.
This software is available for commercial licensing. Please contact Don Hart of the California Institute of Technology at (818) 393-3425. Refer to NPO-40165.
This Brief includes a Technical Support Package (TSP).

Forensic Analysis of Compromised Computers (reference NPO40165) is currently available for download from the TSP library.
Overview
The document is a Technical Support Package from NASA's Jet Propulsion Laboratory, focusing on the forensic analysis of compromised computers. It is identified as NPO-40165 and is part of NASA Tech Briefs, aimed at disseminating aerospace-related developments with broader technological applications.
The primary tool discussed in the document is a Perl script designed for analyzing files within a specified directory tree. This tool is particularly useful during forensic investigations, where understanding file ownership, access times, and other metadata is crucial. The script generates an analysis file that can be imported into spreadsheet programs for further examination. The output file contains detailed information about each file, including the file name and path, file type, owner user ID, owner group ID, inode date and time, last modified date and time, and last accessed date and time, all formatted in a tab-separated values structure.
The document outlines the operational process of the tool, which begins by prompting the user for the root directory to analyze, the desired output file name, and the number of subtree levels to process. The default setting is to analyze all levels. The script can be executed on PCs using a bundled version of ActivePerl, making it a portable and standalone tool. A simple batch file is provided to facilitate execution.
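The collection described above can be sketched in a few lines of Perl. This is an added example, not the NPO-40165 script: the command-line arguments (used here instead of interactive prompts), the column names, the UTC timestamp format, and the interpretation of the level count are all assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not the NPO-40165 script.
use strict;
use warnings;
use File::Find;
use File::Spec;
use POSIX qw(strftime);

# Assumed interface: ROOT OUTFILE [LEVELS]; omit LEVELS to process all levels.
my ($root, $out, $levels) = @ARGV;
die "usage: $0 ROOT OUTFILE [LEVELS]\n" unless defined $root && defined $out;
$root = File::Spec->rel2abs($root);

open(my $fh, '>', $out) or die "cannot write $out: $!\n";
# Column names are assumptions; the fields follow the list in the overview.
print $fh join("\t", qw(path type uid gid inode_time modified accessed)), "\n";

# UTC timestamps in a form that sorts correctly as text in a spreadsheet.
sub stamp { return strftime('%Y-%m-%d %H:%M:%S', gmtime(shift)) }

find({ no_chdir => 1, wanted => sub {
    my $path = $File::Find::name;
    my @st = lstat($path) or return;   # lstat: never follow symbolic links
    if (-d _) {
        # Depth of this directory below ROOT (ROOT itself is 0).
        my $rel   = File::Spec->abs2rel($path, $root);
        my @parts = $rel eq '.' ? () : File::Spec->splitdir($rel);
        # Assumed meaning of LEVELS: 1 = only files directly under ROOT.
        $File::Find::prune = 1 if defined $levels && @parts >= $levels;
        return;                        # directories themselves are not listed
    }
    my $type = -l _ ? 'symlink' : -f _ ? 'file' : 'other';
    (my $name = $path) =~ s/[\t\r\n]/?/g;   # keep one row per file
    print $fh join("\t", $name, $type, @st[4, 5],
                   map { stamp($_) } @st[10, 9, 8]), "\n";
}}, $root);

close($fh) or die "close failed: $!\n";
```

Where possible, run a collector like this against a read-only mount or image of the compromised file system, so that the collection itself does not alter the evidence.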
Additionally, the document details command line arguments that enhance the script's functionality. These include various debug options that provide additional information during execution, as well as a verbose mode that reassures users that the script is actively processing data.
The document emphasizes the importance of forensic analysis in understanding compromised systems, highlighting the need for accurate data collection and analysis. It serves as a resource for professionals involved in cybersecurity and forensic investigations, providing them with the necessary tools and methodologies to effectively analyze file systems.
Overall, this Technical Support Package is a valuable resource for those engaged in forensic analysis, offering practical tools and insights into the processes involved in examining compromised computers. It underscores NASA's commitment to sharing technological advancements that have broader applications beyond aerospace.

