Now Reading
Carving utmp records

Carving utmp records

by Igor Mikhaylov2018-02-03

This article laconically describes cutting utmp records for intrusion analysis. These files are not text files, but sometimes the files have empty data. That’s why an attacker can delete these files if he has administrative privileges.

There are three types of files: utmp, wtmp and btmp. All these types have the same format as described in “man utmp 5” and their size. Depending on the system, these files can usually be found in different places.

You can get acquainted with utmp cutting utilities for analysis of intrusions in the kazamiya’ post.



Leave a Response

Please enter the result of the calculation above.