bulk_extractor
bulk_extractor copied to clipboard
Published
20 hours ago •
simsong
simsong
wtmp parser not working properly on provided file
@MagicalTux provided wtmp.zip as an example of a valid wtmp file that doesn't parse in bulk_extractor's record carving.
@MagicalTux - can you please provide what the output of parsing this file should look like? Thanks.
Question: do utmp and wtmp have the same format? This appears to be a Solaris-formatted file.
This file is generated by a linux 2.6 machine and is standard. utmpdump will parse it successfully.
However because the file was generated on a sparc machine, it is big endian, and needs to be handled as such.
Utmp dump of /tmp/wtmp
[1792] [-300220416] [/0 ] [user ] [pts/0 ] [:0.0 ] [0.0.0.0 ] [1952-06-20T21:04:09,221053952+00:00]
[2048] [486998016] [si ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1959-05-30T20:19:21,-987561472+00:00]
[512] [00000] [~~ ] [reboot ] [~ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1959-05-30T20:19:21,-12451328+00:00]
[256] [843972608] [~~ ] [runlevel] [~ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1959-05-30T20:19:21,2051867392+00:00]
[1280] [-401866752] [l2 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1959-05-30T20:19:21,-1361247488+00:00]
[2048] [-401866752] [l2 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1998-03-22T19:11:05,1751451648+00:00]
[1280] [672006144] [1 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1998-03-22T19:11:05,-1613690880+00:00]
[1280] [688783360] [2 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1998-03-22T19:11:05,-798029568+00:00]
[1280] [705560576] [3 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1998-03-22T19:11:05,1448610304+00:00]
[1280] [722337792] [4 ] [ ] [ ] [2.6.18-5-sparc32 ] [0.0.0.0 ] [1998-03-22T19:11:05,-2016409088+00:00]
[1536] [688783360] [2 ] [LOGIN ] [tty2 ] [ ] [0.0.0.0 ] [1998-03-22T19:11:05,-363788032+00:00]
[1536] [672006144] [1 ] [LOGIN ] [tty1 ] [ ] [0.0.0.0 ] [1998-03-22T19:11:05,-491583488+00:00]
[1536] [705560576] [3 ] [LOGIN ] [tty3 ] [ ] [0.0.0.0 ] [1998-10-02T23:31:21,758843904+00:00]
...
