24Dec2007 (UTC +8)

On 12/10/07, Federico Sevilla III <[EMAIL PROTECTED]> wrote:
> On Mon, 2007-12-10 at 20:01 +0800, Drexx Laggui [personal] wrote:
> >
> > On 12/10/07, jan gestre <[EMAIL PROTECTED]> wrote:
> > > I'm just after the install date.
> >
> > 'cat /proc/version' will give you the same output as "uname -a". The
> > installation date is shown there.
>
> Caveat: /proc/version and `uname -a` provide you with the build date of
> the kernel you are running. On systems where the kernel was upgraded
> after the installation was done, this will not be an accurate measure of
> the server's install date.
>
> Perhaps a more appropriate approach will be to try to find the change
> date of the oldest system file (user files may have been extracted from
> a tarball, inheriting the original timestamp... which while also
> possible on system files is probably not as common). Again this isn't
> fool proof, but it may be a bit more accurate when the kernel has been
> modified.
>
> Federico Sevilla III
> F S 3 Consulting Inc.
> http://www.fs3.ph

Thanks for the tip! "uname -a" or "cat /proc/version" is what is suggested on many first-responder guides on computer forensics. IIRC, it started with a CERT.org publication some years ago.

Anyway, as noted by many already, there is not one "smoking gun" evidence that can give the answer right away, as a Linux system is a complex beast nowadays. The system analyst or admin must use a combination of tools, deduce the answer from all the data present, and arrive at a best possible conclusion.

Another good tool to use is "mactime". Check out an article on how it's used here: http://www.linux.com/feature/41179

Drexx Laggui -- CISA, CISSP, CFE Associate, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
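
The "change date of the oldest system file" approach from the quoted reply, sketched as an added example that is not part of the original messages. The directory list and the function names are assumptions made for illustration; the script reports the oldest files by ctime and, for comparison, by mtime, which is the timestamp a tarball or package extraction carries over.

```python
import os
import stat
import time

# Assumed set of directories populated at install time (not taken from the thread).
SYSTEM_DIRS = ("/bin", "/sbin", "/lib", "/etc", "/usr/bin", "/usr/sbin")


def file_times(roots, field="st_ctime"):
    """Yield (timestamp, path) for each regular file under roots.

    lstat() is used so symlinks are never followed; unreadable or
    vanished entries are skipped rather than aborting the walk.
    """
    for root in roots:
        for dirpath, _dirs, names in os.walk(root, onerror=lambda err: None):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode):
                    yield getattr(st, field), path


def oldest_files(roots, field="st_ctime", n=5):
    """Return the n oldest (timestamp, path) pairs, oldest first."""
    return sorted(file_times(roots, field))[:n]


def fmt(ts):
    return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts))


if __name__ == "__main__":
    roots = [d for d in SYSTEM_DIRS if os.path.isdir(d)]
    # ctime is set by the local kernel when the inode is created or changed,
    # so the oldest ctime is a latest-possible bound on the install date.
    # It still moves on chmod/chown/rename and package upgrades, and a disk
    # image restore preserves the ctimes of the imaged system.
    print("Oldest by ctime (inode change):")
    for ts, path in oldest_files(roots, "st_ctime"):
        print("  ", fmt(ts), path)
    # mtime is restored from the archive on extraction, so it usually shows
    # when the file was built upstream, not when it landed on this host.
    print("Oldest by mtime (content modification, may be inherited):")
    for ts, path in oldest_files(roots, "st_mtime"):
        print("  ", fmt(ts), path)
```

Run it as root so that unreadable directories do not hide older files, and treat the result as one data point to weigh against the other sources mentioned in the thread.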

