[NBLUG/talk] Forensics : finding changed files

thiessen at sonic.net thiessen at sonic.net
Mon Dec 19 11:03:48 PST 2005


> Hi Everyone,
>
>  I have a *nix box that hasn't been used much, and I want to search through
> the filesystems to see what changes have been made since it was installed.
> Basically, I can ignore any changes in the last few days, and all the files
> that were installed as part of the original installation.  This seems like a
> simple problem, but the find command seems too limited to accomplish this
> task for the filesystem as a whole.  Or maybe it's just me, but I haven't
> been able to use the find command to solve this problem.

Looks like you can supply the "-mtime n" option twice to the find command and
bracket a range of dates.  E.g.:

find / -mtime -<days since system installed> -mtime +<# of recent days to ignore>

Should do the trick.  If you need finer control over the time range selected,
look at the "-mmin" option.

Source:

http://www.dsl.org/cookbook/cookbook_10.html

Justin



>
>  One simple solution would be to produce a list of all files and their last
> modification date, then sort this list by date.  Unfortunately, I haven't
> found an easy way to accomplish this task.
>
>  I'm sure there must be a trivial solution to this problem.  Before I develop
> a brute force method, does anyone know an easier way to gather this
> information?  This is a rather basic box, with only the standard commands and
> shells available.
>
>  Thanks,
>  Rick
>
>
>
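
The bracketed "-mtime" search from the reply, combined with the date-sorted listing asked for in the question, as an added example that is not part of the original thread. It assumes GNU find and GNU touch; the function names and the sample file names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GNU find (-printf)
# and GNU touch (-d). Function and file names are hypothetical.

# changed_between ROOT INSTALL_AGE_DAYS IGNORE_RECENT_DAYS
# Lists regular files under ROOT whose mtime falls between the two ages,
# oldest first, one per line as "YYYY-MM-DD HH:MM<TAB>path".
changed_between() {
    root=$1 install_age=$2 ignore_recent=$3
    # -xdev stays on ROOT's filesystem, which skips /proc, /sys and
    # network mounts when ROOT is "/".
    # -mtime counts whole 24-hour periods and discards the fraction, so
    #   -mtime -N matches files younger than N*24h, and
    #   -mtime +M matches files at least (M+1)*24h old.
    find "$root" -xdev -type f \
        -mtime "-$install_age" -mtime "+$ignore_recent" \
        -printf '%T@\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null |
        LC_ALL=C sort -n |   # epoch seconds as sort key = chronological order
        cut -f2-             # drop the sort key, keep date and path
}

# Builds a constructed sample tree with known modification times and
# prints its path, so the function can be tried without scanning "/".
make_sample_tree() {
    d=$(mktemp -d) || return 1
    touch -d '100 days ago' "$d/from-install.conf"     # outside: too old
    touch -d '20 days ago'  "$d/changed-earlier.conf"  # inside the bracket
    touch -d '10 days ago'  "$d/changed-later.conf"    # inside the bracket
    touch "$d/touched-today.log"                       # outside: too recent
    printf '%s\n' "$d"
}
```

Anyone who can write a file can also reset its mtime with touch, so for forensic work it is worth running the same bracket with "-ctime" (and "%C" in place of "%T" in the -printf format) and comparing the two listings.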




