Friday, November 30, 2007

Building FTimes on Windows using Visual Studio

FTimes is a system baselining and evidence collection tool. The primary purpose of FTimes is to gather and/or develop topographical information and attributes about specified directories and files in a manner conducive to intrusion and forensic analysis.

On systems like FreeBSD you can use ports to build FTimes, but on Windows you'll need to build it yourself.

Building FTimes on Windows is quite a complex task, and requires building OpenSSL and PCRE first (if you want SSL / PCRE / XMagic support). Make sure you read the INSTALL file in the FTimes distribution. You'll need the following tools:

Step 1: Build OpenSSL libraries:

  1. Unzip the source code (to, say, c:\build\openssl)
  2. Fire up a CMD shell with the Visual Studio build environment loaded (SetEnv.cmd), and change to that dir (cd c:\build\openssl)
  3. perl Configure VC-WIN32
  4. ms\do_ms
  5. Edit ms\nt.mak and change /MD to /MT (static CRT; the OpenSSL libraries and FTimes must use the same CRT flavour or the link will fail or mix runtimes)
  6. nmake -f ms\nt.mak (builds the static version - creates the *.lib files)
  7. Copy libeay32.lib and ssleay32.lib to C:\openssl\lib

Step 2: Build FTimes:

  1. nmake -f Makefile.vs USE_PCRE=N (PCRE was not built above, so leave it out)
  2. nmake -f Makefile.vs test
  3. nmake -f Makefile.vs install INSTALL_DIR="C:\Program Files\FTimes"
  4. Use ftimes: C:\Program Files\FTimes\bin\ftimes.exe

C:\Program Files\FTimes\bin>ftimes

Usage: ftimes --cfgtest file mode [-s]
       ftimes --compare mask baseline snapshot [-l level]
       ftimes --decoder snapshot [-l level]
       ftimes --digauto file [-l level] [list]
       ftimes --digfull file [-l level] [list]
       ftimes --diglean file [-l level] [list]
       ftimes --getmode file [-l level]
       ftimes --mapauto mask [-l level] [list]
       ftimes --mapfull file [-l level] [list]
       ftimes --maplean file [-l level] [list]
       ftimes --version

C:\Program Files\FTimes\bin>ftimes --version
ftimes 3.8.0 ssl 32-bit
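The two steps above, scripted so they can be rerun and so each stage is checked before the next one starts. This is an added example, not a script from the FTimes distribution or the original post. It assumes what the post implies but does not state: that the nt.mak build drops the static libraries in out32\ and the headers in inc32\openssl, and that Makefile.vs looks for OpenSSL under C:\openssl (lib\ and include\). Check INSTALL and Makefile.vs before relying on those paths.

```powershell
# Added example (not FTimes' own code). Run from a Visual Studio command
# prompt (SetEnv.cmd / vcvars already applied), e.g.:
#   powershell -ExecutionPolicy Bypass -File build-ftimes.ps1
# Assumed, not stated on the page: OpenSSL's nt.mak build writes the
# static .lib files to out32\ and headers to inc32\openssl, and
# Makefile.vs expects OpenSSL under $OpenSslDir\lib and \include.
param(
    [string]$OpenSslSrc = 'C:\build\openssl',
    [string]$FtimesSrc  = 'C:\build\ftimes',
    [string]$OpenSslDir = 'C:\openssl',
    [string]$InstallDir = 'C:\Program Files\FTimes'
)

$ErrorActionPreference = 'Stop'

# Run one build command and stop on a non-zero exit code, so a failed
# OpenSSL build cannot be silently papered over by a later step.
function Invoke-Step([string]$Description, [scriptblock]$Command) {
    Write-Host "==> $Description"
    & $Command
    if ($LASTEXITCODE -ne 0) { throw "$Description failed (exit code $LASTEXITCODE)" }
}

# The compiler, nmake and perl all have to be reachable before we start.
foreach ($tool in 'cl', 'nmake', 'perl') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "'$tool' is not on PATH. Start from a Visual Studio command prompt and install Perl."
    }
}

# Step 1: static OpenSSL linked against the static CRT (/MT).
Push-Location $OpenSslSrc
try {
    Invoke-Step 'Configure OpenSSL for VC-WIN32' { perl Configure VC-WIN32 }
    Invoke-Step 'Generate MS makefiles'          { .\ms\do_ms.bat }

    # The manual "edit ms\nt.mak and change /MD to /MT" step, done in place,
    # then verified so a missed edit cannot produce a mixed-CRT link later.
    $ntMak = Join-Path $OpenSslSrc 'ms\nt.mak'
    (Get-Content $ntMak) -creplace '/MD\b', '/MT' | Set-Content $ntMak
    if (Select-String -Path $ntMak -Pattern '/MD\b' -CaseSensitive) {
        throw '/MD is still present in ms\nt.mak'
    }

    Invoke-Step 'Build static OpenSSL' { nmake -f ms\nt.mak }
}
finally { Pop-Location }

# Publish the libraries (and headers) where Makefile.vs is assumed to look.
$libDir = Join-Path $OpenSslDir 'lib'
$incDir = Join-Path $OpenSslDir 'include'
New-Item -ItemType Directory -Force -Path $libDir, $incDir | Out-Null
foreach ($lib in 'libeay32.lib', 'ssleay32.lib') {
    $src = Join-Path $OpenSslSrc "out32\$lib"          # assumed output dir
    if (-not (Test-Path $src)) { throw "Expected static library $src was not built" }
    Copy-Item $src $libDir -Force
}
Copy-Item (Join-Path $OpenSslSrc 'inc32\openssl') $incDir -Recurse -Force

# Step 2: FTimes without PCRE (PCRE was not built), then test and install.
Push-Location $FtimesSrc
try {
    Invoke-Step 'Build FTimes (no PCRE)' { nmake -f Makefile.vs USE_PCRE=N }
    Invoke-Step 'Run FTimes tests'       { nmake -f Makefile.vs test }
    # PowerShell quotes the whole macro=value argument because of the space,
    # which is the form nmake expects for paths containing spaces.
    Invoke-Step 'Install FTimes'         { nmake -f Makefile.vs install INSTALL_DIR="$InstallDir" }
}
finally { Pop-Location }

# Final check: the installed binary runs and reports SSL support, as in the
# "ftimes 3.8.0 ssl 32-bit" output shown above.
$exe     = Join-Path $InstallDir 'bin\ftimes.exe'
$version = & $exe --version
if ($LASTEXITCODE -ne 0 -or ($version -notmatch '\bssl\b')) {
    throw "ftimes --version did not report SSL support: $version"
}
Write-Host "Built: $version"
```

The script deliberately fails at the first broken stage rather than continuing: a half-built OpenSSL or a leftover /MD in nt.mak would otherwise surface much later as confusing link errors in the FTimes step, and the version check at the end is the same test the post uses to confirm the SSL-enabled build actually went in.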