
Name: Hieu Nguyen

4050-581
Computer System Forensics
Prof. Bill Stackpole
Network 2 Timeline Utility
- Linux volatile data gathering tool
This document contains a detailed report on the Network 2 Timeline utility, the link to its public source code, the tool development process, and why the tool is important for the forensic community.
Last edit: Aug 9, 2015

Contents
1. Executive Summary
2. Current Condition Overview
3. Tool Selection
4. Tool development
5. Challenges and Issues
6. Conclusion
7. Appendix

1. Executive Summary

The intention of this project is to create a script that finds all the running processes, sockets, and network connections belonging to a specific user. I wrote the Network 2 Timeline (n2tm) script to add functionality to the existing list open files (lsof) tool, such as a date and time stamp on every lsof output line.
The n2tm script can list all the live IPv4/IPv6 connections to the Internet by a specified user. Another useful feature is that it automatically lists all the unique running process IDs owned by the user, along with the date and time.
More n2tm functionality will be added in future releases to make this script more useful for the forensic community.
I included documentation and a BASH script in the zip file to get you started.

2. Current Condition Overview

I have always wanted to find out all the information about a specific user on a Linux operating system, such as myself. I want to know the date and time at which my programs are running. I have spent a lot of time getting to know the lsof command; it is a very powerful utility that I only started to use recently, because my RIT professors told me it is a powerful tool that tells you what is going on in the machine.
The lsof command gives me the ability to accomplish the project goals; however, I have to manually input each PID under the specific user to find out all the running program processes and network sockets, which is time consuming, so I created the n2tm script. This script automatically finds all the unique process IDs owned by the current user (see Appendix, Figure 1.3), which saves forensic investigators time when they want to find out everything about that user.

3. Tool Selection

I chose BASH and AWK as the scripting languages, because these tools allow me to solve a complicated problem with a few lines of code. For instance, AWK gives me associative arrays and pattern matching for a specific user; if the user is found, it prints the result neatly on the screen. The downside is the learning curve. BASH allows me to write a script that ties the existing Linux/Unix tools, such as who, sort, uniq, and AWK, together to produce the result.
4. Tool development

In order to develop a tool that fits my forensic needs, I did research and read plenty of articles about lsof. What I found is that lsof does not provide a timeline, i.e., the date and time stamp, when I issue lsof -i -n -P, where -i lists the IP sockets, -n disables IP-address-to-hostname resolution, and -P disables port-number-to-name translation. So I added the date and time stamp to make lsof more robust.

I used the BASH debugging mode by issuing bash -x n2tm -i $USER, where $USER is the current user on the machine. The -x option shows how the values change during execution.
Future development: I will convert this project into a Python script, because Python is an object-oriented programming (OOP) language.

5. Challenges and Issues

Creating the comma-separated values file was the most challenging part for me, because I ran into different issues: some output values did not land in the right field in the Microsoft Excel sheet. I have spent countless hours on it and it is nearly completed, but I decided not to put it into this release, because I do not want people to get wrong output data in the CSV file. The CSV output feature will be released in the future.
Limitations:
1) An AWK program does not have the ability to add multiple records to a single unique value. For instance, I wanted to keep track of all the unique ports used by a user. It took me some time to figure out that there is another way to accomplish this: I combined BASH and AWK, where BASH keeps track of the user while AWK finds all the unique PIDs belonging to that user.
2) Another limitation is that the script only takes two arguments, because I would like the first release to be easy to use. I would like to see how the forensic community reacts to my script, and I look forward to hearing their feedback.
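As an added illustration of the two mechanisms described in sections 4 and 5 (example code written for this page, not the n2tm source), the bash functions below stamp one user's lsof rows with DATE TIME TM and collect that user's unique PIDs in an AWK associative array so BASH can loop over them. The function names, the constructed lsof sample and the date formats are this example's assumptions; the formats were chosen to match the figures in the appendix.

```shell
#!/usr/bin/env bash
# Added example (not the n2tm source): re-creates the two mechanisms the report
# describes. stamp_rows is the AWK pass that keeps one user's lsof rows and
# prefixes each with DATE TIME TM; unique_pids is the AWK associative array that
# collects that user's PIDs once each so BASH can run `lsof -p` per PID.
# Function names and the `date` formats are this example's assumptions; the
# formats mimic the appendix figures (e.g. "10:28:12 17:18:46 EDT").

# Constructed sample of `lsof -i -n -P` output; not captured from a real host.
SAMPLE_LSOF='COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
dhclient 2997 root 5u  IPv4 746591      UDP  *:68
sshd    16214 pod1 3u  IPv4 938585      TCP  192.168.1.171:22->192.168.1.185:52062 (ESTABLISHED)
firefox  3354 pod1 34r IPv4 972525      TCP  192.168.1.171:37825->74.125.228.38:443 (ESTABLISHED)
firefox  3354 pod1 47u IPv4 972527      TCP  192.168.1.171:55071->173.194.75.99:443 (ESTABLISHED)'

# stamp_rows USER DATE TIME TZ   (lsof output on stdin)
# Echoes the header with DATE TIME TM prepended, then only the rows whose USER
# column ($3) equals USER exactly, each prefixed with the supplied stamp.
# Taking the stamp as arguments (instead of calling date inside awk) keeps one
# run's rows on one timestamp and makes the function testable offline.
stamp_rows() {
  local user=$1 d=$2 t=$3 z=$4
  awk -v user="$user" -v d="$d" -v t="$t" -v z="$z" '
    NR == 1    { print "DATE", "TIME", "TM", $0; next }   # header line
    $3 == user { print d, t, z, $0 }                      # exact USER match, not a regex
  '
}

# unique_pids USER   (lsof output on stdin)
# seen[] is the associative array: a PID is printed the first time it appears
# for USER and suppressed afterwards. Sorted numerically for stable output.
unique_pids() {
  local user=$1
  awk -v user="$user" 'NR > 1 && $3 == user && !seen[$2]++ { print $2 }' | sort -n
}

# n2tm_live -i|-p USER : the live wrapper, mirroring the two modes in the report.
# Needs lsof on PATH and, as the report notes, root to see other users' processes.
# Which lsof invocation n2tm itself uses to discover PIDs is not stated; plain
# `lsof -n -P` over all open files is assumed here.
n2tm_live() {
  local mode=$1 user=$2
  local d t z
  d=$(date +%m:%d:%y)   # assumption: the figures' DATE column looks like 10:28:12
  t=$(date +%H:%M:%S)
  z=$(date +%Z)
  case $mode in
    -i) lsof -i -n -P | stamp_rows "$user" "$d" "$t" "$z" ;;
    -p) # BASH drives the per-PID loop; AWK supplies the unique PID list.
        for pid in $(lsof -n -P | unique_pids "$user"); do
          lsof -p "$pid" | stamp_rows "$user" "$d" "$t" "$z"
        done ;;
    *)  echo "usage: n2tm_live -i|-p USER" >&2; return 2 ;;
  esac
}

# Stand-alone demo: with arguments, run live; without, run on the sample above.
if [ $# -gt 0 ]; then
  n2tm_live "$@"
else
  printf '%s\n' "$SAMPLE_LSOF" | stamp_rows pod1 10:28:12 17:18:46 EDT
  printf 'unique PIDs for pod1: %s\n' "$(printf '%s\n' "$SAMPLE_LSOF" | unique_pids pod1 | tr '\n' ' ')"
fi
```

Run with no arguments to see the sample processed offline; `bash script.sh -i pod1` (as root) runs the live path against lsof.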

6. Conclusion

I learned how to create a useful script for the forensic community. I hope to continue making this tool more robust and adding more functionality to it. Now I am able to find out which processes are running on my machine, which tells me whether any suspicious programs are running on it.
The source code can be downloaded from http://code.google.com/p/network-2timeline/downloads/list. The current script version is 1.1.
The script works on Linux (e.g., CentOS 5.6) and Mac OS 10.8.2. To use it, just issue these commands:
bash n2tm -i $USER
    Lists all the IPv4/IPv6 information owned by $USER, where $USER is the BASH variable. Alternatively, you can specify the user name instead of using the BASH variable.
bash n2tm -p $USER
    Lists all the running processes owned by the user.
Note: This script requires root privileges to run.

7. Appendix

#Sample input of lsof -i -n -P
COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
dhclient 2997 root 5u  IPv4 746591      UDP  *:68
..data omitting
#output
DATE     TIME     TM  COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
10:28:12 13:45:35 EDT sshd    16214 pod1 3u  IPv4 938585      TCP  192.168.1.171:22->192.168.1.185:52062 (ESTABLISHED)
..data omitting
#Sample input of lsof -p 2997
COMMAND   PID USER FD  TYPE DEVICE SIZE NODE    NAME
dhclient 2997 root cwd DIR  253,0  4096 1474561 /root
..data omitting
#Sample output
DATE     TIME     TM  COMMAND   PID USER FD  TYPE DEVICE SIZE   NODE   NAME
10:28:12 13:46:11 EDT sshd    16214 pod1 cwd DIR  253,0  4096   2      /
10:28:12 13:46:11 EDT sshd    16214 pod1 rtd DIR  253,0  4096   2      /
10:28:12 13:46:11 EDT sshd    16214 pod1 txt REG  253,0  414016 965087 /usr/sbin/sshd
..data omitting

Figure 1.1. Sample data.


[root@localhost ~]# n2tm -i pod1
DATE     TIME     TM  COMMAND   PID USER FD  TYPE DEVICE SIZE NODE NAME
10:28:12 17:18:46 EDT firefox  3354 pod1 34r IPv4 972525      TCP  192.168.1.171:37825->74.125.228.38:443 (ESTABLISHED)
10:28:12 17:18:46 EDT firefox  3354 pod1 47u IPv4 972527      TCP  192.168.1.171:55071->173.194.75.99:443 (ESTABLISHED)
10:28:12 17:18:46 EDT firefox  3354 pod1 52u IPv4 972529      TCP  192.168.1.171:46215->199.7.55.72:80 (ESTABLISHED)
10:28:12 17:18:46 EDT firefox  3354 pod1 55u IPv4 972530      TCP  192.168.1.171:55073->173.194.75.99:443 (ESTABLISHED)
10:28:12 17:18:46 EDT firefox  3354 pod1 57u IPv4 972533      TCP  192.168.1.171:55074->173.194.75.99:443 (ESTABLISHED)
10:28:12 17:18:46 EDT firefox  3354 pod1 58u IPv4 972535      TCP  192.168.1.171:50162->74.125.228.79:443 (ESTABLISHED)
10:28:12 17:18:48 EDT sshd    16214 pod1 3u  IPv4 938585      TCP  192.168.1.171:22->192.168.1.185:52062 (ESTABLISHED)
[root@localhost ~]#

Figure 1.2. IP and Sockets information


The output may look different in a Microsoft Word document.
[root@localhost ~]# n2tm -p pod1
DATE     TIME     TM  COMMAND   PID USER FD  TYPE DEVICE SIZE    NODE    NAME
10:28:12 17:18:54 EDT firefox  3354 pod1 cwd DIR  253,0  4096    1279737 /home/pod1
10:28:12 17:18:54 EDT firefox  3354 pod1 rtd DIR  253,0  4096    2       /
10:28:12 17:18:54 EDT firefox  3354 pod1 txt REG  253,0  98896   1221377 /usr/lib/firefox-3.6/firefox
10:28:12 17:18:54 EDT firefox  3354 pod1 mem REG  253,0  1693812 1507344 /lib/libc-2.5.so
..data omitting (the remaining firefox mem, REG, FIFO, unix and IPv4 rows are not recoverable from this copy)
10:28:12 17:18:58 EDT sshd    16214 pod1 cwd DIR  253,0  4096    2       /
10:28:12 17:18:59 EDT sshd    16214 pod1 rtd DIR  253,0  4096    2       /
10:28:12 17:18:59 EDT sshd    16214 pod1 txt REG  253,0  414016  965087  /usr/sbin/sshd
..data omitting
10:28:12 17:18:59 EDT sshd    16214 pod1 0u  CHR  1,3            1505    /dev/null
10:28:12 17:18:59 EDT sshd    16214 pod1 1u  CHR  1,3            1505    /dev/null
10:28:12 17:18:59 EDT sshd    16214 pod1 2u  CHR  1,3            1505    /dev/null
10:28:12 17:18:59 EDT sshd    16214 pod1 3u  IPv4 938585         TCP     192.168.1.171:ssh->192.168.1.185:52062 (ESTABLISHED)
..data omitting
10:28:12 17:18:59 EDT sshd    16214 pod1 10u CHR  5,2            957     /dev/ptmx
[root@localhost ~]#

Figure 1.3. All processes owned by this user, pod1
