WTMParse

WTMParse is a project I started when working in computer forensics. There is a distinct lack of good Linux analysis tools; specifically, Linux support in EnCase is woeful and seems to have stalled around Red Hat 7.1. So, as part of getting a case started, I whipped up a Python script that one could run over a wtmp file to get a nice, CSS-styled HTML report. It’s far from perfect, and development essentially stalled around the time I left the computer forensics field, with the exception of a little cleaning up and optimisation as well as a couple of minor bugfixes in the interim. I have a SourceForge project set up with a Git repository as well as a tarball. It uses standard Python libraries, and the only file external to the script that is required is an include file providing the CSS and HTML formatting for the report. I kept that as a separate file so that those so inclined could modify the styling to their personal or corporate liking. It’s licensed under the GPL, and I’d love it if someone would continue to develop it. I plan to add support for btmp parsing in the future too.

You might be wondering, should you not have worked in computer forensics, why one would need such a tool when you could just use the ‘last’ command to get the same information. Is this just to get a nice-looking HTML report instead of plain text? Well, in an analysis, booting a suspect machine is often a last resort. Most of the time, in fact, you work from forensically sound images of storage media and don’t deal with the actual computer at all during the analysis. Extracting a wtmp file and running a Python script over it is a great deal simpler than booting the machine, which requires the use of caching write blockers and just doesn’t actually work very often!
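To show what "running a Python script over a wtmp file" involves, here is an added example that is not WTMParse's own code. It assumes the glibc x86_64 `struct utmp` layout (384-byte little-endian records), pairs USER_PROCESS logins with their DEAD_PROCESS logouts the way `last` does, and renders a small HTML table. The sample wtmp bytes are constructed in the script (the `pack_record` helper exists only to build them), so it runs offline; every field that reaches the report is HTML-escaped, since the hostname and user strings come straight off the evidence disk and should not be trusted to be clean text.

```python
import html
import socket
import struct
from datetime import datetime, timezone

# struct utmp as laid out by glibc on x86_64: 384 bytes, little-endian.
# ut_type, 2 pad bytes, ut_pid, ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (e_termination, e_exit), ut_session, ut_tv (tv_sec, tv_usec),
# ut_addr_v6[4], 20 reserved bytes. Other architectures/libcs differ; assumption.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")

UT_TYPES = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
            5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS",
            8: "DEAD_PROCESS", 9: "ACCOUNTING"}
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field; never assume it is clean text."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(words) -> str:
    """ut_addr_v6 holds an IPv4 address in words[0] or an IPv6 address across all four."""
    if not any(words):
        return ""
    packed = struct.pack("<4i", *words)
    if not any(words[1:]):
        return socket.inet_ntoa(packed[:4])
    return socket.inet_ntop(socket.AF_INET6, packed)


def parse_wtmp(data: bytes) -> list:
    """Split a wtmp image into a list of record dicts, in file order."""
    if len(data) % UTMP.size:
        raise ValueError("wtmp length %d is not a multiple of %d" % (len(data), UTMP.size))
    records = []
    for off in range(0, len(data), UTMP.size):
        (ut_type, pid, line, ut_id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *words) = UTMP.unpack_from(data, off)
        records.append({
            "type": UT_TYPES.get(ut_type, "UNKNOWN(%d)" % ut_type),
            "pid": pid, "line": _cstr(line), "id": _cstr(ut_id),
            "user": _cstr(user), "host": _cstr(host), "addr": _addr(words),
            "time": tv_sec,
        })
    return records


def sessions(records: list) -> list:
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty, as last(1) does."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = r
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            login = open_by_line.pop(r["line"])
            out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                        "addr": login["addr"], "login": login["time"], "logout": r["time"],
                        "duration": r["time"] - login["time"]})
    # Anything still open has no logout record: still logged in, or a crash/gap in wtmp.
    for login in open_by_line.values():
        out.append({"user": login["user"], "line": login["line"], "host": login["host"],
                    "addr": login["addr"], "login": login["time"], "logout": None,
                    "duration": None})
    return out


def _ts(t):
    return "" if t is None else datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def render_html(sess: list) -> str:
    """Emit a minimal table. Every cell comes from the evidence file, so escape it."""
    rows = ["<tr>%s</tr>" % "".join("<td>%s</td>" % html.escape(str(v)) for v in (
        s["user"], s["line"], s["host"], s["addr"], _ts(s["login"]),
        _ts(s["logout"]) or "still logged in", "" if s["duration"] is None else s["duration"]))
        for s in sess]
    return ("<table><tr><th>User</th><th>Line</th><th>Host</th><th>Addr</th>"
            "<th>Login</th><th>Logout</th><th>Seconds</th></tr>%s</table>" % "".join(rows))


def pack_record(ut_type, pid, line, ut_id, user, host, tv_sec, addr=b"\0" * 16) -> bytes:
    """Build one record; used here only to construct sample input."""
    return UTMP.pack(ut_type, pid, line.encode(), ut_id.encode(), user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, *struct.unpack("<4i", addr))


# Constructed sample: a reboot, one ssh login from 192.0.2.10, and its logout 5 minutes later.
SAMPLE_WTMP = b"".join([
    pack_record(2, 0, "~", "~~", "reboot", "5.4.0-example", 1600000000),
    pack_record(USER_PROCESS, 1234, "pts/0", "ts/0", "alice", "192.0.2.10", 1600000100,
                socket.inet_aton("192.0.2.10") + b"\0" * 12),
    pack_record(DEAD_PROCESS, 1234, "pts/0", "ts/0", "", "", 1600000400),
])

if __name__ == "__main__":
    print(render_html(sessions(parse_wtmp(SAMPLE_WTMP))))
```

To run it over a real file, replace `SAMPLE_WTMP` with the bytes of the extracted `/var/log/wtmp`; the length check at the top of `parse_wtmp` is the first sign that the image came from a system with a different `struct utmp` layout, in which case the `UTMP` format string needs adjusting before any of the timestamps can be believed.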