
SANS ISC: Update: mac-robber.py SANS ISC InfoSec Forums

Update: mac-robber.py

Almost 4 years ago, I wrote a Python version of mac-robber. I use it fairly regularly at $dayjob. This past week, one of my co-workers was using it, but realized that it hashes large files a little too slowly. He decided to use mac-robber.py to collect the MAC times and do the hashing separately so he could limit the hashes to files under a certain size. That sounded reasonable, so I've added a switch (-s or --size). If hashing is turned on, the new switch will limit the hashing to files under the given size.

To see it in action, see the next figure.

I hope others find this new feature useful. If anyone has more suggestions for new features, you can let me know via comments here, e-mail, or our contact form. The tool can be found at the same place as before: 

https://github.com/att/docker-forensics/blob/master/mac-robber.py
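The size-limited hashing described above can be sketched as follows. This is an added example, not code from mac-robber.py: the function names, the Sleuth Kit body-file field order used for the output, and the `0` placeholder for unhashed entries are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def hash_file(path, chunk=1 << 20):
    """MD5 a file in fixed-size chunks so memory use stays flat."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect(root, do_hash=False, max_size=None):
    """Yield body-file style lines; hash only regular files under max_size bytes."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # entry vanished or is unreadable
            md5 = "0"                        # assumed placeholder: not hashed
            if (do_hash and stat.S_ISREG(st.st_mode)
                    and (max_size is None or st.st_size < max_size)):
                try:
                    md5 = hash_file(path)
                except OSError:
                    pass                     # keep the timestamps regardless
            yield "|".join(map(str, (
                md5, path, st.st_ino, stat.filemode(st.st_mode),
                st.st_uid, st.st_gid, st.st_size,
                int(st.st_atime), int(st.st_mtime), int(st.st_ctime), 0)))

def demo():
    """Constructed sample tree: one 10-byte file and one 4096-byte file."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("small.txt", 10), ("large.bin", 4096)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"A" * size)
        return {os.path.basename(l.split("|")[1]): l.split("|")[0]
                for l in collect(root, do_hash=True, max_size=1024)}

if __name__ == "__main__":
    for name, md5 in demo().items():
        print(name, md5)
```

Every entry still gets its MAC times recorded; only the hash column is skipped for files at or above the limit, so the timeline stays complete while collection time is bounded.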

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS Live Online Europe February 2022 Volume 1

Jim

423 Posts
ISC Handler
Jun 13th 2021
