Documentation
Installing:
Acorer is distributed as a tar.gz file and as a .deb package.
tar.gz installation:
-----------------------
The easiest way to install the source is to unpack it and run it from the source directory.
$ gunzip -dc acorer-xx.tar.gz | tar xvf -
$ cd acorer-xx
$ ./acorer.pl --help
.deb file installation
----------------------
The .deb file is packaged specifically for the SANS SIFT v2.13 but should work on all Debian-based systems.
Running:
The Acorer application is not forensically sound, so hardware or software write blocking should be used when file access times need to be preserved.
Acorer should be run as root to ensure it has permission to read any files
it needs to access.
Examples:
Running acorer on an OSX system disk connected to your Linux system via a write
blocker mounted on /mnt, or image files mounted as /mnt:
At a minimum the outputdir will contain a logfile with module output. It may
contain other files depending on which modules were selected.
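
The write-blocking caveat above can be backed by a pre-flight check in a wrapper script. The following is an added example, not part of the Acorer distribution: it refuses to start acorer unless the basepath is mounted read-only, which complements a write blocker rather than replacing one. It assumes a Linux host with /proc/mounts and acorer.pl run from its source directory; the function names and the sample mount table are constructed for illustration.

```bash
# Added example: pre-flight guard for acorer (not part of the Acorer package).
# Assumes Linux /proc/mounts; mountpoints containing spaces are not handled.

# Constructed sample mount table, used only to exercise the functions offline.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt hfsplus ro,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid 0 0'

# mount_options MOUNTPOINT [MOUNTS_FILE]
# Print the options of the last (topmost) mount on MOUNTPOINT; fail if none.
mount_options() {
    target="${1%/}"                      # tolerate a trailing slash
    [ -n "$target" ] || target="/"
    awk -v t="$target" '$2 == t { o = $4 }
        END { if (o == "") exit 1; print o }' "${2:-/proc/mounts}"
}

# is_readonly_mount MOUNTPOINT [MOUNTS_FILE]
# 0 = mounted read-only, 1 = mounted read-write, 2 = not a mountpoint.
is_readonly_mount() {
    opts="$(mount_options "$1" "${2:-/proc/mounts}")" || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# run_acorer BASEPATH OUTPUTDIR [MOUNTS_FILE]
# Run acorer.pl (from its source directory) only against a read-only mount.
run_acorer() {
    if ! is_readonly_mount "$1" "${3:-/proc/mounts}"; then
        echo "refusing to run: $1 is not mounted read-only" >&2
        return 1
    fi
    mkdir -p "$2" || return 1
    ./acorer.pl --basepath "$1" --outputdir "$2"
}
```

Called as run_acorer /mnt /cases/out, the wrapper checks the live mount table; the optional third argument exists so the check can be exercised against a saved table.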
Below is a list of the available command line options:
--logfile
--basepath < path/to/OSX/filesystem/mountpoint >
--outputdir < directory/to/output/results >
--user < username > (parse user specific entries under /Users/home/
--config < filename > (configuration file that specifies the plugin names to use [default config.txt in program directory])
--appdir < directory containing external apps >
--verbose (Print detailed information to the screen as the program runs)
--module < modulename > (run module from cmd line rather than config file)
--usage (Print this message, then quit)
-h (This message [same as --usage])
© COPYRIGHT 2012 Jake Cunningham