| 1 | #!/bin/sh |
|---|
| 2 | |
|---|
| 3 | # This script is a wrapper for reglookup, and reads one or more registry |
|---|
| 4 | # files to produce an MTIME sorted output. This is helpful when building |
|---|
| 5 | # timelines for investigations. |
|---|
| 6 | # |
|---|
| 7 | # Copyright (C) 2005-2007 Timothy D. Morgan |
|---|
| 8 | # |
|---|
| 9 | # This program is free software; you can redistribute it and/or modify |
|---|
| 10 | # it under the terms of the GNU General Public License as published by |
|---|
| 11 | # the Free Software Foundation; version 2 of the License. |
|---|
| 12 | # |
|---|
| 13 | # This program is distributed in the hope that it will be useful, |
|---|
| 14 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
|---|
| 15 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|---|
| 16 | # GNU General Public License for more details. |
|---|
| 17 | # |
|---|
| 18 | # You should have received a copy of the GNU General Public License |
|---|
| 19 | # along with this program; if not, write to the Free Software |
|---|
| 20 | # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. |
|---|
| 21 | # |
|---|
| 22 | # $Id: reglookup-timeline 90 2007-03-28 19:22:38Z tim $ |
|---|
| 23 | |
|---|
| 24 | |
|---|
| 25 | usage() |
|---|
| 26 | { |
|---|
| 27 | echo "Usage: $0 [-H] <REGISTRY_FILE> [<REGISTRY_FILE> ...]" 1>&2 |
|---|
| 28 | } |
|---|
| 29 | |
|---|
| 30 | if [ $# -eq 0 ]; then |
|---|
| 31 | usage |
|---|
| 32 | echo "ERROR: requires at least one parameter" 1>&2 |
|---|
| 33 | exit 1 |
|---|
| 34 | fi |
|---|
| 35 | |
|---|
| 36 | PRINT_HEADER=true |
|---|
| 37 | if [ "$1" = "-H" ]; then |
|---|
| 38 | PRINT_HEADER=false |
|---|
| 39 | shift |
|---|
| 40 | fi |
|---|
| 41 | |
|---|
| 42 | if [ "$PRINT_HEADER" = "true" ]; then |
|---|
| 43 | echo "MTIME,FILE,PATH" |
|---|
| 44 | fi |
|---|
| 45 | |
|---|
| 46 | for F in $@; do |
|---|
| 47 | reglookup -t KEY -H "$F" | awk -F',' '{ printf "%s,'"$F"',%s\n",$4,$1; }' |
|---|
| 48 | done | sort |
|---|
