modDetective is a small Python tool that chronologizes files based on modification time in order to investigate recent system activity. This can be used in CTF’s in order to pinpoint where escalation and attack vectors may exist.

To see the tool in its most useful form, try running the command as follows: python3 modDetective.py -i /usr/share,/usr/lib,/lib. This will ignore the /usr/lib/usr/share, and /lib directories, which tend not to have anything of interest. Also note that by default the “dynamic” directories are ignored (/proc/sys/run/snap/dev).

What is modDetective Doing?

modDetective is very elementary in how it operates. It simply walks the filesystem, with bounds determined by user specified options (-i is for ignore, meaning the tool will walk every directory EXCEPT for the ones specified in the -i option, and -e is for exclusive, meaning the tool will ONLY walk the directories specified). While walking, it picks up the modification times of each file, then orders these modification times in order to output them chronologically.

Additionally, in the output you will potentially see some files highlighted red. These files are denoted as “Indicators of User Activity,” Since recent modifications to these files indicate that a user is currently active. As of now, these files include .swp files, .bash_history.python_history and .viminfo. This list will be extended as I brainstorm more files that indicate present user activity.

Requirements

modDetective currently works only with python3; python2 compatability will be completed shortly (hence the lack of f strings). Standard libraries should be fine.