#!/usr/bin/perl -w
#
# mac_merge 
# TCTUTILs package
#
# This script will merge the output from mactime (from TCT) with the 
# mactime output option of fls (fls -m) to stdout
# This gives the investigator the power to view the deleted file entries
#
# Brian Carrier [carrier@cerias.purdue.edu]
#
#  $Revision: 0.3 $
#
# Copyright (c) 2001 Brian Carrier.  All rights reserved
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# 1. Redistributions of source code must retain the above copyright notice,
#    this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
# 3. The name of the author may not be used to endorse or promote
#    products derived from this software without specific prior written
#    permission.     
#
#
# THIS SOFTWARE IS NOT AFFILIATED WITH PURDUE UNIVERSITY OR THE CENTER FOR
# EDUCATION IN INFORMATION ASSURANCE AND SECURITY (CERIAS) AND THEY BEAR
# NO RESPONSIBILITY FOR ITS USE OR MISUSE.
#
#
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR ANY PARTICULAR PURPOSE.
#
# IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, LOSS OF USE, DATA, OR PROFITS OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#

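# Exactly two arguments are required: the mactime output file and the
# fls -m output file, in that order.
if (scalar(@ARGV) != 2) {
	# The merged timeline is written to stdout, so the usage text goes to
	# STDERR and the exit status is non-zero. Otherwise a redirected
	# timeline file would hold only the usage line while the calling
	# shell saw success.
	print STDERR "usage: mac_merge mactimeout flsout\n";
	exit 1;
}

my $macfile = shift;
my $flsfile = shift;

# Parallel arrays indexed by entry number; each parsed line of the fls
# listing fills one slot in every array. @entry holds the entry numbers
# themselves, which is what gets sorted.
my (@mon, @monname, @day, @year, @hour, @min, @sec, @data, @entry, @del);

# Counts entries while the fls listing is read; later reused as the cursor
# into the sorted entry list.
my $cnt = 0;

# This table taken from mactime
my %name_to_num = (
	"Jan", 1, "Feb", 2,  "Mar", 3,  "Apr", 4,
	"May", 5, "Jun", 6,  "Jul", 7,  "Aug", 8,
	"Sep", 9, "Oct", 10, "Nov", 11, "Dec", 12,
);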

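# Sort comparator for fls entry numbers ($a and $b are indices into the
# parallel arrays). Orders by year, month, day, hour, minute and second.
#
# Entries with identical timestamps fall back to their entry number, i.e.
# the order in which they were read from the fls listing. Perl's sort is
# stable in current implementations, but that is not promised by the
# language; the explicit tie-break makes the merged timeline reproducible
# from the same inputs regardless of the sort implementation.
sub sortit {
	return $year[$a] <=> $year[$b]
	    || $mon[$a]  <=> $mon[$b]
	    || $day[$a]  <=> $day[$b]
	    || $hour[$a] <=> $hour[$b]
	    || $min[$a]  <=> $min[$b]
	    || $sec[$a]  <=> $sec[$b]
	    || $a <=> $b;
}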


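# Load every entry of the fls -m listing into the parallel arrays.
#
# Expected line shape: an optional "* " marker (reported later as
# "(deleted)"), then "Mon DD YY HH:MM:SS" and the rest of the entry.
#
# The listing is opened with an explicit read mode. With the two-argument
# form of open, characters in the file name itself can select another mode
# or a pipe; the three-argument form always treats the name as a path.
# "-" is still accepted as standard input, which the two-argument form
# used to provide.
my $fls_fh;
if ($flsfile eq '-') {
	open($fls_fh, '<&', \*STDIN) or die "Can't read standard input: $!\n";
}
else {
	open($fls_fh, '<', $flsfile) or die "Can't open $flsfile: $!\n";
}

while (my $line = <$fls_fh>) {
	# A failed match returns an empty list, leaving every field undefined.
	my ($deleted, $mname, $dd, $yy, $hh, $mi, $ss, $rest) =
	  $line =~ /^(\* )?(\w\w\w) (\d\d) (\d\d) (\d\d):(\d\d):(\d\d) (.*)$/;

	unless (defined $mname) {
		# Lines that do not parse are reported rather than silently
		# dropped, so a gap in the merged timeline stays visible.
		print "Missed $line\n";
		next;
	}

	# Without the "* " marker the first capture is undefined. Store an
	# empty string so the later string comparison against "* " does not
	# raise an "uninitialized value" warning for every live entry.
	$del[$cnt]     = defined $deleted ? $deleted : "";
	$mon[$cnt]     = $name_to_num{$mname};
	$monname[$cnt] = $mname;
	$day[$cnt]     = $dd;

	# Two-digit year pivot: 00-68 become 20xx, 69-99 become 19xx.
	$year[$cnt]    = ($yy < 69) ? $yy + 2000 : $yy + 1900;

	$hour[$cnt]    = $hh;
	$min[$cnt]     = $mi;
	$sec[$cnt]     = $ss;
	$data[$cnt]    = $rest;
	$entry[$cnt]   = $cnt;
	$cnt++;
}
close($fls_fh);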

# Put the fls entry numbers into chronological order.
@sorted = sort sortit @entry;

# Merge state shared with make_next_time and print_next:
#   $prevtime - timestamp of the line printed most recently
#   $nxttime  - timestamp of the fls entry waiting to be printed
#   $nxt      - entry number of that fls entry, or -1 when none remain
my $prevtime = 0;
my $nxttime;
my $nxt = -1;

# Position the cursor on the earliest entry, unless the fls listing
# produced no entries at all.
if (@sorted) {
	$cnt     = 0;
	$nxt     = $sorted[0];
	$nxttime = make_next_time();
}

# Build the comparable timestamp of the fls entry at the cursor ($nxt).
#
# The result is the concatenation year, month (zero-padded to two digits
# here), day, hour, minute, second. The remaining fields are used exactly
# as stored in the parallel arrays. Callers compare the result numerically.
sub make_next_time {
	my $month_pad = ($mon[$nxt] < 10) ? "0" : "";

	return join("",
		$year[$nxt], $month_pad, $mon[$nxt],
		$day[$nxt], $hour[$nxt], $min[$nxt], $sec[$nxt]);
}


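# Print the fls entry at the cursor ($nxt), then advance the cursor.
#
# When the entry has the same timestamp as the line printed before it, the
# date column is left blank; otherwise the full "Mon DD YY HH:MM:SS" prefix
# is printed and $prevtime is updated. Entries that carried the "* " marker
# in the fls listing get a trailing "  (deleted)".
#
# After printing, $cnt moves to the next sorted entry; $nxt becomes -1 once
# every entry has been printed.
#
# NOTE(review): $data[$nxt] is echoed exactly as it appeared in the fls
# listing. If that listing can carry control characters from recorded file
# names, they reach the terminal unfiltered -- confirm whether a pager or
# filter is expected downstream.
sub print_next {
	if ($nxttime == $prevtime) {
		print "                   $data[$nxt]";
	}
	else {
		# two-digit year, zero-padded
		my $yy = sprintf("%02d", $year[$nxt] % 100);

		print "$monname[$nxt] $day[$nxt] $yy ".
		  "$hour[$nxt]:$min[$nxt]:$sec[$nxt] $data[$nxt]";

		$prevtime = $nxttime;
	}

	# The marker slot is undefined for entries that had no "* " prefix;
	# test definedness first so live entries do not each raise an
	# "uninitialized value" warning under -w.
	if (defined $del[$nxt] && $del[$nxt] eq "* ") {
		print "  (deleted)";
	}
	print "\n";

	$cnt++;
	if ($cnt == scalar(@sorted)) {
		$nxt = -1;
	}
	else {
		$nxt = $sorted[$cnt];
		$nxttime = make_next_time();
	}

	return;
}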


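# Walk the mactime output and interleave the sorted fls entries.
#
# For each mactime line that starts with "Mon DD YY HH:MM:SS", every pending
# fls entry with a strictly earlier timestamp is printed first. Lines that
# do not start with a date are passed through unchanged.
#
# The file is opened with an explicit read mode. With the two-argument form
# of open, characters in the file name itself can select another mode or a
# pipe; the three-argument form always treats the name as a path. "-" is
# still accepted as standard input, which the two-argument form used to
# provide.
my $mac_fh;
if ($macfile eq '-') {
	open($mac_fh, '<&', \*STDIN) or die "Can't read standard input: $!\n";
}
else {
	open($mac_fh, '<', $macfile) or die "Can't open $macfile: $!\n";
}

while (my $line = <$mac_fh>) {
	if ($line =~ /^(\w\w\w) (\d\d) (\d\d) (\d\d):(\d\d):(\d\d)(.*)$/) {
		my ($mname, $dd, $yy, $hh, $mi, $ss) = ($1, $2, $3, $4, $5, $6);

		# Build the same year/month/day/hour/minute/second string that
		# make_next_time produces, so the two compare numerically.
		my $mnum = $name_to_num{$mname};

		# Two-digit year pivot: 00-68 become 20xx, 69-99 become 19xx.
		my $yr = ($yy < 69) ? $yy + 2000 : $yy + 1900;

		my $macstr = $yr . (($mnum < 10) ? "0" : "") . $mnum
		  . $dd . $hh . $mi . $ss;

		# Emit the fls entries that are older than this mactime line.
		while ($nxt >= 0 && $macstr > $nxttime) {
			print_next();
		}
		$prevtime = $macstr;
	}
	print $line;
}

# Entries dated at or after the last mactime timestamp are still pending
# here (as is every entry when the mactime file had no dated lines). Print
# them so that no fls entry is left out of the merged timeline.
while ($nxt >= 0) {
	print_next();
}

close($mac_fh);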
