mactime-sleuthkit(1) [debian man page]

MACTIME(1)						      General Commands Manual							MACTIME(1)

NAME
       mactime - Create an ASCII time line of file activity

SYNOPSIS
       mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

DESCRIPTION
       mactime creates an ASCII time line of file activity based on the body file specified by '-b' or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format that is created by 'ils -m', 'fls -m', or the mac-robber tool.

ARGUMENTS
       -b body
              Specify the location of a body file. This file must be generated by a tool such as 'fls -m' or 'ils -m'. The 'mac-robber' and 'grave-robber' tools can also be used to generate the file.

       -g group file
              Specify the location of the group file. mactime will display the group name instead of the GID if this is given.

       -p password file
              Specify the location of the passwd file. mactime will display the user name instead of the UID if this is given.

       -i day|hour index file
              Specify the location of an index file to write to. The first argument specifies the granularity, either an hourly summary or daily. If the '-d' flag is given, then the summary will be separated by a ',' to import into a spreadsheet.

       -d     Display timeline and index files in comma delimited format. This is used to import the data into a spreadsheet for presentations or graphs.

       -h     Display header info about the session including time range, input source, and passwd or group files.

       -V     Display version to STDOUT.

       -m     The month is given as a number instead of name.

       -y     The date range is given with the year first.

       -z TIME_ZONE
              The timezone from where the data was collected. The name of this argument is system dependent (examples include EST5EDT, GMT+1).

       DATE_RANGE
              The range of dates to make the time line for. The standard format is yyyy-mm-dd for a starting date and no ending date. For an ending date, use yyyy-mm-dd..yyyy-mm-dd.

LICENSE
       The changes from mactime in TCT and mac-daddy are distributed under the Common Public License, found in the cpl1.0.txt file in The Sleuth Kit licenses directory.

HISTORY
       A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee).

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>
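
The body-file-to-time-line merge described under DESCRIPTION, as an added example (not part of this man page or of The Sleuth Kit's code). It assumes the TSK 3.x body layout MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, runs on constructed sample lines, renders times in UTC and treats the end of the date range as exclusive; parse_body, timeline and render are hypothetical names.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Assumed body layout (TSK 3.x and later, as written by 'fls -m'):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
FIELDS = ("md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime")
FLAGS = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample body lines, not taken from a real image.
SAMPLE_BODY = """\
0|/etc/passwd|1201|r/rrw-r--r--|0|0|1432|1075680000|1075593600|1075593600|1072915200
0|/tmp/.x/tool (deleted)|4410|r/rrwxr-xr-x|1000|1000|20480|1075680000|1075680000|1075680000|0
0|/var/log/auth.log|2207|r/rrw-r-----|0|4|9120|1075766400|1075766400|1075766400|1072915200
"""

def parse_body(text):
    """Yield one dict per body line; reject lines with the wrong field count."""
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):  # e.g. a '|' inside a file name
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        yield dict(zip(FIELDS, parts))

def timeline(text, start=0, end=float("inf")):
    """Return (epoch, 'macb' flags, entry) rows sorted by time, then name."""
    merged, entries = defaultdict(set), {}
    for e in parse_body(text):
        for field, flag in FLAGS:
            ts = int(e[field])
            if ts and start <= ts < end:  # 0 means the time was not recorded
                key = (ts, e["name"], e["inode"])
                merged[key].add(flag)  # same file, same second: one row
                entries[key] = e
    return [(k[0], "".join(f if f in merged[k] else "." for f in "macb"),
             entries[k]) for k in sorted(merged)]

def render(rows):
    """Format rows as date, size, type, mode, UID, GID, meta, file name."""
    lines = []
    for ts, flags, e in rows:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        lines.append(f"{when:%Y-%m-%d %H:%M:%S} {e['size']:>8} {flags} "
                     f"{e['mode']} {e['uid']:<5} {e['gid']:<5} "
                     f"{e['inode']:<6} {e['name']}")
    return lines

if __name__ == "__main__":
    print("\n".join(render(timeline(SAMPLE_BODY))))
```

Timestamps that coincide for one file collapse into a single row whose type column shows which of the modified, accessed, changed and born times it represents, which is why a file touched once shows up as "mac." rather than as three rows.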

ISTAT(1)						      General Commands Manual							  ISTAT(1)

NAME
       istat - Display details of a meta-data structure (i.e. inode)

SYNOPSIS
       istat [-B num ] [-f fstype ] [-i imgtype] [-o imgoffset] [-b dev_sector_size] [-vV] [-z zone ] [-s seconds ] image [images] inode

DESCRIPTION
       istat displays the uid, gid, mode, size, link number, modified, accessed, changed times, and all the disk units a structure has allocated. The options are as follows:

       -B num Display the addresses of num disk units. Useful when the inode is unallocated with size 0, but still has block pointers.

       -f fstype
              Specify the file system type. Use '-f list' to list the supported file system types. If not given, autodetection methods are used.

       -s seconds
              The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.

       -i imgtype
              Identify the type of image file, such as raw or split. Use '-i list' to list the supported types. If not given, autodetection methods are used.

       -o imgoffset
              The sector offset where the file system starts in the image.

       -b dev_sector_size
              The size, in bytes, of the underlying device sectors. If not given, the value in the image format is used (if it exists) or 512 bytes is assumed.

       -v     Verbose output of debugging statements to stderr.

       -V     Display version.

       -z zone
              An ASCII string of the original system's time zone. For example, EST5EDT or GMT. These strings are defined by the operating system and may vary. NOTE: This has changed since TCTUTILs.

       image [images]
              One (or more if split) disk or partition images whose format is given with '-i'.

       inode  Meta-data number to display stats on.

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>