Difference between revisions of "Mactime"
From SleuthKitWiki
(New page: Version 2.09 Man Page NAME mactime - Create an ASCII time line of file activity SYNOPSIS mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) inde...) |
m (Reformatted) |
||
| Line 1: | Line 1: | ||
| − | + | Back to [[Help Documents]] | |
| − | + | ==mactime== | |
| − | + | Version 2.09 | |
| − | |||
| − | |||
| − | |||
| − | + | ===Purpose=== | |
| − | + | Creates an ASCII time line of file activity based on the body file specified by ’-b’ or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format that is created by ''unknown missing text''. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | |||
| − | + | ===Usage=== | |
| − | + | mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE] | |
| − | + | ||
| − | + | ||
| − | |||
| − | |||
| − | |||
| − | + | ===Options=== | |
| − | + | ||
| − | + | ||
| − | + | {| border="1" cellpadding="5" | |
| − | + | !Switch | |
| − | + | !Purpose | |
| − | + | |- | |
| + | | -b body || Specify the location of a body file. This file must be generated by a tool such as ’fls -m’ or ’ils -m’. The ’mac-robber’ and ’grave-robber’ tools can also be used to generate the file. | ||
| + | |- | ||
| + | | -g group file || Specify the location of the group file. mactime will display the group name instead of the GID if this is given. | ||
| + | |- | ||
| + | | -p password file || Specify the location of the passwd file. mactime will display the user name instead of the UID of this is given. | ||
| + | |- | ||
| + | | -i day|hour index file || Specify the location of an index file to write to. The first argument specifies the granularity, either an hourly summary or daily. If the import into a spread sheet. | ||
| + | |- | ||
| + | | -d || Display timeline and index files in comma delimited format. This is used to import the data into a spread sheet for presentations or graphs. | ||
| + | |- | ||
| + | | -h || Display header info about the session including time range, input source, and passwd or group files. | ||
| + | |- | ||
| + | | -V || Display version to STDOUT. | ||
| + | |- | ||
| + | | -m || The month is given as a number instead of name. | ||
| + | |- | ||
| + | | -y || The date range is given with the year first. | ||
| + | |- | ||
| + | | -z TIME_ZONE || The timezone from where the data was collected. The name of this argument is system dependent (examples include EST5EDT, GMT+1). | ||
| + | |- | ||
| + | | DATE_RANGE || The range of dates to make the time line for. The standard format is 01/01/2002 for a starting date and no ending date. For an ending date, use 01/01/2002-02/01/2002. | ||
| + | |} | ||
| − | |||
| − | |||
| − | |||
| − | + | ===Example=== | |
| − | + | ''No example provided.'' | |
| − | |||
| − | + | ===License=== | |
| + | The changes from mactime in TCT and mac-daddy are distributed under the Common Public License, found on the [[Licenses]] page. | ||
| − | |||
| − | + | ===History=== | |
| − | + | A version of mactime first appeared in The Coroner’s Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee). | |
| − | + | ||
| − | + | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | ===Author=== | |
| − | + | Brian Carrier <carrier@sleuthkit.org> | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
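Review bot: the `-i` row in the new Options table breaks off mid-sentence ("If the import into a spread sheet."), and its label `-i day|hour index file` carries a bare `|` inside a table cell; the rendered revision shows that cell as "hour index file", so the pipe needs escaping (for example as `&#124;`) and the sentence should be restored from the man page text. In the `-p` row, "of this is given" should read "if this is given". The Purpose paragraph still holds the ''unknown missing text'' placeholder, although the `-b` row already names ’fls -m’ and ’ils -m’ as the tools that produce the body file.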
Revision as of 09:14, 18 November 2007
mactime
Version 2.09
Purpose
Creates an ASCII time line of file activity based on the body file specified by ’-b’ or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format that is created by unknown missing text.
Usage
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
Options
| Switch | Purpose |
|---|---|
| -b body | Specify the location of a body file. This file must be generated by a tool such as ’fls -m’ or ’ils -m’. The ’mac-robber’ and ’grave-robber’ tools can also be used to generate the file. |
| -g group file | Specify the location of the group file. mactime will display the group name instead of the GID if this is given. |
| -p password file | Specify the location of the passwd file. mactime will display the user name instead of the UID if this is given. |
| -i day\|hour index file | Specify the location of an index file to write to. The first argument specifies the granularity, either an hourly summary or daily. If the import into a spread sheet. |
| -d | Display timeline and index files in comma delimited format. This is used to import the data into a spread sheet for presentations or graphs. |
| -h | Display header info about the session including time range, input source, and passwd or group files. |
| -V | Display version to STDOUT. |
| -m | The month is given as a number instead of name. |
| -y | The date range is given with the year first. |
| -z TIME_ZONE | The timezone from where the data was collected. The name of this argument is system dependent (examples include EST5EDT, GMT+1). |
| DATE_RANGE | The range of dates to make the time line for. The standard format is 01/01/2002 for a starting date and no ending date. For an ending date, use 01/01/2002-02/01/2002. |
Example
No example provided.
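
The man page ships no example, so the following Python sketch is added here (it is not Sleuth Kit code) to show what the tool does with a body file: each file's modified, accessed and changed times become time-sorted rows, UIDs are mapped to names as with -p, and a DATE_RANGE filter is applied. Assumptions: the constructed sample uses the pipe-delimited body layout of later Sleuth Kit releases, which may differ from the 2.09 layout; times are handled in UTC instead of a -z zone; and the end date is treated as exclusive.

```python
import calendar
import time
from collections import defaultdict

# Constructed sample. Assumed layout (later Sleuth Kit releases):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY = """\
0|/etc/passwd|1201|-rw-r--r--|0|0|1422|1009933200|1009846800|1009846800|0
0|/tmp/.x/sk|4410|-rwxr-xr-x|1000|100|20480|1009940400|1009936800|1009936800|0
0|/bin/ls|310|-rwxr-xr-x|0|0|51200|1012611600|1000000000|1000000000|0
"""
PASSWD = "root:x:0:0:root:/root:/bin/sh\nalice:x:1000:100::/home/alice:/bin/sh\n"

def parse_range(date_range):
    """'MM/DD/YYYY' or 'MM/DD/YYYY-MM/DD/YYYY' -> (start, end) in epoch seconds (UTC)."""
    def epoch(text):
        return calendar.timegm(time.strptime(text, "%m/%d/%Y"))
    start, _, end = date_range.partition("-")
    return epoch(start), (epoch(end) if end else None)

def timeline(body, passwd="", date_range=None):
    """Return sorted (epoch, flags, user, name) rows; flags look like 'm.c'."""
    users = {}
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) > 2:
            users[fields[2]] = fields[0]      # UID -> user name, as with -p
    start, end = parse_range(date_range) if date_range else (None, None)
    events = defaultdict(lambda: [".", ".", "."])
    for line in body.splitlines():
        f = line.split("|")
        if len(f) < 10:
            continue                          # skip malformed rows
        for pos, (flag, col) in enumerate((("m", 8), ("a", 7), ("c", 9))):
            ts = int(f[col])
            if ts <= 0 or (start is not None and ts < start) \
                    or (end is not None and ts >= end):
                continue                      # unset time or outside DATE_RANGE
            # Times that coincide for one file collapse into a single row.
            events[(ts, f[1], users.get(f[4], f[4]))][pos] = flag
    return [(ts, "".join(flags), user, name)
            for (ts, name, user), flags in sorted(events.items())]

if __name__ == "__main__":
    for ts, flags, user, name in timeline(BODY, PASSWD, "01/01/2002-02/01/2002"):
        stamp = time.strftime("%a %b %d %Y %H:%M:%S", time.gmtime(ts))
        print(stamp, flags, user, name)
```
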
License
The changes from mactime in TCT and mac-daddy are distributed under the Common Public License, found on the Licenses page.
History
A version of mactime first appeared in The Coroner’s Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee).
Author
Brian Carrier <carrier@sleuthkit.org>