Difference between revisions of "Body file"
From SleuthKitWiki
(Created page from old fls page contents.)
Revision as of 12:36, 26 October 2008
The body file is an intermediate file when creating a timeline of file activity. It is a pipe ("|") delimited text file that contains one line for each file (or other event type, such as a log entry or registry key). The fls, ils, and mac-robber tools all output this data format. The mactime tool reads this file and sorts the contents.
The body file format in TSK 3.0+ is different from the format used in TSK 1.X and 2.X.
The 3.X output has the following fields:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
The times are reported in UNIX time format.
The 2.X output has the following fields:
MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks
For example:
0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0
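As an added illustration (not code from the Sleuth Kit itself), the following Python parses body-file lines in both layouts listed above, telling them apart by field count (11 fields for 3.X, 16 for 2.X), and then collapses each record into per-timestamp events sorted by time, in the spirit of what mactime does with its "macb" flags. The sample input is the 2.X line from the page plus one constructed 3.X line; the record type, function names and the flag-column layout are this example's own choices, not a Sleuth Kit API.

```python
"""Parse TSK body-file lines (3.X and 2.X layouts) and build a mactime-style timeline.

Example code added for illustration; not part of The Sleuth Kit.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Field layouts as documented on the page: 3.X has 11 fields, 2.X has 16.
FIELDS_3X = ["md5", "name", "inode", "mode_as_string", "uid", "gid", "size",
             "atime", "mtime", "ctime", "crtime"]
FIELDS_2X = ["md5", "name", "device", "inode", "mode_as_value", "mode_as_string",
             "num_of_links", "uid", "gid", "rdev", "size", "atime", "mtime",
             "ctime", "block_size", "num_of_blocks"]

# Flag column order and letters (m/a/c/b), modelled on mactime's output column.
FLAG_ORDER = (("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b"))

# Constructed sample input: line 1 is the 2.X example from the page,
# line 2 is a made-up 3.X record (11 fields, includes crtime).
SAMPLE_BODY_LINES = [
    "0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0",
    "0|/docs/report.txt|1234|r/rrwxrwxrwx|0|0|512|1216831874|1216831000|1216831000|1216830000",
]


@dataclass
class BodyRecord:
    version: str          # "3.X" or "2.X", inferred from the field count
    name: str
    inode: str
    mode_as_string: str
    size: int
    times: dict           # time key -> UNIX seconds; a value of 0 means "not set"


def parse_body_line(line: str) -> BodyRecord:
    """Split one body-file line on '|' and map it onto the matching field layout.

    A name containing '|' would shift the field count; such lines are rejected
    rather than silently mis-parsed.
    """
    parts = [p.strip() for p in line.rstrip("\n").split("|")]
    if len(parts) == len(FIELDS_3X):
        version, fields = "3.X", FIELDS_3X
    elif len(parts) == len(FIELDS_2X):
        version, fields = "2.X", FIELDS_2X
    else:
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(fields, parts))
    times = {key: int(rec[key]) for key, _ in FLAG_ORDER if key in rec}
    return BodyRecord(version, rec["name"], rec["inode"], rec["mode_as_string"],
                      int(rec["size"]), times)


def build_timeline(lines):
    """Return (timestamp, flags, record) tuples sorted by time, then by name.

    Timestamps shared by several time fields of one record are merged into a
    single event whose flag string marks every field with that value; the 2.X
    layout has no crtime, so its 'b' position is always '.'.
    """
    events = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_body_line(line)
        by_time = {}
        for key, ts in rec.times.items():
            if ts == 0:                     # unset timestamp, no event
                continue
            by_time.setdefault(ts, set()).add(key)
        for ts, keys in by_time.items():
            flags = "".join(letter if key in keys else "." for key, letter in FLAG_ORDER)
            events.append((ts, flags, rec))
    events.sort(key=lambda e: (e[0], e[2].name))
    return events


def format_timeline(lines):
    """Render the timeline as human-readable rows (UTC dates, like mactime -z UTC)."""
    rows = []
    for ts, flags, rec in build_timeline(lines):
        when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        rows.append(f"{when} {rec.size:>10} {flags} {rec.mode_as_string} {rec.inode:>6} {rec.name}")
    return rows


if __name__ == "__main__":
    for row in format_timeline(SAMPLE_BODY_LINES):
        print(row)
```

Feeding real `fls -m` or `mac-robber` output through `build_timeline` gives the same ordering a reviewer would read off mactime; the ValueError on an odd field count is the check worth keeping, since a stray pipe in a file name is the usual way a body file goes subtly wrong.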