Revision comparison of the mactime help page: the older revision first, then the revision that replaced it.

Older revision:

==mactime==
Version 2.09

===Purpose===
Creates an ASCII time line of file activity based on the body file specified by '-b' or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format that is created by ''unknown missing text''.

===Usage===
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

===Options===
{| border="1" cellpadding="5"
!Switch
!Purpose
|-
| -b body || Specify the location of a body file. This file must be generated by a tool such as 'fls -m' or 'ils -m'. The 'mac-robber' and 'grave-robber' tools can also be used to generate the file.
|-
| -g group file || Specify the location of the group file. mactime will display the group name instead of the GID if this is given.
|-
| -p password file || Specify the location of the passwd file. mactime will display the user name instead of the UID if this is given.
|-
| -i day|hour index file || Specify the location of an index file to write to. The first argument specifies the granularity, either an hourly summary or daily. If the import into a spreadsheet.
|-
| -d || Display timeline and index files in comma-delimited format. This is used to import the data into a spreadsheet for presentations or graphs.
|-
| -h || Display header info about the session including time range, input source, and passwd or group files.
|-
| -V || Display version to STDOUT.
|-
| -m || The month is given as a number instead of a name.
|-
| -y || The date range is given with the year first.
|-
| -z TIME_ZONE || The timezone where the data was collected. The name of this argument is system dependent (examples include EST5EDT, GMT+1).
|-
| DATE_RANGE || The range of dates to make the time line for. The standard format is 01/01/2002 for a starting date and no ending date. For an ending date, use 01/01/2002-02/01/2002.
|}

===Example===
''No example provided.''

===License===
The changes from mactime in TCT and mac-daddy are distributed under the Common Public License, found on the [[Licenses]] page.

===History===
A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee).

===Author===
Brian Carrier <carrier@sleuthkit.org>

Newer revision:

mactime creates an ASCII time line of file activity based on the output of the fls or ils tools. It can be used to detect anomalous behavior.

* [http://www.sleuthkit.org/sleuthkit/man/mactime.html Automatically Updated man Page]
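As an added illustration of the Purpose, Usage and Options described in the older revision (example code written for this page; it is not Sleuth Kit code and not part of either wiki revision), here is a small Python reimplementation of what mactime does with a body file: it explodes each file record into one event per timestamp, merges events that share a time and path into one row with combined m/a/c/b flags, sorts them, and supports the DATE_RANGE filter, the -y year-first date form, the -d comma-delimited output, the -m numeric month and the per-day or per-hour counts that -i writes to its index file. It assumes the Sleuth Kit 3.x body-file layout (`MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`, epoch seconds); that layout is an assumption, since mactime 2.09 on this page read an older TCT-style format. All function names (`parse_body`, `build_timeline`, `render`, `activity_index`) are this example's own, the treatment of a zero timestamp as "unset" and of the end date as inclusive are this example's conventions, and the sample body file is constructed, not captured from a real system.

```python
"""Minimal mactime-style timeline builder: an added example, not Sleuth Kit code.

Assumption: the body file uses the Sleuth Kit 3.x layout written by `fls -m`
and `ils -m` (mactime 2.09 on the page above read an older TCT-style layout):
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with the four times as Unix epoch seconds.
"""
from collections import OrderedDict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample body file (not captured from a real system).
SAMPLE_BODY = """\
0|/bin/ls|2002|r/rrwxr-xr-x|0|0|92136|1041465600|1041292800|1041292800|1041292800
0|/etc/passwd|1001|r/rrw-r--r--|0|0|1832|1041379200|1041379200|1041379200|1041379200
0|/tmp/.x|3003|r/rrwxr-xr-x|1000|1000|4096|1041552000|1041552000|1041552000|1041552000
0|/root/.bash_history|4004|r/rrw-------|0|0|512|1041552060|1041552060|1041552060|1041552060
"""

FLAG_ORDER = "macb"  # column order of the flag string: mtime, atime, ctime, crtime


def parse_body(text: str) -> List[dict]:
    """Parse body-file lines into records; a malformed line raises rather than being guessed at."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {lineno}: expected 11 fields, got {len(fields)}")
        _md5, name, inode, mode, uid, gid, size, atime, mtime, ctime, crtime = fields
        records.append({
            "name": name, "inode": inode, "mode": mode, "uid": uid, "gid": gid,
            "size": int(size),
            "times": {"m": int(mtime), "a": int(atime), "c": int(ctime), "b": int(crtime)},
        })
    return records


def parse_date_range(spec: str, year_first: bool = False, tz=timezone.utc) -> Tuple[int, Optional[int]]:
    """'START' or 'START-END' as MM/DD/YYYY (YYYY/MM/DD when year_first, like -y).
    END is treated as inclusive through the end of that day (this example's convention)."""
    fmt = "%Y/%m/%d" if year_first else "%m/%d/%Y"
    parts = spec.split("-")
    if len(parts) > 2:
        raise ValueError("date range must be START or START-END")

    def to_epoch(s: str) -> int:
        return int(datetime.strptime(s, fmt).replace(tzinfo=tz).timestamp())

    start = to_epoch(parts[0])
    end = to_epoch(parts[1]) + 86399 if len(parts) == 2 else None
    return start, end


def build_timeline(records: List[dict], date_range: Optional[str] = None,
                   year_first: bool = False, tz=timezone.utc) -> List[dict]:
    """One event per timestamp, merged per (time, name) into a row with combined flags, sorted by time."""
    start, end = parse_date_range(date_range, year_first, tz) if date_range else (None, None)
    merged: Dict[Tuple[int, str], dict] = {}
    for rec in records:
        for flag, ts in rec["times"].items():
            if ts == 0:  # this example treats a zero timestamp as "not set"
                continue
            if (start is not None and ts < start) or (end is not None and ts > end):
                continue
            merged.setdefault((ts, rec["name"]), {"rec": rec, "flags": set()})["flags"].add(flag)
    rows = []
    for ts, name in sorted(merged):
        rec, flags = merged[(ts, name)]["rec"], merged[(ts, name)]["flags"]
        rows.append({
            "time": ts, "size": rec["size"],
            "flags": "".join(f if f in flags else "." for f in FLAG_ORDER),
            "mode": rec["mode"], "uid": rec["uid"], "gid": rec["gid"],
            "inode": rec["inode"], "name": name,
        })
    return rows


def render(rows: List[dict], tz=timezone.utc, delimited: bool = False, numeric_month: bool = False) -> str:
    """Text timeline; delimited=True is the comma-separated form (-d), numeric_month the -m form."""
    date_fmt = "%a %m %d %Y %H:%M:%S" if numeric_month else "%a %b %d %Y %H:%M:%S"
    out = []
    for r in rows:
        when = datetime.fromtimestamp(r["time"], tz).strftime(date_fmt)
        cols = [when, str(r["size"]), r["flags"], r["mode"], r["uid"], r["gid"], r["inode"], r["name"]]
        out.append(",".join(cols) if delimited else
                   f"{when} {r['size']:>8} {r['flags']} {r['mode']:<12} "
                   f"{r['uid']:>5} {r['gid']:>5} {r['inode']:>8} {r['name']}")
    return "\n".join(out)


def activity_index(rows: List[dict], granularity: str = "day", tz=timezone.utc) -> "OrderedDict[str, int]":
    """Event counts per day or per hour, the summary the -i option writes to its index file."""
    if granularity not in ("day", "hour"):
        raise ValueError("granularity must be 'day' or 'hour'")
    fmt = "%Y-%m-%d" if granularity == "day" else "%Y-%m-%d %H"
    counts: "OrderedDict[str, int]" = OrderedDict()
    for r in rows:
        bucket = datetime.fromtimestamp(r["time"], tz).strftime(fmt)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    timeline = build_timeline(parse_body(SAMPLE_BODY), date_range="01/01/2003-01/03/2003")
    print(render(timeline))
    print(dict(activity_index(timeline, "hour")))
```

Running the module prints the three-day window of the constructed sample, and a reviewer can see the pattern mactime is built to surface: a file whose atime sits alone on one row (read but not changed) next to files whose four times coincide (created and never touched again). Spikes in the per-hour index are the usual starting point for deciding which part of the full timeline to read closely.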