Difference between revisions of "Body file"

From SleuthKitWiki
(Created page from old fls page contents.)
 
Line 1: Line 1:
The body file is an intermediate file when creating a timeline of file activity.  It is a pipe ("|") delimited text file that contains one line for each file (or other even type, such as a log or registry key). The [[fls]], [[ils]], and [[mac-robber]] tools all output this data format.  The [[mactime]] tool reads this file and sorts the contents.  
+
The body file is an intermediate file when creating a [[timeline]] of file activity.  It is a pipe ("|") delimited text file that contains one line for each file (or other even type, such as a log or registry key). The [[fls]], [[ils]], and [[mac-robber]] tools all output this data format.  The [[mactime]] tool reads this file and sorts the contents.  
  
 
The body file format in TSK 3.0+ is different from the format used in TSK 1.X and 2.X.  
 
The body file format in TSK 3.0+ is different from the format used in TSK 1.X and 2.X.  
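Review bot: the typo "other even type" is carried unchanged from the old text into the new first sentence ("one line for each file (or other even type, such as a log or registry key)"); since this paragraph is being edited anyway, change it to "other event type".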

Revision as of 13:36, 26 October 2008

The body file is an intermediate file when creating a timeline of file activity. It is a pipe ("|") delimited text file that contains one line for each file (or other event type, such as a log or registry key). The fls, ils, and mac-robber tools all output this data format. The mactime tool reads this file and sorts the contents.

The body file format in TSK 3.0+ is different from the format used in TSK 1.X and 2.X.

The 3.X output has the following fields:

MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime

The times are reported in UNIX time format.

The 2.X output has the following fields:

 MD5 | path/name | device | inode | mode_as_value | mode_as_string | num_of_links
 | UID | GID | rdev | size | atime | mtime | ctime | block_size | num_of_blocks

For example, a line in the 2.X format:

0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200|1220846400|1216831874|1216831874|512|0
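The following is an added example, not code from The Sleuth Kit or this wiki page: a small Python parser that reads both the 3.X and the 2.X body file layouts listed above (telling them apart by field count, 11 versus 16), then expands each line into sorted timeline rows the way mactime does, with a "macb" column marking which of the mtime, atime, ctime and crtime values match each row's time. The input is the 2.X line quoted on this page plus one 3.X line constructed for the example; the 3.X line's path, inode and timestamps are made up and are not from the page.

```python
#!/usr/bin/env python3
"""Parse Sleuth Kit body file lines (3.X and 2.X layouts) and build a
mactime-style sorted timeline.  Added example; not code from TSK."""
from datetime import datetime, timezone

# Field orders as listed on the page for TSK 3.X and 2.X body files.
FIELDS_3X = ["MD5", "name", "inode", "mode_as_string", "UID", "GID",
             "size", "atime", "mtime", "ctime", "crtime"]
FIELDS_2X = ["MD5", "name", "device", "inode", "mode_as_value",
             "mode_as_string", "num_of_links", "UID", "GID", "rdev",
             "size", "atime", "mtime", "ctime", "block_size", "num_of_blocks"]

# Sample input: the 2.X line quoted on the page, plus a 3.X line constructed
# for this example (its path, inode and times are made up).
PAGE_EXAMPLE_2X = ("0|/wusagedl.exe|0|6|33279|-/-rwxrwxrwx|1|0|0|0|3827200"
                   "|1220846400|1216831874|1216831874|512|0")
CONSTRUCTED_3X = ("0|/Windows/System32/example.dll|1234|r/rrwxrwxrwx|0|0|4096"
                  "|1216831874|1216831874|1216831874|1216800000")
SAMPLE_LINES = [PAGE_EXAMPLE_2X, CONSTRUCTED_3X]


def parse_body_line(line):
    """Split one pipe-delimited body line into (version, record).

    The layout is inferred from the field count: 11 fields is 3.X,
    16 fields is 2.X.  Anything else is rejected rather than guessed."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) == len(FIELDS_3X):
        return "3.X", dict(zip(FIELDS_3X, fields))
    if len(fields) == len(FIELDS_2X):
        return "2.X", dict(zip(FIELDS_2X, fields))
    raise ValueError(f"unexpected field count {len(fields)}: {line!r}")


def timeline(lines):
    """Turn body lines into sorted timeline rows, one per (time, file).

    Like mactime's output, each row carries a 'macb' column: the letter is
    present when that file's mtime, atime, ctime or crtime (birth) equals
    the row's time, '.' otherwise.  2.X lines have no crtime, so 'b' never
    appears for them.  A timestamp of 0 is treated as unset and skipped."""
    rows = {}
    for line in lines:
        if not line.strip():
            continue
        version, rec = parse_body_line(line)
        keys = ["mtime", "atime", "ctime"] + (["crtime"] if version == "3.X" else [])
        for pos, key in enumerate(keys):
            ts = int(rec[key])          # times are UNIX epoch seconds
            if ts == 0:
                continue
            row = rows.setdefault((ts, rec["name"]), {
                "time": ts, "macb": ["."] * 4, "size": int(rec["size"]),
                "mode": rec["mode_as_string"], "uid": rec["UID"],
                "gid": rec["GID"], "inode": rec["inode"], "name": rec["name"],
            })
            row["macb"][pos] = "macb"[pos]
    # Sort by (time, name) and flatten the macb list into a string.
    return [dict(rows[k], macb="".join(rows[k]["macb"])) for k in sorted(rows)]


def to_iso(ts):
    """Render a UNIX timestamp as UTC ISO-8601, the way a timeline is read."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    for r in timeline(SAMPLE_LINES):
        print(f'{to_iso(r["time"])} {r["size"]:>10} {r["macb"]} {r["mode"]} '
              f'{r["uid"]} {r["gid"]} {r["inode"]} {r["name"]}')
```

Run stand-alone it prints four rows: the constructed file's birth time, then both files' 1216831874 entries (the page's example has mtime and ctime equal, so they collapse into one "m.c." row), then the example's later atime. Inferring the layout from the field count is deliberately strict; a line with any other count raises rather than being silently mis-mapped, which matters when mixing output from different TSK versions into one body file.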