Difference between revisions of "Mactime"
(New page: Version 2.09 Man Page NAME mactime - Create an ASCII time line of file activity SYNOPSIS mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) inde...) |
|||
| (7 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | Back to [[Help Documents]] | |
| − | + | mactime creates an ASCII [[timeline]] of file activity based on the output of the [[fls]] tool. It can be used to detect anomalous behavior and reconstruct events. The [[fls]] command must use the ''-m'' flag to generate a output with timestamps. | |
| − | + | ||
| − | + | mactime reads the [[body file]] (using the '-b' argument), which contains a line for each file or event. mactime then sorts the data based on its temporal data and prints the result. It can optionally use a starting date or a date range to limit the data being printed. | |
| − | + | ||
| − | + | ||
| − | + | The following reads body.txt and outputs all activity starting in March of 2002. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | <pre> | |
| + | # mactime -b body.txt 2002-03-01 > tl.03.01.2002.txt | ||
| + | </pre> | ||
| − | + | Some of the arguments for mactime help to make the output more readable. On a Unix system, the User and Group IDs can be mapped to actual names by using the '-p' and '-q' flags. The '-z' flag can be used to specify the time zone, if it is different from the local timezone. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | <pre> | |
| − | + | # mactime -b body.txt -z EST5EDT 2002-03-01 > tl.03.01.2002.txt | |
| − | + | </pre> | |
| − | + | The [[mactime output]] is text that contains the file activity. | |
| − | + | ||
| − | + | ||
| − | + | If you are going to include the resulting timeline in a document, then it maybe better to supply the '-d' argument to output in comma delimited format. The resulting timeline can then be imported into a spread sheet and included as a table. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | The '-i' option to 'mactime' creates an index summary file, including how many hits were found per day or hour. Using '-d' with '-i' allows one to easily import data into a spread sheet that can be graphed to spot suspicious behavior. | |
| − | + | ||
| − | + | ||
| − | + | <pre> | |
| − | + | # mactime -b body.txt -d -i hour data/tl-hour-sum.txt > timeline.txt | |
| − | + | </pre> | |
| − | + | ||
| − | + | * [http://www.sleuthkit.org/sleuthkit/man/mactime.html Automatically Updated man Page] | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
Latest revision as of 09:41, 13 August 2010
Back to Help Documents
mactime creates an ASCII timeline of file activity based on the output of the fls tool. It can be used to detect anomalous behavior and reconstruct events. The fls command must use the -m flag to generate a output with timestamps.
mactime reads the body file (using the '-b' argument), which contains a line for each file or event. mactime then sorts the data based on its temporal data and prints the result. It can optionally use a starting date or a date range to limit the data being printed.
The following reads body.txt and outputs all activity starting in March of 2002.
# mactime -b body.txt 2002-03-01 > tl.03.01.2002.txt
Some of the arguments for mactime help to make the output more readable. On a Unix system, the User and Group IDs can be mapped to actual names by using the '-p' and '-q' flags. The '-z' flag can be used to specify the time zone, if it is different from the local timezone.
# mactime -b body.txt -z EST5EDT 2002-03-01 > tl.03.01.2002.txt
The mactime output is text that contains the file activity.
If you are going to include the resulting timeline in a document, then it maybe better to supply the '-d' argument to output in comma delimited format. The resulting timeline can then be imported into a spread sheet and included as a table.
The '-i' option to 'mactime' creates an index summary file, including how many hits were found per day or hour. Using '-d' with '-i' allows one to easily import data into a spread sheet that can be graphed to spot suspicious behavior.
# mactime -b body.txt -d -i hour data/tl-hour-sum.txt > timeline.txt
