Mactime

From SleuthKitWiki
Revision as of 09:31, 17 November 2007 by Dhawkins (Talk | contribs)


Version 2.09 Man Page

NAME

      mactime - Create an ASCII time line of file activity

SYNOPSIS

      mactime  [-b body ] [-g group file ] [-p password file ] [-i (day|hour)
      index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

DESCRIPTION

      mactime creates an ASCII time line of file activity based on the body
      file specified by ’-b’ or from STDIN.  The time line is written to
      STDOUT.  The body file must be in the time machine format that is created
      by
      The options are as follows:
      -b body
             Specify the location of a body file.  This file must be generated
             by a tool such as ’fls -m’ or ’ils -m’.  The ’mac-robber’ and
             ’grave-robber’ tools can also be used to generate the file.
      -g group file
             Specify the location of the group file.  mactime will display
             the group name instead of the GID if this is given.
      -p password file
             Specify the location of the passwd file.  mactime will display
             the user name instead of the UID if this is given.
      -i day|hour index file
             Specify the location of an index file to write to.  The first
             argument specifies the granularity, either an hourly summary or
             daily.  The index is intended for import into a spreadsheet.
      -d     Display timeline and index files in comma delimited format.
             This is used to import the data into a spreadsheet for
             presentations or graphs.
      -h     Display header info about the session including time range,
             input source, and passwd or group files.
      -V     Display version to STDOUT.
      -m     The month is given as a number instead of name.
      -y     The date range is given with the year first.
      -z TIME_ZONE
             The timezone from where the data was collected.  The name of
             this argument is system dependent (examples include EST5EDT,
             GMT+1).
      DATE_RANGE
             The range of dates to make the time line for.  The standard
             format is 01/01/2002 for a starting date and no ending date.  For
             an ending date, use 01/01/2002-02/01/2002.
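      The following is an added example, not the mactime code from The Sleuth
      Kit, showing the core of what the tool does with a body file: it merges
      the four timestamps of each entry into MACB rows, sorts them, applies a
      DATE_RANGE in a chosen time zone and prints mactime-style lines.  It
      assumes the 11-field body layout used by later Sleuth Kit releases
      (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the 2.09
      version documented here read the older, wider TCT-style layout, so the
      field list would need adjusting for that.  The sample body lines are
      constructed, and treating the ending date as exclusive is this
      example's choice.

```python
from datetime import datetime, timedelta, timezone

# Assumed body-file layout (later TSK releases); TSK 2.x read the wider TCT layout.
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime"]
# Timestamp kinds in MACB column order, with the letter mactime prints for each.
MACB = [("mtime", "m"), ("atime", "a"), ("ctime", "c"), ("crtime", "b")]

# Constructed sample body file: three fabricated entries, not from a real image.
SAMPLE_BODY = """\
0|/etc/passwd|1234|-/-rw-r--r--|0|0|1500|1010000000|1009900000|1009900000|1009800000
0|/home/user/.bash_history|5678|-/-rw-------|1000|1000|40|1012000000|1012000000|1012000000|1011000000
0|/tmp/x|9999|-/-rwxr-xr-x|1000|1000|12|1011500000|1011500000|1011500000|1011500000
"""


def parse_body(text):
    """Parse pipe-delimited body lines into dicts, skipping blank and '#' lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        entry = dict(zip(FIELDS, parts))
        for key, _ in MACB:
            entry[key] = int(entry[key])   # epoch seconds
        entries.append(entry)
    return entries


def parse_date_range(spec, year_first=False):
    """Parse DATE_RANGE as in the man page: 'MM/DD/YYYY' or 'MM/DD/YYYY-MM/DD/YYYY'.

    Returns (start, end) as naive midnight datetimes; end is None when no
    ending date is given.  year_first mirrors -y (YYYY/MM/DD).
    """
    fmt = "%Y/%m/%d" if year_first else "%m/%d/%Y"
    pieces = spec.split("-")
    start = datetime.strptime(pieces[0], fmt)
    end = datetime.strptime(pieces[1], fmt) if len(pieces) > 1 else None
    return start, end


def build_timeline(entries, tz=timezone.utc, date_range=None, year_first=False):
    """Return sorted rows (epoch, macb, entry), one per distinct timestamp per file.

    Equal timestamps of one file collapse into a single row whose MACB column
    shows which of m/a/c/b matched.  The range is [start, end) interpreted in
    tz (end-exclusive is this example's choice).
    """
    lo = hi = None
    if date_range:
        start, end = parse_date_range(date_range, year_first)
        lo = start.replace(tzinfo=tz).timestamp()
        hi = end.replace(tzinfo=tz).timestamp() if end else None
    rows = []
    for e in entries:
        by_time = {}
        for key, letter in MACB:
            by_time.setdefault(e[key], set()).add(letter)
        for ts, letters in by_time.items():
            if lo is not None and ts < lo:
                continue
            if hi is not None and ts >= hi:
                continue
            macb = "".join(l if l in letters else "." for _, l in MACB)
            rows.append((ts, macb, e))
    rows.sort(key=lambda r: (r[0], r[2]["name"]))
    return rows


def format_row(ts, macb, e, tz=timezone.utc):
    """Render one row roughly as mactime does: date, size, MACB, mode, UID, GID, inode, name."""
    when = datetime.fromtimestamp(ts, tz).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {e['size']:>8} {macb} {e['mode']} {e['uid']} {e['gid']} {e['inode']} {e['name']}"


if __name__ == "__main__":
    # Roughly: mactime -b body -z <zone> 01/01/2002-02/01/2002, using a fixed
    # UTC-5 offset (standard time only) in place of a named zone like EST5EDT.
    zone = timezone(timedelta(hours=-5))
    for ts, macb, e in build_timeline(parse_body(SAMPLE_BODY), zone, "01/01/2002-02/01/2002"):
        print(format_row(ts, macb, e, zone))
```

      Note that the crtime of /etc/passwd (31 Dec 2001 in UTC) falls outside
      the range and is dropped, and that the time zone changes which rows sit
      on which side of a midnight boundary, which is why -z matters when a
      range is given.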

LICENSE

      The changes from mactime in TCT and mac-daddy are distributed under the
      Common Public License, found in the cpl1.0.txt file in the  The  Sleuth
      Kit licenses directory.

HISTORY

      A version of mactime first appeared in The Coroner’s Toolkit (TCT) (Dan
      Farmer) and later mac-daddy (Rob Lee).

AUTHOR

      Brian Carrier <carrier@sleuthkit.org>