Difference between revisions of "Mactime output"

From SleuthKitWiki
Latest revision as of 04:53, 8 October 2016

mactime

mactime is a TSK Perl script that reads file metadata stored in the body file format and sorts the data to create a timeline of file activity. The resulting timeline is plain text with several columns. This page describes what each column means. This program was originally created to analyze Unix file systems and therefore some of the columns have little meaning when analyzing a Windows file system.


Example Output

Columns:
      Date/Time              Size    Activity         Unix      User     Group     inode     File Name
                            (Bytes)    Type        Permissions   Id        Id     
Example:
[...]
Thu Aug 21 2003 01:20:38      512       m.c.       -/-rwxrwxrwx     0        0        4        /file1.dat
                              900       m.c.       -/-rwxrwxrwx     0        0        8        /file3.dat
Thu Aug 21 2003 01:21:36      512       m.c.       -/-rwxrwxrwx     0        0        12       /_ILE5.DAT (deleted)
Thu Aug 21 2003 01:22:56      512       .a..       -/-rwxrwxrwx     0        0        4        /file1.dat
[...]

Date/Time

The first column is the date and time of the activity. If a line records activity in the same second as the line before it, the date and time are not repeated and the column is left blank. We can see this in the above example: both 'file1.dat' and 'file3.dat' had activity at the same time.

File Size

The second column is the size of the file (in bytes).

Activity Type

The third column describes the activity type for the given time. This column can be the source of confusion. It contains the letters 'm', 'a', 'c', 'b', and '.'. Each represents a time associated with the file (and '.' is used when a given time is not being used for that entry). Confusion can exist because different file systems have different file times. Use the following table to determine what time is being shown:


MAC Meaning by File System

File System   m              a          c              b
Ext4          Modified       Accessed   Changed        Created
Ext2/3        Modified       Accessed   Changed        N/A
FAT           Written        Accessed   N/A            Created
NTFS          File Modified  Accessed   MFT Modified   Created
UFS           Modified       Accessed   Changed        N/A


Note: Some file systems have additional times that will not be displayed. For example, Ext2/3 has a 'deleted' time that is not displayed. NTFS also has another set of times that are stored in the $FILE_NAME attribute that are not displayed in the time line. The $FILE_NAME times can be viewed using the istat tool.

Unix Permissions

The fourth column is the permissions of the file (in Unix format). In this example, we have a FAT file system and therefore all permissions are displayed (because FAT does not have a notion of permissions outside of "read only").

User & Group IDs

The fifth and sixth columns contain the User and Group IDs. These will be non-zero only on Ext2/3 or UFS file systems.

inode

The seventh column is the "inode" or metadata address of the file.

File Name

The eighth column is the file name. If the file name is not allocated, then it will have "(deleted)" after the name. This can be seen in the previous example. If the name is not allocated, but the metadata for the file is allocated, then it will have "(realloc)" in the name. This shows that the metadata associated with this file name may not be valid any more because it could correspond to a different file.
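The following parser is an added example, not part of The Sleuth Kit or of this wiki page. It reads mactime output in the exact column layout documented above (date/time, size, activity type, Unix permissions, user ID, group ID, inode, file name), handles the blank date column on same-second continuation lines, strips the "(deleted)" and "(realloc)" markers into flags, and translates the m/a/c/b letters using the "MAC Meaning by File System" table. The sample lines are the ones shown on this page; the `TimelineEntry` class, `parse_mactime` and `MACB_MEANING` are names chosen here, not TSK's. Three-letter activity strings from older mactime versions (no 'b' column) are accepted and padded.

```python
"""Parse mactime timeline output into structured records (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

# Meaning of each activity letter per file system, copied from the
# "MAC Meaning by File System" table on this page. None means N/A.
MACB_MEANING = {
    "Ext4":   {"m": "Modified",      "a": "Accessed", "c": "Changed",      "b": "Created"},
    "Ext2/3": {"m": "Modified",      "a": "Accessed", "c": "Changed",      "b": None},
    "FAT":    {"m": "Written",       "a": "Accessed", "c": None,           "b": "Created"},
    "NTFS":   {"m": "File Modified", "a": "Accessed", "c": "MFT Modified", "b": "Created"},
    "UFS":    {"m": "Modified",      "a": "Accessed", "c": "Changed",      "b": None},
}

# Matches the date/time column as shown in the example: "Thu Aug 21 2003 01:20:38".
DATE_RE = re.compile(r"^([A-Z][a-z]{2} [A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})\s+(.*)$")
DATE_FMT = "%a %b %d %Y %H:%M:%S"


@dataclass
class TimelineEntry:
    timestamp: datetime
    size: int
    activity: str          # four characters in the order m, a, c, b; '.' = not used
    perms: str
    uid: int
    gid: int
    inode: str             # kept as text; NTFS addresses are not plain integers
    name: str
    deleted: bool = False  # file name is not allocated
    realloc: bool = False  # name not allocated but its metadata is (may belong to another file)

    def flags(self) -> Set[str]:
        """The activity letters that apply to this entry, e.g. {'m', 'c'}."""
        return {ch for ch in self.activity if ch != "."}

    def describe(self, fs: str) -> List[str]:
        """Translate the set flags into the time names used by the given file system."""
        table = MACB_MEANING[fs]
        return [table[ch] or "N/A" for ch in "macb" if ch in self.flags()]


def parse_mactime(text: str) -> List[TimelineEntry]:
    entries: List[TimelineEntry] = []
    current_ts: Optional[datetime] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("[...]"):
            continue  # blank lines and the "[...]" elision marker carry no data
        match = DATE_RE.match(line)
        if match:
            current_ts = datetime.strptime(match.group(1), DATE_FMT)
            rest = match.group(2)
        elif current_ts is not None and line[0].isspace():
            # Continuation line: same second as the previous entry, time column left blank.
            rest = line.strip()
        else:
            raise ValueError(f"cannot parse mactime line: {raw!r}")
        fields = rest.split(None, 6)  # the file name (last field) may contain spaces
        if len(fields) != 7:
            raise ValueError(f"expected 7 fields after the date, got {len(fields)}: {raw!r}")
        size, activity, perms, uid, gid, inode, name = fields
        if len(activity) == 3:
            activity += "."  # older mactime output without the 'b' column
        deleted = name.endswith(" (deleted)")
        realloc = name.endswith(" (realloc)")
        if deleted or realloc:
            name = name.rsplit(" ", 1)[0]
        entries.append(TimelineEntry(current_ts, int(size), activity, perms,
                                     int(uid), int(gid), inode, name, deleted, realloc))
    return entries


# Constructed sample: the example output shown on this page (FAT file system).
SAMPLE = """\
[...]
Thu Aug 21 2003 01:20:38      512       m.c.       -/-rwxrwxrwx     0        0        4        /file1.dat
                              900       m.c.       -/-rwxrwxrwx     0        0        8        /file3.dat
Thu Aug 21 2003 01:21:36      512       m.c.       -/-rwxrwxrwx     0        0        12       /_ILE5.DAT (deleted)
Thu Aug 21 2003 01:22:56      512       .a..       -/-rwxrwxrwx     0        0        4        /file1.dat
[...]
"""

if __name__ == "__main__":
    for e in parse_mactime(SAMPLE):
        marker = " (deleted)" if e.deleted else " (realloc)" if e.realloc else ""
        print(e.timestamp.isoformat(), e.inode, e.name + marker, e.describe("FAT"))
```

Because the sample comes from a FAT image, the 'c' flag on the first three lines maps to "N/A": FAT has no change time, so the same "m.c." string would mean "Modified, Changed" on Ext2/3 but "Written, N/A" here. Always pair the activity letters with the file system of the image, as the table above describes.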