From SleuthKitWiki
Revision as of 10:03, 22 October 2008 by Carrier (Talk | contribs)


Creating a timeline of system activity will give an investigator clues regarding where to probe further. TSK allows you to generate timelines of activity from a variety of sources.

NOTE: This page is a work in progress. TSK comes with a reference doc on timeline creation, that needs to be updated or merged with this page: http://www.sleuthkit.org/sleuthkit/docs/ref_timeline.txt.


At a high level, generation is a two-step process. In the first step, temporal data is gathered from various data sources (such as file systems, registries, logs, etc.) and saved in a common intermediate format, which is described in the fls documentation. This step is done using the 'fls' tool in TSK or the other tools listed below. The second step is to sort and merge all of the temporal data into a single timeline. This step is done using the 'mactime' script in TSK.

Data Gathering

The primary method for collecting temporal data from file systems is to run fls with the '-m' flag. With versions 1.X and 2.X of TSK, you also had to run the ils command to get all unallocated files, but that is no longer required. See [1] for more details.

Any data with times can be converted to the format needed by mactime. I have previously created scripts to convert log files to this format so that all of the data was in a single timeline.

Other scripts that are written to convert data to the mactime format include:

  • TODO

Timeline Creation

Add content here about using mactime, or refer to the [2] file.
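The two steps above (converting log data to the body format, then sorting and merging it with fls output) as an added example; this is not TSK code, and it assumes the 11-field pipe-delimited body layout used by TSK 3.x mactime, with constructed sample fls and syslog lines:

```python
"""Two-step timeline build: (1) turn timestamped log lines into body lines and
pool them with fls -m output, (2) sort/merge everything into one timeline.
Assumed body layout (TSK 3.x): MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with each time in Unix epoch seconds and 0 meaning "no value"."""
import re
from datetime import datetime, timezone

# Constructed sample data: one fls-style body line and two syslog lines (not real output).
FLS_BODY = [
    "0|/home/alice/notes.txt|12345|r/rrw-r--r--|1000|1000|512"
    "|1224655200|1224651600|1224651600|1224648000",
]
SYSLOG = """Oct 22 06:00:00 host sshd[101]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
Oct 22 07:30:00 host sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt-get update
"""
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")
# mactime prints the flags in m,a,c,b order; second value is the body column index
MACB = (("m", 8), ("a", 7), ("c", 9), ("b", 10))

def syslog_to_body(line, year):
    """Step 1: one body line per log entry; the log time goes in mtime, the rest are 0."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {hh}:{mm}:{ss}", "%Y %b %d %H:%M:%S")
    epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())  # syslog carries no year/zone
    name = f"[syslog:{host}] {msg}".replace("|", " ")  # '|' is the field separator
    return f"0|{name}|0|0|0|0|0|0|{epoch}|0|0"

def mactime(body_lines):
    """Step 2: expand each body line into per-timestamp events and sort them."""
    events = []
    for line in body_lines:
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("expected 11 fields: " + line)
        by_time = {}
        for flag, idx in MACB:
            if int(f[idx]):  # 0 = timestamp not present, so no event for it
                by_time.setdefault(int(f[idx]), set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(fl if fl in flags else "." for fl, _ in MACB)
            events.append((t, macb, f[1]))
    return [f"{datetime.fromtimestamp(t, timezone.utc):%Y-%m-%d %H:%M:%S} {macb} {name}"
            for t, macb, name in sorted(events)]

def build_timeline(year=2008):
    """Pool the fls body lines with the converted log lines, then run the merge step."""
    converted = (syslog_to_body(l, year) for l in SYSLOG.splitlines())
    return mactime(FLS_BODY + [b for b in converted if b])

if __name__ == "__main__":
    print("\n".join(build_timeline()))
```

Times are treated as UTC here; real mactime applies the -z time zone and prints the same m/a/c/b columns for each distinct timestamp.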

The Zeitline tool also imports the same data format and has a more graphical display.


See also Ex-Tip: An Extensible Timeline Analysis Framework in Perl (Michael Cloppert)