Difference between revisions of "Mactime"

From SleuthKitWiki
Jump to: navigation, search
m (Reformatted)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
Back to [[Help Documents]]
 
Back to [[Help Documents]]
  
==mactime==
+
mactime creates an ASCII [[timeline]] of file activity based on the output of the [[fls]] tool. It can be used to detect anomalous behavior and reconstruct events. The [[fls]] command must use the ''-m'' flag to generate a output with timestamps.
Version 2.09
+
  
 +
mactime reads the [[body file]] (using the '-b' argument), which contains a line for each file or event.  mactime then sorts the data based on its temporal data and prints the result. It can optionally use a starting date or a date range to limit the data being printed. 
  
===Purpose===
+
The following reads body.txt and outputs all activity starting in March of 2002.  
Creates an ASCII time line of file activity based on the body file specified by ’-b’ or from STDIN. The time line is written to STDOUT.  The body file must be in the time machine format that is created by ''unknown missing text''.
+
  
 +
<pre>
 +
# mactime -b body.txt 2002-03-01 > tl.03.01.2002.txt
 +
</pre>
  
===Usage===
+
Some of the arguments for mactime help to make the output more readable. On a Unix system, the User and Group IDs can be mapped to actual names by using the '-p' and '-q' flags.  The '-z' flag can be used to specify the time zone, if it is different from the local timezone.
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
+
  
 +
<pre>
 +
# mactime -b body.txt -z EST5EDT 2002-03-01 > tl.03.01.2002.txt
 +
</pre>
  
===Options===
+
The [[mactime output]] is text that contains the file activity.
  
{| border="1" cellpadding="5"
+
If you are going to include the resulting timeline in a document, then it maybe better to supply the '-d' argument to output in comma delimited format.  The resulting timeline can then be imported into a spread sheet and included as a table.
!Switch
+
!Purpose
+
|-
+
| -b body || Specify the location of a body file. This file must be generated by a tool such as ’fls -m’ or ’ils -m’. The ’mac-robber’ and ’grave-robber’ tools can also be used to generate the file.
+
|-
+
| -g group file || Specify the location of the group file. mactime will display the group name instead of the GID if this is given.
+
|-
+
| -p password file || Specify the location of the passwd file. mactime will display the user name instead of the UID of this is given.
+
|-
+
| -i day|hour index file ||  Specify the location of an index file to write to. The first argument specifies the granularity, either an hourly summary or daily. If the import into a spread sheet.
+
|-
+
| -d || Display timeline and index files in comma delimited format.  This is used to import the data into a spread sheet for presentations or graphs.
+
|-
+
| -h || Display header info about the session including time range, input source, and passwd or group files.
+
|-
+
| -V || Display version to STDOUT.
+
|-
+
| -m || The month is given as a number instead of name.
+
|-
+
| -y || The date range is given with the year first.
+
|-
+
| -z TIME_ZONE ||  The timezone from where the data was collected. The name of this argument is system dependent (examples include EST5EDT, GMT+1).
+
|-
+
| DATE_RANGE || The range of dates to make the time line for. The standard format is 01/01/2002 for a starting date and no ending date. For an ending date, use 01/01/2002-02/01/2002.
+
|}
+
  
 +
The '-i' option to 'mactime' creates an index summary file, including how many hits were found per day or hour.  Using '-d' with '-i' allows one to easily import data into a spread sheet that can be graphed to spot suspicious behavior.
  
===Example===
+
<pre>
''No example provided.''
+
# mactime -b body.txt -d -i hour data/tl-hour-sum.txt > timeline.txt
 
+
</pre>
 
+
 
===License===
+
* [http://www.sleuthkit.org/sleuthkit/man/mactime.html Automatically Updated man Page]
The changes from mactime in TCT and mac-daddy are distributed under the Common Public License, found on the [[Licenses]] page.
+
 
+
 
+
===History===
+
A version of mactime first appeared in The Coroner’s Toolkit (TCT) (Dan Farmer) and later mac-daddy (Rob Lee).
+
 
+
 
+
===Author===
+
Brian Carrier <carrier@sleuthkit.org>
+

Latest revision as of 08:41, 13 August 2010

Back to Help Documents

mactime creates an ASCII timeline of file activity based on the output of the fls tool. It can be used to detect anomalous behavior and reconstruct events. The fls command must use the -m flag to generate a output with timestamps.

mactime reads the body file (using the '-b' argument), which contains a line for each file or event. mactime then sorts the data based on its temporal data and prints the result. It can optionally use a starting date or a date range to limit the data being printed.

The following reads body.txt and outputs all activity starting in March of 2002.

# mactime -b body.txt 2002-03-01 > tl.03.01.2002.txt

Some of the arguments for mactime help to make the output more readable. On a Unix system, the User and Group IDs can be mapped to actual names by using the '-p' and '-q' flags. The '-z' flag can be used to specify the time zone, if it is different from the local timezone.

# mactime -b body.txt -z EST5EDT 2002-03-01 > tl.03.01.2002.txt

The mactime output is text that contains the file activity.

If you are going to include the resulting timeline in a document, then it maybe better to supply the '-d' argument to output in comma delimited format. The resulting timeline can then be imported into a spread sheet and included as a table.

The '-i' option to 'mactime' creates an index summary file, including how many hits were found per day or hour. Using '-d' with '-i' allows one to easily import data into a spread sheet that can be graphed to spot suspicious behavior.

# mactime -b body.txt -d -i hour data/tl-hour-sum.txt > timeline.txt