kaliwiki/tools/mactime-sleuthkit.md
2014-04-23 10:38:32 -05:00


# mactime-sleuthkit

Notes
-------
mactime - Create an ASCII time line of file activity

Help Text
-------
```
SYNOPSIS
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour) index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
DESCRIPTION
mactime creates an ASCII time line of file activity based on the body file specified by '-b' or from STDIN. The time line is written to STDOUT. The body file must be in the time machine format
that is created by 'ils -m', 'fls -m', or the mac-robber tool.
ARGUMENTS
-b body
Specify the location of a body file. This file must be generated by a tool such as 'fls -m'
or 'ils -m'.
The 'mac-robber' and 'grave-robber' tools can also be used to generate the file.
-g group file
Specify the location of the group file. mactime will display the group name instead
of the GID if this is given.
-p password file
Specify the location of the passwd file. mactime will display the user name instead
of the UID if this is given.
-i day|hour index file
Specify the location of an index file to write to. The first argument specifies the
granularity, either an hourly summary or daily. If the '-d' flag is given, then the summary
will be separated by a ',' to import into a spread sheet.
-d Display timeline and index files in comma delimited format. This is used to
import the data into a spread sheet for presentations or graphs.
-h Display header info about the session including time range, input source,
and passwd or group files.
-V Display version to STDOUT.
-m The month is given as a number instead of name.
-y The date range is given with the year first.
-z TIME_ZONE
The timezone from where the data was collected. The name of this argument is system
dependent (examples include EST5EDT, GMT+1).
DATE_RANGE
The range of dates to make the time line for. The standard format is yyyy-mm-dd
for a starting date and no ending date. For an ending date, use yyyy-mm-dd..yyyy-mm-dd.
```

Example Usage
-------
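
As an added example (not code from the original page or from The Sleuth Kit), the following Python re-implements the core of what mactime does with a body file: it expands each row into one event per non-zero M/A/C/B timestamp, collapses events that share a timestamp into a single `macb` flag string, sorts them, renders the time in the zone given (the `-z` behaviour; pass `zoneinfo.ZoneInfo("EST5EDT")` or any tzinfo) and applies the `DATE_RANGE` syntax from the help text. It assumes the 11-field `fls -m` body layout shown in the comment; the body lines are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample body file in the 11-field TSK body format written by 'fls -m' / 'ils -m':
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime  (epoch seconds, 0 = unset)
SAMPLE_BODY = """\
0|/etc/passwd|1234|r/rrw-r--r--|0|0|2048|1398086400|1398000000|1398000000|1397913600
0|/home/user/notes.txt|5678|r/rrw-------|1000|1000|120|1398003600|1398003600|1398003600|1398003600
0|/tmp/old.log|91|r/rrw-r--r--|1000|1000|77|1397913600|1397913600|1397913600|0
"""

def parse_body(text):
    """Split body-file lines into dicts; a malformed line raises instead of being silently dropped."""
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"body line {n}: expected 11 '|'-separated fields, got {len(f)}")
        rows.append({"name": f[1], "inode": f[2], "mode": f[3], "uid": f[4], "gid": f[5],
                     "size": f[6], "times": dict(zip("amcb", map(int, f[7:11])))})
    return rows

def parse_date_range(spec, tz):
    """DATE_RANGE as in the help text: 'yyyy-mm-dd' (start, no end) or 'yyyy-mm-dd..yyyy-mm-dd'."""
    start_s, _, end_s = spec.partition("..")
    start = datetime.strptime(start_s, "%Y-%m-%d").replace(tzinfo=tz)
    end = datetime.strptime(end_s, "%Y-%m-%d").replace(tzinfo=tz) + timedelta(days=1) if end_s else None
    return start, end  # end is exclusive, so the whole of the last day is included

def build_timeline(text, tz=timezone.utc, date_range=None):
    """Return timeline rows sorted by time, one per (timestamp, file), flagged m/a/c/b like mactime."""
    start, end = parse_date_range(date_range, tz) if date_range else (None, None)
    events = {}  # (epoch, name) -> (row, letters): equal timestamps collapse into one 'macb' row
    for row in parse_body(text):
        for letter, epoch in row["times"].items():
            if epoch == 0:  # mactime skips unset (zero) timestamps
                continue
            events.setdefault((epoch, row["name"]), (row, set()))[1].add(letter)
    out = []
    for (epoch, _), (row, letters) in sorted(events.items()):
        dt = datetime.fromtimestamp(epoch, tz)  # -z: render in the zone the data was collected in
        if (start and dt < start) or (end and dt >= end):
            continue
        flags = "".join(c if c in letters else "." for c in "macb")
        out.append(f"{dt:%a %b %d %Y %H:%M:%S} {row['size']:>8} {flags} {row['mode']} "
                   f"{row['uid']:<8} {row['gid']:<8} {row['inode']:<8} {row['name']}")
    return out

if __name__ == "__main__":
    print("\n".join(build_timeline(SAMPLE_BODY, date_range="2014-04-20")))
```

The `-g`/`-p` name lookups and the `-d` comma-delimited output are left out; they are formatting of the same rows.
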

Links
-------
[1] http://wiki.sleuthkit.org/index.php?title=Mactime