Re: [sleuthkit-users] timelines and NTFS creation time
From: Brian C. <ca...@sl...> - 2008-05-19 12:33:37
Hello, sorry for the delay. I just got back from a long vacation w/ out e-mail access.

"next release" is the key phrase there. I am currently working on a new major 3.0 release. I'm sure that this will be in that release, but that will probably be a couple of months away. If I do a 2.53 bug fix release, then it will not be part of that release.

thanks,
brian

On May 8, 2008, at 8:38 AM, Robert-Jan Mora wrote:

> Hi Brian,
>
> Can this be in the next release of the sleuthkit?
>
> Regards,
>
> RJM.
>
> Eamonn Saunders wrote:
>>
>> I also initially thought that 'b' was a good idea but Brian (SS)
>> brings up a good point. You could go with 'n' (for "new" or "ntfs").
>>
>> FTI: In order to get a timeline containing creation dates I ended
>> up making a slight modification to ntfs.c such that it uses crtime
>> instead of ctime. Now I've got 2 timelines...one with the MFT
>> modified time (ctime) and the other with the NTFS creation time.
>>
>> Thanks.
>>
>> ----- Original Message ----
>> From: Brian Smith-Sweeney <ti...@ny...>
>> To: Brian Carrier <ca...@sl...>
>> Cc: Eamonn Saunders <ea...@ya...>; sleuthkit-us...@li...
>> Sent: Thursday, April 24, 2008 2:27:03 PM
>> Subject: Re: [sleuthkit-users] timelines and NTFS creation time
>>
>> Brian Carrier wrote:
>> > On Apr 24, 2008, at 9:42 AM, Pope wrote:
>> >> How about "b"? (for "Born")
>> >
>> > That's a good idea.
>> >
>> >> btw, apart from NTFS, is there any other major filesystem storing
>> >> more than 3 datetime for each file?
>> >
>> > ExtX has MAC plus deleted time. HFS has MAC plus created and backup
>> > time. FAT has created, accessed, and modified (no changed). The
>> > easiest solution is to expand the output of fls and ils to include a
>> > creation time, which would be 0 for Ext and UFS.
>> >
>> > brian
>> >
>> If HFS has backup, and you think you're going to want to write that in
>> eventually, do you want to reserve "b" for that?