Re: [sleuthkit-users] Timeline with Autopsy 3.05
From: <hl...@fr...> - 2013-06-17 20:58:00

Hi, Brian,

Thanks for getting back to me.

Yes, I've been in touch with Adam for the past couple of days (as a matter of fact, currently am), he's mostly helpful and I got to understand the way Timeline currently works (i.e. from the entire file system).

I guess building it on a subset could represent something useful for quite a few Autopsy users in the future as I'm probably not the only one trying to narrow down a (far too large) investigation field with a user-friendly GUI interface, à la Google Earth.

Is the Autopsy release you plan to get out tomorrow the full-fledged 3.0.6?

Thanks again for your time and attention, really appreciated,

Best,

Hervé

----- Original message -----
From: "Brian Carrier" <ca...@sl...>
To: hl...@fr...
Cc: sle...@li...
Sent: Monday 17 June 2013 22:19:23
Subject: Re: [sleuthkit-users] Timeline with Autopsy 3.05

Hello,

When you make a timeline, it is for all of the file system. We could make that a feature in the future to only build it on a subset, but currently it is the entire thing.

Adam just added a fix to help with the memory problem. He made one on his 500GB drive, so maybe that fix will help. My plan is to get the TSK release out today and Autopsy out tomorrow.

On Jun 16, 2013, at 2:24 AM, hl...@fr... wrote:

> Hi,
>
> Further to my previous question (Timeline tool working fine on a 2 Gb .dd image but not working on a 500 Gb image), I have tried several things, hoping to achieve some results, to no avail (so far), hence this new post.
>
> I have noticed that, "when it works", Timeline generates two text files, the second one, a far larger one (4 times or more larger) has the -MACTIME suffix in its name. This xxx-MACTIME (text) file has a first line that's consistent with what I could read on the various tutorials, reading "Date, Size, Type, Mode, UID, GID, Meta, File Name".
>
> The other text file generated doesn't have that line.
>
> When it doesn't work, there's only one text file generated, in my case, a 68 Mb file, regardless of the directory I select for running Timeline on.
>
> And that's my point.
> I figured by reducing the size of the directories/files to analyze, Timeline would eventually accept to "do the job" and I tried that logic, in incremental steps, until I selected a fairly small directory. The only difference was that running Timeline on it was faster, but it still created a 67Mb (single) text file (no -MACTIME suffix), and didn't trigger the Graphical mode representation.
>
> I realize Timeline is still in beta, but could one tell me what's wrong in my logic (i.e. selecting one single, smaller, directory to run Timeline on, as opposed to doing it on the complete image)?
>
> Is there a trick that I didn't grasp in the selection mode? So far, it's as if the size of the complete image ruled out any possibility to run Timeline, regardless of the size of the directory that's selected for running it.
>
> I guess I really need that function to work on the "Users" directory!
>
> Any help will be highly appreciated.
>
> Best (and happy Father's day if we're in synch on that on both sides of the pond).
>
> Hervé
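
Since the timeline is always built for the whole file system, one way to get a per-directory view is to filter the full -MACTIME text file afterwards. The sketch below is an added example, not part of the thread and not Autopsy or TSK code; it assumes comma-separated rows with the file name as the last column, and the function names and sample rows are constructed for illustration.

```python
import io

# Column names as quoted in the post for the first line of the -MACTIME file.
COLUMNS = ["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"]

def split_row(line):
    """Split on the first 7 commas only: the file name is the last column
    and may itself contain commas. Returns None for a malformed row."""
    fields = [f.strip() for f in line.rstrip("\r\n").split(",", len(COLUMNS) - 1)]
    return fields if len(fields) == len(COLUMNS) else None

def in_subtree(name, directory):
    """True if `directory` is a whole path component of `name` (assumption:
    case-insensitive match, optional quotes around the name)."""
    parts = name.strip('"').replace("\\", "/").split("/")
    return directory.casefold() in (p.casefold() for p in parts)

def filter_timeline(src, dst, directory):
    """Copy the header and the rows under `directory` from src to dst, one
    line at a time so memory stays flat. Returns (rows_kept, rows_read)."""
    header = src.readline()
    if split_row(header) != COLUMNS:
        raise ValueError("first line is not the expected MACTIME header")
    dst.write(header)
    kept = read = 0
    for line in src:
        if not line.strip():
            continue
        read += 1
        fields = split_row(line)
        if fields and in_subtree(fields[-1], directory):
            dst.write(line)
            kept += 1
    return kept, read

# Constructed sample rows (not taken from the thread or from a real case).
SAMPLE = (
    "Date,Size,Type,Mode,UID,GID,Meta,File Name\n"
    'Mon Jun 10 2013 09:15:02,4096,m...,d/drwxrwxrwx,0,0,325-144-1,"/Users/alice"\n'
    "Mon Jun 10 2013 09:15:07,1820,macb,r/rrwxrwxrwx,0,0,412-128-3,/Users/alice/notes, draft.txt\n"
    "Mon Jun 10 2013 09:16:40,262144,.a..,r/rrwxrwxrwx,0,0,98-128-1,/Windows/System32/config/SAM\n"
    "Mon Jun 10 2013 09:17:12,512,m.c.,r/rrwxrwxrwx,0,0,611-128-1,/ProgramData/Users.log\n"
)

if __name__ == "__main__":
    out = io.StringIO()
    print(filter_timeline(io.StringIO(SAMPLE), out, "Users"))
    print(out.getvalue(), end="")
```

For a real case, pass open file handles for the full -MACTIME file and the output file instead of the in-memory sample.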