[sleuthkit-users] Understanding timeline of FAT12 - Help with Autopsy
From: Roberto <ra...@ne...> - 2007-06-16 18:23:10
Hello,

First of all, excuse me for my poor and wrong English. I'm new to Autopsy: I'm analyzing a .img file of a FAT12 partition and I'm trying to figure out how I must read the timeline. The partition contains only a few deleted directories and files.

There's a kind of *division* in the timeline's output: I firstly can see a starting date with "00:00:00" as time and all deleted files and directories marked as "a" (and I've understood that FAT only records the last access date and not the time, ok); then, at the end of these lines, I can see the same deleted files and directories (but not in the same order) marked as "m" and "c". The date is the same (because it seems that all events happened on the same day) but the time progressively changes (1st file: 12:30:01; 2nd file: 12:30:22; 3rd file: 12:31:10; and so on...) showing the timeline of events.

Well, I can't understand some things:

1) Since all files/dirs were deleted, are the marks "c" and "m" that show the moment of the erasing operation, or what? I can't understand the mark "c" that in FAT means "created", since I'm supposing that files/dirs were already created before the erasing operation.

2) I can't understand the mark "m" that means "modified" and makes sense only under a Unix file system. Autopsy's help file says that FAT has these times: "written", "accessed" and "created". But the timeline's output doesn't show any "w" mark and just "m" instead: should I consider it as the same as "written" for FAT? If yes, since the files/dirs were deleted, does "m" mean that they were deleted? Or maybe "c" and "m" together mean that, as I've supposed above?

3) If that shows the erasing moment of these files/dirs, then I can't understand the absurdity of the events sequence: since I see entries like a dir erased at 12:40:00 and its subdir erased about one minute later.. at 12:40:59.. how is it possible? The same thing with files: first I see a dir erased (well, if "m" and "c" mean erased) then, some minutes later, I see the contained files erased...

Can someone please help me to understand the timeline's output for a FAT12 partition? Maybe my questions are quite stupid but I'm very new to Autopsy and timelines. I hope I was able to correctly explain my doubts; if necessary I can send the timeline's output.

Thank you in advance for your kind help!
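As an added illustration (not part of the thread and not Autopsy or Sleuth Kit code), the Python below decodes the three timestamps stored in a 32-byte FAT directory entry from a constructed sample. It shows why a last-access stamp can only ever be placed at 00:00:00 (FAT stores a date with no time field for it), that the written time has 2-second resolution, and that marking an entry deleted changes only its first byte, so none of the three stamps records the deletion itself.

```python
import struct
from datetime import date, datetime, time

def fat_date(raw):
    """16-bit FAT date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)

def fat_time(raw, tenths=0):
    """16-bit FAT time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2.
    The creation stamp adds a byte of 0-199 hundredths to recover the odd second."""
    hour, minute = raw >> 11, (raw >> 5) & 0x3F
    second = (raw & 0x1F) * 2 + tenths // 100
    return time(hour, minute, second, (tenths % 100) * 10000)

def decode_dirent(entry):
    """Return the deleted flag and created/accessed/written stamps of one 32-byte entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    # offsets 0x0D..0x19: CrtTimeTenth, CrtTime, CrtDate, LstAccDate, (FstClusHI), WrtTime, WrtDate
    crt_tenth, crt_time, crt_date, acc_date, wrt_time, wrt_date = \
        struct.unpack_from("<BHHHxxHH", entry, 0x0D)
    return {
        # deleting a file only overwrites byte 0 with 0xE5; no stamp records the deletion
        "deleted": entry[0] == 0xE5,
        "created": datetime.combine(fat_date(crt_date), fat_time(crt_time, crt_tenth)),
        # last access is a date only: there is no time field, so it can only be shown at midnight
        "accessed": datetime.combine(fat_date(acc_date), time(0, 0, 0)),
        "written": datetime.combine(fat_date(wrt_date), fat_time(wrt_time)),
    }

# Constructed sample (not from the thread): deleted "REPORT.TXT", created 2007-06-16 12:30:01,
# last accessed 2007-06-16, last written 2007-06-16 12:40:58, 1024 bytes starting at cluster 2.
SAMPLE = (b"\xE5EPORT  TXT" + b"\x20\x00" +
          struct.pack("<BHHHHHHHI", 100, 0x63C0, 0x36D0, 0x36D0, 0, 0x651D, 0x36D0, 2, 1024))

if __name__ == "__main__":
    for key, value in decode_dirent(SAMPLE).items():
        print(f"{key:9}: {value}")
```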