Re: [sleuthkit-users] mactime output help
From: Willi B. <wil...@gm...> - 2012-05-07 17:59:56
Hi Raed,

The timeline entry you highlighted is for the birth timestamp of the file "/home/ABC"; however, the Ext3 filesystem does not track the creation (or "birth") timestamp for files and directories. So, the Sleuthkit has included a timestamp entry with the default date of the Unix epoch (January 1, 1970 GMT).

You can tell what type of timestamp you are looking at by reviewing the third column: each character is a flag, and if set, it is one of "macb" for "modified", "accessed", "changed", or "birthed". Here, it is just "...b" so we know it is a birth timestamp only.

During my analyses of Ext3 filesystems, I ignore birth timestamps because they are meaningless.

Willi

On Mon, May 7, 2012 at 1:34 PM, Raed Abusanad <rae...@ho...> wrote:
> Hello,
>
> I am new to SleuthKit.
> I have been analysing an image of a flash disk. The disk was running Debian
> Linux. The home directory is a separate partition and it's ext3 within the
> same disk.
> I created a mactime timeline using the following commands for the /home
> partition:
>
> fls -o XXXXX -m /home -r image.dd > body.txt
> ils -o XXXXX -m image.dd >> body.txt
> mactime -d -b body.txt > time.txt
>
> My question is:
> Some entries, let's say file ABC in the time.txt lines, appear with the
> date Dec 12, 1969 and further down the same file ABC appears with a
> proper date.
>
> e.g.
> Wed Dec 31 1969 11:00:00 5102 ...b r/rrw-r--r-- 1000 1000 7818 /home/ABC
>
> What does this mean in terms of analysis? Why does the date change?
>
> Thanks
>
> Raed
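To make the "macb" column and the epoch-dated "...b" row concrete, here is an added example (written for this page; it is not code from the thread, from Willi, or from The Sleuth Kit) that re-implements the core of what mactime does with a body file: it groups each file's four timestamps by value, sets the m/a/c/b letters for every type that shares a value, and optionally drops rows whose only flag is a birth time of 0. It assumes the TSK 3.x body-file layout that fls -m and ils -m emit (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime); the two body lines in BODY_SAMPLE are constructed for the demonstration, with crtime set to 0 as an Ext3 image would produce, and the drop_zero_birth filter is this example's own knob, not a mactime option.

```python
"""Re-implement mactime's "macb" flag logic over a TSK body file.

Added example, not part of the mailing-list thread or of The Sleuth Kit.
Assumes the TSK 3.x body-file layout produced by fls -m / ils -m:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
and shows why an Ext3 entry whose crtime is 0 yields a lone "...b" row
dated at the Unix epoch, and how an analyst can drop such rows.
"""
import time
from collections import defaultdict

# Constructed sample input: two Ext3 entries in body-file format.
# Timestamps are epoch seconds; crtime is 0 because Ext3 keeps no birth time.
BODY_SAMPLE = """\
0|/home/ABC|7818|r/rrw-r--r--|1000|1000|5102|1336310000|1336309000|1336309000|0
0|/home/.bash_history|7819|r/rrw-------|1000|1000|212|1336311000|1336311000|1336311500|0
"""

FLAG_ORDER = "macb"  # mactime column order: modified, accessed, changed, birth
BODY_FIELD_INDEX = {"a": 7, "m": 8, "c": 9, "b": 10}  # body-file field positions


def parse_body(text):
    """Yield (name, inode, mode, uid, gid, size, {flag: epoch}) per body line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError("unexpected body-file line: %r" % line)
        times = {flag: int(fields[idx]) for flag, idx in BODY_FIELD_INDEX.items()}
        yield fields[1], fields[2], fields[3], fields[4], fields[5], fields[6], times


def build_timeline(text, drop_zero_birth=False):
    """Return mactime-style rows: (epoch, size, macb, mode, uid, gid, inode, name).

    One row per distinct timestamp value of each file; the macb column gets a
    letter for every timestamp type sharing that value, as mactime prints it.
    drop_zero_birth (this example's own option) suppresses rows whose only
    flag is a birth time of 0, i.e. the meaningless Ext3 "...b" epoch rows.
    """
    rows = []
    for name, inode, mode, uid, gid, size, times in parse_body(text):
        by_value = defaultdict(set)
        for flag, ts in times.items():
            by_value[ts].add(flag)
        for ts, flags in by_value.items():
            if drop_zero_birth and ts == 0 and flags == {"b"}:
                continue
            macb = "".join(f if f in flags else "." for f in FLAG_ORDER)
            rows.append((ts, size, macb, mode, uid, gid, inode, name))
    rows.sort(key=lambda r: (r[0], r[7]))
    return rows


def format_row(row):
    """Render a row the way mactime prints it, with the date in UTC."""
    stamp = time.strftime("%a %b %d %Y %H:%M:%S", time.gmtime(row[0]))
    return " ".join([stamp] + [str(x) for x in row[1:]])


if __name__ == "__main__":
    print("--- full timeline (epoch-dated '...b' rows present) ---")
    for row in build_timeline(BODY_SAMPLE):
        print(format_row(row))
    print("--- Ext3 birth rows dropped ---")
    for row in build_timeline(BODY_SAMPLE, drop_zero_birth=True):
        print(format_row(row))
```

Running it shows /home/ABC three times: a "...b" row at Thu Jan 01 1970 00:00:00 (the epoch; mactime shows it as Dec 31 1969 when it applies a timezone west of GMT), an "m.c." row where mtime and ctime coincide, and an ".a.." row for the later access. To apply the same filter to a real image, replace BODY_SAMPLE with the contents of the body.txt produced by fls -m and ils -m.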