[sleuthkit-users] Possible Suggestion for timeline creation in future versions of Autopsy
From: Surago J. <su...@sj...> - 2005-02-15 06:31:07
Hi all,

Whilst using Autopsy, and testing with a couple of different suspect images, I have found that now and again I am running several commands from the command line to help the investigation process. One process I often complete as part of an investigation is to create a timeline of files and folders that start with a '.' (dot).

I was thinking that an additional option in the 'Create Timeline' feature of Autopsy could allow an extra step to be run that would run grep to limit the timeline to certain details. For example, I run the following command to get a timeline of all '.' (dot) folders and files:

    grep '\/\.' flsdatafile > fls-dotfiles.dat

It would be useful if, on the 'Create Timeline' form, the user could click a button (similar to the pre-defined search options on the search form) in order to create various useful timelines. Another example would be to create a timeline of only the 'dev' folders. If this could be templated in some way, then maybe people could place/upload their own search options/templates on the sleuthkit website, as whilst each investigation differs from the others, there is still some common ground.

In the case of the dot files, it currently appears to be a common practice of intruders to utilise files and folders starting with a dot. Obviously, as time progresses and development continues on both the rootkit side of things and the forensic side of things, this practice may become rare, as it is an easy method for identifying possible suspect files and folders.

Just an idea I thought would help improve Autopsy's usability.

Cheers

Surago
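The templated timeline filters the post asks for, as an added example that is not part of the original message and not Autopsy's or The Sleuth Kit's own code. It assumes the body-file layout that `fls -m` produces in current TSK releases (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, pipe-separated, path in the second field); the sample lines, paths and inode numbers are constructed for the example. Matching on the path field rather than the whole line, and anchoring the 'dev' template at `^/dev/`, are the two refinements over a bare `grep` that a practitioner would want, and the filtered output stays in body format so it can still be fed to mactime.

```shell
#!/bin/sh
# Constructed sample body file in the layout fls -m emits
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
# Every path and timestamp here is made up for this example.
make_sample_body() {
  cat <<'EOF'
0|/home/alice/.bashrc|1201|r/rrw-r--r--|1000|1000|3771|1108000000|1108000000|1108000000|1108000000
0|/home/alice/notes.txt|1202|r/rrw-r--r--|1000|1000|120|1108000100|1108000100|1108000100|1108000100
0|/tmp/.X11-unix/.hidden|1310|r/rrwxr-xr-x|0|0|44212|1108000200|1108000200|1108000200|1108000200
0|/dev/shm/.x|1400|r/rrwxr-xr-x|0|0|9000|1108000300|1108000300|1108000300|1108000300
0|/dev/null|1401|c/crw-rw-rw-|0|0|0|1108000400|1108000400|1108000400|1108000400
0|/usr/share/devhelp/book.txt|1500|r/rrw-r--r--|0|0|2048|1108000500|1108000500|1108000500|1108000500
0|/usr/share/dict/words.dot|1501|r/rrw-r--r--|0|0|4953680|1108000600|1108000600|1108000600|1108000600
EOF
}

# Apply a named filter template to body-format lines on stdin.
# Matching lines are passed through unchanged, so the result is still
# a valid body file for mactime.  Only the path field ($2) is tested,
# so a pattern can never match by accident in another column.
filter_timeline() {
  case "$1" in
    # any path component that begins with a dot (".bashrc", "/.x/")
    dotfiles) awk -F'|' '$2 ~ /\/\./' ;;
    # entries under /dev only; an unanchored "dev" would also catch
    # /usr/share/devhelp and similar
    dev)      awk -F'|' '$2 ~ /^\/dev\//' ;;
    *)        echo "unknown template: $1" >&2; return 2 ;;
  esac
}

# Number of sample entries a template keeps; used to check the templates.
count_matches() {
  make_sample_body | filter_timeline "$1" | wc -l | tr -d ' '
}

# Stand-alone demonstration: show what each template keeps.
for tpl in dotfiles dev; do
  echo "== template: $tpl =="
  make_sample_body | filter_timeline "$tpl"
done
```

Adding a new template is a matter of adding one `case` branch; in practice the matched body file would then be handed to `mactime -b` exactly as the unfiltered one is.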