[sleuthkit-users] Re: [sleuthkit-developers] Possible Suggestion for timeline creation in future ver
From: Brian C. <ca...@sl...> - 2005-02-16 13:50:38
I can add this to the TODO list. The basic concept can be achieved using the file name search in the File Mode, but then you can sort only on one of the times and not a full timeline.

brian

On Feb 15, 2005, at 1:24 AM, Surago Jones wrote:

> Hi all,
>
> Whilst using Autopsy, and testing with a couple different suspect images, I have found that now and again I am often running several commands from the command line to help the investigation process.
>
> One process I often complete as part of an investigation is to create a timeline of files and folders that start with a '.' (dot). I was thinking that an additional option in the 'Create Timeline' feature of Autopsy could allow an extra step to be run that would run grep to limit the timeline to certain details.
>
> For example, I run the following command to get a timeline of all '.' (dot) folders and files...
>
>     grep '\/\.' flsdatafile > fls-dotfiles.dat
>
> It would be useful if, on the 'Create Timeline' form, the user could click a button (similar to the pre-defined search options on the search form) in order to create various useful timelines. Another example would be to create a timeline of only the 'dev' folders.
>
> If this could be templated in some way, then maybe people could place/upload their own search options/template on the sleuthkit website, as whilst each investigation differs from each other, there is still some common ground.
>
> In the case of the dot files, it currently appears to be a common practice of intruders to utilise files and folders starting with a dot. Obviously, as time progresses and development on the rootkit side of things and the forensic side of things this practice may become rare as it is an easy method for identifying possible suspect files and folders.
>
> Just an idea I thought would help improve Autopsy's usability.
>
> Cheers
>
> Surago
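The templated filter the quoted message asks for, written out as a small POSIX shell script. This is an added example, not code from the thread, from The Sleuth Kit or from Autopsy. It assumes the body file uses the TSK 3.x "fls -m" layout (MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime), so the path is field 2 and the modification time is field 9; the template names (dotfiles, devdirs) and the function names are hypothetical, and the body-file lines are constructed sample data rather than output from any real image.

```shell
#!/bin/sh
# Added example, not code from the thread or from The Sleuth Kit/Autopsy:
# a templated filter over an fls body file, as the quoted message suggests,
# followed by a sort on modification time so the result reads as a timeline.
# Assumption: the body file uses the TSK 3.x "fls -m" layout
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# so the path is field 2 and mtime is field 9.

# Constructed sample body file (not data from any real image).
BODY_FILE="${TMPDIR:-/tmp}/fls-sample.$$.body"
trap 'rm -f "$BODY_FILE"' EXIT
cat > "$BODY_FILE" <<'EOF'
0|/etc/passwd|1001|r/rrw-r--r--|0|0|1442|1108400000|1108300000|1108300000|1108300000
0|/home/alice/.bash_history|2002|r/rrw-------|1000|1000|512|1108450000|1108440000|1108440000|1108440000
0|/tmp/.hidden|3003|d/drwxr-xr-x|0|0|4096|1108500000|1108490000|1108490000|1108490000
0|/tmp/.hidden/README|3004|r/rrw-r--r--|0|0|64|1108500100|1108490050|1108490050|1108490050
0|/dev/shm/scratch|4004|r/rrw-r--r--|0|0|10|1108520000|1108510000|1108510000|1108510000
0|/usr/bin/ls|5005|r/rrwxr-xr-x|0|0|84000|1108100000|1100000000|1100000000|1100000000
EOF

# Named search templates (hypothetical names). Each maps to an extended
# regular expression that is tested against the path field only, so a
# digit or mode string elsewhere on the line can never produce a match.
template_pattern() {
    case "$1" in
        dotfiles) echo '/[.]' ;;      # any path component beginning with "."
        devdirs)  echo '^/dev/' ;;    # anything under /dev
        *)        return 1 ;;         # unknown template name
    esac
}

# filter_timeline BODYFILE TEMPLATE
# Prints "mtime<TAB>path" for every matching entry, oldest first.
filter_timeline() {
    pat=$(template_pattern "$2") || return 1
    awk -F'|' -v re="$pat" '$2 ~ re' "$1" \
        | sort -t'|' -k9,9n \
        | awk -F'|' '{ print $9 "\t" $2 }'
}

# count_matches BODYFILE TEMPLATE
# Number of body-file entries the template selects.
count_matches() {
    filter_timeline "$1" "$2" | wc -l | tr -d ' '
}

# Example run: the dot-file timeline from the constructed body file.
filter_timeline "$BODY_FILE" dotfiles
```

Unlike the one-line grep in the message, which scans the whole body-file line, the awk match is restricted to the path field, so the template regexes stay simple and cannot be confused by numeric fields; adding a new template is one more case line, which is the "upload your own search template" idea in script form.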