Re: [sleuthkit-users] Timeline generation when given the mactime file
From: Brian C. <ca...@sl...> - 2014-08-21 02:06:55
Hi Adam,

The body file that Autopsy internally makes is not a proper body file. It uses one of the columns to store the file's object ID, which is from the Autopsy database. If you put a proper body file in there, then Autopsy won't be happy because it will want the object ID.

The 3.1.1 release will have an entirely new timeline feature. Are you filtering out certain information in the body file? The new timeline has filtering built into it - if that will help.

brian

On Aug 20, 2014, at 7:55 AM, Adam Mariš <mar...@gm...> wrote:

> Hello,
>
> I have a question regarding the generation of the timeline. I'm using Autopsy 3.1.0_Beta2 on Windows. I have the body file and mactime file generated by other means and I'd like to use Autopsy just for generating the timeline when given only those files. I already fooled Autopsy just to parse the given mactime file by storing the mactime file in the directory of the corresponding case. The graph was drawn nicely, but information about the files in Table view was missing. This information is clearly not taken only from those files; however, it would be nice to have such functionality that takes only the mactime file as input and generates the timeline with some reduced information in Table view. Is it possible to do something like that in Autopsy? Or is it possible to write some module that would offer such functionality? Or do you know about any other simple application that offers such functionality?
>
> Thank you very much,
>
> Adam
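For the standalone case asked about in the thread (a reduced timeline from a body file alone, with no Autopsy database), the following is an added example and not code from Autopsy, The Sleuth Kit, or either poster. It assumes the standard TSK 3.x body file column order (not Autopsy's internal variant with the object ID), and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Standard TSK 3.x body file columns, in order (assumed input format).
FIELDS = ["md5", "name", "inode", "mode", "uid", "gid",
          "size", "atime", "mtime", "ctime", "crtime"]
# mactime-style flag letter for each timestamp column.
FLAGS = {"mtime": "m", "atime": "a", "ctime": "c", "crtime": "b"}

def parse_body_line(line):
    """Split one body-file line into a dict; return None if malformed."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) < len(FIELDS):
        return None
    # A file name may itself contain '|': the first column and the last
    # nine are fixed, so everything in between is the name.
    name = "|".join(parts[1:-9])
    rec = dict(zip(FIELDS, [parts[0], name] + parts[-9:]))
    try:
        for key in ("size", *FLAGS):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def timeline(lines):
    """Return sorted (epoch, 'macb' flags, size, name) rows."""
    events = defaultdict(set)
    for line in lines:
        rec = None if line.startswith("#") else parse_body_line(line)
        if rec is None:
            continue  # skip comments and malformed lines
        for col, flag in FLAGS.items():
            if rec[col] > 0:  # 0 means the timestamp is not set
                events[(rec[col], rec["name"], rec["size"])].add(flag)
    return sorted((ts, "".join(f if f in fl else "." for f in "macb"), size, name)
                  for (ts, name, size), fl in events.items())

# Constructed sample input: two valid entries and one malformed line.
SAMPLE = [
    "0|/Users/test/report.docx|1234-128-1|r/rrwxrwxrwx|0|0|20480|1408500000|1408400000|1408400000|1408300000",
    "0|/Windows/odd|name.txt|99-128-1|r/rrwxrwxrwx|0|0|12|0|1408450000|0|0",
    "not a body line",
]

if __name__ == "__main__":
    for ts, macb, size, name in timeline(SAMPLE):
        when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        print(f"{when} {size:>8} {macb} {name}")
```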