Re: [sleuthkit-users] Timeline generation when given the mactime file
From: Adam M. <mar...@gm...> - 2014-08-21 10:43:52
Hi Brian,

Thank you for your response. I just wanted to generate the graphical representation of the timeline when given only the body file obtained from fls or the mactime file. And when I click on a bar, I'd like to see the list of files that were accessed, modified, etc. on the day corresponding to that bar, with information taken only from the mactime file. It's because I remotely run fls (or mac-robber) and mactime on machines as part of security incident response and then I'd like to visualize the file activity. I can only have the body file or a mactime file, because making an image of a 1 TB disk and transmitting it over the network is probably not a very good idea.

What information is required to be stored in the database? Could it somehow be fooled, e.g. by manually storing empty objects or something like that? Or can it be solved by writing a module?

And do you know when version 3.1.1 is planned to be released? And will it offer a higher level of zooming, e.g. hours/minutes/seconds? Because in the current version, I can only zoom to the "day level" at most.

Thank you very much.

Adam

2014-08-21 4:06 GMT+02:00 Brian Carrier <ca...@sl...>:
> Hi Adam,
>
> The body file that autopsy internally makes is not a proper body file. It
> uses one of the columns to store the file's object ID, which is from the
> Autopsy database. If you put a proper body file in there, then Autopsy
> won't be happy because it will want the object ID.
>
> The 3.1.1 release will have an entirely new timeline feature. Are you
> filtering out certain information in the body file? The new timeline has
> filtering built into it - if that will help.
>
> brian
>
>
> On Aug 20, 2014, at 7:55 AM, Adam Mariš <mar...@gm...> wrote:
>
> > Hello,
> >
> > I have a question regarding the generation of the timeline. I'm using
> > Autopsy 3.1.0_Beta2 on Windows. I have the body file and mactime file
> > generated by other means and I'd like to use Autopsy just for generating
> > the timeline when given only those files. I already fooled Autopsy just to
> > parse the given mactime file by storing the mactime file in the directory
> > of the corresponding case. The graph was drawn nicely, but information about
> > the files in the Table view was missing. This information is clearly not
> > taken only from those files; however, it would be nice to have such
> > functionality that takes only the mactime file as input and generates the
> > timeline with some reduced information in the Table view. Is it possible to do
> > something like that in Autopsy? Or is it possible to write some module that
> > would offer such functionality? Or do you know about any other simple
> > application that offers such functionality?
> >
> > Thank you very much,
> >
> > Adam
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org