Re: [sleuthkit-users] File List
From: Billy P. <bg...@gm...> - 2015-02-23 04:10:35
slo - I think I am looking at needing more than just the partitions, but thanks.

Brian - I am not sure what you mean, but I think Patrick is explaining.

Patrick - Thanks. I will take a look. Not exactly the "format" I was looking for, but if I can get it into Excel and everything has its own column, then I can move it around. (Although I was hoping the path and the filename would be separate - or a separate column with just the filename.) I will check out your link. Thanks.

On Sun, Feb 22, 2015 at 7:57 PM, Patrick Olsen <pat...@sy...> wrote:

> You can use fls or tsk_gettimes.
>
> I've also written a few blog posts on using TSK. Hopefully they help out
> some: https://sysforensics.org/?s=The+Sleuth+Kit+Part&searchsubmit=Search
>
> Here are a couple quick examples I did on my mac quickly.
>
>     sudo tsk_gettimes /dev/disk0s3
>
>     sudo fls -r -m "/" -f hfs /dev/disk0s3
>
> 0|/System/Library/CoreServices/pgpboot.efi|510|r/rrw-r--r--|0|0|1093702|1419478190|1419478190|1419478190|1419478190
> 0|/System/Library/CoreServices/pgpcontents.tar|511|r/rrw-r--r--|0|0|4686336|1419478190|1419478190|1419478190|1419478190
> 0|/System/Library/CoreServices/PlatformSupport.plist|508|r/rrw-r--r--|0|0|4694|1419478190|1419478190|1419478190|1419478190
> 0|/System/Library/CoreServices/SystemVersion.plist|507|r/rr--r--r--|0|0|478|1419478190|1419478190|1419478190|1419478190
> 0|/^^^^HFS+ Private Data|18|d/d---------|0|0|0|1392702170|1392702170|1392702170|1392702170
>
> Then you could do:
>
>     sudo fls -r -m "/" -f hfs /dev/disk0s3 |mactime -b
>
> Xxx Xxx 00 0000 00:00:00   8388608 .ac. r/r--------- 0 0 16 /.journal
>                               4096 .ac. r/r--------- 0 0 17 /.journal_info_block
> Fri Sep 27 2013 21:56:00      4530 m..b r/rrw-r--r-- 0 0 79 /com.apple.recovery.boot/PlatformSupport.plist
> Wed Oct 02 2013 12:01:32      4530 .a.. r/rrw-r--r-- 0 0 79 /com.apple.recovery.boot/PlatformSupport.plist
> Sat Oct 05 2013 01:39:23       476 m..b r/rr--r--r-- 0 0 78 /com.apple.recovery.boot/SystemVersion.plist
> Sat Oct 05 2013 02:56:19  16538164 m..b r/rrw-r--r-- 0 0 76 /com.apple.recovery.boot/kernelcache
> Sat Oct 05 2013 03:05:21  16538164 .a.. r/rrw-r--r-- 0 0 76 /com.apple.recovery.boot/kernelcache
> Sat Oct 05 2013 03:06:38 482596302 m..b r/rrw-r--r-- 0 0 77 /com.apple.recovery.boot/BaseSystem.dmg
>
> On Sun, Feb 22, 2015 at 10:36 PM, Billy Pronovost <bg...@gm...> wrote:
>
>> Hi all...
>>
>> I am still fairly new to Sleuthkit, but I am learning more and more
>> every day. I am wondering if there is any way to export a file listing (like
>> a csv) containing details like MAC, Filename, extension, etc. The idea here
>> is to be able to include this information in a report.
>>
>> Thanks,
>>
>> Billy
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
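The spreadsheet export asked about in this thread, as an added example that is not code from the posters or from The Sleuth Kit: it converts `fls -m` body-file lines into CSV with directory, filename and extension in separate columns and the four timestamps as UTC. The function names, the column layout and the leading-apostrophe guard for cells that begin with `=`, `+`, `-` or `@` are choices made for this example.

```python
import csv
import io
import posixpath
from datetime import datetime, timezone

# Column order of the body file that `fls -m` writes (TSK 3.x format).
FIELDS = "md5 path inode mode uid gid size atime mtime ctime crtime".split()
COLUMNS = ["directory", "filename", "extension"] + FIELDS[2:] + ["md5"]

def iso_utc(epoch):
    """Epoch seconds -> ISO 8601 UTC; 0 (time not set) becomes an empty cell."""
    n = int(epoch)
    return datetime.fromtimestamp(n, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ") if n else ""

def excel_safe(text):
    """File names come from the evidence and are untrusted: stop Excel treating them as formulas."""
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def parse_line(line):
    """Split one body-file line; rsplit keeps a '|' inside the file name intact."""
    md5, rest = line.rstrip("\r\n").split("|", 1)
    path, *tail = rest.rsplit("|", 9)
    row = dict(zip(FIELDS, [md5, path, *tail]))
    for key in FIELDS[7:]:
        row[key] = iso_utc(row[key])
    row["directory"] = posixpath.dirname(path)
    row["filename"] = posixpath.basename(path)
    row["extension"] = posixpath.splitext(row["filename"])[1]
    return row

def bodyfile_to_csv(lines):
    """Return CSV text, one row per body-file line, malformed lines skipped."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, extrasaction="ignore")
    writer.writeheader()
    for line in lines:
        if line.count("|") >= 10:
            row = parse_line(line)
            writer.writerow({k: excel_safe(v) for k, v in row.items()})
    return out.getvalue()

# Two lines from the fls output quoted in the thread, plus one constructed line.
SAMPLE = [
    "0|/System/Library/CoreServices/pgpcontents.tar|511|r/rrw-r--r--|0|0|4686336|1419478190|1419478190|1419478190|1419478190",
    "0|/^^^^HFS+ Private Data|18|d/d---------|0|0|0|1392702170|1392702170|1392702170|1392702170",
    "0|/tmp/=1+1|a.txt|99|r/rrw-r--r--|0|0|12|0|1419478190|0|0",  # constructed
]
if __name__ == "__main__":
    print(bodyfile_to_csv(SAMPLE), end="")
```

The apostrophe guard alters the cell text, so keep the original body file alongside the CSV when the listing goes into a report.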