[sleuthkit-developers] Generate files reports with more data attributes for each file
From: Hoel S. <hoe...@gm...> - 2018-09-10 19:45:05
Hello,

It is my first message on the sleuthkit-developers mailing list, and I am also new to the Autopsy / sleuthkit environment in general (I don't even know if I should post here for what I want). Also, I intend to use Autopsy only for personal purposes on my own data, so not really for forensics reasons. Also, English is not my native language (I am French), so pardon my mistakes if you find some ;)

I am using Autopsy 4.8.0 on Windows (7 and 10).

So I would like to know if it is possible to generate file reports (in CSV or text format) for entire NTFS volumes with all 4 NTFS timestamps (created, modified, MFT modified and accessed), for the core files but also for the corresponding filenames (hardlinks). Because each different file name (hardlink) of an NTFS file has its own set of 4 timestamps and they do not reflect exactly the core 4 timestamps of the file.

Also, I would like to have the possibility to report for each file its MFT entry (ref), parent folder's ref, record sizes, number of hardlinks, etc. Actually, this is the information that is displayed in the "File Metadata" of the result tab for each file.

I didn't find a way to do that in the regular Autopsy interface; for example, there are only 3 timestamps reportable (Last Accessed, File Created, Last Modified). If it is not possible in a regular report, I think it might be possible by doing some custom report module, but I don't know how to do that either.

I ask this because in my NTFS volumes I classify many files with multiple hardlinks (per file), and I need to create reports of the folder/file structures with the maximum of information about the files themselves and their individual hardlinks (file names) and the relations between them.

So do you think what I ask is possible, and how? If we must create a report module for that, can someone help me to do one?

Thanks in advance,
Regards
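
The per-name data asked about above is stored in each name's `$FILE_NAME` attribute. The following is an added example, not part of the original message and not Autopsy or Sleuth Kit code: it parses the standard `$FILE_NAME` attribute layout and writes one CSV row per name. All function names are hypothetical and the sample attribute bytes are constructed.

```python
import csv, io, struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)  # FILETIME origin (UTC)

def filetime_to_iso(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601) to ISO 8601 UTC."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).isoformat() + "Z"

def to_filetime(dt):
    """Inverse helper, used only to build the constructed sample data."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000

def parse_file_name_attr(body):
    """Parse the content of one resident $FILE_NAME attribute."""
    parent_ref, crt, mod, mft, acc = struct.unpack_from("<QQQQQ", body, 0)
    name_len, namespace = struct.unpack_from("<BB", body, 64)
    name = body[66:66 + 2 * name_len].decode("utf-16-le")
    return {
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,  # low 48 bits of the reference
        "parent_seq": parent_ref >> 48,               # high 16 bits of the reference
        "name": name, "namespace": namespace,
        "fn_created": filetime_to_iso(crt), "fn_modified": filetime_to_iso(mod),
        "fn_mft_modified": filetime_to_iso(mft), "fn_accessed": filetime_to_iso(acc),
    }

def build_file_name_attr(parent_entry, parent_seq, times, name):
    """Build a constructed $FILE_NAME body (sizes and flags left as zero)."""
    ref = (parent_seq << 48) | parent_entry
    head = struct.pack("<QQQQQQQII", ref, *times, 0, 0, 0, 0)
    return head + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le")

def report_csv(mft_entry, bodies):
    """One CSV row per $FILE_NAME attribute (DOS short names also have one)."""
    rows = [dict(mft_entry=mft_entry, fn_attr_count=len(bodies),
                 **parse_file_name_attr(b)) for b in bodies]
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=list(rows[0]))
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()

# Constructed sample: MFT entry 1234 with two names in different folders.
T1 = to_filetime(datetime(2018, 9, 10, 19, 45, 5))
T2 = to_filetime(datetime(2018, 9, 11, 8, 0, 0))
SAMPLE = [build_file_name_attr(40, 1, (T1, T1, T1, T1), "report.txt"),
          build_file_name_attr(57, 3, (T2, T2, T2, T2), "alias.txt")]
```

Calling `report_csv(1234, SAMPLE)` returns a header line and two rows, one per name, each with its own parent reference and four timestamps.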