Re: [sleuthkit-users] NTFS $FILE_NAME timeline?
From: Brian C. <ca...@sl...> - 2006-02-23 04:08:41
On Feb 22, 2006, at 3:11 AM, Patrick Forsberg wrote:

> Hi there.
>
> I have a question (and possibly a feature request for fls)
>
> I've been analyzing a couple of NTFS file systems where the MFT
> MAC-times haven't been enough to get a good timeline, whereas looking at
> the $FILE_NAME MAC-times have. Unfortunately I cannot find a way of
> generating a timeline for $FILE_NAME attributes so I had to write a
> rather slow script using istat on every MFT entry. Is there another way
> or possibly a chance of getting added functionality to sleuthkit?

I've had something to this effect in mind for a while. My initial solution would be to print two lines for each file in the 'ils' output, which defines the body file before the timeline is made. One line would be for STANDARD_INFO and the other would be for FILE_NAME. It's doable, but I was concerned that it would cause great confusion because there would be two m-times, two a-times, and two c-times for each file. It would need to be an option for special cases like you experienced.

brian
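The two-lines-per-file idea discussed above, as an added example that is not code from this thread or from The Sleuth Kit: it pulls both the $STANDARD_INFORMATION and the $FILE_NAME timestamps out of one MFT entry, emits a body-file line for each, and flags the $SI-created-before-$FN inconsistency that makes the second set valuable to a defender when $SI stamps have been tampered with. The body-file field layout (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime) and the " ($FILE_NAME)" name suffix are assumed to follow later TSK releases; the MFT record is constructed inline and is not from any real image.

```python
import struct

TICKS_1601_TO_1970 = 116444736000000000  # 100 ns FILETIME ticks between the two epochs
TIMES = ("crtime", "mtime", "ctime", "atime")  # NTFS order: created, modified, MFT-changed, accessed

def filetime_to_unix(ft): return (ft - TICKS_1601_TO_1970) // 10_000_000

def parse_mft_times(record):
    """Walk the resident attributes of one MFT entry; return ($SI times, $FN times, name, size)."""
    si, fn, name, size = None, None, "", 0
    off = struct.unpack_from("<H", record, 0x14)[0]       # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:             # end-of-attributes marker
            break
        if record[off + 8] == 0:                         # resident: content length/offset at +0x10/+0x14
            clen, coff = struct.unpack_from("<IH", record, off + 0x10)
            body = record[off + coff: off + coff + clen]
            if atype == 0x10:                            # $STANDARD_INFORMATION
                si = dict(zip(TIMES, map(filetime_to_unix, struct.unpack_from("<4Q", body, 0))))
            elif atype == 0x30:                          # $FILE_NAME: parent ref, then the same four stamps
                fn = dict(zip(TIMES, map(filetime_to_unix, struct.unpack_from("<4Q", body, 8))))
                size = struct.unpack_from("<Q", body, 0x30)[0]
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return si, fn, name, size

def body_lines(inode, si, fn, name, size):
    """Two body-file lines per file: one from $SI, one from $FN (suffix assumed as in later fls -m output)."""
    def line(suffix, t):
        return f"0|{name}{suffix}|{inode}|r/rrwxrwxrwx|0|0|{size}|{t['atime']}|{t['mtime']}|{t['ctime']}|{t['crtime']}"
    return [line("", si), line(" ($FILE_NAME)", fn)]

# $FN stamps are written by the kernel on create/rename/move; an $SI creation earlier than $FN is a classic inconsistency.
def si_created_before_fn(si, fn): return si["crtime"] < fn["crtime"]

def _resident_attr(atype, content):
    alen = (0x18 + len(content) + 7) & ~7                # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(alen, b"\0")

def build_sample_record():
    """Constructed 1024-byte MFT entry: $FN says created 2006-02-01, $SI backdated to 2005-01-01 (not real data)."""
    ft = lambda ts: ts * 10_000_000 + TICKS_1601_TO_1970
    si = struct.pack("<4Q", ft(1104537600), ft(1104537600), ft(1138752000), ft(1104537600))
    fname = "report.docx".encode("utf-16-le")
    fn = struct.pack("<Q4QQQII", 5, *[ft(1138752000)] * 4, 4096, 2048, 0, 0) + bytes([len(fname) // 2, 3]) + fname
    hdr = bytearray(0x38); hdr[0:4] = b"FILE"; struct.pack_into("<H", hdr, 0x14, 0x38)
    return (bytes(hdr) + _resident_attr(0x10, si) + _resident_attr(0x30, fn) + b"\xff" * 4).ljust(1024, b"\0")
```

Feeding `parse_mft_times(build_sample_record())` into `body_lines` gives the $SI line and the $FN line for the same inode, and `si_created_before_fn` on the two dicts returns the indicator a timeline reviewer would want highlighted.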