Re: [sleuthkit-users] NTFS $FILE_NAME timeline?
From: Patrick F. <for...@ch...> - 2006-02-23 09:43:35
Brian Carrier wrote:
> I've had something to this effect in mind for a while. My initial
> solution would be to print two lines for each file in the 'ils' output,
> which defines the body file before the timeline is made. One line would
> be for STANDARD_INFO and the other would be for FILE_NAME. It's doable,
> but I was concerned that it would cause great confusion because there
> would be two m-times, two a-times, and two c-times for each file. It
> would need to be an option for special cases like you experienced.

Definitely an option. My approach to make the output less confusing was to prepend the file names of $FILE_NAME mac-times with a "*", which at least made the output readable to me.

Body example:

0|C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1140016226|1084793695|1140016169|4096|0
0|*C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1084751905|998575105|998575105|4096|0

Timeline (sorry if linewrapping makes this unclear):

Thu Aug 23 2001 15:58:25   231 m.c -/-rwxrwxrwx 48  0  12260-128-3 *C:/WINDOWS/system.ini
Mon May 17 2004 01:58:25   231 .a. -/-rwxrwxrwx 48  0  12260-128-3 *C:/WINDOWS/system.ini
Mon May 17 2004 13:34:55   231 m.. -/-rwxrwxrwx 48  0  12260-128-3 C:/WINDOWS/system.ini
Wed Feb 15 2006 16:09:29   231 ..c -/-rwxrwxrwx 48  0  12260-128-3 C:/WINDOWS/system.ini
Wed Feb 15 2006 16:10:26   231 .a. -/-rwxrwxrwx 48  0  12260-128-3 C:/WINDOWS/system.ini

Cheers,
/Patrick
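As an added example (not code from the post above nor from The Sleuth Kit), the script below parses the two body lines Patrick shows, assuming the 16-field TSK 2.x body format they follow, and renders them as a mactime-style timeline: equal m/a/c times of one record collapse into a single row with a combined flag such as "m.c", and the leading "*" is carried through so rows derived from $FILE_NAME stay distinguishable from $STANDARD_INFORMATION rows. Times are printed in UTC rather than the poster's local time, so the hours differ from the post.

```python
"""Mactime-style timeline from TSK body lines carrying both $STANDARD_INFORMATION
and $FILE_NAME times, the latter marked with a leading "*" in the name field."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample input: the two body lines quoted in the post (TSK 2.x format):
# md5|name|dev|inode|mode|mode_str|nlink|uid|gid|rdev|size|atime|mtime|ctime|blksize|blocks
BODY = """\
0|C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1140016226|1084793695|1140016169|4096|0
0|*C:/WINDOWS/system.ini|0|12260-128-3|33279|-/-rwxrwxrwx|1|48|0|0|231|1084751905|998575105|998575105|4096|0
"""


def parse_body(text):
    """Yield one record per non-empty body line; reject lines with the wrong field count."""
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 16:
            raise ValueError(f"expected 16 fields, got {len(f)}: {line!r}")
        yield {
            "name": f[1], "inode": f[3], "mode": f[5], "uid": f[7], "gid": f[8],
            "size": int(f[10]), "atime": int(f[11]), "mtime": int(f[12]), "ctime": int(f[13]),
            # The "*" prefix is the convention from the post for $FILE_NAME-derived times.
            "source": "FILE_NAME" if f[1].startswith("*") else "STANDARD_INFO",
        }


def timeline(records):
    """Return (epoch, flags, record) tuples sorted by time, one row per distinct
    timestamp of a record, with 'm', 'a', 'c' set where that time applies."""
    rows = []
    for r in records:
        by_time = defaultdict(list)
        for letter, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime")):
            by_time[r[key]].append(letter)
        for t, letters in by_time.items():
            flag = "".join(ch if ch in letters else "." for ch in "mac")
            rows.append((t, flag, r))
    rows.sort(key=lambda row: (row[0], row[2]["name"]))
    return rows


def format_row(t, flag, r, tz=timezone.utc):
    """Render one row in the column order of the post's timeline (UTC by default)."""
    when = datetime.fromtimestamp(t, tz).strftime("%a %b %d %Y %H:%M:%S")
    return f"{when} {r['size']} {flag} {r['mode']} {r['uid']} {r['gid']} {r['inode']} {r['name']}"


if __name__ == "__main__":
    for row in timeline(parse_body(BODY)):
        print(format_row(*row))
```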