Re: [sleuthkit-users] export all mft entries
From: Brian C. <ca...@sl...> - 2006-07-12 16:43:17
The easiest way to do this is to make a timeline using 'mactime', but make the comma delimited format. You can do this in Autopsy and then import the comma delimited format into Excel (or something).

brian

frman3 wrote:
> I am looking for a way to either:
> 1) list MFT entries based on the "Last MFT modification Time field" or
> 2) export all of a disk's MFT entries to a file that I can import into a
> database program and manipulate myself (So I can sort by MFT modification
> time).
>
> At worst I suppose I could write a script to run istat for each entry,
> export the results to a file which I could then parse the results. But the
> output does not seem to lend itself to easy importing to a database. Is
> there an easier way, or has someone else done this?
>
> Forgive me if the answer was easily available if I just knew which keywords
> to google. I am experienced with disk editing tools, but trying to make the
> plunge to the more powerful features in The Sleuthkit and still learning
> where to look for answers.
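
An added example, not part of the original thread and not Sleuth Kit code: a short Python script that reads the body file that `fls -m` writes and `mactime` reads, and emits a CSV sorted by the ctime column, which on NTFS is the MFT modification time. It assumes the TSK 3.x body layout shown in the comment; the sample lines are constructed, and the function names are hypothetical.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body format (assumed layout):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/boot.ini|3491-128-3|r/rrwxrwxrwx|0|0|211|1152700000|1100000000|1152720000|1090000000
0|C:/odd|name.txt|5120-128-1|r/rrwxrwxrwx|0|0|42|1152600000|1152600000|1152600500|1152600000
0|C:/Temp/deleted.doc (deleted)|7001-128-4|r/rrwxrwxrwx|0|0|0|0|0|0|0
# comment lines and malformed rows are skipped
not|a|valid|row
"""

FIELDS = ("inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime")

def parse_body(text):
    """Yield one dict per valid body-file line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        try:
            _md5, rest = line.split("|", 1)
            # Split from the right so a '|' inside the file name survives.
            name, *tail = rest.rsplit("|", len(FIELDS))
            if len(tail) != len(FIELDS):
                continue
            row = dict(zip(FIELDS, tail), name=name)
            for key in ("size", "atime", "mtime", "ctime", "crtime"):
                row[key] = int(row[key])
        except ValueError:
            continue
        yield row

def to_csv_by_mft_change(text):
    """Return CSV text sorted by ctime (MFT modification time on NTFS)."""
    # A ctime of 0 is treated here as "no timestamp" and left out.
    rows = sorted((r for r in parse_body(text) if r["ctime"] > 0),
                  key=lambda r: (r["ctime"], r["name"]))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["mft_changed_utc", "inode", "size", "name"])
    for r in rows:
        stamp = datetime.fromtimestamp(r["ctime"], tz=timezone.utc)
        writer.writerow([stamp.strftime("%Y-%m-%d %H:%M:%S"), r["inode"], r["size"], r["name"]])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv_by_mft_change(SAMPLE_BODY), end="")
```

The resulting CSV imports directly into a spreadsheet or database, with the inode column giving the MFT entry address to pass to `istat` for a closer look.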