Re: [sleuthkit-developers] MacTime Body file format
From: Brian C. <ca...@ce...> - 2005-09-12 14:36:52
'ils -m' gives the headers for each column, although those are very minimal. Many of the fields are not used by mactime and some aren't even filled in by ils or fls. This layout is from the original TCT design and I have thought about changing it... but have never gotten around to it.

1: md5
2: name
3: device number
4: Inode number
5: Mode as a number
6: Mode as a string (the human readable version of the previous number)
7: Number of links
8: UID
9: GID
10: size
11: A-time
12: M-time
13: C-time
14: Block size
15: Number of blocks

brian

On Sep 11, 2005, at 10:34 AM, Surago Jones wrote:

> Hi,
>
> I'm just looking at the body file used by MacTime and am wondering what
> the field layout is. I have checked out the MacTime Source code,
> however my C is very rusty, and I'm not sure what some of the variables
> stand for.
>
> My guess is as follows...
>
> Example Data:
>
> '0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|973693553|952452206|973386197|4096|0'
>
> Column1: 0 Assigned to $tmp, so unused??
> Column2: /usr/bin/uptime Filename
> Column3: 0 Assigned to $tmp, so unused??
> Column4: 17088 Inode
> Column5: 33133 Assigned to $tmp, so unused??
> Column6: -/-r-xr-xr-x Rights for ls listings??
> Column7: 1 Assigned to $tmp, so unused??
> Column8: 0 Think this would be User Owner ID??
> Column9: 0 Think this would be Group Owner ID??
> Column10: 0 Assigned to $tmp, so unused??
> Column11: 2836 Size of file
> Column12: 973693553 A-Time
> Column13: 952452206 M-Time
> Column14: 973386197 C-Time
> Column15: 4096 Assigned to $tmp, so unused??
> Column16: 0 Assigned to $tmp, so unused??
>
> If anyone can fill me in on what the $tmp columns may represent it would
> be appreciated. Also what the correct terming of the data contained in
> Column 6 is.
>
> This info I gathered from the source code file mactime.base, I have
> looked at the fls sourcecode however I wasn't able to understand that on
> the very quick glance I had at it.
> :) (Was mainly looking for comments or descriptive variables. :) )
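
A parser for the layout discussed in this thread, added here as an example (it is not code from The Sleuth Kit or from either poster). The sample line in the question has 16 fields while the reply names 15; the example assumes the extra tenth field is the TCT st_rdev (device type) value, and FIELDS, parse_body_line and timeline are names made up for the example.

```python
from datetime import datetime, timezone

# Field names: the 15 from the reply, plus "rdev" (assumed) at position 10
FIELDS = ("md5", "name", "dev", "inode", "mode", "mode_str", "nlink", "uid",
          "gid", "rdev", "size", "atime", "mtime", "ctime", "blksize", "blocks")
NUMERIC = set(FIELDS) - {"md5", "name", "mode_str"}

# Sample line from the question above, with the wrapped M-time rejoined
SAMPLE = ("0|/usr/bin/uptime|0|17088|33133|-/-r-xr-xr-x|1|0|0|0|2836|"
          "973693553|952452206|973386197|4096|0")


def parse_body_line(line):
    """Split one body-file record into a dict keyed by FIELDS."""
    md5, _, rest = line.rstrip("\r\n").partition("|")
    # The 14 fields after the name never contain '|', so split from the
    # right; a file name containing '|' then stays in one piece.
    parts = rest.rsplit("|", len(FIELDS) - 2)
    if len(parts) != len(FIELDS) - 1:
        raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
    rec = dict(zip(FIELDS, [md5] + parts))
    for key in NUMERIC:
        rec[key] = int(rec[key])
    return rec


def timeline(records):
    """Return (UTC time, 'm'/'a'/'c' flags, name) tuples, oldest first."""
    events = {}
    for rec in records:
        for flag in ("m", "a", "c"):
            ts = rec[flag + "time"]
            if ts > 0:  # assumption: 0 means the tool left the time unset
                events.setdefault((ts, rec["name"]), []).append(flag)
    return [(datetime.fromtimestamp(ts, timezone.utc), "".join(flags), name)
            for (ts, name), flags in sorted(events.items())]


if __name__ == "__main__":
    for when, flags, name in timeline([parse_body_line(SAMPLE)]):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), flags.ljust(3), name)
```

The numeric mode in the sample (33133, octal 100555) decodes to the same permissions as the mode string r-xr-xr-x, which is a quick consistency check on a record.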