The easiest way to do this is to make a timeline using 'mactime', but
make the comma delimited format. You can do this in Autopsy and then
import the comma delimited format into Excel (or something).
brian
frman3 wrote:
> I am looking for a way to either:
> 1) list MFT entries based on the "Last MFT modification Time field" or
> 2) export all of a disk's MFT entries to a file that I can import into a
> database program and manipulate myself (So I can sort by MFT modification
> time).
>
> At worst I suppose I could write a script to run istat for each entry,
> export the results to a file which I could then parse. But the
> output does not seem to lend itself to easy importing to a database. Is
> there an easier way, or has someone else done this?
>
> Forgive me if the answer was easily available if I just knew which keywords
> to google. I am experienced with disk editing tools, but trying to make the
> plunge to the more powerful features in The Sleuthkit and still learning
> where to look for answers.
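
An added example, not part of either post and not Sleuth Kit code: once the timeline is in comma-delimited form, the sort the question asks for can be done with a short script instead of a spreadsheet. It assumes the column header `Date,Size,Type,Mode,UID,GID,Meta,File Name`, ISO 8601 dates, and that the third flag in the `Type` column (`c`) marks the MFT modification time on NTFS; the function name and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the assumed comma-delimited timeline layout.
# Type flags are positional: m (modified), a (accessed), c (changed, i.e.
# MFT modified on NTFS), b (created); "." means the flag is not set.
SAMPLE = '''Date,Size,Type,Mode,UID,GID,Meta,File Name
2004-03-02T10:15:00Z,4096,m...,r/rrwxrwxrwx,0,0,120-128-3,"/Documents/report.doc"
2004-03-02T10:15:00Z,512,..c.,r/rrwxrwxrwx,0,0,98-128-1,"/boot.ini"
2004-01-15T08:00:00Z,4096,.acb,r/rrwxrwxrwx,0,0,120-128-3,"/Documents/report.doc"
2004-02-20T23:59:59Z,2048,mac.,r/rrwxrwxrwx,0,0,77-128-4,"/notes, old.txt"
'''


def mft_changes(csv_text):
    """Return (time, meta address, file name) for every timeline row whose
    'c' flag is set, sorted by time, oldest first."""
    hits = []
    # csv handles quoted file names, including ones that contain commas.
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = row["Type"]
        if len(flags) < 3 or flags[2] != "c":
            continue  # row records some other timestamp only
        when = datetime.strptime(row["Date"], "%Y-%m-%dT%H:%M:%SZ")
        hits.append((when, row["Meta"], row["File Name"]))
    hits.sort(key=lambda hit: hit[0])
    return hits


if __name__ == "__main__":
    for when, meta, name in mft_changes(SAMPLE):
        print(when.isoformat(), meta, name)
```
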