'Re: [sleuthkit-users] mactime'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sleuthkit-users
Subject:    Re: [sleuthkit-users] mactime
From:       Brian Carrier <carrier () sleuthkit ! org>
Date:       2009-08-18 18:21:13
Message-ID: EB6EEAD0-5C16-4F6C-9155-F8A56101E0F4 () sleuthkit ! org
[Download RAW message or body]


On Jul 29, 2009, at 12:16 PM, Lehr, John wrote:

> Good Morning,
>
> I’ve got a case where keyword searching led me to an installed  
> keylogger.  I’m trying to determine how it became installed on this  
> computer, and part of my analysis includes file date/time stamp  
> examination.  I have created a body file with ‘fls –m’ and can  
> create timelines with ‘mactime’, but I don’t know how to have  
> ‘mactime’ sort based on crtime rather than mtime, for example.  I  
> don’t see this discussed in the man page or the wiki, but I think  
> autopsy can do this?
>
> Can someone give me pointers on how to create timelines sorted on a  
> mac time I specify?

Hi John,

The output is sorted by all of the times, so the question seems to be  
how to only show some of the times.  Currently, there is not a feature  
to do this. You could develop a grep expression or do some other  
filtering from the comma delimited output.

brian



>
> Thanks,
> John
>
> PS, the fun thing about this case is that it looks like the computer  
> owner installed this program on his own machine (firefox history  
> shows the download/purchase link as well as some trouble shooting  
> when the app crashed), and the key logger caught the owner in  
> activity that helps my case.  Sort of shot himself in the foot, it  
> appears!
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july_______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic