mactime


mactime

by Lehr, John


Good Morning,


I’ve got a case where keyword searching led me to an installed keylogger.  I’m trying to determine how it became installed on this computer, and part of my analysis includes file date/time stamp examination.  I have created a body file with ‘fls -m’ and can create timelines with ‘mactime’, but I don’t know how to have ‘mactime’ sort based on crtime rather than mtime, for example.  I don’t see this discussed in the man page or the wiki, but I think autopsy can do this?


Can someone give me pointers on how to create timelines sorted on a mac time I specify?


Thanks,

John


PS, the fun thing about this case is that it looks like the computer owner installed this program on his own machine (firefox history shows the download/purchase link as well as some troubleshooting when the app crashed), and the key logger caught the owner in activity that helps my case.  Sort of shot himself in the foot, it appears!


_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

Re: mactime

by Brian Carrier-2



On Jul 29, 2009, at 12:16 PM, Lehr, John wrote:

> Good Morning,
>
> I’ve got a case where keyword searching led me to an installed  
> keylogger.  I’m trying to determine how it became installed on this  
> computer, and part of my analysis includes file date/time stamp  
> examination.  I have created a body file with ‘fls -m’ and can  
> create timelines with ‘mactime’, but I don’t know how to have  
> ‘mactime’ sort based on crtime rather than mtime, for example.  I  
> don’t see this discussed in the man page or the wiki, but I think  
> autopsy can do this?
>
> Can someone give me pointers on how to create timelines sorted on a  
> mac time I specify?

Hi John,

The output is sorted by all of the times, so the question seems to be  
how to only show some of the times.  Currently, there is not a feature  
to do this. You could develop a grep expression or do some other  
filtering from the comma delimited output.

brian



>
> Thanks,
> John
>
> PS, the fun thing about this case is that it looks like the computer  
> owner installed this program on his own machine (firefox history  
> shows the download/purchase link as well as some troubleshooting  
> when the app crashed), and the key logger caught the owner in  
> activity that helps my case.  Sort of shot himself in the foot, it  
> appears!


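The filtering Brian suggests, as an added example that is not part of the thread or of The Sleuth Kit: it reads `mactime -d` comma-delimited output and keeps only the rows whose MACB flags include the timestamp kind you care about (here `b`, the crtime), which gives a timeline ordered on that time because mactime's rows are already chronological. The column layout (`Date,Size,Type,Mode,UID,GID,Meta,File Name`, with `Type` holding the four-character `macb` flags) and the sample rows are assumptions constructed for the example.

```python
"""Filter a mactime -d (comma-delimited) timeline to one timestamp kind.

Assumed mactime -d layout (TSK 3.x): a header row, then
Date,Size,Type,Mode,UID,GID,Meta,File Name, where Type holds the
"macb" flags: m=modified, a=accessed, c=changed, b=born (crtime).
"""
import csv
import io
import sys

FLAG_INDEX = {"m": 0, "a": 1, "c": 2, "b": 3}

# Constructed sample, not output from a real case; mimics mactime -d.
SAMPLE = """Date,Size,Type,Mode,UID,GID,Meta,File Name
Mon Jul 27 2009 08:02:11,4096,.a..,d/drwxr-xr-x,0,0,2,/Program Files
Mon Jul 27 2009 09:15:40,1210368,m..b,r/rrwxrwxrwx,0,0,6713,/Program Files/kl/kl.exe
Mon Jul 27 2009 09:15:41,8192,..c.,r/rrwxrwxrwx,0,0,6713,/Program Files/kl/kl.exe
Tue Jul 28 2009 17:40:03,512,.a.b,r/rrwxrwxrwx,0,0,6720,/Documents and Settings/Owner/Local Settings/Temp/kl_setup.exe
"""


def filter_timeline(text, flag):
    """Return the rows (as dicts) whose Type field has `flag` set.

    mactime emits one row per distinct timestamp, already sorted, so
    keeping only rows carrying the wanted flag yields a timeline that
    is effectively sorted on that single time (crtime for flag "b").
    """
    pos = FLAG_INDEX[flag]
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        flags = row["Type"]
        # Guard against short/odd Type fields (e.g. 3-char "mac" output).
        if len(flags) > pos and flags[pos] == flag:
            rows.append(row)
    return rows


def crtime_timeline(text):
    """Convenience wrapper: rows where the timestamp is a creation time."""
    return filter_timeline(text, "b")


if __name__ == "__main__":
    # Usage: mactime -b body.txt -d | python this_script.py b
    wanted = sys.argv[1] if len(sys.argv) > 1 else "b"
    for r in filter_timeline(sys.stdin.read(), wanted):
        print(r["Date"], r["Type"], r["Meta"], r["File Name"])
```

For a one-off on the command line, `awk -F, '$3 ~ /b$/'` over the same `-d` output selects the crtime rows, since the flags sit in the third field ahead of any commas a file name might contain.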