SYNOPSIS
mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour)
index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
DESCRIPTION
mactime creates an ASCII time line of file activity based on the body
file specified by '-b' or from STDIN. The time line is written to STD-
OUT. The body file must be in the time machine format that is created
by 'ils -m', 'fls -m', or the mac-robber tool.
ARGUMENTS
-b body
Specify the location of a body file. This file must be gener-
ated by a tool such as 'fls -m' or 'ils -m'. The 'mac-robber'
and 'grave-robber' tools can also be used to generate the file.
-g group file
Specify the location of the group file. mactime will display
the group name instead of the GID if this is given.
-p password file
Specify the location of the passwd file. mactime will display
the user name instead of the UID of this is given.
-i day|hour index file
Specify the location of an index file to write to. The first
argument specifies the granularity, either an hourly summary or
daily. If the '-d' flag is given, then the summary will be
seperated by a ',' to import into a spread sheet.
-d Display timeline and index files in comma delimited format.
This is used to import the data into a spread sheet for presen-
tations or graphs.
-h Display header info about the session including time range,
input source, and passwd or group files.
-V Display version to STDOUT.
-m The month is given as a number instead of name.
-y The date range is given with the year first.
-z TIME_ZONE
The timezone from where the data was collected. The name of
this argument is system dependent (examples include EST5EDT,
GMT+1).
DATE_RANGE
The range of dates to make the time line for. The standard for-
mat is yyyy-mm-dd for a starting date and no ending date. For an
ending date, use yyyy-mm-dd..yyyy-mm-dd.
AUTHOR
Brian Carrier <carrier at sleuthkit dot org>
Send documentation updates to <doc-updates at sleuthkit dot org>
|
