I feel like this is a dumb question but I've been doing the same tedious process for every investigation I work on. Is there a way to get the directory listing with all timestamps in the format that Autopsy does via the web browser? Right now I select all, copy to a text editor in plain text format and then I have to copy that into my spreadsheet. It's really tedious and time consuming but this is the best format for use in my reports. I know there are other 3rd party tools out there but that just makes it even more tedious because I usually browse in Autopsy or FTK Imager so I would then have to browse in ANOTHER tool to make exports if I used a 3rd party tool. I know forensics is all about different tools that do certain tasks best but if I could simplify this process it would make my report creation a lot easier.
Thanks
You can do this with FTK Imager…the dir listing will give you the MAC times. Or you can use fls.exe from the TSK tools (same site as Autopsy) to get the MACB times.
The "export directory listing" option is disabled in my FTK Imager. Does this require the purchase of a license/dongle?
There is no additional license required. What type of evidence do you have loaded?
Just an image of an NTFS formatted drive. Trying to export directory listings of various folders.
Just noticed it allows me to export only when highlighting the partition or the volume name… but not individual folders. That is weird. I don't need the directory listing of the entire drive.
Just ran an export of the entire drive in FTK Imager for giggles. Looks like crap. Can't use that output format. I need it broken down exactly how Autopsy displays it in its web interface. FTK outputs 1 gigantic file and can only do so from the top level. Is Autopsy using fls on the backend to output the view that I see in the web browser? There's got to be something easier.
What I'd like is a spreadsheet showing the current folder/path on the top and then listing the files within that dir below… with columns for filename, size, created, modified and accessed.
dj_chiro,
Sorry to hear that didn't work for you…I think things would have been easier if you'd listed your requirements earlier.
So you can't import the data into a spreadsheet? I had a similar issue, so I wrote some code to re-arrange the output to meet my needs.
Thanks for the suggestions. It's my fault for not being specific. I think for now I will continue to copy/paste the data from the Autopsy web page and into a blank spreadsheet. This does require the deleting of some columns which adds to the extra work. Maybe when I have some more time (yeah right) I can figure out a more automated solution.
It's really not that hard…but if that's the way you want to do it, it's your engagement/work. Good luck.
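One way to do the rearranging discussed in this thread, as an added example that is not code from any of the posters: it regroups `fls` body-file output into one block per folder with the requested columns. The `fls` invocation in the comment, the image name, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from posixpath import basename, dirname

# Constructed sample of body-file output, e.g. from `fls -r -m C: image.dd`
# (hypothetical image name). TSK 3.x layout, 11 pipe-separated fields:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|C:/Users/jdoe/Documents/report.docx|4021-128-1|r/rrwxrwxrwx|0|0|24576|1262304000|1262307600|1262307600|1262300400
0|C:/Users/jdoe/Documents/notes.txt|4022-128-1|r/rrwxrwxrwx|0|0|512|1262390400|1262394000|1262394000|1262386800
0|C:/Users/jdoe/Desktop/secret.zip (deleted)|5100-128-1|r/rrwxrwxrwx|0|0|1048576|1262476800|1262480400|1262480400|0
"""

def ts(epoch):
    """Epoch seconds -> UTC string; 0 means the timestamp is not set."""
    e = int(epoch)
    return datetime.fromtimestamp(e, timezone.utc).strftime("%Y-%m-%d %H:%M:%S") if e > 0 else ""

def parse_body(text):
    """Group body-file rows by parent folder: {folder: [[name, size, C, M, A], ...]}."""
    listing = defaultdict(list)
    for line in text.splitlines():
        try:
            # Split from the right so a '|' inside a file name (legal on
            # non-NTFS file systems) cannot shift the numeric columns.
            head, _inode, _mode, _uid, _gid, size, atime, mtime, _ctime, crtime = line.rsplit("|", 9)
            path = head.split("|", 1)[1]          # drop the MD5 column
        except (ValueError, IndexError):
            continue                              # blank or malformed line
        # On NTFS, crtime = created, mtime = modified, atime = accessed;
        # ctime (MFT entry change) is left out to match the requested columns.
        listing[dirname(path)].append(
            [basename(path), int(size), ts(crtime), ts(mtime), ts(atime)])
    return listing

def to_csv(listing):
    """Render one block per folder: path line, header row, files, blank line."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    for folder in sorted(listing):
        w.writerow([folder])
        w.writerow(["Filename", "Size", "Created", "Modified", "Accessed"])
        w.writerows(sorted(listing[folder]))
        w.writerow([])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_body(SAMPLE_BODY)))
```

Timestamps are rendered in UTC; filter `listing` by folder prefix before calling `to_csv` when only selected folders are needed for a report.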