Hi all, just thought I'd start up a discussion topic here on how you would go about finding the MAC (modified, accessed & created) time stamps of every file on a user's computer in command prompt.
I am aware that this is possible through EnCase, FTK and similar, but I have been trying to develop a system that could be used during incident response.
So far the most successful commands found are
(Do not include ""'s)
Linux console - "du -a ."
This produces a full list of all files and the directory they are found in
Windows Command Prompt - C:\>"dir /on /b /s >G:\list.txt"
This produces a listed log file of every file and its location on the system. The only problem with these commands is that when run, ALL accessed times on the computer are changed :S Which obviously isn't good news if you were working with evidence.
Hope you find these commands useful, any input/feedback gladly received
I ran your command on my Windows system, removing the /s…
C:\>dir /on /b
.rnd
AUTOEXEC.BAT
CONFIG.SYS
DELL
Documents and Settings
hpfr5550.log
hpfr5550.xml
My Documents.lnk
Perl
ProDiscover
Program Files
responderlog.txt
Symbols
temp
WINDOWS
Doesn't show MAC times. This is because the '/b' switch lists everything in bare format.
I prefer Perl for this…works extremely well, and you won't change the last access time…and I can manipulate the output to look any way I want.
I knew it didn't show MAC times, sorry if I wasn't very clear.
I'm trying to work out a command that will show me all MAC times; this is my progress so far. Have you got any suggestions?
On Windows systems, I'm not sure that you're going to find a single command…you'd have to use three 'dir' commands, each showing a different (M, A, or C) time.
That's why I said that I like to use Perl. I can write the script, burn Perl and the script to a CD or thumb drive (or 'compile' the script into an EXE) and run it. I use the stat() function to grab things like the MAC times and size.
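A sketch of the stat()-based approach described in the post above, added here as an example and not the poster's own script. The optional root-directory argument, the CSV column layout and the helper names `iso_utc` and `csv_field` are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: walk a directory tree and print one CSV row per entry with
# its size and MAC times, read from file metadata via lstat().
use strict;
use warnings;
use File::Find;
use POSIX qw(strftime);

# Root of the walk; defaults to the current directory (assumed interface).
my $root = @ARGV ? $ARGV[0] : '.';

# Format epoch seconds as UTC ISO 8601 so listings from different hosts compare cleanly.
sub iso_utc {
    my ($epoch) = @_;
    return defined $epoch ? strftime('%Y-%m-%dT%H:%M:%SZ', gmtime($epoch)) : '';
}

# Quote a field for CSV, since file names may contain commas or double quotes.
sub csv_field {
    my ($s) = @_;
    $s =~ s/"/""/g;
    return qq("$s");
}

print "path,size,modified,accessed,ctime\n";

find({
    no_chdir => 1,    # stay in place; $File::Find::name holds the full path
    wanted   => sub {
        my $path = $File::Find::name;
        # lstat() reads metadata only: it does not open the file and does not
        # follow symbolic links. Listing a directory's entries may still
        # update that directory's own access time on some file systems.
        my @st = lstat($path);
        unless (@st) {
            warn "lstat failed: $path: $!\n";    # e.g. permission denied
            return;
        }
        # Indexes: 7 = size, 8 = atime, 9 = mtime, 10 = ctime.
        # ctime is the inode change time on Unix; on Win32, Perl reports the
        # creation time in this field.
        print join(',', csv_field($path), $st[7],
                   iso_utc($st[9]), iso_utc($st[8]), iso_utc($st[10])), "\n";
    },
}, $root);
```

Redirect the output to a file on separate media rather than on the volume being examined.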