log2timeline on folders/files with no MFT record

pakim
(@pakim)
Eminent Member
Joined: 15 years ago
Posts: 30
Topic starter  

Dear all,

I've got a folder with a copy of a Windows system taken from a disk, with user directories and programs (it's really a cut-and-paste copy, not a forensic copy…) which maintains file modification times (creation and access times have been tampered with in the copy). I can easily run log2timeline on that folder with something like log2timeline -f winxp ./c-drive -w c-l2t.csv and it correctly parses metadata in files (evt, reg, exif, etc.) creating a partial supertimeline. What's missing is the file timestamps, such as modification, access and creation time, since there's no MFT table (I've been given a folder…).

Does anyone know a quick solution to that problem? I've tried to create a listing by means of FTK Imager (it's not an easy task, it works only in particular conditions…) and pass it to log2timeline with the parser "-f ftk_dirlisting", but something doesn't work and the output is 0 bytes in size. Basically, I wish to create a timeline of files starting from a folder containing the files, not a disk (so no fls -o 63 diskimage.dd etc. is possible either).

Thanks for your help!
Paolo


ntexaminer
(@ntexaminer)
Eminent Member
Joined: 14 years ago
Posts: 49
 

Pakim,

You could create a bodyfile from log2timeline using the mactime output module, then run The Sleuth Kit's fls against your directory (appending the results to the bodyfile created from log2timeline). After you have both outputs in the same file, you can use mactime to convert the bodyfile to a CSV so that you can easily read it or open it in Excel, etc.

HTH


pakim
(@pakim)
Eminent Member
Joined: 15 years ago
Posts: 30
Topic starter  

Thanks for your help,

but the problem - as far as I can see - is the input module… I've got a folder with some files in it. I want to create simple timeline (MACB) entries for the files in that folder, leaving out the other files on the disk. I might use the MFT of the disk the folder resides on, by filtering out the other hundreds of thousands of files… but it seems a complex way of operating.

I'd like an input module which parses a folder and extracts MACB times from the files in that folder, just like you can obtain by means of FTK Imager's listing function. Once I get the .csv or .bodyfile containing those files, I'll merge it with the log2timeline pass over all the files and obtain a supertimeline.

I hope I've cleared things up… it's a weird situation but I think it's not that uncommon to meet…

KR
Paolo



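The folder-walking input module Paolo describes above, written out as an added example for this thread (it is not code from log2timeline, plaso or The Sleuth Kit). It walks a plain directory, reads the timestamps the host filesystem kept for each entry, and emits lines in the Sleuth Kit 3.x bodyfile layout that mactime reads, so they can be appended to a bodyfile produced by log2timeline's mactime output module. Because a cut-and-paste copy rewrites creation and access times, only the modification time is trusted by default; the other three columns are written as 0 ("unknown") so they do not enter the supertimeline as if they were original values. The script and function names, the "C:" path prefix and the sample tree it builds are all assumptions made up for the example.

```python
#!/usr/bin/env python3
"""Build a Sleuth Kit 3.x bodyfile for a copied folder tree (no MFT, no image).

Bodyfile record layout:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
A timestamp of 0 means "unknown"; mactime emits no row for a 0 column.
"""
import os
import stat as statmod
import sys
import tempfile
from typing import List


def _mode_string(st_mode: int) -> str:
    """Render the mode the way fls -m prints it: 'r/rrw-r--r--', 'd/drwxr-xr-x'."""
    if statmod.S_ISDIR(st_mode):
        kind = "d"
    elif statmod.S_ISLNK(st_mode):
        kind = "l"
    else:
        kind = "r"
    return f"{kind}/{kind}{statmod.filemode(st_mode)[1:]}"


def stat_to_record(name: str, st: os.stat_result, keep: str) -> str:
    """One bodyfile line for `name`.

    `keep` holds the timestamp letters to trust (a=access, m=modify,
    c=change, b=birth). Anything not listed is written as 0 rather than
    entered into the timeline as though it survived the copy.
    """
    times = {
        "a": int(st.st_atime),
        "m": int(st.st_mtime),
        "c": int(st.st_ctime),
        # Birth time is only exposed on some platforms; 0 when it is not.
        "b": int(getattr(st, "st_birthtime", 0)),
    }
    atime, mtime, ctime, crtime = (times[k] if k in keep else 0 for k in "amcb")
    fields = ["0", name, str(st.st_ino), _mode_string(st.st_mode),
              str(st.st_uid), str(st.st_gid), str(st.st_size),
              str(atime), str(mtime), str(ctime), str(crtime)]
    return "|".join(fields)


def bodyfile_records(root: str, prefix: str = "", keep: str = "m") -> List[str]:
    """Walk `root` and return one record per directory and file beneath it.

    Paths are rewritten relative to `root` with `prefix` in front (e.g. "C:")
    so the timeline shows the original location, not the examiner's mount.
    Entries are lstat'ed, so symlinks are recorded rather than followed.
    """
    root = os.path.abspath(root)
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic output order
        for entry in [None] + sorted(filenames):  # None = the directory itself
            full = dirpath if entry is None else os.path.join(dirpath, entry)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            name = prefix + "/" + ("" if rel == "." else rel)
            records.append(stat_to_record(name, os.lstat(full), keep))
    return records


def write_bodyfile(root: str, out_path: str, prefix: str = "", keep: str = "m") -> int:
    """Append records to `out_path` (so it can extend a log2timeline bodyfile)
    and return how many were written."""
    records = bodyfile_records(root, prefix, keep)
    with open(out_path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(rec + "\n")
    return len(records)


def build_sample_copy() -> str:
    """Construct a tiny stand-in for the copied drive in a temp directory.

    Sample data made up for this example. mtimes are set explicitly to mimic a
    copy that preserved modification time; atime/ctime/birth are whatever the
    host assigned when the files were written, which is exactly the problem.
    """
    root = tempfile.mkdtemp(prefix="c-drive-")
    sample = {
        "Windows/System32/config/SAM": 1262304000,              # 2010-01-01T00:00:00Z
        "Documents and Settings/paolo/NTUSER.DAT": 1265000000,  # 2010-02-01T04:53:20Z
    }
    for rel, mtime in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"sample")
        os.utime(full, (mtime, mtime))
    return root


if __name__ == "__main__":
    # Usage: folder2body.py <folder> <out.body> [prefix] [keep-letters]
    # With no arguments it runs against the constructed sample tree.
    if len(sys.argv) < 3:
        root, out = build_sample_copy(), "folder.body"
    else:
        root, out = sys.argv[1], sys.argv[2]
    pfx = sys.argv[3] if len(sys.argv) > 3 else "C:"
    letters = sys.argv[4] if len(sys.argv) > 4 else "m"
    print(f"{write_bodyfile(root, out, pfx, letters)} records appended to {out}")
```

With the thread's own pipeline this slots in between the two tools: produce the log2timeline side as a bodyfile with its mactime output module, run this script against the copied folder with the same output path so the records are appended, then feed the combined file to mactime -d for the CSV. Pass a different set of letters (for example "am") only when you have reason to believe the copy method preserved those timestamps, which is the point twjolson raises later in the thread.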
(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Using The Sleuth Kit, you can gather MACB times from a folder recursively. I am doing this from memory, so forgive any inaccuracies; you'll get the idea. (I am assuming you are using Linux, such as within SIFT Workstation.)

fls -r <hard drive> | grep <folder name>

That will give you the folder's inode number.

fls -r -m <folder> <hard drive> <inode> > <bodyfile>

and then use mactime to create your timeline.

The problem I see is that if this was a copy and paste operation, can you really believe the timestamps?


ntexaminer
(@ntexaminer)
Eminent Member
Joined: 14 years ago
Posts: 49
 

I'd like an input module which parses a folder and extracts MACB times from the files in that folder, just like you can obtain by means of FTK Imager's listing function. Once I get the .csv or .bodyfile containing those files, I'll merge it with the log2timeline pass over all the files and obtain a supertimeline.

I'm not sure exactly why the FTK Imager dir_listing input module isn't working for you, but you should be able to do this with fls. You'll need the inode number (or MFT record number) of the directory that contains your files. If you specify the directory, fls should not process any files other than what is contained within the specified directory. You'll just want to make sure you use the "-r" flag, as twjolson mentioned, to get any subfolders and files.


pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

What's missing is the file timestamps, such as modification, access and creation time, since there's no MFT table (I've been given a folder…).

If there's no MFT then there's no timestamps.

Is this folder on a live system? What's the OS and filesystem of this live system?

I guess I don't understand where this copied/pasted folder resides. I presume it resides on some sort of filesystem.


pakim
(@pakim)
Eminent Member
Joined: 15 years ago
Posts: 30
Topic starter  

Suppose someone takes a suspect hard drive, connects it through a w/b, and copies the folders (Windows, Users, Program Files, etc.) onto an external HD or CD/DVD. Some MACB times will of course be useless, but you would like to make a supertimeline out of it all the same, because at least the modify timestamp is intact. You run log2timeline on the folder and you get a good supertimeline made from metadata, but what you are missing is the file timestamps.

So there's no MFT, but some timestamps are still there, depending on the OS the files have been saved to. They might also be zipped, if the OS is small enough (say, for example, WinXP with little software).

I think that the fls solution with the inode may work (I still have to try it), but it relies on the MFT of the disk which is hosting the files, even if those files were not originally indexed by that MFT.


