
FreeBSD Manual Pages


MACTIME(1)		    General Commands Manual		    MACTIME(1)

       mactime - Create	an ASCII time line of file activity

       mactime	[-b body ] [-g group file ] [-p	password file ]	[-i (day|hour)
       index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

       mactime creates an ASCII time line of file activity based on the body
       file specified by '-b' or from STDIN.  The time line is written to
       STDOUT.  The body file must be in the time machine format that is
       created by 'ils -m', 'fls -m', or the mac-robber tool.

       -b body
	      Specify  the  location of	a body file.  This file	must be	gener-
	      ated by a	tool such as 'fls -m' or 'ils -m'.   The  'mac-robber'
	      and 'grave-robber' tools can also	be used	to generate the	file.

       -g group	file
	      Specify  the  location  of the group file.  mactime will display
	      the group	name instead of	the GID	if this	is given.

       -p password file
	      Specify the location of the passwd file.	mactime	 will  display
	      the user name instead of the UID if this is given.

       -i day|hour index file
	      Specify  the  location  of an index file to write	to.  The first
	      argument specifies the granularity, either an hourly summary  or
	      daily.  If the '-d' flag is given, then the summary will be sep-
	      arated by	a ',' to import	into a spread sheet.

       -d     Display timeline and index  files	 in  comma  delimited  format.
	      This  is used to import the data into a spread sheet for presen-
	      tations or graphs.

       -h     Display header info about	the session including time range,  in-
	      put source, and passwd or	group files.

       -V     Display version to STDOUT.

       -m     The  month  is  given as a number	instead	of name	(does not work
	      with -y).

       -y     The date is displayed in ISO8601 format.

       -z TIME_ZONE
	      The timezone from	where the data was  collected.	 The  name  of
	      this  argument  is  system  dependent (examples include EST5EDT,
	      GMT+1).  Does not	work with -y.

       -z list
	      List valid timezones.

       DATE_RANGE
	      The range of dates to make the time line for.  The standard
	      format is yyyy-mm-dd for a starting date and no ending date.
	      For an ending date, use yyyy-mm-dd..yyyy-mm-dd.  The date can
	      contain a time; use the format yyyy-mm-ddThh:mm:ss for the
	      starting and/or ending date.
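
       The following is an added illustration, not code from mactime or The
       Sleuth Kit: a Python sketch of how a body file becomes time line rows
       with "macb" flags and how a DATE_RANGE filters them.  It assumes the
       TSK 3.x body layout, UTC timestamps, and an exclusive range end; the
       sample rows and function names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body layout (not taken from this page):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = """\
0|/etc/passwd|1201|r/rrw-r--r--|0|0|1843|1700000000|1699990000|1699990000|1690000000
0|/tmp/.cache/upd|4410|r/rrwxr-xr-x|1001|1001|20480|1700003600|1700003600|1700003600|1700003600
0|/var/log/auth.log|2207|r/rrw-r-----|0|4|90112|1700003700|1700003700|1700003700|0
"""

def parse_when(text):
    """Parse yyyy-mm-dd or yyyy-mm-ddThh:mm:ss as UTC epoch seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S" if "T" in text else "%Y-%m-%d"
    stamp = datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    return int(stamp.timestamp())

def parse_range(date_range):
    """Split DATE_RANGE into (start, end); end is None when omitted."""
    start, _, end = date_range.partition("..")
    return parse_when(start), (parse_when(end) if end else None)

def timeline(body_text, date_range=None):
    """Return sorted (iso_time, size, macb, uid, gid, inode, name) rows."""
    start, end = parse_range(date_range) if date_range else (None, None)
    events = defaultdict(set)  # (epoch, file fields) -> flag letters
    for line in body_text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # skip blank or malformed rows
        # Body order is atime, mtime, ctime, crtime: flags a, m, c, b.
        for flag, raw in zip("amcb", f[7:11]):
            t = int(raw)
            if t == 0 or (start is not None and t < start):
                continue  # 0 means "not recorded"
            if end is not None and t >= end:
                continue  # assumption: end of range is exclusive
            events[(t, int(f[6]), f[4], f[5], f[2], f[1])].add(flag)
    rows = []
    for (t, size, uid, gid, inode, name), flags in sorted(events.items()):
        macb = "".join(c if c in flags else "." for c in "macb")
        iso = datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append((iso, size, macb, uid, gid, inode, name))
    return rows

if __name__ == "__main__":
    for row in timeline(SAMPLE_BODY, "2023-11-14T23:00:00..2023-11-15"):
        print(",".join(str(col) for col in row))
```

       Timestamps that share a second on the same file collapse into one row,
       which is why a freshly written file shows all four flags at once.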

       The changes from mactime in TCT and mac-daddy are distributed under the
       Common Public License, found in the cpl1.0.txt file in The Sleuth Kit
       licenses directory.

       A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan
       Farmer) and later mac-daddy (Rob	Lee).

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>


