NAME¶

tsk_gettimes - Collect MAC times from a disk image into a body file.

SYNOPSIS¶

tsk_gettimes [-vV] [-i imgtype ] [-b dev_sector_size ] [-z zone ] [-s seconds ] image

DESCRIPTION¶

tsk_gettimes examines each of the file systems in a disk image and returns the data about them in the MACtime body format (the same as running 'fls -m' on each file system). The output of this can be used as input to mactime to make a timeline of file activity. The data is printed to STDOUT, which can then be redirected to a file.

The arguments are as follows:

-v: verbose output to stderr

-V: Print version

-i imgtype: The format of the image file (use '-i list' for supported types) If not given, autodetection methods are used.

-b dev_sector_size: The size (in bytes) of the device sectors If not given, autodetection methods are used.

-s seconds: The time skew of the original system in seconds. For example, if the original system was 100 seconds slow, this value would be -100.

-z zone: The ASCII string of the time zone of the original system. For example, EST or GMT. These strings must be defined by your operating system and may vary.

EXAMPLES¶

To collect data about image image.dd:

# tsk_gettimes ./image.dd > body.txt

AUTHOR¶

Brian Carrier <carrier at sleuthkit dot org>

Send documentation updates to <doc-updates at sleuthkit dot org>

Source file:	tsk_gettimes.1.en.gz (from sleuthkit 3.2.3-2)
Source last updated:	2011-10-14T17:55:29Z
Converted to HTML:	2017-06-07T16:56:00Z