mactime(1)

1MACTIME(1)                  General Commands Manual                 MACTIME(1)
2
3
4

NAME

6       mactime - Create an ASCII time line of file activity
7

SYNOPSIS

9       mactime  [-b body ] [-g group file ] [-p password file ] [-i (day|hour)
10       index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]
11

DESCRIPTION

13       mactime creates an ASCII time line of file activity based on  the  body
14       file specified by '-b' or from STDIN.  The time line is written to STD‐
15       OUT.  The body file must be in the time machine format that is  created
16       by 'ils -m', 'fls -m', or the mac-robber tool.
17
18

ARGUMENTS

20       -b body
21              Specify  the  location of a body file.  This file must be gener‐
22              ated by a tool such as 'fls -m' or 'ils -m'.   The  'mac-robber'
23              and 'grave-robber' tools can also be used to generate the file.
24
25       -g group file
26              Specify  the  location  of the group file.  mactime will display
27              the group name instead of the GID if this is given.
28
29       -p password file
30              Specify the location of the passwd file.  mactime  will  display
31              the user name instead of the UID of this is given.
32
33       -i day|hour index file
34              Specify  the  location  of an index file to write to.  The first
35              argument specifies the granularity, either an hourly summary  or
36              daily.  If the ´-d´ flag is given, then the summary will be sep‐
37              arated by a ',' to import into a spread sheet.
38
39       -d     Display timeline and index  files  in  comma  delimited  format.
40              This  is used to import the data into a spread sheet for presen‐
41              tations or graphs.
42
43       -h     Display header info about  the  session  including  time  range,
44              input source, and passwd or group files.
45
46       -V     Display version to STDOUT.
47
48       -m     The month is given as a number instead of name.
49
50       -y     The date range is given with the year first.
51
52       -z TIME_ZONE
53              The  timezone  from  where  the data was collected.  The name of
54              this argument is system  dependent  (examples  include  EST5EDT,
55              GMT+1).
56
57       DATE_RANGE
58              The range of dates to make the time line for.  The standard for‐
59              mat is yyyy-mm-dd for a starting date and no ending date. For an
60              ending date, use yyyy-mm-dd..yyyy-mm-dd.
61
62

LICENSE

64       The changes from mactime in TCT and mac-daddy are distributed under the
65       Common Public License, found in the cpl1.0.txt file in the  The  Sleuth
66       Kit licenses directory.
67
68

HISTORY

70       A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan
71       Farmer) and later mac-daddy (Rob Lee).
72
73

AUTHOR

75       Brian Carrier <carrier at sleuthkit dot org>
76
77       Send documentation updates to <doc-updates at sleuthkit dot org>
78
79
80
81                                                                    MACTIME(1)