MACTIME(1)                  General Commands Manual                 MACTIME(1)

NAME

       mactime - Create an ASCII time line of file activity

SYNOPSIS

       mactime [-b body ] [-g group file ] [-p password file ] [-i (day|hour)
       index file ] [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

DESCRIPTION

       mactime creates an ASCII time line of file activity based on the body
       file specified by '-b' or from STDIN.  The time line is written to
       STDOUT.  The body file must be in the time machine format that is
       created by 'ils -m', 'fls -m', or the mac-robber tool.

ARGUMENTS

       -b body
              Specify the location of a body file.  This file must be
              generated by a tool such as 'fls -m' or 'ils -m'.  The
              'mac-robber' and 'grave-robber' tools can also be used to
              generate the file.

       -g group file
              Specify the location of the group file.  mactime will display
              the group name instead of the GID if this is given.

       -p password file
              Specify the location of the passwd file.  mactime will display
              the user name instead of the UID if this is given.

       -i day|hour index file
              Specify the location of an index file to write to.  The first
              argument specifies the granularity, either an hourly summary or
              daily.  If the '-d' flag is given, then the summary will be
              separated by a ',' to import into a spreadsheet.

       -d     Display timeline and index files in comma delimited format.
              This is used to import the data into a spreadsheet for
              presentations or graphs.

       -h     Display header info about the session including time range,
              input source, and passwd or group files.

       -V     Display version to STDOUT.

       -m     The month is given as a number instead of name (does not work
              with -y).

       -y     The date is displayed in ISO8601 format.

       -z TIME_ZONE
              The timezone from where the data was collected.  The name of
              this argument is system dependent (examples include EST5EDT,
              GMT+1).  Does not work with -y.

       -z list
              List valid timezones.

       DATE_RANGE
              The range of dates to make the time line for.  The standard
              format is yyyy-mm-dd for a starting date and no ending date.
              For an ending date, use yyyy-mm-dd..yyyy-mm-dd.  A date can
              include a time: use the format yyyy-mm-ddThh:mm:ss for the
              starting and/or ending date.
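
       The following is an added example, not part of the man page or The
       Sleuth Kit: a POSIX shell pre-flight check that rejects the option
       combinations listed above as not working (-m or -z together with -y)
       and a malformed DATE_RANGE before mactime is run. The function names
       and the sample arguments (body.txt, the dates) are assumptions.

```shell
#!/bin/sh
# Added example, not from The Sleuth Kit. Function names are hypothetical.

# valid_stamp: yyyy-mm-dd or yyyy-mm-ddThh:mm:ss (syntax only, no calendar check)
valid_stamp() {
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]{4}-[0-9]{2}-[0-9]{2}(T[0-9]{2}:[0-9]{2}:[0-9]{2})?$'
}

# valid_range: START or START..END, as described under DATE_RANGE
valid_range() {
    case "$1" in
        *..*) valid_stamp "${1%%..*}" && valid_stamp "${1#*..}" ;;
        *)    valid_stamp "$1" ;;
    esac
}

# mactime_preflight ARGS...: prints "ok" and returns 0 when ARGS are consistent
# with the man page, otherwise prints the reason and returns 1.
mactime_preflight() {
    skip=0 y=0 m=0 z=0 range=
    for a in "$@"; do
        if [ "$skip" -gt 0 ]; then skip=$((skip - 1)); continue; fi
        case "$a" in
            -b|-g|-p) skip=1 ;;            # option takes one value
            -z)       skip=1; z=1 ;;       # TIME_ZONE or "list"
            -i)       skip=2 ;;            # day|hour, then the index file
            -*)       case "$a" in *y*) y=1 ;; esac   # bundled flags, e.g. -dy
                      case "$a" in *m*) m=1 ;; esac ;;
            *)        range=$a ;;
        esac
    done
    if [ "$y" = 1 ] && [ "$m" = 1 ]; then echo "-m does not work with -y"; return 1; fi
    if [ "$y" = 1 ] && [ "$z" = 1 ]; then echo "-z does not work with -y"; return 1; fi
    if [ -n "$range" ] && ! valid_range "$range"; then
        echo "bad DATE_RANGE: $range"; return 1
    fi
    echo ok
}

# Constructed arguments; body.txt is a placeholder and is not opened here.
mactime_preflight -b body.txt -d -y 2020-01-01T08:00:00..2020-01-31
```

       Running the check before the real command catches a -z that -y would
       not honor, which matters when the time line is correlated with logs
       from another timezone.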

LICENSE

       The changes from mactime in TCT and mac-daddy are distributed under the
       Common Public License, found in the cpl1.0.txt file in The Sleuth Kit
       licenses directory.

HISTORY

       A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan
       Farmer) and later mac-daddy (Rob Lee).

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>