TSK_GETTIMES(1)             General Commands Manual            TSK_GETTIMES(1)

NAME

       tsk_gettimes - Collect MAC times from a disk image into a body file.

SYNOPSIS

       tsk_gettimes [-vV] [ -f fstype ] [ -i imgtype ] [ -b dev_sector_size ]
       [ -z zone ] [ -s seconds ] image [images]

DESCRIPTION

       tsk_gettimes examines each of the file systems in a disk image and
       returns the data about them in the MACtime body format (the same as
       running 'fls -m' on each file system).  The output of this can be used
       as input to mactime to make a timeline of file activity.  The data is
       printed to STDOUT, which can then be redirected to a file.

       The arguments are as follows:

       -v     Verbose output to stderr

       -V     Print version

       -f fstype
              Specify the file system type.  Use '-f list' to list the
              supported file system types.  If not given, autodetection
              methods are used.

       -i imgtype
              The format of the image file, such as raw.  Use '-i list' to
              list the supported types.  If not given, autodetection methods
              are used.

       -b dev_sector_size
              The size (in bytes) of the device sectors.  If not given,
              autodetection methods are used.

       -o sector_offset
              Sector offset for a volume to recover (recovers only that
              volume).  If not given, will attempt to recover all volumes in
              image and save them to different folders.

       -s seconds
              The time skew of the original system in seconds.  For example,
              if the original system was 100 seconds slow, this value would be
              -100.

       -z zone
              The ASCII string of the time zone of the original system.  For
              example, EST or GMT.  These strings must be defined by your
              operating system and may vary.

       image [images]
              The disk or partition image to read, whose format is given with
              '-i'.  Multiple image file names can be given if the image is
              split into multiple segments.  If only one image file is given,
              and its name is the first in a sequence (e.g., as indicated by
              ending in '.001'), subsequent image segments will be included
              automatically.

EXAMPLES

       To collect data about image image.dd:

            # tsk_gettimes ./image.dd > body.txt
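
       A body file such as body.txt above can be inspected before it is
       passed to mactime.  The following is an added example, not part of
       this manual page or of The Sleuth Kit: it parses body lines and builds
       a sorted timeline.  The field layout is the TSK 3.x body convention;
       parse_body_line, timeline and the sample lines are constructed for
       illustration, and the skew correction is inferred from the -s example.

```python
from datetime import datetime, timezone

# TSK 3.x body layout (known Sleuth Kit convention; the page does not list it):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
TIME_FIELDS = ("atime", "mtime", "ctime", "crtime")

def parse_body_line(line):
    """Split one body line. The name may contain '|', so split from both ends."""
    md5, rest = line.rstrip("\n").split("|", 1)
    parts = rest.rsplit("|", 9)  # name + 9 fixed trailing fields
    if len(parts) != 10:
        raise ValueError(f"malformed body line: {line!r}")
    name, inode, mode, uid, gid, size, *times = parts
    entry = {"md5": md5, "name": name, "inode": inode, "mode": mode, "size": int(size)}
    entry.update(zip(TIME_FIELDS, map(int, times)))
    return entry

def timeline(lines, skew=0):
    """Return sorted (utc_time, kind, name) events, one per set timestamp.

    Assumption taken from the '-s' example: a clock that ran 100 s slow is
    skew=-100, so corrected = recorded - skew. Leave 0 if '-s' was already used.
    """
    events = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_body_line(line)
        for kind in TIME_FIELDS:
            if entry[kind] <= 0:  # 0 means no such timestamp was recorded
                continue
            when = datetime.fromtimestamp(entry[kind] - skew, tz=timezone.utc)
            events.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), kind, entry["name"]))
    return sorted(events)

# Constructed sample body lines (not real case data).
SAMPLE = [
    "0|/etc/passwd|1042|r/rrw-r--r--|0|0|1873|1700000300|1700000100|1700000100|0",
    "0|/tmp/a|b.sh|2210|r/rrwxr-xr-x|1000|1000|64|1700000200|1700000200|1700000200|1700000000",
]

if __name__ == "__main__":
    for event in timeline(SAMPLE, skew=-100):  # or timeline(open("body.txt"))
        print(*event)
```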

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>