Forensics timeline

One of my recent labs for my Unix Forensics class was dissecting an OS X Time Machine backup. A requirement of the report was to create a timeline of file changes on the system. The image was given to us in a tar.gz at the file system level. This destroys all but the modified time stamps. Regardless, I created a video timeline of the Time Machine backup. This is built using the open source project Gource, and the log was created by a basic shell script (also embedded below). A few things of note:

  1. Currently has mixed usefulness. There are many times when there is so much happening that useful info is drowned out. By limiting directory scope it might become more useful. 
  2. Only takes into account last modified times, since that is the only accurate time stamp I have access to. Might be interesting to use this with a mature Time Machine backup.
  3. Files disappear from the tree after not being touched for some time. As files only get touched once (see number 2), files disappear.
  4. Hidden files are not shown as I forgot find * doesn't list them by default.
  5. Most of the time line is prior to install of the OS. The "Some Forensics User" doesn't actually do anything until 1:14:34. At that point so much is happening that #1 above comes into play.
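
An added example, not the script used for the video above: one way to turn last-modified times into a log in Gource's custom format (`timestamp|user|type|path`), including hidden files (note 4) and with an optional sub-directory scope (note 1). It assumes GNU find (for `-printf`); the function name and the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: build a Gource custom-format log from file mtimes only.
# Assumes GNU find. Function name and sample paths are hypothetical.
#
# Usage (constructed paths):
#   mtime_gource_log /cases/tm_backup Users > tm.log
#   gource --log-format custom tm.log

# mtime_gource_log ROOT [SCOPE]
#   ROOT  - directory the backup was extracted into
#   SCOPE - optional sub-directory of ROOT to limit the walk (default: all)
# Prints "epoch|owner|M|/path" lines, oldest first.
mtime_gource_log() {
    root=$1
    scope=${2:-.}
    nl='
'
    (
        cd "$root" || exit 1
        # Walking from a directory (rather than the shell glob *) makes find
        # descend into dotfiles and dot-directories as well.
        # The custom log format has no escaping, so paths containing '|'
        # or a newline are left out instead of corrupting the log.
        find "$scope" -type f ! -path '*|*' ! -path "*$nl*" \
            -printf '%T@|%u|M|%p\n'
    ) |
    awk -F'|' '{
        sub(/\..*$/, "", $1)   # %T@ is fractional; Gource wants whole seconds
        sub(/^\.\//, "", $4)   # drop the leading "./" when SCOPE is "."
        print $1 "|" $2 "|M|/" $4
    }' |
    sort -t'|' -k1,1n          # Gource expects entries in time order
}
```

Every entry is typed `M` because an mtime cannot distinguish creation from a later edit; the owner column is whatever the extraction preserved.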
