20140429
Forensics timeline
One of my recent labs for my Unix Forensics class was dissecting an OS X Time Machine backup. A requirement of the report was to create a timeline of file changes on the system. The image was given to us as a tar.gz at the file system level. This destroys all but the modified timestamps. Regardless, I created a video timeline of the Time Machine backup. This is built using the open source project Gource, and the log was created with a basic shell script (also embedded below).
A few things of note:
1. Currently has mixed usefulness. There are many times when so much is happening that useful info is drowned out. Limiting the directory scope might make it more useful.
2. Only takes into account last-modified times, since that is the only accurate timestamp I have access to. Might be interesting to use this with a mature Time Machine backup.
3. Files disappear from the tree after going untouched for some time. Because each file only gets touched once (see number 2), files disappear.
4. Hidden files are not shown, as I forgot that `find *` doesn't list them by default.
5. Most of the timeline is prior to the install of the OS. The "Some Forensics User" doesn't actually do anything until 1:14:34. At that point so much is happening that #1 above comes into play.
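The author's shell script is not reproduced on this page. As an added example (not the author's code), the following Python builds a Gource custom-format log (`timestamp|user|type|path`) from last-modified times; it includes the hidden files that `find *` skips and can limit the directory scope, as the first note suggests. The function name, its parameters and the default user label `backup` are assumptions made for this example.

```python
import os
import sys


def build_gource_log(root, user="backup", scope="", include_hidden=True):
    """Return Gource custom-log lines, oldest first: timestamp|user|type|path."""
    events = []
    for dirpath, dirnames, filenames in os.walk(os.path.join(root, scope)):
        if not include_hidden:
            # Prune dot-directories in place so os.walk does not descend into them.
            dirnames[:] = [d for d in dirnames if not d.startswith(".")]
            filenames = [f for f in filenames if not f.startswith(".")]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                # lstat records a symlink's own mtime instead of following it.
                mtime = int(os.lstat(full).st_mtime)
            except OSError:
                continue  # unreadable entry: leave it out of the timeline
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            # '|' separates fields and a newline ends a record, so neither
            # may appear inside the path field.
            rel = rel.replace("|", "_").replace("\n", "_")
            events.append((mtime, rel))
    events.sort()  # the log must be in ascending time order
    # Only mtime survives in the tarball, so each file yields a single event,
    # logged here as an add ("A") at its last-modified time.
    return [f"{ts}|{user}|A|{path}" for ts, path in events]


if __name__ == "__main__":
    # Usage: python3 mtime_log.py <extracted-backup-root> [subdirectory]
    root = sys.argv[1]
    scope = sys.argv[2] if len(sys.argv) > 2 else ""
    print("\n".join(build_gource_log(root, scope=scope)))
```

Save the output to a file and load it with `gource --log-format custom <file>`.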