One of my recent labs for my Unix Forensics class was dissecting an OS X Time Machine backup. A requirement of the report was to create a timeline of file changes on the system. The image was given to us as a tar.gz at the file system level, which destroys all but the modified time stamps. Regardless, I created a video timeline of the Time Machine backup. It is built using the open source project Gource, and the log was created with a basic shell script (also embedded below). A few things of note:

- Currently has mixed usefulness. There are many times when so much is happening that useful info is drowned out. Limiting the directory scope might make it more useful.
- Only takes into account last modified times, since that is the only accurate time stamp I have access to. It might be interesting to use this with a mature Time Machine backup.
- Files disappear from the tree after not being touched for some time. As files only get touched once (see number 2), files disappear.
- Hidden files are not shown, as I forgot that `find *` doesn't list them by default.
- Most of the timeline is prior to the install of the OS. The "Some Forensics User" doesn't actually do anything until 1:14:34. At that point so much is happening that #1 above comes into play.
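The log-generating script itself is not reproduced on this page. The following is an added example (not the author's script) of how a Gource custom log, one pipe-delimited `timestamp|user|type|path` record per file, can be built from a tree's last-modified times; it walks the tree with `find "$dir"` rather than `find *`, so hidden files are included. The user label follows the post; the function names `mtime_epoch` and `gource_log` are my own.

```shell
#!/bin/sh
# Added example: turn a directory tree's modification times into a Gource
# custom log. Each line is "timestamp|user|type|path", where type M means
# "modified". Only mtimes are used, matching what a tar.gz extraction keeps.

# Print a file's mtime as Unix epoch seconds on both GNU (stat -c) and
# BSD/macOS (stat -f) systems.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# gource_log DIR [USER]
# Emit one M record per regular file under DIR, paths made relative to DIR,
# sorted by time so Gource plays the events in order. Hidden files are
# included because find is given the directory, not a shell glob.
# Caveat: a path containing '|' or a newline would corrupt its record.
gource_log() {
    dir=$1
    user=${2:-"Some Forensics User"}   # label used in the post
    find "$dir" -type f | while IFS= read -r f; do
        rel=${f#"$dir"/}
        printf '%s|%s|M|/%s\n' "$(mtime_epoch "$f")" "$user" "$rel"
    done | sort -t '|' -k1,1n
}

# Usage: gource_log /path/to/backup > backup.log
#        gource --log-format custom backup.log
```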