Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   9211 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

TSK_GETTIMES(1)						       TSK_GETTIMES(1)

NAME
       tsk_gettimes - Collect MAC times from a disk image into a body file.

SYNOPSIS
       tsk_gettimes  [-vV] [ -f fstype ] [ -i imgtype ] [ -b dev_sector_size ]
       [ -z zone ] [ -s seconds ] image [images]

DESCRIPTION
       tsk_gettimes examines each of the file systems  in  a  disk  image  and
       returns	the  data  about  them in the MACtime body format (the same as
       running 'fls -m' on each file system).  The output of this can be  used
       as  input  to  mactime to make a timeline of file activity. The data is
       printed to STDOUT, which can then be redirected to a file.

       The arguments are as follows:

       -v     verbose output to stderr

       -V     Print version

       -f fstype
	      Specify the file system type.  Use '-f list' to  list  the  sup‐
	      ported  file  system types.  If not given, autodetection methods
	      are used.

       -i imgtype
	      The format of the image file, such as raw.   Use	'-i  list'  to
	      list  the	 supported types.  If not given, autodetection methods
	      are used.

       -b dev_sector_size
	      The size (in bytes)  of  the  device  sectors.   If  not	given,
	      autodetection methods are used.

       -o sector_offset
	      Sector  offset  for a volume to recover (recovers only that vol‐
	      ume) If not given, will attempt to recover all volumes in	 image
	      and save them to different folders.

       -s seconds
	      The  time	 skew of the original system in seconds.  For example,
	      if the original system was 100 seconds slow, this value would be
	      -100.

       -z zone
	      The  ASCII  string of the time zone of the original system.  For
	      example, EST or GMT.  These strings  must	 be  defined  by  your
	      operating system and may vary.

       image [images]
	      The  disk or partition image to read, whose format is given with
	      '-i'.  Multiple image file names can be given if	the  image  is
	      split  into multiple segments.  If only one image file is given,
	      and its name is the first in a sequence (e.g., as	 indicated  by
	      ending  in  '.001'),  subsequent image segments will be included
	      automatically.

EXAMPLES
       To collect data about image image.dd:

	    # tsk_gettimes ./image.dd > body.txt

AUTHOR
       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>

							       TSK_GETTIMES(1)

Vote for polarhome