manpagez: man pages & more
man tsk_gettimes(1)

man pages By Section Choose... 123456789ln Alphabetically Choose... ABCDEFGHIJKLMNOPQRSTUVWXYZOther

Other versions of tsk_gettimes Choose... tsk_gettimes-4.12.0

Home | html | info | man

tsk_gettimes(1)                                                tsk_gettimes(1)

NAME

       tsk_gettimes - Collect MAC times from a disk image into a body file.

SYNOPSIS

       tsk_gettimes  [-vV] [ -f fstype ] [ -i imgtype ] [ -b dev_sector_size ]
       [ -z zone ] [ -s seconds ] image [images]

DESCRIPTION

       tsk_gettimes examines each of the file systems  in  a  disk  image  and
       returns  the  data  about  them in the MACtime body format (the same as
       running 'fls -m' on each file system).  The output of this can be  used
       as  input  to  mactime to make a timeline of file activity. The data is
       printed to STDOUT, which can then be redirected to a file.

       The arguments are as follows:

       -v     verbose output to stderr

       -V     Print version

       -f fstype
              Specify the file system type.  Use '-f list' to  list  the  sup-
              ported  file  system types.  If not given, autodetection methods
              are used.

       -i imgtype
              The format of the image file, such as raw.   Use  '-i  list'  to
              list  the  supported types.  If not given, autodetection methods
              are used.

       -b dev_sector_size
              The size (in bytes)  of  the  device  sectors.   If  not  given,
              autodetection methods are used.

       -o sector_offset
              Sector  offset  for a volume to recover (recovers only that vol-
              ume) If not given, will attempt to recover all volumes in  image
              and save them to different folders.

       -s seconds
              The  time  skew of the original system in seconds.  For example,
              if the original system was 100 seconds slow, this value would be
              -100.

       -z zone
              The  ASCII  string of the time zone of the original system.  For
              example, EST or GMT.  These strings  must  be  defined  by  your
              operating system and may vary.

       image [images]
              The  disk or partition image to read, whose format is given with
              '-i'.  Multiple image file names can be given if  the  image  is
              split  into multiple segments.  If only one image file is given,
              and its name is the first in a sequence (e.g., as  indicated  by
              ending  in  '.001'),  subsequent image segments will be included
              automatically.

EXAMPLES

       To collect data about image image.dd:

            # tsk_gettimes ./image.dd > body.txt

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>




                                                               tsk_gettimes(1)

---

sleuthkit 4.6.5 - Generated Sun Feb 17 10:21:22 CST 2019

© manpagez.com 2000-2026
Individual documents may contain additional copyright information.