Hacking Notes
  • Ports & Enumeration
  • Antivirus Evasion
    • AMSI bypass
    • Macros / VBA
    • ETW bypass
    • EDR Evasion
    • EXE Packers
    • Powershell process-injection
    • Shellter
    • Payload generation
  • Port Forwarding
    • SSH
    • NetSH
    • Tools
    • Chisel
    • Meterpreter
  • Cloud
  • Word List Creation
  • Active Directory
    • Domain Enumeration
    • Domain Trusts
    • Domain Mapping
    • discretionary access control list (DACL)
      • ForceChangePassword
      • AddKeyLinkCredential
      • GenericWrite/ GenericAll
      • WriteOwner
      • GPO Exploitation
    • MS SQL
    • gMSA
    • Exchange
    • Group Exploitation
    • Domain Exploitation
    • Kerberos Attacks
    • SCCM
    • NTDS dumping
    • Impacket
    • ADCS exploitation
      • ESC 1
      • ESC4
      • ESC7
    • Privilege Escalation
      • Windows
        • System Enumeration
        • Credentials enumeration
        • Unsecure Service Path
        • Unsecure Path security
        • Misconfigured Reg
        • DLL Hijacking
        • Privilege enumeration
          • Tools
        • Vulnerable Apps
        • UAC Bypass
        • Service Enumeration
      • Unix
        • Linux Enumeration
        • Insecure File Permissions
        • Linux Escalate
        • Restricted shell escape
    • LAPS
  • Cloud
    • Azure
      • Tools
        • AzureCli - AZ
        • AzureCli - PowerShell
        • AzureAD
        • MicroBurst
        • SkyArk
        • PowerZure
        • BlueMap
        • AzureHound
        • BARK
        • GraphRunner
      • User attacks
        • CredMaster
        • TrevorSpray
      • o365
    • G-Cloud
    • Enumeration
      • AWS Cli
        • AWS Cli
      • Pacu
      • Organizational Trust
  • Web Application
    • Info
    • Log Poisoning / PHP Wrapping
    • HTTP Request Smuggling
    • Client Side Desync
    • Enumeration
    • Databases
    • SQL Injection
      • WAF Bypass
    • WebSocket
    • File Inclusion
    • Brute forcing
    • Cross Site Scripting (XSS)
  • Cracking
    • Hashcat
    • John The Ripper
    • Wireless
  • Wireless
    • Tools
    • WPS
    • WEP
    • WPA/ WPA-2/ WPA-3
    • WPA-Enterprise
    • PMKID
    • Captive Portal
  • DFIR
    • Forensics
      • Plaso
      • Microsoft
      • Windows
        • Anti-Forensics
        • Microsoft Forensics
          • ShimCache/ AppCompatCache
          • Defender
          • PowerShell / CMD
          • Registry
          • AmCache
          • Zone.Identifiers ADS
          • RecentFileCache
          • Prefetch
          • Lnk
          • Jumplist / RecentFiles
          • Shellbags
          • BAM/ DAM
          • SRUM
          • NTFS
          • EVTX
            • Security logs
            • WMI-Activity Operations
              • PowerShell/WinRM Operational
            • Task Scheduler
            • RDP Activity
            • Lateral Movement
          • hunting
          • Recycle Bin
          • Scheduled Tasks
        • o365
          • Mailbox Rules
      • Timeline Analysis
      • Forensics Tooling
        • Log2Timline / Plaso
        • Quarantine extraction
        • Scanning
          • Signature Scanning
          • AV Scanning
        • Logon Tracer
        • TimeSketch
        • Bulk_Extractor
        • FLS & Mactime
        • Manual Forensics
        • FTK
        • BulkExtractor & BulkExtractor-Rec
      • Linux
      • Azure
      • Active Directory
      • AnyDesk
    • Memory Analysis
      • Windows
        • Memory Acquisition
        • Code Injection
        • Rootkits
        • Rootkits
        • WMI/ PowerShell
        • Persistence & Lateral movement
        • Memory Acquisition
        • Baseliner
        • Identifying Code injection
        • Rookits
        • Process Objects
      • Tooling
        • Strings, bstrings and grep
        • Volatility
          • VolWeb
          • Memory Baseliner
        • MemProcFS
          • Code Injection
    • ReverseEngineering
    • Mobile
  • Networking
    • Radio
    • Vlans & Wired networking
    • Network Access Control
    • IPV6
    • Wireless
      • cracking
      • Aircrack-ng
      • WEP
      • WPA/ WPA2
      • WPA Enterprise
      • WPS
    • Bluetooth
  • Misc
    • Shells
      • WinRM / PowerShell
      • WinRM
      • Msfconsole
      • WinRM// PowerShell
      • Socat
      • Python
      • Netcat
      • PHP
      • Upgrade Shells
      • PowerCat
    • Buffer Overflow
      • General Information
      • Exploiting BufferOverflow
        • Find the Offset
        • Build the Exploit
        • Identifiy The BufferOverflow Character
        • Identify BadChars
        • Find the Jump Point
        • Generate Payload
        • Create Padding
    • Powershell
      • Quick Commands
      • Powershell Lateral Movement
    • Random Bits
    • Phishing
    • Coding
      • C#
    • Git
  • Command & Control
    • Meterpreter
    • Droppers
    • CobaltStrike
      • teamserver
      • Payload generation
        • Stagers
        • AV/EDR Bypass
          • Obfuscation
          • Sandbox Evasion
          • Win32 API
          • EDR Evasion
          • Encrypters
      • Listeners
      • Malleable Profiles
      • Initial Acces / Aggressors
      • Beacon Object Files (BOF)
      • Cheatsheet
    • Lateral Movement
    • Persistence
      • Low Priv User
      • High Priv User
  • Mobile App Testing
    • IOS
Powered by GitBook
On this page
  • FLS
  • mactime
Edit on GitHub
  1. DFIR
  2. Forensics
  3. Forensics Tooling

FLS & Mactime

PreviousBulk_ExtractorNextManual Forensics

Last updated 11 months ago

FLS

fls is a part of the sleuth autopsy kit - designed to extract filename and metadata information for files. there are three different types of data to collect:

  1. allocated files - normally active files. one would see when performing directory listing

  2. deleted files - unallocated files whose name structures exist. sometime metadata of deleted files can contain full path info

  3. orphaned file represent data from unallocated metadata structures where parent folder is not longer available

-d # display deleted entries only 
-r # recure
-p # display full path 
-m # display in toimeline bodyfile format 
-s <sec> # timeskew of system in seconds 

fls -r -m C: D:/cases/cdrive.e01 > D:/cases/cdrive/out.bodyfile

mactime

takes a bodyfile (from either fls or ) and parses into format that can be analysed:

-b # bodyfile location
-y # dates are displayed in ISO 8601 format
-z # specify time zone 
-d # comma-delimited format 

mactime [options] -d -b <bodyfile> -z <timezone> > timeline.csv

MFTECmd