FLS & Mactime
FLS
fls is part of The Sleuth Kit (the toolkit behind Autopsy), designed to extract filename and metadata information for files. There are three different types of data to collect:
allocated files - normally active files; these are what one would see when performing a directory listing
deleted files - unallocated files whose name structures still exist. Sometimes the metadata of deleted files can contain full path info
orphaned files - data from unallocated metadata structures where the parent folder is no longer available
-d # display deleted entries only
-r # recurse into directories
-p # display full path
-m # display in timeline bodyfile format
-s <sec> # timeskew of system in seconds
fls -r -m C: D:/cases/cdrive.e01 > D:/cases/cdrive/out.bodyfile
Mactime
mactime takes a bodyfile (from either fls or MFTECmd) and parses it into a format that can be analysed:
-b # bodyfile location
-y # dates are displayed in ISO 8601 format
-z # specify time zone
-d # comma-delimited format
mactime [options] -d -b <bodyfile> -z <timezone> > timeline.csv
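To show what a bodyfile holds and what the mactime step does with it, here is an added example (not part of the original notes and not The Sleuth Kit's own code) that parses constructed lines in the TSK 3.x bodyfile layout and collapses them into a sorted timeline with MACB flags. The function names, sample paths and the reduced CSV column set are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the TSK 3.x bodyfile layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODYFILE = """\
0|C:/Users/alice/notes.txt|4321-128-1|r/rrwxrwxrwx|0|0|120|1700000300|1700000200|1700000200|1700000100
0|C:/Users/alice/tool.exe (deleted)|4400-128-3|r/rrwxrwxrwx|0|0|51200|1700000200|1700000200|1700000200|1700000200
0|C:/$OrphanFiles/old.tmp|4555-128-1|r/rrwxrwxrwx|0|0|0|0|1700000100|1700000100|1700000100
"""

def parse_bodyfile(text):
    """Yield (name, inode, size, {flag: epoch}) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) < 11:
            continue  # blank, comment or truncated line
        # Names on some file systems may contain '|', so the nine fields
        # after the name are counted from the right-hand end.
        name = "|".join(parts[1:-9])
        inode, size = parts[-9], int(parts[-5])
        atime, mtime, ctime, crtime = (int(x) for x in parts[-4:])
        yield name, inode, size, {"m": mtime, "a": atime, "c": ctime, "b": crtime}

def build_timeline(text):
    """Return rows (utc_time, macb, size, inode, name), oldest first."""
    events = defaultdict(set)
    for name, inode, size, stamps in parse_bodyfile(text):
        for flag, epoch in stamps.items():
            if epoch > 0:  # 0 means the timestamp was not recorded
                events[(epoch, name, inode, size)].add(flag)
    rows = []
    for (epoch, name, inode, size), flags in sorted(events.items()):
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(epoch, timezone.utc)
        rows.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), macb, size, inode, name))
    return rows

def to_csv(rows):
    """Render the timeline as comma-delimited text (simplified column set)."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Date", "Type", "Size", "Meta", "File Name"])
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(build_timeline(SAMPLE_BODYFILE)), end="")
```

Rows that share a timestamp for the same entry are merged into one line, which is why the deleted executable appears once with all four flags set.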