Provided by: sleuthkit_3.2.3-2.2_amd64 bug

NAME

       mactime - Create an ASCII time line of file activity

SYNOPSIS

       mactime  [-b  body  ]  [-g  group  file  ] [-p password file ] [-i (day|hour) index file ]
       [-dhmVy] [-z TIME_ZONE ] [DATE_RANGE]

DESCRIPTION

       mactime creates an ASCII time line of file activity based on the body  file  specified  by
       '-b'  or  from  STDIN.   The time line is written to STDOUT.  The body file must be in the
       time machine format that is created by 'ils -m', 'fls -m', or the mac-robber tool.

ARGUMENTS

       -b body
              Specify the location of a body file.  This file must be generated by a tool such as
              'fls  -m'  or 'ils -m'.  The 'mac-robber' and 'grave-robber' tools can also be used
              to generate the file.

       -g group file
              Specify the location of the group  file.   mactime  will  display  the  group  name
              instead of the GID if this is given.

       -p password file
              Specify  the  location  of  the  passwd  file.   mactime will display the user name
              instead of the UID of this is given.

       -i day|hour index file
              Specify the location of an index file to write to.  The  first  argument  specifies
              the  granularity,  either  an  hourly summary or daily.  If the ´-d´ flag is given,
              then the summary will be separated by a ',' to import into a spread sheet.

       -d     Display timeline and index files in comma delimited format.  This is used to import
              the data into a spread sheet for presentations or graphs.

       -h     Display  header  info  about  the  session  including time range, input source, and
              passwd or group files.

       -V     Display version to STDOUT.

       -m     The month is given as a number instead of name.

       -y     The date range is given with the year first.

       -z TIME_ZONE
              The timezone from where the data was collected.   The  name  of  this  argument  is
              system dependent (examples include EST5EDT, GMT+1).

       DATE_RANGE
              The  range  of  dates to make the time line for.  The standard format is yyyy-mm-dd
              for a starting date and no ending date. For an ending date,  use  yyyy-mm-dd..yyyy-
              mm-dd.

LICENSE

       The  changes  from  mactime  in  TCT and mac-daddy are distributed under the Common Public
       License, found in the cpl1.0.txt file in the The Sleuth Kit licenses directory.

HISTORY

       A version of mactime first appeared in The Coroner's Toolkit (TCT) (Dan Farmer) and  later
       mac-daddy (Rob Lee).

AUTHOR

       Brian Carrier <carrier at sleuthkit dot org>

       Send documentation updates to <doc-updates at sleuthkit dot org>

                                                                                       MACTIME(1)