We are going to use the MFTECmd tool, developed by Eric Zimmerman, to build a filesystem-based timeline.
G:\>MFTECmd.exe -f "<Source>" --body "<Dest>" --bodyf <filename.body> --blf --bdl <Drive>
Tool Details:
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
Running this command saves the parsed data as a body file at the specified destination.
Once you have the body file, you can use the SANS SIFT workstation to create a timeline from it (here restricted to a date range and written out as CSV):
mactime -z UTC -y -d -b /test.body 2019-07-23..2019-08-07 > /test-filesystem-timeline.csv
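As an added example (not code from the original page, MFTECmd or SIFT), the script below does in Python what the mactime step above does with the body file MFTECmd writes: it parses the TSK 3.x body format (field order assumed to be MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime), collapses identical timestamps of one file into a single MACB-flagged row, and keeps only rows inside a UTC date range. The body lines embedded in it are constructed sample data, not real evidence.

```python
"""Minimal mactime-style timeliner for a TSK 3.x body file (added example)."""
import csv
import sys
from datetime import datetime, timezone

# Constructed sample body lines (not real evidence). Timestamps are Unix epoch, UTC.
SAMPLE_BODY = """\
0|C:\\Windows\\Temp\\run.bat|41-1|r/rrwxrwxrwx|0|0|120|1564531200|1564531200|1564531200|1564531200
0|C:\\Users\\bob\\a.docx|52-3|r/rrwxrwxrwx|0|0|2048|1564012800|1563926400|1563926400|1560000000
0|C:\\old.log|7-1|r/rrwxrwxrwx|0|0|10|1500000000|1500000000|1500000000|1500000000
"""

def parse_body(text):
    """Yield one record per body line; lines without exactly 11 fields are skipped."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 11:
            continue  # malformed or truncated line, ignore rather than guess
        yield {"name": parts[1], "inode": parts[2], "mode": parts[3], "size": int(parts[6]),
               # a=last access, m=content modified, c=metadata changed, b=born (created)
               "times": {"a": int(parts[7]), "m": int(parts[8]), "c": int(parts[9]), "b": int(parts[10])}}

def timeline(text, start, end):
    """Return sorted rows (date, size, MACB, mode, inode, name) in UTC for
    timestamps with start <= ts < end, where start/end are ISO dates (YYYY-MM-DD)."""
    lo = datetime.fromisoformat(start).replace(tzinfo=timezone.utc).timestamp()
    hi = datetime.fromisoformat(end).replace(tzinfo=timezone.utc).timestamp()
    rows = []
    for rec in parse_body(text):
        by_ts = {}  # group the four timestamps of this file by their value
        for flag in "macb":
            by_ts.setdefault(rec["times"][flag], set()).add(flag)
        for ts, flags in by_ts.items():
            if ts == 0 or not (lo <= ts < hi):
                continue  # zero means "no timestamp"; otherwise outside the requested window
            macb = "".join(f.upper() if f in flags else "." for f in "macb")
            when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
            rows.append((when, rec["size"], macb, rec["mode"], rec["inode"], rec["name"]))
    rows.sort()
    return rows

if __name__ == "__main__":
    # Same window as the mactime command on this page; output is CSV on stdout.
    writer = csv.writer(sys.stdout)
    writer.writerow(["Date", "Size", "Type", "Mode", "Meta", "File Name"])
    writer.writerows(timeline(SAMPLE_BODY, "2019-07-23", "2019-08-07"))
```

Run it against a real body file by replacing SAMPLE_BODY with the contents of the file MFTECmd wrote; the MACB column reads the same way as mactime's Type column.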
You can then use another tool, Timeline Explorer, to analyze the resulting timeline CSV.