We are going to use the MFTECmd tool developed by Eric Zimmerman to perform a filesystem based timeline.
G:\>MFTECmd.exe -f "<Source>" --body "<Dest>" --bodyf <filename.body> --blf --bdl <Drive>
Tool Details:
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
Running this command will save the data in a body file at the specified destination location.
Once you have the body - you can use SANS Sift workstation create a timeline out of the bodyfile
mactime -z UTC -y -d -b /test.body 2019-07-23..2019-08-07 > /test-filesystem-timeline.csv
G:\>MFTECmd.exe -f "<Source>" --body "<Dest>" --bodyf <filename.body> --blf --bdl <Drive>
Tool Details:
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
Running this command will save the data in a body file at the specified destination location.
Once you have the body - you can use SANS Sift workstation create a timeline out of the bodyfile
mactime -z UTC -y -d -b /test.body 2019-07-23..2019-08-07 > /test-filesystem-timeline.csv
You can use another tool called Timeline Explorer to analyze the timeline.
RSS Feed