Option to show stat times for bodyfile in human-readable format #249
Replies: 2 comments 1 reply
-
|
I see in uac-tests that this may already be in the v3 planning stage (test_get_epoch_date.sh) along with another discussion item I was going to open (password protected .zip export files). If those are verified to v3, I can close the comment (and not make another one). :) |
Beta Was this translation helpful? Give feedback.
-
|
Hi, Concerning the human-readable dates/times in the bodyfile, the plan is not to change the bodyfile format as it is a well known format used by most forensic tools and scripts. I recommend you to use the mactime tool to quickly convert the bodyfile date/time into a human-readable format. Also, the bodyfile is created using the stat tool. stat does not provide a built-in option to show the timestamps in human-readable format. To provide such feature, UAC would need to convert all timestamps using the date command. Just think about a system with 100k entries in the bodyfile. UAC would need to run the date tool 400k times (one for each timestamp) during the acquisition process. This would consume a lot of resources in the target system. |
Beta Was this translation helpful? Give feedback.
-
|
Makes sense, I was just looking at what was writing to bodyfile (was assuming stat_collector.sh) and seeing it using %X|%Y|%Z|%W, if option to change that to %x|%y|%z|%w instead for bodyfile output only. Not a worry! Will use mactime. |
Beta Was this translation helpful? Give feedback.
-
Currently the bodyfile will show atime, mtime, ctime, btime in time since the epoch, due to the usage of %X %Y %Z %W in the stat output on execution. Could an option be added on execution for the bodyfile to use human-readable time/date output instead (eg. use %x %y %z %w)?
Beta Was this translation helpful? Give feedback.
All reactions