First, download and install The Sleuth Kit for Windows. For ease of use, I put mine in the root of C:\. From the command line, run “fls -m "C:/" -f ntfs -r \\.\C: > "path_to_output_file"”. My example looks like this…
The “-m” option tells fls to write its output in body file format, which is what mactime needs in the next step.
The "C:/" argument to -m is the mount point prefix fls writes into the output file. When you view the output, every path will appear to start with C:\. This can be anything…C:, D:, E:, /, your_mom, whatever…just know that EVERY file will look like it is stored in THIS volume.
The -f ntfs…well…duh…means the file system type is NTFS. You can run “fls -f list” for a full listing of supported file system types.
-r tells fls to recurse through every directory, and \\.\C: is the Windows device path for the C: volume, so fls reads the raw NTFS volume directly rather than going through the file system API.
Finally, the > is used to send the output to a file of your choosing. I simply called this “bodyfile”.
I have a 250GB HDD on my laptop, roughly 50 of which is being used. The FLS command took roughly two minutes to run, and the output file was about 11MB. Also, I sent my output to the desktop. If you send your output to an external storage device, or to a network share, you may see that it takes a bit more time to run.
Once your fls command completes, you can run mactime to turn your body file into something a bit more user friendly. To do this, run, “mactime -d -b
This step is very quick and should finish in just a few seconds. Once it’s finished, you can either open the result with a spreadsheet (MS Excel, OpenOffice Calc, etc.), parse it with command line utilities like grep, or use a text-based editor like TextPad to search through it.
Here is an example of my .csv when I opened it with MS Excel…
As you can see, my output shows the day, month, date and time, the size, and what happened to the file at that time (M = Modified, A = Accessed, C = MFT Modified (Changed), B = Created (Birthed)). I found this nice table on the Sleuth Kit wiki that describes what the MAC times mean on each file system… (You can see the full breakdown of mactime output here.)
The next field is Unix permissions…yes, even though my timeline is from my Windows XP NTFS file system, permissions are still displayed in Unix format. The first character is either r = regular file or d = directory. The next nine letters are r = read, w = write, or x = execute, in groups of three…the first three apply to the owner of the file, the second three to the owner’s group, and the last three to everyone else.
The next two sections are User ID and Group ID. Both are 0s, so I have hidden them both. The next group is Inode or Metadata address in NTFS. The last column is the full path to the file.
So from my example above, it pretty clearly shows that I installed Wireshark on January 27th, 2010 at around 11:18pm.
Also, now that you have your timeline, you can search it for whatever you want: specific days, certain paths, or specific applications.
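To make the fls/mactime steps and the column layout concrete, here is an added example (not from the post or from The Sleuth Kit itself) that does the job of mactime in Python: it parses a body file in the format fls -m writes, emits one row per file per distinct timestamp with the M/A/C/B flags described above, and searches the result by path the way you would grep for an application name. The body file lines are constructed for the example; timestamps are rendered in UTC (real mactime uses the local time zone unless told otherwise with -z).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample body file (not from the post), in the TSK 3.x layout fls -m writes:
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Times are Unix epoch seconds; 0 means "not set" and is skipped, as mactime does.
SAMPLE_BODYFILE = """\
0|C:/Program Files/Wireshark/wireshark.exe|12345-128-1|r/rrwxrwxrwx|0|0|1234567|1264634300|1264634280|1264634280|1264634280
0|C:/Program Files/Wireshark|12344-144-1|d/drwxrwxrwx|0|0|56|1264634300|1264634280|1264634280|1264634280
0|C:/WINDOWS/notepad.exe|777-128-1|r/rrwxrwxrwx|0|0|69120|1264634400|1090000000|1090000000|0
"""

FIELDS = ("md5", "name", "inode", "mode", "uid", "gid", "size",
          "atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Split body-file lines into dicts; numeric fields become ints.

    NTFS does not allow '|' in file names, so a plain split on '|' is safe here.
    """
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for key in ("size", "atime", "mtime", "ctime", "crtime"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def build_timeline(records):
    """One event per (file, distinct timestamp), flagged M/A/C/B like mactime's Type column.

    If several of a file's four timestamps are equal, they collapse into one row
    (e.g. "M.CB" for a file that was created and never touched since).
    """
    events = []
    for rec in records:
        flags_at = defaultdict(set)
        for flag, key in (("M", "mtime"), ("A", "atime"), ("C", "ctime"), ("B", "crtime")):
            if rec[key] != 0:
                flags_at[rec[key]].add(flag)
        for ts, flags in flags_at.items():
            macb = "".join(f if f in flags else "." for f in "MACB")
            events.append((ts, macb, rec))
    # Chronological order, then by path so rows with equal times are stable.
    events.sort(key=lambda ev: (ev[0], ev[2]["name"]))
    return events


def format_row(event):
    """Render an event as a comma-separated row in the column order mactime -d uses:
    date, size, type, mode, UID, GID, metadata address, file name."""
    ts, macb, rec = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %Y %H:%M:%S")
    return ",".join([when, str(rec["size"]), macb, rec["mode"],
                     rec["uid"], rec["gid"], rec["inode"], rec["name"]])


def search_timeline(events, term):
    """Case-insensitive substring search on the path, e.g. an application name."""
    term = term.lower()
    return [ev for ev in events if term in ev[2]["name"].lower()]


if __name__ == "__main__":
    timeline = build_timeline(parse_bodyfile(SAMPLE_BODYFILE))
    for ev in search_timeline(timeline, "wireshark"):
        print(format_row(ev))
```

Run against a real body file by reading the fls output into parse_bodyfile instead of SAMPLE_BODYFILE; the search step is the programmatic equivalent of filtering the spreadsheet on the path column for the application or date you care about.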
This is great stuff and can (and should) easily be incorporated into any investigation.