man mactime (Commands) - an mtime, atime, and ctime reporter

NAME

mactime - an mtime, atime, and ctime reporter

SYNOPSIS

mactime [ -DfhlnRsty ] [ -d directory ] [ -g group ] [ -p passwd ] [ -u user ] [ -b bodyfile ] time1 [ -time2 ]

DESCRIPTION

mactime is a program that attempts to determine what files were accessed or modified within a given time frame. The information is either calculated on the fly (with the -d flag) or taken from an already calculated database (see the program grave-robber).

Format of the time is typically month/date/year - e.g. 4/5/2009. It requires a full four digit year, and the date must be after 1/1/1970.

Time2 is a date that should be after time1; it makes the program look for dates in this range.

OPTIONS

-b file
use this file as an alternate "body" file (the file that has all the information about the file system), instead of what is configured in coroner.cf.
-d directory
scans and reports on this directory instead of using the existing database; i.e. does NOT use the existing body database file.
-D
debugging flag. Lots and lots of output. You don't want this!
-f filename
flag files listed in file as a different color (HTML only).
-g group
uses an alternate group file for printing groups.
-h
emit some simple HTML stuff rather than plain ASCII text.
-l
takes "last" output, sort of, as a time. Last looks like:

zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 11:43 (19:19)

This program wants everything from the date on; in this case, the "Sat Mar 21 16:24 - 11:43 (19:19)" bit. Note that it calculates the time the user was on from the parenthesized time, not the time after the "-", which doesn't do multiple days, etc. very well. It doesn't understand certain things like "still logged in":

zen ftp 208.197.253.142 Sun Mar 22 13:49 still logged in

And other valid last entries from last(1).

-n
takes normal "date" output, which looks something like: "Tue Apr 7 17:20:43 PDT 1998"
-p passwd
uses an alternate password file for printing uids.
-R
recursively go through subdirectories (only useful with the -d flag)
-s
flag SUID/SGID files as a different color (HTML only).
-t
output in time machine format
-y
Print year first to avoid euro/US date ambiguity - normally stuff is MM/DD/YYYY, this does YYYY/MM/DD.
-u user
flag files owned by user as a different color (HTML only).
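
Added example (not part of The Coroner's Toolkit or of this manual page): the arithmetic the -l option describes above, written in Python. It turns the date-onward part of a last(1) line into a login/logout window using the parenthesized duration. The year argument and the "days+" prefix inside the parentheses are assumptions, since last(1) prints no year and the page does not describe multi-day durations.

```python
import re
from datetime import datetime, timedelta

# Everything "from the date on", e.g. "Sat Mar 21 16:24 - 11:43 (19:19)".
# The optional "N+" day count inside the parentheses is an assumption taken
# from common last(1) output; the man page does not mention it.
LAST_RE = re.compile(
    r"(?P<dow>[A-Z][a-z]{2}) (?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
    r"(?P<hm>\d{2}:\d{2}) - \d{2}:\d{2} +"
    r"\((?:(?P<d>\d+)\+)?(?P<h>\d{1,2}):(?P<m>\d{2})\)\s*$"
)
DAYS = "Mon Tue Wed Thu Fri Sat Sun".split()


def last_window(line, year):
    """Return (login, logout) datetimes for one last(1) line.

    Returns None for entries with no parenthesized duration, such as
    "still logged in". `year` must be supplied by the analyst.
    """
    m = LAST_RE.search(line)
    if m is None:
        return None
    login = datetime.strptime(
        f"{m['mon']} {m['day']} {year} {m['hm']}", "%b %d %Y %H:%M")
    # A weekday that disagrees with the date means the assumed year is wrong.
    if DAYS[login.weekday()] != m["dow"]:
        raise ValueError(f"{m['dow']} does not match {login:%Y-%m-%d}")
    # The logout time comes from the duration, not from the "- HH:MM" field,
    # which carries no date and so cannot express a session crossing midnight.
    on_for = timedelta(days=int(m["d"] or 0),
                       hours=int(m["h"]), minutes=int(m["m"]))
    return login, login + on_for


if __name__ == "__main__":
    # First two lines are the page's own samples; the third is constructed.
    samples = [
        "zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 11:43 (19:19)",
        "zen ftp 208.197.253.142 Sun Mar 22 13:49 still logged in",
        "zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 18:30 (2+02:06)",
    ]
    for s in samples:
        print(last_window(s, 1998), "<-", s)
```

The year 1998 is chosen because the -n sample on this page is dated 1998 and its weekdays agree with the last(1) samples; a wrong year is rejected by the weekday check.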

FILES

coroner.cf - some global TCT defaults and configuration details (is perl executable code).

SEE ALSO

LICENSE

Distributed under the details found in the COPYRIGHT file found in the root directory of The Coroner's Toolkit.

AUTHOR(S)

dan farmer
zen@fish.com
EarthLink