Fun with forensic timeline analysis.

Tonight I was working on the SANS SEC508 Forensics day 6 challenge. For fun I wanted to see if I could easily filter out all timeline entries where the file involved was over a certain size. The body file was created in Autopsy. Then I went to the output folder and ran my own commands.

I told mactime to output CSV so the columns I would be putting through awk would be consistent. Then I fed it through awk with a variable defined for the minimum size I wanted to filter on. What I get out is all entries after the desired start date where the file size was minsize or larger. Handy for spotting someone dropping their own large tarballs etc. to install rootkits and other fun code.

mactime -d -b body -z CST6CDT 2000-11-07 > timeline.csv

cat timeline.csv | awk -F',' -v minsize="100000000" '{if ($2>=minsize) {printf "%s\n", $0}}'
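
An added example, not part of the original post: mactime writes one row per distinct timestamp, so the awk filter above prints the same large file several times. This version lists each large file once with its earliest timeline entry, largest first. It assumes the `Date,Size,Type,Mode,UID,GID,Meta,File Name` column order for `mactime -d` output; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed mactime -d columns:
#   Date,Size,Type,Mode,UID,GID,Meta,File Name

# Constructed sample timeline (not real case data).
sample_timeline() {
    cat <<'EOF'
Date,Size,Type,Mode,UID,GID,Meta,File Name
Tue Nov 07 2000 21:02:11,4096,m.c.,d/drwxr-xr-x,0,0,2001,/tmp/upload
Tue Nov 07 2000 21:03:40,104857600,m...,-/-rw-r--r--,0,0,2002,/tmp/upload/big.tar.gz
Tue Nov 07 2000 21:03:52,104857600,.a..,-/-rw-r--r--,0,0,2002,/tmp/upload/big.tar.gz
Tue Nov 07 2000 21:09:15,250000000,mac.,-/-rw-r--r--,0,0,2003,"/tmp/a,b.tar"
Wed Nov 08 2000 02:14:07,99999999,m.c.,-/-rw-r--r--,0,0,2004,/var/log/messages
EOF
}

# large_files MINSIZE [CSV]
# Prints "size,first_seen,name" once per file whose size >= MINSIZE,
# largest first. Reads stdin when no CSV file is given.
large_files() {
    awk -F',' -v minsize="$1" '
        # Skip the header and any row whose size column is not a number.
        $2 !~ /^[0-9]+$/ { next }
        ($2 + 0) >= (minsize + 0) {
            # A file name may itself contain commas: rejoin fields 8..NF.
            name = $8
            for (i = 9; i <= NF; i++) name = name "," $i
            # mactime output is chronological, so the first row seen for
            # a name carries its earliest timestamp.
            if (!(name in seen)) {
                seen[name] = 1
                printf "%s,%s,%s\n", $2, $1, name
            }
        }
    ' ${2:+"$2"} | sort -t',' -k1,1nr
}

# Demo on the constructed rows; for a real case: large_files 100000000 timeline.csv
sample_timeline | large_files 100000000
```
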