MACTIME(1)

NAME

mactime - an mtime, atime, and ctime reporter

SYNOPSIS

mactime [ -DfhlnRsty ] [ -d directory ] [ -g group ] [ -p passwd ] [ -u user ] [ -b bodyfile ] time1 [ -time2 ]

DESCRIPTION

mactime is a program that attempts to determine what files were accessed or modified within a given time frame. The information is either calculated on the fly (with the -d flag) or taken from an already calculated database (see the program grave-robber).

The time format is typically month/date/year, e.g. 4/5/2009. It requires a full four-digit year, and the date must be after 1/1/1970.

Time2 is a date that should be after time1; it makes the program look for dates in this range.

OPTIONS

-b file
use this file as an alternate "body" file (the file that has all the information about the file system), instead of what is configured in coroner.cf.

-d directory
scans and reports on this directory instead of using the existing database; i.e. does NOT use the existing body database file.

-D
debugging flag. Lots and lots of output. You don't want this!

-f filename
flag files listed in file as a different color (HTML only).

-g group
uses an alternate group file for printing groups.

-h
emit some simple HTML stuff rather than plain ASCII text.

-l
takes "last" output, sort of, as a time. Last looks like:

zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 11:43 (19:19)

This program wants everything from the date on; in this case, the "Sat Mar 21 16:24 - 11:43 (19:19)" bit. Note that it calculates the time the user was on from the parenthesized time, not the time after the "-", which doesn't do multiple days, etc. very well. It doesn't understand certain things like "still logged in":

zen ftp 208.197.253.142 Sun Mar 22 13:49   still logged in

and other valid last entries from last(1).

-n
takes normal "date" output, which looks something like: "Tue Apr 7 17:20:43 PDT 1998"

-p passwd
uses an alternate password file for printing uids.

-R
recursively go through subdirectories (only useful with the -d flag).

-s
flag SUID/SGID files as a different color (HTML only).

-t
output in time machine format.

-y
print year first to avoid euro/US date ambiguity. Normally stuff is MM/DD/YYYY; this does YYYY/MM/DD.

-u user
flag files owned by user as a different color (HTML only).
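
The -l handling described above, as an added sketch in Python (not mactime's own Perl code): the session window is the login time plus the parenthesized duration, and entries without one, such as "still logged in", are rejected. The function name last_window, the year argument (last(1) prints no year) and the sample lines are assumptions made for this example; the "(D+HH:MM)" form is how last(1) prints sessions longer than a day.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in last(1) format, modelled on the entries above.
SAMPLE_LAST = [
    "zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 11:43 (19:19)",
    "zen ttyp4 random.trouble.o Mon Mar 23 09:00 - 11:30 (2+02:30)",
    "zen ftp 208.197.253.142 Sun Mar 22 13:49   still logged in",
]

MONTHS = {name: i for i, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# month, day, login HH:MM, "- <logout>", then "(HH:MM)" or "(D+HH:MM)".
LAST_RE = re.compile(
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<lh>\d{1,2}):(?P<lm>\d{2})"
    r"\s+-\s+\S+\s+\((?:(?P<d>\d+)\+)?(?P<h>\d{1,2}):(?P<m>\d{2})\)\s*$"
)


def last_window(line, year):
    """Return (login, logout) datetimes for a closed session, else None.

    The logout is login + the parenthesized duration; the HH:MM after "-"
    is ignored because it cannot express sessions spanning several days.
    `year` is an assumption supplied by the caller: last(1) prints none.
    """
    m = LAST_RE.search(line)
    if m is None:          # e.g. "still logged in": no duration to use
        return None
    try:
        login = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                         int(m["lh"]), int(m["lm"]))
    except (KeyError, ValueError):   # unknown month or impossible date
        return None
    length = timedelta(days=int(m["d"] or 0),
                       hours=int(m["h"]), minutes=int(m["m"]))
    return login, login + length


if __name__ == "__main__":
    for entry in SAMPLE_LAST:
        print(entry, "->", last_window(entry, 1998))
```
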

FILES

coroner.cf - some global TCT defaults and configuration details (it is executable Perl code).

SEE ALSO

grave-robber(1), stat(2V)

LICENSE

Distributed under the details found in the COPYRIGHT file in the root directory of The Coroner's Toolkit.

AUTHOR(S)

dan farmer
zen@fish.com
EarthLink