Difference between pages "MAC times" and "Libsmraw"

MAC times

The term '''MAC times''' refers to the timestamps of the latest ''modification'' (mtime) or last written time, ''access'' (atime) or ''change'' (ctime) of a certain file.

[[Unix]] systems maintain the historical interpretation of ''ctime'' as the time when certain file metadata, not its contents, were last changed, such as the file's permissions or owner (e.g. 'This file's metadata was changed on 05/05/02 12:15pm').

[[Windows]] systems are the only systems that use ''birth'' (btime) or creation (crtime) time (e.g. 'This file was created on 05/05/02 12:15pm'). Hence MACB: Modification, Access, Change and Birth.

In [[NTFS]] each file has a time stamp for 'Create', 'Modify', 'Access', and 'Entry Modified'. The latter refers to the time when the MFT entry itself was modified. These four values are commonly abbreviated as the 'MACE' values.

Other file systems like [[HFS+|HFS]] include different timestamps, e.g. a backup time.

== Time resolution ==

When dealing with MAC times it is important to know and understand the concept of time resolution.

On the [[FAT]] file system (in Windows NT):

* the creation time has a resolution of 10 milliseconds,
* the last written time has a resolution of 2 seconds,
* and the access time has a resolution of 1 day.

On NTFS, the access time has a resolution of 1 hour [http://msdn.microsoft.com/en-us/library/ms724284.aspx].
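The following is an added example, not part of the ForensicsWiki page: it quantizes timestamps to the FAT resolutions listed above, showing that two events 1.5 seconds apart can share the same last written time and access time on a FAT volume while still differing in creation time. Truncation (rather than rounding) to the field's resolution is an assumption made here.

```python
from datetime import datetime, timedelta, timezone

# FAT (Windows NT) timestamp resolutions as listed on the page.
FAT_RESOLUTION = {
    "crtime": timedelta(milliseconds=10),  # creation time
    "mtime": timedelta(seconds=2),         # last written time
    "atime": timedelta(days=1),            # access time
}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def quantize(ts: datetime, resolution: timedelta) -> datetime:
    """Floor a UTC timestamp to a multiple of `resolution`, the way a coarse
    on-disk field would store it (assumption: truncation, not rounding)."""
    steps = (ts - _EPOCH) // resolution   # timedelta // timedelta -> int
    return _EPOCH + steps * resolution


def fat_view(kind: str, iso_ts: str) -> str:
    """Return the ISO-8601 value a FAT volume could record for field `kind`."""
    ts = datetime.fromisoformat(iso_ts)
    if ts.tzinfo is None:          # treat naive input as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return quantize(ts, FAT_RESOLUTION[kind]).isoformat()


def distinguishable(kind: str, iso_a: str, iso_b: str) -> bool:
    """True if two events still differ after FAT quantization of `kind`."""
    return fat_view(kind, iso_a) != fat_view(kind, iso_b)


def timeline_collapse() -> dict:
    """Constructed pair of events 1.5 s apart, checked against each field.
    Only the 10 ms creation time keeps them apart; mtime and atime merge."""
    a = "2002-05-05T12:15:00.000+00:00"
    b = "2002-05-05T12:15:01.500+00:00"
    return {kind: distinguishable(kind, a, b) for kind in FAT_RESOLUTION}
```

When ordering events on a FAT timeline, treat a shared 2-second mtime or a shared day of atime as "same bucket", not "same instant".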
== Access Time Update ==

On various operating systems the update of the access time can be disabled. This means that when a file is accessed, the atime in the corresponding file system entry is not updated.

=== [[Windows]] ===

In Windows the access time behavior is controlled by the registry key:

<pre>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
</pre>

Where a value of ''1'' indicates that the access time update is disabled. This is the default setting as of [[Windows]] Vista.

=== [[Linux]] ===

In Linux the ''noatime'' mount option indicates the access time update should be disabled.
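Added example, not part of the page: a small parser for /proc/mounts-style lines that reports, per mount, whether Linux will still update atime, so an examiner knows which volumes' access times can be trusted. The sample lines are constructed; the handling of ro, relatime and strictatime is standard Linux mount behaviour assumed here beyond the page's noatime.

```python
# Constructed /proc/mounts-style lines (not taken from the page).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /evidence ext4 ro,noatime 0 0
/dev/sdc1 /mnt/usb vfat rw,nosuid,nodev,fmask=0022 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,strictatime 0 0
"""


def parse_mounts(text: str) -> list:
    """Parse /proc/mounts-style lines into dicts; malformed lines are skipped."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mount_point, fs_type, options = fields[:4]
        mounts.append({"device": device, "mount_point": mount_point,
                       "fs_type": fs_type, "options": options.split(",")})
    return mounts


def atime_updates(options: list) -> str:
    """Classify how atime behaves for a mount from its option list.

    'noatime' is the option the page describes. 'ro', 'relatime' and
    'strictatime' are standard Linux mount options assumed here beyond the
    page: a read-only mount never writes atime, relatime updates it only when
    it is older than mtime/ctime (or more than a day old), and strictatime
    updates it on every access."""
    if "noatime" in options or "ro" in options:
        return "never"
    if "strictatime" in options:
        return "every access"
    if "relatime" in options:
        return "relative"
    return "kernel default"


def atime_report(text: str = SAMPLE_PROC_MOUNTS) -> dict:
    """Map each mount point to its atime behaviour."""
    return {m["mount_point"]: atime_updates(m["options"])
            for m in parse_mounts(text)}
```

On a live system, pass the contents of /proc/mounts to atime_report instead of the constructed sample.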
== See Also ==

* [[Timestomp]]

== External Links ==

* [http://en.wikipedia.org/wiki/MAC_times Wikipedia: MAC times]
* [http://www.drdobbs.com/what-are-mactimes/184404275 What Are MACtimes?], by Dan Farmer, Oct 2000

=== NTFS ===

* [http://www.winguides.com/registry/display.php/50/ Disable the NTFS Last Access Time Stamp]
* [http://support.microsoft.com/kb/299648 Microsoft KB 299648: Description of NTFS date and time stamps for files and folders]

Revision as of 07:46, 21 June 2014

libsmraw
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libsmraw/

The libsmraw package contains a library and applications to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes.

History

Libsmraw was created by Joachim Metz in 2010, while working for Hoffmann Investigations (http://en.hoffmannbv.nl/). Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.

Tools

The libsmraw package contains the following tools:

  • smrawmount, which FUSE mounts (split) RAW image files.

The libsmraw package also contains the following bindings:

  • pysmraw, bindings for Python (libsmraw 20140621 or later).

Examples

FUSE mounting a split RAW image (libsmraw 20110916 or later):

  smrawmount image.raw.000 mount_point

Or:

  smrawmount image.raw.??? mount_point

Also See

RAW Image format

External Links

  • Project site: https://code.google.com/p/libsmraw/