Poster of Linux kernelThe best gift for a Linux geek
MACTIME

MACTIME

Section: User Commands (1) Local index Up
 

NAME

mactime - an mtime, atime, and ctime reporter  

SYNOPSIS

mactime [ -DfhlnRsty [ -d directory ] [ -g group ] [ -p passwd ] [ -u user ] [ -b bodyfile ] time1 [ -time2 ]  

DESCRIPTION

mactime is a program that attempts to determine what files were accessed or modified within a given time frame. The information is either calculated on the fly (with the -d flag) or taken from an already calculated database; see the program grave-robber)

Format of the time is typically month/date/year - e.g. 4/5/2009. It requires a full four digit year, and the date must be after 1/1/1970.

Time2 is a date that should be after time1; it makes the program look for dates in this range.

 

OPTIONS

-b file
use this file as an alternate "body" file (the file that has all the information about the file system), instead of what is configured in coroner.cf.

-d
directory. Scans and reports on this directory instead of using the existing database; e.g. does NOT use the existing body database file.

-D
debugging flag. Lots and lots of output. You don't want this!

-f filename
flag files listed in file as a different color (HTML only).

-g group
uses an alternate group file for printing groups.

-h
emit some simple HTML stuff rather than plain ASCII text.

-l
takes "last" output, sort of, as a time. Last looks like:

        zen ttyp2 random.trouble.o Sat Mar 21 16:24 - 11:43 (19:19)

        This program wants everything from the date on; in this case, the:
        "Sat Mar 21 16:24 - 11:43 (19:19)" bit. Note that it calculates
        the time the user was on from the parenthesized time, not the time
        after the "-", which doesn't do multiple days, etc. very well.
        It doesn't understand certain things like "still logged in":

        zen ftp 208.197.253.142 Sun Mar 22 13:49 still logged in

        And other valid last entries from last(1).

-n
takes normal "date" output, which looks something like:         "Tue Apr 7 17:20:43 PDT 1998"

-p passwd
uses an alternate password file for printing uids.

-R
recursively go through subdirectories (only useful with the -d flag)

-s
flag SUID/SGID files as a different color (HTML only).

-t
output in time machine format

-y
Print year first to avoid euro/US data ambiguity - normally stuff is MM/DD/YYYY, this does YYYY/MM/DD.

-u user
flag files owned by user as a different color (HTML only).

 

FILES

coroner.cf - some global TCT defaults and configuration details (is perl executable code).

 

SEE ALSO

grave-robber(1), stat(2V)  

LICENSE

Distributed under the details found in the COPYRIGHT file found in the root directory of The Coroner's Toolkit.  

AUTHOR(S)

dan farmer
zen@fish.com
EarthLink
 

Index

NAME
SYNOPSIS
DESCRIPTION
OPTIONS
FILES
SEE ALSO
LICENSE
AUTHOR(S)
This document was created by man2html, using the manual pages.
Time: 21:14:45 GMT, April 16, 2011