Using FLS

This post details the steps for using fls.exe and mactime.pl on Windows to get the MACB timestamps for files on an image.

There are some prerequisites to download or install first; see the links at the bottom for download URLs:

  1. Perl
  2. Python
  3. fls.exe and mactime.pl
  4. FTK Imager
  5. Timeline Explorer

1) Mount the image using FTK Imager, for example as drive M:

2) Launch cmd or PowerShell with admin rights

3) cd to the folder containing fls.exe and mactime.pl

4) fls.exe -r -m M: \\.\M: >outputbodyfile

  • -r to recurse into directories
  • -m M: to output in mactime/bodyfile format, with M: prepended to each file path as the mount point
  • \\.\M: is the target drive

5) mactime.pl -z Singapore -d -b outputbodyfile > output.csv

  • -z to set the timezone
  • -d to output in comma-delimited (CSV) format
  • -b to specify the location of the body file

6) Load output.csv in Timeline Explorer
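
To show what step 4 writes and what step 5 derives from it, here is an added Python example (not from the original post and not Sleuth Kit code) that parses bodyfile records and collapses them into MACB rows. The sample records are constructed, the row layout is simplified rather than mactime's exact CSV, and a fixed UTC+8 offset stands in for -z Singapore.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the TSK 3.x bodyfile layout:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
SAMPLE_BODY = (
    "0|M:/Users/demo/report.docx|4242-128-1|r/rrwxrwxrwx|0|0|20480|"
    "1700003600|1700000000|1700000000|1700000000\n"
    "0|M:/Temp/a|b.tmp|5150-128-3|r/rrwxrwxrwx|0|0|12|"
    "1700007200|1700007200|1700007200|0\n"
)

# Assumption: a fixed UTC+8 offset stands in for the page's "-z Singapore".
SGT = timezone(timedelta(hours=8))


def parse_body_line(line):
    """Split one bodyfile record; the file name may itself contain '|'."""
    md5, rest = line.rstrip("\r\n").split("|", 1)
    # The nine fields after the name never contain '|', so split from the right.
    name, inode, mode, uid, gid, size, *times = rest.rsplit("|", 9)
    atime, mtime, ctime, crtime = (int(t) for t in times)
    return {"name": name, "inode": inode, "size": int(size),
            "m": mtime, "a": atime, "c": ctime, "b": crtime}


def build_timeline(body_text, tz=SGT):
    """Return sorted (time, size, macb, inode, name) rows, one per file per instant."""
    events = defaultdict(set)
    for line in body_text.splitlines():
        if not line.strip():
            continue
        rec = parse_body_line(line)
        for flag in "macb":
            if rec[flag] > 0:  # this example treats 0 as "timestamp not set"
                key = (rec[flag], rec["name"], rec["inode"], rec["size"])
                events[key].add(flag)
    rows = []
    for (ts, name, inode, size), flags in sorted(events.items()):
        # Timestamps that coincide for one file share a row, e.g. "m.cb".
        macb = "".join(f if f in flags else "." for f in "macb")
        when = datetime.fromtimestamp(ts, tz).isoformat()
        rows.append((when, size, macb, inode, name))
    return rows


if __name__ == "__main__":
    for row in build_timeline(SAMPLE_BODY):
        print(",".join(str(col) for col in row))
```

A row such as m.cb next to a later .a.. row for the same file is the pattern to read in Timeline Explorer: the file was written once and accessed afterwards.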


Get Perl here [download ActivePerl]:

http://www.perl.org/get.html#win32

Get Python here [download 2.7.xx version]:

https://www.python.org/downloads/windows/

Get fls.exe & mactime.pl here:

https://www.sleuthkit.org/sleuthkit/download.php

Get FTK Imager Lite here:

http://marketing.accessdata.com/e/46432/ftkimagerlite3-1-1-download/3w1gdf/1200589364

Get Timeline Explorer here:

https://ericzimmerman.github.io/#!index.md

Information gathered from the following sites:

  1. http://thedigitalstandard.blogspot.com/2010/03/creating-timeline-of-live-windows.html
  2. http://www.sleuthkit.org/sleuthkit/man/fls.html
  3. http://www.sleuthkit.org/sleuthkit/man/mactime.html
  4. https://www.thoughtco.com/how-to-install-and-run-perl-2641103