VMthinker
How to get MACtimes on Windows via CMD Tools or C# codes

Hi there,

I have a question about finding a method to get the MACtimes as demonstrated in The Sleuth Kit, with which I would be able to get the timeline of a computer. I have downloaded the Windows version of The Sleuth Kit, but I can't seem to find the Perl program which runs the mactimes. Can someone please show me which program it is?

I would also like to ask if it's possible to retrieve it via C# code, through the Windows Registry or by any other method?

Thanks.
jkr

If you are thinking of http://en.wikipedia.org/wiki/MAC_times - that can be done using 'GetFileTime()' (http://msdn.microsoft.com/en-us/library/ms724320(VS.85).aspx), e.g.
#include <windows.h>

FILETIME ftCreationTime;
FILETIME ftLastAccessTime;
FILETIME ftLastWriteTime;

// Open the file read-only; FILE_SHARE_READ lets other readers keep working on it
HANDLE hFile = CreateFile(pszFileName,GENERIC_READ,FILE_SHARE_READ,NULL,OPEN_EXISTING,0,NULL);

if (hFile != INVALID_HANDLE_VALUE)
{
    // First argument is the handle; the three FILETIME structures are filled in UTC
    GetFileTime(hFile,&ftCreationTime,&ftLastAccessTime,&ftLastWriteTime);

    CloseHandle(hFile);
}


BTW, here's an example on how to do that in C#: http://www.csharp-examples.net/file-creation-modification-time/
VMthinker

ASKER

Thanks for the reply and information, but do you know which tool in The Sleuth Kit for Windows utilizes the MACtimes function besides fls and ils? I don't think that the above commands suit the solution, as I need to analyze all the files within the C drive rather than just one file.

Is there any other way that I can simply analyze all files within a drive and get the MACtimes for all the files?

Thanks again!
Well, if you need to check multiple files, see http://msdn.microsoft.com/en-us/library/aa365200%28VS.85%29.aspx ("Listing the Files in a Directory") which will allow you to do that.
Thanks for your reply, but the code above doesn't seem to grep all files within the C:\ drive, only its first sub-level. If possible, is there any code which could be used to create a timeline of files?
Thanks.
ASKER CERTIFIED SOLUTION
jkr
Thanks for your prompt reply; just to check, the code above is C#, right? It looks like C++ to me instead...
It is C, but you can find a C# equivalent here: http://www.pinvoke.net/default.aspx/kernel32.findfirstfile
Hi, thanks for your reply. It would really help if you could post similar C# code instead, as I have no idea about other programming languages except C#. Sorry for the trouble.
Well, the C# equivalents are on the pages I linked...
Thanks for the help.
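The whole-drive walk the thread ends on, as an added C# example that is not code from either participant, from The Sleuth Kit, or from the linked pages: it reads each file's creation, last-access and last-write times through .NET's FileInfo and prints them in the TSK 3.x body-file layout that mactime reads, skipping directories it cannot open instead of aborting. Columns Windows has no .NET equivalent for (inode, mode, UID, GID, ctime, and the optional MD5) are written as 0 by assumption.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: walk a directory tree, read MAC times via .NET, and emit one
// TSK body-file line per file (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).
class MacTimeWalker
{
    // mactime expects Unix epoch seconds; .NET hands us UTC DateTime values.
    static long ToUnix(DateTime utc) =>
        (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;

    // Depth-first walk from 'root'. Directory.GetFiles(root, "*", AllDirectories) gives up
    // on the first access-denied folder, so recurse by hand and skip what cannot be read
    // (System Volume Information, other users' profiles, locked directories).
    static IEnumerable<FileInfo> Walk(string root)
    {
        var pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            FileSystemInfo[] entries;
            try { entries = new DirectoryInfo(pending.Pop()).GetFileSystemInfos(); }
            catch (UnauthorizedAccessException) { continue; }
            catch (IOException) { continue; }   // directory vanished or device error
            foreach (FileSystemInfo e in entries)
            {
                if (e is FileInfo f)
                    yield return f;
                // Skip junctions and symlinks (e.g. "Documents and Settings" -> Users)
                // so the walk neither loops nor lists the same files twice.
                else if ((e.Attributes & FileAttributes.ReparsePoint) == 0)
                    pending.Push(e.FullName);
            }
        }
    }

    // Assumption: Windows exposes no POSIX ctime, inode, mode, UID or GID through .NET,
    // so those columns (and the optional MD5) are written as 0.
    static string BodyLine(FileInfo fi) =>
        $"0|{fi.FullName}|0|0|0|0|{fi.Length}|{ToUnix(fi.LastAccessTimeUtc)}|" +
        $"{ToUnix(fi.LastWriteTimeUtc)}|0|{ToUnix(fi.CreationTimeUtc)}";

    static void Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : @"C:\";
        foreach (FileInfo fi in Walk(root))
            Console.WriteLine(BodyLine(fi));
    }
}
```

Redirect the output to a file and run mactime -b on it to get the sorted timeline; last-access times are only meaningful if the volume has not disabled access-time updates.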