Are there any Sleuth Kit tools to get a folder's created datetime based on its path + name or inode?
Have you looked at istat? Pass the meta-data entry (MFT entry, inode, etc.) to istat and it returns information including times. Here’s an example using MFT entry 65 (a user’s home directory) on an NTFS file system:
$ istat -o 2048 NTFS_Pract_2017.raw 65
MFT Entry Header Values:
Entry: 65 Sequence: 1
$LogFile Sequence Number: 0
Allocated Directory
Links: 1
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 0 ()
Created: 2017-05-01 08:57:25.502897800 (EDT)
File Modified: 2017-05-01 09:12:47.963572700 (EDT)
MFT Modified: 2017-05-01 09:12:47.963572700 (EDT)
Accessed: 2017-05-01 09:18:32.678650900 (EDT)
$FILE_NAME Attribute Values:
Flags: Directory, Archive
Name: AlbertE
Parent MFT Entry: 64 Sequence: 1
Allocated Size: 0 Actual Size: 0
Created: 2017-05-01 08:57:25.502897800 (EDT)
File Modified: 2017-05-01 08:57:25.502897800 (EDT)
MFT Modified: 2017-05-01 08:57:25.502897800 (EDT)
Accessed: 2017-05-01 08:57:25.502897800 (EDT)
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
Type: $FILE_NAME (48-3) Name: N/A Resident size: 80
Type: $SECURITY_DESCRIPTOR (80-1) Name: N/A Resident size: 80
Type: $INDEX_ROOT (144-2) Name: $I30 Resident size: 56
Type: $INDEX_ALLOCATION (160-5) Name: $I30 Non-Resident size: 4096 init_size: 4096
108613
Type: $BITMAP (176-4) Name: $I30 Resident size: 8
Hope this helps.
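An added example, not part of the original thread: a small shell helper that pulls only the Created lines out of NTFS istat output, labelled by the attribute section they came from, since istat prints one under both $STANDARD_INFORMATION and $FILE_NAME. It also covers the path-based half of the question by resolving the path with The Sleuth Kit's ifind -n first. The function names istat_created, created_by_path and sample_istat are made up for this example, and the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example; sample data below is abbreviated from the output quoted above.

# Read NTFS `istat` output on stdin; print "<SI|FN><TAB><Created timestamp>"
# for every $STANDARD_INFORMATION / $FILE_NAME section it contains.
istat_created() {
    awk '
        /^\$STANDARD_INFORMATION Attribute Values:/ { sec = "SI"; next }
        /^\$FILE_NAME Attribute Values:/            { sec = "FN"; next }
        /^Attributes:/                              { sec = "" }
        sec != "" && /^Created:/ {
            sub(/^Created:[ \t]*/, "")
            print sec "\t" $0
        }
    '
}

# Path-based lookup: `ifind -n` maps a path to its metadata address, which is
# then passed to istat. Arguments: sector offset, image file, path in the image.
created_by_path() {
    addr=$(ifind -o "$1" -n "$3" "$2") || return 1
    case $addr in
        ''|*[!0-9]*) echo "no metadata address for $3" >&2; return 1 ;;
    esac
    istat -o "$1" "$2" "$addr" | istat_created
}

# Abbreviated copy of the istat output in the answer, for offline use.
sample_istat() {
    cat <<'EOF'
MFT Entry Header Values:
Entry: 65 Sequence: 1
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Created: 2017-05-01 08:57:25.502897800 (EDT)
File Modified: 2017-05-01 09:12:47.963572700 (EDT)
$FILE_NAME Attribute Values:
Flags: Directory, Archive
Name: AlbertE
Created: 2017-05-01 08:57:25.502897800 (EDT)
Attributes:
Type: $STANDARD_INFORMATION (16-0) Name: N/A Resident size: 48
EOF
}

# Usage against a real image (needs The Sleuth Kit installed):
#   istat -o 2048 NTFS_Pract_2017.raw 65 | istat_created
#   created_by_path 2048 NTFS_Pract_2017.raw "/path/in/image"   # placeholder path
```

An MFT entry that carries more than one $FILE_NAME attribute produces one FN line per attribute.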
Thanks! Just the answer I was looking for.