tsk_gettimes numbers, what do they mean?

europa · February 13, 2020, 7:05pm

Im working with the tsk_gettimes: TSK_GETTIMES(1) manual page

When I run the program I get a bunch of diffrent numbers, but what are the numbers? And why are there to entries, one with ($FILE_NAME) in it?

tsk_gettimes -m pc.001 > C:\Users\user\Documents\meta_data.txt

ceb929b86bfc92fe24d40d3637636a97|vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg ($FILE_NAME)|96890-48-5|r/rrwxrwxrwx|0|0|190|1580064246|1580064246|1580064246|1580064246

ceb929b86bfc92fe24d40d3637636a97|vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg|96890-128-4|r/rrwxrwxrwx|0|0|58087|1580064279|1580064246|1580064247|1580064246

I guess that this is what it is so far:

ceb929b86bfc92fe24d40d3637636a97 = md5 sum of content of file
vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg = volume, path, file name
96890-48-5= inode
r/rrwxrwxrwx = permissions
0 = ?
0 = ?
58087 = ?
1580064279 = Created ?
1580064246 = Modified?
1580064247= ?
1580064246 = ?

apriestman · February 13, 2020, 7:13pm

From fs_name.c:

0 = uid
0 = gid
58087 = size
1580064279 = atime
1580064246 = mtime
1580064247= ctime
1580064246 = crtime

The FILE_NAME part I assume means it’s an NTFS file name attribute.
https://flatcap.org/linux-ntfs/ntfs/attributes/file_name.html

Topic		Replies	Views
Is it possible to get file information with Sleuth Kit? The Sleuth Kit Help	2	1063	February 11, 2020
Beginner's question: Checking for a manipulated time stamp in a file The Sleuth Kit Help	0	493	March 14, 2022
Is it possible to get Folder created datetime with Sleuth Kit? The Sleuth Kit Help	2	807	February 17, 2020
Decipher "date_added" numbers when Autopsy does not? Autopsy Help	2	443	November 19, 2021
Sleuth Kit to make md5 of all files in a partition The Sleuth Kit Help	2	1014	December 4, 2020

tsk_gettimes numbers, what do they mean?

Related topics