tsk_gettimes numbers, what do they mean?

europa · February 13, 2020, 7:05pm

Im working with the tsk_gettimes: TSK_GETTIMES(1) manual page

When I run the program I get a bunch of diffrent numbers, but what are the numbers? And why are there to entries, one with ($FILE_NAME) in it?

tsk_gettimes -m pc.001 > C:\Users\user\Documents\meta_data.txt

ceb929b86bfc92fe24d40d3637636a97|vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg ($FILE_NAME)|96890-48-5|r/rrwxrwxrwx|0|0|190|1580064246|1580064246|1580064246|1580064246

ceb929b86bfc92fe24d40d3637636a97|vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg|96890-128-4|r/rrwxrwxrwx|0|0|58087|1580064279|1580064246|1580064247|1580064246

I guess that this is what it is so far:

ceb929b86bfc92fe24d40d3637636a97 = md5 sum of content of file
vol3/Users/sofia/Pictures/10-lazy-and-lecherous-last-minute-halloween-costumes.w654.jpeg = volume, path, file name
96890-48-5= inode
r/rrwxrwxrwx = permissions
0 = ?
0 = ?
58087 = ?
1580064279 = Created ?
1580064246 = Modified?
1580064247= ?
1580064246 = ?

apriestman · February 13, 2020, 7:13pm

From fs_name.c:

0 = uid
0 = gid
58087 = size
1580064279 = atime
1580064246 = mtime
1580064247= ctime
1580064246 = crtime

The FILE_NAME part I assume means it’s an NTFS file name attribute.
https://flatcap.org/linux-ntfs/ntfs/attributes/file_name.html

Topic		Replies	Views
Orignal Filename Autopsy Help	4	1906	April 13, 2021
Section 6 - Hash Lookup Lab Autopsy Help	7	622	June 10, 2020
Section 10 LAb Question 4 Online Training	2	728	April 13, 2020
Section 6 Lab Quiz Online Training	21	2940	May 8, 2020
String search with an NTFS partition The Sleuth Kit Help	2	1342	November 30, 2019

tsk_gettimes numbers, what do they mean?

Related Topics