herodot 1.0

herodot is a tool that parses the timeline of filesystem activity created by mactime and adds human readable descriptions to it (e.g.: this file has been created). It also understands that later changes of some MAC tags hide earlier changes.

Usage:

Use this tool like that:

$ ./herodot < timeline.txt > interpreted_timeline.txt

Examples:

When the output of mactime says:

Wed Jun 15 2005 17:21:24 1024 m.c d/drwxr-xr-x root root 293340 /lib/tls/i686
herodot will say:

Wed Jun 15 2005 17:21:24 1024 m.c d/drwxr-xr-x root root 293340 /lib/tls/i686 (m.c) (subdirectory or file created in this directory)

It is because herodot knows that changing of m and c time tags of some directory without changing its a time means that some subdirectory or file has been created in this directory.

When the output of mactime says:

Mon Nov 07 2005 21:11:18 5 m.c -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt
Mon Nov 07 2005 21:11:20 5 .a. -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt
herodot will say:

Mon Nov 07 2005 21:11:20 5 .a. -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt (.a.) (reading from this file)
Mon Nov 07 2005 21:11:18 5 m.c -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt (m?c) (this file created) (writing to this file)

As you can see, the lines in herodot's output are in oposite order the newest events come the first. Ok, that's not so much important side effect. Th important thing is that if the a tag was changed in some moment, we can not be sure if it was changed or not before that moment so in every older event of that file the tag a will be marked as ? (quotation mark).

Product's homepage