NTFS Timestamp Visualizer takes the input from NTFS Timestamp Analyser, which analyses NTFS timestamps and reconstructs the possible histories in terms of operations on files, and creates a tree-based visualization of these histories.
Follow the steps below to install NTFS Timestamp Visualizer:
- Install Python 3.6 or higher
  - On Windows, it's recommended to add Python to your path
- Install Graphviz for your platform
  - On Windows, place the contents of the zip somewhere, and add this location to your path
  - On Linux, use your distribution's package manager to install Graphviz
- OPTIONAL: Create a virtual environment
- Install the packages in `requirements.txt` (`pip install -r requirements.txt` by default)
NTFS Timestamp Visualizer should now be installed.
The default usage format is:

```
python timestamp_visualizer.py sample-input.txt
```

The full usage format is:

```
python timestamp_visualizer.py [-h] [-o OUTPUT] [-f FILTER] [-d DPI] [-s] [-O ORIGIN_STATES] [-F FORGERY_STATES] [-H HORIZONTAL_SEP] [-V VERTICAL_SEP] input
```

Additionally, there are a number of options:
| Option | Form | Description |
|---|---|---|
| Help | `-h`, `--help` | Shows the help menu |
| Output | `-o OUTPUT`, `--output OUTPUT` | Set the output path for the visualisation |
| Filter | `-f FILTER`, `--filter FILTER` | Filter lines based on exact match (only matched results will be included) |
| DPI | `-d DPI`, `--dpi DPI` | Set the output DPI for the image to generate (type: integer) (default: 100) |
| SVG output format | `-s`, `--svg` | Set output to SVG format |
| Origin states file | `-O ORIGIN_STATES`, `--origin-states ORIGIN_STATES` | Set the origin-states configuration file |
| Forgery states file | `-F FORGERY_STATES`, `--forgery-states FORGERY_STATES` | Set the forgery-states configuration file |
| Horizontal separation | `-H HORIZONTAL_SEP`, `--horizontal-sep HORIZONTAL_SEP` | Specify the horizontal separation between columns (type: float) (default: 2.0) |
| Vertical separation | `-V VERTICAL_SEP`, `--vertical-sep VERTICAL_SEP` | Specify the vertical separation between rows (type: float) (default: 0.5) |
Default run:

```
python timestamp_visualizer.py sample-input.txt
```

With filter:

```
python timestamp_visualizer.py -f ".\Folder\test2.odt" sample-input.txt
```

This tool is a part of the following publication:
- Jelle Bouma, Hugo Jonker, Vincent van der Meer, and Eddy Van Den Aker. 2023. Reconstructing Timelines: From NTFS Timestamps to File Histories. In The 18th International Conference on Availability, Reliability and Security (ARES 2023), August 29--September 01, 2023, Benevento, Italy. ACM, New York, NY, USA 9 Pages. https://doi.org/10.1145/3600160.3605027