orlikoski / CDQR

The Cold Disk Quick Response (CDQR) tool is a fast and easy to use forensic artifact parsing tool that works on disk images, mounted drives and extracted artifacts from Windows, Linux, MacOS, and Android devices
GNU General Public License v3.0

Ran and Completed, but unable to open 2GB .csv file #3

Closed DFIR-Zach closed 8 years ago

DFIR-Zach commented 8 years ago

The process completed, but the 2GB SUPERTimeline .csv file will not display any data...Am I doing something wrong?

DFIR-Zach commented 8 years ago

So I'm guessing I cannot open the file because it is too large... Do you know of an easy way to reduce the supertimeline it creates and only have a csv that contains a certain date range? The 2GB csv timeline it creates cannot be opened, and when I went to import the data into the SANS Color Timeline (https://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files), I was only able to copy in a portion of the data because it is so huge.

Also, random question about the date ranges in the timeline output...Why am I seeing years prior to 1970, such as 1906, 1601, 1831, and 1830?

orlikoski commented 8 years ago

The purpose of the Reports folder was to help break the file up into smaller chunks. Have you checked the reports found in the Reports folder?

I would recommend using grep to isolate date ranges out of the SuperTimeLine.

There are many reasons that those dates could show up, and they are too varied and situation specific to be able to give an accurate answer. That said, start by identifying what parser provided that data and research what the date and time fields mean for that entry.


DFIR-Zach commented 8 years ago

The reports folder is good if you know exactly what you are looking for, but seeing the context around the particular times is much easier done when all the information is in one file.

orlikoski commented 8 years ago

One way to make it easier to find the things you're looking for is to sort on column P, "format", in either the SuperTimeLine or the Reports. This gives you the ability to sort by parser name and should greatly speed up your ability to find what you're looking for.
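The two pieces of advice in this thread (grep out a date range, and work by parser via column P, "format") can be scripted so the 2GB file is streamed row by row and never opened whole. The following is an added example, not CDQR's own code; it assumes the l2tcsv column layout that log2timeline writes (date cell as MM/DD/YYYY, 16th column named "format") and runs on a constructed sample rather than real case data.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime

# Assumed l2tcsv conventions: date column is MM/DD/YYYY, column P (16th, "format") is the parser.
DATE_FMT = "%m/%d/%Y"

def parse_date(value):
    """Return a date for an l2tcsv date cell, or None if the cell does not parse."""
    try:
        return datetime.strptime(value, DATE_FMT).date()
    except ValueError:
        return None

def filter_timeline(infile, outfile, start, end, formats=None):
    """Stream the supertimeline one row at a time (the whole file is never in memory),
    writing only rows with start <= date <= end and, if formats is given, only those parsers.
    Returns a Counter of parser name -> rows written."""
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    kept = Counter()
    for row in reader:
        d = parse_date(row["date"])
        if d is None or not (start <= d <= end):
            continue
        if formats is not None and row["format"] not in formats:
            continue
        writer.writerow(row)
        kept[row["format"]] += 1
    return kept

def date_span_by_parser(infile):
    """Earliest and latest date seen per parser: shows which parser is producing
    the pre-1970 entries, so its timestamp fields can be looked up."""
    span = {}
    for row in csv.DictReader(infile):
        d = parse_date(row["date"])
        if d is None:
            continue
        lo, hi = span.get(row["format"], (d, d))
        span[row["format"]] = (min(lo, d), max(hi, d))
    return span

# Constructed sample in l2tcsv layout (not real case data); most columns are placeholders.
SAMPLE = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
01/01/1601,00:00:00,UTC,...B,FILE,NTFS,Creation Time,-,HOST,zero timestamp,,2,$MFT,0,-,filestat,-
04/22/2016,13:44:00,UTC,M...,EVT,WinEVTX,Content Modification Time,-,HOST,logon,,2,Security.evtx,-,-,winevtx,-
04/23/2016,09:10:00,UTC,...B,FILE,NTFS,Creation Time,-,HOST,new file,,2,a.exe,77,-,filestat,-
05/01/2016,11:00:00,UTC,.A..,WEBHIST,Chrome,Last Visited,-,HOST,visit,,2,History,-,-,chrome_history,-
"""

if __name__ == "__main__":
    out = io.StringIO()
    print(filter_timeline(io.StringIO(SAMPLE), out, date(2016, 4, 22), date(2016, 4, 30)))
    print(date_span_by_parser(io.StringIO(SAMPLE)))
```

For a real SuperTimeLine, open the input and output with `open(path, newline="")` instead of `io.StringIO`; the functions are unchanged.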