source: releases/1.0.0/bin/reglookup-timeline @ 289

Last change on this file since 289 was 170, checked in by tim, 15 years ago

merged Tobias Mueller's patch with some changes
updated version number

  • Property svn:executable set to *
  • Property svn:keywords set to Id
File size: 1.4 KB
Line 
1#!/bin/sh
2
3# This script is a wrapper for reglookup, and reads one or more registry
4# files to produce an MTIME sorted output.  This is helpful when building
5# timelines for investigations.
6#
7# Copyright (C) 2005-2007,2010 Timothy D. Morgan
8#
9# This program is free software; you can redistribute it and/or modify
10# it under the terms of the GNU General Public License as published by
11# the Free Software Foundation; version 2 of the License.
12#
13# This program is distributed in the hope that it will be useful,
14# but WITHOUT ANY WARRANTY; without even the implied warranty of
15# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16# GNU General Public License for more details.
17#
18# You should have received a copy of the GNU General Public License
19# along with this program; if not, write to the Free Software
20# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. 
21#
22# $Id: reglookup-timeline 170 2010-03-06 04:40:25Z tim $
23
24
25usage()
26{
27  echo "Usage: $0 [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]" 1>&2
28  echo "   -H  Omit header line" 1>&2
29  echo "   -V  Include values with parent timestamps" 1>&2
30}
31
32if [ $# -eq 0 ]; then
33  usage
34  echo "ERROR: requires at least one parameter" 1>&2
35  exit 1
36fi
37
38PRINT_HEADER=true
39if [ "$1" = "-H" ]; then
40  PRINT_HEADER=false
41  shift
42fi
43
44OPTS='-t KEY'
45if [ "$1" = "-V" ]; then
46  OPTS='-i'
47  shift
48fi
49
50if [ "$PRINT_HEADER" = "true" ]; then
51  echo "MTIME,FILE,PATH"
52fi
53
54for F in $@; do
55  reglookup $OPTS -H "$F" | awk -F',' '{ printf "%s,'"$F"',%s\n",$4,$1; }'
56done | sort
Note: See TracBrowser for help on using the repository browser.