source: trunk/doc/reglookup-timeline.1.docbook @ 235

Last change on this file since 235 was 119, checked in by tim, 16 years ago

adding reglookup-recover man page

  • Property svn:keywords set to Id
File size: 4.0 KB
<?xml version="1.0" encoding="UTF-8"?>
<refentry id='reglookup-timeline.1'>
  <!--  $Id: reglookup-timeline.1.docbook 119 2008-08-09 05:55:45Z tim $ -->
  <refmeta>
    <refentrytitle>reglookup-timeline</refentrytitle>
    <manvolnum>1</manvolnum>
    <refmiscinfo class="sectdesc">File Conversion Utilities</refmiscinfo>
  </refmeta>
  <refnamediv id='name'>
    <refname>reglookup-timeline</refname>
    <refpurpose>Windows NT+ registry MTIME timeline generator</refpurpose>
  </refnamediv>

  <refsect1 id='synopsis'>
    <title>SYNOPSIS</title>
    <para>
      <command>
        reglookup-timeline [<replaceable>-H</replaceable>]
                           <replaceable>registry-file</replaceable>
                           [<replaceable>registry-file</replaceable> ...]
      </command>
    </para>
  </refsect1>

  <refsect1 id='description'>
    <title>DESCRIPTION</title>
    <para>
      This script is a wrapper for <command>reglookup(1)</command>, and reads
      one or more registry files to produce an MTIME-sorted output.  This is
      helpful when building timelines for forensic investigations.
    </para>
  </refsect1>

  <refsect1 id='parameters'>
    <title>PARAMETERS</title>
    <para>
      <command>reglookup-timeline</command> accepts one or more registry file
      names.  All of the provided registries will be parsed using
      <command>reglookup(1)</command>.  The <command>-H</command> option may be
      used to omit the header line.
    </para>
  </refsect1>

  <refsect1 id='output'>
    <title>OUTPUT</title>
    <para>
      <command>reglookup-timeline</command> generates a comma-separated
      values (CSV) compatible format to stdout.  While the output of
      <command>reglookup-timeline</command> and <command>reglookup(1)</command>
      differ in the columns returned, the base format is the same.
    </para>
    <para>
      Currently, <command>reglookup-timeline</command> returns three columns:
      MTIME, FILE, and PATH.  Only rows representing registry keys are returned,
      since MTIMEs are not stored for values.  The FILE column indicates which
      registry file (provided as an argument) the key came from.  Finally, the
      PATH field contains the full registry path to the key.  Records are
      returned sorted in ascending order based on the MTIME column.
    </para>
  </refsect1>

  <refsect1 id='bugs'>
    <title>BUGS</title>
    <para>
      This script is new, and as such its interface may change significantly
      over the next few revisions.  In particular, additional command line
      options will likely be added, and the output of the script may be altered
      in minor ways.
    </para>
    <para>
      It is very difficult to find documentation on what precise operations
      cause the MTIMEs to be updated.  Basic experimentation indicates that
      a key's stamp is updated any time an immediate sub-value or sub-key is
      created, renamed, deleted, or its value is modified.  If this MTIME
      data is critical to an investigation, any conclusions should be
      validated through experimentation in a controlled lab environment.
    </para>
    <para>
      This software should be considered unstable at this time.
    </para>
  </refsect1>

  <refsect1 id='credits'>
    <title>CREDITS</title>
    <para>
      This script was written by Timothy D. Morgan based on suggestions
      from Uwe Danz.
    </para>
    <para>
      Please see source code for a full list of copyrights.
    </para>
  </refsect1>

  <refsect1 id='license'>
    <title>LICENSE</title>
    <para>
      Please see the file "LICENSE" included with this software
      distribution.
    </para>
    <para>
      This program is distributed in the hope that it will be useful,
      but WITHOUT ANY WARRANTY; without even the implied warranty of
      MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
      GNU General Public License version 3 for more details.
    </para>
  </refsect1>

  <refsect1 id='seealso'>
    <title>SEE ALSO</title>
    <para>
      reglookup(1) reglookup-recover(1)
    </para>
  </refsect1>
</refentry>
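As an added illustration (not the project's own script) of the merge that the DESCRIPTION and OUTPUT sections describe, the Python below reduces per-hive reglookup(1) output to the MTIME, FILE and PATH columns and sorts the rows ascending by MTIME, with an omit-header switch standing in for -H. It assumes reglookup(1) emits PATH,TYPE,VALUE,MTIME rows with TYPE "KEY" for keys and MTIME as "YYYY-MM-DD HH:MM:SS"; the sample records are constructed.

```python
import csv
import io
from typing import Dict, List, Tuple

# Constructed sample input: what reglookup(1) is ASSUMED to emit for two hives,
# one CSV block per file, with PATH,TYPE,VALUE,MTIME columns and an MTIME only
# on KEY rows. Made-up records, not output from a real hive.
SAMPLE_REGLOOKUP_OUTPUT: Dict[str, str] = {
    "system": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/ControlSet001,KEY,,2008-03-02 10:15:00\n"
        "/ControlSet001/Services,KEY,,2008-03-05 08:01:12\n"
        "/ControlSet001/Services/Tcpip,KEY,,2008-02-28 23:59:59\n"
        "/ControlSet001/Services/Tcpip/Start,DWORD,0x00000001,\n"
    ),
    "software": (
        "PATH,TYPE,VALUE,MTIME\n"
        "/Microsoft,KEY,,2008-03-01 12:00:00\n"
        "/Microsoft/Windows/CurrentVersion/Run,KEY,,2008-03-05 08:01:12\n"
        "/Microsoft/Windows/CurrentVersion/Run/Updater,SZ,updater.exe,\n"
    ),
}

def key_rows(filename: str, reglookup_csv: str) -> List[Tuple[str, str, str]]:
    """Reduce one hive's reglookup output to (MTIME, FILE, PATH) for KEY rows."""
    rows = []
    for rec in csv.DictReader(io.StringIO(reglookup_csv)):
        if rec["TYPE"] != "KEY":   # value rows carry no MTIME, so drop them
            continue
        rows.append((rec["MTIME"], filename, rec["PATH"]))
    return rows

def build_timeline(outputs: Dict[str, str], omit_header: bool = False) -> str:
    """Merge every hive into one CSV timeline sorted ascending by MTIME."""
    merged = []
    for filename, text in outputs.items():
        merged.extend(key_rows(filename, text))
    # MTIME is assumed to be 'YYYY-MM-DD HH:MM:SS', which orders correctly as
    # text; list.sort is stable, so equal MTIMEs keep the file-argument order.
    merged.sort(key=lambda row: row[0])
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    if not omit_header:            # mirrors the -H switch of the real tool
        writer.writerow(["MTIME", "FILE", "PATH"])
    writer.writerows(merged)
    return buf.getvalue()

if __name__ == "__main__":
    print(build_timeline(SAMPLE_REGLOOKUP_OUTPUT), end="")
```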