l2t_csv: output in second precision? #1929

Closed
MariasStory opened this issue Jun 7, 2018 · 4 comments
MariasStory commented Jun 7, 2018

Description of problem:

I don't see microseconds in MFT data while doing psort of plaso file to csv.

Command line and arguments:

psort.py -w output.csv input.plaso

Source data:

From MFT export:
/thumbcache_sr.db","2013-04-30 17:31:06.640667","2013-04-30 17:31:06.640667" ...

In csv file:
04/30/2013,17:31:06,UTC,MACB,FILE,NTFS Content Modification Time,Content Modification Time; Creation Time; Last Access Time; Metadata Modification Time,- /thumbcache_sr.db

Plaso version:

20180528

Operating system Plaso is running on:

linux

Installation method:

  • installed from [l2tbinaries](https://github.com/log2timeline/l2tbinaries) master branch

MariasStory changed the title from "psort to CSV output missing milliseconds." to "psort to CSV output missing microseconds." Jun 7, 2018

Onager (Contributor) commented Jun 8, 2018

The dynamic output format, which is the default CSV output format you're referring to here, outputs time according to ISO8601, which doesn't support microseconds directly. It does support fractional time values, which we could use to represent values more precise than a second, but this requires some work in dfdatetime.

If you need sub-second precision, you can try the json output modules, which have the date in Plaso's internal representation of microseconds since the Unix epoch, or xlsx, which uses the native Excel format.

Onager added the output (Output modules and output process) label Jun 8, 2018
Onager self-assigned this Jun 8, 2018
Onager added the question label Jun 8, 2018
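
The workaround described in the comment above, as an added example that is not part of the original thread and is not Plaso code: it reads JSON lines carrying a timestamp in microseconds since the Unix epoch and writes date and time columns in the `MM/DD/YYYY,HH:MM:SS` layout shown in the report, keeping the fraction. The field names `timestamp` and `message` and the sample records are assumptions constructed for the illustration.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample input: two events inside the same second plus one
# pre-epoch value. Field names are assumptions, not a documented schema.
SAMPLE_JSONL = """\
{"timestamp": 1367343066640667, "message": "/thumbcache_sr.db created"}
{"timestamp": 1367343066120003, "message": "constructed earlier event"}
{"timestamp": -1, "message": "constructed pre-epoch event"}
"""


def from_micros(micros):
    """Convert integer microseconds since the epoch to an aware UTC datetime.

    timedelta arithmetic stays in integers, so there is no float rounding
    and negative (pre-1970) values behave the same on every platform.
    """
    return EPOCH + timedelta(microseconds=micros)


def l2t_columns(micros, keep_fraction=True):
    """Return (date, time) as MM/DD/YYYY and HH:MM:SS[.ffffff] strings."""
    moment = from_micros(micros)
    time_format = '%H:%M:%S.%f' if keep_fraction else '%H:%M:%S'
    return moment.strftime('%m/%d/%Y'), moment.strftime(time_format)


def to_csv(jsonl, keep_fraction=True):
    """Sort events on the full-precision timestamp and emit CSV rows."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    events.sort(key=lambda event: event['timestamp'])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator='\n')
    for event in events:
        date, time = l2t_columns(event['timestamp'], keep_fraction)
        writer.writerow([date, time, 'UTC', event['message']])
    return out.getvalue()


if __name__ == '__main__':
    print(to_csv(SAMPLE_JSONL))
```

With `keep_fraction=False` the two 17:31:06 events get identical time columns, so their relative order can no longer be recovered from the CSV alone.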

MariasStory (Author) commented Jun 9, 2018

Hi @Onager,
If I am right, the time format is defined in the file l2t_csv.py in line 163:

    time_string = '{0:02d}:{1:02d}:{2:02d}'.format(
        date_use.hour, date_use.minute, date_use.second)

There should be microseconds somewhere.

I guess this will work:

    time_string = '{0:02d}:{1:02d}:{2:02d}.{3:06d}'.format(
        date_use.hour, date_use.minute, date_use.second, date_use.micro_seconds)

Please check it.

MariasStory (Author) commented

Hi, I did some tests and the simple modification of the format string did not work for me.
Does someone else have an idea?

joachimmetz (Member) commented

Duplicate of #2132

joachimmetz marked this as a duplicate of #2132 Jun 10, 2020
joachimmetz added the duplicate (Duplicate of another issue) label Jun 10, 2020
joachimmetz changed the title from "psort to CSV output missing microseconds." to "l2t_csv: output in second precision?" Feb 6, 2021