This tool (download) parses the timeline of filesystem activity created by mactime and adds human-readable descriptions to it (for example: this file has been created). It also understands that a later change of a MAC tag hides earlier changes of the same tag.
When the output of mactime says:
Wed Jun 15 2005 17:21:24 1024 m.c d/drwxr-xr-x root root 293340 /lib/tls/i686
herodot will say:
Wed Jun 15 2005 17:21:24 1024 m.c d/drwxr-xr-x root root 293340 /lib/tls/i686 (m.c) (subdirectory or file created in this directory)
This is because herodot knows that a change of the m and c time tags of a directory without a change of its a time means that a subdirectory or file has been created in this directory.
When the output of mactime says:
Mon Nov 07 2005 21:11:18 5 m.c -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt
Mon Nov 07 2005 21:11:20 5 .a. -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt
herodot will say:
Mon Nov 07 2005 21:11:20 5 .a. -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt (.a.) (reading from this file)
Mon Nov 07 2005 21:11:18 5 m.c -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt (m?c) (this file created) (writing to this file)
As you can see, the lines in herodot's output are in the opposite order: the newest events come first. That is not such an important side effect. The important thing is that if the a tag was changed at some moment, we cannot be sure whether it was changed before that moment, so in every older event of that file the a tag will be marked as ? (question mark).
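The masking and annotation described above, as an added Python sketch that is not herodot's own code. It covers only the three tag cases shown on this page; the names annotate, RULES, DIR_SAMPLE and FILE_SAMPLE are hypothetical, and it assumes every mactime line carries its full date and a three-letter tag, as in the samples here.

```python
# Added illustration, not herodot's source. Input lines are the mactime
# samples quoted on this page; every line must carry its full date.
LETTERS = "mac"

# Descriptions for the three (kind, displayed tag) cases the page shows.
RULES = {
    ("dir", "m.c"): ["subdirectory or file created in this directory"],
    ("file", ".a."): ["reading from this file"],
    ("file", "m?c"): ["this file created", "writing to this file"],
}

DIR_SAMPLE = [
    "Wed Jun 15 2005 17:21:24 1024 m.c d/drwxr-xr-x root root 293340 /lib/tls/i686",
]
FILE_SAMPLE = [
    "Mon Nov 07 2005 21:11:18 5 m.c -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt",
    "Mon Nov 07 2005 21:11:20 5 .a. -/-rw-r--r-- 0 0 15 katalog/dir_1/dir_1_1/fil_2.txt",
]

def annotate(mactime_lines):
    """Return annotated lines, newest event first."""
    changed_later = {}  # path -> tag letters set by events newer than this one
    out = []
    for line in reversed(mactime_lines):
        line = line.rstrip()
        # 5 date tokens, size, tag, mode, uid, gid, inode, then the path
        fields = line.split(None, 11)
        if len(fields) < 12 or len(fields[6]) != len(LETTERS):
            out.append(line)  # not a line this sketch understands; pass through
            continue
        tag, mode, path = fields[6], fields[7], fields[11]
        newer = changed_later.setdefault(path, set())
        # A tag overwritten by a newer event is unknown at this older moment.
        shown = "".join("?" if LETTERS[i] in newer else ch
                        for i, ch in enumerate(tag))
        newer.update(ch for ch in tag if ch in LETTERS)
        kind = "dir" if mode.startswith("d/") else "file"
        notes = "".join(" (%s)" % d for d in RULES.get((kind, shown), []))
        out.append("%s (%s)%s" % (line, shown, notes))
    return out

if __name__ == "__main__":
    print("\n".join(annotate(DIR_SAMPLE) + annotate(FILE_SAMPLE)))
```

Tag combinations outside these three cases are printed with the masked tag but no description, because the page does not say how herodot describes them.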
Questions, comments: contact me