RVT tools: plot_time.pl, plotting your timelines
RVT comes with a bunch of useful tools, not totally related with the forensic framewok, but too little to be published for themselves.
plot_time.pl, located under the RVT/tools folder of the RVT’s svn repository (check it out), it’s a Perl script that plots bar graphs out of files in which each line contains values, being one of them time. It will be handful to represent values on time, or to count the numbers of lines by period of time. This script needs gnuplot 4.2 or greater on your path. Moreover, it uses the powerful Perl module Date::Manip to parse almost every known date format, and can be installed easily from CPAN or APT (apt-get installlibdate-manip-perl).
plot_time.pl works in two modes: representing values as a function of time (mode 1) and representing count of lines as a function of periods of time (integrates the appearance of values over every period defined).
Mode 1. Let’s be itimeline-02.csv a timeline generated with RVT, and let’s imagine that we want to represent graphically the size of the files, as a function of time, on July 5th 2008. We execute the following command:
perl plot_time.pl -interval=’20080705 + 1 day’ -tf 1 -vf 2 itimeline-02.csv
Where ‘tf’ option marks that the first field is the ‘time field’, and ‘vf’ option establishes that the value to be plotted is the second (file size). The following graph is generated:
plot_time.pl generated graph in Mode 1
Mode 2. This mode is activated with the ‘-sum’ option, and the period is established with ‘-period’ option, with anything that Date::Manip can understand (‘day’, ‘hour’, …). So, executing the following command on the same data:
perl plot_time.pl -interval=’20080705 + 1 day’ -tf 1 -sum -period=’hour’ itimeline-02.csv
generates the following graph:
plot_time.pl generated graph in Mode 2
Also:
- you can pipe your filtered timelines into plot_time.pl ( f.ex.: grep -i ‘myfile.png’ itimeline-02.csv | perl plot_time.pl … )
- plot_time.pl skips comment lines, and also it can skip a number of lines with ‘-skiplines’ option
- plot_time.pl will ignore lines that match a regular expression when option ‘-excluderegexpr’ is used
- see plot_time.pl –help for more info
We are now planning some new features on plot_time.pl, so stay tunned!
