Mac OS X Time Machine Parser
The purpose of this script is to assist the examiner in visualizing the paths of relevant target files within a Mac OS X Time Machine volume.
Before running the script the examiner must first blue-check the files in the volume that are of interest. It is advisable to tag those files first so as to avoid losing the selection by inadvertently switching views.
When the script runs it will write the selected files into a nominated logical evidence file (LEF) using the same paths as would be observed were the Time Machine volume to be viewed under Mac OS X. The examiner has the option of filtering the output, so, for instance, it's possible to select all of the pictures within the Time Machine volume but only write those pictures to the LEF if they contain the string '\Users\' somewhere in their path.
Only one Time Machine volume can be processed at a time. If the examiner selects files from more than one volume the script will raise an error. Every file of interest must be selected even if it is a hard-linked duplicate: the script won't find duplicates automatically - it would take too long.
It's important to bear in mind that re-creating the structure of a Time Machine backup can be time consuming and take a substantial amount of disk-space. Not only that, but because many files will exist in more than one backup, the resultant LEF will usually contain far more files than were actually selected by the examiner. This notwithstanding, the use of hash-values within the internal LEF structure will ensure that only one copy of a duplicate file is actually stored.
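The behaviour described above (one volume at a time, an optional path-substring filter, every selected path written out, but each distinct content stored only once by hash) can be modelled as follows. This is an added illustration, not the EnScript itself; the volume name, backup paths (written with Mac OS X forward slashes) and file contents are constructed.

```python
from dataclasses import dataclass, field
from hashlib import sha256


@dataclass(frozen=True)
class SelectedFile:
    """A blue-checked file as the examiner's selection presents it (constructed model)."""
    volume: str   # evidence volume the file was selected from
    path: str     # path as it would appear under Mac OS X
    data: bytes   # file content (embedded sample bytes)


@dataclass
class LogicalEvidenceFile:
    """Model of a LEF: every path is recorded, but content is kept once per hash."""
    entries: dict = field(default_factory=dict)  # path -> content hash
    blobs: dict = field(default_factory=dict)    # content hash -> bytes


def build_lef(selection, path_filter=None):
    """Write the selection into a LEF model, mirroring the script's rules."""
    volumes = {f.volume for f in selection}
    if len(volumes) != 1:
        raise ValueError(f"expected files from one Time Machine volume, got {len(volumes)}")
    lef = LogicalEvidenceFile()
    for f in selection:
        # Optional filter: keep only paths containing the given substring.
        if path_filter is not None and path_filter not in f.path:
            continue
        digest = sha256(f.data).hexdigest()
        lef.entries[f.path] = digest          # each backup's path is listed
        lef.blobs.setdefault(digest, f.data)  # duplicate content stored once
    return lef


def sample_selection():
    """Constructed selection: the same photo present in two backups, plus a system file."""
    photo = b"\xff\xd8\xff\xe0 constructed JPEG bytes"
    base = "Backups.backupdb/imac/{}/Macintosh HD/"
    return [
        SelectedFile("TimeMachine HD", base.format("2014-03-01-120000") + "Users/alice/Pictures/IMG_0001.jpg", photo),
        SelectedFile("TimeMachine HD", base.format("2014-03-02-120000") + "Users/alice/Pictures/IMG_0001.jpg", photo),
        SelectedFile("TimeMachine HD", base.format("2014-03-02-120000") + "Library/Desktop Pictures/Wave.jpg", b"other"),
    ]


if __name__ == "__main__":
    lef = build_lef(sample_selection(), path_filter="/Users/")
    print(f"{len(lef.entries)} paths written, {len(lef.blobs)} unique file(s) stored")
```

Run with the "/Users/" filter, the two backup copies of the photo both appear as paths in the LEF while only one copy of the content is stored, and the Library file is excluded.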
This script was developed for use in EnCase training.