ConvertTo-ForensicTimeline
NAME ConvertTo-ForensicTimeline
SYNOPSIS
Converts an object to a ForensicTimeline object.
SYNTAX
ConvertTo-ForensicTimeline [-InputObject] <PSObject> [<CommonParameters>]
DESCRIPTION
The ConvertTo-ForensicTimeline cmdlet gets a PowerForensics object and formats it as a common ForensicTimeline object.
You can use this cmdlet to make the output consistent with the output of the Invoke-ForensicTimeline cmdlet.
Except as noted, the cmdlets in the PowerForensics module require the permissions of a member of the
Administrators group on the computer. To run them, start Windows PowerShell with the 'Run as administrator' option.
PARAMETERS
-InputObject <PSObject>
Object to be converted to a ForensicTimeline object.
Required? true
Position? 0
Default value
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
System.Management.Automation.PSObject
OUTPUTS
PowerForensics.Formats.ForensicTimeline
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\>Get-FileRecord 24212 | ConvertTo-ForensicTimeline

Date : 8/22/2013 3:35:48 AM
ActivityType : M...
Source : MFT
SourceType :
User :
FileName : C:\Windows\notepad.exe
Description : [208896] C:\Windows\notepad.exe

Date : 8/22/2013 3:35:49 AM
ActivityType : .A.B
Source : MFT
SourceType :
User :
FileName : C:\Windows\notepad.exe
Description : [208896] C:\Windows\notepad.exe

Date : 9/10/2014 2:45:22 AM
ActivityType : ..C.
Source : MFT
SourceType :
User :
FileName : C:\Windows\notepad.exe
Description : [208896] C:\Windows\notepad.exe

This command uses ConvertTo-ForensicTimeline to convert a FileRecord object to multiple ForensicTimeline objects.
The cmdlet creates a ForensicTimeline object for each unique timestamp.
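The per-timestamp grouping shown in Example 1, as an added PowerShell illustration (not PowerForensics source code): the four MFT timestamps are collapsed into one entry per unique value, and ActivityType marks which of Modified, Accessed, Changed and Born share that value. The record is constructed, and the property names and the ConvertTo-MacbTimeline helper are assumptions made for this example.

```powershell
# Added illustration; not part of the PowerForensics module.
# Constructed sample mirroring Example 1. Property names are assumptions.
$record = [pscustomobject]@{
    FullName     = 'C:\Windows\notepad.exe'
    ModifiedTime = [datetime]'2013-08-22T03:35:48'
    AccessedTime = [datetime]'2013-08-22T03:35:49'
    ChangedTime  = [datetime]'2014-09-10T02:45:22'
    BornTime     = [datetime]'2013-08-22T03:35:49'
}

function ConvertTo-MacbTimeline {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$InputObject
    )
    process {
        # Fixed M, A, C, B order gives each flag its own column in ActivityType.
        $slots = [ordered]@{
            M = $InputObject.ModifiedTime
            A = $InputObject.AccessedTime
            C = $InputObject.ChangedTime
            B = $InputObject.BornTime
        }

        # One output object per unique timestamp, oldest first.
        $slots.Values | Sort-Object -Unique | ForEach-Object {
            $ts = $_
            # Keep the letter where the slot matches this timestamp, '.' otherwise.
            $flags = foreach ($key in $slots.Keys) {
                if ($slots[$key] -eq $ts) { $key } else { '.' }
            }
            [pscustomobject]@{
                Date         = $ts
                ActivityType = -join $flags
                Source       = 'MFT'
                FileName     = $InputObject.FullName
            }
        }
    }
}

$record | ConvertTo-MacbTimeline | Format-Table -AutoSize
```

When reading such a timeline, an entry whose Born flag stands apart from the other three, or a Changed time far later than the rest, is the kind of row an examiner compares against other sources before drawing conclusions.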
RELATED LINKS