Ran and Completed, but unable to open 2GB .csv file about cdqr HOT 4 CLOSED

So I'm guessing I cannot open the file because it is too large...
Do you know of a easy way to reduce the supertimeline it creates and only have a csv that contains a certain date range? The 2GB csv timeline it creates is unable to open and when I went to import the data into the SANS Color Timeline, I was only able to copy in a portion of the data because it is so huge.

Also, random question about the date ranges in the timeline output...Why am I seeing years prior to 1970, such as 1906, 1601, 1831, and 1830?

from cdqr.

The purpose of the Reports folder was to help break the file up into
smaller chunks. Have you checked the reports found in the Reports folder?

I would recommend using grep to isolate date ranges out of the
SuperTimeLine.

There are many reasons that those dates could show up and the are too
varied and situation specific to be able to give an accurate answer. That
said, start by identifying what parser provided that data and research what
the date and time fields mean for that entry.

On Fri, Apr 22, 2016, 1:44 PM Zach [email protected] wrote:

So I'm guessing I cannot open the file because it is too large...
Do you know of a easy way to reduce the supertimeline it creates and only
have a csv that contains a certain date range? The 2GB csv timeline it
creates is unable to open and when I went to import the data into the SANS
Color Timeline
https://digital-forensics.sans.org/blog/2012/01/25/digital-forensic-sifting-colorized-super-timeline-template-for-log2timeline-output-files,
I was only able to copy in a portion of the data because it is so huge.

Also, random question about the date ranges in the timeline output...Why
am I seeing years prior to 1970, such as 1906, 1601, 1831, and 1830?

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#3 (comment)

from cdqr.

The reports folder is good if you know exactly what you are looking for, but seeing the context around the particular times is much easier done when all the information is in one file.

from cdqr.

One way to make it easier to find the things you're looking for is to sort on column P, "format" in either the SuperTimeLine or the Reports. This gives you the ability to sort by parser name and should greatly speed up your ability find what you're looking for.

from cdqr.