Artifact Age Filtering
- Overview
- CLI Flags
- Relative Time Syntax
- Use Cases
- Integration with Other Features
- Combined Forensic Workflow
- Performance Considerations
- Timestamp Source
- Platform Support
- Limitations
- Troubleshooting
- Security Considerations
- See Also
Time-based filtering to focus on recent activity and reduce collection scope for large systems.
Overview
The age filtering feature allows you to include or exclude files based on their modification timestamps. This is particularly useful for:
- Incident Response: Focus on files modified during a specific time window
- Recent Activity: Analyze only recently changed files (last 7 days, 30 days, etc.)
- Performance: Reduce scope on large systems with millions of files
- Timeline Narrowing: Focus analysis on relevant time periods
CLI Flags
--modified-after <TIMESTAMP>
Include only files modified after the specified timestamp.
Format Options:
- ISO 8601: `2024-01-15T10:30:00Z`
- Date only: `2024-01-15`
- Relative: `7d` (7 days ago), `30d` (30 days ago), `1h` (1 hour ago)
Examples:
```bash
# Files modified in last 7 days
sus /evidence --modified-after 7d
# Files modified after specific date
sus /evidence --modified-after 2024-01-15
# Files modified after specific timestamp
sus /evidence --modified-after 2024-01-15T10:30:00Z
```
--modified-before <TIMESTAMP>
Include only files modified before the specified timestamp.
Format Options:
- Same as `--modified-after`
Examples:
```bash
# Files modified before specific date
sus /evidence --modified-before 2024-02-01
# Files modified before 30 days ago (older files)
sus /evidence --modified-before 30d
```
Combined Usage
Both flags can be used together to define a time window:
```bash
# Files modified between Jan 15 and Feb 1, 2024
sus /evidence --modified-after 2024-01-15 --modified-before 2024-02-01
# Files modified in the last 7 days but more than 24 hours ago
sus /evidence --modified-after 7d --modified-before 1d
# Recent activity window (7-30 days ago)
sus /evidence --modified-after 30d --modified-before 7d
```
Relative Time Syntax
Relative timestamps are calculated from the current time:
| Suffix | Meaning | Example | Description |
|---|---|---|---|
| h | Hours | 24h | 24 hours ago |
| d | Days | 7d | 7 days ago |
| w | Weeks | 2w | 2 weeks ago (14 days) |
| m | Months | 3m | 3 months ago (≈90 days) |
| y | Years | 1y | 1 year ago (365 days) |
Examples:
```bash
# Last 24 hours
sus /path --modified-after 24h
# Last week
sus /path --modified-after 1w
# Last month
sus /path --modified-after 1m
# Last year
sus /path --modified-after 1y
```
Use Cases
Incident Response
Focus on files modified during the incident timeframe:
```bash
# Compromise detected on 2024-01-20, analyse week before and after
sus /compromised-system \
  --modified-after 2024-01-13 \
  --modified-before 2024-01-27 \
  --target KAPE_Triage \
  --collect \
  --generate-timeline json
```
Recent Malware Analysis
Analyze only recently modified executables:
```bash
# Check for new executables in last 7 days
sus /system \
  --modified-after 7d \
  --profile profiles/base/malware.toml \
  --include-path-globs "*.exe" \
  --include-path-globs "*.dll" \
  --triage-report
```
Performance Optimization
Reduce scope on large systems:
```bash
# Only analyze recently active files on large share
sus /large-file-server \
  --modified-after 30d \
  --profile profiles/composite/security-audit.toml
```
Pre/Post Activity Comparison
Compare file changes before and after a specific event:
```bash
# Before the update (files older than 7 days)
sus /system --modified-before 7d --output-dir ./before
# After the update (files modified in last 7 days)
sus /system --modified-after 7d --output-dir ./after
```
Integration with Other Features
With Artifact Collection
```bash
sus /evidence \
  --modified-after 2024-01-15 \
  --collect \
  --output-dir ./investigation
```
With Timeline Generation
```bash
sus /evidence \
  --modified-after 7d \
  --generate-timeline csv \
  --timeline-output recent_activity.csv
```
With Registry Parsing
```bash
sus /windows/system32/config \
  --modified-after 30d \
  --parse-registry \
  --registry-output recent_registry.csv
```
With Event Log Parsing
```bash
sus /windows/system32/winevt \
  --modified-after 2024-01-15 \
  --parse-evtx \
  --evtx-summary
```
With Triage Scoring
```bash
sus /evidence \
  --modified-after 7d \
  --triage-report \
  --triage-min-score 70 \
  --collect
```
Combined Forensic Workflow
Complete forensic analysis focused on recent activity:
```bash
sus /evidence \
  --modified-after 2024-01-15T00:00:00Z \
  --modified-before 2024-01-22T23:59:59Z \
  --target KAPE_Triage \
  --collect \
  --system-snapshot \
  --generate-timeline json \
  --parse-registry \
  --parse-evtx \
  --triage-report \
  --web-ui
```
Performance Considerations
Impact
Age filtering happens early in the file traversal process, providing significant performance benefits:
- Reduced I/O: Files outside the time window are skipped before content analysis
- Lower Memory: Fewer files loaded into memory
- Faster Analysis: Only relevant files are processed
- Smaller Database: Analysis database contains only filtered files
Benchmarks
Typical performance improvements on large datasets:
| Dataset Size | Time Window | Files Analyzed | Time Saved |
|---|---|---|---|
| 1M files | Last 7 days | ~50K (5%) | ~95% faster |
| 5M files | Last 30 days | ~500K (10%) | ~90% faster |
| 10M files | Last 24 hours | ~10K (0.1%) | ~99% faster |
Best Practices
- Use Relative Times: Easier to specify and understand
- Combine with Path Globs: Further reduce scope
- Start Narrow: Begin with short time windows, expand if needed
- Monitor Output: Check filtered file count to ensure not too restrictive
Timestamp Source
The age filter uses the file's modification timestamp (mtime) from filesystem metadata:
- Modified Time: When file content was last changed
- Not Access Time: Access time is not used (often disabled on modern systems)
- Not Creation Time: Creation time varies by platform and is less reliable
Platform Support
| Platform | Modification Time | Notes |
|---|---|---|
| Linux | ✅ Full support | Standard st_mtime |
| macOS | ✅ Full support | Standard st_mtime |
| Windows | ✅ Full support | NTFS modification time |
Limitations
Timestamp Manipulation
Attackers can modify file timestamps to evade detection:
```bash
# Modified timestamps may not be trustworthy in adversarial environments
# Use in combination with other indicators
sus /evidence \
  --modified-after 7d \
  --parse-registry \
  --parse-evtx \
  --triage-report
```
Mitigation: Cross-reference with:
- Event log timestamps
- Registry artifact timestamps
- File system journal data
- Timeline analysis
Archive Files
Files extracted from an archive carry the extraction time as their mtime, not the original modification time recorded for the archive member:
```bash
# Archives expanded to temporary directories may have recent mtimes
# even though contained files are old
```
Workaround: Analyse archives separately from the filesystem
Timezone Considerations
Timestamps without an explicit time zone are interpreted in local system time:
- ISO 8601 timestamps with a `Z` suffix are UTC
- Date-only formats assume local midnight
- Relative times are calculated from the current local time
Example:
```bash
# Explicit UTC
sus /evidence --modified-after 2024-01-15T10:30:00Z
# Local time (midnight)
sus /evidence --modified-after 2024-01-15
# Relative to now (always clear)
sus /evidence --modified-after 7d
```
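As an added illustration of the argument semantics documented in Relative Time Syntax and Timezone Considerations (example code written for this page, not the `sus` source), the following resolves a `--modified-after`/`--modified-before` value to an instant and applies the resulting window to `(path, mtime)` pairs. Assumptions: `m` is 30 days (so `3m` ≈ 90 days), both window bounds are exclusive, and the sample entries and `NOW` are constructed.

```python
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone

# Suffix lengths follow the table above: w = 7 days, m = 30 days (3m ≈ 90 days), y = 365 days.
_UNITS = {
    "h": timedelta(hours=1),
    "d": timedelta(days=1),
    "w": timedelta(weeks=1),
    "m": timedelta(days=30),
    "y": timedelta(days=365),
}
_RELATIVE = re.compile(r"^(\d+)([hdwmy])$")
_DATE_ONLY = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_timestamp(value: str, now: datetime | None = None) -> datetime:
    """Resolve a --modified-after / --modified-before argument to an aware datetime.

    Relative values ("7d") count back from `now`; date-only values are local midnight
    in the zone of `now`; ISO 8601 values keep their own offset, so a trailing "Z"
    means UTC. Pass `now` explicitly to make results reproducible (e.g. in reports).
    """
    now = now if now is not None else datetime.now().astimezone()
    if (m := _RELATIVE.match(value)):
        return now - int(m.group(1)) * _UNITS[m.group(2)]
    if _DATE_ONLY.match(value):
        return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=now.tzinfo)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # Assumption: a naive ISO timestamp (no offset) is local time, like date-only values.
    return parsed if parsed.tzinfo is not None else parsed.replace(tzinfo=now.tzinfo)


def filter_by_age(entries, after=None, before=None, now=None):
    """Keep paths whose mtime lies strictly inside (after, before); either bound may be None.

    `entries` is an iterable of (path, aware datetime); from a real walk you would build it
    with datetime.fromtimestamp(st.st_mtime).astimezone() before any content is read.
    """
    now = now if now is not None else datetime.now().astimezone()
    lo = parse_timestamp(after, now) if after else None
    hi = parse_timestamp(before, now) if before else None
    return [p for p, mtime in entries if (lo is None or mtime > lo) and (hi is None or mtime < hi)]


# Constructed sample data: a fixed "now" and four files, one sitting exactly on the 7d bound.
NOW = datetime(2024, 2, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("recent.dll", datetime(2024, 1, 30, 9, 0, tzinfo=timezone.utc)),
    ("mid.exe", datetime(2024, 1, 15, 8, 0, tzinfo=timezone.utc)),
    ("boundary.txt", datetime(2024, 1, 25, 12, 0, tzinfo=timezone.utc)),
    ("old.log", datetime(2023, 12, 1, 0, 0, tzinfo=timezone.utc)),
]
```

Running `filter_by_age(SAMPLE, after="30d", before="7d", now=NOW)` keeps only `mid.exe`: the file dated exactly 7 days ago falls on the exclusive bound, which is the kind of edge worth checking when a window seems to drop a file you expected.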
Troubleshooting
No Files Found
If filtering returns zero files:
- Check timestamp format: Ensure correct ISO 8601 or relative format
- Verify time window: May be too restrictive
- Check timezone: Ensure UTC vs local time is correct
- List verbose: Use `-v` to see which files are being filtered
```bash
# Debug mode to see filtering
sus /path --modified-after 7d -vv
```
Too Many Files
If filtering returns too many files:
- Narrow time window: Reduce the time range
- Add path globs: Combine with `--include-path-globs`
- Use other filters: Combine with `--max-file-size`
- Check relative calc: Verify relative timestamps are calculating correctly
Security Considerations
Timestamp Trust
Do not rely solely on modification timestamps for security decisions:
- Timestamps can be easily modified by attackers
- System clock skew can affect relative time calculations
- Some filesystems have limited timestamp precision
Recommendation: Use age filtering for performance and convenience, not as a security control.
Forensic Integrity
When collecting evidence:
```bash
# Always preserve original timestamps
sus /evidence \
  --modified-after 2024-01-15 \
  --collect \
  --system-snapshot \
  --generate-timeline json
```
The `--collect` flag preserves original file metadata in the manifest, including the original modification time.
See Also
- Timeline Generation - View files on a timeline
- Artifact Collection - Preserve filtered files
- Triage Scoring - Prioritize recent changes
- System Snapshot - Capture system state at analysis time