Forensics
File's last access time on NTFS with Windows XP Feb 11 2007 02:02PM
stefano bizzarri gmail com
Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file system, I came
across something odd: the day time of the files written into the disks by Windows XP was in
GMT format even though the BIOS time was set on the local time (which in my case is CEST).

I noticed that just because I was trying to check which files were "touched" by the
system during its right shutdown sequence. Here is my question: why is it that in other systems
with the same O.S. but, for example, with a different language, the files were created, modified
and accessed, applying a time stamp in accordance with the BIOS settings? On few occasions, I
noticed that the Windows XP operating system checks the correct time zone and automatically writes the
time stamps using the GMT time zone instead of the Local Time. And even if you check it every time in
the same Windows system, it will display the time stamp in the local time format. NOT in GMT.
It's very important for me to know why this occurs, especially for forensic
investigations.

Any ideas?

Thanks to all.

Stefano Bizzarri

Copyright 2010, SecurityFocus