RE: file's last acces time on NFTS with Windows XP Feb 13 2007 09:49AM
Jamie Gordon (jamie des co uk)

I thought that files times on NTFS volumes were always stored as UTC? At
least, that's what I read:

Windows being able to display the time as a local time I would expect to
be purely a FileTimeToLocalFileTime() call away.

Jamie Gordon

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of stefano.bizzarri (at) gmail (dot) com [email concealed]
Sent: 11 February 2007 14:02
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: file's last acces time on NFTS with Windows XP

Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file
system I came across something odd: the day time of the files written
into the disks by Windows Xp was in GMT format even though the bios time
was set on the local time (which in my case is CEST).

I noticed that, just because I was trying to check which file were
"touched" by the system during its right shutdown sequence. Here is my
question: why is it that in other systems with the same O.S. but, for
example, with a different language, the files were created, modified

and accessed, applying a time stamp in accordance with the bios
settings? On few occasions, I noticed that Windows Xp operative system,
checks the correct fuse and automatically writes the time stamps using
the GMT fuse instead of the Local Time. And even if you check it every
time in

the same Windows System, it will display the time stamp in the local
time format. NOT in GMT.
It's very important for me to know why this occurs especially for
forensic investigations.

Any ideas?

Thanks to all.

Stefano Bizzarri

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus