Forensics
Re: file's last access time on NTFS with Windows XP Feb 13 2007 02:08PM
Greg Freemyer (greg freemyer gmail com)
Agreed,

At the on-disk level I'm pretty sure NTFS uses GMT (UTC) 100% of the time.

OTOH, FAT32 always uses local time, so that may be the confusion factor.

Greg

On 2/13/07, Jamie Gordon <jamie (at) des.co (dot) uk> wrote:
>
> I thought that file times on NTFS volumes were always stored as UTC? At
> least, that's what I read:
> http://msdn2.microsoft.com/en-us/library/ms724290.aspx
>
> Windows being able to display the time as a local time I would expect to
> be purely a FileTimeToLocalFileTime() call away.
>
> Jamie Gordon
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
> On Behalf Of stefano.bizzarri (at) gmail (dot) com
> Sent: 11 February 2007 14:02
> To: forensics (at) securityfocus (dot) com
> Subject: file's last access time on NTFS with Windows XP
>
> Hello everybody,
> a while ago, while analysing some files inside HDDs with the NTFS file
> system I came across something odd: the day time of the files written
> into the disks by Windows XP was in GMT format even though the BIOS time
> was set on the local time (which in my case is CEST).
>
> I noticed that, just because I was trying to check which files were
> "touched" by the system during its right shutdown sequence. Here is my
> question: why is it that in other systems with the same O.S. but, for
> example, with a different language, the files were created, modified
> and accessed, applying a time stamp in accordance with the BIOS
> settings? On a few occasions, I noticed that the Windows XP operating system
> checks the correct time zone and automatically writes the time stamps using
> the GMT time zone instead of the Local Time. And even if you check it every
> time in the same Windows System, it will display the time stamp in the local
> time format. NOT in GMT.
> It's very important for me to know why this occurs especially for
> forensic investigations.
>
> Any ideas?
>
> Thanks to all.
>
>
> Stefano Bizzarri
>
>

--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
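
The distinction discussed in this thread, as an added example that is not part of the original messages: an NTFS FILETIME is decoded as UTC and only converted to local time for display, while a FAT date/time pair carries no zone and needs an assumed one before it can be compared with NTFS times. The sample values and the fixed UTC+2 offset standing in for CEST are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CEST = timezone(timedelta(hours=2), "CEST")  # assumed zone of the examined machine

# Constructed samples: the same instant as each file system would record it.
SAMPLE_FILETIME = struct.pack("<Q", 127997713200000000)  # NTFS, 8 bytes on disk
SAMPLE_FAT_DATE, SAMPLE_FAT_TIME = 0x350B, 0x7040        # FAT, two 16-bit words

def filetime_to_utc(raw8: bytes) -> datetime:
    """Decode a little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def fat_to_naive(date16: int, time16: int) -> datetime:
    """Decode FAT date/time words. The result is naive on purpose:
    FAT records local wall-clock time and stores no zone with it."""
    return datetime(1980 + (date16 >> 9), (date16 >> 5) & 0x0F, date16 & 0x1F,
                    time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2)

def fat_to_utc(date16: int, time16: int, assumed_zone: timezone) -> datetime:
    """Normalise a FAT timestamp to UTC under an explicit zone assumption."""
    local = fat_to_naive(date16, time16).replace(tzinfo=assumed_zone)
    return local.astimezone(timezone.utc)

def timeline_row(label: str, utc: datetime, display_zone: timezone) -> str:
    """One report line showing the stored UTC value beside the displayed local value."""
    shown = utc.astimezone(display_zone)
    return f"{label:5} utc={utc:%Y-%m-%d %H:%M:%S} local={shown:%Y-%m-%d %H:%M:%S %Z}"

if __name__ == "__main__":
    ntfs_utc = filetime_to_utc(SAMPLE_FILETIME)
    fat_utc = fat_to_utc(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, CEST)
    print(timeline_row("NTFS", ntfs_utc, CEST))
    print(timeline_row("FAT", fat_utc, CEST))
    # Reading the FAT value as if it were UTC shifts it by the zone offset.
    wrong = fat_to_utc(SAMPLE_FAT_DATE, SAMPLE_FAT_TIME, timezone.utc)
    print("skew if FAT is misread as UTC:", wrong - ntfs_utc)
```
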
