Forensics
RE: file's last acces time on NFTS with Windows XP Feb 13 2007 09:49AM
Jamie Gordon (jamie des co uk) (3 replies)
RE: file's last acces time on NFTS with Windows XP Feb 13 2007 05:56PM
Robertson, Seth (JSC-IM) (Seth Robertson-1 nasa gov) (1 replies)
RE: file's last acces time on NFTS with Windows XP Feb 15 2007 11:15PM
Stefano Bizzarri (stefano bizzarri gmail com) (1 replies)
Re: file's last acces time on NFTS with Windows XP Feb 20 2007 12:15AM
Greg Freemyer (greg freemyer gmail com)
Re: file's last acces time on NFTS with Windows XP Feb 13 2007 04:18PM
Robert Reed (rreed567 earthlink net)
Jamie Gordon wrote:
> I thought that files times on NTFS volumes were always stored as UTC? At
> least, that's what I read:
> http://msdn2.microsoft.com/en-us/library/ms724290.aspx
>
> Windows being able to display the time as a local time I would expect to
> be purely a FileTimeToLocalFileTime() call away.
>
> Jamie Gordon
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of stefano.bizzarri (at) gmail (dot) com [email concealed]
> Sent: 11 February 2007 14:02
> To: forensics (at) securityfocus (dot) com [email concealed]
> Subject: file's last acces time on NFTS with Windows XP
>
> Hello everybody,
> a while ago, while analysing some files inside HDDs with the NTFS file
> system I came across something odd: the day time of the files written
> into the disks by Windows Xp was in GMT format even though the bios time
> was set on the local time (which in my case is CEST).
>
> I noticed that, just because I was trying to check which file were
> "touched" by the system during its right shutdown sequence. Here is my
> question: why is it that in other systems with the same O.S. but, for
> example, with a different language, the files were created, modified
>
> and accessed, applying a time stamp in accordance with the bios
> settings? On few occasions, I noticed that Windows Xp operative system,
> checks the correct fuse and automatically writes the time stamps using
> the GMT fuse instead of the Local Time. And even if you check it every
> time in
>
> the same Windows System, it will display the time stamp in the local
> time format. NOT in GMT.
> It's very important for me to know why this occurs especially for
> forensic investigations.
>
> Any ideas?
>
> Thanks to all.
>
>
> Stefano Bizzarri
>
>
>
Window file time is a function of which time zone the OS is told it
resides... look in the registry for the time offset... the User may very
well have set the bios to local time and set the operating system to
correspond to GMT times..... This is why you should always look at BIOS
and time offest settings... people do weird things sometimes???

[ reply ]
Re: file's last acces time on NFTS with Windows XP Feb 13 2007 02:08PM
Greg Freemyer (greg freemyer gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus