Forensics
RE: file's last acces time on NFTS with Windows XP Feb 13 2007 09:49AM
Jamie Gordon (jamie des co uk) (3 replies)
RE: file's last acces time on NFTS with Windows XP Feb 13 2007 05:56PM
Robertson, Seth (JSC-IM) (Seth Robertson-1 nasa gov) (1 replies)
Jamie's right: even with the same operating system, a discrepancy in the
time displayed might be caused by...
* the file system: NTFS stores in UTC while FAT stores in local time
* OR the tool you're using--even two products made by the same company
may treat the timestamps differently: Forensic Toolkit automatically
adjusts UTC timestamps before displaying them according to the time zone
the evidence was recovered from (by default, the timezone of your
forensics workstation) and for daylight savings, while FTK Imager always
displays the raw UTC timestamps.

Don't forget that when you're working with raw UTC timestamps,
daylight savings time might be a second factor:
http://webexhibits.org/daylightsaving/b.html

Seth Robertson

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of Jamie Gordon
Sent: Tuesday, February 13, 2007 3:50 AM
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: RE: file's last acces time on NFTS with Windows XP

I thought that file times on NTFS volumes were always stored as UTC? At
least, that's what I read:
http://msdn2.microsoft.com/en-us/library/ms724290.aspx

Windows being able to display the time as a local time I would expect to
be purely a FileTimeToLocalFileTime() call away.

Jamie Gordon

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
On Behalf Of stefano.bizzarri (at) gmail (dot) com [email concealed]
Sent: 11 February 2007 14:02
To: forensics (at) securityfocus (dot) com [email concealed]
Subject: file's last acces time on NFTS with Windows XP

Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file
system I came across something odd: the day time of the files written
into the disks by Windows XP was in GMT format even though the BIOS time
was set on the local time (which in my case is CEST).

I noticed that, just because I was trying to check which files were
"touched" by the system during its right shutdown sequence. Here is my
question: why is it that in other systems with the same O.S. but, for
example, with a different language, the files were created, modified
and accessed, applying a time stamp in accordance with the BIOS
settings? On a few occasions, I noticed that the Windows XP operative system
checks the correct fuse and automatically writes the time stamps using
the GMT fuse instead of the Local Time. And even if you check it every
time in the same Windows System, it will display the time stamp in the local
time format. NOT in GMT.
It's very important for me to know why this occurs especially for
forensic investigations.

Any ideas?

Thanks to all.

Stefano Bizzarri

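The display discrepancy discussed in this message, as an added example that is not part of the original thread: one raw NTFS FILETIME value rendered as raw UTC and as zone-adjusted local time in winter and summer, plus the ambiguity of a FAT local timestamp. The sample values are constructed, the function names are hypothetical, and the zone is assumed to be Central European (EU daylight saving rule, last Sunday of March to last Sunday of October at 01:00 UTC).

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """NTFS FILETIME: count of 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def _last_sunday_0100_utc(year, month):
    # March and October both have 31 days; step back to the last Sunday.
    d = datetime(year, month, 31, 1, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def central_europe_offset(utc_dt):
    """Assumed zone: +2 h while EU daylight saving is in effect, else +1 h."""
    start = _last_sunday_0100_utc(utc_dt.year, 3)
    end = _last_sunday_0100_utc(utc_dt.year, 10)
    return timedelta(hours=2 if start <= utc_dt < end else 1)

def as_displayed(ft, adjust):
    """String a tool would show: raw UTC, or adjusted for zone and DST."""
    utc = filetime_to_utc(ft)
    if not adjust:
        return utc.strftime("%Y-%m-%d %H:%M:%S") + " UTC"
    off = central_europe_offset(utc)
    hours = off.seconds // 3600
    return (utc + off).strftime("%Y-%m-%d %H:%M:%S") + " UTC+%d" % hours

def fat_local_to_utc(naive_local, assumed_offset):
    """FAT keeps wall-clock time with no zone; the UTC result depends
    entirely on the offset the examiner assumes."""
    return (naive_local - assumed_offset).replace(tzinfo=timezone.utc)

# Constructed sample values (not taken from any evidence in the thread).
WINTER_FT = 128156725200000000                  # 2007-02-11 13:02:00 UTC
SUMMER_FT = WINTER_FT + 150 * 86400 * 10**7     # 150 days later

if __name__ == "__main__":
    for ft in (WINTER_FT, SUMMER_FT):
        print(ft, "|", as_displayed(ft, False), "|", as_displayed(ft, True))
    fat = datetime(2007, 2, 11, 14, 2)          # constructed FAT wall-clock value
    for hours in (1, 0):                        # evidence zone vs. a UTC workstation
        print("FAT assumed UTC+%d ->" % hours,
              fat_local_to_utc(fat, timedelta(hours=hours)))
```

The same stored value yields three different displayed strings depending on the tool setting and season, which is why a report should state the time zone and DST handling applied.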
RE: file's last acces time on NFTS with Windows XP Feb 15 2007 11:15PM
Stefano Bizzarri (stefano bizzarri gmail com) (1 replies)
Re: file's last acces time on NFTS with Windows XP Feb 20 2007 12:15AM
Greg Freemyer (greg freemyer gmail com)
Re: file's last acces time on NFTS with Windows XP Feb 13 2007 04:18PM
Robert Reed (rreed567 earthlink net)
Re: file's last acces time on NFTS with Windows XP Feb 13 2007 02:08PM
Greg Freemyer (greg freemyer gmail com)


 
