Agreed,

At the on-disk level I'm pretty sure NTFS uses GMT (UTC) 100% of the time.

OTOH, FAT32 always uses localtime, so that may be the confusion factor.

Greg

On 2/13/07, Jamie Gordon <[EMAIL PROTECTED]> wrote:

I thought that file times on NTFS volumes were always stored as UTC? At
least, that's what I read:
http://msdn2.microsoft.com/en-us/library/ms724290.aspx

Windows being able to display the time as a local time I would expect to
be purely a FileTimeToLocalFileTime() call away.

Jamie Gordon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: 11 February 2007 14:02
To: [email protected]
Subject: file's last access time on NTFS with Windows XP

Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file
system I came across something odd: the day time of the files written
into the disks by Windows XP was in GMT format even though the bios time
was set on the local time (which in my case is CEST).

I noticed that, just because I was trying to check which files were
"touched" by the system during its right shutdown sequence. Here is my
question: why is it that in other systems with the same O.S. but, for
example, with a different language, the files were created, modified
and accessed, applying a time stamp in accordance with the bios
settings? On a few occasions, I noticed that Windows XP operative system
checks the correct fuse and automatically writes the time stamps using
the GMT fuse instead of the Local Time. And even if you check it every
time in the same Windows System, it will display the time stamp in the
local time format. NOT in GMT.
It's very important for me to know why this occurs especially for
forensic investigations.

Any ideas?

Thanks to all.


Stefano Bizzarri




--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
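
Added example, not part of the original thread: decoding the same moment from an NTFS FILETIME (stored as UTC) and from FAT date/time words (stored as local wall-clock time with no zone), to show why a FAT stamp needs the writing machine's zone before it can be compared with an NTFS one. The sample values are constructed and the CEST offset is an assumption taken from the original question.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CEST = timezone(timedelta(hours=2), "CEST")  # assumed zone of the writing machine


def filetime_to_utc(filetime: int) -> datetime:
    """NTFS/Win32 FILETIME: count of 100 ns ticks since 1601-01-01 00:00 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, used here to build the sample value."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def fat_to_naive(fat_date: int, fat_time: int) -> datetime:
    """FAT date/time words: local wall-clock time, 2 s resolution, no zone stored."""
    return datetime(
        1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F,
        fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2,
    )


def fat_to_utc(fat_date: int, fat_time: int, writer_zone: timezone) -> datetime:
    """Normalising a FAT stamp needs the writer's zone supplied by the examiner."""
    naive = fat_to_naive(fat_date, fat_time)
    return naive.replace(tzinfo=writer_zone).astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: one event at 2006-08-15 14:02:10 CEST on both file systems.
    event_utc = datetime(2006, 8, 15, 12, 2, 10, tzinfo=timezone.utc)
    ntfs_raw = utc_to_filetime(event_utc)
    fat_date, fat_time = 13583, 28741  # same wall-clock moment as FAT words

    print("NTFS raw     :", ntfs_raw)
    print("NTFS as UTC  :", filetime_to_utc(ntfs_raw))
    print("NTFS in CEST :", filetime_to_utc(ntfs_raw).astimezone(CEST))
    print("FAT as stored:", fat_to_naive(fat_date, fat_time), "(no zone)")
    print("FAT to UTC   :", fat_to_utc(fat_date, fat_time, CEST))
```

The NTFS value reads 12:02:10 when decoded raw and 14:02:10 once converted for display, which is the GMT-on-disk versus local-on-screen difference described in the thread.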
