First of all, thanks for your answer.
I already know a lot of the things you are speaking about, but my problem
is quite different:
I don't want to know in which way Windows writes time-stamps on an NTFS
filesystem, but I would like to know why in such a case it doesn't
happen. I said that only in one case I see the files' time-stamps in UTC
format. Every other time, always in local time. I say again that the
checks were done using a Linux O.S. and it doesn't know when files were
accessed, modified or created. It only reads metadata written in the
MFTs. Here is the test I've done:
1 PC Laptop Fujitsu Siemens Stylistic ST5020 with Windows Xp Tablet
Edition Sp2 - English;
1 PC Laptop Acer TM 351 TE with Windows 2000 Professional Sp4 - Italian;
1 PC Desktop with Windows Vista Ultimate - English;
Every PC's BIOS was set according to Local Time.
On all PCs a new folder was created in the root of the system partition.
After that the PCs were rebooted using a Linux distro.
At the end of linux startup sequence, I mounted the partition of the
disk in which I've just created the new folder and checked its time
stamp.
Only in the first case I saw the time stamp in the GMT/UTC format. In
the second and third case, the time stamp was in Local Time. Why?
What is the reason?
The command I executed to show the last access time of a file/folder was
"ls -lut filename";
I've tried with Knoppix, Debian (Sarge, Etch), Ubuntu (Dapper, Edgy,
Feisty) (yes, I know that these all come from Debian but at that
time I didn't have other distros to use). Always the same results.
Stefano Bizzarri
On Tue, February 13, 2007 18:56, Robertson, Seth (JSC-IM) wrote:
Jamie's right: even with the same operating system, a discrepancy in the
time displayed might be caused by...
* the file system: NTFS stores in UTC while FAT stores in local time
* OR the tool you're using--even two products made by the same company
  may treat the timestamps differently: Forensic Toolkit automatically
  adjusts UTC timestamps before displaying them according to the time
  zone the evidence was recovered from (by default, the timezone of your
  forensics workstation) and for daylight savings, while FTK Imager
  always displays the raw UTC timestamps.
Don't forget that when you're working with raw UTC timestamps that
daylight savings time might be a second factor:
http://webexhibits.org/daylightsaving/b.html
Seth Robertson
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Jamie Gordon
Sent: Tuesday, February 13, 2007 3:50 AM
To: [email protected]
Subject: RE: file's last acces time on NFTS with Windows XP
I thought that file times on NTFS volumes were always stored as UTC? At
least, that's what I read:
http://msdn2.microsoft.com/en-us/library/ms724290.aspx
Windows being able to display the time as a local time I would expect to
be purely a FileTimeToLocalFileTime() call away.
Jamie Gordon
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: 11 February 2007 14:02
To: [email protected]
Subject: file's last acces time on NFTS with Windows XP
Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file
system I came across something odd: the day time of the files written
into the disks by Windows Xp was in GMT format even though the bios time
was set on the local time (which in my case is CEST).
I noticed that, just because I was trying to check which files were
"touched" by the system during its right shutdown sequence. Here is my
question: why is it that in other systems with the same O.S. but, for
example, with a different language, the files were created, modified
and accessed, applying a time stamp in accordance with the bios
settings? On a few occasions, I noticed that the Windows Xp operating
system checks the correct fuse and automatically writes the time stamps
using the GMT fuse instead of the Local Time. And even if you check it
every time in the same Windows System, it will display the time stamp in
the local time format. NOT in GMT. It's very important for me to know
why this occurs, especially for forensic investigations.
Any ideas?
Thanks to all.
Stefano Bizzarri
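
Added example, not part of the thread or written by any of its participants: the replies above say NTFS stores times in UTC and that tools differ in whether they show the raw value or a local-time conversion. This Python sketch decodes a raw FILETIME value (100 ns ticks since 1601-01-01 UTC) and reports which of the two a displayed time matches; the Central European (CET/CEST) rule, the function names and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)  # FILETIME counts 100 ns ticks from here

def filetime_to_utc(ft):
    """Decode a raw 64-bit FILETIME value into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Encode an aware datetime as FILETIME ticks (used to build sample values)."""
    d = dt.astimezone(UTC) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _last_sunday_0100(year, month):
    # March and October both have 31 days; step back to the last Sunday, 01:00 UTC.
    d = datetime(year, month, 31, 1, 0, tzinfo=UTC)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def to_central_european(utc_dt):
    """Assumed zone: CET (UTC+1), CEST (UTC+2) between the EU switch dates."""
    start = _last_sunday_0100(utc_dt.year, 3)
    end = _last_sunday_0100(utc_dt.year, 10)
    hours = 2 if start <= utc_dt < end else 1
    return utc_dt.astimezone(timezone(timedelta(hours=hours)))

def classify_display(ft, shown):
    """Say whether a tool's displayed (naive) time is the raw UTC value or local time."""
    utc = filetime_to_utc(ft)
    if shown == utc.replace(tzinfo=None):
        return "raw UTC"
    if shown == to_central_european(utc).replace(tzinfo=None):
        return "local time"
    return "neither"

if __name__ == "__main__":
    # Constructed sample: a folder created at 15:30 local time (CET) on 2007-02-12.
    ft = utc_to_filetime(datetime(2007, 2, 12, 14, 30, tzinfo=UTC))
    utc = filetime_to_utc(ft)
    print(ft, utc.isoformat(), to_central_european(utc).isoformat())
    for shown in (datetime(2007, 2, 12, 14, 30), datetime(2007, 2, 12, 15, 30)):
        print(shown, "->", classify_display(ft, shown))
```

Comparing a timestamp whose wall-clock creation time is known against what each tool prints shows whether that tool applies a time zone conversion, independently of what is stored on disk.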