Jamie Gordon wrote:
I thought that file times on NTFS volumes were always stored as UTC? At
least, that's what I read:
http://msdn2.microsoft.com/en-us/library/ms724290.aspx
Windows being able to display the time as a local time I would expect to
be purely a FileTimeToLocalFileTime() call away.
Jamie Gordon
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: 11 February 2007 14:02
To: [email protected]
Subject: file's last acces time on NFTS with Windows XP
Hello everybody,
a while ago, while analysing some files inside HDDs with the NTFS file
system I came across something odd: the day time of the files written
into the disks by Windows XP was in GMT format even though the BIOS time
was set on the local time (which in my case is CEST).
I noticed that, just because I was trying to check which files were
"touched" by the system during its right shutdown sequence. Here is my
question: why is it that in other systems with the same O.S. but, for
example, with a different language, the files were created, modified
and accessed, applying a time stamp in accordance with the BIOS
settings? On a few occasions, I noticed that the Windows XP operating
system checks the correct time zone and automatically writes the time
stamps using the GMT time zone instead of the Local Time. And even if
you check it every time in the same Windows System, it will display the
time stamp in the local time format. NOT in GMT.
It's very important for me to know why this occurs especially for
forensic investigations.
Any ideas?
Thanks to all.
Stefano Bizzarri
Windows file time is a function of which time zone the OS is told it
resides... look in the registry for the time offset... the User may very
well have set the BIOS to local time and set the operating system to
correspond to GMT times..... This is why you should always look at BIOS
and time offset settings... people do weird things sometimes???
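
An added example, not part of the original thread: it decodes a raw 8-byte FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and renders the same stored value under different time-zone biases, which is the step FileTimeToLocalFileTime() performs for display. The function names, the sample timestamp and the bias values are constructed for illustration; the bias is assumed to have been read by the examiner from the examined system's time-zone settings.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def utc_to_filetime(dt: datetime) -> bytes:
    """Encode an aware datetime as the 8-byte little-endian on-disk value."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    ticks += delta.microseconds * 10
    return struct.pack("<Q", ticks)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # Integer microseconds avoid float rounding; sub-microsecond ticks drop.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def describe(raw: bytes, bias_minutes: int) -> str:
    """Render a stored value the way a system with the given bias shows it.

    Windows defines the bias as UTC = local + bias, so local = UTC - bias.
    """
    shown = timezone(timedelta(minutes=-bias_minutes))
    return filetime_to_utc(raw).astimezone(shown).isoformat()


# Constructed sample: one stored timestamp, 2007-02-11 13:02:00 UTC.
SAMPLE = utc_to_filetime(datetime(2007, 2, 11, 13, 2, tzinfo=timezone.utc))

if __name__ == "__main__":
    print("raw bytes :", SAMPLE.hex())
    for label, bias in (("UTC", 0), ("UTC+1", -60), ("UTC-5", 300)):
        print(f"{label:<6} bias={bias:>4} ->", describe(SAMPLE, bias))
```

The bytes on disk are identical in all three renderings; only the bias applied at display time differs, so a timeline should record the UTC value together with the bias used to present it.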