Jamie's right: even with the same operating system, a discrepancy in the time displayed might be caused by...

* the file system: NTFS stores in UTC while FAT stores in local time
* OR the tool you're using--even two products made by the same company may treat the timestamps differently: Forensic Toolkit automatically adjusts UTC timestamps before displaying them according to the time zone the evidence was recovered from (by default, the timezone of your forensics workstation) and for daylight savings, while FTK Imager always displays the raw UTC timestamps.

Don't forget that when you're working with raw UTC timestamps, daylight savings time might be a second factor: http://webexhibits.org/daylightsaving/b.html

Seth Robertson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jamie Gordon
Sent: Tuesday, February 13, 2007 3:50 AM
To: [email protected]
Subject: RE: file's last acces time on NFTS with Windows XP

I thought that file times on NTFS volumes were always stored as UTC? At least, that's what I read: http://msdn2.microsoft.com/en-us/library/ms724290.aspx

Windows being able to display the time as a local time I would expect to be purely a FileTimeToLocalFileTime() call away.

Jamie Gordon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 11 February 2007 14:02
To: [email protected]
Subject: file's last acces time on NFTS with Windows XP

Hello everybody,

a while ago, while analysing some files inside HDDs with the NTFS file system, I came across something odd: the day time of the files written into the disks by Windows XP was in GMT format even though the bios time was set on the local time (which in my case is CEST). I noticed that just because I was trying to check which files were "touched" by the system during its right shutdown sequence.

Here is my question: why is it that in other systems with the same O.S. but, for example, with a different language, the files were created, modified and accessed, applying a time stamp in accordance with the bios settings? On a few occasions, I noticed that Windows XP operative system checks the correct fuse and automatically writes the time stamps using the GMT fuse instead of the Local Time. And even if you check it every time in the same Windows System, it will display the time stamp in the local time format. NOT in GMT.

It's very important for me to know why this occurs, especially for forensic investigations. Any ideas?

Thanks to all.

Stefano Bizzarri
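The UTC-versus-local-time point from the first reply above, as an added example that is not part of the thread and not code from any of the tools named in it: the same raw NTFS value is rendered once as raw UTC and once adjusted for zone and daylight saving, and a FAT-style local stamp is mapped back to UTC under two different assumptions. The function names, the sample timestamps and the choice of the CET/CEST zone with the EU daylight-saving rule are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Raw on-disk value -> UTC datetime (what a 'raw UTC' viewer shows)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse helper, used here only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def _last_sunday(year, month):
    # March and October both have 31 days; EU switches happen at 01:00 UTC.
    d = datetime(year, month, 31, 1, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def central_europe_offset(utc_dt):
    """Assumed zone CET/CEST, EU rule in force since 1996: +2h in DST, else +1h."""
    dst = _last_sunday(utc_dt.year, 3) <= utc_dt < _last_sunday(utc_dt.year, 10)
    return timedelta(hours=2 if dst else 1)

def filetime_to_local(ft):
    """Same raw value, adjusted for zone and DST (an 'adjusting' viewer)."""
    utc = filetime_to_utc(ft)
    return utc.astimezone(timezone(central_europe_offset(utc)))

def fat_local_to_utc(naive_local, assumed_offset):
    """FAT keeps wall-clock time with no zone, so UTC depends on the assumption."""
    return (naive_local - assumed_offset).replace(tzinfo=timezone.utc)

if __name__ == "__main__":
    # Constructed samples: one winter and one summer instant in 2007.
    for utc in (datetime(2007, 2, 11, 13, 2, tzinfo=timezone.utc),
                datetime(2007, 7, 11, 13, 2, tzinfo=timezone.utc)):
        ft = utc_to_filetime(utc)
        print(ft, filetime_to_utc(ft).isoformat(), filetime_to_local(ft).isoformat())
    stored = datetime(2007, 7, 11, 15, 2)  # constructed FAT-style local stamp
    for hours in (1, 2):
        print(hours, fat_local_to_utc(stored, timedelta(hours=hours)).isoformat())
```

When comparing output from two tools, normalise both to UTC first and record which zone and daylight-saving assumption each tool applied.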
