Stefano,

As far as I know "ls -lut" is going to be affected by the timezone, etc. Definitely not a forensic tool.

If you want to test from Linux try "date -u -r filename". That should provide you the UTC time of the last modification of the file.

Greg

On 2/15/07, Stefano Bizzarri <[EMAIL PROTECTED]> wrote:

First of all, thanks for your answer. I already know a lot of the things you are speaking about, but my problem is quite different: I don't want to know in which way Windows writes time stamps on an NTFS filesystem, but I would like to know why in such a case it doesn't happen. I said that only in one case I see the files' time stamps in UTC format. Every other time, always in local time. I say again that the checks were done using a Linux O.S., and it doesn't know when files were accessed, modified or created. It only reads metadata written in the MFTs.

Here is the test I've done:

1 PC Laptop Fujitsu Siemens Stylistic ST5020 with Windows Xp Tablet Edition Sp2 - English;
1 PC Laptop Acer TM 351 TE with Windows 2000 Professional Sp4 - Italian;
1 PC Desktop with Windows Vista Ultimate - English;

Every PC's BIOS was set according to Local Time. On all PCs a new folder was created on the root of the system partition. After that the PCs were rebooted using a Linux distro. At the end of the Linux startup sequence, I mounted the partition of the disk in which I had just created the new folder and checked its time stamp. Only in the first case I saw the time stamp in the GMT/UTC format. In the second and third case, the time stamp was in Local Time. Why? What is the reason?

The command I executed to show the last access time of a file/folder was "ls -lut filename"; I've tried with Knoppix, Debian (Sarge, Etch), Ubuntu (Dapper, Edgy, Feisty) (yes, I know that these all come from Debian, but at that time I had no other distros to use). Always the same results.

Stefano Bizzarri

On Tue, February 13, 2007 18:56, Robertson, Seth (JSC-IM) wrote:
> Jamie's right: even with the same operating system, a discrepancy in the
> time displayed might be caused by...
> * the file system: NTFS stores in UTC while FAT stores in local time
> * OR the tool you're using--even two products made by the same company
>   may treat the timestamps differently: Forensic Toolkit automatically
>   adjusts UTC timestamps before displaying them according to the time
>   zone the evidence was recovered from (by default, the timezone of your
>   forensics workstation) and for daylight savings, while FTK Imager
>   always displays the raw UTC timestamps.
>
> Don't forget that when you're working with raw UTC timestamps that
> daylight savings time might be a second factor:
> http://webexhibits.org/daylightsaving/b.html
>
> Seth Robertson
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jamie Gordon
> Sent: Tuesday, February 13, 2007 3:50 AM
> To: [email protected]
> Subject: RE: file's last acces time on NFTS with Windows XP
>
> I thought that file times on NTFS volumes were always stored as UTC? At
> least, that's what I read:
> http://msdn2.microsoft.com/en-us/library/ms724290.aspx
>
> Windows being able to display the time as a local time I would expect to
> be purely a FileTimeToLocalFileTime() call away.
>
> Jamie Gordon
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: 11 February 2007 14:02
> To: [email protected]
> Subject: file's last acces time on NFTS with Windows XP
>
> Hello everybody,
> a while ago, while analysing some files inside HDDs with the NTFS file
> system I came across something odd: the day time of the files written
> into the disks by Windows Xp was in GMT format even though the bios time
> was set on the local time (which in my case is CEST).
>
> I noticed that, just because I was trying to check which files were
> "touched" by the system during its right shutdown sequence. Here is my
> question: why is it that in other systems with the same O.S. but, for
> example, with a different language, the files were created, modified
> and accessed, applying a time stamp in accordance with the bios
> settings? On few occasions, I noticed that Windows Xp operative system,
> checks the correct fuse and automatically writes the time stamps using
> the GMT fuse instead of the Local Time. And even if you check it every
> time in the same Windows System, it will display the time stamp in the
> local time format. NOT in GMT. It's very important for me to know why
> this occurs especially for forensic investigations.
>
> Any ideas?
>
> Thanks to all.
>
> Stefano Bizzarri
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
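
Added example, not part of the thread or any poster's code: a Python sketch of the point made in the quoted replies, that an NTFS time is a stored UTC FILETIME and any local time is a display-side conversion that also depends on daylight saving. The FILETIME samples are constructed, and the hard-coded CET/CEST rule is an assumption standing in for the examiner's time zone.

```python
from datetime import datetime, timedelta, timezone

# NTFS timestamps are FILETIME values: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """Decode a raw 64-bit FILETIME; integer math avoids float rounding."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME (used to build the samples)."""
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def _last_sunday_0100_utc(year: int, month: int) -> datetime:
    # Valid for March and October, which both have 31 days.
    d = datetime(year, month, 31, 1, tzinfo=timezone.utc)
    return d - timedelta(days=(d.weekday() + 1) % 7)

def cet_offset(utc_dt: datetime) -> timedelta:
    """Assumed zone: Central European Time with the EU DST rule
    (CEST from the last Sunday of March to the last Sunday of October,
    switching at 01:00 UTC)."""
    start = _last_sunday_0100_utc(utc_dt.year, 3)
    end = _last_sunday_0100_utc(utc_dt.year, 10)
    return timedelta(hours=2 if start <= utc_dt < end else 1)

def render(ft: int) -> tuple[str, str]:
    """Return (raw UTC view, examiner-local view) of one stored value."""
    utc = filetime_to_utc(ft)
    local = utc.astimezone(timezone(cet_offset(utc)))
    fmt = "%Y-%m-%d %H:%M:%S %z"
    return utc.strftime(fmt), local.strftime(fmt)

# Constructed sample values, not taken from any real volume.
SAMPLES = {
    "winter": utc_to_filetime(datetime(2007, 2, 11, 13, 2, tzinfo=timezone.utc)),
    "summer": utc_to_filetime(datetime(2007, 7, 11, 13, 2, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for name, ft in SAMPLES.items():
        utc_view, local_view = render(ft)
        print(f"{name}: raw={ft} utc={utc_view} local={local_view}")
```

The same stored value prints one or two hours away from its raw UTC form depending on the date, so a tool's time zone and DST handling has to be known before timestamps from different systems are compared.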
