Sanity check please (Vista NTFS timestamps)

by Angus Marshall

I'm suffering from brain fade or something at the moment

I have a file which shows MAC times which are near-identical under
File-Properties in Vista
Created : Jan 6 2009 8:09:19 a.m.
Modified : Jan 6 2009 8:09:20 a.m.
Accessed : Jan 6 2009 8:09:20 a.m.

Autopsy 2.21 with SK 3.0.1, however, gives the following:

Written : 2009-01-05 19:09:20 (PST)
Accessed : 2009-01-05 19:09:20 (PST)
Changed : 2009-01-30 17:24:54 (PST)
Created : 2009-01-06 07:09:19 (PST)

BIOS clock is 12 hours adrift and TZ is set to PST even though the machine
is based in the UK.

Any thoughts on this?

I don't believe Vista's report completely anyway because I know someone
has "had a look" at the machine without following correct process.


_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org

BUG! Re: Sanity check please (Vista NTFS timestamps)

by Angus Marshall

I've just loaded another copy of the case into Autopsy and left out
the TZ and clock skew data. I now get consistent timestamps for the
written, accessed and created fields.

On that basis, I think there is a bug somewhere and that the clock  
skew is not being correctly deducted from the Created time, even  
though the timezone adjustment is being applied. Time to get out the  
pencil and paper....

On 16 Sep 2009, at 13:02, Mark McKinnon wrote:

> Hi Angus,
>
> I know Vista has the last accessed time off by default could this be  
> what you are seeing?
>
> Just a thought.
>
> Kind Regards.
>
> Mark



Re: BUG! Re: Sanity check please (Vista NTFS timestamps)

by Brian Carrier

Hi Angus,

I just did a test on an NTFS image here and the "-s" clock skew  
calculation works correctly, so I don't know how to explain what you  
are seeing.  If you still have the image, I would be interested in the  
results from the following:

run 'istat' on the file specifying the clock skew:

istat -s 43200 IMG MFTNUM

and then with clock skew and timezone:

istat -s 43200 -z PST8PDT IMG MFTNUM

Do these look correct?

thanks,
brian

On Sep 16, 2009, at 9:42 AM, Angus Marshall wrote:

> I've just loaded another copy of the case into Autopsy and left out
> the TZ and clock skew data. I now get consistent timestampes for the
> written, accessed and created fields.
>
> On that basis, I think there is a bug somewhere and that the clock
> skew is not being correctly deducted from the Created time, even
> though the timezone adjustment is being applied. Time to get out the
> pencil and paper....
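A worked example of the arithmetic behind the istat -s / -z check above, added here as an illustration; it is not code from the thread or from The Sleuth Kit. It decodes NTFS FILETIME values, applies a clock skew and a display zone uniformly to all four $STANDARD_INFORMATION times, and then runs the pencil-and-paper test for the symptom Angus describes: a skew or zone shift is the same constant for every field, so the gap between any two timestamps must be identical before and after adjustment, and a Created time that drifts relative to Written means the shift was applied unevenly. The skew sign convention, the fixed-offset PST zone and the sample FILETIME values are assumptions of the example.

```python
from datetime import datetime, timedelta, timezone, tzinfo

# NTFS stores every $STANDARD_INFORMATION time as a FILETIME: 100 ns ticks
# since 1601-01-01 00:00:00 UTC. It is not local time; a zone is applied only
# when a tool renders it, which is why skew and TZ are separate adjustments.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed-offset zone for the sample so the block runs without tzdata; a real
# run would pass zoneinfo.ZoneInfo("PST8PDT") so DST is handled. January is
# standard time on the US west coast, so UTC-8 is correct for these dates.
PST = timezone(timedelta(hours=-8), "PST")


def filetime_to_utc(ticks: int) -> datetime:
    """Decode a raw FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks (used to build the sample)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def adjust(ts_utc: datetime, skew_seconds: int, tz: tzinfo) -> datetime:
    """Remove the original machine's clock skew, then render in the examiner's zone.

    Skew convention assumed here (my reading of the TSK fls/istat man page,
    not checked against the 3.0.1 code): the value is how far the original
    clock was ahead of true time, so a clock 100 s slow is -100 and the
    corrected time is raw minus skew. A BIOS clock 12 hours fast is 43200.
    """
    return (ts_utc - timedelta(seconds=skew_seconds)).astimezone(tz)


def adjust_all(raw: dict[str, int], skew_seconds: int, tz: tzinfo) -> dict[str, datetime]:
    """Apply the same skew and zone to every timestamp of one MFT entry."""
    return {name: adjust(filetime_to_utc(t), skew_seconds, tz) for name, t in raw.items()}


def gap_mismatches(raw: dict[str, int], adjusted: dict[str, datetime]) -> list[str]:
    """Pencil-and-paper check: skew and zone shift every field by the same
    constant, so the gap between any pair must survive the adjustment.
    A changed gap means the tool shifted some fields and not others."""
    names = list(raw)
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            before = filetime_to_utc(raw[b]) - filetime_to_utc(raw[a])
            after = adjusted[b] - adjusted[a]
            if before != after:
                problems.append(f"{a}->{b}: gap {before} in raw, {after} after adjustment")
    return problems


# Constructed sample (not the thread's real values): created/modified/accessed
# within a second of each other, as Vista's Properties dialog showed, plus a
# later MFT-entry change.
SAMPLE_RAW = {
    "crtime": utc_to_filetime(datetime(2009, 1, 6, 8, 9, 19, tzinfo=timezone.utc)),
    "mtime": utc_to_filetime(datetime(2009, 1, 6, 8, 9, 20, tzinfo=timezone.utc)),
    "atime": utc_to_filetime(datetime(2009, 1, 6, 8, 9, 20, tzinfo=timezone.utc)),
    "ctime": utc_to_filetime(datetime(2009, 1, 30, 17, 24, 54, tzinfo=timezone.utc)),
}


def simulate_uneven_skew(raw: dict[str, int], skew_seconds: int, tz: tzinfo) -> list[str]:
    """Reproduce the symptom suspected in the thread: skew applied to
    written/accessed/changed but not to created. The gap check must flag it."""
    adjusted = adjust_all(raw, skew_seconds, tz)
    adjusted["crtime"] = adjust(filetime_to_utc(raw["crtime"]), 0, tz)
    return gap_mismatches(raw, adjusted)


if __name__ == "__main__":
    good = adjust_all(SAMPLE_RAW, 43200, PST)
    for name, ts in good.items():
        print(f"{name:7s} {ts:%Y-%m-%d %H:%M:%S %Z}")
    print("uniform adjustment:", gap_mismatches(SAMPLE_RAW, good) or "gaps preserved")
    for line in simulate_uneven_skew(SAMPLE_RAW, 43200, PST):
        print("uneven adjustment:", line)
```

To use this against a real case, replace SAMPLE_RAW with the four FILETIME values read from the MFT entry (the raw "Original times" istat prints, or the bytes of the $STANDARD_INFORMATION attribute) and compare the output of adjust_all with what the GUI shows; if gap_mismatches is empty for your own arithmetic but the tool's Created time sits twelve hours from the rest, the tool, not the disk, moved it.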

SFDumper 2.1

by Nanni Bassetti

We have released SFDumper 2.1; all the problems with file names and
filtering by extension have now finally been resolved.
Try it:
http://sfdumper.sourceforge.net/

Thanks ;-)
 -------------------------------------------------------------
Dr. Nanni Bassetti
 http://www.nannibassetti.com/
CFI - http://www.cfitaly.net
INDAGINI DIGITALI - http://www.lulu.com/content/1356430
Selective File Dumper - http://sfdumper.sourceforge.net/ 




