Re: [sleuthkit-users] FAT filesystem timestamp confusion
From: Angus M. <an...@n-...> - 2003-04-03 23:16:09
On Friday 04 Apr 2003 12:10 am, you wrote:
> Angus Marshall <an...@n-...> said:
> > On Thursday 03 Apr 2003 11:29 pm, Brian Carrier wrote:
> The Sleuth Kit (and I would imagine Linux) reads the time from the FAT
> image and translates it into a UNIX time (which is an offset relative to
> GMT). It then uses the 'localtime' function that translates the UNIX time
> (a big number) to a human readable format. That function takes the
> timezone and savings time into account and adjusts accordingly. Therefore,
> that function is changing the time unless the timezone is set to one that
> does not change.

Interesting - OK, I'll tweak the workstation tomorrow so that it's locked into GMT and also change the autopsy config to lock that to GMT too. I'll report back sometime over the weekend.

> > I've also noticed a curious behaviour with FAT12 on the latest sleuthkit
> > release. Files on a floppy were written to it at 21:45BST, with the
> > timezone set to GMT0BST, they show as 2:45 tomorrow in the timeline.
> > (file writes and analysis done on the same machine btw)
>
> What does a 'ls' or 'dir' show?

ls gives the correct modification time of 21:45
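
The conversion chain described in the quoted explanation (FAT wall-clock fields, then a UNIX time, then a localtime-style rendering), as an added example that is not part of the original message and is not Sleuth Kit code. The function names, the fixed GMT/BST offsets and the sample date are assumptions constructed for illustration; it shows only that the displayed time stays at 21:45 when the zone assumed on read matches the zone used for display, and shifts when they differ.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets (assumption) so the example does not depend on system tz data.
GMT = timezone(timedelta(hours=0), "GMT")
BST = timezone(timedelta(hours=1), "BST")


def encode_fat(dt):
    """Pack a wall-clock datetime into FAT 16-bit date and time words."""
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_word, time_word


def decode_fat(date_word, time_word):
    """Unpack FAT date/time words. The result is naive: FAT stores no zone."""
    return datetime(
        1980 + (date_word >> 9),      # 7 bits: years since 1980
        (date_word >> 5) & 0x0F,      # 4 bits: month
        date_word & 0x1F,             # 5 bits: day
        time_word >> 11,              # 5 bits: hour
        (time_word >> 5) & 0x3F,      # 6 bits: minute
        (time_word & 0x1F) * 2,       # 5 bits: seconds in 2 s units
    )


def to_unix(wall_clock, assumed_zone):
    """Turn the naive FAT time into a UNIX time by assuming a source zone."""
    return int(wall_clock.replace(tzinfo=assumed_zone).timestamp())


def render(unix_time, display_zone):
    """localtime-style rendering of a UNIX time in the analyst's zone."""
    shown = datetime.fromtimestamp(unix_time, display_zone)
    return shown.strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample: a file written at 21:45 local time (date is made up).
SAMPLE_WORDS = encode_fat(datetime(2003, 4, 3, 21, 45, 0))

if __name__ == "__main__":
    wall = decode_fat(*SAMPLE_WORDS)
    for assumed in (BST, GMT):
        epoch = to_unix(wall, assumed)
        print(f"read as {assumed.tzname(None)}, shown in BST:",
              render(epoch, BST), f"(epoch {epoch})")
```
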