Re: [sleuthkit-users] FAT filesystem timestamp confusion
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] FAT filesystem timestamp confusion
|
From: Brian C. <ca...@sl...> - 2003-04-04 04:15:38
|
> > > I've also noticed a curious behaviopur with FAT12 on the latest sleuthkit
> > > release. Files on a floppy were written to it at 21:45BST, with the
> > > timezone set to GMT0BST, they show as 2:45 tomorrow in the timeline.
> > > (file writes and analysis done on the same machine btw)
> >
> > What does a 'ls' or 'dir' show?
>
> ls gives the correct modification time of 21:45
Are all (W, A, and C) of the times set to 2:45 or just some of them? You can
get all of them via the File Mode in Autopsy. I've seen some FAT images with
a couple of random times that are way off.
If they are all way off, can you send me the parent directory contents (off
list)? This is easily done by finding out the meta data address of the parent
directory (800 for example) and using icat:
# icat -f fat12 img.dd 800 > dir.dat
The only thing in there are the file names, times, and starting cluster.
Nothing sensitive.
brian
|
