Re: [sleuthkit-users] two directory entries for same deleted file in FAT16
From: Brian C. <ca...@sl...> - 2005-03-02 13:21:50
On Mar 1, 2005, at 7:27 AM, Alan wrote:

> Hello Brian, Thanks for the reply.
>
> I just want to say you have done something invaluable for the infosec
> community by writing the tsk and autopsy tools, and contributing them
> open-source. Thanks.
>
> One little suggestion. When tsk/autopsy is creating the timeline from
> a FAT image, it sets the a-time to 00:00. When looking at this for the
> first time, I was mystified. Was the system left on overnight and
> somehow Windows touches all the files at midnight? It wasn't until I
> read the FAT spec that it turned out there is no field for the a-time,
> just the a-date. There is really no a-time information at all.
>
> One could argue that putting the 00:00 time could compromise something
> if opposing counsel says, hey this timeline says the file was accessed
> at midnight and my client isn't at the office at midnight. Of course
> you could explain that as I did above. But if I were to create my own
> timeline I would denote the a-date with a-time unknown.

Unfortunately, that makes the program much more complex if I were to include all of the different special cases for each file system. Plus, where would the entries go in the timeline?

The current behavior for each file system is described in the docs/skins_* files and the fat file has a note about timezones and last access times.

I guess one simple solution would be to replace the 00:00:00 time with something like 0-:--:-- so that it always sorts to the top of the list, but is more obvious that it is not a real time.

brian
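The point of the exchange above is that a FAT directory entry stores a date and a time for creation and last write, but only a date for last access, so any access "time" shown in a timeline is synthetic. As an added illustration (my own code, not part of The Sleuth Kit or Autopsy, and not the list's), here is a small Python parser for a 32-byte FAT short directory entry that decodes the three fields by their on-disk bit layout, keeps the access field as a date only, and renders it in a timeline row with the "0-:--:--" placeholder Brian floats instead of 00:00:00, while still sorting it to the top of its day. The sample entry bytes are constructed for the example and do not come from any real image; the function and constant names (`parse_entry`, `timeline_rows`, `TIME_UNKNOWN`) are mine.

```python
import struct
from datetime import date, datetime, time

# 32-byte FAT short (8.3) directory entry, little-endian, field order per the FAT spec:
# name(11) attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
_ENTRY = struct.Struct("<11sBBBHHHHHHHI")
DELETED_MARK = 0xE5          # first name byte of a deleted entry
TIME_UNKNOWN = "0-:--:--"    # placeholder for a field that carries a date but no time


def decode_fat_date(raw):
    """Decode a 16-bit FAT date: bits 0-4 day, 5-8 month, 9-15 years since 1980."""
    day, month, year = raw & 0x1F, (raw >> 5) & 0x0F, 1980 + (raw >> 9)
    try:
        return date(year, month, day)
    except ValueError:        # all-zero or otherwise invalid field: no date recorded
        return None


def decode_fat_time(raw, tenths=0):
    """Decode a 16-bit FAT time: bits 0-4 seconds/2, 5-10 minutes, 11-15 hours."""
    seconds = (raw & 0x1F) * 2 + tenths // 100
    minutes, hours = (raw >> 5) & 0x3F, raw >> 11
    try:
        return time(hours, minutes, seconds)
    except ValueError:
        return None


def parse_entry(blob):
    """Parse one directory entry into its name, deleted flag and timestamps.

    'created' and 'written' are datetimes; 'accessed' is a date only,
    because the on-disk entry has no access-time field at all.
    """
    (name, _attr, _ntres, crt_tenth, crt_time, crt_date, acc_date,
     _clus_hi, wrt_time, wrt_date, _clus_lo, size) = _ENTRY.unpack(blob)
    deleted = name[0] == DELETED_MARK
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    fname = f"{base}.{ext}" if ext else base
    if deleted:
        fname = "?" + fname[1:]   # first character was overwritten by the 0xE5 marker
    c_d, c_t = decode_fat_date(crt_date), decode_fat_time(crt_time, crt_tenth)
    w_d, w_t = decode_fat_date(wrt_date), decode_fat_time(wrt_time)
    return {
        "name": fname,
        "deleted": deleted,
        "size": size,
        "created": datetime.combine(c_d, c_t) if c_d and c_t else None,
        "written": datetime.combine(w_d, w_t) if w_d and w_t else None,
        "accessed": decode_fat_date(acc_date),   # date only, by design of FAT
    }


def timeline_rows(blob):
    """Return sorted (sort_key, rendered_time, flag, name) rows for a timeline.

    Date-only fields are rendered with TIME_UNKNOWN instead of 00:00:00, but
    keep a midnight sort key so they still land at the top of that day.
    """
    e = parse_entry(blob)
    label = e["name"] + (" (deleted)" if e["deleted"] else "")
    rows = []
    for flag, value in (("c", e["created"]), ("m", e["written"]), ("a", e["accessed"])):
        if value is None:
            continue
        if isinstance(value, datetime):          # full timestamp available
            rows.append((value, value.strftime("%Y-%m-%d %H:%M:%S"), flag, label))
        else:                                    # plain date: time is genuinely unknown
            rows.append((datetime.combine(value, time.min),
                         value.strftime("%Y-%m-%d ") + TIME_UNKNOWN, flag, label))
    return sorted(rows)


# Constructed sample entry (not from any real image): README.TXT, created
# 2005-03-01 07:27:30, last written 2005-03-01 13:21:50, last accessed 2005-03-02.
SAMPLE_ENTRY = _ENTRY.pack(b"README  TXT", 0x20, 0, 0,
                           0x3B6F, 0x3261, 0x3262, 0, 0x6AB9, 0x3261, 2, 1234)
# The same entry after deletion: only the first name byte changes, to 0xE5.
DELETED_ENTRY = bytes([DELETED_MARK]) + SAMPLE_ENTRY[1:]

if __name__ == "__main__":
    for _, shown, flag, name in timeline_rows(DELETED_ENTRY):
        print(shown, flag, name)
```

Run stand-alone, the script prints the three rows for the deleted sample entry, with the access row showing `2005-03-02 0-:--:--`. The deleted variant also shows why a recovered FAT16 entry keeps all its timestamps: deletion touches only the first name byte, so created, written and accessed dates survive intact, and the access row must still be read as "some time that day", never as midnight.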