[sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
From: W. W. S. <wal...@ic...> - 2015-05-06 02:28:01
Hi everyone,

I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ‘m’, etc.), others have all four entries marked (‘macb’).

What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed-out timestamp the equivalent of that?

- fls command to get body file: fls -m -i raw [image]
- mactime command for timeline: mactime -b [timeline.txt] -d -y

Many thanks,
Walker