Re: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
From: Brian C. <ca...@sl...> - 2015-05-06 14:57:13
It means TSK doesn’t know a real time value. Either it has been zeroed out on disk or the OS never set it (we’ve seen lots of media cards and such where the phone or other portable device doesn’t set all of the times).

> On May 5, 2015, at 10:27 PM, W. Walker Sampson <wal...@ic...> wrote:
>
> Hi everyone,
>
> I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ’m’, etc.), others have all four entries marked (‘macb’).
>
> What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed-out timestamp the equivalent of that?
>
> - fls command to get body file: fls -m -i raw [image]
> - mactime command for timeline: mactime -b [timeline.txt] -d -y
>
> Many thanks,
>
> Walker
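To make the answer above concrete, here is an added example (my own code, not TSK's fls or mactime) that does two things: decodes a FAT 16-bit date/time pair the way a FAT12 floppy stores it, so you can see that a zeroed on-disk field can only come out as epoch 0 (unknown), and then walks a body file in the `fls -m` column layout (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), grouping the four timestamps per file into m/a/c/b rows and printing 0000-00-00T00:00:00Z for epoch 0, which is the mactime behaviour the thread is asking about. The two body lines are constructed for this example; the zero-date rule in `fat_to_unix` is modelled on TSK but is my own implementation, not a copy of its code.

```python
"""Added example (not TSK code): why fls body files carry timestamps of 0 for
FAT12 entries and how a mactime-style timeline renders them as
0000-00-00T00:00:00Z with single or combined macb flags."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body lines in the fls -m layout (not from a real image):
# MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# README.TXT has a valid mtime/atime/crtime but a zero ctime;
# OLD.DAT has all four timestamps zeroed on disk.
SAMPLE_BODY = """\
0|/README.TXT|4|r/rrwxrwxrwx|0|0|1024|1430870400|1430870400|0|1430784000
0|/OLD.DAT|5|r/rrwxrwxrwx|0|0|512|0|0|0|0
"""

UNKNOWN_TIME = "0000-00-00T00:00:00Z"  # rendering of epoch 0, as mactime prints it


def fat_to_unix(dos_date: int, dos_time: int) -> int:
    """Decode a FAT date/time pair to a Unix epoch, or 0 when the date is unset.

    FAT date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day.
    FAT time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds/2.
    A zeroed date field decodes to month 0 / day 0, which is not a date,
    so it is reported as 0 (unknown). Rule modelled on TSK, not copied from it.
    """
    day = dos_date & 0x1F
    month = (dos_date >> 5) & 0x0F
    year = 1980 + (dos_date >> 9)
    if month == 0 or month > 12 or day == 0:
        return 0
    sec = (dos_time & 0x1F) * 2
    minute = (dos_time >> 5) & 0x3F
    hour = dos_time >> 11
    try:
        dt = datetime(year, month, day, hour, minute, sec, tzinfo=timezone.utc)
    except ValueError:  # e.g. day 31 in a 30-day month
        return 0
    return int(dt.timestamp())


def fmt_time(t: int) -> str:
    """ISO-style UTC like mactime -y, with 0 shown as the all-zero placeholder."""
    if t == 0:
        return UNKNOWN_TIME
    return datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def body_to_timeline(body: str):
    """Turn body-file lines into (time, macb, size, name) rows, one row per
    distinct timestamp value per file, sorted so unknown (0) entries come first."""
    rows = []
    for line in body.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split("|")
        if len(f) < 11:
            continue  # malformed line, skip rather than guess
        name, size = f[1], int(f[6])
        atime, mtime, ctime, crtime = (int(x) for x in f[7:11])
        # Group the four timestamps by value: equal values share one row,
        # which is why a fully zeroed entry shows up as a single 'macb' row.
        by_time = defaultdict(list)
        for flag, t in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            by_time[t].append(flag)
        for t, flags in by_time.items():
            macb = "".join(x if x in flags else "." for x in "macb")
            rows.append((t, macb, size, name))
    rows.sort(key=lambda r: (r[0], r[3]))
    return [(fmt_time(t), macb, size, name) for t, macb, size, name in rows]


if __name__ == "__main__":
    # Raw on-disk zero date decodes to 0 even if the time field is non-zero.
    print("zeroed FAT date ->", fat_to_unix(0x0000, 0x1234))
    for row in body_to_timeline(SAMPLE_BODY):
        print(",".join(str(c) for c in row))
```

Run `body_to_timeline(open("timeline.txt").read())` on a real `fls -m` body file to see the same grouping mactime produces. One caveat worth keeping in mind when triaging such rows: in the body file an unknown timestamp is just the integer 0, which is also the encoding of a genuine 1970-01-01T00:00:00Z; on FAT that collision cannot happen because the FAT epoch is 1980, but on other filesystems a 0 in a body file is ambiguous and the raw metadata should be checked before calling the event absent.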