Re: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
From: Terry O. <twj...@ho...> - 2015-05-07 01:52:00
I won't promise I am correct, but I seem to recall that the directory entries in FAT have changed over time. The only support I can find is http://www.oldlinux.org/Linux.old/distributions/cnix/FAT.pdf, which says that the only time tracked is last changed. Later, they added created and modified. So, maybe this is what is going on?

Terry Olson
Digital Forensic Analyst
Nebraska State Patrol
Technical Crimes/ICAC

> From: wal...@ic...
> Date: Tue, 5 May 2015 20:27:52 -0600
> To: sle...@li...
> Subject: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
>
> Hi everyone,
>
> I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ‘m’, etc.), others have all four entries marked (‘macb’).
>
> What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with previous event - is a zeroed out timestamp the equivalent of that?
>
> - fls command to get body file: fls -m -i raw [image]
> - mactime command for timeline: mactime -b [timeline.txt] -d -y
>
> Many thanks,
>
> Walker
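As an added example (not part of the original thread and not Sleuth Kit code), the sketch below decodes the three timestamp slots of a 32-byte FAT short directory entry and reports which ones are zero-filled, since a zero date word has month 0 and day 0 and is not a valid date. The field layout follows the standard FAT directory entry format; the helper names and both sample entries are constructed for illustration.

```python
import struct
from datetime import datetime

DIRENT = struct.Struct("<11sBBBHHHHHHHI")  # 32-byte FAT short directory entry

def fat_datetime(date, time=0, tenths=0):
    """Decode FAT date/time words; None when the fields hold no valid timestamp."""
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute = time >> 11, (time >> 5) & 0x3F
    second = (time & 0x1F) * 2 + tenths // 100
    try:
        return datetime(year, month, day, hour, minute, second)
    except ValueError:  # e.g. date word 0x0000 -> month 0, day 0
        return None

def parse_dirent(raw):
    """Return the name and created/accessed/written times of one entry."""
    if len(raw) != DIRENT.size:
        raise ValueError("expected a 32-byte directory entry")
    (name, _attr, _res, c_tenths, c_time, c_date, a_date, _hi,
     w_time, w_date, _lo, _size) = DIRENT.unpack(raw)
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "created": fat_datetime(c_date, c_time, c_tenths),
        "accessed": fat_datetime(a_date),  # FAT stores only a date for last access
        "written": fat_datetime(w_date, w_time),
    }

def _pack(name, created, accessed, written):
    """Build a constructed sample entry; None leaves that slot zero-filled."""
    d = lambda x: ((x.year - 1980) << 9) | (x.month << 5) | x.day if x else 0
    t = lambda x: (x.hour << 11) | (x.minute << 5) | (x.second // 2) if x else 0
    return DIRENT.pack(name, 0x20, 0, 0, t(created), d(created), d(accessed),
                       0, t(written), d(written), 2, 1234)

# Constructed samples: one entry with only the write time set, one with all three.
OLD_STYLE = _pack(b"README  TXT", None, None, datetime(1992, 3, 14, 10, 30, 0))
NEWER = _pack(b"LETTER  DOC", datetime(1999, 7, 1, 9, 15, 20),
              datetime(1999, 7, 2), datetime(1999, 7, 3, 18, 0, 0))

if __name__ == "__main__":
    for raw in (OLD_STYLE, NEWER):
        entry = parse_dirent(raw)
        unset = [k for k in ("created", "accessed", "written") if entry[k] is None]
        print(entry["name"], "zero-filled:", unset or "none")
```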