Re: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
From: W. W. S. <wal...@ic...> - 2015-05-11 16:18:31
Thanks Brian and Terry for the info! Terry, that paper doesn’t mention directory entries changing over time, but this is my recollection too, and I believe Microsoft support articles indicate as much as well. I don’t think DOS did anything but update last revised/modified times, while variants of Windows updated last accessed and created under differing policies.

Thanks again,

Walker

> On May 6, 2015, at 7:51 PM, Terry Olson <twj...@ho...> wrote:
>
> I won't promise I am correct, but I seem to recall that the directory entries in FAT have changed over time. The only support I can find is http://www.oldlinux.org/Linux.old/distributions/cnix/FAT.pdf, which says that the only time tracked is last changed. Later, they added created and modified.
>
> So, maybe this is what is going on?
>
> Terry Olson
> Digital Forensic Analyst
> Nebraska State Patrol Technical Crimes/ICAC
>
> > From: wal...@ic...
> > Date: Tue, 5 May 2015 20:27:52 -0600
> > To: sle...@li...
> > Subject: [sleuthkit-users] mactime - meaning of 0000-00-00T00:00:00Z
> >
> > Hi everyone,
> >
> > I’ve been working with mactime timelines across several floppy disk images (in FAT12) and have come upon events with a timestamp of 0000-00-00T00:00:00Z. Some of these events have a single notation (such as ‘c’, ‘m’, etc.), others have all four entries marked (‘macb’).
> >
> > What does a timestamp of 0000-00-00T00:00:00Z mean? Is this a false positive (not an event at all), or simply an event logged without a time by an OS (and if so, have others seen this)? I understand that blank time entries mean that the event shares the time with the previous event - is a zeroed-out timestamp the equivalent of that?
> >
> > - fls command to get body file: fls -m -i raw [image]
> > - mactime command for timeline: mactime -b [timeline.txt] -d -y
> >
> > Many thanks,
> >
> > Walker
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
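An added example, not from the thread or from The Sleuth Kit's own code, that decodes the timestamp words of a constructed 8.3 FAT directory entry to show why an entry written by early DOS, which filled in only the last-write date and time, yields a zero epoch for the access and creation columns, the rows mactime renders as 0000-00-00T00:00:00Z. The field offsets follow the FAT on-disk layout; the sample entries are constructed, and the mapping of fields onto the m/a/b columns is my own assumption rather than TSK's exact logic.

```python
import struct
from datetime import datetime, timezone

def fat_date(raw):
    """Unpack a FAT date word: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0xF, raw & 0x1F

def fat_time(raw):
    """Unpack a FAT time word: bits 15-11 hour, 10-5 minute, 4-0 seconds/2."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def fat_to_epoch(date_raw, time_raw):
    """Unix epoch seconds (UTC), or 0 when the field was never written.
    A zeroed date word decodes to 1980-00-00, which is not a valid date, so
    0 is the only honest value; that 0 is what mactime prints as 0000-00-00."""
    y, m, d = fat_date(date_raw)
    h, mi, s = fat_time(time_raw)
    try:
        return int(datetime(y, m, d, h, mi, s, tzinfo=timezone.utc).timestamp())
    except ValueError:          # month or day of 0, or a corrupt field
        return 0

def parse_dirent(entry):
    """Timestamp fields of a 32-byte 8.3 directory entry (FAT layout: offset 14
    create time, 16 create date, 18 access date, 22 write time, 24 write date)."""
    ctime, cdate, adate, wtime, wdate = struct.unpack_from('<HHH2xHH', entry, 14)
    return {'name': entry[:11].decode('ascii').rstrip(),
            'mtime': fat_to_epoch(wdate, wtime),   # the one field DOS always set
            'atime': fat_to_epoch(adate, 0),       # date-only field, added later
            'crtime': fat_to_epoch(cdate, ctime)}  # also added later

def zero_stamped(rec):
    """Which of the m/a/b columns would fall into the 0000-00-00T00:00:00Z bucket
    (assumed mapping: mtime -> m, atime -> a, crtime -> b)."""
    return ''.join(f for f, k in (('m', 'mtime'), ('a', 'atime'), ('b', 'crtime'))
                   if rec[k] == 0)

def make_entry(name, wdate=0, wtime=0, cdate=0, ctime=0, adate=0):
    """Constructed sample entry; not taken from a real floppy image."""
    e = bytearray(32)
    e[:11] = name.encode('ascii').ljust(11)
    struct.pack_into('<HHH2xHH', e, 14, ctime, cdate, adate, wtime, wdate)
    return bytes(e)

# 1992-03-15 13:30:10 packed as date 0x186F, time 0x6BC5; no create/access fields
DOS_ENTRY = make_entry('README  TXT', wdate=0x186F, wtime=0x6BC5)
# Every timestamp field zeroed, which lands in the 0000-00-00 bucket as 'macb'
BLANK_ENTRY = make_entry('OLD     DAT')
```

Running `zero_stamped(parse_dirent(DOS_ENTRY))` gives `ab` and the blank entry gives `mab`, which matches the thread's observation of both single-letter and all-marked zero-timestamp rows.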