Re: [sleuthkit-users] Tsk_loaddb timezone?
From: Luís F. N. <lfc...@gm...> - 2016-08-25 20:56:12
I've done some tests with two real-life FAT32 images and I think the timestamps are being incorrectly decoded by tsk_loaddb. It seems to use the local timezone, UTC-3 here at São Paulo, and to store UTC timestamps in the generated sqlite for most files. The problem is with timestamps in daylight saving periods. For example, Windows shows 07:00 and tsk_loaddb stores 10:00 for a file not in daylight saving time; that is ok. But for a file in daylight saving time, Windows shows 08:00 and tsk_loaddb stores 09:00, when it should store 10:00 UTC. FTK Imager shows 07:00 for that file.

I think timestamps are stored in the FAT FS without daylight saving conversions, as I decoded with a hex viewer. I think Windows does the conversion on demand (+1 hour) when it displays the files in Explorer. But I think tsk is considering that timestamps are stored in the FAT FS with daylight saving calculations, which I think is not the case. That explains the difference of only 1 hour between Windows and loaddb, when it should be 2 hours for a file in a daylight saving period on a system at UTC-3 (UTC-2 with daylight saving).

I observed that tsk_loaddb lacks the -z option to configure the timezone, but that option is present in fls, ifind, istat, tsk_gettimes.... I've ported the -z option to tsk_loaddb and run it with -z BRT3 (without daylight saving) to force it not to do daylight saving calculations; that produced the expected output in sqlite.

Luis

2016-08-25 15:33 GMT-03:00 Ketil Froyn <ke...@fr...>:
> I think it uses local timezone. I reported this issue in Autopsy where
> FAT timestamps are interpreted as a local timezone, and I'll assume
> that tsk_loaddb would have done the same:
>
> https://github.com/sleuthkit/autopsy/issues/1687
>
> It should be fairly straightforward to test, though. Create a small
> sample image with dd and mkfs -t fat, mount it loopback, create some
> files, and finally run tsk_loaddb on the resulting image file to
> compare tsk's file dates with the ones you set.
>
> On 24 August 2016 at 21:38, Luís Filipe Nassif <lfc...@gm...> wrote:
> > Hi,
> >
> > Does anyone know the answer? Does tsk_loaddb use UTC or the local timezone to
> > interpret FAT FS dates?
> >
> > Thanks,
> > Luis
> >
> > 2016-06-17 13:11 GMT-03:00 Luís Filipe Nassif <lfc...@gm...>:
> >>
> >> Hi,
> >>
> >> What timezone does tskloaddb use for FAT file systems? Is it possible to
> >> configure it like the Java bindings addimageprocess?
> >>
> >> Thank you,
> >> Luis
>
> --
> -Ketil
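As an added example (not code from this thread, from The Sleuth Kit or from Autopsy), the Python below decodes the raw 16-bit FAT date and time fields and converts the wall time to UTC in the two ways the message above contrasts: as a fixed UTC-3 offset, and with a one-hour DST shift applied to files dated inside a DST period. The directory-entry values, the UTC-3 system and the "in DST period" flag are constructed; a real DST rule would come from a tz database, which this example deliberately does not model.

```python
"""Decode FAT32 date/time fields and convert them to UTC two ways."""
from datetime import datetime, timedelta, timezone


def encode_fat_datetime(dt: datetime) -> tuple:
    """Pack a naive local datetime into the FAT date/time fields.
    Used only to build the constructed sample values below."""
    date_field = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time_field = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date_field, time_field


def decode_fat_datetime(date_field: int, time_field: int) -> datetime:
    """Unpack FAT date (7 bits year-since-1980, 4 month, 5 day) and
    time (5 hour, 6 minute, 5 two-second count) into a naive datetime.
    FAT stores no UTC offset and no DST flag: this is plain wall time."""
    year = 1980 + ((date_field >> 9) & 0x7F)
    month = (date_field >> 5) & 0x0F
    day = date_field & 0x1F
    hour = (time_field >> 11) & 0x1F
    minute = (time_field >> 5) & 0x3F
    second = (time_field & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


def fat_to_utc(wall: datetime, base_offset_hours: int, apply_dst: bool) -> datetime:
    """Interpret the FAT wall time as local time and return it in UTC.
    apply_dst=False is the fixed-offset reading (like '-z BRT3' above);
    apply_dst=True adds the one-hour DST shift that the message says
    tsk_loaddb applies to files dated inside a DST period."""
    offset = timedelta(hours=base_offset_hours + (1 if apply_dst else 0))
    return wall.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def utc_readings(date_field: int, time_field: int, base_offset_hours: int, in_dst_period: bool):
    """Return (fixed_offset_utc, dst_adjusted_utc) for one FAT timestamp."""
    wall = decode_fat_datetime(date_field, time_field)
    fixed = fat_to_utc(wall, base_offset_hours, apply_dst=False)
    shifted = fat_to_utc(wall, base_offset_hours, apply_dst=in_dst_period)
    return fixed, shifted


if __name__ == "__main__":
    # Constructed sample: a file written at 07:00 wall time on a January date
    # (inside Brazil's 2016 DST period) on a UTC-3 system.
    d, t = encode_fat_datetime(datetime(2016, 1, 15, 7, 0, 0))
    fixed, shifted = utc_readings(d, t, -3, in_dst_period=True)
    print("fixed offset UTC-3 :", fixed.isoformat())   # 2016-01-15T10:00:00+00:00
    print("DST-adjusted UTC-2 :", shifted.isoformat())  # 2016-01-15T09:00:00+00:00
```

For a file dated outside the DST period both readings agree, which is why the discrepancy only shows up on a subset of files in an image.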