sleuthkit-users

Re: [sleuthkit-users] Time Zone

[Brian C. <ca...@sl...>]

On 13 Aug 2003 18:50 PDT you wrote:

> Hi All,
> 
> I am troubled in a thyme zone.
> TSK and Autopsy display a different value in the same thyme zone.
> A fls command displays the correct time.
> Autopsy generates a gap for nine hours.
> Do I have a solution method?
> 
> 
> [The Sleuth Kit ver 1.64]
> $ ./fls -8 -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
> 
> r/r 4-128-4:    $AttrDef        2003.08.02 08:33:30 (JST)       2003.08.02 08:33
> :30 (JST)       2003.08.02 08:33:30 (JST)       2560    0       48

Interesting.  I'm going to need some more information.  What 
happens if you run 'fls' with '-z JST'?  What if  you skip the -8? 
What did you enter into the Host configuration for the timezone?  
Enter that with the -z and fls and see what that shows.   Actually, 
which time is correct?  

thanks,
brian

> 
> [autopsy-1.73]
> r / r    $AttrDef    2003.08.01 23:33:30 (JST)    2003.08.01 23:33:30 (JST)    2003.08.01 23:33:30 (JST)    2560    48    0    4-128-4  
> 

Re: [sleuthkit-users] Time Zone

[Brian C. <ca...@sl...>]

On 14 Aug 2003 08:45 PDT you wrote:

> 
> Hideaki Ihara wrote:
> >I am troubled in a thyme zone.
> >TSK and Autopsy display a different value in the same thyme zone.
> >A fls command displays the correct time.
> 
> The similar problem was reported on 8th May,
> 
> <http://sourceforge.net/mailarchive/forum.php?forum_id=10358&max_rows=25&style=flat&viewmonth=200305&viewday=8>
>

This problem is different though because the (JST) is being reported
in the Autopsy times.  If an invalid timezone is entered into Autopsy, 
the time will be reported with (GMT) next to it.  
 
> Brian Carrier wrote:
> >Actually, which time is correct?  
> 
> He says fls shows correct time.

Oh yea, I missed that line :)

> And -8 options is UTF-8 output option made by me, please refer to the
> list-archives which subject is "ntfs.c.patch".

I know.  I'm just trying  simplify the test cases so that we can
reduce the places where an error could occur.

brian

Re: [sleuthkit-users] Time Zone

[Brian C. <ca...@sl...>]

> >Interesting.  I'm going to need some more information.  What 
> >happens if you run 'fls' with '-z JST'?
> 
> This is a result experimentally.
> 
> $ ./fls -z JST -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
> r/r 4-128-4:    $AttrDef        2003.08.01 23:33:30 (JST)       2003.08.01 23:33
> :30 (JST)       2003.08.01 23:33:30 (JST)       2560    0       48
> 
> When I set -z JST, the time becomes incorrect.
> 
> >What did you enter into the Host configuration for the timezone?  
> 
> I set JST as of installation.
> Do I have to install a system in GMT?

Google shows that JST-9 is the appropriate timezone variable.  Try that.  What do you use Takahashi?  

brian

Re: [sleuthkit-users] Time Zone

[TAKAHASHI M. <mo...@ho...>]

Hideaki Ihara wrote:
>I am troubled in a thyme zone.
>TSK and Autopsy display a different value in the same thyme zone.
>A fls command displays the correct time.

The similar problem was reported on 8th May,

<http://sourceforge.net/mailarchive/forum.php?forum_id=10358&max_rows=25&style=flat&viewmonth=200305&viewday=8>

Brian Carrier wrote:
>Actually, which time is correct?  

He says fls shows correct time.
And -8 options is UTF-8 output option made by me, please refer to the
list-archives which subject is "ntfs.c.patch".

-----
TAKAHASHI, Motonobu (monyo)                    mo...@ho...
                                               http://www.monyo.com/

UTF-8 output patch for task-1.60/sleuthkit-1.6x(Re: [sleuthkit-users] Time Zone

[Hideaki I. <hi...@po...>]

Takahashi,

Thank you for help.

He updates "UTF-8 output" patch.
However, a problem of a time zone occurs by an original.


UTF-8 output patch for task-1.60/sleuthkit-1.6x 
http://www.monyo.com/technical/unix/TASK/

This Patch is necessary if you want to use multi-byte character string in Autopsy.

http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/
(It is a Japanese page.)

for Autopsy 1.73 (Perl5.8.0 or later)
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/autopsy-utf8-8_5.8.patch
for Autopsy 1.73 (Perl5.6.0 or later)
http://www.asahi-net.or.jp/~uu8m-kbys/autopsy/autopsy-utf8-8.patch

-- 
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
Microsoft MVP (Security)
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/

Re: [sleuthkit-users] Time Zone

[Hideaki I. <hi...@po...>]

Brian,

On Thu, 14 Aug 2003 07:46:16 PDT
Brian Carrier <ca...@sl...> wrote:

>> [The Sleuth Kit ver 1.64]
>> $ ./fls -8 -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
>> 
>> r/r 4-128-4:    $AttrDef        2003.08.02 08:33:30 (JST)       2003.08.02 08:33
>> :30 (JST)       2003.08.02 08:33:30 (JST)       2560    0       48
>
>Interesting.  I'm going to need some more information.  What 
>happens if you run 'fls' with '-z JST'?

This is a result experimentally.

$ ./fls -z JST -l -f ntfs /home/hideaki/evidence/6gtest/RedHat9/images/thinkpad.dd
r/r 4-128-4:    $AttrDef        2003.08.01 23:33:30 (JST)       2003.08.01 23:33
:30 (JST)       2003.08.01 23:33:30 (JST)       2560    0       48

When I set -z JST, the time becomes incorrect.

>What did you enter into the Host configuration for the timezone?  

I set JST as of installation.
Do I have to install a system in GMT?

-- 
Hideaki Ihara <hi...@po...>
Port139 URL: http://www.port139.co.jp/
Microsoft MVP (Security)
PGP PUBLIC KEY: http://www.port139.co.jp/pgp/