sleuthkit-users

[sleuthkit-users] timeline

[Geert V. A. <gee...@pa...>]

Dear list,

after creating a timelime with sleuthkit, I get app 700 files with the
same date-time stamp. It's on a FAT32 volume and all the files have an
"a" (accessed) timestamp. Most of the files belong to a game, and a few
system files (dll's, vga driver, ...) are in between it.

The timestamp is Fri Jul 29 2005 00:00:00 after the 700 files, the next
entry is Fri Jul 29 2005 19:35:46 and from there the files have
timestamps who are more "logic", I mean they have 1 or 2 second intervals.

Could it be a backup or antivirus prog that accessed all these files,
700 in one second just seems a lot.

Does anyone has a better explanation ?

Thanks in advance,

Geert VAN ACKER

Re: [sleuthkit-users] timeline

[Chuck <chu...@gm...>]

On 9/29/05, Geert VAN ACKER <gee...@pa...> wrote:
> after creating a timelime with sleuthkit, I get app 700 files with the
> same date-time stamp. It's on a FAT32 volume and all the files have an
> "a" (accessed) timestamp. Most of the files belong to a game, and a few
> system files (dll's, vga driver, ...) are in between it.
>
> The timestamp is Fri Jul 29 2005 00:00:00 after the 700 files, the next
> entry is Fri Jul 29 2005 19:35:46 and from there the files have
> timestamps who are more "logic", I mean they have 1 or 2 second intervals=
.

I believe FAT only stores the date of last access, not the time, so
sleuthkit just puts them all at midnight.

Chuck