
QuickView Plus 2017 time format issue UTC vs GMT

rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hello,

I'm currently working a case where the suspect's email is at the centre of the investigation. We have used Aid4Mail to extract MSG files from the suspect's Microsoft Outlook mailbox to replicate the structure of the suspect's mailbox.

All seems to be going well except that when we use QuickView Plus 2017 to view and capture the metadata and various attachments associated with the emails the date and time is displayed in UTC format and not GMT as we would like.

I appreciate that QuickView Plus is not altering the data but it is displaying the time in UTC format which conflicts with the time shown in Microsoft Outlook. I have raised the issue with Avantstar but they say that the time format used is not configurable.

Have any of you encountered a similar problem and could suggest an alternative viewer? I love the product otherwise but my clients are unhappy with having to explain the difference and why the time is displayed differently.

Any suggestions gratefully received.

Richard

 
Posted : 20/01/2018 4:54 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I believe there are quite a few viewers for .msg files, but maybe you want/need something more *like* this?

http://filecats.co.uk/metadata-extended-document-properties-15/microsoft-outlook-msg-files/

jaclaz

 
Posted : 20/01/2018 5:41 pm
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hi Jaclaz,

That's very useful and it will go a long way to resolving the issue, thank you. I'm reading the UTC should not be shown different to GMT according to a conversion site. Will try the software again on another platform in case it's a PC-related issue.

Thanks again Jaclaz

 
Posted : 20/01/2018 6:18 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm reading the UTC should not be shown different to GMT according to a conversion site.

I am not sure I understand. GMT is a time zone; UTC is not, it is a standard. In the UK they can usually be exchanged because the base date is actually GMT (in the original meaning of Greenwich Mean Time), BUT there is the Daylight Saving Time issue:
https://www.timeanddate.com/time/gmt-utc-time.html

jaclaz

 
Posted : 20/01/2018 6:30 pm
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hi Jaclaz,

Many thanks for that, I'm quickly coming to that conclusion myself. I think that the problem is actually with the machine it's on rather than the software.

I will let you know how I get on.

Kind regards

Richard

 
Posted : 20/01/2018 6:48 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Have any of you encountered a similar problem and could suggest an alternative viewer. I love the product otherwise but my clients are unhappy with having to explain the difference and why the time is displayed differently.

When I have encountered problems, I made a copy of the DD image, made a VMDK file referring to the DD file, cracked the pw, booted it in VMware Workstation and took a look around from the user's perspective. Beats any viewer you'll ever find.

Usually referred to as "liveview".

 
Posted : 20/01/2018 7:47 pm
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Thanks MDCR for your suggestion. I think the time scale we are working to in this instance would be an issue doing that right now.

More generally, I have done some research and I have discovered that there is no difference between UTC and GMT. The program Quick View Plus 2017 is representing the time incorrectly. I have used other metadata viewers and the actual time recorded against the MSG files is as displayed when you view the email in Microsoft Outlook.

So to summarise Quick View Plus 2017 is misinterpreting the time stamp. The program is not altering the data of course but it is displaying the time incorrectly.

Thanks to you all for contributing to the conversation. I very much appreciate your input.

Richard

 
Posted : 21/01/2018 1:36 pm
rhall47
(@rhall47)
Posts: 42
Eminent Member
Topic starter
 

Hi All,

I have had the following response from Avantstar in response to my query regarding the time displayed in the QuickView Plus 2017 program.

"Quick View Plus 2017 does display all times as is listed in the file as UTC. Without any modification or alteration for Daylight Savings time or other factors.
It does this uniformly across all files.
Microsoft Outlook adjusts all times in the file according to the system local time and settings.
"

So it would seem that all dates and times are shown in UTC which will differ to what is being displayed in Microsoft Outlook because it takes into account daylight savings time (in the UK +1 hour for summer time etc) and other factors.

So I assume then we would need to include a statement in our examination report that explains the use of UTC and how times are calculated.

Has anyone else incurred this kind of issue?

Kind regards

Richard

 
Posted : 23/01/2018 10:59 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Sure, it is perfectly "normal" and "common", as said the computer keeps time along a "standard", the UTC.

Then *any* "normal" program/tool (not forensic ones) will convert the UTC standard to the local timezone (at the moment), as set in the OS Control Panel (or similar).

The UK is normally in the timezone GMT, but when DST is in force it "moves" (virtually) to GMT+1, as per the already given link, or - if you prefer - the time zone changes to BST
https://www.timeanddate.com/time/zones/bst

There are tens of converters (online/offline) to make this calculation (if needed).

BUT basically in your case for all dates within the DST in effect time frame (you will need to check for the year(s) in question) you need to add one hour.

Example
UTC (or Zulu) Time 1315.12 -> UK local time WITHOUT DST-> GMT time zone Time 1315.12
UTC (or Zulu) Time 1315.12 -> UK local time WITH DST-> GMT+1 time zone Time 1415.12

You need to check by date if DST was in effect or not by date, using a table like
https://www.timeanddate.com/time/zone/uk/london

jaclaz

Edit: corrected a few typos here and there.

 
Posted : 23/01/2018 4:51 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

So it would seem that all dates and times are shown in UTC which will differ to what is being displayed in Microsoft Outlook because it takes in to account daylight savings time (in the UK +1 hour for summer time etc) and other factors.

If you look at the underlying MAPI properties, you will find that timestamps are stored in UTC in an Outlook/Exchange environment. For instance, the MSDN documentation for PidTagClientSubmitTime (i.e., sent date) indicates that it "[c]ontains the current time, in UTC, when the email message is submitted."

https://msdn.microsoft.com/en-us/library/ee219374(v=exchg.80).aspx

When an item is displayed in Outlook, the timestamp is normalized to the local time of the displaying computer using the Windows global time zone database. Here is some info and an example on how time zone normalization works in Outlook:

https://support.microsoft.com/en-us/help/2642044/how-time-zone-normalization-works-in-microsoft-outlook

When viewing messages in Outlook, if you change the time zone of the local computer, you should see that the time that Outlook displays in its user interface will change as well due to time zone normalization. So, if you switched your review computer's time zone to UTC without daylight savings time, you should see that the timestamps displayed by Outlook are in UTC. Based on the developer's statement, this should match what QuickView shows you.

So I assume then we would need to include a statement in our examination report that explains the use of UTC and how times are calculated.

If your report contains timestamps, I think you should include a statement that indicates the time zone of the timestamps anyway. Some applications store timestamps with a time zone offset (e.g., 2014-08-11T113215-0400). In those cases, it is often preferable to include the time zone offset of each time stamp as it can be used to establish the time zone settings of the local computer where the file was created/modified/accessed, etc.

 
Posted : 23/01/2018 7:32 pm
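
The conversion discussed in the two posts above, as an added example that is not code from any poster or from either product: MAPI time properties are stored as 64-bit FILETIME values (100-nanosecond intervals since 1601-01-01 UTC), and the sketch below decodes one and renders it both as stored (UTC) and as a UK-configured machine would display it (GMT or BST). The function names, the Europe/London zone choice and the sample values are assumptions constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# MAPI time properties (PtypTime) are 64-bit FILETIME values: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, little-endian.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UK = ZoneInfo("Europe/London")  # assumption: the report's local zone is the UK


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def report_line(raw: bytes) -> str:
    """Render a timestamp as stored (UTC) and as a UK machine displays it."""
    utc = filetime_to_utc(raw)
    local = utc.astimezone(UK)  # tz database applies the DST rule for that date
    return (f"{utc:%Y-%m-%d %H:%M:%S} UTC = "
            f"{local:%Y-%m-%d %H:%M:%S} {local.tzname()} (UTC{local:%z})")


def utc_to_filetime(dt: datetime) -> bytes:
    """Helper used only to build the constructed sample values below."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    return struct.pack("<Q", ticks + delta.microseconds * 10)


# Constructed samples: the same UTC clock time in winter and in summer.
SAMPLES = [
    utc_to_filetime(datetime(2018, 1, 20, 13, 15, 12, tzinfo=timezone.utc)),
    utc_to_filetime(datetime(2017, 7, 20, 13, 15, 12, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(report_line(raw))
```

Printing the UTC value, the local value and the offset side by side gives a report line that matches both a UTC-only viewer and Outlook on a UK workstation.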