One hour difference

 Gius
(@gius)
Posts: 3
New Member
Topic starter
 

Hi,

we made a forensic copy of an HD with FTK Imager in E01 format; we were looking for a file that we had found burned on a CD and, in fact, we found a file with the same name on the filesystem, with some differences.

The file on filesystem has

File Modification Date/Time 20030101 053912+0100
File Access Date/Time 20180802 193429+0200
File Creation Date/Time 20180802 193429+0200

The one on CD
File Modification Date/Time 20030101 063914+0100
File Access Date/Time 20181023 165955+0200
File Creation Date/Time 20181023 165955+0200

The bit-by-bit comparison of the files says that they are identical.
The two seconds could be explained by a copy onto a USB key to transfer to another PC for burning.
All the files were created, modified and burned in the same time zone.

Any idea about the one-hour difference, or is it just a strange coincidence?

Thank you!

Gius

 
Posted : 25/04/2020 7:25 pm
(@athulin)
Posts: 1156
Noble Member
 

The two seconds could be explained by a copy onto a USB key to transfer to another PC for burning.

That explanation needs more work. Try it for yourself: can you do the transfer + create an image in two seconds? Even with practice? I doubt it.

Additionally, it assumes that the two computers are time-synced to the second. Are they? (Or is the other PC five seconds behind the first, allowing for 7 seconds to do the same job?) Comparing time on two different computers needs pretty good groundwork, as you are generally comparing two notionally similar, but actually different, sets of measurements. Like comparing measurements taken from yardsticks that are not lined up in exactly the same way.

What file system is on the CD? Different file systems have different rules for time stamps. One may have timestamps in UT, only converting to local time when a user views it; another may lock it into a particular time zone on write, and it may not be converted to user local time at all, or may do so assuming that some particular DST rules are or are not in force.

If either CD or UDF is involved, you should also have a volume recording/creation time stamp.

But if either of them is involved, CD has a file recording time stamp only (at least, that's what the standard says), and UDF has access time, modification time and attribute time. Neither has creation time … so there's a problem with the data you are presenting. Is 'Creation date and time' correct? Local time timestamps are typically recorded with a time zone offset, but without any indication of the actual timezone, and so there is no way to get at DST adjustments from the medium alone; that has to be provided in some other way.

Do you know that that is done correctly? If not, the difference is likely to be 1 hour exactly.

Any idea about the one-hour difference, or is it just a strange coincidence?

First, a strange coincidence with what? You have to have at least one other one-hour difference, in a different context, before you have a coincidence, and you didn't mention one.

The base time zone offset is a possibility, but if that's the one, you should know if and how it enters the picture. Ascribing it to coincidence is often a euphemism for 'I don't know'. Better to be honest about it, I think.

I'd check if the CD has multiple file systems – some have both ISO 9660 and UDF recorded at the same time. That might give additional light on the question.

 
Posted : 26/04/2020 5:59 am
 Gius
(@gius)
Posts: 3
New Member
Topic starter
 

Hi Athulin,

thank you for your reply.

I said 2 seconds because of the 2-second resolution of write time in FAT filesystems (https://docs.microsoft.com/en-us/windows/win32/sysinfo/file-times) versus 100 ns in NTFS; so copying onto a FAT USB key a file whose recorded NTFS time is greater than 63912.0000001 (but shown as 63912) will generate a copy with 63914.

We know that the file we are talking about was burned on this CD (UDF) in the same timezone, so we think that there must be an explanation for that one-hour difference.

In the FTK Imager file list the file is shown with 043912 and exporting it has 053912+0100; could it depend on FTK Imager?

Gius

 
Posted : 26/04/2020 8:01 pm
(@athulin)
Posts: 1156
Noble Member
 

I said 2 seconds because of the 2-second resolution of write time in FAT filesystems (https://docs.microsoft.com/en-us/windows/win32/sysinfo/file-times) versus 100 ns in NTFS; so copying onto a FAT USB key a file whose recorded NTFS time is greater than 63912.0000001 (but shown as 63912) will generate a copy with 63914.

Well … the FAT file creation timestamp has a resolution of hundredths of seconds. Several tools ignore that additional precision, and make it look as if the resolution was just 2 seconds. (Byte offset 13 in the FAT directory entry – very confusingly named and documented by Microsoft, though; see fatgen103.doc for that.)

Not entirely sure if it is useful in this case, but if you need the added detail it is very probably there.

In the FTK Imager file list the file is shown with 043912 and exporting it has 053912+0100; could it depend on FTK Imager?

It could, but I don't know if anyone has tested it. So whether or not it does is a question that needs to be answered. (It can probably be answered by copying pre-timestamped files for the relevant range to USB, and checking what happens. The CompForTest project at Sourceforge has an NTFS volume image (NTFSTEST001) with lots of timestamps that could probably be used.)

My protest was mainly about ascribing it to coincidence.

 
Posted : 27/04/2020 6:20 am
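As an added example (not code from this thread or from any project named in it), the following decodes the creation, last-access and write timestamp fields of a 32-byte FAT short directory entry, including the DIR_CrtTimeTenth byte at offset 13 mentioned above, and shows how the same zone-less timestamp moves by an hour depending on which offset is assumed. The directory entry bytes and the +0100/+0200 offsets are constructed from the values quoted in this thread.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of a 32-byte FAT short directory entry (fatgen103 field names):
# DIR_Name(11) DIR_Attr DIR_NTRes DIR_CrtTimeTenth DIR_CrtTime DIR_CrtDate
# DIR_LstAccDate DIR_FstClusHI DIR_WrtTime DIR_WrtDate DIR_FstClusLO DIR_FileSize
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

# The two offsets that appear in the thread's timestamps (+0100 and +0200).
PLUS_ONE = timezone(timedelta(hours=1))
PLUS_TWO = timezone(timedelta(hours=2))

def _date(word):
    # bits 15-9: years since 1980, bits 8-5: month, bits 4-0: day
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def _time(word):
    # bits 15-11: hour, bits 10-5: minute, bits 4-0: seconds / 2 (2 s resolution)
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_entry(raw, tz=None):
    """Return (creation, last_access_date, write) for one entry. FAT records
    local time with no zone, so the caller supplies tz (None keeps it naive)."""
    (_name, _attr, _ntres, crt_tenth, crt_time, crt_date, acc_date,
     _hi, wrt_time, wrt_date, _lo, _size) = ENTRY.unpack(raw)
    y, m, d = _date(crt_date)
    hh, mm, ss = _time(crt_time)
    # DIR_CrtTimeTenth counts 10 ms units (0..199) on top of the 2 s field,
    # so creation time carries more precision than many tools display.
    creation = datetime(y, m, d, hh, mm, ss, tzinfo=tz)
    creation += timedelta(milliseconds=10 * crt_tenth)
    y, m, d = _date(wrt_date)
    hh, mm, ss = _time(wrt_time)
    write = datetime(y, m, d, hh, mm, ss, tzinfo=tz)
    y, m, d = _date(acc_date)
    access = datetime(y, m, d).date()  # last access is date-only on FAT
    return creation, access, write

# Constructed entry: created 2003-01-01 05:39:12 + 150 x 10 ms, written 05:39:14,
# last accessed 2018-08-02 (mirrors the 053912 / 053914 values in the thread).
SAMPLE_ENTRY = ENTRY.pack(b"REPORT  DOC", 0x20, 0, 150,
                          (5 << 11) | (39 << 5) | 6, (23 << 9) | (1 << 5) | 1,
                          (38 << 9) | (8 << 5) | 2, 0,
                          (5 << 11) | (39 << 5) | 7, (23 << 9) | (1 << 5) | 1,
                          5, 4096)

def offset_shift_seconds(raw, tz_a, tz_b):
    # Seconds by which the same write timestamp moves when the entry is read
    # under tz_a instead of tz_b: the one-hour question, made explicit.
    return (decode_entry(raw, tz_a)[2] - decode_entry(raw, tz_b)[2]).total_seconds()
```

Decoding the sample with no tz gives creation 05:39:13.500 and write 05:39:14; reading it as +0100 versus +0200 shifts the instant by exactly 3600 seconds, which is the kind of interpretation difference a tool or export step can introduce silently.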
 Gius
(@gius)
Posts: 3
New Member
Topic starter
 

Thank you,

I downloaded the images and I'll do some tests.

Where could I find the "fatgen103.doc"?

Gius

 
Posted : 27/04/2020 7:23 pm
(@athulin)
Posts: 1156
Noble Member
 

Where could I find the "fatgen103.doc"?

You can find it somewhere on https://www.microsoft.com/en-us/download.

The full title is "Microsoft Extensible Firmware Initiative
FAT32 File System Specification
FAT General Overview of On-Disk Format"

For some weird reason it's a "Hardware White Paper
Designing Hardware for Microsoft® Operating Systems", and that may help make it invisible to anyone looking for software information. And despite the title it also contains information about FAT12 and FAT16.

I think it was part of one of these document collections that Microsoft released to the public some years ago.

Googling for the title seems to work fine – I get it as my top search hit.

 
Posted : 28/04/2020 5:30 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Where could I find the "fatgen103.doc"?

Here (actual copy from MS servers):
http://download.microsoft.com/download/1/6/1/161ba512-40e2-4cc9-843a-923143f3456c/fatgen103.doc

Also, the previous Fatgen102:
http://www.fysnet.net/docs/fatgen102.pdf

jaclaz

 
Posted : 28/04/2020 11:02 am