I am working in FTK and have an .htm file in the Temporary Internet Files which has a time/date value, but the record for that .htm file in the index.dat file has a time/date value which is 1 hour earlier, i.e. 13:20:12 for the .htm and 12:20:12 for the index.dat entry. Both times claim to be UTC.
The drive is formatted as NTFS and the FTK manual claims that on NTFS systems date/times are stored as UTC, so why the difference?
The registry time zone settings are as follows:
Standard Start Date: Last Sun in Oct at 2:00:00 AM Local
Daylight Start Date: Last Sun in March at 1:00:00 AM Local
Daylight Bias: -60
Please can someone explain to me why both times claim to be UTC but are different? One appears to have had a daylight bias added to it, but which one?
Also, how can I tell which files have had daylight saving applied for the rest of the files in the case?
And which one should I refer to in a report? And what is the normal terminology for referring to times, e.g. UTC and UTC with time bias?
Sorry to bother everyone, but it's been driving me crazy.
Thanks
The following information might help you a bit.
——–
Depending on local legislation and on the time of the year, your operating system may implement Daylight Saving Time (DST) by adding a bias to your local system clock. This bias is commonly 60 minutes applied during the summer months, but not all regions implement this, not all at the same time and the bias is not necessarily one hour.
Depending on your location, your operating system may apply a time bias to your system clock in order to provide local time. This bias is based on your time zone. Its value should be negative in the western hemisphere and positive in the eastern hemisphere. Function tz A retrieves the time zone bias reported by the operating system.
Coordinated Universal Time
Also known as Zulu time and formerly named Greenwich Mean Time (GMT), Coordinated Universal Time is the international basis for time keeping. It is officially abbreviated "UTC". Local times around the globe are defined based on UTC by adding to it a time zone bias plus, if locally implemented, a daylight saving time bias. Function utc returns the sum of these two biases, the UTC bias.
Thanks Yunus,
So do I understand this correctly?
I have 2 times for the same file.
1. UTC
2. UTC bias
So with my registry time zone setting of
Standard Start Date: Last Sun in Oct at 2:00:00 AM Local
Daylight Start Date: Last Sun in March at 1:00:00 AM Local
Daylight Bias: -60 (I am in the UK)
And my 2 file dates/times are
03/08/2008 13:20:12
03/08/2008 12:20:12
Then, because my file date is after the last Sunday in March and before the last Sunday in October, the Daylight Bias is applied?
So, and here it comes... the file time of 03/08/2008 13:20:12 is UTC Daylight Bias... and 03/08/2008 12:20:12 is UTC?
My problem still remains... if FTK is giving a time for the temp .htm files as 03/08/2008 13:20:12 and the index.dat file is giving a time of 03/08/2008 12:20:12, how do I know what times are being used for the rest of the files (images, .exe's, .lnk's) in the case? i.e. whether the times are UTC or UTC bias?
Please can someone help?
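The reasoning in the post above (is the date inside the DST window defined by the registry rules, and if so which bias applies) can be checked mechanically. The following is an added example, not code from the original thread or from FTK. It assumes the UK "GMT Standard Time" TimeZoneInformation values quoted in the post (Bias 0, StandardBias 0, DaylightBias -60, last Sunday in March 01:00 / last Sunday in October 02:00), encodes them the way Windows does in a TIME_ZONE_INFORMATION structure (wDay = 5 meaning "last occurrence"), and applies them to a timestamp that has already been decoded as UTC. It also shows the caveat that the digits 03/08/2008 give a different answer if read as a US-style date, because 8 March 2008 is before the spring transition.

```python
from datetime import datetime, timedelta
import calendar

# Assumed registry values (HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation style),
# matching the entries quoted in the post. Convention: local = UTC - (Bias + ActiveBias) minutes.
# The two date rules are SYSTEMTIME "nth weekday of month" rules: wDayOfWeek 0 = Sunday,
# wDay 1..4 = nth occurrence, wDay 5 = last occurrence in the month.
UK_TZI = {
    "Bias": 0,
    "StandardBias": 0,
    "DaylightBias": -60,
    # "Daylight Start Date: Last Sun in March at 1:00:00 AM Local" (expressed in standard local time)
    "DaylightDate": {"wMonth": 3, "wDayOfWeek": 0, "wDay": 5, "wHour": 1, "wMinute": 0},
    # "Standard Start Date: Last Sun in Oct at 2:00:00 AM Local" (expressed in daylight local time)
    "StandardDate": {"wMonth": 10, "wDayOfWeek": 0, "wDay": 5, "wHour": 2, "wMinute": 0},
}


def transition(year, rule):
    """Resolve a SYSTEMTIME 'nth weekday of month' rule to a naive local datetime."""
    py_weekday = (rule["wDayOfWeek"] - 1) % 7            # Python: Monday = 0 ... Sunday = 6
    first_weekday, days_in_month = calendar.monthrange(year, rule["wMonth"])
    day = 1 + (py_weekday - first_weekday) % 7           # first such weekday in the month
    day += 7 * (rule["wDay"] - 1)                        # nth occurrence; wDay = 5 may overshoot
    while day > days_in_month:                           # wDay = 5 means "last": step back
        day -= 7
    return datetime(year, rule["wMonth"], day, rule["wHour"], rule["wMinute"])


def is_dst(utc, tzi=UK_TZI):
    """True if the daylight bias applies to this UTC instant under the registry rules."""
    # Compare everything in standard local time so both rules share one clock.
    std_local = utc - timedelta(minutes=tzi["Bias"] + tzi["StandardBias"])
    dst_start = transition(utc.year, tzi["DaylightDate"])     # already in standard local time
    dst_end = transition(utc.year, tzi["StandardDate"])       # given in daylight local time ...
    dst_end += timedelta(minutes=tzi["DaylightBias"] - tzi["StandardBias"])  # ... moved to standard
    if dst_start <= dst_end:                                  # northern hemisphere
        return dst_start <= std_local < dst_end
    return not (dst_end <= std_local < dst_start)             # southern hemisphere: DST spans new year


def utc_to_local(utc, tzi=UK_TZI):
    """Return (naive local datetime, dst flag) for a naive UTC datetime."""
    dst = is_dst(utc, tzi)
    bias = tzi["Bias"] + (tzi["DaylightBias"] if dst else tzi["StandardBias"])
    return utc - timedelta(minutes=bias), dst


def describe(utc_string, tzi=UK_TZI):
    """'YYYY-MM-DD HH:MM:SS' in UTC -> ('YYYY-MM-DD HH:MM:SS' local, dst flag)."""
    utc = datetime.strptime(utc_string, "%Y-%m-%d %H:%M:%S")
    local, dst = utc_to_local(utc, tzi)
    return local.strftime("%Y-%m-%d %H:%M:%S"), dst


if __name__ == "__main__":
    probes = [
        "2008-08-03 12:20:12",   # the post's 03/08/2008 read as UK dd/mm/yyyy (index.dat value)
        "2008-03-08 12:20:12",   # the same digits read as US mm/dd/yyyy: before the spring change
        "2008-03-30 00:59:59",   # one second before the spring transition (01:00 GMT)
        "2008-03-30 01:00:00",
        "2008-10-26 00:59:59",   # one second before the autumn transition (02:00 BST = 01:00 GMT)
        "2008-10-26 01:00:00",
    ]
    for p in probes:
        local, dst = describe(p)
        print(f"{p} UTC -> {local} local  DST={dst}")
```

Run against the post's value, 12:20:12 UTC on 3 August 2008 comes out as 13:20:12 local with the daylight bias applied, which is exactly the one-hour gap between the index.dat record and the cached .htm file. The same routine with the registry values from the evidence machine (not the examiner's workstation) is what a tool is doing silently whenever it shows a "local" time, so the rules it was given are worth recording in the report alongside the times.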
Give this thread a read
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1879&postdays=0&postorder=asc&start=10
Thanks, I've read the post, which has helped a lot.
But I now know that FTK is giving me 2 different times relating to the same piece of evidence / event:
1. From a temporary Internet file: 13:20:12
2. From an index.dat file: 12:20:12
Both relating to the same event of visiting a webpage.
With my new understanding I can pin down a time for this. But if I look at another file in FTK in my case, how can I tell if it's UTC or UTC bias?
Sorry if I'm not explaining this properly.
A few things you can do:
- examine the raw data from the index.dat file and translate the time yourself
- use some different tools and see what they say
- work from known facts by running tests on your own system and examining that
- do some research on the internet; all the answers are there
- there is more than one time and date record in index.dat files, and they translate differently depending on which index.dat file they are in.
H
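The first suggestion in the reply above, translating the raw index.dat timestamps yourself rather than trusting a tool's display, looks like this in practice. The following is an added example, not code from the thread, from FTK or from Microsoft. It decodes a 64-bit FILETIME (100-nanosecond ticks since 1601-01-01 00:00:00 UTC, which is what index.dat records hold) and walks one "URL " record. The record layout used (signature at 0x00, 128-byte block count at 0x04, last-modified and last-accessed FILETIMEs at 0x08 and 0x10, a record-relative offset to the URL string at 0x34) is an assumption stated here for the IE5-era cache format, and the record is constructed inline rather than taken from a real file; the decoder would not know which index.dat file a record came from, so the "is this value really UTC for this file" question raised in the reply still has to be answered by the examiner.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BLOCK = 128  # index.dat records are allocated in 128-byte blocks

# Assumed record-relative offsets for an IE5-style cache index.dat "URL " record.
SIG_OFF, NBLOCKS_OFF, MODIFIED_OFF, ACCESSED_OFF, URL_PTR_OFF = 0x00, 0x04, 0x08, 0x10, 0x34


def filetime_to_utc(ft):
    """FILETIME -> aware UTC datetime. No time zone or daylight bias is applied here."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Aware UTC datetime -> FILETIME ticks (used only to construct the sample record)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_url_record(buf, start=0):
    """Decode one 'URL ' record beginning at buf[start]; raw ticks are kept for hand checking."""
    if buf[start + SIG_OFF:start + SIG_OFF + 4] != b"URL ":
        raise ValueError("no 'URL ' signature at offset %d" % start)
    (nblocks,) = struct.unpack_from("<I", buf, start + NBLOCKS_OFF)
    modified, accessed = struct.unpack_from("<QQ", buf, start + MODIFIED_OFF)
    (url_off,) = struct.unpack_from("<I", buf, start + URL_PTR_OFF)
    end = buf.index(b"\x00", start + url_off)               # URL is a NUL-terminated string
    return {
        "length": nblocks * BLOCK,
        "modified_raw": modified,
        "accessed_raw": accessed,
        "modified_utc": filetime_to_utc(modified),
        "accessed_utc": filetime_to_utc(accessed),
        "url": buf[start + url_off:end].decode("ascii", "replace"),
    }


def build_url_record(url, modified, accessed):
    """Constructed two-block sample record; the URL string is placed at offset 0x68."""
    rec = bytearray(2 * BLOCK)
    rec[SIG_OFF:SIG_OFF + 4] = b"URL "
    struct.pack_into("<I", rec, NBLOCKS_OFF, 2)
    struct.pack_into("<QQ", rec, MODIFIED_OFF, utc_to_filetime(modified), utc_to_filetime(accessed))
    struct.pack_into("<I", rec, URL_PTR_OFF, 0x68)
    rec[0x68:0x68 + len(url)] = url.encode("ascii")
    return bytes(rec)


# Constructed sample input: the thread's 12:20:12 UTC on 3 August 2008 (dd/mm/yyyy reading).
SAMPLE_TIME = datetime(2008, 8, 3, 12, 20, 12, tzinfo=timezone.utc)
SAMPLE_RECORD = build_url_record("http://www.example.com/", SAMPLE_TIME, SAMPLE_TIME)


if __name__ == "__main__":
    rec = parse_url_record(SAMPLE_RECORD)
    # The 8 little-endian bytes you would see in a hex editor at record offset 0x10:
    print("accessed bytes:", struct.pack("<Q", rec["accessed_raw"]).hex(" "))
    print("accessed ticks:", rec["accessed_raw"])
    print("accessed UTC  :", rec["accessed_utc"].strftime("%Y-%m-%d %H:%M:%S"))
    print("url           :", rec["url"], "| record length:", rec["length"])
```

Doing the conversion by hand from the hex bytes and getting 12:20:12 is what lets you state in a report that the index.dat value is the stored UTC instant and the 13:20:12 shown for the cached .htm file is that same instant with the system's daylight bias applied; checking a handful of other records (and a file whose timestamp you set yourself on a test machine) against what FTK displays is the quickest way to learn which of its columns carry the bias.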