ExFAT timestamp issues #7886
Comments
Possible related issue sleuthkit/sleuthkit#2670
Dear developers,
Thank you for creating open source software. To improve Autopsy, I would like to inform you about my findings when it comes to exFAT.
The implementation of exFAT does not support the UTCOffset fields in the File Directory Entry. I assume this also is the case for Sleuthkit.
In exFAT the timestamps Created, Last Modified, and Last Access must be connected to the corresponding UTCOffset fields. In addition, the Created10msIncrement and the LastModified10msIncrement fields allow a granularity of 10 ms for the Created and the Last Modified timestamps instead of 2 seconds. All these must be taken into consideration when showing the time in a human-readable format.
In my research I can see that Autopsy uses the same approach for FAT32 and exFAT, assuming both are using local time (which means the timezone must be selected by the investigator). This assumption is incorrect for exFAT whenever the msb (most significant bit) is set for the UTCOffset fields. If the msb is not set, the UTC offset is not in use, meaning the timestamp will be local time without knowing the UTC offset. It is also necessary to support different UTC offset values for the same File Directory Entry.
Read more about the exFAT issues here: https://doi.org/10.1016/j.fsidi.2022.301476
I hope the information can be used to improve Autopsy/Sleuthkit.
Kind Regards
Rune Nordvik
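The decoding described in the issue above, as an added example that is not part of the original post and is not Autopsy or Sleuthkit code. Field offsets and bit layouts follow the published exFAT specification; the function names and the sample directory entry are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

def decode_timestamp(ts, inc_10ms=0):
    """32-bit exFAT timestamp (2 s resolution) plus 10 ms increment (0-199)."""
    base = datetime(1980 + (ts >> 25), (ts >> 21) & 0x0F, (ts >> 16) & 0x1F,
                    (ts >> 11) & 0x1F, (ts >> 5) & 0x3F, (ts & 0x1F) * 2)
    return base + timedelta(milliseconds=10 * inc_10ms)

def decode_utc_offset(value):
    """tzinfo when OffsetValid (msb) is set; None means local time, offset unknown."""
    if not value & 0x80:
        return None
    quarters = value & 0x7F          # signed 7-bit count of 15-minute steps
    if quarters & 0x40:
        quarters -= 0x80
    return timezone(timedelta(minutes=15 * quarters))

def parse_file_entry_times(entry):
    """Return created/modified/accessed datetimes, each with its own offset."""
    if len(entry) != 32 or entry[0] != 0x85:
        raise ValueError("not a 32-byte exFAT File Directory Entry")
    (c_ts, m_ts, a_ts, c_inc, m_inc,
     c_off, m_off, a_off) = struct.unpack_from("<IIIBBBBB", entry, 8)
    fields = {"created": (c_ts, c_inc, c_off),
              "modified": (m_ts, m_inc, m_off),
              "accessed": (a_ts, 0, a_off)}   # no 10 ms field for Last Access
    return {name: decode_timestamp(ts, inc).replace(tzinfo=decode_utc_offset(off))
            for name, (ts, inc, off) in fields.items()}

def _pack_ts(y, mo, d, h, mi, s):
    return ((y - 1980) << 25) | (mo << 21) | (d << 16) | (h << 11) | (mi << 5) | (s // 2)

# Constructed sample entry: created at UTC+01:00, modified at UTC-05:00,
# accessed with OffsetValid clear (local time, offset unknown).
SAMPLE_ENTRY = (bytes([0x85, 0x02]) + bytes(6) + struct.pack(
    "<IIIBBBBB",
    _pack_ts(2022, 3, 15, 14, 30, 44), _pack_ts(2022, 3, 16, 9, 5, 10),
    _pack_ts(2022, 3, 16, 9, 5, 10), 157, 0, 0x84, 0xEC, 0x00) + bytes(7))

if __name__ == "__main__":
    for name, value in parse_file_entry_times(SAMPLE_ENTRY).items():
        print(f"{name:9}", value.isoformat(), "(offset known)" if value.tzinfo else "(local time)")
```

A timestamp returned without `tzinfo` should be reported as local time with an unknown offset rather than converted using the investigator's selected timezone.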