writerkeith wrote:
Can I correctly conclude that it is reasonable to consider that timestamps on some files between March 11, 2007 and April 2, 2007 could be off by one hour?
Not on the grounds you have provided.
NTFS file system timestamps are always UTC (or, to be correct, UTC without leap seconds), and so are not affected by DST issues. Quite a lot of other timestamps (in system logs, etc) are also kept in UTC format, so the same goes for them.
Any logs kept in local time, however, such as some browser history, are places where there may be problems.
If the relevant hard disk volumes use the FAT file system, however, it's another thing: FAT logs all file timestamps in local time, and so the effects you mention would be present.
And if you are looking at CDs in ISO-9660 format, it could easily go for them as well, as it's never been strictly defined which time zone they should use. It would depend on the CD burning software.
Also ... as it seems that EnCase has been used ...
EnCase time zone interpretation is a nice little problem of its own: in some cases, the analyst just lets EnCase go ahead and deduce the correct timezone adjustment to apply to UTC timestamps. Usually, it gets it right, but there are situations when it doesn't. (This could be one of them -- as the system appears to be misconfigured to start with). And of course, there are situations when an uninformed analyst manually selects a timezone that 'looks like' the expected one, but which has different DST rules. Double-checking that the right time-zone configuration has been applied is important.
If EnCase has been misconfigured, for whatever reason, it will show the wrong timestamp translations. And if EnCase's timestamp translations need to be compared with 'real' local timestamps (i.e. time information from somewhere else that follows the real DST rules), things can get confusing.
The TimeZone information you provide is (I'm fairly certain) how the examined system was configured -- that is, what time would a local user see. The next question is how EnCase is configured -- what time does the analyst see? The same thing as the local user, or something slightly different, or even wildly different?
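As an added illustration (not part of the thread), the one-hour ambiguity described above worked through in Python: an NTFS FILETIME rendered in local time under the pre-2007 and the 2007 US DST rules, beside a FAT date/time decoded as the local wall time it stores. US Eastern is an assumed zone, and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft: int) -> datetime:
    """NTFS FILETIME: 100 ns ticks since 1601-01-01 UTC. No zone or DST is encoded."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc, used here only to construct sample values."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def nth_sunday(year: int, month: int, n: int) -> datetime:
    """n-th Sunday of a month (n=-1: last Sunday; month < 12 only) as a naive midnight."""
    if n > 0:
        first = datetime(year, month, 1)
        return first + timedelta(days=(6 - first.weekday()) % 7, weeks=n - 1)
    last = datetime(year, month + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def eastern_offset(utc_dt: datetime, rules: str) -> timedelta:
    """UTC offset US Eastern (assumed zone) applies under the chosen DST rule set."""
    y = utc_dt.year
    if rules == "pre2007":    # first Sunday in April .. last Sunday in October
        start, end = nth_sunday(y, 4, 1), nth_sunday(y, 10, -1)
    else:                     # 2007 rules: second Sunday in March .. first Sunday in November
        start, end = nth_sunday(y, 3, 2), nth_sunday(y, 11, 1)
    # DST begins 02:00 EST (07:00 UTC) and ends 02:00 EDT (06:00 UTC)
    start_utc = start.replace(tzinfo=timezone.utc) + timedelta(hours=7)
    end_utc = end.replace(tzinfo=timezone.utc) + timedelta(hours=6)
    return timedelta(hours=-4) if start_utc <= utc_dt < end_utc else timedelta(hours=-5)

def render_local(ft: int, rules: str) -> str:
    """What a hypothetical analysis tool would display for an NTFS timestamp under a rule set."""
    utc_dt = filetime_to_utc(ft)
    return (utc_dt + eastern_offset(utc_dt, rules)).strftime("%Y-%m-%d %H:%M:%S")

def fat_to_local(date16: int, time16: int) -> datetime:
    """FAT directory-entry date/time: packed local wall time, 2 s resolution, no zone info."""
    year, month, day = 1980 + (date16 >> 9), (date16 >> 5) & 0xF, date16 & 0x1F
    hour, minute, second = time16 >> 11, (time16 >> 5) & 0x3F, (time16 & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)
# Constructed samples: one NTFS timestamp inside the 2007 gap, one after it.
IN_GAP = utc_to_filetime(datetime(2007, 3, 20, 14, 30, tzinfo=timezone.utc))
AFTER_GAP = utc_to_filetime(datetime(2007, 4, 15, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for name, ft in (("in gap", IN_GAP), ("after gap", AFTER_GAP)):
        print(name, render_local(ft, "post2007"), "vs old rules", render_local(ft, "pre2007"))
    print("FAT entry 0x3674/0x53C0 reads", fat_to_local(0x3674, 0x53C0), "(local, as stored)")
```

Between March 11 and April 1, 2007 the two rule sets disagree by exactly one hour for the same NTFS value, while the FAT entry carries no zone at all and can only be interpreted with knowledge of the writing machine's clock settings.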