[Vol-dev] Timezones

Andreas Schuster a.schuster at yendor.net
Mon Jul 6 07:15:04 CDT 2009


Dear developers,

I noticed that Volatility displays dates and times in up to three different 
timezones:
1. UTC (e.g. pslist, sockets, and the corresponding scanner modules)
2. local time of the system under examination (e.g. datetime, ident 
commands)
3. local time of the examiner's workstation (when using ctime() for 
formatting)

I usually prefer UTC, especially when I have to consolidate timelines 
across systems that are distributed across different timezones. Using the 
local time may be a good choice when dealing with less-technical people.

So, I don't think there's a "best" option and propose to let the user 
decide about the timezone that best suits his/her needs. The handling (and 
output format) should be consistent to avoid any misinterpretation and 
confusion.

In order to provide a consistent interface to users and programmers, I 
propose to add functions to the framework (or to modify existing functions, 
respectively):
- to switch between the three options in a consistent way (i.e. add an 
option to the standard parser)
- to read timestamps in all applicable formats (mostly KSYSTEM_TIME, but 
also LARGE_INTEGER with bit shifting) from buffers and address spaces (see 
forensics/win32/datetime.py)
- to produce the timestamp in an easy to read, unambiguous, and sortable 
format (preferably in accordance with ISO 8601)

Before I start with coding, I want to hear your opinion on this. I 
appreciate any comments.

Thanks!
Andreas
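As an added illustration of the three points above (this is example code written for this page, not Volatility's own code nor part of Andreas's message), the following reads a FILETIME held in a LARGE_INTEGER and a KSYSTEM_TIME from a raw buffer, converts both to an aware UTC datetime, and renders the result in any of the three zones as sortable ISO 8601. The sample buffer and the CDT zone of the examined system are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME / LARGE_INTEGER timestamps count 100 ns intervals since 1601-01-01 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """64-bit FILETIME -> timezone-aware UTC datetime (None for the zero value)."""
    if ft == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)  # 100 ns -> 1 us

def read_large_integer(buf, offset=0):
    """Read a little-endian LARGE_INTEGER holding a FILETIME from a buffer."""
    (ft,) = struct.unpack_from("<Q", buf, offset)
    return filetime_to_datetime(ft)

def read_ksystem_time(buf, offset=0):
    """KSYSTEM_TIME is {ULONG LowPart; LONG High1Time; LONG High2Time}; the two
    high words bracket LowPart so a torn 64-bit read can be detected."""
    low, high1, high2 = struct.unpack_from("<Lll", buf, offset)
    if high1 != high2:
        raise ValueError("torn KSYSTEM_TIME: High1Time != High2Time")
    return filetime_to_datetime((high1 << 32) | low)

def format_timestamp(dt, mode="utc", target_tz=None):
    """Render as ISO 8601 with offset. mode: 'utc', 'target' (zone of the
    examined system, passed as target_tz) or 'local' (examiner's workstation)."""
    if dt is None:
        return "-"
    if mode == "utc":
        dt = dt.astimezone(timezone.utc)
    elif mode == "target":
        dt = dt.astimezone(target_tz)
    elif mode == "local":
        dt = dt.astimezone()  # workstation zone, as ctime() would have used
    else:
        raise ValueError("unknown timezone mode %r" % mode)
    return dt.isoformat(timespec="seconds")

# Constructed sample: 2009-07-06 12:15:04 UTC as a FILETIME (offset 0), the same
# instant as a KSYSTEM_TIME (offset 8), then a torn KSYSTEM_TIME (offset 20).
SAMPLE_FT = 128913561040000000
_LOW, _HIGH = SAMPLE_FT & 0xFFFFFFFF, SAMPLE_FT >> 32
SAMPLE_BUF = (struct.pack("<Q", SAMPLE_FT)
              + struct.pack("<Lll", _LOW, _HIGH, _HIGH)
              + struct.pack("<Lll", _LOW, _HIGH, _HIGH - 1))
CDT = timezone(timedelta(hours=-5), "CDT")  # assumed zone of the examined system
```

Calling `format_timestamp(read_large_integer(SAMPLE_BUF), "target", CDT)` yields `2009-07-06T07:15:04-05:00`, while mode `"utc"` yields `2009-07-06T12:15:04+00:00` for the same instant.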