[Vol-dev] Timeszones

[Jesse Kornblum]

I favor UTC time stamps for everything, but I do like to see the  
system's time zone (and thus the local time) at least once.

On Jul 6, 2009, at 8:15 AM, Andreas Schuster wrote:

> Dear developers,
>
> I noticed that Volatility displays dates and times in up to three  
> different timezones:
> 1. UTC (e.g. pslist, sockets, and the corresponding scanner modules)
> 2. local time of the system under examination (e.g. datetime, ident  
> commands)
> 3. local time of the examiner's workstation (when using ctime() for  
> formatting)
>
> I usually prefer UTC, especially when I have to consolidate  
> timelines across systems that are distributed across different  
> timezones. Using the local time may be a good choice when dealing  
> with less-technical people.
>
> So, I don't think there's a "best" option and propose to let the  
> user decide about the timezone that best suits his/her needs. The  
> handling (and output format) should be consistent to avoid any  
> misinterpretation and confusion.
>
> In order to provide a consistent interface to users and programmers,  
> I propose to add functions to the framework (or to modify existing  
> functions, respectively):
> - to switch between the three options in a consistent way (i.e. add  
> an option to the standard parser)
> - to read timestamps in all applicable formats (mostly KSYSTEM_TIME,  
> but also LARGE_INTEGER with bit shifting) from buffers and address  
> spaces (see forensics/win32/datetime.py)
> - to produce the timestamp in an easy to read, unambiguous, and  
> sortable format (preferably in accordance with ISO 8601)
>
> Before I start with coding, I want to hear your opinion on this. I  
> appreciate any comments.
>
> Thanks!
> Andreas
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-dev

-- 
Jesse
research at jessekornblum.com