[Vol-dev] Timeszones

AAron Walters awalters at 4tphi.net
Thu Jul 9 23:33:56 CDT 2009 


Andreas,

I agree that UTC is probably the best option for standardizing time. I 
remember Scudette and I having all kinds of problems with temporal 
information when we were working on the DFRWS Challenge.

At one point, Scudette and I were discussing adding a configuration file 
but a command line option could be an option.

I also think a standardized output format is probably a good idea as well.

This would be an extremely useful endeavor.

Thanks,

AW


On Wed, 8 Jul 2009, Jesse Kornblum wrote:

> I favor UTC time stamps for everything, but I do like to see the system's 
> time zone (and thus the local time) at least once.
>
> On Jul 6, 2009, at 8:15 AM, Andreas Schuster wrote:
>
>> Dear developers,
>> 
>> I noticed that Volatility displays dates and times in up to three different 
>> timezones:
>> 1. UTC (e.g. pslist, sockets, and the corresponding scanner modules)
>> 2. local time of the system under examination (e.g. datetime, ident 
>> commands)
>> 3. local time of the examiner's workstation (when using ctime() for 
>> formatting)
>> 
>> I usually prefer UTC, especially when I have to consolidate timelines 
>> across systems that are distributed across different timezones. Using the 
>> local time may be a good choice when dealing with less-technical people.
>> 
>> So, I don't think there's a "best" option and propose to let the user 
>> decide about the timezone that best suits his/her needs. The handling (and 
>> output format) should be consistent to avoid any misinterpretation and 
>> confusion.
>> 
>> In order to provide a consistent interface to users and programmers, I 
>> propose to add functions to the framework (or to modify existing functions, 
>> respectively):
>> - to switch between the three options in a consistent way (i.e. add an 
>> option to the standard parser)
>> - to read timestamps in all applicable formats (mostly KSYSTEM_TIME, but 
>> also LARGE_INTEGER with bit shifting) from buffers and address spaces (see 
>> forensics/win32/datetime.py)
>> - to produce the timestamp in an easy to read, unambiguous, and sortable 
>> format (preferably in accordance with ISO 8601)
>> 
>> Before I start with coding, I want to hear your opinion on this. I 
>> appreciate any comments.
>> 
>> Thanks!
>> Andreas
>> _______________________________________________
>> Vol-dev mailing list
>> Vol-dev at volatilesystems.com
>> http://lists.volatilesystems.com/mailman/listinfo/vol-dev
>
> -- 
> Jesse
> research at jessekornblum.com
>
>
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev at volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-dev

More information about the Vol-dev mailing list