sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

ExFAT timestamp issues #7886

Open RuneN007 opened 3 months ago

RuneN007 commented 3 months ago

Dear developers,

Thank you for creating open source software. To improve Autopsy, I would like to inform you about my findings when it comes to exFAT.

The implementation of exFAT does not support the UTCOffset fields in the File Directory Entry. I assume this also is the case for Sleuthkit.

In exFAT the timestamps Created, Last Modified, and Last Access must be connected to the corresponding UTCOffset fields. In addition, the Created10msIncrement and the LastModified10msIncrement fields allow a granularity of 10 ms for the Created and the Last Modified timestamps instead of 2 seconds. All these must be taken into consideration when showing the time in a human readable format.

In my research I can see that Autopsy uses the same approach for FAT32 and exFAT, assuming both are using local time (which means the timezone must be selected by the investigator). This assumption is incorrect for exFAT whenever the msb (most significant bit) is set for the UTCOffset fields. If the msb is not set, the UTC offset is not in use, meaning the timestamp will be local time without knowing the UTC offset. It is also necessary to support different UTC offset values for the same File Directory Entry.

Read more about the exFAT issues here: https://doi.org/10.1016/j.fsidi.2022.301476

I hope the information can be used to improve Autopsy/Sleuthkit.

Kind Regards

Rune Nordvik
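The decoding the report asks for, as an added example that is not Autopsy or Sleuth Kit code: it unpacks the timestamp, 10msIncrement and UtcOffset fields of a 32-byte exFAT File Directory Entry (type 0x85) and only attaches a timezone when the OffsetValid bit (msb) is set, leaving the time naive otherwise. The function names and the sample entry are constructed for this illustration.

```python
# Added example (not Autopsy/Sleuth Kit code): decode exFAT File Directory
# Entry timestamps honouring the UtcOffset and 10msIncrement fields.
import struct
from datetime import datetime, timedelta, timezone

def pack_exfat_timestamp(dt: datetime) -> int:
    """Pack a tz-less local time into the 32-bit exFAT layout (2-second granularity)."""
    return ((dt.year - 1980) << 25 | dt.month << 21 | dt.day << 16
            | dt.hour << 11 | dt.minute << 5 | dt.second // 2)

def decode_exfat_timestamp(ts: int, inc10ms: int, utc_offset: int):
    """Return (datetime, offset_known). ts: packed 32-bit field; inc10ms: 0..199
    ten-ms units added to the 2-second granularity; utc_offset: bit 7 = OffsetValid,
    bits 0..6 = signed 7-bit offset in 15-minute units."""
    if not 0 <= inc10ms <= 199:
        raise ValueError("10msIncrement out of range")
    local = datetime(1980 + (ts >> 25), (ts >> 21) & 0x0F, (ts >> 16) & 0x1F,
                     (ts >> 11) & 0x1F, (ts >> 5) & 0x3F, (ts & 0x1F) * 2)
    local += timedelta(milliseconds=10 * inc10ms)
    if not utc_offset & 0x80:
        return local, False          # local time, zone unknown: leave naive
    raw = utc_offset & 0x7F
    if raw >= 0x40:                  # 7-bit two's complement -> negative offset
        raw -= 0x80
    return local.replace(tzinfo=timezone(timedelta(minutes=15 * raw))), True

def parse_file_entry(entry: bytes) -> dict:
    """Decode the three timestamps of a 32-byte File Directory Entry (type 0x85)."""
    if len(entry) != 32 or entry[0] != 0x85:
        raise ValueError("not a File Directory Entry")
    created, modified, accessed, c_inc, m_inc, c_off, m_off, a_off = struct.unpack_from("<3I5B", entry, 8)
    return {
        "created": decode_exfat_timestamp(created, c_inc, c_off),
        "modified": decode_exfat_timestamp(modified, m_inc, m_off),
        "accessed": decode_exfat_timestamp(accessed, 0, a_off),
    }

# Constructed sample entry: each timestamp carries a different UtcOffset value.
SAMPLE_ENTRY = struct.pack(
    "<BBHHHIII5B7x", 0x85, 2, 0, 0x20, 0,
    pack_exfat_timestamp(datetime(2022, 3, 15, 10, 30, 44)),  # created, local +01:00
    pack_exfat_timestamp(datetime(2022, 3, 15, 12, 0, 0)),    # modified, local -05:00
    pack_exfat_timestamp(datetime(2022, 3, 16, 8, 15, 0)),    # accessed, offset not valid
    50, 0, 0x84, 0xEC, 0x00)

if __name__ == "__main__":
    for name, (dt, known) in parse_file_entry(SAMPLE_ENTRY).items():
        print(f"{name:8s} {dt.isoformat()}  utc_known={known}")
```

Displaying the created timestamp as 09:30:44.5 UTC, the modified timestamp as 17:00:00 UTC and the accessed timestamp as "local time, zone unknown" is what the two-second, single-timezone FAT32 treatment cannot express.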

joachimmetz commented 1 month ago

Possibly related issue https://github.com/sleuthkit/sleuthkit/issues/2670