tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

utc timestamps #319

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Since we are fixing the --tz option to allow for timestamp conversions, I 
thought I'd make a list of items that are currently output in UTC only:

Processes
Threads
Sockets
Registry Keys
- LastWrite
- UserAssist
- ShimCache
Event Logs
PE Timestamps
MFT Timestamps

I realize that some of these are not enumerated by core plugins yet, but it's 
good to have a list of these items anyway ;-)

Original issue reported on code.google.com by jamie.l...@gmail.com on 30 Jul 2012 at 3:04

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 30 Jul 2012 at 3:05

GoogleCodeExporter commented 9 years ago
also shellbags (under registry)

Original comment by jamie.l...@gmail.com on 27 Aug 2012 at 11:25

GoogleCodeExporter commented 9 years ago
Any opinions on whether this is worth doing in time for 2.3?

Original comment by michael.hale@gmail.com on 1 Feb 2013 at 4:28

GoogleCodeExporter commented 9 years ago
Please take a look at the corrected implementation for UnixTimeStamp:

https://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/overlays/basic.py#361

This already supports outputting in the required timezone which can be 
specified on the command line. Essentially whenever any timestamp is printed 
out it will be converted to the same timezone (and the offset is also always 
shown). For example by default pslist shows times in UTC:

0x81e61da0 svchost.exe             940    668     13      312      0  False  2010-10-29 17:08:55+0000 -

But when specifying --timezone Australia/Sydney:

0x81e61da0 svchost.exe             940    668     13      312      0  False  2010-10-30 04:08:55+1100 -

Posting this code to trunk should be very easy.

Original comment by scude...@gmail.com on 1 Feb 2013 at 9:20
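The conversion described in the comment above (keep the raw value as UTC internally, render it in the requested zone with its offset attached), as an added Python example written for this issue and not Volatility's own UnixTimeStamp code; the function names are mine, the pslist values are the ones quoted above, and the fixed-offset form "+1100" is a constructed stand-in for Australia/Sydney when no tz database is installed.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC; Unix time counts
# seconds since 1970-01-01 UTC. Both are decoded to an aware UTC datetime first,
# so every plugin column goes through the same --tz conversion later.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime):
    """Decode a raw FILETIME (e.g. a KeyLastWrite or process CreateTime) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def unix_to_utc(seconds):
    """Decode a raw Unix timestamp (e.g. a *nix/Mac task start time) to UTC."""
    return EPOCH_1970 + timedelta(seconds=seconds)


def resolve_tz(spec):
    """Turn a --tz value into a tzinfo: 'UTC', a fixed offset such as '+1100' or
    '-0500', or an IANA name such as 'Australia/Sydney' (needs the tz database)."""
    if spec.upper() == "UTC":
        return timezone.utc
    m = re.fullmatch(r"([+-])(\d{2})(\d{2})", spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    from zoneinfo import ZoneInfo  # Python 3.9+; raises if the zone is not installed
    return ZoneInfo(spec)


def format_timestamp(utc_dt, tz):
    """Render as in the pslist sample: 'YYYY-MM-DD HH:MM:SS+HHMM', offset always shown."""
    return utc_dt.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S%z")


def pslist_row(name, pid, ppid, create_time_utc, tz):
    """One (constructed) pslist line; only the timestamp column changes with --tz."""
    return "%-12s %6d %6d  %s" % (name, pid, ppid, format_timestamp(create_time_utc, tz))


if __name__ == "__main__":
    # Constructed svchost.exe sample: 2010-10-29 17:08:55 UTC as a Unix timestamp.
    created = unix_to_utc(1288372135)
    for spec in ("UTC", "+1100"):
        print(pslist_row("svchost.exe", 940, 668, created, resolve_tz(spec)))
```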

GoogleCodeExporter commented 9 years ago
Thanks! Gleeda do you want to take a shot at this? It could be useful to your 
timeliner plugin. Also it would be good to incorporate the timezone settings 
for Linux/Mac timestamps. I'll set it as 2.3, but we can vote on if it's a 
release blocker or not. I just figured if it's fairly easy and doesn't take too 
much time, we might as well do it for 2.3 if we can.

Original comment by michael.hale@gmail.com on 2 Feb 2013 at 6:41

GoogleCodeExporter commented 9 years ago
Sure, I can take a stab at it :-)

Original comment by jamie.l...@gmail.com on 2 Feb 2013 at 11:46

GoogleCodeExporter commented 9 years ago
A partial fix has been committed in revision 3063. Next we'll fix *nix 
timestamps.

Original comment by jamie.l...@gmail.com on 6 Feb 2013 at 1:02

GoogleCodeExporter commented 9 years ago
All nix, mac, and windows timestamps now use --tz 

Original comment by michael.hale@gmail.com on 2 Apr 2013 at 2:42