google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page:https://grr-doc.readthedocs.io/


Birth timestamp always 0 with TimelineFlow

alexgumo7 opened this issue · comments

Environment

  • How did you install GRR? Docker image
  • What GRR version are you running?: 3.4.2.4
  • What operating system does the GRR server run on? Linux
  • What operating system does the affected GRR client run on, if applicable? Windows

Describe the issue
I have tried the new flow TimelineFlow with the Root path set to C:\. Then, I download the body file using:

from grr_api_client import api
from grr_response_proto.api import timeline_pb2

# Connect to the GRR AdminUI API (endpoint and credentials are placeholders).
grrapi = api.InitHttp(api_endpoint='http://localhost:8000',
                      auth=('admin', 'password'))

# Fetch the finished TimelineFlow's results in body-file format.
grrapi.Client('C.0123456789abcdef').Flow('12345678') \
    .GetCollectedTimeline(fmt=timeline_pb2.ApiGetCollectedTimelineArgs.BODY) \
    .WriteToFile('/tmp/out.body')

The file is downloaded correctly, however, when checking the results, the birth timestamp of all the entries is always 0. For instance:

0|C:\Windows\Temp\example.txt|281474976751798|-rw-rw-rw-|0|0|442880|1608209068|1536996526|1536996526|0

Additional context

To be sure and test that there is nothing wrong with the target machine I have generated the body file and timeline by downloading directly the MFT and everything is correct.
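A quick way to detect the symptom reported above before building a timeline on a body file, as an added example (this is not code from the issue or from the GRR project): parse the 11-column body format that the BODY export writes (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime) and report whether the crtime column is populated at all. The sample lines are constructed from the entry quoted in the issue plus two invented neighbours.

```python
"""Check a body-format timeline for missing birth (crtime) timestamps.

Added example, not part of the GRR issue or the GRR code base. If every entry
has crtime == 0 the exporter most likely did not emit the column (the bug
described in this issue) rather than every file truly being born at the epoch.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed sample: the line quoted in the issue plus two invented entries.
SAMPLE_BODY = """\
0|C:\\Windows\\Temp\\example.txt|281474976751798|-rw-rw-rw-|0|0|442880|1608209068|1536996526|1536996526|0
0|C:\\Windows\\Temp\\other.log|281474976751799|-rw-rw-rw-|0|0|1024|1608209070|1536996530|1536996530|0
0|C:\\Windows\\Temp|281474976751700|drwxrwxrwx|0|0|0|1608209000|1536996000|1536996000|0
"""


@dataclass
class BodyEntry:
    md5: str
    name: str
    inode: int
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int


def parse_body_line(line: str) -> BodyEntry:
    """Parse one body-format line.

    The nine numeric/mode columns are split off from the right, so a '|'
    inside the file name (legal on Linux) cannot shift the timestamp columns.
    """
    head, *tail = line.rstrip("\r\n").rsplit("|", 9)
    if len(tail) != 9:
        raise ValueError(f"expected 11 columns, got: {line!r}")
    md5, _, name = head.partition("|")
    inode, mode, uid, gid, size, atime, mtime, ctime, crtime = tail
    return BodyEntry(md5, name, int(inode), mode, int(uid), int(gid), int(size),
                     int(atime), int(mtime), int(ctime), int(crtime))


def parse_body(text: str) -> List[BodyEntry]:
    """Parse a whole body file, skipping blank lines."""
    return [parse_body_line(line) for line in text.splitlines() if line.strip()]


def birth_time_report(entries: List[BodyEntry]) -> Tuple[int, int]:
    """Return (total entries, entries whose crtime is 0)."""
    zero = sum(1 for e in entries if e.crtime == 0)
    return len(entries), zero


def all_birth_times_missing(entries: List[BodyEntry]) -> bool:
    """True when the crtime column is 0 for every entry, i.e. it was not exported."""
    return bool(entries) and all(e.crtime == 0 for e in entries)


def to_iso(ts: int) -> str:
    """Render an epoch timestamp from the body file as ISO-8601 UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    entries = parse_body(SAMPLE_BODY)
    total, zero = birth_time_report(entries)
    print(f"{zero}/{total} entries have crtime == 0")
    if all_birth_times_missing(entries):
        print("WARNING: birth times missing for every entry; "
              "the export probably did not include crtime")
    for e in entries:
        print(e.name, "mtime", to_iso(e.mtime), "crtime", to_iso(e.crtime))
```

Run this over a downloaded body file before feeding it to a timeline tool; a file where every crtime is the epoch should be treated as lacking birth times rather than as evidence about when the files were created.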

@alexgumo7 - thanks for reporting! @panhania is this a known issue?

Yes, looks like we don't export the birth time in the BODY output (since it was implemented before the support for collecting it was implemented). Will fix it soon.

This has been resolved in 2abc05a.

It will be part of the next release. If you don't want to wait, you can also install GRR from the source.