sleuthkit / sleuthkit

The Sleuth Kit® (TSK) is a library and collection of command line digital forensics tools that allow you to investigate volume and file system data. The library can be incorporated into larger digital forensics tools and the command line tools can be directly used to find evidence.

Home Page: http://www.sleuthkit.org/sleuthkit/

FAT: missing creation time fraction of second in VFAT

joachimmetz opened this issue

Test files created with https://github.com/dfirlabs/fat-specimens, tested with e1c80ca

istat -o 128 10.0/fat12.vhd 5
Directory Entry: 5
Allocated
File Attributes: File, Archive
Size: 0
Name: EMPTYF~1

Directory Entry Times:
Written:	2021-06-09 20:11:16 (CEST)
Accessed:	2021-06-09 00:00:00 (CEST)
Created:	2021-06-09 20:11:15 (CEST)

Sectors:

Per https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Directory_entry:

Create time, fine resolution: 10 ms units, values from 0 to 199 (since DOS 7.0 with VFAT).

Though the kernel FAT implementation seems to map FAT creation time to inode change time, it does show the fraction of second.

stat fuse/emptyfile 
  File: fuse/emptyfile
  Size: 0         	Blocks: 0          IO Block: 2048   regular empty file
Device: 7,0	Inode: 1409        Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Context: system_u:object_r:dosfs_t:s0
Access: 2021-06-09 00:00:00.000000000 +0200
Modify: 2021-06-09 20:11:16.000000000 +0200
Change: 2021-06-09 20:11:15.340000000 +0200
 Birth: -

Possibly related #2663
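
The field the issue refers to, decoded as an added example (not TSK code and not part of the original report): the byte at offset 0x0D of a 32-byte FAT directory entry holds 0 to 199 units of 10 ms that refine the 2-second creation time at offset 0x0E. The names `fat_decode_ctime`, `struct fat_ctime` and `sample_de` are hypothetical, and the sample entry bytes are constructed to reproduce the creation time shown in the `stat` output above; FAT stores local time, so no time zone conversion is applied.

```c
#include <stdint.h>
#include <stdio.h>

/* Offsets in a 32-byte FAT short-name directory entry. */
#define DE_CRT_TENTH 0x0D /* creation time, 10 ms units, valid range 0..199 */
#define DE_CRT_TIME  0x0E /* creation time, 2-second resolution, little-endian */
#define DE_CRT_DATE  0x10 /* creation date, little-endian */

struct fat_ctime { int year, month, day, hour, min, sec, msec; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Decode the creation timestamp; returns 0 on success, -1 if a field is out of range. */
int fat_decode_ctime(const uint8_t de[32], struct fat_ctime *out)
{
    uint16_t t = le16(de + DE_CRT_TIME);
    uint16_t d = le16(de + DE_CRT_DATE);
    uint8_t tenth = de[DE_CRT_TENTH];

    out->year  = 1980 + (d >> 9);
    out->month = (d >> 5) & 0x0F;
    out->day   = d & 0x1F;
    out->hour  = t >> 11;
    out->min   = (t >> 5) & 0x3F;
    /* The time field only stores even seconds; tenth >= 100 adds the odd second. */
    out->sec   = (t & 0x1F) * 2 + tenth / 100;
    out->msec  = (tenth % 100) * 10;

    if (tenth > 199 || out->month < 1 || out->month > 12 || out->day < 1 ||
        out->hour > 23 || out->min > 59 || (t & 0x1F) > 29)
        return -1;
    return 0;
}

/* Constructed sample entry (not taken from the specimen image):
 * stored time 20:11:14 plus 134 * 10 ms gives 20:11:15.340 on 2021-06-09. */
static const uint8_t sample_de[32] = {
    'E','M','P','T','Y','F','~','1',' ',' ',' ', /* 8.3 name */
    0x20, 0x00,                                  /* attributes (archive), reserved */
    134, 0x67, 0xA1, 0xC9, 0x52,                 /* create: tenth, time, date */
    0xC9, 0x52, 0x00, 0x00,                      /* access date, first cluster high */
    0x68, 0xA1, 0xC9, 0x52,                      /* write time 20:11:16, write date */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00           /* first cluster low, size 0 */
};

int main(void) {
    struct fat_ctime c;
    if (fat_decode_ctime(sample_de, &c) != 0) return 1;
    printf("Created: %04d-%02d-%02d %02d:%02d:%02d.%03d\n",
           c.year, c.month, c.day, c.hour, c.min, c.sec, c.msec);
    return 0;
}
```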