
`mactime` outputs timestamp as localtime if `-y` was not specified

Open janstarke opened this issue 4 years ago • 2 comments

https://github.com/sleuthkit/sleuthkit/blob/7867797649f68edb46c14fe95c1fa10a4d058bc6/tools/timeline/mactime.base#L560

For incident response, especially in a global context, it is important to have comparable timestamps. If I run mactime somewhere in Europe on a certain sample, I should get the same results as my colleague in the US does, but this is not the case as long as -y was not specified as a parameter. But if I do not want the ISO format, but want to work with UTC, there's no good way to do it.

More important, if you're doing an analysis which lasts some days, and you're entering or leaving the daylight saving time during that analysis, even your own results will not be consistent.

I suggest one of the following solutions:

  1. mactime should always output times in UTC, independent of the format
  2. There should be a parameter which allows one to specify the intended output timezone explicitly

In addition, the behaviour of -z feels strange. For example, I have a line with the timestamp 1630321428, which corresponds to Monday, 2021-08-30 11:03:48. My local time is UTC+0200. When I run mactime with -z Europe/Berlin (which is UTC+0200, also), I get Monday, 2021-08-30 13:03:48, which is unexpected, because I told mactime that the bodyfile is in localtime, so there should be no change at all.

janstarke, Sep 01 '21 17:09

Related issue regarding the behavior of -z: https://github.com/sleuthkit/sleuthkit/issues/2423

joachimmetz, Sep 02 '21 04:09

fixed by #2532

janstarke, Sep 02 '21 15:09