
exFAT: "fls -l" prints incorrect last access timestamps

Open msuhanov opened this issue 4 years ago • 0 comments

Hello.

$ fls -V
The Sleuth Kit ver 4.11.1

$ istat -V
The Sleuth Kit ver 4.11.1

$ istat -o 2048 exfat_lin_part.raw 390
Directory Entry: 390
Allocated
File Attributes: File, Archive
Size: 4
Name: 1.txt

Directory Entry Times:
Written:	2022-01-19 21:12:28 (MSK)
Accessed:	2022-01-19 21:12:28 (MSK)
Created:	2022-01-19 18:18:20 (MSK)

Sectors:
288 0 0 0 0 0 0 0 

$ fls -rlp -o 2048 exfat_lin_part.raw | grep -w 390
r/r 390:	1.txt	2022-01-19 21:12:28 (MSK)	2022-01-19 00:00:00 (MSK)	0000-00-00 00:00:00 (UTC)	2022-01-19 18:18:20 (MSK)	4	00

The last access timestamp in the istat output: 2022-01-19 21:12:28 (MSK). The same timestamp reported using "fls -l": 2022-01-19 00:00:00 (MSK).

The bug is here:
https://github.com/sleuthkit/sleuthkit/blob/cb8603d019068a5f0cda05627f9d0bbd7beb30d3/tsk/fs/fs_name.c#L524
https://github.com/sleuthkit/sleuthkit/blob/f2a2ff627739426ef5ebb4872893611b9cf5e0ee/tsk/fs/tsk_fs.h#L842
https://github.com/sleuthkit/sleuthkit/blob/f2a2ff627739426ef5ebb4872893611b9cf5e0ee/tsk/fs/tsk_fs.h#L802
https://github.com/sleuthkit/sleuthkit/blob/f2a2ff627739426ef5ebb4872893611b9cf5e0ee/tsk/fs/tsk_fs.h#L801

msuhanov avatar Jan 22 '22 21:01 msuhanov
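A cross-check of the two outputs quoted in this issue, as an added example (not Sleuth Kit code and not from the issue author): it parses the `istat` time block and the `fls -l` line and reports the fields that disagree. The function names are hypothetical, and the tab-separated column order (written, accessed, changed, created) is an assumption read off the sample line in the issue.

```python
import re

# Sample text copied from the istat / fls output quoted in the issue.
ISTAT_OUT = (
    "Directory Entry: 390\nAllocated\nName: 1.txt\n\n"
    "Directory Entry Times:\n"
    "Written:\t2022-01-19 21:12:28 (MSK)\n"
    "Accessed:\t2022-01-19 21:12:28 (MSK)\n"
    "Created:\t2022-01-19 18:18:20 (MSK)\n"
)
FLS_LINE = (
    "r/r 390:\t1.txt\t2022-01-19 21:12:28 (MSK)\t2022-01-19 00:00:00 (MSK)"
    "\t0000-00-00 00:00:00 (UTC)\t2022-01-19 18:18:20 (MSK)\t4\t00"
)

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"


def parse_istat_times(text):
    """Return {'Written': ts, 'Accessed': ts, 'Created': ts} from istat output."""
    times = {}
    for line in text.splitlines():
        m = re.match(r"(Written|Accessed|Created):\s+(" + TS + ")", line)
        if m:
            times[m.group(1)] = m.group(2)
    return times


def parse_fls_long(line):
    """Map the timestamp columns of one `fls -l` line to istat's labels."""
    fields = line.split("\t")
    # Assumed layout: type/inode, name, written, accessed, changed, created, ...
    stamps = [re.search(TS, f).group(0) for f in fields[2:6]]
    return {"Written": stamps[0], "Accessed": stamps[1], "Created": stamps[3]}


def mismatches(istat_text, fls_line):
    """Return {label: (istat_ts, fls_ts)} for every timestamp that differs."""
    a, b = parse_istat_times(istat_text), parse_fls_long(fls_line)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


def date_only_truncation(istat_ts, fls_ts):
    """True when fls kept the date but reported midnight instead of the time."""
    same_day = istat_ts[:10] == fls_ts[:10]
    return same_day and fls_ts[11:] == "00:00:00" and istat_ts[11:] != "00:00:00"


if __name__ == "__main__":
    for label, (i_ts, f_ts) in mismatches(ISTAT_OUT, FLS_LINE).items():
        print(label, "istat:", i_ts, "fls:", f_ts,
              "date-only" if date_only_truncation(i_ts, f_ts) else "")
```

The comparison ignores the time zone label, so both tools must be run with the same zone settings; a file name containing a tab would shift the columns.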