List:       sleuthkit-users
Subject:    [sleuthkit-users] FAT32 time stamp value "created time (tenths of seconds)"
From:       Joern Franz <joern.franz () googlemail ! com>
Date:       2012-08-13 7:45:29
Message-ID: 5028B099.7050203 () googlemail ! com

Hi @all!

I'm stuck interpreting the "created time (tenths of seconds)" value
inside a FAT32 directory entry. Running istat on a jpg picture gives me:

Directory Entry: 455
Allocated
File Attributes: File, Archive
Size: 1055040
Name: FITZ_R~1.JPG

Directory Entry Times:
Written:        Wed Jan 16 21:23:48 2008
Accessed:       Wed Jun  6 00:00:00 2012
Created:        Wed Jun  6 06:28:34 2012

Looking at the directory entry, referring to this picture, gives me:

46 49 54 5a 5f 52 7e 31  4a 50 47 20 00 64 91 33  |FITZ_R~1JPG .d.3|
c6 40 c6 40 00 00 f8 aa  30 38 27 00 40 19 10 00  |.@.@....08'.@...|

I can decode the values for "Created Time" (Offset 14-15: 0x9133 =
06:28:34 Local) and "Created Day" (Offset 16-17: 0xc640 = 06 June 2012),
but what does the value "Created Time (tenths of seconds)" at Offset
13: 0x64 mean?

Decoding 0x64 in decimal gives me the value 100.

A quick look inside "File System Forensic Analysis" says this value
means "created time (tenths of seconds)", but I don't understand this,
since the seconds seem to be already in the 4-byte FAT32 time stamp at
offsets 14 - 17?

Can anybody help me understand this byte and its value for decoding the
FAT32 time stamp?

I'm running TSK on a Fedora 16 x86_64 box, version "The Sleuth Kit ver
3.2.3".

Thanks in advance,
- Joern
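
Added example (not part of the original message and not Sleuth Kit code): a decoder for the three timestamps in the 32-byte entry quoted above. It assumes the usual reading of the Microsoft FAT specification for the byte at offset 13 (valid range 0-199, each unit 10 ms, added to the 2-second-resolution creation time); the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta

# 32-byte short-name directory entry, copied from the hex dump in the message.
ENTRY = bytes.fromhex(
    "46 49 54 5a 5f 52 7e 31 4a 50 47 20 00 64 91 33"
    "c6 40 c6 40 00 00 f8 aa 30 38 27 00 40 19 10 00"
)

def _stamp(date, time=0):
    """Combine the 16-bit FAT date and time words into a naive local datetime."""
    return datetime(
        1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,   # year, month, day
        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2,      # hour, minute, 2 s steps
    )

def decode_times(entry):
    """Return created/written/accessed for one short-name entry (hypothetical helper)."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is 32 bytes")
    # Offset 13: fine-resolution byte; 14/16: create time/date; 18: access date;
    # 20: high cluster word (unused here); 22/24: write time/date. Little-endian.
    tenth, c_time, c_date, a_date, _hi, w_time, w_date = struct.unpack_from(
        "<B6H", entry, 13)
    if tenth > 199:
        raise ValueError(f"fine-resolution byte {tenth} outside 0-199")
    return {
        # Assumption (Microsoft FAT spec): the byte counts 10 ms units, so it
        # supplies the odd second and the sub-second part the time word lacks.
        "created": _stamp(c_date, c_time) + timedelta(milliseconds=10 * tenth),
        "written": _stamp(w_date, w_time),
        "accessed": _stamp(a_date),   # FAT stores only a date for last access
    }

if __name__ == "__main__":
    for label, value in decode_times(ENTRY).items():
        print(f"{label:9}{value.isoformat(sep=' ', timespec='milliseconds')}")
```

Under that assumption the value 0x64 (100) contributes exactly one second, so the creation time decodes to 06:28:35.000 rather than the 06:28:34 held in the time word alone.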
