Compensating for Time Zone Offsets

As mentioned in Chapter 7, “Windows Filesystems,” the NTFS filesystem stores time stamps in UTC (Universal Time), which is also Greenwich Mean Time (GMT). When time is displayed to the user, it is displayed in the local time based on the time zone offset on the computer. When a local time is stored on the computer, the difference between local time and UTC is computed, and the time is stored in UTC. The local time zone offset is determined by settings in the registry. If you want to examine the machine within the context of its local time, you need to know what those settings are. The time zone offset information is stored in the TimeZoneInformation key. Here’s the full path:

HKLM\SYSTEM\CurrentControlSet\Control\ ...
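The conversion described above, as an added example that is not from the book: it decodes an NTFS FILETIME to UTC and shifts it to the machine's local time using a bias read from the TimeZoneInformation key. The value name ActiveTimeBias (like Bias, StandardBias and DaylightBias) is the standard Windows name and does not appear in the excerpt; the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample data (not from a real case).
SAMPLE_FILETIME = struct.pack("<Q", 129830256000000000)  # 2012-06-01 12:00:00 UTC
SAMPLE_ACTIVE_BIAS_EAST = bytes.fromhex("88ffffff")      # ActiveTimeBias DWORD 0xFFFFFF88
SAMPLE_ACTIVE_BIAS_WEST = bytes.fromhex("f0000000")      # ActiveTimeBias DWORD 0x000000F0


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def bias_minutes(raw_dword: bytes) -> int:
    """Read a bias REG_DWORD as a signed 32-bit integer.

    Zones east of UTC have a negative bias; reading the value unsigned
    turns -120 minutes into 4294967176 and wrecks the conversion.
    """
    (minutes,) = struct.unpack("<i", raw_dword)
    return minutes


def utc_to_machine_local(utc: datetime, bias: int) -> datetime:
    """Windows defines UTC = local + bias, so local = UTC - bias."""
    return utc.astimezone(timezone(timedelta(minutes=-bias)))


if __name__ == "__main__":
    stamp = filetime_to_utc(SAMPLE_FILETIME)
    for label, raw in (("east", SAMPLE_ACTIVE_BIAS_EAST),
                       ("west", SAMPLE_ACTIVE_BIAS_WEST)):
        bias = bias_minutes(raw)
        print(label, bias, utc_to_machine_local(stamp, bias).isoformat())
```

ActiveTimeBias reflects the offset in effect when the key was last written, so a time stamp from the other half of the year needs Bias plus StandardBias or DaylightBias instead.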
