Jeff Hamm

exFAT File System Time Zone Concerns

July 19, 2010

exFAT Time Zone Concerns

The exFAT file system tracks the time zone offset of all MAC times stored for the respective file. The file system uses 32-bit time stamps (and another byte tracking 10ms increments). Additionally, all time stamps are recorded to the file system as local machine time while applying a time zone offset that is also stored when a file is changed/modified/accessed. The implications of this include being able to track removable media across several time zones without the need for the system they were used in. (For a more detailed look at the exFAT file system, see Robert Shullich's paper on SANS Computer Forensics Resources.)

exFAT stores each time zone offset in a one-byte value. Vista SP1 (the first desktop release of exFAT) did NOT utilize the time zone byte. In this case, the time zone bytes will be 0x00. Since the OS needs to know whether or not to read the time zone offset, the first bit (the high bit) will be a 0 to indicate that the time zone offset should not be applied or a 1 to indicate that the time zone offset is to be applied. The low seven bits are then read as a signed value that gives the time zone offset in 15-minute intervals. Examples follow below.

To illustrate the time zone offset and to demonstrate differences in how a file will be displayed to a user between Windows and EnCase, I started with a thumb drive formatted in exFAT. The drive did have data on it prior to my test that I simply deleted. You'll see remnants of this in the screen captures from EnCase. It does not affect this test, however. The formatting setup sized sectors at 512 bytes and clusters at 64 sectors per cluster. The cluster heap starts at sector 384 (cluster 2), and the root directory is in physical sector 512 (cluster 4).

No logical files were on the volume when I started. As I said, some data was deleted so EnCase does pick it up.

001.jpg

My machine was already set to EDT (UTC -4 hours). I created an empty text file on the device by right clicking and choosing, "New Text Document". All files were created this way, and nothing was added to the content — this was just a test of the time zones after all. I then reset my time zone to UTC and created the next file.

002.jpg

This file was created the same way and was saved as UTC.txt. A windows refresh was not performed. All of the times from earlier files will be displayed with the previous time zone. When I was done adding files, I did a screen refresh. You'll see that Windows converted all dates and times using the time zone offset.

003.jpg

A file was added with a positive offset — UTC +1 hour — to illustrate how the signed integer works. It's named "Berlin Time".

004.jpg

Kathmandu was selected because the time zone is in a 15 minute increment — and this is an example of why the time zone byte in exFAT must accommodate 15 minute intervals.

005.jpg

I changed my machine back to EDT and refreshed the window. All times line up to when the files were created and applied the proper time zone offset.

0061.jpg

In this shot, a few things are going on. Let's start with the time zone stuff first. Windows displays all the times as UTC with the exFAT stored time zone applied. The EnCase shot shows all times by applying ONLY the local machine time.

  • Example 1: Berlin Time : Modified Date : 10:06 AM Windows : 16:06 PM EnCase
  • Example 2: EDT (UTC -4hrs) : Modified Date : 10:04 AM Windows : 10:04 AM EnCase
  • Example 3: Kathmandu : Modified Date : 10:07 AM Windows : 19:51 PM EnCase
  • Example 4: UTC : Modified Date : 10:05 AM Windows : 14:05 PM EnCase
0071.jpg

Looking at the time zone offset value stored, it is 0x88. Break this into its binary value:

1 0 0 0 : 1 0 0 0

Time zone is turned on. Bit 1 = 1. Sign the additional 7 bits:

x -64 32 16 : 8 4 2 1

So the value is 8. Since these are 15 minute increments, multiply 8 x 15 to get 120. 120 is equal to 2 hours. The time zone offset is therefore UTC+2 hrs. (I left daylight time turned on — that accounts for the additional hour: UTC+2 instead of the expected UTC+1.)

008.jpg


Looking at the time zone offset value stored, it is 0xF0. Break this into its binary value:

1 1 1 1 : 0 0 0 0

Time zone is turned on. Bit 1 = 1. Sign the additional 7 bits:

x -64 32 16 : 8 4 2 1

So the value is -16 (-64 + 32 + 16). Since these are 15 minute increments, multiply -16 x 15 to get -240. Negative 240 is equal to -4 hours. The time zone offset is therefore UTC-4 hrs.

009.jpg


Looking at the time zone offset value stored, it is 0x97. Break this into its binary value:

1 0 0 1 : 0 1 1 1

Time zone is turned on. Bit 1 = 1. Sign the additional 7 bits:

x -64 32 16 : 8 4 2 1

So the value is 23 (16 + 4 + 2 + 1). Since these are 15 minute increments, multiply 23 x 15 to get 345. 345 is equal to 5.75 hours. The time zone offset is therefore UTC+5:45 hrs.

010.jpg

Looking at the time zone offset value stored, it is 0x80. Break this into its binary value:

1 0 0 0 : 0 0 0 0

Time zone is turned on. Bit 1 = 1. Sign the additional 7 bits:

x -64 32 16 : 8 4 2 1

So the value is 0. Since these are 15 minute increments, multiply 0 x 15 to get 0. 0 is equal to 0 hours. The time zone offset is therefore UTC+0 hrs.

Finally, to illustrate that the time zone codes are relative to both the machine time zone offset and the action taken, I added text to the Berlin file while my machine remained in EDT.

011.jpg

The time zone offset switched to 0xF0 for the modified time zone offset and last accessed time zone offset. The created time zone offset did not change (it remains 0x88). And, from example 2 above, we know that 0xF0 is EDT (UTC-4hrs).

EnCase still uses the local machine offset while Windows uses the appropriate TZ offset as stored in the directory entry record for the file.
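The byte decoding walked through above, and the conversion of a stored local time to UTC, as an added example that is not part of the original post. The function names are hypothetical, the 32-bit timestamp bit layout is taken from the exFAT specification rather than from this page, and the sample date is constructed.

```python
from datetime import datetime, timedelta, timezone


def decode_utc_offset(b):
    """Return the stored offset in minutes east of UTC, or None if not recorded."""
    if not 0 <= b <= 0xFF:
        raise ValueError("offset must be a single byte")
    if not b & 0x80:           # high bit clear: do not apply (Vista SP1 writes 0x00)
        return None
    quarters = b & 0x7F        # low seven bits
    if quarters & 0x40:        # the bit weighted -64 is set: negative offset
        quarters -= 0x80
    return quarters * 15       # 15-minute increments


def decode_timestamp(ts, ten_ms=0):
    """Unpack the 32-bit timestamp and 10 ms byte into a naive local datetime."""
    dt = datetime(
        1980 + (ts >> 25), (ts >> 21) & 0x0F, (ts >> 16) & 0x1F,
        (ts >> 11) & 0x1F, (ts >> 5) & 0x3F, (ts & 0x1F) * 2,
    )
    return dt + timedelta(milliseconds=10 * ten_ms)


def to_utc(ts, offset_byte, ten_ms=0, examiner_offset_minutes=0):
    """Return (UTC datetime, True if the offset came from the directory entry)."""
    local = decode_timestamp(ts, ten_ms)
    minutes = decode_utc_offset(offset_byte)
    stored = minutes is not None
    if not stored:
        # Assumption: with no stored offset the examiner must supply one.
        minutes = examiner_offset_minutes
    utc = (local - timedelta(minutes=minutes)).replace(tzinfo=timezone.utc)
    return utc, stored


def pack_timestamp(dt):
    """Build a 32-bit timestamp for constructed samples (inverse of decode)."""
    return ((dt.year - 1980) << 25 | dt.month << 21 | dt.day << 16
            | dt.hour << 11 | dt.minute << 5 | dt.second // 2)


if __name__ == "__main__":
    for b in (0x88, 0xF0, 0x97, 0x80, 0x00):   # offset bytes discussed above
        print(f"0x{b:02X} -> {decode_utc_offset(b)} minutes")
    # Constructed sample: 16:06 local time stored with offset byte 0x88.
    sample = pack_timestamp(datetime(2010, 7, 15, 16, 6, 0))
    print(to_utc(sample, 0x88))
```

The second element of the tuple returned by `to_utc` tells the examiner whether the UTC value rests on the offset stored in the directory entry or on an offset they supplied themselves.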

IMAGE0121.jpg

Additional Considerations 

I want to throw in another concern while we're at it. I alluded to this earlier and I'll return to the screenshot which I mentioned had additional issues.

IMAGE013.jpg

Disregard the Windows portion and look at the top where EnCase displays several file names. Many of the files are marked as deleted by the red circle with a slash through it. It should be pointed out that when a directory entry record is marked as AVAILABLE FOR USE (by setting the most significant bit in the first byte of the entry to 0 from 1), this does NOT EXCLUSIVELY mean the file associated with the record has been deleted. It simply means that the directory record is available for use — that could be because the file was deleted.

Look again at the entries — focus on the New Text Document.txt files. These files were created with the right click. They took up a lot of space in the directory entries with their long file name. When I renamed them to UTC.txt, EDT (UTC -4hrs).txt, etcetera, the entries for New Text Document.txt were marked as available for use. This can — and does — happen when files are manually renamed as well. The old names might point to the same data — or not.

To quickly sum up: to say that all the files marked with the circle and slash by EnCase are deleted would not be true in the case of exFAT.

Jeff Hamm is a Senior Forensic Computer Analyst for Paradigm Solutions and was formerly a Sergeant with the Oakland County Sheriff's Office in Michigan. He is now a full time contractor for a federal digital forensic laboratory where he carries a case load and manages a forensic team including cell phone and media analysts. He has been working media forensics and conducting computer crime investigations since 2001 and he holds the CFCE, EnCE, and ACE.

Tags:
  • Digital Forensics and Incident Response
