ExFAT timestamp issues

[RuneN007]

Dear developers,

Thank you for creating open source software. To improve Autopsy, I would like to inform you about my findings when it comes to exFAT.

The implementation of exFAT does not support the UTCOffset fields in the File Directory Entry. I assume this also is the case for Sleuthkit.

In exFAT the timestamps Created, Last Modified, and Last Access must be connected to the corresponding UTCOffset fields. In addition, the Created10msIncrement and the LastModified10msIncrement fields allow a granularity of 10 ms for the Created and the Last Modifed timestamps instead of 2 seconds. All these must be taken into consideration when showing the time in a human readable format.

In my research I can see that Autopsy uses the same approach for FAT32 and exFAT, assuming both is using local time (which means the timezone must be selected by the investigator). This assumption is incorrect for exFAT whenever the msb (most significant bit) is set for the UTCOffset fields. If the msb is not set, the UTC offset is not in use meaning the timestamp will be localtime without knowing the UTC offset. It is also necessary to support different UTC offset values for the same File Directory Entry.

Read more about the exFAT issues here: https://doi.org/10.1016/j.fsidi.2022.301476

I hope the information can be used to improve Autopsy/Sleuthkit.

Kind Regards

Rune Nordvik

[joachimmetz]

Possible related issue sleuthkit/sleuthkit#2670