...
Microsoft Internet Explorer Daily INDEX.DAT FILETIME Timestamp | |
0x08 | Last Visited Timestamp in LOCAL time |
0x10 | Last Visited Timestamp in UTC |
NetAnalysis Representation for Daily INDEX.DAT | |
Last Visited [UTC] | Unaltered UTC Timestamp from record offset 0x10 |
Last Visited [Local] | Unaltered Local Timestamp from record offset 0x08 |
Establishing the Time Zone ActiveBias
As the URL record contains a UTC and Local timestamp, it is possible to establish the Time Zone ActiveBias by calculating the time difference between both timestamps.
We discussed in a previous article how to manually establish the system Time Zone settings.
The calculated ActiveBias information is represented in NetAnalysis by the ActiveBias column as shown in figure 2:
Figure 2
NetAnalysis further uses this information to confirm the selected Time Zone is correct.
| Warning |
|---|
If the Time Zone ActiveBias is in conflict with the Time Zone setting in NetAnalysis, the resulting timestamps may not be represented accurately. |
The calculated ActiveBias is logged to the Audit Log as shown in Figure 3:
Figure 3
If NetAnalysis detects that the Time Zone settings for the forensic investigation are not correct, a warning dialogue will be shown immediately after the data has been imported.
Figure 4 shows the warning dialogue:
Figure 4
| Tip |
|---|
Examination of the ActiveBias column will show which entries are in conflict with the Time Zone Settings. |