Web history consistently appears with incorrect timestamps

I’m working on The Case of the Stolen Szechuan Sauce CTF and noticed that the timestamps for extracted content like web history and shellbags are showing the incorrect times. Every other tool shows the relevant history artifacts at 03:23:41 UTC but Autopsy shows it at 07:23:41 UTC. I tried adding the image using the timezone in its SYSTEM\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName registry value, PST8PDT, and then again at UTC. Either way it still shows the history as 07:23:41 UTC.

See below to see Browsing history view compared with Autopsy


-----------------------------------

Strangely though, the filesystem timestamps that I see in Autopsy are the exact same as those I see in other tools. E.g. a file creation timestamp shown in Autopsy is the same as what I see in other tools. This means that timezones are not being processed/displayed consistently between different artifacts.

One thing I’m curious about is if Autopsy is being affected by my laptop’s timezone. The host laptop where I’m running Autopsy is currently at UTC-04:00 (before anyone says anything, I know this is bad practice. I do practice CTFs from my laptops that I use for day-to-day work. Real case-work is run from a server that is set to UTC).

Has anyone encountered something like this?

@Mark_McKinnon or @Eugene_Livis , have either of you seen this before?

For further testing I added the same image 3 times, selecting a different timezone each time:

I ran the recent activity ingest module on each. The timestamps for things like Web History were the same for each system.

Next I’m going to try changing my system time to UTC to see what effect that has.

Ok. I think I’ve confirmed that the host computer’s timezone at the time the Autopsy case was opened affects the displayed times for certain artifacts.

I did the following:

-Changed laptop timezone to UTC
-Closed Autopsy
-Opened Autopsy and the same CTF case
-Added the same image again
-Ran recent activity ingest module

The web history timestamps for that last run were consistent with what I see using other tools.

@Mark_McKinnon /@Eugene_Livis , if you would like me to submit a bug report on https://github.com/sleuthkit/autopsy/issues please let me know.

@honor_the_data I have not seen this before but I can’t say that I have paid much attention to time stamps. I will create a bug report in our internal bug tracking system, that gets a lot more visibility. I can’t make any promises when it will be addressed though. What data source are you using?

Hi @honor_the_data, sorry for the late reply. Yes I have seen this behavior and I actually put a fix in for one small area: “store windows install date as gmt” (Pull Request #6973, sleuthkit/autopsy on GitHub). What you are describing is correct: if a timezone is not specified then it will default to the machine’s timezone. This happens quite a bit in recent activity where dates are being converted from date/time format to unix epoch time. I am in the process of finding the areas and will be working with @Eugene_Livis to get tickets put into the internal tracking system so that this issue does not get lost. You are more than welcome to submit the bug as well.
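
The behaviour described in the reply above, reproduced as an added example (not code from this thread or from Autopsy): a date/time string converted to Unix epoch without a declared timezone picks up the examiner host's zone, which on a UTC-04:00 machine turns 03:23:41 UTC into 07:23:41 UTC. The function names, the calendar date and the fixed-offset POSIX zone `AST4` standing in for the laptop are assumptions made for the illustration.

```python
import calendar
import os
import time

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample: the thread gives only the time of day, the date is made up.
SAMPLE = "2020-01-01 03:23:41"  # artifact time, recorded in UTC


def to_epoch_host_tz(stamp):
    """Flawed pattern: no timezone given, so the host's zone is applied."""
    return int(time.mktime(time.strptime(stamp, FMT)))


def to_epoch_utc(stamp):
    """Corrected pattern: the string is explicitly treated as UTC."""
    return calendar.timegm(time.strptime(stamp, FMT))


def render_utc(epoch):
    """Format an epoch value the way a UTC timeline column would show it."""
    return time.strftime(FMT, time.gmtime(epoch))


def convert_on_host(stamp, host_tz):
    """Return (flawed, corrected) UTC renderings as seen on a host in host_tz.

    host_tz is a POSIX TZ string; time.tzset() is available on POSIX systems only.
    """
    saved = os.environ.get("TZ")
    os.environ["TZ"] = host_tz
    time.tzset()
    try:
        return (render_utc(to_epoch_host_tz(stamp)),
                render_utc(to_epoch_utc(stamp)))
    finally:
        # Restore the real host timezone so the caller is unaffected.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


if __name__ == "__main__":
    for tz in ("AST4", "UTC0"):  # UTC-04:00 laptop, then the laptop reset to UTC
        flawed, corrected = convert_on_host(SAMPLE, tz)
        print(f"host TZ={tz}: flawed={flawed} UTC, corrected={corrected} UTC")
```

A quick check for any tool: process the same image with the host set to two different timezones and compare a known artifact timestamp; a value that moves with the host clock was converted without an explicit zone.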

Well there you go - happy ending! More or less 🙂

That’s great to hear. Thanks @Mark_McKinnon !