Comments on Yogesh Khatri's forensic blog: APFS timestamps

Blog author: Yogesh Khatri (http://www.blogger.com/profile/03726664886311447808)
Feed updated: 2024-01-01T03:51:10.857-05:00

Joachim Metz (https://www.blogger.com/profile/14169983450780601879), 2018-09-18T01:29:35.847-04:00:

Thx, for the reader, I've seen this error in several publications about APFS by now.

Yogesh Khatri (https://www.blogger.com/profile/18391374024639697695), 2018-09-16T21:40:10.045-04:00:

You are correct Joachim. This should be int64, not uint64. Thanks for catching that bug (untested use case). I will change all my APFS library code to reflect this.

Joachim Metz (https://www.blogger.com/profile/14169983450780601879), 2018-09-15T08:05:45.318-04:00:

To me it looks more likely that the timestamp is a signed value.

```
touch -t 194001010000 /Volumes/SingleVolume/myfile.txt

-rw-r--r-- 1 user staff 0 Jan 1 1940 myfile.tzt
```

```
printf "0x%x\n" $(( `date -u -d"1940-01-01 00:00:00" +"%s"` * 1000000000 ))
0xf2dc649c1c6e0000
```

```
00000000: 02 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 ........ ........
00000010: 3a c7 32 1b a1 90 54 15 00 60 b5 eb 55 61 dc f2 :.2...T. .`..Ua..
00000020: 01 68 33 1b a1 90 54 15 00 60 b5 eb 55 61 dc f2 .h3...T. .`..Ua..
00000030: 00 80 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ........ ........
00000040: 01 00 00 00 00 00 00 00 63 00 00 00 63 00 00 00 ........ c...c...
00000050: a4 81 00 00 00 00 00 00 00 00 00 00 01 00 10 00 ........ ........
00000060: 04 02 0b 00 6d 79 66 69 6c 65 2e 74 78 74 00 00 ....myfi le.txt..
00000070: 00 00 00 00 ....
```

`00 60 b5 eb 55 61 dc f2` matches the calculated value 0xf2dc649c1c6e0000