`mactime` outputs timestamp as localtime if `-y` was not specified

[janstarke]

sleuthkit/tools/timeline/mactime.base

Line 560 in 7867797

localtime($time);

For incident response, especially in a global context, it is important to have comparable timestamps. If I run mactime somewhere in Europe on a certain sample, I should get the same results as my colleague in the US does, but this is not the case as long -y was not specified as parameter. But, If I do not want the ISO format, but want to work with UTC, there's not good way to do it.

More important, if you're doing an analysis which lasts some days, and you're entering or leaving the daylight saving time during that analysis, even your own results will not be consistent.

I suggest one of the following solution:

1. mactime should always output times in UTC, independent of the format
2. There should be a parameter which allows one to specify the intended output timezone explicitly

In addition, the behaviour of -z feels strange. For example, I have a line with the timestamp 1630321428, which matches to Monday, 2021-08-30 11:03:48. My local time is UTC+0200. When I run mactime with -z Europe/Berlin (which is UTC+0200, also), I get Monday, 2021-08-30 13:03:48, which is unexpected, because I told mactime that the bodyfile is in localtime, so there should be no change at all.

[joachimmetz]

Related issue regarding behavior of -z #2423

[janstarke]

fixed by #2532