Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Addition of the Date Added timestamp in TSK output #696
I would like to have the date added timestamp included in the output of the various TSK tools. I've written a blog about this here. I also documented some of the source code below and a possible solution?
If you reference the struct within TN-1150 you get:
The TSK source is:
There is a newer hfs_format.h. If you look at the extended file info struct you get:
You will see they repurposed some of the bytes. The first 4 bytes are still reserved, but repurposed the next 4 bytes as the date_added timestamp.
Possible TSK struct patch?