Addition of the Date Added timestamp in TSK output #696

ghost opened this Issue Aug 8, 2016 · 0 comments


ghost commented Aug 8, 2016

I would like to have the date added timestamp included in the output of the various TSK tools. I've written a blog about this here. I also documented some of the source code below and a possible solution?

If you reference the struct within TN-1150 you get:

struct ExtendedFileInfo {
  SInt16    reserved1[4];
  UInt16    extendedFinderFlags;
  SInt16    reserved2;
  SInt32    putAwayFolderID;
};
typedef struct ExtendedFileInfo   ExtendedFileInfo;

The TSK source is:

typedef struct {
    uint8_t res1[8];      /* reserved 1 */
    uint8_t extflags[2];  /* extended finder flags */
    uint8_t res2[2];      /* reserved 2 */
    uint8_t folderid[4];  /* putaway folder id */
} hfs_extendedfileinfo;

There is a newer hfs_format.h. If you look at the extended file info struct you get:

You will see they repurposed some of the bytes. The first 4 bytes are still reserved, but they repurposed the next 4 bytes as the date_added timestamp.

struct FndrExtendedFileInfo {
    u_int32_t reserved1;
    u_int32_t date_added;
    u_int16_t extended_flags;
    u_int16_t reserved2;
    u_int32_t reserved3;    
} __attribute__((aligned(2), packed));

Possible TSK struct patch?

typedef struct {
    uint32_t document_id;        /* Not sure?? */
    uint32_t date_added;         /* Date added */
    uint16_t extflags;           /* ext finder flags */
    uint16_t res2;               /* reserved 2 */
    uint32_t write_gen_counter;  /* Not sure?? */
} hfs_extendedfileinfo;
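
Added example, not part of the original issue and not TSK code: a bounds-checked reader for the 16-byte extended Finder info that pulls date_added from bytes 4-7 as laid out in the FndrExtendedFileInfo struct above. The names `ext_info_view` and `parse_ext_file_info`, the sample bytes, and the Unix-epoch interpretation in `main` are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Offsets in the 16-byte extended Finder info, from the FndrExtendedFileInfo
 * layout quoted above. Names here are hypothetical, not TSK identifiers. */
enum { EXT_INFO_LEN = 16, OFF_DATE_ADDED = 4, OFF_EXT_FLAGS = 8 };

typedef struct {
    uint32_t date_added;  /* raw on-disk value converted to host order */
    uint16_t ext_flags;   /* extended Finder flags */
} ext_info_view;

/* HFS+ stores multi-byte integers big-endian, so assemble them byte by byte
 * instead of casting the buffer to a struct of uint32_t fields. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint16_t be16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Returns 0 on success, -1 on a NULL argument or a truncated record. */
int parse_ext_file_info(const uint8_t *buf, size_t len, ext_info_view *out) {
    if (buf == NULL || out == NULL || len < EXT_INFO_LEN)
        return -1;
    out->date_added = be32(buf + OFF_DATE_ADDED);
    out->ext_flags = be16(buf + OFF_EXT_FLAGS);
    return 0;
}

/* Constructed sample: reserved1 = 0, date_added = 0x57A7CB80, rest zero. */
static const uint8_t sample_ext_info[EXT_INFO_LEN] = {
    0x00, 0x00, 0x00, 0x00, 0x57, 0xA7, 0xCB, 0x80,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

int main(void) {
    ext_info_view v;
    if (parse_ext_file_info(sample_ext_info, sizeof sample_ext_info, &v) != 0)
        return 1;
    time_t t = (time_t)v.date_added;  /* assumption: seconds since Unix epoch */
    char ts[32];
    strftime(ts, sizeof ts, "%Y-%m-%d %H:%M:%S", gmtime(&t));
    printf("raw=%u utc=%s flags=0x%04x\n", (unsigned)v.date_added, ts, (unsigned)v.ext_flags);
    return 0;
}
```

Reading from byte offsets keeps the result independent of host endianness and struct padding, which a struct of native uint32_t fields overlaid on the on-disk bytes would not.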