Dear developers,
I noticed that Volatility displays dates and times in up to three different timezones:
1. UTC (e.g. pslist, sockets, and the corresponding scanner modules)
2. local time of the system under examination (e.g. datetime, ident commands)
3. local time of the examiner's workstation (when using ctime() for formatting)
I usually prefer UTC, especially when I have to consolidate timelines
across systems that are distributed across different timezones. Using the
local time may be a good choice when dealing with less-technical people.
So, I don't think there's a "best" option and propose to let the user
decide about the timezone that best suits his/her needs. The handling (and
output format) should be consistent to avoid any misinterpretation and
confusion.
In order to provide a consistent interface to users and programmers, I propose to add functions to the framework (or to modify existing functions, respectively):
- to switch between the three options in a consistent way (i.e. add an option to the standard parser)
- to read timestamps in all applicable formats (mostly KSYSTEM_TIME, but also LARGE_INTEGER with bit shifting) from buffers and address spaces (see forensics/win32/datetime.py)
- to produce the timestamp in an easy to read, unambiguous, and sortable format (preferably in accordance with ISO 8601)
Before I start with coding, I want to hear your opinion on this. I
appreciate any comments.
Thanks!
Andreas
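An added example (not Andreas's code and not Volatility's own) showing how the three pieces proposed above could fit together in Python: reading KSYSTEM_TIME and LARGE_INTEGER values from a raw buffer, mapping the three timezone options to a tzinfo, and rendering ISO 8601 with an explicit offset. The function names, the "utc"/"image"/"local" option names and the sample bytes are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows timestamps count 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def ticks_to_datetime(ticks):
    """64-bit FILETIME tick count -> timezone-aware UTC datetime (None if unset)."""
    if ticks == 0:
        return None  # zero means "not set" in most kernel structures
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)

def read_large_integer(buf, offset=0):
    """Read a little-endian LARGE_INTEGER {ULONG LowPart; LONG HighPart;} from buf."""
    low, high = struct.unpack_from("<Ii", buf, offset)
    return ticks_to_datetime((high << 32) | low)

def read_ksystem_time(buf, offset=0):
    """Read a KSYSTEM_TIME {ULONG LowPart; LONG High1Time; LONG High2Time;} from buf.

    The kernel updates High1Time and High2Time around LowPart so a reader can
    detect a torn value; a memory image captured mid-update can contain one.
    """
    low, high1, high2 = struct.unpack_from("<Iii", buf, offset)
    if high1 != high2:
        raise ValueError("inconsistent KSYSTEM_TIME: High1Time != High2Time")
    return ticks_to_datetime((high1 << 32) | low)

def select_timezone(mode, image_bias_minutes=0):
    """Map the three display options to a tzinfo: 'utc', 'image' (local time of the
    examined system, from its registry Bias = UTC - local, in minutes) or 'local'
    (the examiner's workstation). Option names are assumptions for this example."""
    if mode == "utc":
        return timezone.utc
    if mode == "image":
        return timezone(timedelta(minutes=-image_bias_minutes))
    if mode == "local":
        return datetime.now().astimezone().tzinfo
    raise ValueError("unknown timezone mode: %r" % mode)

def format_timestamp(dt, tz=timezone.utc):
    """ISO 8601 with explicit offset: unambiguous, and sorts lexically within one zone."""
    return "-" if dt is None else dt.astimezone(tz).isoformat(timespec="seconds")

# Constructed sample (not from a real image): 2009-01-01T00:00:00Z, i.e. the
# FILETIME of the Unix epoch plus 1230768000 Unix seconds, in both layouts.
_TICKS = 116444736000000000 + 1230768000 * 10**7
SAMPLE_LARGE_INTEGER = struct.pack("<Q", _TICKS)
SAMPLE_KSYSTEM_TIME = struct.pack("<Iii", _TICKS & 0xFFFFFFFF, _TICKS >> 32, _TICKS >> 32)
```

Rendering the same value with `select_timezone("image", 300)` (an EST Bias) gives `2008-12-31T19:00:00-05:00`, which is why a consistent, explicit offset matters when timelines from several systems are merged.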