Full file system extraction - Timestamps are updated to extraction time #4
Assignees
Comments
|
Hi, thank you for letting me know. I'm going to take a peak into how pymobiledevice handles timestamps during the extraction. |
|
@Lou511 Could you also tell me the commercial tools you used so I can test as well? Thanks again |
|
Hi Jack. No problem. I used Cellebrite PA and Axiom. Let me know if you
want me to send you screenshots.
…On Wed, May 6, 2020 at 12:25 PM Jack Farley ***@***.***> wrote:
@Lou511 <https://github.com/Lou511> Could you also tell me the commercial
tools you used so I can test as well? Thanks again
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADFINU4QFY4CBRQR6CGNNMLRQGFQBANCNFSM4MYV6LJQ>
.
|
|
Screenshots would be great. And both tools are showing the same timestamps? I'm digging through the code and I do see some possible fixes |
|
I think I may add support for AFF4 which will have much more support for preserving timestamps... (Jessica Hyde suggested AFF4) Changing directories modified timestamps is a bit weird on Python since the folders aren't in a container, but files may be easier to make the timestamps preserved |
|
Let me pull up the test data in both tools, and respond with the timestamps
in front of me. I'll send you those screenshots, though.
…On Wed, May 6, 2020 at 12:48 PM Jack Farley ***@***.***> wrote:
Screenshots would be great. And both tools are showing the same timestamps?
I'm digging through the code and I do see some possible fixes
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADFINU2G7GZZQR73AQEFRSDRQGIGRANCNFSM4MYV6LJQ>
.
|
|
Interesting. I have been searching for a container that will preserve
timestamps. Thing is, I had an issue with ACQUIRE preserving timestamps.
It seems there is an issue with timestamps for FFS extractions (only
modified timestamps were showing), and for logical extractions, as well
(all timestamps for directories were being updated, but not for files). In
addition, the timestamp issue seemed to only affect the Media directory -
thought, this was my only area of focus in the first place. Not sure if
other directories were being affected.
I tried pulling data from my test device using tar, and encountered issues
for FFS extractions - only the modified timestamps were showing. I don't
know how Cellebrite used to do it - I believe they used to
preserve timestamps using .tar.
…On Wed, May 6, 2020 at 12:59 PM Jack Farley ***@***.***> wrote:
I think I may add support for AFF4 which will have much more support for
preserving timestamps... (Jessica Hyde suggested AFF4) Changing directories
modified timestamps is a bit weird on Python since the folders aren't in a
container.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADFINU6N4GXIMO34VQRO6SLRQGJO3ANCNFSM4MYV6LJQ>
.
|
|
Hi Jack. Sorry for the delay. Attached are two screenshots showing the
timestamps I mentioned. Axiom does show additional columns showing true
timestamps.
…On Wed, May 6, 2020 at 12:59 PM Jack Farley ***@***.***> wrote:
I think I may add support for AFF4 which will have much more support for
preserving timestamps... (Jessica Hyde suggested AFF4) Changing directories
modified timestamps is a bit weird on Python since the folders aren't in a
container.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#4 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ADFINU6N4GXIMO34VQRO6SLRQGJO3ANCNFSM4MYV6LJQ>
.
|
|
Hi again, just updated the code to change the modify times on both windows and linux, and on Windows the birth time is set as the creation time |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
HI Jack. I used MEAT to perform a full file system extraction on an iPhone 7 Plus. I am using Checkra1n for my JB. I processed the extraction using two commercial tools. It looks like timestamps for certain directories and files are set to the time I extracted the data. For example, directories and files under the Media category have all timestamps set to yesterday, when I did the extraction. Time stamps for records pulled from databases, like KnowledgeC or call logs, are not updated to extraction time. Please let me know what other information I can provide about this issue, to help resolve it.
The text was updated successfully, but these errors were encountered: