RegistryPlugin.RADAR Timestamp

[Kali0xC]

In the function "public DateTimeOffset GetDateTimeOffset(string timestamp)" on line 60 (within the GitHub view) the "DateTime.FromFileTime()" function is being used. Based on testing and MS documentation (https://learn.microsoft.com/en-us/dotnet/api/system.datetime.fromfiletime?view=net-9.0) this will converts the specified Windows file time to an equivalent local time.

can this please be updated so it will keep the timestamp in UTC?

Thank you

[AndrewRathbun]

@hyuunnn what do you think about this?

[hyuunnn]

It's my mistake. Thank you for finding it. It seems that the local time zone is being applied in the ProfileList, RADAR, WindowsApp and KnownNetworks plugins.

https://github.com/EricZimmerman/RegistryPlugins/blob/5d88ed009f9f8663160548d439633ca39de4276b/RegistryPlugin.ProfileList/ProfileList.cs#L56-L63 https://github.com/EricZimmerman/RegistryPlugins/blob/5d88ed009f9f8663160548d439633ca39de4276b/RegistryPlugin.RADAR/RADAR.cs#L57-L62 https://github.com/EricZimmerman/RegistryPlugins/blob/5d88ed009f9f8663160548d439633ca39de4276b/RegistryPlugin.WindowsApp/WindowsApp.cs#L57-L62 https://github.com/EricZimmerman/RegistryPlugins/commit/38d6d1b126776eb300c7913f098bccfc091dae7a

// before
var dt1 = DateTime.FromFileTime(timestampInt);
return new DateTimeOffset(dt1);

// after
return DateTime.FromFileTime(timestampInt).ToUniversalTime();

[ogmini]

Would it be more "correct" to use FromFileTimeUtc? I might be nitpicking. I'm only noticing because I'm using FromFileTimeUtc in another plugin and want to be consistent.

https://learn.microsoft.com/en-us/dotnet/api/system.datetime.fromfiletimeutc?view=net-9.0

[EricZimmerman]

The function used is fine either way. We assume UTC times in output column names unless it's local then the column name should reflect local