by James Habben
I posted earlier about how to enable EnCase to show the timezone for all of the timestamps that it displays. I wanted to follow that up with a post on how that can be accomplished with X-Ways Forensic (XWF) as well.
This is a pretty simple one. Don’t do anything. The default setting already has the timezone offset displayed with times. Well, you have to do one small thing, and that is to expand the column. XWF has it displayed in a slightly greyed color and all you have to do is make the column wider to show it.
I haven’t done extensive testing on this, but it seems that XWF is similar to EnCase in that it takes the timezone setting of the machine your are running on to use inside the case.
To change that setting, use the ‘Options’ menu and select ‘General Options’. In there, you will find a button at the button at the bottom of the window for ‘Display Time zone…’. Click that.
Once you have that window open, choose your timezone and click OK and OK.
Edit: @jarlethorsen on Twitter gave me a couple more ways to change the timezone.
You can set the timezone with a right click at the top of the case tree in the Case Data window on the left of the screen. Choose the ‘Properties…’ option.
On that window, you have two options. Set the timezone for the entire case (orange arrow), or unlock the option (pink arrow) to set the timezone for each evidence file or even for each partition of each evidence file.
If you check the box, then you do another right click > properties on each item you need to change the setting for and you will get this window.
Thanks for reading!
James Habbentags: X-Ways