Hi, I have a question regarding Agent Ransack, the -ma flag, and timezones. I'd test this myself, but I'm reluctant to change the timezone on my PC.

Consider the following timeline:

    2:40  2:50  4:00  4:10

At point 1, local time 2:40pm, I edit and save a file F1.

10 minutes later, at point 2, local time 2:50pm, I edit and save a file F2.

10 minutes later, at point 3, daylight savings time kicks in, and the PC's clock automatically jumps forwards one hour; i.e. directly from local time 2:59:59pm, to local time 4:00:00pm.

Finally, 10 minutes later, at point 4, local time (now) 4:10pm, I run Agent Ransack to find all files modified since 2:45PM, i.e. -ma "YYYY-MM-DD 02:45:00 PM" (replacing YYYY-MM-DD with the relevant date).

My question is, exactly where on the timeline shown, will Agent Ransack start searching from? Will it find the change to file F2, or will it miss that change because the time has now jumped forwards by one hour?

There are some obvious related questions such as, what happens when daylight savings jumps backwards, what happens when you change the PC's current timezone manually, and so on. Hopefully you can clarify all this in one answer.

PS. With NTFS filesystem. Would it be different with FAT?

Thanks in anticipation,

File times for files don't change when the clocks change and the time used to compare against files will be that for the local user at the time the search is started. The easiest way to see the time value for a file is to run a simple search and look at the Modified column.

If a file was changed at 1:15am, the clocks went forward at 2am and Agent Ransack was run at 3:30am, Agent Ransack would still 'see' the file as modified at 1:15am because the local time of the file wouldn't have been changed although the current time had changed.

NTFS actually stores file times as UTC times (Coordinated Universal Time) and then uses the user's settings to adjust to local time. FAT stores the actual local time. More information here:
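
The NTFS/FAT difference described in the answer above, as an added example that is not part of the original thread and does not model Agent Ransack's own logic. It decodes both on-disk formats for the 1:15am file; the date, the UTC-5/UTC-4 offsets and all function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed zone: UTC-5 before the clocks go forward, UTC-4 afterwards.
STANDARD = timezone(timedelta(hours=-5))
DAYLIGHT = timezone(timedelta(hours=-4))

def utc_to_filetime(dt):
    """NTFS FILETIME: number of 100 ns ticks since 1601-01-01 UTC."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_utc(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def local_to_fat(dt):
    """FAT packed date/time: wall-clock fields only, no zone, 2 s resolution."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))

def fat_to_local(dos_date, dos_time):
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)

def modified_since(mtime_utc, cutoff_wall_clock, assumed_zone):
    """Compare a UTC mtime with a typed wall-clock cut-off read in assumed_zone."""
    return mtime_utc >= cutoff_wall_clock.replace(tzinfo=assumed_zone)

def demo():
    saved = datetime(2024, 3, 10, 1, 15, tzinfo=STANDARD)  # constructed: 1:15am, before the jump
    instant = filetime_to_utc(utc_to_filetime(saved))       # what NTFS can recover
    wall = fat_to_local(*local_to_fat(saved.replace(tzinfo=None)))  # what FAT can recover
    cutoff = datetime(2024, 3, 10, 1, 30)                   # constructed cut-off typed by a user
    return {
        # NTFS: one unambiguous instant; only the rendering depends on the offset applied.
        "ntfs_utc": instant.strftime("%H:%M"),
        "ntfs_shown_standard": instant.astimezone(STANDARD).strftime("%H:%M"),
        "ntfs_shown_daylight": instant.astimezone(DAYLIGHT).strftime("%H:%M"),
        # FAT: the wall-clock reading is fixed, but the instant it denotes is not.
        "fat_wall_clock": wall.strftime("%H:%M"),
        "fat_utc_if_standard": wall.replace(tzinfo=STANDARD).astimezone(timezone.utc).strftime("%H:%M"),
        "fat_utc_if_daylight": wall.replace(tzinfo=DAYLIGHT).astimezone(timezone.utc).strftime("%H:%M"),
        # The same typed cut-off selects or skips the file depending on the offset assumed.
        "hit_cutoff_as_standard": modified_since(instant, cutoff, STANDARD),
        "hit_cutoff_as_daylight": modified_since(instant, cutoff, DAYLIGHT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

When correlating file times across a clock change, record the UTC instant where the filesystem provides one, and note the offset assumed for any FAT timestamp.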


