Daily Blog #403: Sunday Funday 6/24/18 - ExFAT Timestamp Challenge

Hello Reader,
             Thanks to your great submissions last week I had a really tough time picking a winner. In the end the community as a whole has benefited from your research. You will have a five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and you are allowed to update your submission if you find new information.

ExFAT has been on my mind lately. Let's talk about documentation, expectation and reality in this weeks file system forensics challenge.


The Prize:

$100 Amazon Giftcard

The Rules:

1. You must post your answer before Friday 6/29/18 7PM CST (GMT -5)
2. The most complete answer wins
3. You are allowed to edit your answer after posting
4. If two answers are too similar for one to win, the one with the earlier posting time wins
5. Be specific and be thoughtful 
6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:

ExFAT is documented to have a timezone field to document which timezone a timestamp was populated with. However most tools just see it as FAT and ignore it. For this challenge document for the following operating systems how they populate ExFAT timestamps and which utility will properly show the correct values.

Operating systems:

Windows 7

Windows 10

OSX High Sierre

Ubuntu Linux 16.04

Also Read: Daily Blog #402