RAR Times: Local or UTC?

Some reviewers have questioned the claim stated in the Guccifer 2.0 NGP/VAN Metadata Analysis report that the .rar files analyzed in that study recorded file times in local (relative) time.  In short, newer implementations of WinRAR use the “version 5” format and in that format times are recorded as UTC times.  However, the .rar files analyzed in this study use the older version 4 format which records times in “local” (relative) format.

A 4chan user asserted that the analysis was flawed:

Guc-rar-times-4chan

A fellow 4chan user corrected the misunderstanding.

Guc-rar-times-4chan-reply

As background, WinRAR has been around a long time; its file format has changed over time.  In recent releases of WinRAR the default format is version 5.  However, in previous releases, the version 4 format was used.  We can turn to the WinRAR help screen for clarification.

Guc2-RAR-v5-new-features-UTC

To confirm that version 4 .rar files were found in the “NGP VAN” 7zip fie we can consult one of the screenshots from the report.

Guc2-rar-v4-format

Given that the .rar files are all in version 4 format, we can safely assume that the file times recorded in those archives are in local (relative) time, not UTC.

Advertisements

5 thoughts on “RAR Times: Local or UTC?

  1. Comments are closed. They have been open for over a month; hopefully this has given ample opportunity for readers to comment. Responding to comments is worthwhile, but time-consuming; The Forensicator needs to turn his attention to other projects. Thank you everyone who has taken the time to comment.
    — The Forensicator

    Like

  2. How do you support the claim that this was the original download? For example, is it possible that the files were accessed remotely, and THEN the downloaded files were copied onto a drive on a computer on the east coast?

    Like

    1. Please re-submit your comment to the main thread, https://theforensicator.wordpress.com/2017/07/09/guccifer2-metadata-analysis/ and I will reply there. Also, please clarify/extend your current comment. Are you saying, something like DNC -> Romania -> US East Coast? Are you assuming that any of those two links can sustain 23 Mbytes/sec? (note: above, I’m using DNC as origin, Romania as intermediary only because that was G2’s original claim. Use whatever nomenclature you’re comfortable with).

      Like

Comments are closed.