10 May 2020

Timezone for mft, plaso, elasticsearch

The MFT stores timestamps in UTC (64-bit FILETIME values, counted in 100-nanosecond ticks since 1601-01-01). Only the user-facing application (Windows Explorer) converts them to the configured local timezone when it shows them to the user.

log2timeline parses the disk image/partition and writes the extracted events into the .plaso storage file, with all timestamps in UTC.

When psort.py is run against the .plaso file, the .csv it produces also carries timestamps in UTC (the default output timezone).


When the CSV data is pushed into Elasticsearch, Elasticsearch treats a date string that carries no explicit offset as UTC and stores the instant as UTC.

Then, when Kibana displays the data in the browser, it converts the timestamps to the browser's timezone (which is normally the same as the user's desktop timezone).


But bear in mind: if you query Elasticsearch directly with your own scripts or tools, the timestamps you get back are in UTC. Convert your search window to UTC before querying, and convert the results to local time yourself if you need to show them to someone.
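To make the chain concrete, here is an added example (not code from the original post, plaso, or Elasticsearch) that follows one MFT timestamp through each stage above: decoding the raw FILETIME as UTC, converting it for display the way Explorer or Kibana would, rebuilding an aware datetime from the date/time/timezone columns of a psort CSV row, mimicking how Elasticsearch interprets a date string with and without an offset, and building a UTC-normalised range filter for a direct query. The l2tcsv header and row are constructed sample data, the local zone is assumed to be Asia/Kuala_Lumpur (UTC+8, no DST, modelled as a fixed offset), and the `datetime` field name in the range query is an assumption.

```python
"""Added example: trace one timestamp through MFT -> plaso -> psort CSV -> Elasticsearch -> display."""
import csv
import io
from datetime import datetime, timedelta, timezone, tzinfo
from zoneinfo import ZoneInfo

# NTFS FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed analyst/browser timezone: Asia/Kuala_Lumpur is UTC+8 year-round,
# so a fixed offset is equivalent and avoids depending on system tzdata.
LOCAL_ZONE = timezone(timedelta(hours=8), name="Asia/Kuala_Lumpur")


def filetime_to_utc(filetime: int) -> datetime:
    """Decode a raw $STANDARD_INFORMATION/$FILE_NAME FILETIME to an aware UTC datetime.
    This is what is on disk: no timezone has been applied yet."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def display_in_zone(ts_utc: datetime, zone: tzinfo) -> datetime:
    """What Explorer (desktop zone) or Kibana (browser zone) does before showing a value."""
    return ts_utc.astimezone(zone)


def parse_as_elasticsearch(ts_str: str) -> datetime:
    """Mimic Elasticsearch's handling of a date string: honour an explicit offset,
    otherwise assume UTC. Returns the instant normalised to UTC."""
    ts = datetime.fromisoformat(ts_str)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


# Constructed l2tcsv-style header and one row, as psort would emit with the default UTC zone.
SAMPLE_L2TCSV = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
05/10/2020,00:00:00,UTC,M...,FILE,NTFS $MFT,Content Modification Time,-,WORKSTATION,-,-,2,/Users/user/secret.docx,12345,-,filestat,-
"""


def parse_l2tcsv(text: str) -> list[datetime]:
    """Rebuild aware datetimes from the date/time/timezone columns of psort CSV output,
    trusting the timezone column rather than silently assuming local time."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        naive = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        zone = timezone.utc if row["timezone"] == "UTC" else ZoneInfo(row["timezone"])
        out.append(naive.replace(tzinfo=zone))
    return out


def es_range_query(start: datetime, end: datetime, field: str = "datetime") -> dict:
    """Build a range filter for a direct query. Bounds are sent as UTC ISO-8601 strings,
    because Elasticsearch stores and compares in UTC; 'datetime' is an assumed field name."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes so the UTC conversion is unambiguous")
    return {"range": {field: {
        "gte": start.astimezone(timezone.utc).isoformat(),
        "lt": end.astimezone(timezone.utc).isoformat(),
    }}}


if __name__ == "__main__":
    # FILETIME for 2020-05-10 00:00:00 UTC: (1589068800 + 11644473600) * 10**7
    raw = 132335424000000000
    on_disk = filetime_to_utc(raw)
    print("MFT (UTC)      :", on_disk.isoformat())
    print("Explorer view  :", display_in_zone(on_disk, LOCAL_ZONE).isoformat())
    print("psort CSV row  :", parse_l2tcsv(SAMPLE_L2TCSV)[0].isoformat())
    print("ES, no offset  :", parse_as_elasticsearch("2020-05-10T00:00:00").isoformat())
    print("ES, +08:00     :", parse_as_elasticsearch("2020-05-10T08:00:00+08:00").isoformat())
    # Analyst wants "10 May, local day": convert the window to UTC before querying.
    day_start = datetime(2020, 5, 10, tzinfo=LOCAL_ZONE)
    print("Range query    :", es_range_query(day_start, day_start + timedelta(days=1)))
```

The two `parse_as_elasticsearch` calls are the trap in one line: a string with `+08:00` and a bare string eight hours earlier land on the same UTC instant, so a script that formats the stored value without `astimezone()` is showing UTC, not local time, even though Kibana on the same data shows local time.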
