The following applies only to MAC times created or modified between the effective dates for old and new Daylight Savings Times. Any MAC dates not created or modified between the old and new DST effective dates will always display correctly in FTK.

Before 2007, Daylight Savings Time went into effect at 2:00 AM on the first Sunday in April, and went out of effect at 2:00 AM on the last Sunday in October.

Beginning in 2007, DST goes into effect at 2:00 AM on the second Sunday in March (March 11, 2007) and goes out of effect at 2:00 AM on the first Sunday in November (November 4, 2007).

The tables below show the different effects of examining FAT or NTFS volumes that did or did not have the DST patch from Microsoft applied to the acquired volume, as well as the effects of the forensic exam machine having or not having the patch applied, and the forensic examiner using the local machine settings or the Display Time Zone function in FTK to view the evidence.

Please note that the first table is for FTK versions 1.70 and higher. The second table is for FTK versions 1.62 and lower.

The screenshots on the linking pages illustrate the possible discrepancies that may occur in FTK given the scenarios from the table above. The files from the FAT32 partition in the screenshots have a true creation time of 6:44 PM to 6:45 PM. The files from the NTFS partition in the screenshots have a true creation time of 9:08 AM to 9:10 AM.

The files named Before mar 07, After Mar 07, before oct 07, and After nov 07 were created outside of the affected date range and will always show correct timestamps in FTK. The files named between mar 07 and between oct 07 were created between the former and current effective dates for DST and FTK will give the display discrepancies as noted in the table above.