Sandfly always shows UTC time as all events reported by Sandfly are in UTC. You can view the local/UTC time by clicking on the timezone icon in the clock.

Sandfly UTC Time

IDEA: UTC Time and Sandfly

UTC time is used for all timestamps Sandfly generates during forensic investigations and for any threats it detects. Using UTC avoids the timezone confusion that arises when systems are scattered across different regions.

NOTE: Local System Time Used for File, Directory, and Process Timestamps

It is important to note that file, directory, and other timestamps that Sandfly collects from a remote host are in that host's local timezone, not UTC, unless the host itself is running on UTC.

For instance, if Sandfly fingerprints a suspicious file and shows you the results, the file creation, modification, and access times will be the remote host's timezone and are not UTC corrected by Sandfly.

The reason for this is to not alter what the remote system shows happening locally when you go to investigate.

By giving you the local system time for suspicious files, directories, and processes, you can simply go to the affected host and compare what you see there directly, without having to correct for timezones while tracking down suspicious activity on that host.
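When you line up a Sandfly event (UTC) against host-side timestamps (host local time) from several systems, you still need to convert the host stamps to UTC to build a single timeline. The following is an added example, not Sandfly's own code or output: it assumes the host's UTC offset is known (the value `date +%z` prints on the host) and uses constructed sample timestamps, host names, and labels.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from Sandfly): one Sandfly event, which is
# always reported in UTC, and two timestamps collected from remote hosts,
# which Sandfly leaves in each host's local time. Host names, labels and
# offsets are assumed values; the offset is what `date +%z` prints on the host.
SANDFLY_EVENT = ("sandfly alert", "2024-03-12T14:05:30Z")
HOST_TIMESTAMPS = [
    ("web01 file mtime", "2024-03-12 10:03:12", "-0400"),    # host running in UTC-4
    ("db02 process start", "2024-03-12 23:04:40", "+0900"),  # host running in UTC+9
]


def parse_utc_offset(offset: str) -> timezone:
    """Turn a `date +%z` style string such as '-0400' into a fixed-offset tzinfo."""
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = int(offset[1:3]), int(offset[3:5])
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def host_local_to_utc(local_ts: str, host_offset: str) -> datetime:
    """Interpret a host-local 'YYYY-MM-DD HH:MM:SS' stamp in the host's offset and return it in UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=parse_utc_offset(host_offset)).astimezone(timezone.utc)


def parse_sandfly_utc(ts: str) -> datetime:
    """Sandfly event timestamps are UTC; the trailing 'Z' is this sample's own notation."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(event, host_stamps):
    """Return (utc_iso, label, seconds_before_event) rows sorted in UTC order.

    Every host stamp is normalised to UTC first, so hosts in different
    timezones can be placed on one timeline next to the Sandfly event.
    """
    event_utc = parse_sandfly_utc(event[1])
    rows = [(event_utc, event[0])]
    for label, local_ts, offset in host_stamps:
        rows.append((host_local_to_utc(local_ts, offset), label))
    rows.sort(key=lambda row: row[0])
    return [
        (when.isoformat(), label, int((event_utc - when).total_seconds()))
        for when, label in rows
    ]


if __name__ == "__main__":
    for utc_iso, label, secs_before in build_timeline(SANDFLY_EVENT, HOST_TIMESTAMPS):
        print(f"{utc_iso}  {label:<20}  {secs_before:>5}s before alert")
```

A fixed offset is all you can recover from a single `date +%z` reading; if a host's timestamps straddle a daylight-saving change, resolve them with the host's IANA zone (`zoneinfo.ZoneInfo`) instead of one offset. The raw host-local values are still what `ls -l` or `stat` will show when you log in to that host, which is why Sandfly leaves them unconverted.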
