by jaclaz
2520 days ago
Well, no, that is a non-explanation. If the format of syslogs doesn't change there should be no issues (or should it be read as "the system logs don't have the year"?) If you don't have the year, it is not a "full date" in the forensic sense of the term, and you simply cannot present such a result in a Court. A statement like "A Netac USB device was connected on May 26, presumably in the year 2019, exactly at 00:51:54 and soon after disconnected, exactly at 00:52:21" won't be good. If it is technically not possible to retrieve the year, then the whole stuff has very little relevance in itself. It would be needed to create a complete timeline of the system under investigation and correlate the month, day, time with activities that have an objective timestamp including the year.
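The correlation described at the end of the post above, as an added example that is not part of the original post or of any tool discussed: a year is reported for a year-less syslog line only when dated anchors on both sides of it leave exactly one possibility. The log lines, the anchor records and all function names are constructed for illustration, and the sketch assumes the lines sit in chronological file order and the system clock was correct.

```python
from datetime import datetime

# Constructed sample: year-less syslog lines in file order (not from a real case).
SYSLOG = [
    "May 25 23:10:02 host kernel: usb 1-1: new high-speed USB device",
    "May 26 00:51:54 host kernel: usb 1-2: Product: Netac",
    "May 26 00:52:21 host kernel: usb 1-2: USB disconnect",
    "May 27 08:00:00 host systemd[1]: Started Session 4.",
]

def parse_yearless(line, year):
    """Parse the 'Mon DD HH:MM:SS' prefix under an assumed year.
    Returns None when the date does not exist in that year (e.g. Feb 29)."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def candidate_years(index, lines, anchors):
    """Years for which line `index` fits between its nearest dated anchors.
    `anchors` is a list of (line_index, datetime) pairs: lines whose event is
    also recorded, with a full date, in an independent artefact (assumption)."""
    before = max((a for a in anchors if a[0] <= index), default=None)
    after = min((a for a in anchors if a[0] >= index), default=None)
    if before is None or after is None:
        return []  # not bracketed on both sides: nothing can be corroborated
    years = []
    for year in range(before[1].year, after[1].year + 1):
        ts = parse_yearless(lines[index], year)
        if ts is not None and before[1] <= ts <= after[1]:
            years.append(year)
    return years

def corroborated_year(index, lines, anchors):
    """Return the year only if exactly one candidate survives, else None."""
    years = candidate_years(index, lines, anchors)
    return years[0] if len(years) == 1 else None

if __name__ == "__main__":
    tight = [(0, datetime(2019, 5, 25, 23, 10, 2)), (3, datetime(2019, 5, 27, 8, 0, 0))]
    loose = [(0, datetime(2018, 5, 25, 23, 10, 2)), (3, datetime(2020, 5, 27, 8, 0, 0))]
    for name, anchors in (("tight", tight), ("loose", loose)):
        print(name, candidate_years(1, SYSLOG, anchors), corroborated_year(1, SYSLOG, anchors))
```

With anchors a few days apart the year is pinned down; with anchors years apart the same line stays ambiguous and no year is returned.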