Linux boot time extraction from the kernel timekeeper.

Reads the kernel timekeeper struct (via the `tk_core` symbol) to derive the system boot epoch. The wall-clock time at dump capture (`xtime_sec`), combined with `wall_to_monotonic` and `offs_boot`, yields the boot time:

```text
boot_epoch = -wall_to_monotonic.tv_sec - (offs_boot / 1_000_000_000)
```

This allows converting a process `start_time` (nanoseconds since boot) into absolute wall-clock timestamps for DFIR timelining.
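As an added worked example (not the crate's own code), the derivation above carried through in Rust on constructed timekeeper values. The `TimekeeperSnapshot` type, its field names and the sample numbers are assumptions standing in for the fields the module reads from `tk_core`; the result is second-resolution, as the formula above is.

```rust
/// Constructed stand-in for the timekeeper fields the derivation needs.
/// Hypothetical type: the real module reads these from `tk_core`.
#[derive(Debug, Clone, Copy)]
pub struct TimekeeperSnapshot {
    /// CLOCK_REALTIME seconds at dump capture (tk->xtime_sec).
    pub xtime_sec: i64,
    /// tk->wall_to_monotonic.tv_sec; normally negative.
    pub wall_to_monotonic_sec: i64,
    /// tk->offs_boot as nanoseconds (time spent suspended).
    pub offs_boot_ns: i64,
}

const NS_PER_SEC: i64 = 1_000_000_000;

impl TimekeeperSnapshot {
    /// boot_epoch = -wall_to_monotonic.tv_sec - (offs_boot / 1e9)
    pub fn boot_epoch(&self) -> i64 {
        -self.wall_to_monotonic_sec - (self.offs_boot_ns / NS_PER_SEC)
    }

    /// Seconds the boottime clock had advanced when the dump was taken.
    pub fn uptime_secs(&self) -> i64 {
        self.xtime_sec - self.boot_epoch()
    }

    /// Sanity check on the recovered struct: boot cannot postdate capture.
    /// A violation usually means the symbol or layout was wrong.
    pub fn is_plausible(&self) -> bool {
        self.boot_epoch() <= self.xtime_sec
    }

    /// Convert a task start_time (ns since boot) to a Unix timestamp (s).
    pub fn process_start_epoch(&self, start_time_ns: u64) -> i64 {
        self.boot_epoch() + (start_time_ns / NS_PER_SEC as u64) as i64
    }
}

fn main() {
    // Constructed sample: ~25 h of uptime including 120 s suspended.
    let tk = TimekeeperSnapshot {
        xtime_sec: 1_700_090_000,
        wall_to_monotonic_sec: -1_700_000_000,
        offs_boot_ns: 120 * NS_PER_SEC,
    };
    println!("boot epoch {} uptime {}s plausible {}",
             tk.boot_epoch(), tk.uptime_secs(), tk.is_plausible());
    // A task that started 3600 s after boot, as found in task_struct.
    println!("task started at {}", tk.process_start_epoch(3_600 * 1_000_000_000));
}
```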
Functions
- extract_boot_time - Extract boot time from the kernel timekeeper struct.