So I was analyzing some bookmark files and noticed the volume creation time didn't make sense. The time was too old.
If you're at all familiar with Bookmark files you should know there are resource properties embedded inside them.
The particular property resource value that was throwing me off was NSURLVolumeCreationDateKey.
According to the Apple Developer documentation a NSURLVolumeCreationDateKey is a:
Key for the volume’s creation date, returned as an NSDate object, or NULL if it cannot be determined (read-only).
Simple enough. It should represent the creation time of the volume.
What didn't make sense was the creation date returned was August 2008 and that couldn't be right. My VM isn't that old.
NSURLVolumeCreationDateKey = "2008-08-22 14:48:36"
Some digging turned up a file called, preformattedHFSVolume.vmdk.
/Applications/VMware\ Fusion.app/Contents/Resources/preformattedHFSVolume.vmdk
When building Mac VM via VMWare Fusion, it appears VMWare uses a pre-formatted HFS+ volume.
If you open the preformattedHFSVolume.vmdk in a hex editor and search for, H+ or HFSJ you should see the following volume header.
Now if we take the hex and convert it into human readable format you get.
>>> print mactimeConvert(0xC4D48244)
2008-08-22 14:48:36
So if you ever wondered why you see this timestamp in your volume header, now you know.
Nothing earth shattering, but neat.
Enjoy!