Encoded Time Stamps Search
Another Computer Forensic case and another success… so why I am writing about it? Well.. during analysis process I used kind new evidence searching technique (It’s a little big to say new, but I haven’t heard about it earlier and I think in some situation it can be useful).
- Time Formats in CF
Task was to find any trace of known file on NTFS system.
Standard solution is to make hash compare analysis then keyword search, mft, recycle bin and time line analysis, all this has given no success in this case.
I decided to search unallocated space with encoded date and time values…. Bingo! several hits found, and some of them identified as part of evidence I was looking…. now how it worked:
Operation systems saves time stamps in different formats: Unix time format is number of seconds since 00:00 1 Jan 1970
Example date and time: 2010-10-05 10:04:20
Unix: 32 bit hex value (Little Endian) : 24 F8 AA 4C
Unix epoch: 1286273060
In Microsoft Windows there are several time formats The FILETIME format is the number of 100-nanosecond intervals, since 00:00 1 Jan, 1601 (UTC/GMT).
Windows 64 bit Hex value (Little Endian): 00 AA 7F AD 76 64 CB 01
Filetime Text: 2910824960:30106740
On Fat file systems we can find also different time formats:.
MS-DOS Fat Time + Date: 8A 50 45 3D
MS-DOS Fat Date: 45 3D
There is much more Time formats depending on file system or even specific application (e.g. java time format).
To prepare for Encoded Time Stamp Search we have to
- specify most possible to find time format
- specify dates and times
- encode it in selected time formats
- create GREP expressions (optional, depending on search software will be used)
Fortunately we don’t have to encode time manually two suitable programs we can use are DCode from www.digital-detective.co.uk and The Time Lord by Paul Tew
Category Article Computer forensics posts, tutorial
