Timestamp Information and Commands for Forensic Analysis

December 12, 2016


When conducting a forensic analysis of Windows operating systems, it is extremely important for the analyst to understand the various time formats present within the Windows OS.  Since many examinations come down to the time stamps on various artifacts, the analyst should be able to describe and explain the various time stamp formats if asked to do so during testimony.  In many instances, analysts have failed to adequately explain when a file was created, modified or accessed because they did not know the time format in which that information was recorded.

This short document provides an overview of the various time formats present in many Windows Operating Systems to assist in the identification and explanation of the time stamps located during timeline analysis or some other part of a forensic analysis.

First, the analyst must understand that time stamps can be recorded in a variety of ways, including UTC or local system time.  Many forensic tools on the market today do a fantastic job of translating these time stamps for you, but as with any aspect of forensics, the analyst should be knowledgeable of the underlying theory and practice of how the forensic software goes about translating the time stamps.  There is nothing more embarrassing than providing testimony during a trial and being asked a question that you cannot answer!  I have seen and heard of many defense attorneys utilizing time stamps as a favorite avenue from which to attack the “expert” testimony of a forensic analyst.

There are not many formats; however, it is extremely important to know the basics and to be able to research any questions you might come across during an analysis.  This short article provides some websites to assist you in this research and, hopefully, to broaden your knowledge.

So to the time formats!

Proprietary Software

First, many computers have numerous different programs installed.  Many of these post-factory installations utilize their own time formatting.  Anti-virus programs, for example, are known to use their own time formats and to carry that formatting over into their logs.  If you come across a piece of software installed on a system and a question arises regarding its time format, go to that company’s web site and look for a document detailing the software’s operation.

64-bit FILETIME format

This format is one of the most frequently found in Windows OS.  It maintains the number of 100-nanosecond intervals since midnight on January 1, 1601, in Coordinated Universal Time (UTC).  64-bit FILETIME formatting is used throughout a variety of Windows system files, including several found in the Registry.  As a side note, UTC is synonymous with Greenwich Mean Time (GMT).  You can learn more about this time format by visiting http://msdn.microsoft.com/en-us/library/ms724284.

SYSTEMTIME Format

This format records the year, month, day of the week, day, hour, minute, second and millisecond, in that order.  These times are then converted to UTC using the local computer’s time zone and daylight saving settings.  You might find this format in Windows XP and 2003 .job files, and it has been carried over to some Registry values on Windows Vista and 7.  You can learn more about this time format at https://msdn.microsoft.com/en-us/library/ms724950.

32-bit Unix Format

That is correct: you could see a Unix-style time format on a Windows system.  This format records time as the number of seconds since midnight on January 1, 1970, again in UTC.  Windows 2000, XP and 2003 use this format in several event log records.  You can learn more about this format at https://msdn.microsoft.com/en-us/library/aa363646.

String Format

This is one you really can’t miss if you come across it during a forensic analysis.  It is in the familiar form 12/03/2016 6:45 PM.  These values are recorded in local system time, produced by taking the UTC time stamp and converting it to local time using the time zone and daylight saving settings stored in the Registry of that system.  IIS web server logs are maintained in a similar format, but with a comma between the date and time fields.  IIS also records its time stamps in UTC.

DOSDate Format

DOSDate is a 32-bit format, with the first 16 bits holding the date and the last 16 bits holding the time.  This type of time stamp is found in shell items, which appear in Jump Lists (Windows 7 & 8), Windows shortcut files and a range of Registry data.  You can learn more about this time format at https://msdn.microsoft.com/en-us/library/ms724274.

There are a number of tools and pieces of code that can assist you in translating these various time stamp formats into a common format to help with your analysis.  Below are the common Windows API functions for working with time stamps, grouped by the kind of time they operate on.
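As an added example (not code from the original article), the following decodes each of the binary formats described above from raw little-endian bytes into one common representation, so the same instant can be compared across artifacts.  The sample byte strings are constructed to encode the article's own 12/03/2016 6:45 PM instant; the zero-value and day-of-week checks are assumptions about how an analyst would want unset or inconsistent values surfaced.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # fixed by the FILETIME specification

def filetime_to_utc(raw: bytes):
    """Little-endian 64-bit FILETIME: 100-ns ticks since 1601-01-01 UTC (100-ns digit truncated)."""
    ticks, = struct.unpack("<Q", raw)
    if ticks == 0:
        return None  # an all-zero FILETIME means "not set", not the year 1601
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def unix32_to_utc(raw: bytes):
    """Little-endian unsigned 32-bit Unix time: seconds since 1970-01-01 UTC."""
    seconds, = struct.unpack("<I", raw)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def dosdate_to_local(raw: bytes):
    """32-bit DOSDate: date WORD then time WORD. No time zone, 2-second resolution."""
    date, time = struct.unpack("<HH", raw)
    if date == 0:
        return None  # a zero date word means the field is unset
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)

def systemtime_to_naive(raw: bytes):
    """16-byte SYSTEMTIME (eight little-endian WORDs); UTC or local depends on the artifact."""
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek (Sunday = 0) is redundant; a mismatch points at corruption or a wrong offset.
    if dt.isoweekday() % 7 != dow:
        raise ValueError(f"wDayOfWeek={dow} does not match {dt.date()}")
    return dt

def to_common(dt) -> str:
    """Common output form: ISO 8601, UTC marked 'Z', zone-less values labelled as such."""
    if dt is None:
        return "(unset)"
    if dt.tzinfo is None:
        return dt.isoformat() + " (no time zone recorded)"
    return dt.isoformat().replace("+00:00", "Z")

def decode_samples():
    """Constructed sample bytes, all encoding the article's example instant, 12/03/2016 6:45 PM."""
    return [to_common(decode(bytes.fromhex(h))) for decode, h in (
        (filetime_to_utc, "009ed859954dd201"),
        (unix32_to_utc, "ac124358"),
        (dosdate_to_local, "8349af95"),  # 18:45:31 stored, 18:45:30 recovered
        (systemtime_to_naive, "e0070c000600030012002d000000f401"))]
```

Running `print(*decode_samples(), sep="\n")` lists the four decoded values; the FILETIME and Unix samples agree exactly, while the DOSDate line shows the 2-second loss an analyst must account for when correlating shell item times with other artifacts.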

These functions are used with system time:

GetSystemTime
Retrieves the current system date and time in UTC format.

GetSystemTimeAdjustment
Determines whether the system is applying periodic time adjustments to its time-of-day clock.

GetTimeFormat
Formats a system time as a time string for a specified locale.

NtQuerySystemTime
Returns the system time.

RtlLocalTimeToSystemTime
Converts the specified local time to system time.

RtlTimeToSecondsSince1970
Converts the specified system time to the number of seconds since the first second of January 1, 1970.

SetSystemTime
Sets the current system time and date.

SetSystemTimeAdjustment
Enables or disables periodic time adjustments to the system’s time-of-day clock.

SystemTimeToFileTime
Converts a system time to a file time.

SystemTimeToTzSpecificLocalTime
Converts a UTC time to a specified time zone’s corresponding local time.

TzSpecificLocalTimeToSystemTime
Converts a local time to a UTC time.

These functions are used with local time:

EnumDynamicTimeZoneInformation
Enumerates dynamic daylight saving time information entries stored in the registry.

FileTimeToLocalFileTime
Converts a UTC file time to a local file time.

GetDynamicTimeZoneInformation
Retrieves the current time zone and dynamic daylight saving time settings.

GetDynamicTimeZoneInformationEffectiveYears
Retrieves a range, expressed in years, for which a DYNAMIC_TIME_ZONE_INFORMATION has valid entries.

GetLocalTime
Retrieves the current local date and time.

GetTimeZoneInformation
Retrieves the current time zone settings.

GetTimeZoneInformationForYear
Retrieves the time zone settings for the specified year and time zone.

RtlLocalTimeToSystemTime
Converts the specified local time to system time.

SetDynamicTimeZoneInformation
Sets the current time zone and dynamic daylight saving time settings.

SetLocalTime
Sets the current local time and date.

SetTimeZoneInformation
Sets the current time zone settings.

SystemTimeToTzSpecificLocalTime
Converts a UTC time to a specified time zone’s corresponding local time.

SystemTimeToTzSpecificLocalTimeEx
Converts a UTC time with dynamic daylight saving time settings to a specified time zone’s corresponding local time.

TzSpecificLocalTimeToSystemTime
Converts a local time to a UTC time.

TzSpecificLocalTimeToSystemTimeEx
Converts a local time with dynamic daylight saving time settings to UTC time.

Functions for file time:

CompareFileTime
Compares two file times.

FileTimeToLocalFileTime
Converts a UTC file time to a local file time.

FileTimeToSystemTime
Converts a file time to system time format.

GetFileTime
Retrieves the date and time that the specified file or directory was created, last accessed, and last modified.

GetSystemTimeAsFileTime
Retrieves the current system date and time in UTC format.

LocalFileTimeToFileTime
Converts a local file time to a file time based on UTC.

SetFileTime
Sets the date and time that the specified file or directory was created, last accessed, or last modified.

SystemTimeToFileTime
Converts a system time to a file time.

As a forensic analyst, you should have an understanding of these different time format options.  That does not necessarily mean you need exhaustive knowledge, but you should know how to research them, distinguish among them and, if necessary, explain their relevance to your investigation.  Go forth, learn, and prosper!

3 Comments
  1. This is so helpful

  2. Extremely helpful information. Thanks. Keep it coming.

  3. Thanks for your all shares.
