Timestamp Information and Commands for Forensic Analysis

When conducting a forensic analysis of Windows Operating Systems it is extremely important for the analyst to have an understanding of the various time formats present within the Windows OS.  Since many examinations come down to the time stamps on various artifacts, the analyst should be able to describe and explain the various time stamp protocols if asked to do so during testimony.  In many instances, analysts have failed to adequately explain the “when” of when a file was created or modified or accessed because of the lack of knowledge regarding the time format of the file.This short document provides an overview of the various time formats present in many Windows Operating Systems to assist in the identification and explanation of the time stamps located during timeline analysis or some other part of a forensic analysis.First, the analyst must understand that time stamps can be recorded in a variety of ways, including UTC or local system time.  Many forensic tools on the market today do a fantastic job of translating these time stamps for you, but as with any aspect of forensics, the analysts should be knowledgeable of the underlying theory and practice of how the forensic software goes about translating the time stamps.  There is nothing more embarrassing than providing testimony during a trial and being asked a question that you can not answer!  I have seen and heard of many defense attorneys utilizing time stamps as a favorite venue from which to attack the “expert” testimony of a forensic analyst.There are not many formats; however, it is extremely important to know the basics and to be able to research any questions you might come across during an analysis.  This short article will provide some websites to assist you in this research and to, hopefully, broaden your educational attainment.So to the time formats!Proprietary SoftwareFirst, many computers have installed numerous different types of programs.  Many of these post-factory installations utilize their own time formatting.  Anti-virus programs, for example, are known to utilize their own time formats and to carry that formatting over into their logs.  If you come across a piece of software installed on a system and a question arises regarding the time format, then go to that company's web site and look for a document detailing the software's' operation.64-bit FILETIME formatThis format is one of the most frequently found in Windows OS.  This format maintains the number of 100-nanoseconds intervals since midnight on January 1, 1601, in accordance with the Universal Coordinated Time (UTC).  64-bit FILENAME formatting is used throughout a variety of Windows system files, including several found in the Registry.  As a side note, UTC is synonymous with Greenwich Mean Time (GMT).  You can learn more about this time formatting by visiting https://msdn.microsoft.com/en-us/library/ms724284.SYSTEMTIME FormatThis format utilizes year, month, day of the week, day, hour, minute, second and millisecond, all in that order to record their time stamps.  These times are then converted to UTC utilizing the local computer's time zone and daylight savings settings.  You might find this formatting in Windows XP and 2003 .job files and it has been carried over to some Registry values on Windows Vista and 7.  You can learn more about this time format at https://msdn.microsoft.com/en-us/library/ms724950.32-bit Unix FormatThat is correct, you could see a Unix style time formatting scheme on a Windows system.  This format records time as the number of seconds since midnight on January 1, 1970, again relative to the UTC time zone.  Windows 2000, XP and 2003 have this format in several event log records.  You can learn more about this format at https://msdn.microsoft.com/en-us/library/aa363646.String FormatThis is one that you really can’t miss if you come across it during a forensic analysis.  It is in the standard format of 12/03/2016 6:45 PM.  You can find these formats recorded in local system time after taking the UTC time stamp and applying the correct conversion to local time using the time zone and daylight savings settings, which are located in the Registry for that system.  IIS web servers logs are also maintained in a similar format, but they include a comma between the date and time entries.  IIS also records the time stamps in UTC format.DOSDate FormatDOSDate formatting is a 32-bit format, with the first 16 bits holding the date and the last 16 bits holding the time.  This type of time format is found in shell items, which are found in Jump lists (Windows 7 & 8), Windows shortcut files and a range of different Registry data.  You can learn more about this time format at https://msdn.microsoft.com/en-us/library/ms724274.There are a number of tools and code that can assist you in translating these various time stamps format into a common format to help with your analysis.  Below are some common Windows time format type commands to assist you in your analysis.These commands are used with system time:GetSystemTimeRetrieves the current system date and time in UTC format.GetSystemTimeAdjustmentDetermines whether the system is applying periodic time adjustments to its time-of-day clock.GetTimeFormatFormats a system time as a time string for a specified locale.NtQuerySystemTimeReturns the system time.RtlLocalTimeToSystemTimeConverts the specified local time to system time.RtlTimeToSecondsSince1970Converts the specified system time to the number of seconds since the first second of January 1, 1970.SetSystemTimeSets the current system time and date.SetSystemTimeAdjustmentEnables or disables periodic time adjustments to the system's time-of-day clock.SystemTimeToFileTimeConverts a system time to a file time.SystemTimeToTzSpecificLocalTimeConverts a UTC time to a specified time zone's corresponding local time.TzSpecificLocalTimeToSystemTimeConverts a local time to a UTC time.These commands are used with local time:EnumDynamicTimeZoneInformationEnumerates dynamic daylight saving time information entries stored in the registry.FileTimeToLocalFileTimeConverts a UTC file time to a local file time.GetDynamicTimeZoneInformationRetrieves the current time zone and dynamic daylight saving time settings.GetDynamicTimeZoneInformationEffectiveYearsRetrieves a range, expressed in years, for which a DYNAMIC_TIME_ZONE_INFORMATION has valid entries.GetLocalTimeRetrieves the current local date and time.GetTimeZoneInformationRetrieves the current time zone settings.GetTimeZoneInformationForYearRetrieves the time zone settings for the specified year and time zone.RtlLocalTimeToSystemTimeConverts the specified local time to system time.SetDynamicTimeZoneInformationSets the current time zone and dynamic daylight saving time settings.SetLocalTimeSets the current local time and date.SetTimeZoneInformationSets the current time zone settings.SystemTimeToTzSpecificLocalTimeConverts a UTC time to a specified time zone's corresponding local time.SystemTimeToTzSpecificLocalTimeExConverts a UTC time with dynamic daylight saving time settings to a specified time zone's corresponding local time.TzSpecificLocalTimeToSystemTimeConverts a local time to a UTC time.TzSpecificLocalTimeToSystemTimeExConverts a local time with dynamic daylight saving time settings to UTC time.Commands for File Time:CompareFileTimeCompares two file times.FileTimeToLocalFileTimeConverts a UTC file time to a local file time.FileTimeToSystemTimeConverts a file time to system time format.GetFileTimeRetrieves the date and time that the specified file or directory was created, last accessed, and last modified.GetSystemTimeAsFileTimeRetrieves the current system date and time in UTC format.LocalFileTimeToFileTimeConverts a local file time to a file time based on UTC.SetFileTimeSets the date and time that the specified file or directory was created, last accessed, or last modified.SystemTimeToFileTimeConverts a system time to a file time.As a forensic analyst, you should have an understanding of these different time format options.  It doesn't necessarily mean you need an exhaustive knowledge, but you should know how to research them, distinguish among them and to be able to explain to them if necessary, to your investigation.  Go forth, learn, and prosper!