How to check all timestamps of file

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Re: How to check all timestamps of file

Post Posted: Sat Jan 14, 2017 2:13 pm

- thefuf


The kernel is pulling GUIDs from a cache.

Another good thing to know. Smile

The 3rd of January might well be the date of last boot.

The last 6005 and 6009 events in System Events are dated 03/01/2017 20:22,43 (and since I am GMT+1 it would make more or less sense).

- thefuf

Can you reboot the operating system and repeat your actions?


No, I cannot reboot right now (this system is usually on 24/7), but I will repeat the test next time I reboot.

In any case the Object_ID continues to be not a "time stamp", but more like a "data point".

jaclaz

P.S.: If you know of a decoder for these values, I would still be interested in it as the two mentioned online ones provide a different time:
www.famkruithof.net/uuid/uuidgen
Tuesday, January 3, 2017 7:31:26 PM GMT
vs:
www.mahonri.info/cgi/uuid.cgi
Tue Jan 3 14:31:26 2017 (+0.562504 seconds)
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: How to check all timestamps of file

Post Posted: Sat Jan 14, 2017 10:14 pm

Thank you very much for this thread Smile

The www.ietf.org/rfc/rfc4122.txt has some really valuable details Smile

I know some of my tools will get nice updates soon Smile
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: How to check all timestamps of file

Post Posted: Sat Jan 14, 2017 11:09 pm

Good. Smile

In the meantime found out that UUID is a "common" command under Linux and uuid -d can decode V1 UUIDs (I expected to find tens of windows32 ports of equivalent programs, but couldn't easily find one).

Anyway, there is one here:
soft.rubypdf.com/softw...-ossp-uuid
There is also the source.

that seemingly works fine:
uuid -d 37D54FD4-D1EB-11E6-B0C6-001FC6BB76CE
encode: STR: 37d54fd4-d1eb-11e6-b0c6-001fc6bb76ce
SIV: 74215118170733981956579217386954782414
decode: variant: DCE 1.1, ISO/IEC 11578:1996
version: 1 (time and node based)
content: time: 2017-01-03 19:31:26.562504.4 UTC
clock: 12486 (usually random)
node: 00:1f:c6:bb:76:ce (global unicast)

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: How to check all timestamps of file

Post Posted: Sat Jan 14, 2017 11:21 pm

You can work out the timestamp part on Windows with powershell like;
(Get-Date 15/10/1582).AddDays(137021739104999239/864000000000)

The 137021739104999239 is the 60 bit timestamp off the guid, output presented in UTC.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member

Re: How to check all timestamps of file

Post Posted: Sun Jan 15, 2017 9:35 am

- joakims
You can work out the timestamp part on Windows with powershell like;
(Get-Date 15/10/1582).AddDays(137021739104999239/864000000000)

The 137021739104999239 is the 60 bit timestamp off the guid, output presented in UTC.

Sure Smile .

And without Powershell, you can use a "normal" NT time decoder such as Decode:
www.digital-detective....ree-tools/
or - better - Timelord:
computerforensics.pars...melord.htm
together with "plain" calculator.

Get the relevant part from:
37D54FD4-D1EB-11E6-B0C6-001FC6BB76CE
37D54FD4-D1EB-11E6
make it a BIG Endian hex number:
11E6D1EB37D54FD4
remove the leading 1:
01E6D1EB37D54FD4
subtract from it:
146BF33E42C000 <- this is (17+30+31+365*18+5)=6653 days expressed in 100 nanoseconds, i.e. multiplied by (60 * 60 * 24) and by (1000*1000*10) per RFC 4122
obtain:
01D265F7F9928FD4
use either Timelord or Decode to obtain:
2017-01-03 19.31.26.5625044
or
mar, 03 gennaio 2017 19.31.26 UTC

As a side-side note, and JFYI Wink , not all RFCs are to be taken seriously Shocked , RFC 2324:
tools.ietf.org/html/rfc2324
and its extension RFC 7168:
tools.ietf.org/html/rfc7168
must be taken with a grain of salt ...
More here, including the evil bit experiment:
blog.benjojo.co.uk/pos...orld-usage

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
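The manual procedure above (take time_low/time_mid/time_hi, reorder, strip the version nibble, subtract the 6653-day epoch gap) as an added Python example; it is not code from the thread or from either poster's tools. It uses only the standard library's uuid module and the GUID quoted in the thread; the field names in the returned dict are my own.

```python
"""Decode the timestamp, clock sequence and node embedded in a version-1 UUID."""
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122 version-1 timestamps count 100 ns intervals from 1582-10-15 00:00 UTC.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
# Windows FILETIME counts the same 100 ns intervals from 1601-01-01; the two
# epochs are 6653 days apart, which is the value subtracted in the post above.
FILETIME_OFFSET = 6653 * 24 * 60 * 60 * 10_000_000


def decode_uuid_v1(text: str) -> dict:
    """Return the RFC 4122 fields of a version-1 UUID; ValueError for any other kind."""
    u = uuid.UUID(text)
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError(f"not an RFC 4122 version-1 UUID: {text}")
    # u.time is (time_hi & 0x0FFF) << 48 | time_mid << 32 | time_low, i.e. the
    # big-endian reordering with the leading version nibble removed.
    ts = u.time
    # datetime resolves microseconds only; keep the last 100 ns digit separately.
    when = UUID_EPOCH + timedelta(microseconds=ts // 10)
    node = u.node
    return {
        "timestamp": ts,                      # 60-bit count since 1582-10-15
        "filetime": ts - FILETIME_OFFSET,     # same instant as a Windows FILETIME
        "utc": when,
        "hundred_ns_digit": ts % 10,
        "clock_seq": u.clock_seq,
        "node": ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8)),
        # RFC 4122 4.5: a node that is not a real IEEE 802 address has the
        # multicast bit (bit 0 of the first octet) set, so it should not be
        # trusted as a NIC identifier.
        "node_is_random": bool((node >> 40) & 0x01),
    }


if __name__ == "__main__":
    fields = decode_uuid_v1("37D54FD4-D1EB-11E6-B0C6-001FC6BB76CE")
    for key, value in fields.items():
        print(f"{key:>17}: {value}")
    print(f"filetime as hex: {fields['filetime']:#018x}")
```

For the thread's GUID this yields 2017-01-03 19:31:26.562504 UTC (plus a trailing 4 in the 100 ns digit), clock sequence 12486 and node 00:1f:c6:bb:76:ce, matching the uuid -d output and the FILETIME 0x01D265F7F9928FD4 obtained by hand.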

Page 3 of 3