Retrieval of date/time stamp hex error?

2 Posts
2 Users
0 Likes
305 Views
(@shaun091382)
Posts: 13
Active Member
Topic starter
 

Hi, I am just starting my forensic course and have already run into a minor problem. I have the date/time of Friday, August 18 2000 3:28:42pm that I'm trying to retrieve from DOS FAT32/16 using the hex values 95 7B 12 29 located in bytes 23 through 26. I can retrieve the time but I don't really know how, as it does not follow the instructions I was given. Here is what I have. Can anyone help me on this?

Time stamp
Bits

0-4bits = seconds*2(0-29)
5-10bits = minutes(0-59)
11-15bits = hours(0-23)

Date Stamp

0-4bits = date(1-31)
5-8bits = month(1-12)
9-15bits = year(add total to 1980)

I don't know how I did it without following the model, but this is what I have:

I reversed hex values 95 7B to 7B 95 (Time)
Binary = 1111 0111 0010 101

Binary to decimal equals=

0-4bits = 1111 = 15
5-10bits = 0111 = 28
11-15bits = 0010101 = 21*2

The time is 15:28:42 (3:28:42pm), which I verified to be correct. However, why is the time I found correct but backwards in the model, i.e. 11-15bits (hours) should have the 15 and the 0-4bits (seconds) should have 21?

On to my next dilemma, the date stamp: the hex values are 12 29

So again I reversed them

29 12

Binary = 010100100010010

Date
0-4bits day(1-31)
5-8bits month(1-12)
9-15bits year(add to 1980)

My results (conversion to binary)

0-4bits = 0101 = 5
5-8bits = 0010 = 2
9-15bits = 0010010 = 18

These values are definitely incorrect and I don't know what to do to solve this problem. The date should be Friday, August 18, 2000.

Now I see that I have the 18 decimal # but it's in the wrong area; the 18 should be in the 0-4bits, which is for the day. I don't know what I'm doing wrong and need help. Thanks for any help that can be provided,

Shaun

 
Posted : 18/12/2005 2:30 am
Alan
(@alan)
Posts: 53
Trusted Member
 

Hi shaun091382

If you are using a hex editor you will probably need to reverse the numbers. Intel compatible computers use what is called Little Endian: the lowest byte order is stored first, or lowest in memory or disk. For instance, the hex number 1234h would be viewed on disk in raw hex as two bytes 34 12, in that order; the processor expects this condition and automatically handles it correctly.

 
Posted : 21/12/2005 9:28 pm
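
Added example, not part of either post: a Python decoder for the four bytes from the question, assuming they hold the little-endian time word followed by the date word. It counts bit 0 as the rightmost (least significant) bit of each 16-bit word and keeps leading zeros; `split_bits` and `decode_fat_timestamp` are names chosen here.

```python
import struct
from datetime import datetime

def split_bits(word, widths):
    """Split a 16-bit word into bit strings, most significant field first."""
    bits = format(word, "016b")  # zero-padded: keeps the leading 0 bits
    fields, pos = [], 0
    for width in widths:
        fields.append(bits[pos:pos + width])
        pos += width
    return fields

def decode_fat_timestamp(raw):
    """Decode 4 on-disk bytes (time word, then date word) to a datetime."""
    if len(raw) != 4:
        raise ValueError("expected 4 bytes: 2 time + 2 date")
    # "<HH": two little-endian 16-bit words, so 95 7B reads as 0x7B95.
    time_word, date_word = struct.unpack("<HH", raw)
    # Bit 0 is the least significant (rightmost) bit of each word.
    seconds = (time_word & 0x1F) * 2           # bits 0-4, 2-second units
    minutes = (time_word >> 5) & 0x3F          # bits 5-10
    hours = (time_word >> 11) & 0x1F           # bits 11-15
    day = date_word & 0x1F                     # bits 0-4
    month = (date_word >> 5) & 0x0F            # bits 5-8
    year = ((date_word >> 9) & 0x7F) + 1980    # bits 9-15
    # datetime() rejects impossible fields (month 0, hour 24, second 60...)
    return datetime(year, month, day, hours, minutes, seconds)

if __name__ == "__main__":
    raw = bytes.fromhex("957B1229")  # the four bytes quoted in the question
    time_word, date_word = struct.unpack("<HH", raw)
    print("time", split_bits(time_word, (5, 6, 5)))  # hours, minutes, seconds/2
    print("date", split_bits(date_word, (7, 4, 5)))  # year-1980, month, day
    print(decode_fat_timestamp(raw).strftime("%A, %B %d %Y %H:%M:%S"))
```

Read left to right, the fields of each word come out in the order hours, minutes, seconds and year, month, day, because the highest-numbered bits are on the left.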