athulin – thank you tremendously for your explanation of endianness. The part that gets me is how it applies in this instance.
The value stored in the registry, I presumed was in little-endian. Since it was obviously on an Intel CPU, being WindowsXP, it is little-endian. So, the script on that website was expecting a big-endian value?
Since basically everything is little-endian these days, I am not clear on why this continues to be an issue so often.
Another shameless plug
http//www.forensicfocus.com/index.php?name=Downloads&d_op=viewdownloaddetails&lid=88
Will convert a bunch of time stamps from the input as you see it in your hex editor. Big-endian/Little-endian is dealt with at the press of a radio button.
Paul
That is an extremely nerdy, and therefore great, name for a timestamp program. Congrats! )
The value stored in the registry, I presumed was in little-endian. Since it was obviously on an Intel CPU, being WindowsXP, it is little-endian. So, the script on that website was expecting a big-endian value?
It was expecting a value. Endianness only applies if the data is parcelled out in chunks, such as bytes or words or whatnot. But behind the endianness there is a value, regardless of how it has been represented. If you feed a value-expecting tool, not a value, but a representation of it … well, GIGO.
You have to know your tools. Just as the toolmaker has to know its user – in this particular case, there was a discontinuity.
If you work in yard, feet and inches, and then suddenly get a metric measurement, all kind of interesting and not-so-interesting things may happen (http// articles cnn com/ 1999-09-30/tech/9909_30_mars.metric.02_1_climate-orbiter-spacecraft-team-metric-system?_s=PMTECH . )
If you expect a DD/MM/YY date, but get a MM/DD/YY date … things may get hairy.
Choose tools to fit your way of working. If you cut and paste timestamps as a series of bytes, use timestamp tools that work on that series of bytes.