Day to day I use windows, encase et al for examinations but I have been trying to improve my knowledge in my spare time, trying to perform analysis using open source and native linux utilities.
First little stumbling block I have come across is converting hex values to date/time stamps. Can anyone suggest a method/s or tool to do this ? Particularly windows type 64 bit values.
Paul Tew's TimeLord
Craig Wilson's DCode
Thanks for the suggestions, I tried Dcode, unfortunately I cant get it to run under Wine.
This is a Python function from a personal script based on an ActiveState recipe:
from struct import unpack

def conv_time(filetimelow, filetimehigh):
    """
    Converts a 64-bit integer specifying the number of 100-nanosecond
    intervals which have passed since January 1, 1601.
    This 64-bit value is split into the two 32-bit parts stored in the
    structure.
    http//
    """
    # Difference between 1601 and 1970, in 100-nanosecond intervals
    diff = 116444736000000000
    # Each part arrives as 4 raw little-endian bytes
    lowpart = int(unpack('<L', filetimelow)[0])
    highpart = int(unpack('<L', filetimehigh)[0])
    # We divide by 10 million to convert to whole seconds (time_t)
    return (((highpart << 32) + lowpart) - diff) // 10000000
The final conversion:

import time

seconds = conv_time(filetlo, filethi)
filedeltime = time.asctime(time.gmtime(seconds)) + u' UTC'
The original script lists the contents of a Windows 7 recycle bin:
http//
Sorry for my English, oops.
Thanks for this, I suspected it might need a Python/Perl type solution; I'll have to dig out my O'Reilly book.
No apologies required
96hz,
Like Sam Raincock, I have a passion for time related forensic issues which is why I wrote TimeLord (which is in dire need of updating). TimeLord is written in C# using Visual Studio and I have been hoping for the day that the Mono team integrate the TimeZoneInfo object into their project and then I can port Timelord into Linux too. Converting NTFS and FAT dates into time_t is not complex as 'neofito' has shown in his/her posting that converts an NTFS 'filetime' to time_t.
I tend to try and preserve the accuracy where I can (time_t is only 1 second whereas filetime is 100 nanoseconds).
If you (or anyone else) want the code to TimeLord then you are welcome - just pm me. I also have routines in C for converting NTFS and all variants of FAT time into ISO 8601 ASCII format in their native and 1 second accuracy variants. These are written in C and will compile under any bog-standard C compiler.
Paul (Tew) - author of Timelord 😉
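As an added example (not neofito's script and not TimeLord's code), here is a Python 3 version that takes the 8 hex bytes as copied from a hex viewer, keeps the full 100 ns precision Paul mentions rather than rounding to time_t, writes ISO 8601 output, and also unpacks a FAT/DOS packed date/time. The sample values are constructed (the Unix epoch FILETIME and 2009-02-13 23:31:30.1234567 UTC); the function names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Ticks from 1601-01-01 to 1970-01-01 (the 'diff' constant in conv_time above)
EPOCH_DIFF_TICKS = 116444736000000000

def filetime_from_hex(hexstr, little_endian=True):
    """Turn 8 bytes copied from a hex viewer into a FILETIME integer.
    On disk (NTFS, registry) the value is little-endian; a value already
    written as a number (e.g. 019DB1DED53E8000) is big-endian."""
    raw = bytes.fromhex(hexstr.replace(' ', ''))
    if len(raw) != 8:
        raise ValueError('FILETIME is 8 bytes, got %d' % len(raw))
    return struct.unpack('<Q' if little_endian else '>Q', raw)[0]

def filetime_to_time_t(ft):
    """Whole seconds since 1970-01-01, the same thing conv_time() returns."""
    return (ft - EPOCH_DIFF_TICKS) // 10_000_000

def filetime_to_iso8601(ft):
    """ISO 8601 UTC string keeping all seven fraction digits; datetime only
    holds microseconds, so the last 100 ns digit is appended by hand."""
    micros, last_digit = divmod(ft, 10)
    dt = FILETIME_EPOCH + timedelta(microseconds=micros)
    return dt.strftime('%Y-%m-%dT%H:%M:%S.%f') + str(last_digit) + 'Z'

def fat_to_iso8601(date_word, time_word):
    """FAT/DOS packed 16-bit date (7-bit years since 1980, 4-bit month,
    5-bit day) and time (5-bit hour, 6-bit minute, 5-bit seconds/2).
    FAT stores local time, so no 'Z' suffix is added."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute, second = time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second).isoformat()

if __name__ == '__main__':
    # Constructed sample: little-endian bytes of the 1970-01-01 FILETIME
    ft = filetime_from_hex('00 80 3E D5 DE B1 9D 01')
    print(ft, filetime_to_time_t(ft), filetime_to_iso8601(ft))
    # Constructed sample: 2009-02-13 23:31:30.1234567 UTC
    ft2 = EPOCH_DIFF_TICKS + 1234567890 * 10_000_000 + 1234567
    print(filetime_to_iso8601(ft2))
    # Constructed sample: the same wall-clock instant as a FAT packed date/time
    print(fat_to_iso8601(0x3A4D, 0xBBEF))
```

Note that a FILETIME read from a hex dump with the wrong byte order decodes without error to a plausible-looking but wrong date, so check the endianness assumption against a known artefact first.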
There is a date converter in Delve on THE FARMER'S BOOT CD that allows the user to input one time value and convert that to any number of time values. Link here http//
And while not necessarily what you're seeking, this has some interesting tips that may get you started on developing your own tool to convert:
http//
Cheers!
farmerdude
You can also use datedecoder at http//
It converts most values to their respective date/time values.
The new release will also convert the other way around.
What I've done in the past is use Excel as you can batch convert multiple cells
Convert the Hex to Decimal
BST
=(((E1-(-1*3600))/86400)+25569)
GMT
=(((E1-(0*3600))/86400)+25569)
Use either of the above to convert and choose Date & Time for the cells.
Hope this helps.
Not used it for a while and I'm sure that was the way to do it.
Si