Okay so, I'm so confused here. I need to set the timezone in EnCase v7 to match the timezone of the image I'm looking at.
I know HOW to find the timezone information in the registry (used RegRipper to parse the System registry hive file), but I have no idea how to make sense of this.
What I'm left with is this.
TimeZoneInformation key
ControlSet001\Control\TimeZoneInformation
LastWrite Time Wed May 14 06:55:57 2008 (UTC)
DaylightName -> GMT Daylight Time
StandardName -> GMT Standard Time
Bias -> 0 (0 hours)
ActiveTimeBias -> -60 (-1 hours)
DaylightBias -> -60 (-1 hours)
TimeZoneKeyName -> N/A
I have no idea how to interpret this. Encase wants the time in UTC. Does this mean the timezone is UTC-1? I'm so lost. Any help is appreciated.
What is it that you do not understand? It's pretty clear to me…
What I'm confused about is, what is the time in UTC? Sorry if it seems like a stupid question, but I have no idea which timezone I am selecting in EnCase.
Greenwich Mean Time (GMT) is often interchanged or confused with Coordinated Universal Time (UTC). But GMT is a time zone and UTC is a time standard.
Although GMT and UTC practically share the same current time, there is a basic difference between the two:
GMT is a time zone officially used in some European and African countries. The time can be displayed using both the 24-hour format (0 - 24) or the 12-hour format (1 - 12 am/pm).
UTC is not a time zone, but a time standard that is the basis for civil time and time zones worldwide. This means that no country or territory officially uses UTC as a local time.
UTC, GMT and Daylight Saving Time
Neither UTC nor GMT ever change for Daylight Saving Time (DST). However, some of the countries that use GMT switch to different time zones during their DST period.
For example, the United Kingdom is not on GMT all year, it uses British Summer Time (BST), which is one hour ahead of GMT, during the summer months.
Coordinated Universal Time (UTC) is the basis for civil time today. This 24-hour time standard is kept using highly precise atomic clocks combined with the Earth's rotation.
Craig Wilson has an excellent primer on time.
All translations between UTC and local time are based on the following formula:
UTC = LOCAL TIME + BIAS
Bias
This value is the normal Time difference from UTC in minutes. This value is the number of minutes that would need to be added to a local time to return it to a UTC value. This value will identify the Master Time Zone (Standard Time).
ActiveTimeBias
This value is the current time difference from UTC in minutes, regardless of whether daylight saving is in effect or not. It is this value that helps establish the current Time Zone settings. Using the formula above, take this value and add it to local time to get the UTC value.
DaylightBias
This value specifies a bias value to be used during local time translations that occur during daylight time. This value is added to the value of the Bias member to form the bias used during daylight time. In most time zones the value of this member is –60.
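The formula above applied to the values quoted in the first post, as an added example that is not part of the original thread. The function names are hypothetical, and the sample text is constructed from the RegRipper lines shown earlier on this page; because UTC = LOCAL TIME + BIAS, a negative bias means local time is ahead of UTC.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the bias lines quoted in the first post of this thread.
SAMPLE = """\
Bias -> 0 (0 hours)
ActiveTimeBias -> -60 (-1 hours)
DaylightBias -> -60 (-1 hours)
"""

def parse_biases(text):
    """Return {name: minutes} for lines such as 'Bias -> 480 (8 hours)'."""
    pattern = re.compile(r"^(\w*Bias)\s*->\s*(-?\d+)", re.M)
    return {m.group(1): int(m.group(2)) for m in pattern.finditer(text)}

def utc_offset_label(bias_minutes):
    """UTC = LOCAL + BIAS, so LOCAL = UTC - BIAS: the offset is the negated bias."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

def interpret(text):
    """Summarise standard and active offsets and whether daylight time was active."""
    b = parse_biases(text)
    standard = b["Bias"]
    active = b.get("ActiveTimeBias", standard)
    # Daylight bias is added to Bias to form the bias used during daylight time.
    daylight_total = standard + b["DaylightBias"] if "DaylightBias" in b else None
    return {
        "standard": utc_offset_label(standard),
        "active": utc_offset_label(active),
        "dst_in_effect": daylight_total is not None
                         and active == daylight_total and active != standard,
    }

def local_to_utc(local, bias_minutes):
    """Apply the formula directly: add the bias (in minutes) to a local time."""
    return local + timedelta(minutes=bias_minutes)

if __name__ == "__main__":
    print(interpret(SAMPLE))
    print(local_to_utc(datetime(2008, 5, 14, 7, 55, 57), -60))
```
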
What I'm confused about is, what is the time in UTC? Sorry if it seems like a stupid question, but I have no idea which timezone I am selecting in EnCase.
Kevin, in the interest of full disclosure, I almost always use X-Ways, not EnCase. That said, I don't see this as an EnCase question so much as it's a judgment call.
If the SOP in your agency or the preference of the lead examiner you're working with is to always adjust the timezone, be consistent with that and choose a timezone that corresponds to the -1 time biases you're seeing. Otherwise, if you're comfortable reporting your findings in UTC, you can just leave the EnCase setting as UTC (in other words, no time zone adjustment). Whether it's important to adjust times may depend on the case. Sometimes working directly in UTC is sufficient and may even simplify things.
Any hardcore EnCase users out there should feel free to chime in.
Okay so, I'm so confused here. I need to set the timezone in EnCase v7 to match the timezone of the image I'm looking at.
As far as I remember, that's something that EnCase will do for you in one of the standard scripts for processing Windows cases, included with EnCase. SOP is usually to run that script very early in the process. My experience is with v6, though, but while things may have changed in v7, I kind of doubt that it would change very much. (Though sometimes the registry has it wrong … in which case you will have to do this manually …)
If you do change the time zone manually, go by location name, not just by the UTC offset. While two entries with the same UTC offset may be the same, there's also a fair chance that there may be differences in how daylight savings time is applied. That may cause problems if you get it wrong.
In your case, I'd go with the '[UTC]' entry that includes the appropriate geographic name (e.g. 'London'), and make sure your report documents that configuration clearly. (Note though, that you will need to think about timestamps anyway. If you have, for example, files that have been restored from a ZIP archive, created in another time zone … what time stamp do they get when they're extracted? EnCase may not do the right thing here, so stay alert.)
And in general, I'd recommend registering at the Guidance support portal. That's where most Guidance-specific questions-and-answers are found.
Like Athulin, my experience is with EnCase v6, but the following link is from the Guidance forums (assuming you have an account) and contains the instructions you need to find the timezone within EnCase v7:
https://
Bithead - thanks for the pointer to Craig Wilson's article. Haven't seen that before.
Here is another interesting thing to confuse you.
The registry key TimeZoneName uses NUL-terminated Unicode strings, and is not wiped of the previous content.
For example:
M·o·u·n·t·a·i·n· ·S·t·a·n·d·a·r·d· ·T·i·m·e···e·······i·m·e··
4D 00 6F 00 75 00 6E 00 74 00 61 00 69 00 6E 00 20 00 53 00 74 00 61 00 6E 00 64 00 61 00 72 00 64 00 20 00 54 00 69 00 6D 00 65 00 00 00 65 00 00 00 00 00 00 00 69 00 6D 00 65 00 00
From the above, you can guess that the time zone was set at least three times (possibly including initial set). If the time zone length is sufficiently different, one can guess what was the previous time zone set as.
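The residue described in the post above can be pulled out programmatically. This is an added example, not part of the original post: it splits the quoted bytes into UTF-16LE runs and reports each leftover fragment with the string length it implies, assuming the earlier value started at offset 0 and ended with that fragment (function names are hypothetical).

```python
# Bytes copied from the hex dump quoted in the post above (61 bytes; the
# last UTF-16 code unit is cut off after one byte).
RAW = bytes.fromhex(
    "4D 00 6F 00 75 00 6E 00 74 00 61 00 69 00 6E 00 20 00 53 00 74 00 61 00 "
    "6E 00 64 00 61 00 72 00 64 00 20 00 54 00 69 00 6D 00 65 00 00 00 65 00 "
    "00 00 00 00 00 00 69 00 6D 00 65 00 00"
)

def split_utf16_runs(raw):
    """Return (byte_offset, text) for each run of non-NUL UTF-16LE code units."""
    usable = len(raw) - (len(raw) % 2)      # ignore a dangling odd byte
    runs, start, chars = [], None, []
    for off in range(0, usable, 2):
        unit = raw[off:off + 2]
        if unit == b"\x00\x00":             # NUL code unit ends the current run
            if chars:
                runs.append((start, "".join(chars)))
                start, chars = None, []
        else:
            if start is None:
                start = off
            chars.append(unit.decode("utf-16-le", errors="replace"))
    if chars:
        runs.append((start, "".join(chars)))
    return runs

def analyse(raw):
    """Separate the current value (run at offset 0) from residue left behind it."""
    runs = split_utf16_runs(raw)
    current = runs[0][1] if runs and runs[0][0] == 0 else ""
    residue = [
        # implied_length: characters an earlier value needed to reach this
        # fragment's end (assumption: it started at offset 0).
        {"offset": off, "text": text, "implied_length": off // 2 + len(text)}
        for off, text in runs[(1 if current else 0):]
    ]
    return current, residue

if __name__ == "__main__":
    current, residue = analyse(RAW)
    print("current value:", current)
    for r in residue:
        print(f"residue at byte {r['offset']}: {r['text']!r} "
              f"(earlier value of about {r['implied_length']} characters)")
```
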
@bithead Hello, I have a problem, I would like to know...
TimeZoneInformation key
ControlSet001\Control\TimeZoneInformation
LastWrite Time Thu Jan 1 00:00:00 1970 (UTC)
DaylightName -> Pacific Daylight Time
StandardName -> Pacific Standard Time
Bias -> 480 (8 hours)
ActiveTimeBias -> 480 (8 hours)
In Autopsy... which one should I choose? I'm in Madrid...
I don't know whether I should choose
(GMT +8 etc) / gmt-8