Hi
I have a file which I would like to carve out all dates from.
e.g. carving the pagefile.
Specifically looking for FAT filesystem dates.
Does anyone know of a program or script I could use to do this?
Looked through my collection of scripts, EnScripts and programs but couldn't find anything. Thought I had picked one up a while ago. Wasn't able to find anything by Google searching either. Figured I would post here before I did more googling.
Cheers,
I don't think carving works quite like this.
With data carving, patterns are looked for. For instance a JPEG will always start 0xff 0xd8 0xff and then either 0xe0 or 0xe1. These bytes are then normally at the start of a sector, and other parameters can then be checked to reduce false positives, i.e. we have a unique string, typically in a defined location.
For a FAT date this is just a 4-byte number: 2 bytes for date and 2 for time. Almost any time value is valid, and many date values are valid. There may be no fixed location for these values, and so no way to find them.
The only hope you might have is to look for FAT directory structures. These do have a pattern, and repeat on 0x20 byte boundaries. If lucky, the sequence will start with a '. ' '.. ' pair of entries, but due to fragmentation, this is not always the case.
My CnW software does have a mode to scan a disk for any FAT directory entry, but does have a 5% false positive hit rate. The log would then have the file dates which might help you. You could mount the pagefile.sys file as a drive, but searching in this case would assume data is sector aligned.
Re data carving, some clarification.
In this case the date itself is what you would be carving, not FAT directory entries.
Think of a grep/regex search but for dates.
With carving/searching dates the program would probably need a range which it would use to figure out the range of possible bytes which would be a valid date.
e.g. time is from 0000-2359; anything out of this range would be invalid. Of course searching for a specific range of time (e.g. 0300-0400) would help further.
Now I can remember seeing such a program for download somewhere about 5 yrs ago. Can't remember if it was just an exe or some sort of script.
Cheers,
I don't know of a specific tool or product, but it should be pretty trivial to write this in Perl or Python…
RevEnge will search for a date (in one or more of about 50 formats) that is within a specific range. It won't carve per se, but you can point it at a file, select DOS dates and a date range, and it will stop at each DOS date that is within your specified date range.
There is a demo version here
http//
Paul
I am sure RevEnge will do what it says on the box, but how successful it is does depend on the rest of the data in the file. If you have any form of compressed/binary/random information, you will end up with a large number of false positives.
Your best success will only be if you can define a date and time range very closely. At a guess, I would think that over 75% of numbers would be valid dates and times. From your 'spec' you will not be helped by byte alignment. If you have a precise date then only one 16-bit number in 64K possible numbers will be valid, and you will start finding possible data.
> RevEnge will search for a date (in one or more of about 50 formats) that is within a specific range. It won't carve per se, but you can point it at a file, select DOS dates and a date range, and it will stop at each DOS date that is within your specified date range.
Impressive product. Will have to try it out to see if it fits.
There is always Harlan's option of writing a Python script if I need the extra flexibility a programming language provides. (Sorry, Perl; found Python easier to learn.)
> I am sure RevEnge will do what it says on the box, but how successful it is does depend on the rest of the data in the file. If you have any form of compressed/binary/random information, you will end up with a large number of false positives.
> Your best success will only be if you can define a date and time range very closely. At a guess, I would think that over 75% of numbers would be valid dates and times. From your 'spec' you will not be helped by byte alignment. If you have a precise date then only one 16-bit number in 64K possible numbers will be valid, and you will start finding possible data.
Not all of the 64K possible numbers expressed in 32 bits will be a valid date; for instance, there are enough bits to represent 16 possible months, so 25% of any random values can be excluded; the bit-formatted spec for a DOS date allows for up to 32 hours in a day, so some of these can be excluded….
The success rate of any program when looking for DOS dates will be the same, providing it skips invalid dates correctly; if you can narrow down your date range, you can skip invalid dates.
On truly random data RevEnge will show a valid DOS date on about 50% of the data. But as DOS allows for 128 years (1980 to 2107), if you can specify a date range of say 2000-2013 then this will drop to a matching date on one byte in about 20, i.e. 5% of dates matching. If you can specify a particular year then you are down to about 1 in 200… Of course most data is not random, so your mileage may vary.
If you are looking for a date in a directory entry (so you can code a decision as to whether a date may be valid based on surrounding data) then this is a different problem, and tools other than RevEnge may do a better job. The DOS date format is not just used in the FAT file system though; it's often found on tapes (some of which, for instance, use word-swapped DOS dates, which is why RevEnge supports these also).
RevEnge does of course work better for dates such as 64-bit file times, but at the end of the day if you are looking at DOS dates then your problem is what it is.
Writing a program/script will give you exactly the same collisions as using a program such as RevEnge. Where writing a script will always win is when you have an inkling of what some of the surrounding data is likely to be; if you know that the previous byte for a date that you are interested in will always be zero then you can code for this. Although, that said, writing a script in my mind always wins (above a pre-designed tool) because it makes you think a bit more about the data, but then not everyone programs and not everyone has the time to write and debug a script such as this.
More info on different time stamps here
http//
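As an added example (not code from any poster, nor from RevEnge, FDTE or CnW), here is the kind of Python script Harlan and Paul allude to: it decodes FAT/DOS 16-bit time + 16-bit date words, slides over a buffer one byte at a time (so no sector alignment is assumed), filters hits by year range, and also computes exactly what share of random 32-bit words would decode as a valid in-range date, which reproduces the "about 50%" and "about 5% for 2000-2013" figures given above. The sample buffer is constructed for the demo.

```python
import calendar
import struct
from datetime import datetime

def decode_dos_datetime(time_word, date_word):
    """Decode a FAT/DOS 16-bit time + 16-bit date pair; None if any field is out of range."""
    sec2, minute, hour = time_word & 0x1F, (time_word >> 5) & 0x3F, time_word >> 11
    day, month, year = date_word & 0x1F, (date_word >> 5) & 0x0F, 1980 + (date_word >> 9)
    if sec2 > 29 or minute > 59 or hour > 23 or not 1 <= month <= 12 or day == 0:
        return None
    try:
        return datetime(year, month, day, hour, minute, sec2 * 2)
    except ValueError:  # e.g. day 31 in a 30-day month
        return None

def encode_dos_datetime(dt):
    """Inverse of decode (seconds are stored at 2-second granularity)."""
    time_word = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    date_word = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    return time_word, date_word

def scan_dos_dates(data, year_min=1980, year_max=2107):
    """Try every byte offset (pagefile content is not sector aligned) and keep in-range hits."""
    hits = []
    for off in range(len(data) - 3):
        t, d = struct.unpack_from("<HH", data, off)  # little-endian: time word, then date word
        dt = decode_dos_datetime(t, d)
        if dt is not None and year_min <= dt.year <= year_max:
            hits.append((off, dt))
    return hits

def random_hit_fraction(year_min=1980, year_max=2107):
    """Exact share of random 32-bit words that decode to a valid date inside the year range."""
    valid_times = 30 * 60 * 24  # sec/2 0-29, minute 0-59, hour 0-23
    valid_days = sum(calendar.monthrange(y, m)[1]
                     for y in range(max(year_min, 1980), min(year_max, 2107) + 1)
                     for m in range(1, 13))
    return (valid_times / 65536) * (valid_days / 65536)

# Constructed sample: 16 zero bytes, one real timestamp, 16 zero bytes (all-zero words never decode: month 0).
SAMPLE = (b"\x00" * 16
          + struct.pack("<HH", *encode_dos_datetime(datetime(2013, 5, 14, 13, 45, 30)))
          + b"\x00" * 16)

if __name__ == "__main__":
    for off, dt in scan_dos_dates(SAMPLE):  # the two windows straddling the real value are false positives
        print(f"offset {off:4d}: {dt}")
    print("in range 2000-2013:", scan_dos_dates(SAMPLE, 2000, 2013))
    print(f"random data: {random_hit_fraction():.1%} any year, {random_hit_fraction(2000, 2013):.1%} for 2000-2013")
```

Run on the sample, the unrestricted scan reports three hits (offsets 15, 16 and 17) because the windows overlapping the real timestamp also decode cleanly; restricting the year range to 2000-2013 leaves only the genuine one at offset 16.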
FYI I found what that program was which I was searching for.
It's "FDTE - File Date time Extractor" from "
" This utility has been designed as a forensic research tool. It is important that you understand what the utility is actually showing you.
Embedded within many file types are numerous hidden date & times. They are in a variety of formats. Date and time analysis can be the pivotal point in any forensic examination, so it is important that investigators understand how the date & times are stored and how to identify them.
This software hunts through binary files 'sniffing out' hidden, embedded 64 bit date & times. This type of stored date is very popular in many Microsoft applications. Microsoft Word & Excel Applications store many different date & times. Word documents have Created Date & Time, Printed Date & Time, Modified Date & Time, Accessed Date etc. "
Extracts a different date format than I remembered, although I would still be interested in a copy of this.
Does anyone know where I can find it?
You can get it from Craig's web site