Hello. Without getting into specifics, would anyone be able to identify what the string of numbers at the end of the following file paths represent? The data is coming from a PC in Europe. Any help is appreciated. Thank you.
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||1778112188:30624963
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||540650256:30631156
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-1684227636:30638004
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-1750867081:30638004
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-705445358:30644856
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-576257078:30649297
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||1307581271:30654936
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-1428127345:30665545
As Windows doesn't allow the pipe character to be part of a file name I assume these file names are all mocked up (or maybe they are from a Linux / Unix machine, but unlikely if the path is c:\users...)?
Maybe getting into specifics would help!
Are they really text files? What's in them? Do they have the NTFS Alternate Data Streams Zone.Identifier to tell you where the file came from? Does the browser have a history entry mentioning the files? etc.. etc...
@passmark. As for not getting into specifics, I just meant that it's an active case and didn't want to divulge too much information.
Unfortunately, I don't even have access to the rest of the data. A text file was shared with me asking for interpretation, these were an excerpt. I was just hoping that these were some sort of time stamp that someone would recognize. Thanks for taking the time to look at it though.
To me this looks like a character delimited file with pipe as the delimiter. I'm guessing that you've sanitised this to test.txt throughout and that the file names differ in the original source.
The second part of the number is constantly incrementing - so it could be a timestamp as you say, the first part looks wildly inconsistent to me both in magnitude and sign.
Can you give us more of a clue?
not some coordinates by some chance?
As Passmark says, these strings are probably from a Linux/Unix system. The closest I can find is that the numbers are calculations of rotations or trajectory of an object. I've used https://www.epochconverter.com/, where the current Unix epoch time is 1616014906. The second number seems to be the number of seconds in (almost) a year. For example the first is 30624963, which is 354 days, 10 hours, 56 minutes and 3 seconds... However, this doesn't explain the negative numbers... (and maybe I am completely off...)
As Passmark says, these strings are probably from a Linux/Unix system.
It isn't likely, as neither Linux nor any other Unix would support a pipe as part of a file name without it being escaped.
A text file was shared with me asking for interpretation, these were an excerpt.
It seems to me to be more likely - as I said - that it's a CSV (delimited file) file using | as a delimiter.
not some coordinates by some chance?
I thought that might be the case too, but couldn't figure out how to convert them to something sensible ...
OK - I've either cracked it, or I've discovered a very interesting coincidence 😉
They are time stamps - just recorded in a nightmare fashion. They are Windows FILETIME stamps, which are a 64-bit integer that represents the number of 100-nanosecond intervals since January 1st, 1601[1]. As discussed in that reference, they are stored as high and low order parts of the file time - and that's what you see here: high and low order bytes separated by a ":"
e.g.
1778112188:30624963
To convert these into something usable - first take them back to two's complement hex[2]:
69FBD6BC:01D34CC3
Concatenate them in the right order[3]:
01D34CC369FBD6BC
Convert back to decimal[4]:
131533216304322236
And then convert to a real date[5]:
Tuesday, October 24, 2017 12:27:10pm
I ran this process through for the first four and got the following dates and times:
Tue, 24 Oct 2017 12:27:10 +0000
Fri, 24 Nov 2017 07:16:19 +0000
Thu, 28 Dec 2017 08:19:40 +0000
Thu, 28 Dec 2017 08:26:43 +0000
This seems pretty consistent to me as a logical chain of file downloads (which is what the directory implies these things are ...)
However, without additional knowledge I genuinely have no idea if it is just a complete coincidence, or a meaningful discovery.
Please let me know how accurate this may be - I've happily allowed this to distract me from things that I should have been doing, it would be good to know if it worked 😉
All the Best,
Azrael
--
1. https://kb.digital-detective.net/display/BF/FILETIME+Timestamp+and+Structure
2. https://www.rapidtables.com/convert/number/decimal-to-hex.html
3. I just did this in Excel with =CONCAT(cell2,cell1)
4. https://www.rapidtables.com/convert/number/hex-to-decimal.html
5. https://www.silisoftware.com/tools/date.php - choose filetime as format
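The conversion walked through in the post above, done in one pass over the pipe-delimited records. This is an added example, not part of any post in the thread; the function names are made up for illustration, and it assumes the layout the post infers: the last field is `low:high`, each half a 32-bit FILETIME word printed as a signed decimal.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Three records copied from the excerpt in the thread (already sanitised there).
SAMPLE = r"""C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||1778112188:30624963
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||540650256:30631156
C:\Users\xxxxxxx\Downloads\test.txt|test.txt|||-1684227636:30638004""".splitlines()


def to_u32(value: int) -> int:
    """Reinterpret a 32-bit word logged as signed decimal as unsigned."""
    if not -2**31 <= value < 2**32:
        raise ValueError(f"not a 32-bit value: {value}")
    return value & 0xFFFFFFFF  # two's complement: -1 becomes 0xFFFFFFFF


def filetime_from_parts(low: int, high: int) -> int:
    """Join the low and high words into the 64-bit FILETIME tick count."""
    return (to_u32(high) << 32) | to_u32(low)


def filetime_to_utc(ticks: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 10 ticks = 1 us."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_record(line: str):
    """Return (path, filetime ticks, UTC datetime) for one record.

    Raises ValueError when the last field is not 'low:high' integers.
    """
    path, _name, *_empty, stamp = line.rstrip().split("|")
    low_s, high_s = stamp.split(":")
    ticks = filetime_from_parts(int(low_s), int(high_s))
    return path, ticks, filetime_to_utc(ticks)


if __name__ == "__main__":
    for record in SAMPLE:
        path, ticks, when = parse_record(record)
        print(f"{ticks:016X}  {when:%a, %d %b %Y %H:%M:%S %z}  {path}")
```

The negative first halves are what a signed 32-bit print of the low word looks like once its top bit is set, which is why only the second (high) half appears to increase steadily.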
On the coordinates something along these lines
Yeah, that works.
And I would _love_ a case from one of those locations 😀
Would definitely need a site visit!