
Number String?

15 Posts
6 Users
6 Reactions
3,237 Views
Thomas
(@thomas)
Trusted Member
Joined: 19 years ago
Posts: 59
 

Compliments!!!


(@kossuth)
Eminent Member
Joined: 7 years ago
Posts: 22
Topic starter  

@azrael

Thanks a lot! Those timestamps do correlate to the activity we are looking at. That is very complicated; I'm extremely impressed that you decoded that, I never would have figured that out.

Thanks everyone for taking the time to look at this, I appreciate it. 

Is this a standard format for recording timestamps?


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 
Posted by: @kossuth

Those timestamps do correlate to the activity we are looking at.

Yay! Glad that it worked!

Posted by: @kossuth

Is this a standard format for recording timestamps?

Well, yes and no. Seeing it written like your example - absolutely not standard. I'm guessing someone somewhere has done some data manipulation and it's converted the HEX to decimal as part of that.

However, the date format itself is a normal Microsoft one and is the normal way that NTFS stores file date and time information. If you look in Brian Carrier's excellent "File System Forensic Analysis" it's in Chapter 13 (in my copy, page 360):

CARRIER, B. (2005). File system forensic analysis. Boston, Mass, Addison-Wesley.

The four time values* are stored as the number of one hundred nanoseconds since January 1, 1601 UTC. The same time fields also exist in the $FILE_NAME attributes, but these are the ones that Windows displays when you view the properties of a file, and these are the ones that are updated.

* The time values are: Creation Time, File Altered Time, MFT Altered Time and File Accessed Time.

It's the little-endian-ness of them that's so flipping confuddling though so unless you're looking directly at the HEX of the MFT regularly, you're not exactly going to come across them written like this often.

 


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I would like to add a bit to Azrael's final response. I agree that somebody has tried to change the Hex data to decimal, and hence thrown in much confusion, in particular the negative numbers.

 

It is much easier if, when looking at data, you try and think in Hex first. Patterns are often much easier to see with 8 hex bytes, rather than a string of decimal numbers. Computers and data are almost always based on 8/16/32/64 etc. bit numbers, and not 10 based numbers.

 

Think in Hex and many things will be clearer


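A worked decoder for the format azrael describes above (100-nanosecond ticks since 1 January 1601 UTC, stored little-endian) and for the hex-first reading mscotgrove recommends, added here as an example; it is not code from either poster. It assumes the "number string" in question is the eight little-endian bytes of a Windows FILETIME written out as signed decimals (so 0x80 shows up as -128), and the sample values below are constructed (the FILETIME for 1970-01-01 UTC), not the thread's data.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: unsigned 64-bit count of 100-nanosecond ticks since 1601-01-01 UTC,
# stored little-endian in the MFT ($STANDARD_INFORMATION and $FILE_NAME attributes).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME tick count -> aware UTC datetime (sub-microsecond part dropped)."""
    if not 0 <= ticks < 1 << 64:
        raise ValueError("FILETIME is an unsigned 64-bit value")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_from_bytes(raw: bytes, byteorder: str = "little") -> int:
    """Read 8 raw bytes as a FILETIME. NTFS is little-endian; 'big' only shows the pitfall."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, byteorder, signed=False)


def bytes_from_signed_decimals(text: str) -> bytes:
    """Rebuild raw bytes from the thread's 'number string' (assumed form): each byte written
    as a signed decimal (-128..127), so 0x80 shows up as -128 and 0xD5 as -43."""
    values = [int(tok) for tok in text.replace(",", " ").split()]
    if any(v < -128 or v > 255 for v in values):
        raise ValueError("each token must be one byte as a signed or unsigned decimal")
    return bytes(v & 0xFF for v in values)  # -43 & 0xFF == 0xD5


def decode_number_string(text: str) -> datetime:
    """Signed-decimal byte string, little-endian as on disk -> UTC datetime."""
    return filetime_to_datetime(filetime_from_bytes(bytes_from_signed_decimals(text)))


def decode_hex_string(text: str) -> datetime:
    """Hex dump of the 8 bytes as seen in the MFT ('00 80 3E D5 DE B1 9D 01') -> UTC datetime."""
    return filetime_to_datetime(filetime_from_bytes(bytes.fromhex(text)))


if __name__ == "__main__":
    # Constructed sample: the FILETIME for 1970-01-01 00:00:00 UTC (0x019DB1DED53E8000),
    # once as an MFT hex dump and once as the signed-decimal "number string".
    sample_hex = "00 80 3E D5 DE B1 9D 01"
    sample_dec = "0 -128 62 -43 -34 -79 -99 1"
    print(decode_hex_string(sample_hex))     # 1970-01-01 00:00:00+00:00
    print(decode_number_string(sample_dec))  # 1970-01-01 00:00:00+00:00
    # Same bytes read big-endian: the endianness mistake lands centuries away.
    print(filetime_to_datetime(filetime_from_bytes(bytes.fromhex(sample_hex), "big")))
```

Note that the $STANDARD_INFORMATION copy of these four timestamps is the one Explorer shows, so a decoded value should be cross-checked against the $FILE_NAME copy before it is relied on.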
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 
Posted by: @mscotgrove

Think in Hex and many things will be clearer

I think you need to start printing t-shirts 😉

