Notifications

Clear all

timestamp, conversion from hex?

forenz · 2007-08-29T16:51:00Z

I have been investigating records in the event log of a Windows Server 2003 R2, specifically within SecEvent.Evt.I have discovered the hex representing the time generated and time written information for a record.The hex appears as follows d8c5c646-d8c5c646The first d8c5c646 is the time generated, whilst the second is the time written.The problem i have now is converting these into an understandable representation of the time they were created. Can anyone help/point me in the right direction?

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by TeenWolf 15 years ago

19 Posts

7 Users

0 Reactions

4,902 Views

RSS

forenz

(@forenz)

Eminent Member

Joined: 18 years ago

Posts: 47

Topic starter 31/08/2007 4:58 pm

They are 32bit Unix timestamps.

Thanks again, but how did you know that these were 32bit Unix timestamps? there are other decode formats i can set the program to and it will still decode to a date. How did you know which format to trust?

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

31/08/2007 5:05 pm

> how did you know that these were 32bit Unix timestamps?

That comes in part from knowing the structure of the Event Log records.

ReplyQuote

forenz

(@forenz)

Eminent Member

Joined: 18 years ago

Posts: 47

Topic starter 31/08/2007 5:56 pm

Hows that?

I do know the structure of the event log records.

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

31/08/2007 6:25 pm

> Hows that?
>
> I do know the structure of the event log records.

Okay, then…it sounds like you just answered your own question! 😉

Here's some documentation from MS
http//msdn2.microsoft.com/en-gb/library/aa363646.aspx

If you read it, you'll see that the timestamps are both 4-byte values and they meet the definition of "32bit Unix timestamps".

I guess maybe I'm missing something, then…you say that you know the structure and format of the event records, but you're asking "how did you know that these were 32bit Unix timestamps?". I mean, it's right there in the structure documentation.

I must be completely off-base here and completely misunderstanding what you're asking…sorry…

ReplyQuote

forenz

(@forenz)

Eminent Member

Joined: 18 years ago

Posts: 47

Topic starter 31/08/2007 6:36 pm

Its ok

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

01/09/2007 12:01 am

Its ok

What does that mean?

ReplyQuote

kern

(@kern)

Trusted Member

Joined: 20 years ago

Posts: 67

01/09/2007 12:27 am

I must be completely off-base here and completely misunderstanding what you're asking…sorry…

its ok

maybe he's accepting your apology lol

ReplyQuote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

01/09/2007 12:46 am

Maybe…but it might help more if he were to clear up some things…

ReplyQuote

TeenWolf

(@teenwolf)

New Member

Joined: 15 years ago

Posts: 3

04/10/2010 11:59 pm

I wrote a similar program, it decodes various formats, except the program is command line. You can download it at

www.live-forensics.com

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
244 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed