Sunday, February 6, 2011

Custom FILETIME DateClass to display millisecond granularity

A few months ago, I had the pleasure to go and teach two classes in Australia. During that visit, I met a very talented examiner named Brian Jones who had been learning the EnScript programming language for awhile, but had already excelled and created some great EnScripts and came up with some great ideas on using the power of EnScript.

Brian recently emailed me to comment on the recent post I made about the Windows FILETIME and the ability to see when a file's time stamp may have been manipulated. Brian shared a library that he wrote that displays an entries timestamp in millisecond granularity as well as displays the time stamps that's in the filename attribute, which are not shown by default by most forensic tools. Looking at the timestamps in the filename attribute and comparing them with what is recorded in the standard information attribute can provide lots of clues as to what has happened to that particular object (file or folder).

Brian has agreed to share his library with anyone else who is interested and I have to say he has done an excellent job. His documentation is superb! If you play around with EnScript, I highly suggest you load this library up and test it out. Even if you dont know how to program, there are simple examples in the documentation that you could try with very little effort.

The link to download the library is here.

Great Thanks to Brian Jones. If you have questions, comments or just want to say thanks, please email him at jone2bri (at) gmail (dot) com.

Here is his documentation and explanation of what the library does.



SEEBDateClass





SEEBDateClass encapsulates a date-time value. This class
represents time to a precision of seconds.

The time zone bias is set to the system's time zone bias. The GetString() method adjusts time with the bias before returning the string.


SEEBDateClass Enumeration OffsetOptions  [Top]

Name

Value

Description

NOBIAS

0

Controls the offset
values of the GetString() method(s)



NOBIAS – No Bias (UTC 0.00)

DSTADJ - Adjust time for DST.
LOCAL –
Time Zone set to examiner machine.

DSTADJ

1






LOCAL


2







SEEBDateClass Enumeration ShowOptions  [Top]

Name

Value

Description

LONGDATE

0

Controls the
output of the GetString() method(s)



LONGDATE -  02/09/2009 16:44:21

TEXTDATE -  Wednesday, 2
September 2009, 16:44:21.
SORTDATE –
02/09/09 16:44:21.

TEXTDATE

1






SHORTDATE


2





SEEBDateClass Enumeration EntryDateOptions  [Top]

Name

Value

Description

CREATED

80

Controls the
output of the EntryDate(entry, date_offset)
method. Returns the date of entry created etc. FNA = “File Name Attribute”
Time/date stamps – not shown in windows / EnCase.

CREATED –
entry created date.
WRITTEN –
entry last written.








WRITTEN

88






MFTMODIFIED


96






ACCESSED

114

MFTMODIFIED
– entries mft entry modified.
ACCESSED –
entry last accessed

FNACREATED,
FNAWRITTEN, FNAMFTMODIFIED, FNAACCESSED –
File Name
Attribute time/ date value – possible indicators of when file actually
created written on specific partition / system.






FNACREATED

184













FNAWRITTEN


192

FNAMFTMODIFIEDCREATED

200

FNAACCESSED

208







SEEBDateClass Enumeration AccuracyOptions  [Top]

Name

Value

Description

MINUTE

0

Controls the
accuracy of the Compare Functions(s)






SECOND

1






MILLISECOND


2





SEEBDateClass Methods  [Top]


Name

Return Type

Declaration

Description



SEEBDateClass


SEEBDateClass ()

Construct
default SEEBDate value. Year = 1601, month = 1, day
= 1, hour = 0,  minute = 0, second
= 0,
Millisecond = 0.



SEEBDateClass


SEEBDateClass (ulong value)

Construct SEEBDate value from 64 bit time / date stamp.



SEEBDateClass


SEEBDateClass (SEEBDateClass date)

Copy
Constructor.



SEEBDateClass


SEEBDateClass (uint day , uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0)

Construct SEEBDate value from individual values. i.e. day, month,
year etc



SEEBDateClass


SEEBDateClass (DateClass date)

Construct SEEBDate value from EnCase Date
Class.



GetString


Const GetString(EntryClass entry
= null, uint offset_options
= SEEBDateClass::DSTADJbool display_bias
= true, uint show_options
= SEEBDateClass::LONGDATE, bool
hour24 = true , bool display_ms
= false)

Converts the
date to the string format.
Arguments:
Entry – EntryClass object or null.
Offset_optionsOffsetOptions
Enum value.
Display_bias – display the bias i.e.
UTC(+10.00).
Show_optionsShowOptions
Enum value.
Hour24 –
24 hour time or not (12 hr)
Display_ms – display milliseconds or not.

Time zone settings obtained  from the volume the entry is on
– otherwise UTC( 0.00)
Get String() = all default values.



GetString


const GetString (int bias_value, bool display_bias = true, uint show_options
= SEEBDateClass::LONGDATE, bool
hour24 = true, bool display_ms
= false)

Converts the
date to the string format using specified bias.
Arguments:
Bias_value – bias entered manually. i.e -10
Display_bias – display the bias.
Show_optionsShowOptions
Enum value.
Hour24 –
24 hour time or not (12 hr)
Display_ms – display milliseconds or not.





EnCaseString


String

static EnCaseString(EntryClass
entry, uint offset_options
= SEEBDateClass::DSTADJbool display_bias
= true, uint show_options
= SEEBDateClass::LONGDATE, bool
hour24 = true , bool display_ms
= false)

Converts the
date to the string format using the EnCase “Modify
time zone settings” to set the timezone for each
volume.
Arguments:
Entry – EntryClass object.
Offset_optionsOffsetOptions
Enum value.
Display_bias – display the bias.
Show_optionsShowOptions
Enum value.
Hour24 –
24 hour time or not (12 hr)
Display_ms – display milliseconds or not.




GetTimeZoneBias

int

static GetTimeZoneBias
()

Returns the
local time zone offset in seconds



Year

int

const Year ()

Year value in 4
digit format (1601..2038)




Month

uint

const Month ()

Month value
(1..12)



Day

uint

const Day()

Day value (
1...31 )



Hour

uint

const Hour ()

Hour value
(0..23)



Minute

uint

const Minute ()

Minute value (0..59)



Second

uint

const Second ()

Second value
(0..59)



Millisecond

uint

const Millisecond()

Millisecond
value (0…999)



Ticks

long

const Ticks()

Total number of
ticks



DayOfWeek

uint

const DayOfWeek()

Day of week
value ( 0=Sunday…6)



DayOfWeekString

String

const DayOfWeekString()

Day of week as
string.



MonthString

String

const MonthString()

Month value as
string (January…December)



TotalSeconds

ulong

const TotalSeconds()

Total seconds
from 1/1/1601



EqualTo

bool

 EqualTo (SEEBDateClass value)

Returns true if
== value.



LessThan

bool

LessThan (SEEBDateClass value)

Returns true
if  < value



GreaterThan

bool

GreaterThan(SEEBDateClass value)

Returns true if
> value.



IsLeapYear

bool

static IsLeapYear (uint year)

Returns true if
year is a leap year.



InRange

bool

static InRange (SEEBDateClass Value, SEEBDateClass
min, SEEBDateClass
max, , uint
accuracy_options = SEEBDateClass::SECOND)

Value must be
between min and max, inclusive with accuracy = SECOND or MILLISECOND only..



IsValid

bool

const IsValid ()

Returns true if
the value is valid date.


EntryDate

SEEBDateClass

EntryDate(EntryClass
entry, uint entrydate_options
= SEEBDateClass::CREATED)

Converts the entry
date to SEEBDateClass.
Arguments:
Entry – EntryClass object to obtain dates from mft directly.
Entrydate_optionsEntryDateOptions
Enum..


Null

void

Null()

Allows creation
of null date. 0/0/0 00:00:00.


GetBias

double

static GetBias(EntryClass
entry = null)

Returns entries
bias value.
If null
entry  - function returns default
time zone setting if only one timezone -  or 0..


DstOffset

int

static DstOffset(EntryClass
entry = null)

Returns the
entries DST offset..


ReadWinDate

bool

ReadWinDate (FileClass file)

Construct SEEBDate value from 64 bit time / date stamp.
Arguments:
file – FileClass object.



ReadUnixDate

bool

ReadUnixDate (FileClass file)

Construct SEEBDate value from 32 bit (C / Unix) time / date stamp.
Arguments:
file – FileClass object.



UnixDate

double

UnixDate(ulong value)

Construct SEEBDate value from 32 bit (C / Unix) time / date stamp.
Arguments:
value


DateToMilliseconds

ulong

static DateToMilliseconds(SEEBDateClass date)

Covert a SEEBDate into total milliseconds for comparisons.


Now

void

Now ()

Sets the value
to the current system date and time


Set


void

Set(uint day , uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0)

Sets the date
directly.


Compare

int

Compare (const SEEBDateClass &Value, uint accuracy_options = SEEBDateClass::SECOND)

Returns < 0
if value is lexically less than, 0 if equal, > 0 if greater.
Arguments:
Value – SEEBDateClass object.
Accuracy_optionsaccuracy_options
enum value i.e. second, minute, millisecond..


TimeSpanString

String

static TimeSpanString (SEEBDateClass
date1, SEEBDateClass date2)

The time span
between two dates in days + hours + minutes + seconds.


TimeSpan

ulong

static TimeSpan (SEEBDateClass date1, SEEBDateClass date2)

The time span
between two dates in  seconds



/*

Example - Prints todays date and time

*/

class MainClass {

  void Main() {

    SEEBDateClass date();

    date.Now();

    Console.WriteLine("Today's date is " + date.DayOfWeekString() + " " +

                       date.MonthString() + " " + date.Day() + ", " + date.Year());

    Console.WriteLine("Current Time In Los Angeles:" + date.GetString(-8));

    Console.WriteLine("Current Time In New York:" + date.GetString(-5));

    Console.WriteLine("Current Time In Moscow:" + date.GetString(3));

    Console.WriteLine("Current System Time:" + date.Now());

  }

}

3 comments:

Binarybod Monday, 07 February, 2011  

Great post - thank you. I'll be making much use of this library. Hopefully Guidance will add something like this library to their own API.

I've had a bee in my bonnet for some time that forensic software rarely allows you to display the full time. You don't need this functionality in many cases the nearest second is fine but just once in a while it is nice to see the full granularity that NTFS records. It's one of the functions I included in Timelord:
(http://computerforensics.parsonage.co.uk/timelord/timelord.htm)

BJ Wednesday, 09 February, 2011  

Binarybod...

I wrote this class to address some of the issues with the EnCase DateClass.

I often use TimeLord to verify my results for jobs and used it to verify values for SEEBDateClass.... Its a very useful application.

I hope people get some use with this class.

Regards
BJ

Anonymous Wednesday, 16 February, 2011  

Lance, Menz's MFTRipper Pro has provided the NTFS time stamps to the millisecond since 2007. He also said you are in his Forensic 300 list.

Thom

Post a Comment

Computer Forensics, Malware Analysis & Digital Investigations

Random Articles