Custom FILETIME DateClass to display millisecond granularity
A few months ago, I had the pleasure of going to Australia to teach two classes. During that visit, I met a very talented examiner named Brian Jones who had been learning the EnScript programming language for a while and had already excelled, creating some great EnScripts and coming up with some great ideas about using the power of EnScript.
Brian recently emailed me to comment on the recent post I made about the Windows FILETIME and the ability to see when a file's timestamp may have been manipulated. Brian shared a library he wrote that displays an entry's timestamps with millisecond granularity and also displays the timestamps held in the filename attribute, which most forensic tools do not show by default. Looking at the timestamps in the filename attribute and comparing them with what is recorded in the standard information attribute can provide lots of clues as to what has happened to that particular object (file or folder).
Brian has agreed to share his library with anyone else who is interested, and I have to say he has done an excellent job. His documentation is superb! If you play around with EnScript, I highly suggest you load this library up and test it out. Even if you don't know how to program, there are simple examples in the documentation that you could try with very little effort.
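The comparison the post describes can be sketched outside EnCase. The Python below is an added example, not code from the post or from Brian's SEEBDateClass library: it decodes raw FILETIME values for millisecond display and lists the two observations an examiner would look for first when lining up $STANDARD_INFORMATION (SI) against $FILE_NAME (FN) timestamps. The class, function names and the sample stamps are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC,
# so 10,000,000 ticks make one second and the low digits carry the sub-second part.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a 64-bit FILETIME to a UTC datetime (Python keeps microseconds, so the
    last tick digit is dropped; millisecond display is unaffected)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed samples."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def format_ms(ticks: int) -> str:
    """dd/mm/yyyy HH:MM:SS.mmm in UTC: the long-date layout used on this page plus milliseconds."""
    dt = filetime_to_datetime(ticks)
    return dt.strftime("%d/%m/%Y %H:%M:%S") + f".{dt.microsecond // 1000:03d}"


@dataclass(frozen=True)
class AttributeTimes:
    """The four FILETIME stamps carried by both $STANDARD_INFORMATION and $FILE_NAME."""
    created: int
    written: int
    mft_modified: int
    accessed: int


FIELDS = ("created", "written", "mft_modified", "accessed")


def timestamp_indicators(si: AttributeTimes, fn: AttributeTimes) -> list:
    """Return observations worth a closer look; an empty list means nothing odd was seen.
    These are leads for the examiner to corroborate, not proof of tampering."""
    findings = []
    for name in FIELDS:
        ticks = getattr(si, name)
        # NTFS writes stamps at full 100 ns resolution, so a sub-second part of exactly
        # zero is unusual; values set through a seconds-granularity API, or copied in
        # from a coarser file system, commonly look like this.
        if ticks % TICKS_PER_SECOND == 0:
            findings.append(f"SI {name} has a zero sub-second part: {format_ms(ticks)}")
    # $FILE_NAME stamps are set by the kernel when the record is created or the file is
    # moved/renamed, so an SI creation time older than FN creation is inconsistent.
    if si.created < fn.created:
        findings.append(f"SI created {format_ms(si.created)} is earlier than "
                        f"FN created {format_ms(fn.created)}")
    return findings


# Constructed sample: FN stamps as the kernel would leave them, SI created pushed back
# to a whole second in 2008.
_FN_TIME = datetime_to_filetime(datetime(2009, 9, 2, 16, 44, 21, 123000, tzinfo=timezone.utc))
SAMPLE_FN = AttributeTimes(_FN_TIME, _FN_TIME, _FN_TIME, _FN_TIME)
SAMPLE_SI = AttributeTimes(
    created=datetime_to_filetime(datetime(2008, 1, 15, 9, 30, 0, tzinfo=timezone.utc)),
    written=_FN_TIME, mft_modified=_FN_TIME, accessed=_FN_TIME)

if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f:13s} SI {format_ms(getattr(SAMPLE_SI, f))}   FN {format_ms(getattr(SAMPLE_FN, f))}")
    for line in timestamp_indicators(SAMPLE_SI, SAMPLE_FN):
        print("->", line)
```

Run against the constructed sample it reports both indicators; run with the same attribute on both sides it reports nothing, which is the baseline to expect for a file that has simply been created and left alone.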
The link to download the library is here.
Great thanks to Brian Jones. If you have questions, comments or just want to say thanks, please email him at jone2bri (at) gmail (dot) com.
Here is his documentation and explanation of what the library does.
SEEBDateClass

SEEBDateClass encapsulates a date-time value. This class represents time to a precision of seconds.
The time zone bias is set to the system's time zone bias. The GetString() method adjusts time with the bias before returning the string.
OffsetOptions enum: controls the offset values of the GetString() method(s)
Name | Value | Description
NOBIAS | 0 | No bias (UTC 0.00)
DSTADJ | 1 | Adjust time for DST
LOCAL | 2 | Time zone set to the examiner machine
ShowOptions enum: controls the output of the GetString() method(s)
Name | Value | Description
LONGDATE | 0 | 02/09/2009 16:44:21
TEXTDATE | 1 | Wednesday, 2 September 2009, 16:44:21
SHORTDATE | 2 | 02/09/09 16:44:21
EntryDateOptions enum: controls the output of the EntryDate(entry, date_offset) method, i.e. which date of the entry is returned. FNA = "File Name Attribute" time/date stamps, which are not shown in Windows / EnCase and are possible indicators of when the file was actually created or written on a specific partition / system.
Name | Value | Description
CREATED | 80 | Entry created date
WRITTEN | 88 | Entry last written
MFTMODIFIED | 96 | Entry's MFT entry modified
ACCESSED | 114 | Entry last accessed
FNACREATED | 184 | File Name Attribute created
FNAWRITTEN | 192 | File Name Attribute last written
FNAMFTMODIFIEDCREATED | 200 | File Name Attribute MFT entry modified
FNAACCESSED | 208 | File Name Attribute last accessed
accuracy_options enum: controls the accuracy of the Compare function(s)
Name | Value | Description
MINUTE | 0 | Compare to the minute
SECOND | 1 | Compare to the second
MILLISECOND | 2 | Compare to the millisecond
Name | Return Type | Declaration | Description
SEEBDateClass | | SEEBDateClass() | Construct default SEEBDate value: year = 1601, month = 1, day = 1, hour = 0, minute = 0, second = 0, millisecond = 0.
SEEBDateClass | | SEEBDateClass(ulong value) | Construct SEEBDate value from a 64-bit time/date stamp.
SEEBDateClass | | SEEBDateClass(SEEBDateClass date) | Copy constructor.
SEEBDateClass | | SEEBDateClass(uint day, uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0) | Construct SEEBDate value from individual values, i.e. day, month, year etc.
SEEBDateClass | | SEEBDateClass(DateClass date) | Construct SEEBDate value from the EnCase DateClass.
GetString | String | const GetString(EntryClass entry = null, uint offset_options = SEEBDateClass::DSTADJ, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false) | Converts the date to string format. Arguments: entry: EntryClass object or null; offset_options: OffsetOptions enum value; display_bias: display the bias, i.e. UTC(+10.00); show_options: ShowOptions enum value; hour24: 24-hour time or not (12 hr); display_ms: display milliseconds or not. Time zone settings are obtained from the volume the entry is on, otherwise UTC(0.00). GetString() uses all default values.
GetString | String | const GetString(int bias_value, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false) | Converts the date to string format using a specified bias. Arguments: bias_value: bias entered manually, i.e. -10; display_bias: display the bias; show_options: ShowOptions enum value; hour24: 24-hour time or not (12 hr); display_ms: display milliseconds or not.
EnCaseString | String | static EnCaseString(EntryClass entry, uint offset_options = SEEBDateClass::DSTADJ, bool display_bias = true, uint show_options = SEEBDateClass::LONGDATE, bool hour24 = true, bool display_ms = false) | Converts the date to string format using the EnCase "Modify time zone settings" to set the time zone for each volume. Arguments: entry: EntryClass object; offset_options: OffsetOptions enum value; display_bias: display the bias; show_options: ShowOptions enum value; hour24: 24-hour time or not (12 hr); display_ms: display milliseconds or not.
GetTimeZoneBias | int | static GetTimeZoneBias() | Returns the local time zone offset in seconds.
Year | int | const Year() | Year value in 4-digit format (1601..2038).
Month | uint | const Month() | Month value (1..12).
Day | uint | const Day() | Day value (1..31).
Hour | uint | const Hour() | Hour value (0..23).
Minute | uint | const Minute() | Minute value (0..59).
Second | uint | const Second() | Second value (0..59).
Millisecond | uint | const Millisecond() | Millisecond value (0..999).
Ticks | long | const Ticks() | Total number of ticks.
DayOfWeek | uint | const DayOfWeek() | Day of week value (0 = Sunday .. 6).
DayOfWeekString | String | const DayOfWeekString() | Day of week as string.
MonthString | String | const MonthString() | Month value as string (January..December).
TotalSeconds | ulong | const TotalSeconds() | Total seconds from 1/1/1601.
EqualTo | bool | EqualTo(SEEBDateClass value) | Returns true if == value.
LessThan | bool | LessThan(SEEBDateClass value) | Returns true if < value.
GreaterThan | bool | GreaterThan(SEEBDateClass value) | Returns true if > value.
IsLeapYear | bool | static IsLeapYear(uint year) | Returns true if year is a leap year.
InRange | bool | static InRange(SEEBDateClass value, SEEBDateClass min, SEEBDateClass max, uint accuracy_options = SEEBDateClass::SECOND) | Returns true if value is between min and max, inclusive, with accuracy = SECOND or MILLISECOND only.
IsValid | bool | const IsValid() | Returns true if the value is a valid date.
EntryDate | SEEBDateClass | EntryDate(EntryClass entry, uint entrydate_options = SEEBDateClass::CREATED) | Converts the entry date to SEEBDateClass. Arguments: entry: EntryClass object whose dates are read directly from the MFT; entrydate_options: EntryDateOptions enum value.
Null | void | Null() | Allows creation of a null date: 0/0/0 00:00:00.
GetBias | double | static GetBias(EntryClass entry = null) | Returns the entry's bias value. If entry is null, returns the default time zone setting if there is only one time zone, otherwise 0.
DstOffset | int | static DstOffset(EntryClass entry = null) | Returns the entry's DST offset.
ReadWinDate | bool | ReadWinDate(FileClass file) | Construct SEEBDate value from a 64-bit time/date stamp read from the file. Arguments: file: FileClass object.
ReadUnixDate | bool | ReadUnixDate(FileClass file) | Construct SEEBDate value from a 32-bit (C / Unix) time/date stamp read from the file. Arguments: file: FileClass object.
UnixDate | double | UnixDate(ulong value) | Construct SEEBDate value from a 32-bit (C / Unix) time/date stamp. Arguments: value.
DateToMilliseconds | ulong | static DateToMilliseconds(SEEBDateClass date) | Convert a SEEBDate into total milliseconds for comparisons.
Now | void | Now() | Sets the value to the current system date and time.
Set | void | Set(uint day, uint month, uint yr, uint hr, uint min, uint sec, uint ms = 0) | Sets the date directly.
Compare | int | Compare(const SEEBDateClass &value, uint accuracy_options = SEEBDateClass::SECOND) | Returns < 0 if this date is lexically less than value, 0 if equal, > 0 if greater. Arguments: value: SEEBDateClass object; accuracy_options: accuracy_options enum value, i.e. MINUTE, SECOND or MILLISECOND.
TimeSpanString | String | static TimeSpanString(SEEBDateClass date1, SEEBDateClass date2) | The time span between two dates in days + hours + minutes + seconds.
TimeSpan | ulong | static TimeSpan(SEEBDateClass date1, SEEBDateClass date2) | The time span between two dates in seconds.
```
/* Example - Prints today's date and time */
include "SEEBDateClass"   // assumed name of the library file; adjust to where the class is saved

class MainClass {
  void Main() {
    SEEBDateClass date();   // default value is 01/01/1601 00:00:00
    date.Now();             // set to the current system date and time
    Console.WriteLine("Today's date is " + date.DayOfWeekString() + " " + date.MonthString() + " " + date.Day() + ", " + date.Year());
    Console.WriteLine("Current Time In Los Angeles:" + date.GetString(-8));
    Console.WriteLine("Current Time In New York:" + date.GetString(-5));
    Console.WriteLine("Current Time In Moscow:" + date.GetString(3));
    // Now() returns void and cannot be concatenated; GetString() with default arguments prints the value
    Console.WriteLine("Current System Time:" + date.GetString());
  }
}
```
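To make the Compare, InRange, GetString(bias_value) and TimeSpanString entries in the table concrete, here is an added Python model of those semantics working on raw FILETIME tick counts. It is my code, not Brian's EnScript; SeebDate and its method names are hypothetical stand-ins for the SEEBDateClass methods named in the comments, and the UTC(+10.00) bias rendering is assumed from the style quoted in the table.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
UNIX_EPOCH_TICKS = 116_444_736_000_000_000     # 1970-01-01 00:00:00 UTC as a FILETIME
MINUTE, SECOND, MILLISECOND = 0, 1, 2         # accuracy options, values as in the table
TICKS_PER_UNIT = {MINUTE: 60 * TICKS_PER_SECOND, SECOND: TICKS_PER_SECOND, MILLISECOND: 10_000}


class SeebDate:
    """Python model (hypothetical name) of SEEBDateClass: a FILETIME tick count plus helpers."""

    def __init__(self, ticks: int = 0):
        self.ticks = ticks                     # 100 ns ticks since 1601-01-01 (the default date)

    @classmethod
    def from_parts(cls, day, month, year, hour=0, minute=0, second=0, ms=0):
        """Equivalent of SEEBDateClass(day, month, yr, hr, min, sec, ms)."""
        dt = datetime(year, month, day, hour, minute, second, ms * 1000, tzinfo=timezone.utc)
        delta = dt - FILETIME_EPOCH
        return cls((delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10)

    @classmethod
    def from_unix(cls, seconds: int):
        """Equivalent of UnixDate(): 32-bit seconds since 1970 become FILETIME ticks."""
        return cls(UNIX_EPOCH_TICKS + seconds * TICKS_PER_SECOND)

    def as_datetime(self) -> datetime:
        return FILETIME_EPOCH + timedelta(microseconds=self.ticks // 10)

    def total_seconds(self) -> int:
        """TotalSeconds(): whole seconds since 1/1/1601."""
        return self.ticks // TICKS_PER_SECOND

    def compare(self, other, accuracy=SECOND) -> int:
        """Compare(): both values are truncated to the chosen unit before comparing,
        so 16:44:21.123 and 16:44:21.900 are equal at SECOND accuracy."""
        unit = TICKS_PER_UNIT[accuracy]
        a, b = self.ticks // unit, other.ticks // unit
        return (a > b) - (a < b)

    @staticmethod
    def in_range(value, lo, hi, accuracy=SECOND) -> bool:
        """InRange(): inclusive at both ends, at the chosen accuracy."""
        return value.compare(lo, accuracy) >= 0 and value.compare(hi, accuracy) <= 0

    def get_string(self, bias_hours: float, display_bias=True, display_ms=False) -> str:
        """GetString(bias_value, ...) in LONGDATE style: the examiner supplies the bias
        (e.g. -8 for Los Angeles) and the UTC value is shifted by that many hours."""
        local = self.as_datetime() + timedelta(hours=bias_hours)
        text = local.strftime("%d/%m/%Y %H:%M:%S")
        if display_ms:
            text += f".{local.microsecond // 1000:03d}"
        if display_bias:
            text += f" UTC({bias_hours:+.2f})"    # rendering assumed from the table's UTC(+10.00)
        return text

    @staticmethod
    def time_span_string(d1, d2) -> str:
        """TimeSpanString(): absolute difference as days + hours + minutes + seconds."""
        secs = abs(d1.total_seconds() - d2.total_seconds())
        days, rem = divmod(secs, 86_400)
        hours, rem = divmod(rem, 3_600)
        minutes, seconds = divmod(rem, 60)
        return f"{days} days {hours} hours {minutes} minutes {seconds} seconds"


if __name__ == "__main__":
    a = SeebDate.from_parts(2, 9, 2009, 16, 44, 21, 123)
    b = SeebDate.from_parts(2, 9, 2009, 16, 44, 21, 900)
    print(a.get_string(-8, display_ms=True))          # Los Angeles view of the same instant
    print(a.compare(b), a.compare(b, MILLISECOND))    # 0 at SECOND accuracy, -1 at MILLISECOND
    print(SeebDate.time_span_string(a, SeebDate.from_parts(3, 9, 2009, 18, 0, 0)))
```

The accuracy option matters when correlating stamps from sources with different resolution, e.g. an NTFS FILETIME against a Unix 32-bit stamp or a log line with whole seconds: compare at SECOND (or MINUTE) accuracy and the sub-second noise disappears, compare at MILLISECOND and it is preserved.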
3 comments:
Great post - thank you. I'll be making much use of this library. Hopefully Guidance will add something like this library to their own API.
I've had a bee in my bonnet for some time that forensic software rarely allows you to display the full time. You don't need this functionality in many cases; the nearest second is fine, but just once in a while it is nice to see the full granularity that NTFS records. It's one of the functions I included in Timelord:
(http://computerforensics.parsonage.co.uk/timelord/timelord.htm)
Binarybod...
I wrote this class to address some of the issues with the EnCase DateClass.
I often use TimeLord to verify my results for jobs and used it to verify values for SEEBDateClass. It's a very useful application.
I hope people get some use with this class.
Regards
BJ
Lance, Menz's MFTRipper Pro has provided the NTFS time stamps to the millisecond since 2007. He also said you are in his Forensic 300 list.
Thom