Showing posts with label Timestamps. Show all posts

Monday, January 28, 2008

Search for Windows 64-bit TIMESTAMPS

The NTFS file system is pretty verbose and redundant. With the introduction of Windows Vista there is even more file system redundancy, because the Volume Shadow Copy Service (VSS) keeps older copies of volume blocks. Windows uses a 64-bit timestamp to track most file system events; an NTFS record carries four of them (created, accessed, written, and MFT entry modified). This 8-byte value, stored little-endian, is the number of 100-nanosecond intervals that have elapsed since midnight UTC, January 1, 1601.

There have been many times when I have found myself searching for these Windows timestamps in the various NTFS internal files. EnCase and most of the other forensic tools show you the contents of the master file table (MFT), but what if the reference to the file or folder is no longer there?

On several occasions I have found references to files or folders of interest in the $LogFile and in unallocated space. Most of the time I found them because I was searching for a specific filename and uncovered the record, or I simply stumbled across it. In those cases I found myself trying to craft a GREP expression that would lock onto any other Windows timestamps from the same time frame. As an example, the screenshot below is of an MFT record that is in the $LogFile:



This EnScript takes a starting date/time and an ending date/time and generates a GREP search expression covering that date range. It then searches any selected (checked) files with that expression and bookmarks the findings. Because Windows timestamps are granular to a 100-nanosecond interval, a GREP expression cannot pin down an exact date/time: it can only bound the high-order bytes of the little-endian value, so what it actually matches is your date range rounded out to byte boundaries. The narrower the range, the tighter the match; a range of a couple of days will produce far fewer stray hits than one of several months.



The option at the bottom allows you to look for consecutive timestamps, i.e. a timestamp matching your date range immediately followed by another timestamp, which need not be in your date range. This is useful if you specifically want to find orphaned MFT records in unallocated space or in the $LogFile: an MFT record holds eight timestamps, one group of four consecutive timestamps in $STANDARD_INFORMATION and another group of four in $FILE_NAME, so setting this option restricts the hits to that kind of structure.



This EnScript bookmarks any found timestamps, then reads each timestamp and places its value in the comment field so the bookmarks can be sorted. The timestamp in the comment field is GMT and your case settings have no effect on it. If you instead sweep the raw bytes of the timestamp and view them through the bookmark styles, then your case time zone setting applies.
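As an added example, and not the EnScript from this post or EnCase GREP syntax, the Python below does the same job over a raw byte buffer: it turns a date range into a search expression for little-endian FILETIME values, scans for hits, decodes each one, and optionally applies the consecutive-timestamp check described above. It goes one step beyond the approach in the post: rather than bounding each byte independently, it enumerates the alternatives needed to cover the range exactly, so no rounding to byte boundaries occurs. The plausibility window used for the "next timestamp" test and the sample buffer are my own assumptions, not data from the post.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware datetime -> 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    """64-bit FILETIME -> aware UTC datetime (sub-microsecond ticks dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def _split(lo, hi, nbytes):
    """Exact cover of the integer interval lo..hi by per-byte ranges, most
    significant byte first: a list of alternatives, each a list of (low, high)."""
    if nbytes == 0:
        return [[]]
    shift = 8 * (nbytes - 1)
    mask = (1 << shift) - 1
    top_lo, top_hi = lo >> shift, hi >> shift
    rest_lo, rest_hi = lo & mask, hi & mask
    if top_lo == top_hi:
        return [[(top_lo, top_lo)] + t for t in _split(rest_lo, rest_hi, nbytes - 1)]
    alts, full_lo, full_hi = [], top_lo, top_hi
    if rest_lo != 0:                       # partial block under the lowest top byte
        alts += [[(top_lo, top_lo)] + t for t in _split(rest_lo, mask, nbytes - 1)]
        full_lo += 1
    if rest_hi != mask:                    # partial block under the highest top byte
        alts += [[(top_hi, top_hi)] + t for t in _split(0, rest_hi, nbytes - 1)]
        full_hi -= 1
    if full_lo <= full_hi:                 # everything in between: any tail bytes
        alts.append([(full_lo, full_hi)] + [(0, 255)] * (nbytes - 1))
    return alts


def _cls(lo, hi):
    return b"\\x%02x" % lo if lo == hi else b"[\\x%02x-\\x%02x]" % (lo, hi)


def filetime_range_regex(start, end):
    """Compiled bytes regex matching exactly the little-endian FILETIMEs in [start, end]."""
    lo, hi = to_filetime(start), to_filetime(end)
    if lo > hi:
        raise ValueError("start must not be after end")
    # reversed(): the most significant byte is stored last in memory
    body = b"|".join(b"".join(_cls(a, b) for a, b in reversed(alt)) for alt in _split(lo, hi, 8))
    return re.compile(b"(?:" + body + b")")


# Assumed plausibility window for the "followed by another timestamp" test
# (my choice, not part of the original post).
PLAUSIBLE_LO = to_filetime(datetime(1980, 1, 1, tzinfo=timezone.utc))
PLAUSIBLE_HI = to_filetime(datetime(2038, 1, 1, tzinfo=timezone.utc))


def find_timestamps(data, start, end, consecutive=False):
    """Return [(offset, datetime)] for every FILETIME in data within [start, end].
    With consecutive=True, keep only hits directly followed by another plausible
    FILETIME, as in the four-in-a-row groups of an MFT record."""
    pat, hits, pos = filetime_range_regex(start, end), [], 0
    while True:
        m = pat.search(data, pos)
        if not m:
            return hits
        off = m.start()
        ok = True
        if consecutive:
            nxt = data[off + 8:off + 16]
            ok = len(nxt) == 8 and PLAUSIBLE_LO <= struct.unpack("<Q", nxt)[0] <= PLAUSIBLE_HI
        if ok:
            hits.append((off, from_filetime(struct.unpack("<Q", m.group(0))[0])))
        pos = off + 1   # advance one byte so unaligned values are never skipped


def sample_data():
    """Constructed buffer (not evidence from the post): filler, one isolated
    in-range timestamp, four consecutive timestamps like $STANDARD_INFORMATION,
    and one timestamp outside the range."""
    def ft(*ymdhms):
        return struct.pack("<Q", to_filetime(datetime(*ymdhms, tzinfo=timezone.utc)))
    buf = bytearray(b"\x00" * 16 + b"FILE0" + b"\x00" * 27)          # 48 bytes of filler
    buf += ft(2008, 1, 14, 9, 30, 0)                                 # isolated hit at 48
    buf += b"\x00" * 8
    buf += ft(2008, 1, 20, 8, 0, 0) + ft(2008, 1, 20, 8, 0, 0)       # group of four at 64
    buf += ft(2008, 1, 20, 8, 5, 0) + ft(2008, 1, 21, 17, 45, 0)
    buf += b"\x00" * 8
    buf += ft(2006, 6, 1, 0, 0, 0)                                   # out of range at 104
    return bytes(buf)


if __name__ == "__main__":
    jan = (datetime(2008, 1, 1, tzinfo=timezone.utc), datetime(2008, 1, 31, 23, 59, 59, tzinfo=timezone.utc))
    for off, when in find_timestamps(sample_data(), *jan, consecutive=True):
        print(f"offset {off}: {when.isoformat()}")
```

The scan advances one byte at a time because carved structures in $LogFile and unallocated space are not aligned; with the exact alternatives the only cost of a wide range is the number of alternatives, not extra false hits.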



Download here

Tuesday, July 17, 2007

EnCase EnScript to quickly sort last written timestamps on registry keys

One of the many analysis techniques that I use when looking at compromised computers is to analyze registry keys and the last written date on the various keys. If I have a time frame that I am focusing on based on some other type of artifact, I commonly look at all the registry keys that have a last written date near my target date.

I wrote an EnCase EnScript to mount the registry hives and then dump all the registry keys and their last written dates into a Bookmark Log Record view, so I could sort them, export them, print them or whatever else I needed. Previously I would just mount the registry hives, select "show all", and sort the files and registry keys together in the same view. That method is still a valuable one, but I wrote this so I could make bookmarks and separate the registry keys into their own bookmark area for closer analysis.

To use this EnScript, copy to your EnCase EnScript folder and then refresh your EnScript folder in EnCase (if EnCase is currently running). Simply double-click on the EnScript and it will mount the registry hives and dump the data in the bookmark tab, log records subtab.

*Note that the Bookmarks->Log Records tab has a hard-coded column named "Last Accessed", although registry keys only have a last written timestamp. I have populated that column with the last written timestamps.
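As an added example, separate from the EnScript in this post, the Python below shows the same technique outside EnCase: it carves key nodes ("nk" cells) out of a byte buffer using the documented nk layout (signature at +0, flags at +2, last written FILETIME at +4, name length at +0x48, name at +0x4C), then sorts the keys and keeps only those whose last written time falls within a window around a target date. The hive fragment is constructed for the example, only compressed (ASCII) key names are handled, and the plausibility window used to reject false "nk" hits is my own assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt):
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


# Assumed window for a believable last-written time; stray "nk" byte pairs in
# other data almost never carry a value in this range.
PLAUSIBLE_LO = to_filetime(datetime(1990, 1, 1, tzinfo=timezone.utc))
PLAUSIBLE_HI = to_filetime(datetime(2040, 1, 1, tzinfo=timezone.utc))
KEY_COMP_NAME = 0x20   # nk flag: key name stored as 8-bit (compressed) characters


def parse_nk(data, off):
    """Parse one nk key node at offset off; return (offset, name, last_written)
    or None if the bytes there do not look like a key node."""
    if off + 0x4C > len(data) or data[off:off + 2] != b"nk":
        return None
    flags = struct.unpack_from("<H", data, off + 2)[0]
    last_written = struct.unpack_from("<Q", data, off + 4)[0]
    name_len = struct.unpack_from("<H", data, off + 0x48)[0]
    if not (PLAUSIBLE_LO <= last_written <= PLAUSIBLE_HI) or not 0 < name_len <= 255:
        return None
    if not flags & KEY_COMP_NAME:          # UTF-16LE names not handled in this example
        return None
    name = data[off + 0x4C:off + 0x4C + name_len]
    if len(name) != name_len or not all(0x20 <= b < 0x7F for b in name):
        return None
    return off, name.decode("ascii"), from_filetime(last_written)


def carve_nk_records(data):
    """Scan the whole buffer for key nodes, including ones no longer linked to
    a parent (deleted keys in hive slack or unallocated space)."""
    recs, pos = [], data.find(b"nk")
    while pos != -1:
        rec = parse_nk(data, pos)
        if rec:
            recs.append(rec)
        pos = data.find(b"nk", pos + 1)
    return recs


def keys_near(records, target, window):
    """Keys last written within +/- window of target, oldest first."""
    lo, hi = target - window, target + window
    return sorted((r for r in records if lo <= r[2] <= hi), key=lambda r: r[2])


def build_nk(name, last_written):
    """Constructed nk cell body for the sample fragment (not a real hive export)."""
    cell = bytearray(0x4C)
    cell[0:2] = b"nk"
    struct.pack_into("<H", cell, 2, KEY_COMP_NAME)
    struct.pack_into("<Q", cell, 4, to_filetime(last_written))
    struct.pack_into("<H", cell, 0x48, len(name))
    return bytes(cell) + name.encode("ascii") + b"\x00" * 4   # trailing cell padding


def sample_hive_fragment():
    """Constructed fragment: some filler containing a misleading 'nk', then three keys."""
    utc = timezone.utc
    return (b"junk nk here" + b"\x00" * 20
            + build_nk("Uninstall", datetime(2007, 3, 1, 10, 0, tzinfo=utc))
            + build_nk("MountedDevices", datetime(2007, 7, 16, 3, 0, tzinfo=utc))
            + build_nk("Run", datetime(2007, 7, 14, 22, 10, tzinfo=utc)))


if __name__ == "__main__":
    target = datetime(2007, 7, 15, tzinfo=timezone.utc)
    for off, name, when in keys_near(carve_nk_records(sample_hive_fragment()), target, timedelta(days=2)):
        print(f"{when.isoformat()}  {name}  (offset {off})")
```

Sorting by the nk timestamp is the whole point: it lets you line up key activity with the file system timeline from the first post, and because the carver does not follow parent links it also surfaces keys that were deleted before the hive was collected.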

Download Here

Computer Forensics, Malware Analysis & Digital Investigations
