Decode - Forensic Date/Time Decoder (size: 25K)

 

 

This utility was designed to decode the various date/time values found embedded within binary and other file types.  This release now supports the following date/time formats and will allow you to specify the offset from GMT.

  • Windows 64 Bit  (Little Endian) Date & Time

  • Windows 64 Bit  (Big Endian) Date & Time

  • Windows Cookie Format Date & Time

  • Windows Filetime Format Date & Time

  • Unix 32 Bit (Little Endian) Date & Time

  • Unix 32 Bit (Big Endian) Date & Time

  • Unix Numeric Date & Time

  • MAC Absolute Date & Time

  • MS-DOS 32 Bit Date & Time

  • HFS 32 Bit (Little Endian)  Date & Time

  • HFS 32 Bit (Big Endian)  Date & Time

  • HFS+ 32 Bit (Little Endian) Date & Time

  • HFS+ 32 Bit (Big Endian) Date & Time

Date and time values are stored within Windows in various formats. For example, Internet History index.dat files, recycle bin INFO files, Windows link files and Microsoft Office documents all contain a 64-bit date/time structure.

 

During a forensic examination, you may need to decode a date or verify the date provided to you by forensic software. This is where Decode comes in. Decode can take a decimal value or a hex value and convert it into a date & time in a variety of formats.

 

It supports Windows 64-bit date & times, Unix hex 32-bit date & times, Unix decimal date & time values and MS-DOS format date & times. If you wish to do the arithmetic and verify the results, please remember that the times are stored in GMT and that the hex values are little endian unless otherwise stated, i.e. the stored bytes 40B3B13FED2AC001 represent the value 0x01c02aed3fb1b340.

 

What does a 64bit date & time look like?

Commonly known as "File Time". If you viewed a 64-bit date & time within your favourite forensic software or a plain old hex editor, it would look like: 40B3B13FED2AC001. This converts to September 30th 2000 14:46:43 GMT. Almost all these date & times are stored in GMT, so investigators need to translate the findings to their own time zone. Windows NT, for example, stores all the file date & times as GMT values, converting them according to time zone and daylight saving as appropriate. The native format for Internet History date & times is GMT. Many of the date and times for the years 1999, 2000, 2001 and 2002 end in BF01, C001, C101 or C201.

 

What does a Windows Filetime look like?

Often used in the extended header of e-mail.  The example below is from a hotmail message.

 

X-OriginalArrivalTime: FILETIME=[7BCCCEE0:01C39B98]

 

What does a Unix date & time look like?

Unix format date & times appear quite often in binary files and plain text files. Some are stored as hexadecimal values and others as a plain decimal value. If you viewed a hexadecimal value it would appear like: 9940F039. This converts to October 20th 2000 12:54:49 GMT. This format can be seen inside Netscape History files. The decimal format can also be seen stored in many file types. Netscape 6+ history files store their date & times in the decimal format. If you viewed a decimal date & time value it would look like: 971815414. This converts to October 17th 2000 20:43:34 GMT.

 

So what does an MS-DOS date & time look like?

MS-DOS date & time values are also stored in a number of different places. In FAT12, FAT16 and FAT32 volumes, this structure is used to hold the created, accessed and modified date & times for a file. MS-DOS dates are stored in a 4-byte structure. The time and date formats are referred to as packed binary because in each case they fit several different binary numbers into a single 16-bit location, simply putting each of those binary numbers into a specified group of adjacent bit locations within that 16-bit word. For example, in the 32-byte Directory Entry structure (FAT12, FAT16 and FAT32) the Last Written Date and Time are stored within bytes 22 to 25. In a FAT32 directory entry, the Created Date and Time are stored within bytes 14 to 17 and the Last Accessed Date is stored within bytes 18 and 19 (Note: no time is stored). If you were to view an MS-DOS date & time value it would look like: B67A3F28. This converts to January 31st 2000 15:21:44 GMT.

   

This utility will allow you to take the native hexadecimal or decimal value and convert it to a date & time.  Many forensic software packages actually translate the stored date & times according to the time zone of the analysis computer.  You must be very careful with this because if your analysis computer is analysing a suspect computer that operated in a different time zone (or Daylight Saving value for that matter) then the date and times you see may be completely wrong!  Use 'Decode' to verify the results.
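
To do the arithmetic by hand for the sample values quoted above, the Python below decodes each format; it is an added example, not part of the Decode utility or of the original page. The function names are illustrative, and reading the header's bracketed pair as the low:high 32-bit halves of one 64-bit value is an assumption.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 GMT.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_filetime_hex(hex_bytes, little_endian=True):
    # Eight bytes exactly as a hex editor shows them, e.g. 40B3B13FED2AC001.
    (ticks,) = struct.unpack("<Q" if little_endian else ">Q", bytes.fromhex(hex_bytes))
    return filetime_to_utc(ticks)

def decode_filetime_header(header):
    # Assumption: the bracketed pair is low:high 32-bit halves of one FILETIME.
    m = re.search(r"FILETIME=\[([0-9A-Fa-f]{8}):([0-9A-Fa-f]{8})\]", header)
    if m is None:
        raise ValueError("no FILETIME=[low:high] pair found")
    low, high = int(m.group(1), 16), int(m.group(2), 16)
    return filetime_to_utc((high << 32) | low)

def decode_unix_hex(hex_bytes, little_endian=True):
    # Four bytes holding seconds since 1970-01-01 00:00 GMT.
    (secs,) = struct.unpack("<I" if little_endian else ">I", bytes.fromhex(hex_bytes))
    return UNIX_EPOCH + timedelta(seconds=secs)

def decode_unix_decimal(text):
    return UNIX_EPOCH + timedelta(seconds=int(text))

def decode_dos_hex(hex_bytes):
    # Little-endian time word, then date word. The packed fields carry no zone,
    # so a naive datetime is returned; invalid fields raise ValueError.
    time_w, date_w = struct.unpack("<HH", bytes.fromhex(hex_bytes))
    return datetime(1980 + (date_w >> 9), (date_w >> 5) & 0x0F, date_w & 0x1F,
                    time_w >> 11, (time_w >> 5) & 0x3F, (time_w & 0x1F) * 2)

def at_offset(dt, hours):
    # Re-express a GMT result at a fixed offset from GMT (no DST rules applied).
    return dt.astimezone(timezone(timedelta(hours=hours)))

if __name__ == "__main__":
    print(decode_filetime_hex("40B3B13FED2AC001"))
    print(decode_filetime_header("X-OriginalArrivalTime: FILETIME=[7BCCCEE0:01C39B98]"))
    print(decode_unix_hex("9940F039"), decode_unix_decimal("971815414"))
    print(decode_dos_hex("B67A3F28"))
    print(at_offset(decode_filetime_hex("40B3B13FED2AC001"), -5))
```

The last call shows the same stored value rendered five hours behind GMT, which is the kind of shift to check for when a tool reports times in the analysis computer's zone.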

 

 

 

NOTE: This software is provided as is, without any warranties or guarantee.  Digital Detective will not be held responsible for the consequences of its use.  By downloading this software, you agree to the terms and conditions of this licence.  This software MUST NOT be distributed without consent of the author.

