This information was provided to me by Longshot (just passing this great information along).
Decoding the DateCreated and DateLastConnected registry values from the registry key
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
in Vista and Windows 7
DateCreated and DateLastConnected are 16-byte binary values that can be broken up into eight 2-byte (16-bit) fields. The first seven fields are the parts of the date; the eighth, milliseconds, is left over and is not used by the script below. (This is the Windows SYSTEMTIME structure.) The order of the fields is as follows:
Year
Month
Weekday
Day
Hour
Minutes
Seconds
(Milliseconds)
Each 2-byte field is little endian, so the two bytes have to be swapped before the number is read. Taking the following data, dumped from the registry as hex, and splitting it into fields we get this translation (the "h4" is the Perl unpack template used in the script below, which reads each field as four hex digits):
d9070200020018001700140025000001
d907 0200 0200 1800 1700 1400 2500 0001
Year = h4 = d907 = 07d9 = 2009
Month = h4 = 0200 = 0002 = 2 {Jan = 1, Feb = 2, etc....}
Weekday = h4 = 0200 = 0002 = 2 {Sunday = 0, Monday = 1, etc...}
Day = h4 = 1800 = 0018 = 24
Hour = h4 = 1700 = 0017 = 23
Minutes = h4 = 1400 = 0014 = 20
Seconds = h4 = 2500 = 0025 = 37
(Milliseconds = 0001 = 0100 = 256, not used below)
The Month and Weekday numbers then have to be converted to the proper month and weekday names, which yields the following:
Date First Connected: Tuesday, 24 February 2009 23:20:37
use strict;
use warnings;
# This is the binary data that would be read from the registry file.
# So the script runs on its own, the sample value from above is packed here;
# replace it with the raw bytes of the DateCreated or DateLastConnected value.
my $data = pack("H*", "d9070200020018001700140025000001");
# Name of the registry value being decoded; it only selects the output label
# (in the original the name came from the surrounding plugin code).
my $n = "DateCreated";
my %month_type = (1 => "January",
2 => "February",
3 => "March",
4 => "April",
5 => "May",
6 => "June",
7 => "July",
8 => "August",
9 => "September",
10 => "October",
11 => "November",
12 => "December");
my %dayofweek_type = (0 => "Sunday",
1 => "Monday",
2 => "Tuesday",
3 => "Wednesday",
4 => "Thursday",
5 => "Friday",
6 => "Saturday");
# Each field is a 2-byte little-endian word. "h4" reads it as four hex digits
# low nibble first, reverse puts the digits back in normal order, and hex()
# turns the result into a number. The eighth word (milliseconds) is ignored.
my ($year, $month, $weekday, $date, $hour, $minute, $second ) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);
#This part converts the year
my $finalyear= hex(reverse $year);
#Now we convert the month
my $monthnumber=hex(reverse $month);
my $finalmonth = $month_type{$monthnumber};
#Now we convert the weekday
my $weekdaynumber=hex(reverse $weekday);
my $finalweekday = $dayofweek_type{$weekdaynumber};
# This converts the date
my $finaldate=hex(reverse $date);
#This converts the hour, minute and second, zero-padded to two digits
# (so 0 prints as "00" and 5 as "05")
my $finalhour=sprintf("%02d", hex(reverse $hour));
my $finalminute=sprintf("%02d", hex(reverse $minute));
my $finalsecond=sprintf("%02d", hex(reverse $second));
my $ssidtimestamp= "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";
my $finaln;
if ($n =~ /Created/){
$finaln="Date First Connected:";
} else {
$finaln="Date Last Connected:";
}
print "$finaln $ssidtimestamp\n";
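The same decode in Python, as an added worked example that is not part of the original post or of Longshot's script. It adds the checks an examiner would want before trusting a decoded date: the value must be exactly 16 bytes, every field must be in range, the eighth (milliseconds) word is read instead of dropped, and the stored weekday is cross-checked against the calendar date so a value read from the wrong offset or a damaged hive fails loudly instead of printing a plausible-looking timestamp. The sample value is the one from the post. The live-system walker at the end is a Windows-only convenience and assumes each {GUID} key also carries the usual ProfileName string value (an assumption, since the page does not show it); everything else runs offline.

```python
"""Decode the SYSTEMTIME blobs in NetworkList\\Profiles\\{GUID} (added example)."""
import struct
from datetime import datetime

# Sample DateCreated value from the post, hex-encoded (16 bytes).
SAMPLE_HEX = "d9070200020018001700140025000001"

# SYSTEMTIME is eight little-endian 16-bit words in this order;
# the post's Perl script reads the first seven and ignores milliseconds.
FIELDS = ("year", "month", "day_of_week", "day", "hour", "minute",
          "second", "milliseconds")
SYSTEMTIME = struct.Struct("<8H")   # size == 16


class SystemTimeError(ValueError):
    """The blob is not a plausible SYSTEMTIME (wrong length or out-of-range field)."""


def parse_systemtime(data: bytes) -> dict:
    """Split the 16-byte value into named integer fields and range-check them."""
    if len(data) != SYSTEMTIME.size:
        raise SystemTimeError(f"expected {SYSTEMTIME.size} bytes, got {len(data)}")
    f = dict(zip(FIELDS, SYSTEMTIME.unpack(data)))
    # Out-of-range fields usually mean the wrong value, the wrong offset or a
    # damaged hive rather than an exotic date, so refuse instead of printing garbage.
    if not 1 <= f["month"] <= 12:
        raise SystemTimeError(f"month {f['month']} out of range")
    if f["day_of_week"] > 6:
        raise SystemTimeError(f"day_of_week {f['day_of_week']} out of range")
    if f["hour"] > 23 or f["minute"] > 59 or f["second"] > 59:
        raise SystemTimeError("time of day out of range")
    if f["milliseconds"] > 999:
        raise SystemTimeError(f"milliseconds {f['milliseconds']} out of range")
    return f


def systemtime_to_datetime(data: bytes) -> datetime:
    """Build a naive datetime (SYSTEMTIME stores no time zone) and verify the weekday."""
    f = parse_systemtime(data)
    try:
        dt = datetime(f["year"], f["month"], f["day"], f["hour"], f["minute"],
                      f["second"], f["milliseconds"] * 1000)
    except ValueError as exc:          # e.g. day 31 in a 30-day month
        raise SystemTimeError(f"invalid calendar date: {exc}") from exc
    # SYSTEMTIME counts Sunday=0..Saturday=6; datetime.weekday() counts Monday=0..Sunday=6.
    if (dt.weekday() + 1) % 7 != f["day_of_week"]:
        raise SystemTimeError(
            f"stored weekday {f['day_of_week']} does not match {dt:%A} for {dt:%Y-%m-%d}")
    return dt


def describe(value_name: str, data: bytes) -> str:
    """Render the value the way the post does, e.g.
    'Date First Connected: Tuesday, 24 February 2009 23:20:37'."""
    label = "Date First Connected:" if "Created" in value_name else "Date Last Connected:"
    return f"{label} {systemtime_to_datetime(data):%A, %d %B %Y %H:%M:%S}"


def enumerate_profiles():
    """Windows-only helper: yield (ProfileName, value name, decoded datetime) for every
    profile on the live system. Assumes the usual ProfileName REG_SZ value in each
    {GUID} key, which this page does not show (assumption)."""
    import winreg  # only available on Windows
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as profiles:
        subkey_count = winreg.QueryInfoKey(profiles)[0]
        for i in range(subkey_count):
            guid = winreg.EnumKey(profiles, i)
            with winreg.OpenKey(profiles, guid) as prof:
                name = winreg.QueryValueEx(prof, "ProfileName")[0]
                for value in ("DateCreated", "DateLastConnected"):
                    raw = winreg.QueryValueEx(prof, value)[0]   # bytes for REG_BINARY
                    yield name, value, systemtime_to_datetime(raw)


if __name__ == "__main__":
    print(describe("DateCreated", bytes.fromhex(SAMPLE_HEX)))
```

Run against the sample it prints the same line the post arrives at by hand, and the milliseconds word (0x0100 = 256) is kept in the datetime rather than discarded. Against an offline hive the same functions can be fed the raw value bytes from whatever hive parser is in use.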
19 comments:
Here's the code I use in the RegRipper plugin I wrote:
sub parseDate128 {
my $date = $_[0];
my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
"Aug","Sep","Oct","Nov","Dec");
my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
$hr = "0".$hr if ($hr < 10);
$min = "0".$min if ($min < 10);
$sec = "0".$sec if ($sec < 10);
my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
return $str;
}
Thanks folks, nice!
There is a tool out there that does this as well. It does a few others from what I have seen.
http://www.live-forensics.com/dl/DateDecoder.zip
The last 4 bytes represent thousandths of a second. Range 0 to 3e7h or 0 to 999 decimal.
DateDecoder.exe by the way does not handle the last 4 bytes correctly. DateDecoder.exe is the program in DateDecoder.zip mentioned above.
A great post on the topic of how one can decode the SSID values using Windows 7 or Vista. Great piece of information shared, well done....
Just in case - that date time structure is called SYSTEMTIME. It's one of the datetime representations (along with FILETIME) you can come across while parsing registry.
What a constructive blog! Much more people should do the same! Thank you very much.
Just would like to know does SSID stands for Session ID or some thing else.... ?
SSID is service set identifier
I am not very good at math, so I often type the wrong number.
SSID values, haven't they got any relationship with WIFI setting or similar... ???
This helped with my computer forensics work. I was stuck.
Hey, there's a great deal of helpful information above!
THANK YOU!! FOR THIS BLOG!!!