Tuesday, August 25, 2009

Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7

This information was provided to me by Longshot (Just passing this great information along).

Decoding the DateCreated and DateLastConnected registry values found under the key

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}

(in the SOFTWARE hive) on Vista and Windows 7.

The DateCreated and DateLastConnected values are 16-byte binary values that break up into eight 2-byte (16-bit) fields. The first seven carry the date and time; the eighth, the part left over, is milliseconds. This is the Windows SYSTEMTIME structure, and the fields are stored in this order:

Year
Month
Weekday
Day
Hour
Minutes
Seconds
Milliseconds

Each 2-byte field is little-endian, so the low byte comes first and the two bytes have to be swapped before reading the number. Taking the following value, read from the registry and shown as hex:

d9070200020018001700140025000001

and splitting it into its eight fields:

d907 0200 0200 1800 1700 1400 2500 0001


Year = d907 = 07d9 = 2009

Month = 0200 = 0002 = 2 (January = 1, February = 2, etc.)

Weekday = 0200 = 0002 = 2 (Sunday = 0, Monday = 1, etc.)

Day = 1800 = 0018 = 24

Hour = 1700 = 0017 = 23

Minutes = 1400 = 0014 = 20

Seconds = 2500 = 0025 = 37

Milliseconds = 0001 = 0100 = 256

The Month and Weekday numbers then have to be converted to their names, which yields:

Date First Connected: Tuesday, 24 February 2009 23:20:37

Two things are worth checking when decoding these by hand. The Weekday field is redundant with the date (24 February 2009 really was a Tuesday), so if the two disagree the bytes were read at the wrong offset or in the wrong byte order. And the structure carries no time-zone field, so whether the stored time is local time or UTC has to be established separately.


Here is the Perl code to do the above. $data holds the binary value read from the registry; the sample value from above is packed into it so the script runs as-is, and $n holds the name of the value being decoded:


use strict;
use warnings;

# The 16-byte binary value read from the registry. The sample value from
# above is packed here so the script runs as-is; feed it the real data.
my $data = pack("H*", "d9070200020018001700140025000001");

# Name of the value being decoded (DateCreated or DateLastConnected),
# used to pick the output label.
my $n = "DateCreated";

my %month_type = (1 => "January",
2 => "February",
3 => "March",
4 => "April",
5 => "May",
6 => "June",
7 => "July",
8 => "August",
9 => "September",
10 => "October",
11 => "November",
12 => "December");

my %dayofweek_type = (0 => "Sunday",
1 => "Monday",
2 => "Tuesday",
3 => "Wednesday",
4 => "Thursday",
5 => "Friday",
6 => "Saturday");


# Each field is a 16-bit little-endian word. "h4" unpacks it as four hex
# digits with the low nibble first, so reversing the string gives the
# normal (big-endian) hex digits that hex() expects. The eighth word,
# milliseconds, is not used here.
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);

#This part converts the year
my $finalyear = hex(reverse $year);

#Now we convert the month
my $monthnumber = hex(reverse $month);
my $finalmonth = $month_type{$monthnumber};

#Now we convert the weekday
my $weekdaynumber = hex(reverse $weekday);
my $finalweekday = $dayofweek_type{$weekdaynumber};

# This converts the date
my $finaldate = hex(reverse $date);

# Hour, minute and second are zero-padded to two digits
my $finalhour = sprintf("%02d", hex(reverse $hour));
my $finalminute = sprintf("%02d", hex(reverse $minute));
my $finalsecond = sprintf("%02d", hex(reverse $second));

my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";

my $finaln;
if ($n =~ /Created/) {
$finaln = "Date First Connected:";
} else {
$finaln = "Date Last Connected:";
}

print "$finaln $ssidtimestamp\n";
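The same decoding in Python, as an added example that is not part of the original post or the Perl above. It reads the eight 16-bit little-endian words of the SYSTEMTIME structure with struct, lets datetime reject out-of-range fields, cross-checks the stored weekday against the date (which catches wrong offsets and byte order), and decodes the trailing milliseconds word the Perl leaves out. The sample bytes are the post's example value; the function and variable names are mine.

```python
"""Decode Windows SYSTEMTIME values, the layout used by the NetworkList
DateCreated and DateLastConnected registry values on Vista and Windows 7."""
import struct
from datetime import datetime

# Eight unsigned 16-bit little-endian words, in SYSTEMTIME order:
# wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
SYSTEMTIME = struct.Struct("<8H")

# SYSTEMTIME numbers weekdays Sunday = 0 .. Saturday = 6
WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday",
            "Thursday", "Friday", "Saturday")

# The post's sample DateCreated value, as the hex shown in the post
SAMPLE_HEX = "d9070200020018001700140025000001"


def parse_systemtime(raw: bytes) -> datetime:
    """Return the timestamp as a naive datetime.

    SYSTEMTIME carries no time-zone field, so the result has no tzinfo;
    whether the value is local time or UTC has to be established from the
    source that wrote it. Malformed or mis-aligned input raises ValueError.
    """
    if len(raw) != SYSTEMTIME.size:
        raise ValueError(f"expected {SYSTEMTIME.size} bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = SYSTEMTIME.unpack(raw)
    if dow > 6:
        raise ValueError(f"day-of-week {dow} out of range 0..6")
    if ms > 999:
        raise ValueError(f"milliseconds {ms} out of range 0..999")
    # datetime() rejects out-of-range year/month/day/hour/minute/second itself
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # The stored weekday is redundant with the date: if it disagrees, the
    # bytes were read at the wrong offset or with the wrong byte order.
    # Python's weekday() has Monday = 0, SYSTEMTIME has Sunday = 0.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError(
            f"stored weekday {WEEKDAYS[dow]} does not match "
            f"{dt.date().isoformat()} ({WEEKDAYS[(dt.weekday() + 1) % 7]})")
    return dt


def parse_systemtime_hex(hex_text: str) -> datetime:
    """Accept the value as a hex string, as registry viewers display it."""
    return parse_systemtime(bytes.fromhex(hex_text.replace(" ", "")))


def is_plausible_systemtime(raw: bytes) -> bool:
    """True when the bytes decode to a self-consistent SYSTEMTIME."""
    try:
        parse_systemtime(raw)
    except ValueError:
        return False
    return True


def format_like_post(dt: datetime) -> str:
    """Render in the post's style: 'Tuesday, 24 February 2009 23:20:37'."""
    return f"{WEEKDAYS[(dt.weekday() + 1) % 7]}, {dt.day} {dt:%B %Y %H:%M:%S}"


def describe(value_name: str, raw: bytes) -> str:
    """Label a decoded DateCreated / DateLastConnected value."""
    label = "Date First Connected:" if "Created" in value_name else "Date Last Connected:"
    return f"{label} {format_like_post(parse_systemtime(raw))}"


if __name__ == "__main__":
    sample = bytes.fromhex(SAMPLE_HEX)
    print(describe("DateCreated", sample))
    # The same bytes with each word read big-endian (the common mistake)
    # fail validation instead of silently producing a wrong date
    swapped = b"".join(sample[i:i + 2][::-1] for i in range(0, 16, 2))
    print("byte-swapped copy plausible:", is_plausible_systemtime(swapped))
```

Run it as a script to see the post's sample decoded and the byte-swapped copy rejected; parse_systemtime_hex takes the value pasted straight from a registry viewer.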

19 comments:

Keydet89 said...

Here's the code I use in the RegRipper plugin I wrote:

sub parseDate128 {
my $date = $_[0];
my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
"Aug","Sep","Oct","Nov","Dec");
my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
$hr = "0".$hr if ($hr < 10);
$min = "0".$min if ($min < 10);
$sec = "0".$sec if ($sec < 10);
my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
return $str;
}

Andrew H said...

Thanks folks, nice!

Anonymous said...

There is a tool out there that does this as well. It does a few others from what I have seen.

http://www.live-forensics.com/dl/DateDecoder.zip

swkenney said...

The last 4 bytes represent thousandths of a second. Range 0 to 3e7h or 0 to 999 decimal.

swkenney said...

DateDecoder.exe by the way does not handle the last 4 bytes correctly. DateDecoder.exe is the program in DateDecoder.zip mentioned above.

Vasily Kolobkov said...

Just in case - that date time structure is called SYSTEMTIME. It's one of the datetime representations (along with FILETIME) you can come across while parsing registry.

jhon said...

Just would like to know, does SSID stand for Session ID or something else?

Unknown said...

SSID is service set identifier.

Free SMS said...

SSID values, haven't they got some relationship with WiFi settings or similar?

alistair1 said...

This helped with my computer forensics work. I was stuck.
