Brute-forcing dates & times in binary data

It’s common when exploring a new file format or Windows registry key to look for dates and times. Lots of binary structures encode dates and times, and parsing them out is essential.

Windows 10 has been exceptional at releasing ‘new’ data formats - especially in the registry where many of these new configuration settings are stored. Some great work has been done by the DFIR community to locate, parse and understand these new structures. For example, @gazambelli came across this interesting registry key back in June:

Of course, there are good open source and commercial tools which can explore binary and pull out possible dates and times. For registry analysis Eric Zimmerman’s Registry Explorer has a ‘data interpreter’, and for general binary structures X-Ways automatically highlights possible dates and times.

However, in an effort to learn Python, I’ve created a short script which will brute-force binary data looking for valid dates and times, according to a specified year. It’s simple to use and can give a quick indication if there is anything worth following up.

The usage is: ./ <filename> <year>.

Below, I’m looking for possible dates and times in a carved event log from a memory capture:

$ python3 single_event_log_carved.bin 2018
Test binary data for possible valid date/time formats. Version 0.1

Windows little-endian FILETIME records (in UTC) matching the year 2018 as follows:
Offset: 0x10    Date: 2018-03-18 11:15:00
Offset: 0x82    Date: 2018-03-18 11:15:00
Offset: 0x92    Date: 2018-03-07 08:43:03
Offset: 0x93    Date: 2018-03-07 08:43:03

Of course, you still have to use your brain. It won’t account for false positives, but it might point you in the right direction. At this point, the script will look for Windows little-endian FILETIME records in binary data (such as registry keys), although I’ll look to expand the parsers in time and add a date range functionality.
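To make the brute-force idea concrete, here is an added example of the approach described above. It is my own illustration, not the author’s script: it slides an 8-byte window over the data one byte at a time, interprets each window as a little-endian FILETIME (100-nanosecond intervals since 1601-01-01 UTC), and reports offsets whose decoded year matches the one requested. The `build_sample()` helper and the two timestamps it embeds are constructed test data, not bytes from the carved event log in the post.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert a raw 64-bit FILETIME integer to a UTC datetime.

    Returns None for zero/negative values and for values so large that the
    result falls outside Python's datetime range (year > 9999), which is the
    common case when random bytes are interpreted as a FILETIME.
    """
    if value <= 0:
        return None
    try:
        # FILETIME has 100 ns resolution; timedelta has 1 us resolution.
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        return None


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build test data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def find_filetimes(data, year):
    """Scan every byte offset of `data` for a little-endian FILETIME in `year`.

    Returns a list of (offset, datetime) tuples. Scanning at every offset,
    not just aligned ones, is what makes this a brute force; it also means
    the same record can show up at adjacent offsets when neighbouring bytes
    happen to decode to the same year, so results still need a human check.
    """
    hits = []
    for offset in range(0, len(data) - 7):
        (raw,) = struct.unpack_from("<Q", data, offset)
        dt = filetime_to_datetime(raw)
        if dt is not None and dt.year == year:
            hits.append((offset, dt))
    return hits


def build_sample():
    """Constructed sample: 0x30 zero bytes with a 2018 FILETIME at 0x10 and a 2017 one at 0x20."""
    buf = bytearray(0x30)
    struct.pack_into("<Q", buf, 0x10,
                     datetime_to_filetime(datetime(2018, 3, 18, 11, 15, 0, tzinfo=timezone.utc)))
    struct.pack_into("<Q", buf, 0x20,
                     datetime_to_filetime(datetime(2017, 6, 1, 0, 0, 0, tzinfo=timezone.utc)))
    return bytes(buf)


def report(data, year):
    """Format hits in the same style as the post's output."""
    lines = [f"Windows little-endian FILETIME records (in UTC) matching the year {year} as follows:"]
    for offset, dt in find_filetimes(data, year):
        lines.append(f"Offset: {offset:#x}    Date: {dt:%Y-%m-%d %H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"usage: {sys.argv[0]} <filename> <year>")
        sys.exit(1)
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    print(report(blob, int(sys.argv[2])))
```

Run it with a file and a year to get the offset/date listing; with the constructed sample, `report(build_sample(), 2018)` lists only the record at offset 0x10, and the 2017 record is ignored until you ask for that year. Restricting by year is the only false-positive filter here; any 8-byte window whose value happens to land inside the requested year will be reported.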

If you have any suggestions, comments or questions, please send me an email on [email protected] or via Twitter at @mattnotmax. Thanks for reading!