It’s common when exploring a new file format or Windows registry key to look for dates and times. Many binary structures encode dates and times, and parsing those out correctly is essential to understanding the rest of the structure.
Windows 10 has been exceptional at releasing ‘new’ data formats - especially in the registry where many of these new configuration settings are stored. Some great work has been done by the DFIR community to locate, parse and understand these new structures. For example, @gazambelli came across this interesting registry key back in June:
The registry key HKCU\Software\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$$windows.data.taskflow.shellactivities\Current on Win10 contains a lot of user activity. I wonder if those repeating hex values may be timestamps. Any help? #DFIR pic.twitter.com/pwCgZibdjS— Gabriele Zambelli (@gazambelli) June 8, 2018
Of course, there are good open source and commercial tools which can explore binary and pull out possible dates and times. For registry analysis Eric Zimmerman’s Registry Explorer has a ‘data interpreter’, and for general binary structures X-Ways automatically highlights possible dates and times.
However, in an effort to learn Python, I’ve created a short script which will brute-force binary data looking for valid dates and times, according to a specified year. It’s simple to use and can give a quick indication if there is anything worth following up.
The usage is:
./bruteforce_dt.py <filename> <year>
Below, I’m looking for possible dates and times in a carved event log from a memory capture:
$ python3 bruteforce_dt.py single_event_log_carved.bin 2018
bruteforce_dt.py: Test binary data for possible valid date/time formats. Version 0.1
Windows little-endian FILETIME records (in UTC) matching the year 2018 as follows:
Offset: 0x10 Date: 2018-03-18 11:15:00
Offset: 0x82 Date: 2018-03-18 11:15:00
Offset: 0x92 Date: 2018-03-07 08:43:03
Offset: 0x93 Date: 2018-03-07 08:43:03
Of course, you still have to use your brain. The script tests every byte offset, so it will produce false positives (two adjacent offsets cannot both be genuine 8-byte fields, for instance), and it is up to you to confirm each hit against the surrounding structure; it might, however, point you in the right direction. At this point, the script only looks for Windows little-endian FILETIME records in binary data (such as registry values), although I’ll look to expand the parsers in time and add a date range option.
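The scan described above, written out as an added example (this is not the author’s bruteforce_dt.py, and the function names, the `step` parameter and the sample buffer are my own assumptions): every 8-byte little-endian window is read as a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) and reported if it falls inside the requested year. The input buffer is constructed inline, not a real carved log, and deliberately places a 2018 timestamp at offset 0x10 and a 2017 timestamp after it so the year filter has something to reject.

```python
"""Brute-force a byte buffer for Windows FILETIME values that fall in a given year.

Added example; not the original bruteforce_dt.py. The sample input is constructed.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone
from typing import Iterator, Tuple

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a raw FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build the sample buffer."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def year_tick_range(year: int) -> Tuple[int, int]:
    """Return [lo, hi) tick bounds covering every instant in `year` (UTC)."""
    lo = datetime_to_filetime(datetime(year, 1, 1, tzinfo=timezone.utc))
    hi = datetime_to_filetime(datetime(year + 1, 1, 1, tzinfo=timezone.utc))
    return lo, hi


def find_filetimes(data: bytes, year: int, step: int = 1) -> Iterator[Tuple[int, datetime]]:
    """Yield (offset, datetime) for each little-endian 8-byte window that decodes
    to a FILETIME inside `year`.

    step=1 tests every byte offset, which finds unaligned fields but also lets
    overlapping windows produce false hits; step=8 restricts to aligned offsets.
    """
    lo, hi = year_tick_range(year)
    for off in range(0, len(data) - 7, step):
        ticks = struct.unpack_from("<Q", data, off)[0]
        if lo <= ticks < hi:
            yield off, filetime_to_datetime(ticks)


def build_sample() -> bytes:
    """Constructed input (not a real carved log): 16 bytes of zero filler, a
    2018-03-18 11:15:00 FILETIME, 8 bytes of 0xff filler, then a 2017 FILETIME."""
    t2018 = datetime_to_filetime(datetime(2018, 3, 18, 11, 15, 0, tzinfo=timezone.utc))
    t2017 = datetime_to_filetime(datetime(2017, 12, 31, 23, 59, 59, tzinfo=timezone.utc))
    return b"\x00" * 16 + struct.pack("<Q", t2018) + b"\xff" * 8 + struct.pack("<Q", t2017)


def report(data: bytes, year: int) -> None:
    print(f"Windows little-endian FILETIME records (in UTC) matching the year {year}:")
    for off, when in find_filetimes(data, year):
        print(f"Offset: {off:#x} Date: {when:%Y-%m-%d %H:%M:%S}")


if __name__ == "__main__":
    # Usage: python3 this_script.py <filename> <year>; with no arguments, scan the sample.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            report(fh.read(), int(sys.argv[2]))
    else:
        report(build_sample(), 2018)
```

The year filter is a plain tick-range comparison, so adding a date range later is a matter of computing `lo` and `hi` from two arbitrary datetimes instead of from 1 January of consecutive years. Anything outside the range, including the huge values produced by windows that straddle a real timestamp and its neighbouring bytes, is rejected without ever being converted to a datetime.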