Comments on Windows Incident Response: More Timeline Stuff

James (Anonymous), 2010-07-08 06:42 (-05:00)

Well, I've written two scripts: one decodes the standard Windows 8-byte date field and the other does UNIX text date/times you find in web pages (I think it is 10 chars). These are very common for what I do, and I think other formats would be easy to add - I'll add them as I need them :) This is the advantage of writing it yourself!

You put in the period of interest, start and end, down to the second; it turns these into numbers and looks for all numbers on the exhibit between these values. Not too tricky in EnScript, and it bookmarks the lot, so you can quickly dump those in files of no interest, leaving you MFTs, EVTs, registry files, live, RPs, VSS and UA.

Not my idea originally; it came from Lance's site and I wrote my own version (because his is EnPacked) and extended it. I'd be happy to share the source code - with the usual proviso about test it yourself and no warranty etc.

Rgds,
James

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2010-07-07 17:26 (-05:00)

Wow, I think that would be a rather difficult task...

First, there are so many date formats that your code would need to be able to handle all of them.

Then, you have to keep in mind that not everything will be relevant...

James (Anonymous), 2010-07-07 14:48 (-05:00)

Totally agree.

One thing I've found of great value is a tool (I use EnCase primarily, so I wrote mine as an EnScript) to search the entire exhibit for date/times (Win and UNIX numeric text) between any two specified date/times, regardless of where they are - registry, MFT (SIA & FNA), everywhere.

Rgds,
James
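The range search James describes in his two comments above (turn the start and end date/times into numbers, then find every Windows 8-byte date value and every 10-character UNIX epoch text that falls between them, wherever it sits on the exhibit) is sketched here in Python as an added example. This is not James's EnScript, which is not posted in the thread, and not code from the blog; the exhibit bytes are constructed inline for the demonstration, and the function and constant names (`search_exhibit`, `build_sample_exhibit`, `START`, `END`) are this example's own.

```python
"""Added example: range-search raw exhibit bytes for timestamps between two date/times.

Two encodings are handled, the two James names: the Windows 8-byte date field
(FILETIME, 100 ns ticks since 1601-01-01 UTC, little-endian) and the 10-character
decimal UNIX epoch text seen in web pages and logs.  Every byte offset is tested,
so a hit is reported regardless of the structure it sits in (MFT SIA/FNA
attributes, registry key headers, event logs, unallocated space, ...).
"""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                    # FILETIME resolution is 100 ns
UNIX_TEXT = re.compile(rb"(?<!\d)\d{10}(?!\d)")  # exactly ten digits, not part of a longer run


def to_filetime(dt):
    """Aware datetime -> FILETIME tick count (exact, no float rounding)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ticks):
    """FILETIME tick count -> aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def find_filetimes(data, start, end):
    """Slide an 8-byte window over every offset; keep little-endian values inside [start, end]."""
    lo, hi = to_filetime(start), to_filetime(end)
    hits = []
    for off in range(len(data) - 7):
        (value,) = struct.unpack_from("<Q", data, off)
        if lo <= value <= hi:
            hits.append((off, "FILETIME", from_filetime(value)))
    return hits


def find_unix_text(data, start, end):
    """Find 10-digit ASCII epoch values inside [start, end]."""
    lo, hi = int(start.timestamp()), int(end.timestamp())
    hits = []
    for m in UNIX_TEXT.finditer(data):
        value = int(m.group())
        if lo <= value <= hi:
            hits.append((m.start(), "UNIX", datetime.fromtimestamp(value, tz=timezone.utc)))
    return hits


def search_exhibit(data, start, end):
    """Every hit of both kinds, ordered by offset: the list an EnScript would bookmark."""
    return sorted(find_filetimes(data, start, end) + find_unix_text(data, start, end))


# Period of interest for the demo: one day, specified to the second (hypothetical window).
START = datetime(2010, 7, 7, 0, 0, 0, tzinfo=timezone.utc)
END = datetime(2010, 7, 8, 0, 0, 0, tzinfo=timezone.utc)


def build_sample_exhibit():
    """Constructed bytes standing in for an exhibit; not taken from any real image.

    Holds one FILETIME and one UNIX text value inside the window, plus three decoys:
    a FILETIME from 2003, a 12-digit number that embeds a valid epoch (must be
    ignored), and a 2003 epoch string.  Only the two in-window values are reported.
    """
    inside = datetime(2010, 7, 7, 12, 0, 0, tzinfo=timezone.utc)
    outside = datetime(2003, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    return (
        b"\x00" * 16
        + struct.pack("<Q", to_filetime(inside))                    # offset 16: hit
        + b"junk"
        + struct.pack("<Q", to_filetime(outside))                   # offset 28: decoy
        + b"GET /index.html?ts=" + str(int(inside.timestamp())).encode() + b" HTTP"  # offset 55: hit
        + b"serial=9" + str(int(inside.timestamp())).encode() + b"7;"  # 12-digit run: ignored
        + str(int(outside.timestamp())).encode()                    # 2003 epoch text: decoy
    )


def demo():
    """Run the search over the constructed exhibit and return the hit list."""
    return search_exhibit(build_sample_exhibit(), START, END)


if __name__ == "__main__":
    for off, kind, when in demo():
        print(f"offset {off:6d}  {kind:8s}  {when.isoformat()}")
```

Two points worth keeping in mind when running this against a real exhibit. A one-day window is narrow at 100 ns resolution, so an arbitrary 8-byte run rarely lands inside it; widening the window, or adding further encodings such as 32-bit binary UNIX times, raises the false-positive rate and brings Harlan's objection into play, since every extra date format is another scan and another source of irrelevant hits. The Python loop also tests one offset at a time, which is fine for the demonstration but slow at image scale; a compiled scanner over chunks is the practical version.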