Comments on Windows Incident Response: It's about time...

Anonymous, 2017-05-25 21:24 -05:00

Hi Harlan, gotta say I love your work.

I have a question regarding SYSTEMTIME. I've looked at the Microsoft C version of a way to convert the value to a human-readable format, but I'm wondering whether in your research of the topic you've actually come across the actual 'algorithm', if you will. I'm creating a Timestamp decoder in Python for Linux (and Windows I guess), since no decent tool exists to convert multiple types.

I'm trying to learn how this conversion actually takes place so I can then find a way to complete that in Python. Any chance you're able to provide some insight?

H. Carvey, 2009-11-16 10:18 -05:00

"You obviously took a lot of time to think of a name?"

Wow, you're going to bust my chops over something like a name, and not even sign your posts? Wow.

Thanks for sharing the link. Maybe the reason you feel that I've "shrouded it in mystery" may be due to the fact that I hadn't yet found that link. I don't see you taking the same sort of tact (or lack thereof) with others who've posted similarly.

Also, if you're going to take me to task about other locations where this structure can be found, why are you then "shrouding" those locations in mystery?

Some of us post this stuff...I guess part of that is putting up with anonymous folks with bad attitudes.

Thanks again for your input.

Anonymous, 2009-11-16 09:48 -05:00

Harlan,

You obviously took a lot of time to think of a name? Why use one which is almost identical to an existing tool performing the same type of conversion?

The timestamp structure you are describing is a SYSTEMTIME date/time structure. It is not a 128-bit timestamp but a collection of 16-bit values in a 128-bit structure. I am not sure why you have shrouded this in mystery and not actually explained this? In fact, anyone with a calculator can work it out without using a tool. As we can see from your example, the first two bytes D907 is 0x07D9 or 2009 in decimal. The rest isn't complicated.

http://msdn.microsoft.com/en-us/library/ms724950(VS.85).aspx

I also disagree with what you are saying about the SYSTEMTIME structure not appearing in the registry until Vista? I remember this structure in Windows 2000. It is also the format Microsoft uses to store standard and daylight date/time values as part of the TIME_ZONE_INFORMATION structure and can easily be found in XP.

H. Carvey, 2009-11-14 13:52 -05:00

Why? DCode doesn't give me the Unix epoch time, and it doesn't appear to handle the 128-bit times that I need decoded.

Anonymous, 2009-11-14 11:34 -05:00

You should try dcode: http://www.digital-detective.co.uk/freetools/decode.asp
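Putting two of the comments above together (the request for a Python SYSTEMTIME decoder and the explanation of the structure as eight 16-bit WORDs), here is an added example that is not code from the blog or from any commenter. The sample bytes are constructed (the first WORD is the D9 07 == 0x07D9 == 2009 quoted in the thread), all helper names are my own, and the example goes one step beyond the thread by also rendering the wYear == 0 recurrence form that TIME_ZONE_INFORMATION uses for its StandardDate/DaylightDate members.

```python
import struct
from datetime import datetime, timezone

# SYSTEMTIME layout (see the MSDN page linked in the thread): eight little-endian
# WORDs, 16 bytes in all, in this order.
SYSTEMTIME_FMT = "<8H"
FIELDS = ("year", "month", "day_of_week", "day", "hour", "minute", "second", "millisecond")
WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")

def parse_systemtime(data, offset=0):
    """Split the 16 bytes at offset into the eight SYSTEMTIME fields (no validation)."""
    if len(data) - offset < struct.calcsize(SYSTEMTIME_FMT):
        raise ValueError("a SYSTEMTIME needs 16 bytes")
    return dict(zip(FIELDS, struct.unpack_from(SYSTEMTIME_FMT, data, offset)))

def systemtime_to_datetime(data, offset=0):
    """Decode an absolute SYSTEMTIME to a naive datetime (the structure carries no zone)."""
    st = parse_systemtime(data, offset)
    if st["year"] == 0:
        raise ValueError("wYear == 0 is a TIME_ZONE_INFORMATION recurrence rule, see describe_tz_rule")
    dt = datetime(st["year"], st["month"], st["day"], st["hour"],
                  st["minute"], st["second"], st["millisecond"] * 1000)
    # wDayOfWeek (Sunday == 0) repeats information already in the date, so a mismatch
    # is a cheap hint that these bytes are not a SYSTEMTIME, or the offset is wrong.
    if (dt.weekday() + 1) % 7 != st["day_of_week"]:
        raise ValueError("wDayOfWeek disagrees with the date")
    return dt

def is_plausible_systemtime(data, offset=0):
    """True if the bytes decode as a self-consistent absolute SYSTEMTIME."""
    try:
        systemtime_to_datetime(data, offset)
        return True
    except ValueError:
        return False

def systemtime_to_unix(data, offset=0):
    """Unix epoch seconds, on the caller's assumption that the value is expressed in UTC."""
    return systemtime_to_datetime(data, offset).replace(tzinfo=timezone.utc).timestamp()

def describe_tz_rule(data, offset=0):
    """Render a wYear == 0 SYSTEMTIME (wDay is then the week of the month, 5 meaning last)."""
    st = parse_systemtime(data, offset)
    if st["month"] == 0:
        return "no transition"
    week = "last" if st["day"] == 5 else ("first", "second", "third", "fourth")[st["day"] - 1]
    return "%s %s of month %d at %02d:%02d" % (week, WEEKDAYS[st["day_of_week"]],
                                               st["month"], st["hour"], st["minute"])

# Constructed sample: 2009-11-16 (a Monday, wDayOfWeek 1) 09:48:01.233.
SAMPLE = bytes.fromhex("D9070B0001001000090030000100E900")
```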