WEBVTT

0:00:03.040000 --> 0:00:06.980000
In this video, we will continue the analysis of the Windows Registry,

0:00:06.980000 --> 0:00:11.580000
however, this time we will use a different tool, a tool called DCode,

0:00:11.580000 --> 0:00:14.000000
which is from Digital Detective.

0:00:14.000000 --> 0:00:17.160000
I highly recommend that you use this tool as this will prove helpful when

0:00:17.160000 --> 0:00:20.780000
you encounter and analyze various types of data, each of which may use

0:00:20.780000 --> 0:00:24.380000
a different timestamp format, especially in Windows.

0:00:24.380000 --> 0:00:27.860000
So again, using a tool like this can be helpful when analyzing and converting

0:00:27.860000 --> 0:00:31.220000
timestamps, especially if you do not have a commercial tool that does

0:00:31.220000 --> 0:00:33.400000
this automatically for you.

0:00:33.400000 --> 0:00:36.820000
In this video, we will be going back to Registry Explorer, and I will

0:00:36.820000 --> 0:00:39.360000
show you how you can determine the installation date for a Windows machine

0:00:39.360000 --> 0:00:43.260000
you may be investigating, in addition to that, detecting the time zone

0:00:43.260000 --> 0:00:45.880000
information as well.

0:00:45.880000 --> 0:00:49.760000
Knowing the time zone is important, as it will help us understand what

0:00:49.760000 --> 0:00:52.960000
the current time of the machine is, as you may be in a different time

0:00:52.960000 --> 0:00:56.500000
zone, or daylight savings time, DST, is in effect.

0:00:56.500000 --> 0:00:59.820000
So, this is very important to know, especially when you are analyzing

0:00:59.820000 --> 0:01:04.140000
a machine, and even more so if it is across continents.

0:01:04.140000 --> 0:01:07.880000
Additionally, knowing time zone information will prove useful if you want

0:01:07.880000 --> 0:01:10.280000
to work in the file timeline analysis.
0:01:10.280000 --> 0:01:15.820000
Let's go ahead and load a project, by going to File, Project, and then

0:01:15.820000 --> 0:01:27.400000
Load. I am looking for a file called Hackbox.

0:01:27.400000 --> 0:01:30.940000
We could use bookmarks here, but what I want to do right now is expand

0:01:30.940000 --> 0:01:33.600000
and select these.

0:01:33.600000 --> 0:01:37.240000
We need to know which control set we are on, which is 1.

0:01:37.240000 --> 0:01:42.080000
So now, we can go to control set 1, expand Control, and scroll down until

0:01:42.080000 --> 0:01:44.820000
we find time zone information.

0:01:44.820000 --> 0:01:52.360000
Details related to the time zone appear, like the bias, standard time,

0:01:52.360000 --> 0:01:56.960000
standard bias, standard start, daylight name, daylight bias, daylight

0:01:56.960000 --> 0:01:59.880000
start, and active time bias.

0:01:59.880000 --> 0:02:04.080000
All of these give an expiration, in addition to the time zone that is

0:02:04.080000 --> 0:02:10.140000
being used. We can also see if daylight savings is in effect or not, and

0:02:10.140000 --> 0:02:14.660000
here, we can see that it is, as well as when it will start.

0:02:14.660000 --> 0:02:21.720000
If we click on the Values tab, we can see that the time zone is PST.

0:02:21.720000 --> 0:02:25.580000
And, from the bias, we can see that it is 480.

0:02:25.580000 --> 0:02:28.760000
Let's go ahead and bring up the calculator.

0:02:28.760000 --> 0:02:35.380000
If we divide this by 60, we get 8 hours.

0:02:35.380000 --> 0:02:42.780000
So, the bias is minus 8, but we need to keep in mind that currently, daylight

0:02:42.780000 --> 0:02:45.500000
savings time is in effect.

0:02:45.500000 --> 0:02:49.800000
So, the current active time bias is 40, which means that, if we convert

0:02:49.800000 --> 0:02:53.460000
this, it comes to 7.
0:02:53.460000 --> 0:03:02.460000
Since this is a positive value, this means that we need to subtract this

0:03:02.460000 --> 0:03:05.500000
value to get the time in UTC.

0:03:05.500000 --> 0:03:10.000000
Now that we have determined that DST is in effect, and it is minus 7, the

0:03:10.000000 --> 0:03:15.340000
first thing we will do is add minus 7 to the Add Bias in DCode.

0:03:15.340000 --> 0:03:24.960000
Now, let's find where the installation date is found.

0:03:24.960000 --> 0:03:29.020000
Let's go to software, expand Microsoft and scroll down, until we find

0:03:29.020000 --> 0:03:31.440000
a folder called Windows NT.

0:03:31.440000 --> 0:03:35.240000
Let's expand that folder and click on Current Version.

0:03:35.240000 --> 0:03:36.860000
And here's our data.

0:03:36.860000 --> 0:03:40.660000
We could have also used the bookmarks to take us here as well.

0:03:40.660000 --> 0:03:43.680000
But, I wanted to show you that it was possible to memorize some of these

0:03:43.680000 --> 0:03:46.180000
values, especially the important ones.

0:03:46.180000 --> 0:03:50.200000
Here we see the install date value and here's the value for it.

0:03:50.200000 --> 0:03:53.660000
We can also see that it's a 32-bit value.

0:03:53.660000 --> 0:04:01.940000
Let's use the hexadecimal value and I will show you another one.

0:04:01.940000 --> 0:04:06.100000
Going back to DCode, we can see different time formats in the DCode format

0:04:06.100000 --> 0:04:12.100000
dropdown. We want to use a 32-bit Little Endian.

0:04:12.100000 --> 0:04:17.860000
So, this is the value that we got.

0:04:17.860000 --> 0:04:20.880000
Let's go ahead and remove these dashes because it does not identify them

0:04:20.880000 --> 0:04:23.840000
and click on the DCode button.

0:04:23.840000 --> 0:04:28.100000
We can see that the system was installed on Sunday 23rd of August 2015

0:04:28.100000 --> 0:04:34.300000
at 23:52:43, which means it was actually installed at

0:04:34.300000 --> 0:04:40.740000
11:52.
So, we have managed to analyze and identify the installation date.

0:04:40.740000 --> 0:04:44.720000
This installation date is installed in a 32-bit Unix format.

0:04:44.720000 --> 0:04:48.880000
We can even use this decimal value too.

0:04:48.880000 --> 0:04:52.520000
We'll just change the DCode format to Unix numeric value and paste the

0:04:52.520000 --> 0:04:57.060000
information into the value to decode field and then click the decode button.

0:04:57.060000 --> 0:05:00.360000
It gives us the exact same value.

0:05:00.360000 --> 0:05:04.300000
So, as you can see here, when analyzing time, we may be using several

0:05:04.300000 --> 0:05:08.240000
different time formats, so it's very important to know which time format

0:05:08.240000 --> 0:05:14.440000
you need. You can always use Google to search for which time format the

0:05:14.440000 --> 0:05:18.980000
data structure is using and then let DCode do the rest.

0:05:18.980000 --> 0:05:22.200000
You may even find tools that automatically do this for you.

0:05:22.200000 --> 0:05:27.220000
We can also search for when the system was last shut down.

0:05:27.220000 --> 0:06:16.100000
Let's check these and see which one is the shutdown value.

0:06:16.100000 --> 0:06:19.960000
So, actually, let's go to bookmarks and see if we have a key for it.

0:06:19.960000 --> 0:06:28.340000
And we do. It is a value, which is why we didn't locate it earlier.

0:06:28.340000 --> 0:06:32.360000
Let's go back. We were unable to find it because it was searching for

0:06:32.360000 --> 0:06:34.940000
a key name rather than a value name.

0:06:34.940000 --> 0:06:50.360000
So, now, if we go to this one, we will find the shutdown time.

0:06:50.360000 --> 0:06:53.340000
We can see that this value is not using 32-bit.

0:06:53.340000 --> 0:06:59.680000
It is using the Windows 64-bit hex value, which is this one in DCode.
0:06:59.680000 --> 0:07:04.600000
Let's go ahead and copy this value by right-clicking and selecting Copy

0:07:04.600000 --> 0:07:06.980000
and then Value Data.

0:07:06.980000 --> 0:07:12.300000
Let's paste our value into the value to decode field and remove all of

0:07:12.300000 --> 0:07:20.700000
the dashes. Now, let's click the decode button and we can immediately

0:07:20.700000 --> 0:07:25.080000
see that the last time this was shut down was on Saturday 12th of September

0:07:25.080000 --> 0:07:32.300000
2015. In the same registry, we found two different timestamp formats.

0:07:32.300000 --> 0:07:37.840000
One was using a 64-bit value while the other was using a 32-bit Unix value.

0:07:37.840000 --> 0:07:41.700000
It's important to know the differences and when to use the different formats.

0:07:41.700000 --> 0:07:44.940000
DCode is very helpful with these details.

0:07:44.940000 --> 0:07:48.700000
I want to show you another example.

0:07:48.700000 --> 0:07:52.480000
I already have this file system loaded in WinHex and I'd like to see when

0:07:52.480000 --> 0:07:54.880000
the MFT was added to this file system.

0:07:54.880000 --> 0:08:01.780000
So, let's right-click and select Navigation and then Seek File Record.

0:08:01.780000 --> 0:08:09.420000
Here, we can see that these are the timestamps for the MFT file itself.

0:08:09.420000 --> 0:08:13.680000
Now, let's select and then right-click these values and go to Edit, Copy

0:08:13.680000 --> 0:08:17.420000
Block and finally, Hex Values.

0:08:17.420000 --> 0:08:20.840000
Let's go back to DCode and paste the selection into the value to decode

0:08:20.840000 --> 0:08:25.760000
field. Please note that these are also 64-bit values.

0:08:25.760000 --> 0:08:29.000000
Additionally, when I acquired the image of this file system, it was using

0:08:29.000000 --> 0:08:36.400000
minus 8 for the bias for the time.
0:08:36.400000 --> 0:08:40.200000
We also need to update the decode format from Big Endian to Little Endian

0:08:40.200000 --> 0:08:44.140000
and then, let's click the decode button.

0:08:44.140000 --> 0:08:48.280000
We now get Tuesday the 28th of November 2017.

0:08:48.280000 --> 0:08:54.540000
If we go back to the values in WinHex and hover over them, what do we

0:08:54.540000 --> 0:09:02.620000
see? We see that it's November 28th 2017, exactly the same as in DCode.

0:09:02.620000 --> 0:09:07.940000
We also see that it was at 14:58:33, and then it's minus 8,

0:09:07.940000 --> 0:09:12.320000
which is the bias that we need to add to get the time in UTC format.

0:09:12.320000 --> 0:09:18.420000
This gives us the creation date for the file, which is the MFT on this disk.

0:09:18.420000 --> 0:09:24.020000
And, as we can see here, NTFS uses the Windows 64-bit timestamp format,

0:09:24.020000 --> 0:09:26.940000
while other stuff in the registry uses 32-bit.

0:09:26.940000 --> 0:09:30.620000
You really need to be careful when analyzing the times, as this is a very

0:09:30.620000 --> 0:09:32.500000
important thing to consider.

0:09:32.500000 --> 0:09:35.400000
One of the first things you need to do is check the time zone information

0:09:35.400000 --> 0:09:38.820000
and apply it to any times that you will be dealing with, as there may

0:09:38.820000 --> 0:09:40.080000
be a time shift.

0:09:40.080000 --> 0:09:43.660000
Or, perhaps when you're analyzing something, you find out that it's in

0:09:43.660000 --> 0:09:47.400000
the future, but then come to realize that it really didn't happen in the

0:09:47.400000 --> 0:09:49.940000
future as you forgot to apply the timestamps.

0:09:49.940000 --> 0:09:53.240000
So please take note of this as it's extremely important and a serious

0:09:53.240000 --> 0:09:57.960000
thing. DCode is a great tool from Digital Detective.
0:09:57.960000 --> 0:10:00.540000
Thank you for providing such an awesome tool for the community to use

0:10:00.540000 --> 0:10:05.320000
freely. I hope that you all find this tool beneficial to you too.

0:10:05.320000 --> 0:10:10.220000
And this concludes our video lesson on time decoding using DCode.

0:10:10.220000 --> 0:10:11.120000
Thanks for joining us.
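The lesson above decodes the same three things by hand in DCode: a 32-bit little-endian Unix value (the InstallDate), a Windows 64-bit FILETIME (the shutdown time and the NTFS $MFT timestamps), and the time zone bias from the TimeZoneInformation key. The script below is an added example that is not part of the video, Registry Explorer, WinHex or DCode; it reimplements those conversions in Python so the arithmetic is explicit. The byte strings are constructed for this example from the dates the narrator reads out (2015-08-23 23:52:43 UTC and 2017-11-28 14:58:33 at a -8 bias), not copied from the Hackbox image, and it relies on the documented Windows convention that Bias and ActiveTimeBias are stored in minutes as UTC minus local time, so PDT is 420 and PST is 480.

```python
"""Timestamp decoding helpers for registry and NTFS values (added example).

Assumptions, labelled here and in the lead-in: the sample hex strings are
constructed from the dates stated in the lesson, not taken from the image,
and Windows stores Bias / ActiveTimeBias as (UTC - local) in minutes.
"""
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

# Constructed sample values in the "AA-BB-CC-DD" style Registry Explorer and
# WinHex use when copying value data / hex blocks (little-endian on disk).
SAMPLE_INSTALL_DATE = "CB-5C-DA-55"             # 32-bit Unix seconds
SAMPLE_MFT_CREATED = "80-32-36-6A-9C-68-D3-01"  # 64-bit FILETIME
SAMPLE_ACTIVE_TIME_BIAS = 420                   # minutes: PDT (DST in effect)
SAMPLE_STANDARD_BIAS = 480                      # minutes: PST


def hex_bytes(value_data: str) -> bytes:
    """Turn 'CB-5C-DA-55' into raw bytes (the 'remove the dashes' step)."""
    return bytes.fromhex(value_data.replace("-", "").replace(" ", ""))


def decode_unix32(raw: bytes, little_endian: bool = True) -> datetime:
    """32-bit Unix epoch seconds (InstallDate) -> aware UTC datetime."""
    if len(raw) != 4:
        raise ValueError(f"expected 4 bytes for a 32-bit Unix value, got {len(raw)}")
    (secs,) = struct.unpack("<I" if little_endian else ">I", raw)
    return datetime.fromtimestamp(secs, tz=UTC)


def decode_unix_decimal(text: str) -> datetime:
    """The 'Unix numeric value' path: the same seconds typed as a decimal."""
    return datetime.fromtimestamp(int(text.strip()), tz=UTC)


def decode_filetime(raw: bytes, little_endian: bool = True) -> datetime:
    """64-bit Windows FILETIME (ShutdownTime, NTFS $STANDARD_INFORMATION)."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes for a FILETIME, got {len(raw)}")
    (ticks,) = struct.unpack("<Q" if little_endian else ">Q", raw)
    # 10 ticks per microsecond; timedelta keeps microsecond precision.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_auto(raw: bytes) -> datetime:
    """Pick the decoder from the width, the way you would eyeball 4 vs 8 bytes."""
    return decode_unix32(raw) if len(raw) == 4 else decode_filetime(raw)


def bias_to_utc_offset(bias_minutes: int) -> str:
    """Registry bias (UTC - local, minutes) -> 'UTC-07:00' style label."""
    sign = "-" if bias_minutes > 0 else "+"
    hours, minutes = divmod(abs(bias_minutes), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"


def utc_to_local(utc: datetime, bias_minutes: int) -> datetime:
    """local = UTC - bias. Use ActiveTimeBias, not Bias, when DST is in effect."""
    return (utc - timedelta(minutes=bias_minutes)).replace(
        tzinfo=timezone(timedelta(minutes=-bias_minutes)))


def local_to_utc(local_naive: datetime, bias_minutes: int) -> datetime:
    """UTC = local + bias: what WinHex's '-8' hover display has to be shifted by."""
    return (local_naive + timedelta(minutes=bias_minutes)).replace(tzinfo=UTC)


if __name__ == "__main__":
    install_utc = decode_unix32(hex_bytes(SAMPLE_INSTALL_DATE))
    print("InstallDate  UTC  :", install_utc)
    print("InstallDate  local:", utc_to_local(install_utc, SAMPLE_ACTIVE_TIME_BIAS),
          bias_to_utc_offset(SAMPLE_ACTIVE_TIME_BIAS))
    mft_utc = decode_auto(hex_bytes(SAMPLE_MFT_CREATED))
    print("$MFT created UTC  :", mft_utc)
    print("$MFT created local:", utc_to_local(mft_utc, SAMPLE_STANDARD_BIAS),
          bias_to_utc_offset(SAMPLE_STANDARD_BIAS))
```

The two bias helpers are the part worth keeping around: the video's "minus 7" entered into DCode and the registry's ActiveTimeBias of 420 minutes are the same offset with opposite signs, and mixing the two conventions is exactly how an event ends up "in the future" on a timeline. Normalise everything to UTC with `local_to_utc` or `decode_*` before comparing registry times with NTFS times.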