Computer Forensics World :: View topic - Windows 7 time zone information

Windows 7 time zone information

al_g
Joined: Feb 12, 2014
Posts: 2

Posted: Wed Feb 12, 2014 4:51 pm    Post subject: Windows 7 time zone information

First off, I am a student taking an online computer forensics class. The professor has a habit of not getting back to us on questions until the week is nearly over so I'm hoping to reach out to this community for some help.

The task I have is to discover and document the time zone setting using EnCase 7. The image we were given was running Windows 7 SP1. I have processed the image and viewed the file structure in Windows\System32\config\SYSTEM. According to our directions the ActiveTimeBias key under System\ControlSet001\TimeZoneInformation should contain a hex value which is the offset in minutes from UTC. This key contains the value 20,FE,FF,FF, which when I convert to decimal is a very large number. I know that the TimeZoneKeyName contains the actual time zone name and in this case it is listed as China Standard Time. On the off chance Google could help, I searched for the hex value and did find 20,FE,FF,FF listed as the value for several time zones including China Standard Time.

So at this point I am confident that I identified the right time zone, but what I can't figure out is the ActiveTimeBias to corroborate the TimeZoneKeyName. We also are supposed to document how we determined the value, and all the documents I can find at Microsoft say that the hex value is the offset in minutes.

I found some information at http :// kb . digital-detective . co . uk/display/NetAnalysis1/ActiveTimeBias on converting the hex value but I didn't get the expected decimal value of 480 by following the steps.

I was also curious to look at my PC's registry and in the live registry I found the hex value 0x000001a4 (420) which fits with the Mountain time zone being -7 UTC.

What I'm looking for is even some clues as to how to properly read the ActiveTimeBias since it doesn't match the documentation nor my PC.

Moderator Note: Direct links are not allowed.
PreferredUser
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Feb 12, 2014 9:45 pm

Are you using Craig's dcode tool "http://www.digital-detective.co.uk/freetools/decode.asp"?
al_g
Joined: Feb 12, 2014
Posts: 2

Posted: Thu Feb 13, 2014 1:34 am

Haven't heard of that tool. I'm using EnCase, a generic hex to binary calculator and a 1's complement calculator.

After sleeping on the problem overnight I came up with the idea of switching my PC's time zone to China and looking at the registry value. This gave me a very interesting value, FF,FF,FE,20. What I immediately noticed is that it is the reverse of the value on the processed image, 20,FE,FF,FF. When I did the conversion to binary, saw the MSB set to 1 and did a 1's complement calculation and conversion to decimal, I got the expected value of 480. So at this point I'm tantalizingly close, but still seem to be missing something.

Now my question is: why is the value stored in the reverse order of what I was expecting and saw in a live registry?
athulin
Joined: Oct 19, 2007
Posts: 241

Posted: Fri Feb 14, 2014 6:06 am    Post subject: Re: Windows 7 time zone information

al_g wrote:
According to our directions the ActiveTimeBias key under System\ControlSet001\TimeZoneInformation should contain a hex value which is the offset in minutes from UTC.


It's often useful to go to Microsoft for additional information. The msdn.microsoft.com site contains much information related to software development, and internal information on Windows.

Quote:
This key contains the value 20,FE,FF,FF ...


That's not how I use the term 'value', but you might know what you are doing. (Though your second question indicates that you don't.)

You're dealing with computer information here. You must ensure you don't misinterpret it in any way. The key you cite contains a REG_DWORD. You have to know what that means. You also need to pay special attention to two questions: what is the endianness of the data you're looking at? and, is it signed or unsigned?

Here's some additional info. I'm in a UTC+1 time zone according to the Windows clock.
My ActiveTimeBias is 0xffffffc4 (according to RegEdit), and 'C4 FF FF FF' if I use the regedit binary viewer.
sledger
Joined: Aug 26, 2014
Posts: 1

Posted: Tue Aug 26, 2014 11:16 pm    Post subject: 20 FE FF FF

I know this is an old subject but I came across the question unanswered whilst looking for something else. I hope this is of use to someone else.

The value you find in the registry, 0x20 FE FF FF, is a negative number in little endian.

I researched this ages ago. You can manually convert it, and it's a long explanation, but!

If you use Windows calc in programmer mode,

SELECT HEX, type in FF FF FF FF FF FF FE 20, and then

SELECT DECIMAL. You will get -480. That's the time zone offset.
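The conversion that athulin hints at (endianness plus signedness of a REG_DWORD) and that sledger does with Windows Calculator, as an added example that is not code from any poster: decode the four on-disk bytes as a little-endian signed 32-bit integer, then negate the bias to get the local UTC offset. The sample values are the ones quoted in this thread; the function names are my own.

```python
import struct
from datetime import timedelta, timezone

# TimeZoneInformation\ActiveTimeBias is a REG_DWORD holding (UTC - local)
# in minutes. On disk, and in regedit's binary viewer, its 4 bytes appear
# little-endian (20 FE FF FF); regedit's DWORD view shows the same number
# in natural order (0xfffffe20). Both are the signed value -480.

def bias_from_reg_bytes(raw: bytes) -> int:
    """Decode the 4 raw bytes of a REG_DWORD as a little-endian signed int."""
    if len(raw) != 4:
        raise ValueError("a REG_DWORD is exactly 4 bytes")
    return struct.unpack("<i", raw)[0]

def unsigned_misread(raw: bytes) -> int:
    """The 'very large number' you get if the sign bit is ignored."""
    return struct.unpack("<I", raw)[0]

def bias_from_regedit_hex(value: str) -> int:
    """Decode the DWORD as regedit displays it, e.g. '0xfffffe20'.
    Masking to 32 bits also accepts the 64-bit sign-extended form that
    Windows Calculator shows (FF FF FF FF FF FF FE 20)."""
    unsigned = int(value, 16) & 0xFFFFFFFF
    return unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned

def utc_offset(bias_minutes: int) -> timezone:
    """Local offset from UTC is the negated bias."""
    return timezone(timedelta(minutes=-bias_minutes))

def offset_label(bias_minutes: int) -> str:
    """Human-readable 'UTC+HH:MM' for a bias value."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

if __name__ == "__main__":
    # Constructed samples using the byte values quoted in this thread.
    samples = {
        "China Standard Time (image)": bytes.fromhex("20FEFFFF"),
        "Mountain (poster's live PC)": bytes.fromhex("A4010000"),
        "UTC+1 (athulin)": bytes.fromhex("C4FFFFFF"),
    }
    for name, raw in samples.items():
        bias = bias_from_reg_bytes(raw)
        print(f"{name}: bytes {raw.hex(' ').upper()} -> bias {bias:+d} min "
              f"(unsigned misread {unsigned_misread(raw)}) -> {offset_label(bias)}")
```

Note that a negative bias means the clock is ahead of UTC, so -480 is UTC+08:00 (China), while the live-PC value 420 is UTC-07:00 (Mountain).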
All times are GMT + 10 Hours