Posted: Wed Feb 12, 2014 4:51 pm Post subject: Windows 7 time zone information
First off, I am a student taking an online computer forensics class. The professor has a habit of not getting back to us on questions until the week is nearly over so I'm hoping to reach out to this community for some help.
The task I have is to discover and document the time zone setting using EnCase 7. The image we were given was running Windows 7 SP1. I have processed the image and viewed the file structure on Windows\System32\config\SYSTEM. According to our directions the ActiveTimeBias key under System\ControlSet001\TimeZoneInformation should contain a hex value which is the offset in minutes from UTC. This key contains the value 20,FE,FF,FF which when I convert to decimal is a very large number. I know that the TimeZoneKeyName contains the actual time zone name and in this case it is listed as China Standard Time. On the off chance Google could help I searched for the hex value and did find 20,FE,FF,FF listed as the value for several time zones including China Standard Time.
So at this point I am confident that I identified the right time zone, but what I can't figure out is the ActiveTimeBias to corroborate the TimeZoneKeyName. We also are supposed to document how we determined the value and all the documents I can find at Microsoft say that the hex value is the offset in minutes.
I found some information at http://kb.digital-detective.co.uk/display/NetAnalysis1/ActiveTimeBias on converting the hex value but I didn't get the expected decimal value of 480 by following the steps.
I was also curious to look at my PC's registry and in the live registry I found the hex value 0x000001a4 (420) which fits with the Mountain time zone being -7 UTC.
What I'm looking for is even some clues as to how to properly read the ActiveTimeBias since it doesn't match the documentation nor my PC.
Haven't heard of that tool. I'm using EnCase, a generic hex to binary calculator and a 1's complement calculator.
After sleeping on the problem overnight I came up with the idea of switching my PC's time to China and looking at the registry value. This gave me a very interesting value, FF,FF,FE,20. What I immediately noticed is that it is the reverse of the value on the processed image, 20,FE,FF,FF. When I did the conversion to binary, saw the MSB set to 1 and did a 1's complement calculation and conversion to decimal I got the expected value of 480. So at this point I'm so tantalizingly close, but still seem to be missing something.
Now my question is why is the value stored in reverse order of what I was expecting and saw on a live registry?
Posted: Fri Feb 14, 2014 6:06 am Post subject: Re: Windows 7 time zone information
According to our directions the ActiveTimeBias key under System\ControlSet001\TimeZoneInformation should contain a hex value which is the offset in minutes from UTC.
It's often useful to go to Microsoft for additional information. The msdn.microsoft.com site contains much information related to software development, and internal information on Windows.
This key contains the value 20,FE,FF,FF ...
That's not how I use the term 'value', but you might know what you are doing. (Though your second question indicates that you don't.)
You're dealing with computer information here. You must ensure you don't misinterpret it in any way. The key you cite contains a REG_DWORD. You have to know what that means. You also need to pay special attention to two questions: what is the endianness of the data you're looking at? and, is it signed or unsigned?
Here's some additional info. I'm in a UTC+1 timezone according to the Windows clock.
My ActiveTimeBias is 0xffffffc4 (according to RegEdit), and 'C4 FF FF FF', if I use the regedit binary viewer.
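Added example, not part of the original thread: a short Python decoder for the byte strings quoted above, treating the four raw bytes of the REG_DWORD as a little-endian signed 32-bit integer and applying the Windows convention UTC = local time + bias. The function names are illustrative, and the A4 01 00 00 byte layout is derived from the DWORD 0x000001a4 quoted in the first post.

```python
import struct

def parse_hex_bytes(text):
    """Turn a hex-viewer string such as '20,FE,FF,FF' or 'C4 FF FF FF' into bytes."""
    raw = bytes(int(b, 16) for b in text.replace(",", " ").split())
    if len(raw) != 4:
        raise ValueError(f"REG_DWORD must be 4 bytes, got {len(raw)}")
    return raw

def decode_active_time_bias(raw):
    """Read the 4 on-disk bytes as a little-endian signed 32-bit bias in minutes."""
    return struct.unpack("<i", raw)[0]

def utc_offset_label(bias_minutes):
    """UTC = local time + bias, so the local offset from UTC is the negated bias."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    hours, minutes = divmod(abs(offset), 60)
    return f"UTC{sign}{hours:02d}:{minutes:02d}"

def misreadings(raw):
    """The two wrong readings: unsigned little-endian and signed big-endian."""
    return struct.unpack("<I", raw)[0], struct.unpack(">i", raw)[0]

# Raw byte strings taken from the thread (hex-viewer order, lowest byte first).
SAMPLES = {
    "forensic image (China Standard Time)": "20,FE,FF,FF",
    "reply author's PC (UTC+1)": "C4 FF FF FF",
    "original poster's PC (Mountain)": "A4 01 00 00",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        raw = parse_hex_bytes(text)
        bias = decode_active_time_bias(raw)
        unsigned_le, signed_be = misreadings(raw)
        print(f"{label}: bytes {text} -> bias {bias} min -> {utc_offset_label(bias)}")
        print(f"  misread as unsigned: {unsigned_le}, as big-endian: {signed_be}")
```

RegEdit's DWORD view prints the assembled number most significant digit first, which is why it shows the same four bytes in the opposite order from a hex view of the hive file.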