Time Decoder Tab
The components on this page conform to the following rules:
- Those labels in green represent details of results that are within the boundaries set in the preferences dialogue box.
- Those labels in red represent details of results that are outside the boundaries set in the preferences dialogue box.
- Those labels in white are values that you can change.
- Those labels in grey represent times that could not be calculated for one reason or another.
What This Tab Does:
This tab allows a forensic analyst to cut and paste hexadecimal or text values he or she has found and decode their actual value.
How to use this tab:
- Set the boundary dates you wish to show as valid dates in the Preferences dialogue box:

- Having found a series of hex byte values or a text string that you know or suspect to be a date value, copy the values to the clipboard and paste them into the 'Hex Characters/Value To Be decoded' control. It does not matter if the string you copy contains white space characters; these will be stripped.
- Choose the type of interpretation:
  - Hex Little Endian - Requires Hexadecimal characters (upper or lower case) in Little Endian format (e.g. Intel) where the low end byte is to the left.
  - Hex Big Endian - Requires Hexadecimal characters in Big Endian format (e.g. Motorola) where the low end byte is to the right.
  - FAT - Requires Hexadecimal characters in a mixed format (see FAT times).
  - Text - Usually requires a text string of numbers only. The one exception is 'Filetime Text (Lo:Hi)' which requires two such strings separated by any non-numeric character. White space is not stripped when interpreting this value.
- Set the time zone offset to apply (if required).
- Hit the 'Calculate' button:

In this example a series of 8 bytes has been interpreted as Hex, Little Endian (a value of 2). Two results are in green and one in red because the boundary dates were not adjusted from the default. The rest of the results are invalid because those formats do not expect an 8-byte hexadecimal value.
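The same procedure as an added Python example (not TimeLord's own code): white space is stripped, the bytes are read in the chosen byte order, and each result is classed as in range (green), out of range (red) or not calculable (grey). The boundary dates, the function names and the sample bytes are assumptions made for this example, and only three of the result fields are covered.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumed boundary dates; the tool's default boundaries are not given on this page.
LOWER, UPPER = datetime(1990, 1, 1, tzinfo=UTC), datetime(2040, 1, 1, tzinfo=UTC)

# Result field -> (bytes required, epoch, ticks per second); values read as unsigned.
FORMATS = {
    "Filetime": (8, datetime(1601, 1, 1, tzinfo=UTC), 10_000_000),
    "64 bit time_t": (8, datetime(1970, 1, 1, tzinfo=UTC), 1),
    "32 bit time_t": (4, datetime(1970, 1, 1, tzinfo=UTC), 1),
}

# Constructed sample: 1,000,000,000 seconds stored as 8 little endian bytes.
SAMPLE = "00 CA 9A 3B  00 00 00 00"


def parse_hex(text, little_endian=True):
    """Strip all white space, then read the bytes in the chosen byte order."""
    raw = bytes.fromhex("".join(text.split()))
    return len(raw), int.from_bytes(raw, "little" if little_endian else "big")


def decode(text, little_endian=True, tz_offset_hours=0):
    """Return {result field: (status, datetime or None)} for one pasted value."""
    size, value = parse_hex(text, little_endian)
    zone = timezone(timedelta(hours=tz_offset_hours))
    results = {}
    for name, (width, epoch, ticks) in FORMATS.items():
        if size != width:  # this field does not take a value of this length
            results[name] = ("not calculable", None)
            continue
        try:
            when = epoch + timedelta(microseconds=value * 1_000_000 // ticks)
        except OverflowError:  # value lies beyond the representable calendar
            results[name] = ("not calculable", None)
            continue
        status = "in range" if LOWER <= when <= UPPER else "out of range"
        results[name] = (status, when.astimezone(zone))
    return results


if __name__ == "__main__":
    for name, (status, when) in decode(SAMPLE).items():
        print(f"{name:14} {status:15} {when}")
```

The same 8 bytes give a plausible date under one interpretation and an implausible or incalculable one under the others, which is why the boundary dates matter when judging a suspected timestamp.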
The Results Fields
Currently TimeLord will decode the following time values:
- Filetime (NTFS Time)
- Filetime Text (lo:Hi)
- FAT ms + Time + Date
- FAT Time + Date
- FAT Date Only
- IE(FAT) Date + Time
- 32 bit time_t (Unix Time)
- 64 bit time_t (Unix Time)
- time_t Text (sec's)
- Unix Epoch (microsec's)
- Unix Epoch (millisec's)
- Unix Epoch (days)
- HFS and HFS+ Time
- Java Time