Tips/tricks and information that I or someone else provide to further knowledge in the field of Computer Forensics and Electronic Discovery.
Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7
This information was provided to me by Longshot (Just passing this great information along).
Decoding the DateCreated and DateLastConnected registry values from the registry keys
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}
In Vista and Windows 7
The DateCreated and DateLastConnected are binary values that can be broken up into 4-hex-digit (2-byte) parts, with 1 part left over. Each part corresponds to one component of a date. The order of the components is as follows:
Year, Month, Weekday, Day, Hour, Minutes, Seconds
Each of these parts is stored little endian (low byte first), so the two bytes of each part have to be swapped before reading the value. Using the following data, unpacked from binary and converted to hex, we get the translation below:
d9070200020018001700140025000001
d907 0200 0200 1800 1700 1400 2500 0001
Year = h4 = d907 = 07d9 = 2009
Month = h4 = 0200 = 0002 = Month {Jan = 1, Feb = 2, etc.}
Weekday = h4 = 0200 = 0002 = Weekday {Sunday = 0, Monday = 1, etc.}
Day = h4 = 1800 = 0018 = 24
Hour = h4 = 1700 = 0017 = 23
Minutes = h4 = 1400 = 0014 = 20
Seconds = h4 = 2500 = 0025 = 37
The Month and Weekday numbers then have to be converted to their proper month and weekday names, which yields the following:
Date First Connected: Tuesday, 24 February 2009 23:20:37
Here is the Perl code to do the above. $data is only a placeholder; in real use it must be fed the raw binary value read from the registry:
use strict;
use warnings;

# $data is a placeholder for the raw binary value read from the registry.
# Here it is packed from the sample hex shown above so the script runs as-is.
my $data = pack("H*", "d9070200020018001700140025000001");

# $n is the name of the registry value being decoded (DateCreated or DateLastConnected).
my $n = "DateCreated";

my %month_type = (1 => "January", 2 => "February", 3 => "March", 4 => "April", 5 => "May", 6 => "June", 7 => "July", 8 => "August", 9 => "September", 10 => "October", 11 => "November", 12 => "December");
my %dayofweek_type = (0 => "Sunday", 1 => "Monday", 2 => "Tuesday", 3 => "Wednesday", 4 => "Thursday", 5 => "Friday", 6 => "Saturday");

# Each h4 returns one 2-byte field as a low-nibble-first hex string; reversing that
# string gives the big-endian hex digits, which hex() turns into a number.
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);

my $finalyear    = hex(reverse $year);
my $finalmonth   = $month_type{hex(reverse $month)};
my $finalweekday = $dayofweek_type{hex(reverse $weekday)};
my $finaldate    = hex(reverse $date);
# Zero-pad the time fields to two digits
my $finalhour    = sprintf("%02d", hex(reverse $hour));
my $finalminute  = sprintf("%02d", hex(reverse $minute));
my $finalsecond  = sprintf("%02d", hex(reverse $second));

my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";
my $finaln = ($n =~ /Created/) ? "Date First Connected:" : "Date Last Connected:";
print "$finaln $ssidtimestamp\n";
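The same decoding in Python, as an added example that is not part of the original post or Longshot's code. The 16 bytes are laid out as the Windows SYSTEMTIME structure (year, month, day-of-week, day, hour, minute, second, milliseconds, each a 16-bit little-endian word), so the "part left over" in the post is the milliseconds word. The example goes slightly beyond the post: besides rendering the timestamp in the post's output format, it range-checks every field and compares the stored day-of-week word against the weekday computed from the date, which is a cheap way to notice a value that is byte-misaligned or partially overwritten yet still decodes to in-range numbers. The sample bytes are a copy of the hex value quoted in the post; the function names are mine.

```python
import datetime
import struct

# The sample DateCreated value quoted in the post (constructed test input).
SAMPLE_HEX = "d9070200020018001700140025000001"

MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]
WEEKDAYS = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]
FIELDS = ("year", "month", "weekday", "day", "hour", "minute", "second", "milliseconds")


def decode_systemtime(raw):
    """Split a 16-byte value into its eight little-endian 16-bit fields.

    The field order is that of the Windows SYSTEMTIME structure; the trailing
    milliseconds word is the leftover part mentioned in the post.
    """
    if len(raw) != 16:
        raise ValueError("expected 16 bytes, got %d" % len(raw))
    return dict(zip(FIELDS, struct.unpack("<8H", raw)))


def check_consistency(fields):
    """Return a list of problems; an empty list means the fields look plausible.

    Range checks come first; then the stored day-of-week word is compared with
    the weekday computed from year/month/day.
    """
    problems = []
    limits = {"month": (1, 12), "weekday": (0, 6), "day": (1, 31), "hour": (0, 23),
              "minute": (0, 59), "second": (0, 59), "milliseconds": (0, 999)}
    for name, (lo, hi) in limits.items():
        if not lo <= fields[name] <= hi:
            problems.append("%s=%d out of range %d..%d" % (name, fields[name], lo, hi))
    if problems:
        return problems
    try:
        d = datetime.date(fields["year"], fields["month"], fields["day"])
    except ValueError as exc:
        return ["invalid calendar date: %s" % exc]
    # isoweekday() is Monday=1..Sunday=7; SYSTEMTIME uses Sunday=0..Saturday=6
    expected = d.isoweekday() % 7
    if expected != fields["weekday"]:
        problems.append("weekday word %d disagrees with computed %s"
                        % (fields["weekday"], WEEKDAYS[expected]))
    return problems


def format_profile_timestamp(value_name, raw):
    """Render a DateCreated/DateLastConnected value in the post's output format."""
    f = decode_systemtime(raw)
    label = "Date First Connected:" if "Created" in value_name else "Date Last Connected:"
    return "%s %s, %d %s %d %02d:%02d:%02d" % (
        label, WEEKDAYS[f["weekday"]], f["day"], MONTHS[f["month"] - 1],
        f["year"], f["hour"], f["minute"], f["second"])


if __name__ == "__main__":
    raw = bytes.fromhex(SAMPLE_HEX)
    print(format_profile_timestamp("DateCreated", raw))
    for problem in check_consistency(decode_systemtime(raw)):
        print("WARNING:", problem)
```

On the sample value the consistency check returns no problems: 24 February 2009 really was a Tuesday, matching the stored weekday word of 2. A non-empty list is worth recording in the examination notes rather than silently trusting the rendered timestamp.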