We can use PowerShell to compute the FileTime values that bound a particular date range. With that range we can search the evidence for any artifact that stores its time stamp as a FileTime in its structure, including artifacts we have not identified yet.
PS C:\> (Get-Date -Date "2014-10-14T00:00:00").ToFileTime()
130577364000000000
PS C:\> (Get-Date -Date "2014-10-14T23:59:59").ToFileTime()
130578227990000000
PS C:\> [convert]::tostring((Get-Date -Date "2014-10-14T23:59:59").ToFileTime(),16)
1cfe834debe7180
PS C:\> [convert]::tostring((Get-Date -Date "2014-10-14T00:00:00").ToFileTime(),16)
1cfe76bb4ed4800
So, now that we know the time stamp range, we can reverse the values to little endian (if that is how the structure stores them) and locate values that fall inside the range.
The image below is just a sample of a simple regular expression based search for a pattern matching the time range.
To go the other way and get the date and time from a FileTime value:
PS > [datetime]::FromFileTime("129442497539436142")
or, if you want Get-Date formatting, pass it the converted value rather than the bare number (Get-Date interprets a bare integer as .NET ticks since 0001-01-01, not as a FileTime):
PS > Get-Date ([datetime]::FromFileTime(129442497539436142))
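The two steps described above, computing the FileTime bounds for a day and then locating values inside that range in raw data, carried through end to end as an added example. This is Python written for this page, not code from the post; the helper names (to_filetime, day_range, find_filetimes) and the sample buffer are constructed here, and the UTC-5 offset used in the usage note is inferred from the post's own numbers rather than stated by the author. Unlike a regular expression on a fixed hex prefix, the scan decodes each candidate 8-byte little-endian value and compares it numerically, which stays exact even when a carry changes the high bytes partway through the day (as it does for 2014-10-14).

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: number of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def to_filetime(dt: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer.

    Like PowerShell's ToFileTime(), the result is always expressed in UTC,
    so the same wall-clock time yields different values in different zones.
    """
    if dt.tzinfo is None:
        raise ValueError("FILETIME is defined in UTC; pass a timezone-aware datetime")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(ft: int) -> datetime:
    """Inverse of to_filetime (UTC result; sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def day_range(year: int, month: int, day: int, utc_offset_hours: int = 0) -> tuple[int, int]:
    """FILETIME values for the first and last second of one calendar day.

    utc_offset_hours is the local zone the analyst is reasoning in; the
    returned values are UTC-based either way, which is why the post's numbers
    (taken on a UTC-5 machine, inferred) differ from the UTC ones.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime(year, month, day, tzinfo=tz)
    end = start + timedelta(hours=23, minutes=59, seconds=59)
    return to_filetime(start), to_filetime(end)


def little_endian_hex(ft: int) -> str:
    """The 8 bytes as they sit on disk (little-endian), as a hex string."""
    return struct.pack("<Q", ft).hex()


def find_filetimes(buf: bytes, lo: int, hi: int) -> list[tuple[int, int]]:
    """Return (offset, value) for every 8-byte little-endian value in [lo, hi].

    Every byte offset is tried, not only 8-byte aligned ones, because the
    structure holding the timestamp may be unknown.
    """
    hits = []
    for off in range(0, len(buf) - 7):
        (val,) = struct.unpack_from("<Q", buf, off)
        if lo <= val <= hi:
            hits.append((off, val))
    return hits


# Constructed sample "evidence" (not real data): one timestamp from the target
# day at an odd offset, one from 1970 (the Unix epoch) that must not match, filler.
TARGET_DAY = day_range(2014, 10, 14)
SAMPLE_BUFFER = (
    b"\x00" * 5
    + struct.pack("<Q", TARGET_DAY[0] + 12345 * TICKS_PER_SECOND)  # 03:25:45 UTC
    + b"MFT?"
    + struct.pack("<Q", to_filetime(datetime(1970, 1, 1, tzinfo=timezone.utc)))
    + b"\xff" * 3
)


def scan_sample() -> list[tuple[int, str]]:
    """Run the range scan over the sample and render each hit as a UTC string."""
    lo, hi = TARGET_DAY
    return [(off, from_filetime(val).isoformat())
            for off, val in find_filetimes(SAMPLE_BUFFER, lo, hi)]


if __name__ == "__main__":
    lo, hi = TARGET_DAY
    print(f"2014-10-14 UTC: {lo} .. {hi}  (hex {lo:x} .. {hi:x})")
    print("little-endian search bytes for the start:", little_endian_hex(lo))
    for off, when in scan_sample():
        print(f"offset {off}: {when}")
```

Calling day_range(2014, 10, 14, -5) reproduces the post's two decimal values exactly, while day_range(2014, 10, 14) gives the UTC bounds; pick the offset that matches the evidence's time zone, or widen the range by a day to be safe.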