Manual Identification of Suspect Computer Time Zone

Digital Forensics, Digital Forensic Software, Forensic Analysis, Forensic Investigations, Learning Digital Forensics, NetAnalysis®, Tutorial

Introduction to Time Zone Identification

In a digital forensic examination, establishing which Time Zone the system had been set to should be one of the first examination tasks.  If this information is not established at an early stage and taken into account, the validity of Date/Time evidence may be brought into question.  This is true not only for the examination of Browser History and related artefacts; it is also important when examining file system metadata.

I also believe this is something every examiner should be able to do manually, as opposed to relying on point and click or script forensics.  Whilst point and click certainly has a place and software tools can greatly increase the efficiency of the examination process, digital forensic practitioners need to possess the skills and ability to verify the results.

Some Date/Time values stored in binary files are affected by the Time Zone setting of the original suspect computer and many digital forensic applications can alter the representation of these dates by the Time Zone setting of the forensic workstation.

This becomes particularly complicated when the suspect computer was set to an incorrect Time Zone and the computer clock was set to correspond to the Local Time Zone.  Many of the Date/Time stamps store the data as UTC values.  In such circumstances, the Operating System (or application) has to convert the value from Local time to UTC.

Case Example

This was demonstrated in a case I was asked to review a number of years ago.  A computer had been seized as part of an investigation into abusive images of children.  The police had examined the computer correctly and the individual involved had been charged with offences under the Protection of Children Act 1978.

A defence expert who had examined the forensic image from the computer declared in his report that the police had tampered with the evidence, and alleged that they were responsible for the illegal material, as the Date/Time stamps showed the material was created on the disk some four hours after it had been seized by police.

My initial examination revealed that the defence expert had not established the Time Zone settings for the system nor had he taken them into account during his examination and subsequent report.  If he had, he would have seen that the system was incorrectly set to Pacific Time and not GMT.  As far as the Operating System was concerned, the system was in Pacific Time and added 8 hours to the Local times to convert them to UTC.  This resulted in the Date/Time stamps being 8 hours in advance of the correct time.

When the defence expert stated that the computer had illegal material written to the disk after the system was seized, in fact this had happened some 4 hours prior to the warrant being executed at the home of the suspect.

Establishing the Current Time Zone

To establish the Time Zone setting for a Microsoft Windows system, the forensic examiner can examine the SYSTEM registry hive.  To do this, you need to establish which ControlSet was active when the computer was seized.

[Figure 1: Time Zone registry key]

There you will find 4 values detailing the Current, Default, Failed and LastKnownGood control sets.  The current control set in the screen below is set to 3.  You can also see that there are three ControlSets numbered 001 to 003.

[Figure 2: Registry current control set]

Now that this current control set has been identified, we can navigate to that location in the registry and calculate the different values as stored.  In this case, the Time Zone settings are stored here:

[Figure 3: ControlSet003]

The Time Zone Information for this Control Set is shown in Figure 4.

[Figure 4: TimeZoneInformation registry key]

The keys are explained below.  Please note that the bias settings are stored in minutes as a signed integer.  The bias is the difference, in minutes, between UTC and local time.  All translations between UTC and local time are based on the following formula:

[Figure 5: UTC = Local Time + Bias]

ActiveTimeBias

This value is the current time difference from UTC in minutes, regardless of whether daylight saving is in effect or not. It is this value that helps establish the current Time Zone settings. Using the formula above, take this value and add it to local time to get the UTC value.

Bias

This value is the normal time difference from UTC in minutes. It is the number of minutes that would need to be added to a local time to return it to a UTC value. This value identifies the Master Time Zone (Standard Time).

StandardBias

This value is added to the value of the Bias member to form the bias used during standard time. In most time zones the value of this member is zero.

DaylightBias

This value specifies a bias value to be used during local time translations that occur during daylight time. This value is added to the value of the Bias member to form the bias used during daylight time. In most time zones the value of this member is –60.

DaylightName

The Operating System uses this name during daylight saving months to display the current time Zone setting.

DaylightStart

Binary data in SYSTEMTIME structure used to identify the date/time that Daylight Saving will commence in this time zone.

StandardName

The Operating System uses this name during standard time months (outside daylight saving) to display the current time zone setting.

StandardStart

Binary data in SYSTEMTIME format used to identify the date/time that Standard Time will commence in this time zone.

DisableAutoDaylightTimeSet

This will only be visible if the setting to automatically adjust clock for daylight saving has been switched OFF.

Calculating Signed Integer Bias Values

Within digital systems, all data, whether numbers or characters, are represented by strings of binary digits. A problem arises when you want to store negative numbers.

Over the years, hardware designers have developed three different schemes for representing negative numbers: sign and magnitude, ones complement, and twos complement. The most common method for storing negative numbers is twos complement. With this method, the Most Significant Bit (MSB) is used to store the sign.

If the MSB is set, then this represents a NEGATIVE number. This method affords natural arithmetic with no special rules. To represent a negative number in twos complement notation the process is simple:

• Decide upon the number of bits (n)
• Find the binary representation of the +ve value in n-bits
• Flip all the bits (change 1 to 0 and vice versa)
• Add 1

Figure 5 below shows the binary representation of the positive number 5.

[Figure 5: binary representation of the positive number 5]

To represent this as a negative number (using 8 bits) then the procedure above is followed.  Flip the bits as shown above and add one as shown in Figure 6.

[Figure 6: binary representation of the negative number -5]

This method makes it extremely easy to add positive and negative numbers together.  For example:

[Figure 7: binary addition of positive and negative numbers]

It also makes it extremely easy to convert between positive and negative numbers:

[Figure 8: converting between positive and negative binary numbers]

ActiveTimeBias

If we look once again at the ActiveTimeBias in Figure 9, you will see a signed hexadecimal value.  This can be calculated using twos complement.

[Figure 9: signed ActiveTimeBias value]

This value is stored in hexadecimal as a 32-bit value, so to work out the value it will need to be converted to binary.  Ignore the fact that on this occasion the registry editor is showing the decimal value (4294967236) next to it; this is purely because the registry editor does not realise the value has been stored as a signed integer.

The twos complement calculation is as follows:

[Figure: the signed integer as stored in the registry]

Convert this to binary:

[Figure: the value converted to binary]

The MSB is set so we know that the above value will be negative.  The next stage is to flip all the bits.  This involves changing 1 to 0 and vice versa.  This can be achieved quickly using the logical NOT function on a scientific calculator.  You must ensure that it is set to deal with the correct number of bits.

[Figure: the value with all bits flipped]

Add 1 to the value above:

[Figure: the flipped value plus one]

And then convert that value back to decimal, remembering that we are dealing with a negative number:

[Figure: the result converted back to decimal]

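The bias arithmetic above, worked in Python as an added example (not code from the original post): decoding the ActiveTimeBias DWORD shown by the registry editor (4294967236) as a twos-complement signed integer, rebuilding ActiveTimeBias from Bias and DaylightBias, and applying UTC = Local Time + Bias, including the eight-hour skew from the case example. The GMT and Pacific bias values are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed values for illustration: the DWORD the registry editor shows for
# ActiveTimeBias on the page (4294967236), and the Bias/DaylightBias pair for a
# GMT zone observing British Summer Time (0 and -60). Pacific Standard Time's
# bias of 480 minutes stands in for the mis-set zone in the case example.
REG_ACTIVE_TIME_BIAS = 4294967236
GMT_BIAS, GMT_STANDARD_BIAS, GMT_DAYLIGHT_BIAS = 0, 0, -60
PACIFIC_STANDARD_BIAS = 480


def decode_signed(value, bits=32):
    """Read an unsigned registry DWORD as a twos-complement signed integer.

    Same steps as the manual method: if the MSB is set the number is negative,
    so flip every bit, add one, and put the minus sign back on the result.
    """
    mask = (1 << bits) - 1
    value &= mask
    if value >> (bits - 1):                  # MSB set -> negative number
        return -(((~value) & mask) + 1)      # flip the bits, add 1, negate
    return value


def active_bias(bias, standard_bias, daylight_bias, daylight_in_effect):
    """ActiveTimeBias = Bias + DaylightBias while daylight saving is in effect,
    otherwise Bias + StandardBias."""
    return bias + (daylight_bias if daylight_in_effect else standard_bias)


def local_to_utc(local_iso, bias_minutes):
    """UTC = local time + bias; ISO 8601 strings in and out."""
    local = datetime.fromisoformat(local_iso)
    return (local + timedelta(minutes=bias_minutes)).isoformat()


def timestamp_skew_hours(configured_bias, true_bias):
    """Hours by which stored UTC stamps are wrong when a clock kept on the true
    zone's local time is converted with the bias of a mis-configured zone."""
    return (configured_bias - true_bias) / 60


if __name__ == "__main__":
    print("ActiveTimeBias:", decode_signed(REG_ACTIVE_TIME_BIAS), "minutes")
    print("Expected for GMT in summer:",
          active_bias(GMT_BIAS, GMT_STANDARD_BIAS, GMT_DAYLIGHT_BIAS, True))
    print("UTC for 2010-06-04T14:30 local:", local_to_utc("2010-06-04T14:30:00", -60))
    # Case example: a clock set to GMT on a system configured for Pacific Time
    print("Skew:", timestamp_skew_hours(PACIFIC_STANDARD_BIAS, GMT_BIAS), "hours")
```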

Daylight Saving / Standard Time Start Dates

Looking at Figure 10 below, you can see two values named DaylightStart and StandardStart.  They hold encoded data showing the exact commencement date/time of Daylight Saving and Standard Time.  To establish when daylight saving starts and ends, both values will need to be decoded.

[Figure 10: DaylightStart registry value]

SYSTEMTIME Structure

This data is stored in a common structure called SYSTEMTIME. This structure specifies a date and time, using individual members for the year, month, day, weekday, hour, minute, second, and millisecond.

[Figure 11: SYSTEMTIME structure]

The data in DaylightStart is as follows:

[Figure 12: DaylightStart data]

Bytes 0 & 1 (0x0000) refer to the year from a 1900 time base.  This is only required if the change is year specific and will normally be zero.

Bytes 2 & 3 (0x0003) refer to the month, in this case March.

Bytes 4 & 5 (0x0005) refer to the week (starts at 1, and 5 means last).  In this case, the last week.

Bytes 6 & 7 (0x0001) refer to the Hour.  In this case it is 0100 Hours.

Bytes 8 & 9 (0x0000) refer to the Minutes.  In this case it is zero minutes.

Bytes 10 & 11 (0x0000) refer to the Seconds; in this case it is zero seconds.

Bytes 12 & 13 (0x0000) refer to the Milliseconds; in this case it is zero milliseconds.

Bytes 14 & 15 (0x0000) refer to the actual Day of the Week (Sunday = 0).  In this case it is Sunday.

For our example in Figure 12, Daylight Saving Time (DST) will start on Sunday of the Last Week in March at 0100 Hours.  If we had decoded StandardStart, we would see that DST would end on Sunday of the last week of October at 0200 hours.
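A Python decoder for the DaylightStart and StandardStart blobs, added here as an example and not the post's own code. It follows the member order in Microsoft's SYSTEMTIME documentation (wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds), in which the day-of-week WORD comes before the week-number WORD, and goes beyond the post by resolving the "last Sunday in March" rule to a concrete date for a chosen year. Both byte strings are constructed: DaylightStart matches the decoded values above, and StandardStart is assumed to be last Sunday in October at 0200 hours.

```python
import struct
from datetime import date, datetime, timedelta

# Constructed 16-byte blobs. SYSTEMTIME is eight little-endian WORDs in the
# documented order wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond,
# wMilliseconds; in TimeZoneInformation wDay holds the week number (5 = last).
# DAYLIGHT_START encodes the page's decoded result: Sunday, last week of March,
# 0100 hours. STANDARD_START is an assumed value: Sunday, last week of October,
# 0200 hours.
DAYLIGHT_START = bytes.fromhex("0000 0300 0000 0500 0100 0000 0000 0000")
STANDARD_START = bytes.fromhex("0000 0a00 0000 0500 0200 0000 0000 0000")

MEMBERS = ("year", "month", "day_of_week", "day",
           "hour", "minute", "second", "millisecond")
DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")


def parse_systemtime(blob):
    """Unpack a 16-byte SYSTEMTIME into a dict keyed by member name."""
    if len(blob) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    return dict(zip(MEMBERS, struct.unpack("<8H", blob)))


def describe(st):
    """Human-readable rule, e.g. 'Sunday of week 5 (last) in month 3 at 0100 hours'."""
    week = f"week {st['day']} (last)" if st["day"] == 5 else f"week {st['day']}"
    return (f"{DAY_NAMES[st['day_of_week']]} of {week} in month {st['month']} "
            f"at {st['hour']:02d}{st['minute']:02d} hours")


def transition_date(st, year):
    """Resolve the week-number rule to a concrete local datetime in `year`."""
    first = date(year, st["month"], 1)
    first_dow = (first.weekday() + 1) % 7            # Python Mon=0 -> SYSTEMTIME Sun=0
    day = 1 + (st["day_of_week"] - first_dow) % 7    # first matching weekday
    day += 7 * (st["day"] - 1)                       # advance to the requested week
    d = first + timedelta(days=day - 1)
    while d.month != st["month"]:                    # week 5 = "last": step back
        d -= timedelta(days=7)
    return datetime(d.year, d.month, d.day, st["hour"], st["minute"], st["second"])


if __name__ == "__main__":
    for name, blob in (("DaylightStart", DAYLIGHT_START), ("StandardStart", STANDARD_START)):
        st = parse_systemtime(blob)
        print(name, "->", describe(st), "->", transition_date(st, 2010))
```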

Further Reading

  • Time Zone Information Structure
  • Dynamic Time Zone Information Structure
  • FILETIME Structure
  • SYSTEMTIME Structure
4th June 2010/by Craig Wilson
Tags: Date & Time, Tutorial