
In his blog post of June 17, 2020, the great Craig Ball discussed how to determine the precise time a Gmail message was sent by reviewing the message's original source. This can help clear up confusion caused by email threads between people in different time zones, because the timestamp in the source is recorded in UTC rather than in any party's local time. Here's a rundown of how to do this.

1. Open the message in Gmail, click the three dots to the right of the message header, and select 'Show original'.

2. This opens the raw source of the message, headers included. Search the headers for the tag "t=". In the DKIM-Signature header, which the sending mail server adds when it signs the message, the value after "t=" is the signing timestamp expressed as a Unix epoch time: the number of seconds elapsed since midnight UTC on January 1, 1970. (Windows uses a different yardstick for its own file timestamps, counting 100-nanosecond intervals from January 1, 1601, but that format does not appear in email headers.) In this example we find the number '1594755105'. Two things to watch for: receiving servers may add their own "t=" values in ARC-Seal and ARC-Message-Signature headers, and the DKIM-Signature from the sender's domain is the one closest to the time of sending; and the Date: header, which carries the sender's time zone offset, normally agrees with the "t=" value to within a few seconds, so a large gap between the two is itself worth noting.

3. Paste the number into an epoch timestamp converter, such as the one on the site of Dan's Tools. For 1594755105 it gives the precise time of July 14, 2020, 19:31:45 UTC. Convert from UTC to each participant's local time zone to reconcile the thread.
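
The same lookup can be done without a web converter. The script below is an added example written for this post, not Craig Ball's or Google's code: it reads the headers as they appear under 'Show original', pulls every "t=" tag out of the DKIM-Signature (and, optionally, ARC-Seal) headers, converts the Unix epoch value to UTC, and compares it with the Date: header. The message it parses is constructed for the example; the domains, addresses, hashes and signature values are made up, and only the "t=" value matches the post.

```python
"""Recover the UTC send time from the headers shown by Gmail's 'Show original'."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): the kind of headers a message shows
# under 'Show original'. The DKIM t= value is the one quoted in the post.
RAW_MESSAGE = """\
Received: from mail.example.org (mail.example.org. [192.0.2.10])
        by mx.example.com with ESMTPS id k7
        for <alice@example.com>; Tue, 14 Jul 2020 12:31:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1594755106; cv=none; d=example.com; s=arc;
        b=notARealSeal
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
        s=20161025; t=1594755105;
        h=mime-version:from:date:message-id:subject:to;
        bh=frcCV1k9oG9oKj3dpUqdJg1PxRT2RSN/XKdLCPjaYaY=;
        b=notARealSignature
Date: Tue, 14 Jul 2020 15:31:45 -0400
From: Bob <bob@example.org>
To: Alice <alice@example.com>
Subject: Meeting notes
Message-ID: <constructed-example@example.org>
Content-Type: text/plain; charset="UTF-8"

Here are the notes from today.
"""


def parse_dkim_tags(value):
    """Split a DKIM/ARC tag=value list. Folding whitespace inside values is dropped,
    and only the first '=' separates name from value, so base64 padding survives."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def signing_times(raw, header="DKIM-Signature"):
    """Return (signing domain, UTC datetime) for every t= tag in the named header."""
    msg = message_from_string(raw)
    found = []
    for value in msg.get_all(header, []):
        tags = parse_dkim_tags(str(value))
        if tags.get("t", "").isdigit():
            stamp = datetime.fromtimestamp(int(tags["t"]), tz=timezone.utc)
            found.append((tags.get("d", "?"), stamp))
    return found


def date_header_utc(raw):
    """The Date: header, which carries the sender's zone offset, normalised to UTC."""
    return parsedate_to_datetime(message_from_string(raw)["Date"]).astimezone(timezone.utc)


def in_offset(stamp, hours):
    """Shift a timestamp to a fixed-offset zone, e.g. -4 for EDT or -7 for PDT."""
    return stamp.astimezone(timezone(timedelta(hours=hours)))


if __name__ == "__main__":
    for domain, stamp in signing_times(RAW_MESSAGE):
        print(f"DKIM-Signature t= from {domain}: {stamp.isoformat()}")
    for domain, stamp in signing_times(RAW_MESSAGE, "ARC-Seal"):
        print(f"ARC-Seal t= from {domain} (added by the receiver): {stamp.isoformat()}")
    sent = date_header_utc(RAW_MESSAGE)
    print("Date: header in UTC:", sent.isoformat())
    print("Same instant in New York (EDT):", in_offset(sent, -4).isoformat())
    print("Same instant in San Francisco (PDT):", in_offset(sent, -7).isoformat())
```

Paste the full 'Show original' text into RAW_MESSAGE (or read it from a file) to run this against a real message. Fixed offsets are used for the conversion so the script runs anywhere; for zones that observe daylight saving time, substitute a zoneinfo.ZoneInfo object for the timezone(...) call.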

Windows creates a separate Recycle Bin for each user: inside the volume's recycle folder there is one subfolder per user, named with that user's security identifier (for example, C:\$RECYCLE.BIN\S-1-5-21-<rest of the SID>). A reference to a Recycle Bin for a local drive should appear in all caps, e.g., "C:\$RECYCLE.BIN". A Recycle Bin for an external drive should be in lower case.

Inside a user's Recycle Bin folder you may find files whose names begin with either '$I' or '$R'. Each deleted file produces a pair: a '$I' file containing data about the deleted file and a '$R' file containing its content. The two share the same six-character random suffix and the original extension (for example, $IABC123.docx pairs with $RABC123.docx). When examined in a hex editor, a '$I' file in the Windows 10 format shows the following information, with byte offsets counted from 0:

1. bytes 0 thru 7 are the header, a little-endian version number: 2 on Windows 10 and later, 1 on Vista through Windows 8.1.

2. bytes 8 thru 15 hold the original file size as a 64-bit little-endian integer.

3. bytes 16 thru 23 hold the date and time the file was deleted, stored as a Windows FILETIME: the number of 100-nanosecond intervals since midnight UTC on January 1, 1601. Hex editors and forensic tools convert this to a readable date; remember that it is UTC, not local time.

4. bytes 24 thru 27 hold the length of the original path in characters (Windows 10 format only).

5. From byte 28 onwards, the file lists the original full path and file name as UTF-16 text.

On Vista through Windows 8.1 (version 1) there is no length field: the path occupies a fixed 520-byte (260-character) UTF-16 field starting at byte 24.

A file beginning with '$R' holds the actual content of the deleted file under its new name; the original name and location survive only in the matching '$I' file.

In earlier versions of Windows (such as XP) a single file named 'INFO2', kept in the user's folder under C:\RECYCLER on NTFS volumes, tracked which files the Recycle Bin contained.
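
The '$I' layout described above can be checked in code rather than by counting bytes in a hex editor. The parser below is an added example written for this post, not a Microsoft or vendor tool: it reads both the Windows 10 (version 2) and the Vista through 8.1 (version 1) layouts, converts the FILETIME deletion stamp to a UTC datetime, and decodes the UTF-16 path. Because a real '$I' file cannot be shipped in a blog post, the sample bytes are constructed by a builder function that writes the same layout; the path, size and deletion time in it are made up.

```python
"""Parse Windows Recycle Bin $I metadata files (versions 1 and 2)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks from midnight UTC on 1601-01-01.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(stamp):
    """Inverse of filetime_to_datetime, used to build the constructed sample."""
    delta = stamp.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Decode a $I file: header/version, original size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)   # bytes 0-7, 8-15, 16-23
    if version == 1:
        # Vista - 8.1: fixed 260-character (520-byte) UTF-16 path field from byte 24.
        raw_path = data[24:24 + 520]
    elif version == 2:
        # Windows 10+: 4-byte character count at bytes 24-27, then the path from byte 28.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(filetime), "path": path}


def build_dollar_i(path, size, deleted, version=2):
    """Write the $I layout parse_dollar_i reads; used here only to construct test data."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded   # count includes the NUL


# Constructed sample (made-up path, size and deletion time), not a file from a real machine.
SAMPLE_PATH = r"C:\Users\sean\Documents\draft.docx"
SAMPLE_DELETED_UTC = datetime(2021, 3, 9, 14, 5, 7, tzinfo=timezone.utc)
SAMPLE_DOLLAR_I = build_dollar_i(SAMPLE_PATH, 48213, SAMPLE_DELETED_UTC)


if __name__ == "__main__":
    # Show the first 32 bytes the way a hex editor would, so the offsets above line up.
    for offset in range(0, 32, 8):
        print(f"{offset:04x}  {SAMPLE_DOLLAR_I[offset:offset + 8].hex(' ')}")
    for key, value in parse_dollar_i(SAMPLE_DOLLAR_I).items():
        print(f"{key:12} {value}")
```

To run this against a real file, read it with open(path, "rb").read() and pass the bytes to parse_dollar_i. The deletion time is returned in UTC; convert it to the user's local zone before comparing it with other evidence.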


Prefetch files stored at C:\Windows\Prefetch can be analyzed to show which programs have been run on a Windows computer. Eric Zimmerman's open-source forensic tools include a Prefetch parser, PECmd, available for download from his site.

Open a command prompt in admin mode (the Prefetch folder is protected) and change to the directory in which you've unzipped the executable file 'PECmd.exe'. Run a command like this:

PECmd.exe -d C:\Windows\Prefetch --csv c:\temp

The -d option points to the folder where Windows 10 keeps its prefetch files, and --csv directs the output to .csv files in the named directory. In a test of the tool tonight it generated two .csv files. One file contains detailed information on each application run on the PC: how many times it has been run, when it was last run, and the files and directories it loaded.

The second file provides a simpler timeline, one row per recorded execution. Windows 8 and later keep the last eight run times for each program, so a single program can appear several times in this file.

Two caveats when the folder looks empty or thin. Windows Server disables the prefetcher by default, and on any system it can be turned off through the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters, so an empty folder does not mean nothing was run. The folder is also capped (128 files through Windows 7, 1024 from Windows 8 onward), so older entries roll off. Windows 10 prefetch files are compressed as well; PECmd decompresses them, but a hex editor will not show readable strings.


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco. He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


© 2015 by Sean O'Shea. Proudly created with Wix.com
