Contributors - CyberSecurity Malaysia

More documents

Recommendations

Info

12.Figure 9: Interpreting “Active Time Bias”valueFigure 5: View Pane menu listing11. Please refer to Table 1 for further conversion of othertime zone properties.Figure 6: interpreting “Current” value7. Now we know that the control set is 1, we will nownavigate to the following: NTRegistry/$$$PROTO.HIV/ControlSet001/Control/TimeZoneInformation.Time ZonePropertiesActive time BiasBiasDaylight BiasDaylight NameDescriptionThis is the number of minutes offsetfrom GMT for the current timesetting. This is stored as a 32-bitinteger.This is the number of minutes offsetfrom the GMT for the time zonesetting. This is stored as a 32-bitinteger.The number of minutes offset fromthe Bias for DST setting. This isstored as a 32-bit integer.The name in the Unicode of the timezone DST setting.Figure 7: Users’s time zone setting8. This is the folder where the system keeps all the user’stime zone settings.9. Select Active time Bias, highlight the data and rightclick. Select “Bookmark Data” (Figure 8).Daylight Start,Standard StartStandard BiasPlease refer to figure 10. Highlighteither start time in the table Pane.Change the View Pane to Hex view.The number of minutes offset fromthe Bias for the Standard Time. It isusually zero.Standard Name The name of the Unicode ofthe standard time zone setting(Figure 11).Table 1: Time zone properties value formatFigure 8: Interpreting “Active Time Bias”value10. Decode the highlighted data by selecting “32-bitInteger”. This is because the Active Time Bias is beingstored in this type of value. Now, the data have beenconverted to -480 minutes (8 hours offset from GMT)(Figure 9).
The values in the view pane of Figure 10 are interpreted asbelow (in sequence):00 00-padding (0)00 00-month (0)00 00-week (0)00 00-time of day (0)00 00-additional minutes within hour (0)00 00-additional seconds within minutes (0)00 00-miliseconds within the second (0)00 00-day of the week (00 or Sunday)13.Figure 13: Timezone modules insideWindows Initialize Case3. Then go back to the Bookmark “EnScript-Time ZoneInfo” folder. The following is the output generatedas shown in Figure 14.Figure 10: Interpreting Day light start timevalueb) Auto (run EnScript)1. If you wish to obtain time zone info by using EnScript,just double click on the case processor. Fill in theBookmark Folder Name, in this example “EnScript-Time Zone Info” and click next button (Figure 11).Current control set is 001Default control set is 001Failed control set is 000Last Known Good control set is 002Standard time bias is 08:00 hours offset from GMT.Standard Name: Malay Peninsula Standard TimeStandard time is set to change the Standard bias by 0minutes.Standard time is set to change on Sunday of the 0th week ofUnknown, at 00:00 hours.Daylight Name: Malay Peninsula Standard TimeDaylight savings is set to change the Standard bias by 0minutes.Daylight savings time is set to change on Sunday of the 0thweek of Unknown, at 00:00 hours.Active time bias is 08:00 hours offset from GMT.The current time setting is 8:00 hours offset from GMT.The offset must be either added or subtracted from GMTdepending on the time zone locationFigure 14: Time Zone Output GeneratedFigure 11: EnScript-Case processor2. Double click on the windows Initialize Case and selectTime Zone Module ( Figure 12 and 13) and click OK.4. Once we know the time zone setting of the suspect,we can either set examiner’s machine accordingto the suspect time zone (which I will not furtherderive in this article), or use another optionoffered by EnCase Forensic Software to set thetime zone setting for the EnCase Forensic Softwareenvironment.5. The following shows the step on how to set theEnCase Forensic Software environment.6. Go to entries, right click on the physical disk andselect “Modify time zone setting” in (Figure 15).Figure 12: Locating EnScript-CaseInitializersFigure 15: Case Entries Optione-Security | <strong>CyberSecurity</strong> <strong>Malaysia</strong> | Volume 21 - (Q4/2009)
Page 1: Volume 21 - (Q4/2009)“Companies s
Page 4 and 5: 4.MyCERT 4th Quarter 2009 SummaryRe
Page 6 and 7: 6.USB PortA culprit to ICT Security
Page 8 and 9: 8.Specific device setup classes can
Page 10 and 11: 10.ConclusionReferencesUSB removabl
Page 14 and 15: 14.7. A list of time zone propertie
Page 16 and 17: 16.allowing you to specify which da
Page 18: 18.Guide to Motion Compensation (Ph
Page 21 and 22: Graph 1 shows all the satisfied poi
Page 23 and 24: CyberdatingHow to Have Funbut Stay
Page 25 and 26: find them. If anything goes wrong,
Page 27 and 28: 27.What could be the threats to ena
Page 29 and 30: 29.InternetRadio Frequency Identifi
Page 31 and 32: Common Criteria andNational Cyber S
Page 33 and 34: 33.Case Study: US Government Direct
Page 35 and 36: has caused a US$2.25 million fine t
Page 37 and 38: 37.lewat sampai pada penerima ataup
Page 39 and 40: For instance TM, Malaysia’s large

Contributors - CyberSecurity Malaysia

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?