GUID interpretation...

    Any GUID wizards here? Specifically, I'd like to know if anyone has developed an A5 method to extract the time value encoded in a GUID for display in standard time?

    Thanks much...


    Chop
    Jerry Hatchett

    CERTIFIED COMPUTER EXAMINER
    LICENSED PRIVATE INVESTIGATOR


    Digital Forensics & E-Discovery

    Red Forensic
    Houston, TX

    #2
    Re: GUID interpretation...

    I don't believe Alpha allows you to create a Time-Based Guid. Are you getting this GUID from a SQL and attempting to extract the time?
    If so, you need to show how it was created or at minimum an example of a Time-Based Guid and the rest would be a very simple matter.

    P.S.
    Not a Guid-wizard.



      #3
      Re: GUID interpretation...

      Hi G,

      This is data parsed out from link files on a Windows computer. Link files contain four different GUIDs, all of which contain timestamps that can be forensically valuable. (I'm a digital forensic examiner.)

      I'm researching their exact construction now.

      Thanks...

      Chop
      Jerry Hatchett



        #4
        Re: GUID interpretation...

        I am with you, but not all GUIDs have a time-stamp. Can you offer an example of a GUID with the time part and highlight that part?
        I am pretty sure it can be easily extracted once you know its exact location in the GUID.

        Edited:
        missed the part where you say you are researching their exact construction now. Awaiting your findings.
        Now off to watch the NBA.
        Last edited by G Gabriel; 06-17-2008, 10:49 PM.



          #5
          Re: GUID interpretation...

          Will do, G.
          Jerry Hatchett



            #6
            Re: GUID interpretation...

            That Boston-Tanzania basketball game was a lot of fun to watch.



              #7
              Re: GUID interpretation...

              I've tried many times to get into basketball but it just doesn't stick. I'll talk football with you all day, however. GO GIANTS!

              Now, back to the GUIDs. Here's an example GUID parsed from a linkfile:

              A6124319-7710-11D6-B63D-00038A000015

              And here's a legend based on what I believe to be accurate info regarding its structure:

              Timestamp expressed as "UTC in 100- nanoseconds midnight 15 October 1582"

              I know that timestamp statement is a bit vague and I'm waiting for clarification of its meaning. My assumption is that it means "the number of 100-nanosecond blocks that have transpired since midnight October 15, 1582," but that could well be wrong. I've posed the question.

              A sequential boot counter


              The MAC of the machine's primary NIC

              My ultimate goal is to be able to read the GUID and populate layouts with a "decoded" GUID that's much more amenable to analysis.

              Again, many thanks for any help!

              Chop
              Jerry Hatchett



                #8
                Re: GUID interpretation...

                BUMP.
                Jerry Hatchett



                  #9
                  Re: GUID interpretation...

                  Hi Jerry,

                  You have your hands full, from what I have read so far by googling your question!!

                  Here is just the first site of many when using "UTC in 100- nanoseconds midnight 15 October 1582" without quotes as the google search words.

                  http://www.rlmueller.net/AccountExpires.htm

                  Here is an excerpt from another which basically tells me you have a decision to make in where to start counting from!

                  I get a different result for the 64-bit CLR System.DateTime. I suppose one reason the Win32 FILETIME starts in 1600 is to avoid the ugly switchover from the Julian to Gregorian calendars in 1582, when ten days were dropped in October.

                  One way to calculate it without resorting to fancy formulas would be to calculate the number of days to 1-Jan-2003:
                  2000 years * 365.25 days/year in Julian calendar
                  - 10 days dropped in 1582
                  - 3 days for leap years in Julian calendar that aren't in Gregorian since (1700, 1800, 1900)
                  + 365 days for 2001
                  + 365 days for 2002
                  then work backwards to 26-Nov-2002:
                  - 31 days in December
                  - (last) 5 days in November
                  = 731,181 days from 1-Jan-0001

                  The rest is pretty straightforward. PST is 8 hours behind UTC, so 19:25PST is actually "27:25":
                  731,181 days * 86,400 sec/day
                  + 27 hours * 3600 sec/hour
                  + 25 mins * 60 sec/min
                  * 10,000,000 hundred-nanosecs/sec
                  = 0x8c4656e:085f8e00

                  I cross-checked that with both a calendar object and some Julian Day formulas and they matched; but frankly I'm still not 100% sure. At least that obscure calendar knowledge: http://www.tondering.dk/claus/cal/node3.html finally came in handy.
                  Mike
                  __________________________________________
                  It is only when we forget all our learning that we begin to know.
                  It's not what you look at that matters, it's what you see.
                  Henry David Thoreau
                  __________________________________________





                    #10
                    Re: GUID interpretation...

                    Jerry:
                    The linkfile you referenced was created on:
                    Monday, June 3, 2002 4:40:44 pm GMT
                    Last edited by G Gabriel; 06-22-2008, 07:34 PM.



                      #11
                      Re: GUID interpretation...

                      Exactly correct, G! Now, did you happen to create a formula to arrive at that?

                      Originally posted by G Gabriel:
                      Jerry:
                      The linkfile you referenced was created on:
                      Monday, June 3, 2002 4:40:44 pm GMT
                      Jerry Hatchett



                        #12
                        Re: GUID interpretation...

                        Yes..
                        BUT..
                        It is not worth pursuing, that's the news you do not want to hear.

                        Forensically speaking, GUID is by no means a DNA not even a finger print, not a hair nor a fiber, at best it's the glove that didn't fit and so you must quit and acquit.

                        Why?

                        The reason I was able to extract the date/time from your example is because it was created with V1 GUID. Since the Melissa virus, that is no longer the case. So, at best you can use that formula for older GUIDs.

                        You may say, OK, I will just use it for that.
                        Well, here comes that glove that didn't fit:

                        The formula will tell you when the GUID was created (using GMT) then you have to adjust for the time zone, but what if:
                        1-The computer owner did not have the correct time zone set on the computer (by ignorance)
                        2-Or what if the user intentionally changes the time or time zone?
                        Then the glove won't fit.

                        That said, why bother with GUID? Windows date/time-stamp any file when created. You could see that in the properties of the file.
                        Last edited by G Gabriel; 06-23-2008, 11:38 AM.



                          #13
                          Re: GUID interpretation...

                          Thx, G.

                          In digital forensics, every piece of additional info can sometimes be useful. We regularly do analysis that checks for evidence of clock changes, especially when timeline is critical. By itself, the GUID info may not be definitive, but it may well substantiate (or invalidate) another piece of information. It's about patterns and puzzles.

                          The GUIDs, for example, can help establish the order in which multiple files were opened. A sophisticated user may even be sharp enough to alter MAC metadata, but leave the GUIDs intact. It's all potentially important.

                          Thx MUCH for your help, and if you're willing to share what you did I'd be most grateful!

                          Jerry
                          Jerry Hatchett



                            #14
                            Re: GUID interpretation...

                            The formula is very simple:
                            In the example you provided:
                            A6124319-7710-11D6-B63D-00038A000015
                            notice the number 1 after the second dash. This indicates that this GUID was created with V1.

                            If it is, then you could use the expression, otherwise, the expression is useless (you could add an if statement to check for that number).

                            Beyond that, take the 3 digits that come after that number, in this case 1D6 and make them first, take the 4 digits after the first dash and make them second and last take the first 8 digits and make them last. Something like:
                            x=substr(GUID,16,3)+substr(GUID,10,4)+left(GUID,8)
                            That will result in a hexadecimal number representing how many 100-nanoseconds passed since 10/15/1582.
                            First, translate this hexadecimal to decimal using hex_to_dec()
                            now you have the number in decimal. Divide that number by 10,000,000 and now you have the number of seconds since that date. From here it's a simple mathematics to calculate the date and time.
                            The time you get is GMT. Adjust for the time zone.
                            The time you get is GMT. Adjust for the time zone.

                            Comment
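Added example, not part of the original thread and not written by any of the posters: the procedure from post #14 carried through in Python rather than Xbasic, including the version check and the other two fields from the legend in post #7. The function name `decode_v1_guid` and the dictionary keys are this example's own choices.

```python
import re
from datetime import datetime, timedelta, timezone

# Midnight UTC, 15 October 1582: the epoch quoted in post #7.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_v1_guid(guid):
    """Return the fields of a version-1 GUID, or None for any other version."""
    hexstr = guid.strip().strip("{}").replace("-", "")
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", hexstr):
        raise ValueError("expected 32 hex digits: %r" % guid)

    # The digit after the second dash is the version (the check in post #14).
    if hexstr[12] != "1":
        return None

    # Reorder as in post #14: the 3 digits after the version digit, then the
    # 4 digits after the first dash, then the first 8 digits.
    ticks = int(hexstr[13:16] + hexstr[8:12] + hexstr[0:8], 16)

    # ticks counts 100-nanosecond intervals; 10 of them make one microsecond.
    created = GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)

    # Fourth group: the top two bits are the variant, the low 14 bits are the
    # clock sequence (the counter field in post #7's legend).
    clock_seq = int(hexstr[16:20], 16) & 0x3FFF

    # Last group: the node, normally the MAC address of the machine's NIC.
    node = hexstr[20:32].lower()
    mac = ":".join(node[i:i + 2] for i in range(0, 12, 2))

    return {"ticks": ticks, "created_utc": created,
            "clock_seq": clock_seq, "mac": mac}


if __name__ == "__main__":
    # Example GUID taken from post #7.
    fields = decode_v1_guid("A6124319-7710-11D6-B63D-00038A000015")
    for key, value in fields.items():
        print(key, value)
```

`created_utc` is only what the generating machine's clock reported at the time, so it still has to be corroborated against other artifacts, as posts #12 and #13 discuss.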


                              #15
                              Re: GUID interpretation...


                              That Boston-Tanzania basketball game was a lot of fun to watch.
                              What kind of track do they run on in that class, dirt or asphalt??


                              I've tried many times to get into basketball but it just doesn't stick. I'll talk football with you all day, however. GO GIANTS!
                              Watched one a long time ago, but it's not fun. No one spun their wheels or hit the wall. One of the pit stops lasted about 15 minutes, that would lose any race.





                              Dave Mason
                              Skype is dave.mason46
