EnScript® Showcase – EnCase® App Central, Evidence Management and Reporting
Digital Forensics | Sep 10, 2015
Time Zone Prior to Processing
As an examiner it’s critical to determine the time zone settings of hard drives with the Windows OS installed before processing the evidence. Time stamps and other temporally related items usually provide the most damning evidence or the best alibis. Without the proper time zone setting, the former can easily become the latter and then the bad guy walks.
If regional time zone settings are not defined by the user, then by default EnCase applies the examination machine’s regional settings to the case during processing. It’s not a good idea to let EnCase determine the time zone from the examination machine’s settings. Doing so runs the risk of invalidating evidence, because multiple evidence files from multiple computers may carry regional settings that differ from one another and from the examiner’s machine.
What you should do is locate the time zone setting for each device, bookmark these settings, and then manually change each device’s time zone settings under the device menu. The steps involved in properly determining a device’s time zone setting are pedantic and time-consuming: navigating the SYSTEM registry hive, combing through the ControlSet subkeys, interpreting little-endian hex values, and so on.
Enter the "Time Zone Prior to Processing" EnScript
Instead, you can use this EnScript, created by Guidance’s own Jamey Tubbs (@JameyTubbs), and automatically parse out the proper time zone information for each device. The EnScript then automatically creates a bookmark folder for every device in your case containing time zone information, making this info easy to find and reference.
The one thing the script does not do is make the change within the device settings; you need to complete this final step on each evidence file before processing. I’ll show you how to run the EnScript and then note when and where you must make these changes.
Like most EnScripts on EnCase App Central, this EnScript is simple to run. Select the EnScript option from the toolbar and run Time Zone Prior to Processing. Most EnScripts contain a unique UI or menu but this EnScript automatically runs and its progress can be seen at the bottom right of the screen.
Once complete, a bookmark folder titled Time Zone Information will be created in the tree pane. Within it will be subfolders for each device’s respective time zone information. Selecting the device in the table pane and then the ‘report’ tab in the view pane will show you the TimeZoneRegistry Data; that is where you’ll find the information you’re looking for.
This last step is arguably the most important and must be done manually. The EnScript only gives you the time zone information; it’s up to you to implement it. If you don’t and then process your evidence, you run the risk of reporting incorrect time zone information. And again, bad guy goes free.
To change the device’s time zone setting go to the Evidence, Viewing (Entry) tab. Right-click on the evidence file in the left pane; select Device, Modify Time Zone Settings. Select the proper time zone as noted in the newly created bookmark folder and then process your evidence.
There you have it. One free EnScript developed by one of our long-term trainers can save you time and make sure your evidence is in proper order before processing.