Bit of an odd one, vssver2, time_t and DWORD
Excuse any ignorance, I'm just a lowly .NET programmer and have very little C++ experience :-D So I'm trying to dissect vssver2.scc files for forensic purposes (don't ask :| ) and have found some information, mainly from here: http://alinconstantin.dtdns.net/WebDocs/SCC/VssVerScc.htm Towards the bottom of this page it gives some hint as to the structure of this file:

A vssver.scc file is composed of 3 sections:

* a FileHeader section of 32 bytes size

```cpp
struct FileHeader {
    DWORD dwSignature;         /* 0x00011234 */
    BYTE[16] arrDatabaseGuid;  /* a GUID identifying the VSS database associated with the vssver2.scc file */
    DWORD dwChecksum;          /* a checksum of the vssver2.scc file */
    DWORD dwProjectID;         /* the number identifying the project from VSS database associated with the vssver2.scc files */
    DWORD dwFileEntries;       /* the number of file entries stored in the vssver2.scc file and following this structure */
}
```

* a number of FileEntry sections, each of them 16 bytes, one entry per each file tracked by the vssver2.scc file

```cpp
struct FileEntry {
    DWORD dwFileID;         /* the number identifying the file in the VSS database that is tracked by this vssver.scc file */
    DWORD dwFileChecksum;   /* the file's checksum */
    DWORD dwFileTimestamp;  /* a file timestamp */
    DWORD dwFileVersion;    /* the version of the file from the VSS database that you have locally */
}
```

* a FileNames section in the end of the file that contains
  * The null-terminated project name associated with this vssver2.scc file
  * A list of null-terminated file names that have entries in the FileEntry section

I have written a small C# app to read this information and I just wanted to check a few things.

1) Is a DWORD akin to a `uint` in .NET? In code using a `BinaryReader` I have `uint myint = BitConverter.ToUInt32(reader.ReadBytes(4), 0);` - does that look right?

2) I was assuming that the field `dwFileTimestamp` would be a C++ time_t so I had the code `DateTime dt = new DateTime(1970,1,1).AddSeconds(dwFileTi`

Hi Jamie,

J4amieC wrote:
- Is a DWORD akin to a uint in .NET? In code using a BinaryReader I have `uint myint = BitConverter.ToUInt32(reader.ReadBytes(4), 0);` - does that look right?

`DWORD` is an `unsigned long`.

J4amieC wrote:
- I was assuming that the field dwFileTimestamp would be a C++ time_t so I had the code `DateTime dt = new DateTime(1970,1,1).AddSeconds(dwFileTimestamp);` but this does not produce expected results (dates all over the place from 2064 to 2001). Question is, is there any other usual way that dates/times are stored in C++? Any weird ones that are not really used any more? Any ideas?

Is there a way you could reverse-store the values (tell what would be stored in the file in the `DWORD` field for a given date)? Or, can you give me an example of the value in the file and the value that you expect? (Or you just have values in the file and don't know what it may correspond to?)

It is a crappy thing, but it's life -^ Carlo Pallini

Thanks for your answer Rajesh, sorry it's taken me a while to respond, I posted this before leaving work last night.

Rajesh R Subramanian wrote:
DWORD is an unsigned long.

In which case wouldn't it need 8 bytes? The documentation I posted said that the DWORD was 4 bytes and certainly `BitConverter.ToUInt64()` is looking for 8 bytes. :confused:

Rajesh R Subramanian wrote:
Is there a way you could reverse-store the values (tell what would be stored in the file in the DWORD field for a given date)

I'm trying that, but unfortunately don't have VSS2005 here so I'm relying on someone in another country to do this for me. (Again, don't ask :|)

Rajesh R Subramanian wrote:
Or, can you give me an example of the value in the file and the value that you expect

I have a value `270107399` (albeit gotten as a `uint` not a ulong) which I would expect relates to around Jan/Feb 2006 - however using this number as seconds since 1970-01-01 I get the date as 24/7/78 05:49 :S

You're welcome, Jamie.

J4amieC wrote:
In which case wouldn't it need 8 bytes? The documentation I posted said that the DWORD was 4 bytes and certainly `BitConverter.ToUInt64()` is looking for 8 bytes.

I'm not sure then why would it be a `DWORD`. But I'm sure a `DWORD` is an `unsigned long` (consult with `Windef.h`).

J4amieC wrote:
I'm trying that, but unfortunately don't have VSS2005 here so I'm relying on someone in another country to do this for me.

Did this happen? What were the results?

J4amieC wrote:
I have a value 270107399

With 270107399, I as well am able to get 24 Jul 1978 only. Sorry, I'm not able to be much helpful here with this issue. :)

It is a crappy thing, but it's life -^ Carlo Pallini
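
Added example, not part of any post in the thread or of the linked documentation: a C# reader for the layout quoted in the first post that validates the signature and bounds the entry count before trusting it, then applies the time_t reading discussed above to the value 270107399. The names `FileEntry`, `VssVerScc`, `Parse` and `AsUnixTime` are hypothetical; the code assumes little-endian DWORDs, Latin-1 names listed in entry order, and .NET 5 or later, and the sample bytes are constructed rather than taken from a real file.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

// Constructed sample (not a real file): one entry carrying the thread's value 270107399.
var ms = new MemoryStream();
var w = new BinaryWriter(ms);
w.Write(0x00011234u); w.Write(new byte[16]); w.Write(0u); w.Write(7u); w.Write(1u);
w.Write(42u); w.Write(0u); w.Write(270107399u); w.Write(3u);
w.Write(Encoding.Latin1.GetBytes("$/Demo\0Form1.cs\0"));
var (_, _, project, files) = VssVerScc.Parse(ms.ToArray());
foreach (var f in files)
    Console.WriteLine($"{project}/{f.Name} v{f.Version}: {f.Timestamp} as time_t = {VssVerScc.AsUnixTime(f.Timestamp):u}");

record FileEntry(uint FileId, uint Checksum, uint Timestamp, uint Version, string Name);

static class VssVerScc
{
    const uint Signature = 0x00011234;          // value given in the quoted FileHeader
    const int HeaderSize = 32, EntrySize = 16;  // sizes given in the quoted layout

    // Assumptions (not stated on the page): little-endian DWORDs, single-byte
    // (Latin-1) names, and file names listed in the same order as the entries.
    public static (Guid Db, uint ProjectId, string Project, List<FileEntry> Files) Parse(byte[] data)
    {
        if (data.Length < HeaderSize) throw new InvalidDataException("truncated header");
        using var r = new BinaryReader(new MemoryStream(data));
        // A Win32 DWORD is 32 bits (C++ unsigned long is 4 bytes on Windows),
        // so it maps to C# uint / ReadUInt32, not the 64-bit ulong.
        if (r.ReadUInt32() != Signature) throw new InvalidDataException("bad signature");
        var db = new Guid(r.ReadBytes(16));
        r.ReadUInt32();                         // dwChecksum: algorithm not given, not verified
        uint projectId = r.ReadUInt32(), count = r.ReadUInt32();
        // Bound the untrusted entry count by the bytes actually present.
        if (count > (data.Length - HeaderSize) / EntrySize)
            throw new InvalidDataException("entry count exceeds file size");
        int namesAt = HeaderSize + (int)count * EntrySize;
        string[] names = Encoding.Latin1.GetString(data, namesAt, data.Length - namesAt).Split('\0');
        if (names.Length < count + 1) throw new InvalidDataException("missing file names");
        var files = new List<FileEntry>();
        for (int i = 0; i < count; i++)
            files.Add(new FileEntry(r.ReadUInt32(), r.ReadUInt32(), r.ReadUInt32(), r.ReadUInt32(), names[i + 1]));
        return (db, projectId, names[0], files);
    }

    // The time_t reading tried in the thread: seconds since 1970-01-01 UTC.
    public static DateTime AsUnixTime(uint dw) => DateTimeOffset.FromUnixTimeSeconds(dw).UtcDateTime;
}
```

Keeping the raw DWORD next to any decoded date lets a different timestamp interpretation be applied later without re-reading the file.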