0xrawsec / golang-evtx

GNU General Public License v3.0

Bad TimeStamp On Windows 10 #20

Closed po0lpy0x0c closed 4 years ago

po0lpy0x0c commented 4 years ago

Seems that the time conversion for FileTime defined in utils.go is not right (the date is in the future o_O)

```go
func (v *FileTime) Convert() (sec int64, nsec int64) {
	nano := int64(10000000) // FILETIME ticks (100 ns each) per second
	mili := int64(10000)
	sec = int64(float64(v.Nanoseconds-11644473600*nano) / float64(nano))
	nsec = (v.Nanoseconds - 11644473600*nano) - sec*mili //==> Not good
	return
}
```

A quick fix:

```go
func (v *FileTime) Convert() (sec int64, nsec int64) {
	fmt.Println(v.Nanoseconds) // debug print, needs "fmt" imported
	nano := int64(10000000)    // FILETIME ticks (100 ns each) per second
	fix := int64(100)          // nanoseconds per tick
	sec = int64(float64(v.Nanoseconds-11644473600*nano) / float64(nano))
	nsec = ((v.Nanoseconds - 11644473600*nano) - sec*nano) * fix //=>GOOD
	return
}
```

NB: Just to say a BIG thanks for this library, which helps us find bad guys in forensic investigations
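As an added illustration of the bug described in this issue (not code from golang-evtx), the following stand-alone program converts a FILETIME tick count with integer arithmetic only, reproduces the reported remainder error, and measures how far into the future it pushes a constructed 2020-01-01 timestamp. The type, function names and sample value are assumptions for the example.

```go
package main

import (
	"fmt"
	"time"
)

// FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
const (
	ticksPerSecond = int64(10_000_000)  // 10^7 ticks of 100 ns in one second
	epochDiffSec   = int64(11644473600) // seconds from 1601-01-01 to 1970-01-01
	nsPerTick      = int64(100)
)

// FileTimeToUnix converts FILETIME ticks to Unix seconds plus a nanosecond
// remainder using only integer arithmetic. For timestamps before 1970 the
// remainder comes out negative, which time.Unix normalises correctly.
func FileTimeToUnix(ticks int64) (sec, nsec int64) {
	unixTicks := ticks - epochDiffSec*ticksPerSecond
	sec = unixTicks / ticksPerSecond
	nsec = (unixTicks % ticksPerSecond) * nsPerTick
	return sec, nsec
}

// BuggyConvert reproduces the arithmetic reported in the issue: the remainder
// is taken against sec*10000 instead of sec*10^7, so nsec keeps most of the
// tick count and time.Unix rolls that excess into the date.
func BuggyConvert(ticks int64) (sec, nsec int64) {
	nano := int64(10000000)
	mili := int64(10000)
	sec = int64(float64(ticks-epochDiffSec*nano) / float64(nano))
	nsec = (ticks - epochDiffSec*nano) - sec*mili
	return sec, nsec
}

// DaysAhead reports how far the buggy result lands after the correct one.
func DaysAhead(ticks int64) float64 {
	gs, gn := FileTimeToUnix(ticks)
	bs, bn := BuggyConvert(ticks)
	return time.Unix(bs, bn).Sub(time.Unix(gs, gn)).Hours() / 24
}

func main() {
	// Constructed sample: 2020-01-01T00:00:00.5Z expressed as FILETIME ticks.
	const sample = int64(132223104005000000)
	sec, nsec := FileTimeToUnix(sample)
	fmt.Println(time.Unix(sec, nsec).UTC()) // 2020-01-01 00:00:00.5 +0000 UTC
	fmt.Printf("buggy result is %.1f days ahead\n", DaysAhead(sample))
}
```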

qjerome commented 4 years ago

Hi @po0lpy0x0c,

I am sorry, I updated the code to correct this a while ago but forgot to push it in a proper way. I pushed it with git push --tags and forgot to do a git push afterwards :s. So if you fetched by version tag you would have got the good code, but not if you fetched the master branch. I am glad this lib helped you; if you are doing Incident Response you might be interested in this project as well: https://github.com/0xrawsec/gene.

Cheers,