Windows – How to open a raw registry file (taken from another computer)

windows-registry

I am working on digital forensic investigation case (not a real one obviously) and I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.

To that end I am trying to find the correct timezone that is used on the system.

What I have done so far is use Autopsy to export the registry system file (\system32\config\system), since that is where that piece of information is stored.

But I can't figure out how to read that file. Regedit won't work, since it expects a .reg file. Is there a way to read the registry system file?

EDIT:

So I tried using regedit, but it gives me an error: "Error loading hive". That's all it says.

Best Answer

I have a raw image (.dd) from a Windows (NTFS) partition. I have to find out when a specific file was created.

To that end I am trying to find the correct timezone that is used on the system.

There should be no need to determine the configured time zone, if your goal is simply to get the file creation time.

NTFS stores file timestamps in UTC. UTC, in turn, has the nice property of being monotonically increasing, and convertible to any known time zone simply by adding or subtracting the time zone offset for the subject's geographical and political location at the time (which you would need to establish through other means).

Also note that any time zone configuration value that you extract from the registry will almost certainly show the currently configured (as of the time of the disk image) time zone, not the time zone configured at the time the file was created. Unless Windows keeps some sort of history of time zone settings, the latter won't be obtainable through the operating system's facilities, including deep digging through the registry.

Just present the file and state that file system metadata for the file in question indicates that when it was created, the computer's real-time clock was set to such-and-such UTC. You can also state that at that time, other evidence links the subject to a certain location, and present that evidence separately. That would establish the subject's location at the time, in turn establishing a reasonable local time zone for the subject at the time, which would allow you to state that in that location at that UTC time, local time was so-and-so.

If your role is simply in digital forensics, I would suggest that you simply present the UTC time as recorded in the file system metadata, and let someone else make any interpretation.

Do note however that any competent attorney would likely quickly point out that file system metadata timestamps do not imply that the file action indicated took place at that specific real-world time. The computer's real-time clock could have been set to literally any value within its valid range at the time the file action took place, and that arbitrary value would be recorded in the file system metadata.
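As an added worked example (not part of the answer above), the following Python shows the conversion the answer describes: an NTFS timestamp is an 8-byte FILETIME in UTC, and local time is derived from it by applying the time-zone offset, here the Bias value as Windows stores it under the SYSTEM hive's TimeZoneInformation key (Windows defines Bias so that UTC = local + Bias, which is the sign mistake most often made). The sample bytes, the Bias of 300 and the acquisition date are constructed inputs, not values from any real image.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
# NTFS stores the creation, modification, MFT-change and access times of
# $STANDARD_INFORMATION and $FILE_NAME in this form, always in UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    if filetime < 0:
        raise ValueError("FILETIME is unsigned")
    # datetime resolves microseconds, so the last (100 ns) digit is dropped;
    # values past year 9999 make datetime raise OverflowError by itself.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def filetime_from_bytes(raw: bytes) -> datetime:
    """Decode the 8-byte little-endian FILETIME exactly as it sits on disk."""
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    return filetime_to_utc(int.from_bytes(raw, "little"))


def utc_to_local(utc_dt: datetime, bias_minutes: int) -> datetime:
    r"""Apply a Windows time-zone bias to a UTC timestamp.

    Windows defines Bias so that UTC = local + Bias; for Eastern Standard
    Time (UTC-5) Bias is +300, so local = UTC - Bias.  This is the sign
    convention of the Bias/ActiveTimeBias DWORDs under
    HKLM\SYSTEM\ControlSet00N\Control\TimeZoneInformation
    (ActiveTimeBias already includes daylight saving).
    """
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias_minutes)))


def clock_plausible(event_utc: datetime, acquired_utc: datetime) -> bool:
    """Cheap sanity check: a timestamp later than the moment the image was
    acquired proves the system clock was wrong (or the metadata altered).
    It cannot prove the converse; an earlier timestamp may still be wrong."""
    return event_utc <= acquired_utc


# Constructed sample input (not from a real image): the 8 bytes of a
# creation-time field, a Bias of 300 (UTC-5) as it would be read from the
# exported SYSTEM hive, and the time the image was acquired.
SAMPLE_CREATED_RAW = (131907744001234567).to_bytes(8, "little")
SAMPLE_BIAS_MINUTES = 300
SAMPLE_ACQUIRED_UTC = datetime(2020, 6, 1, tzinfo=timezone.utc)


def report(raw: bytes, bias_minutes: int, acquired_utc: datetime) -> dict:
    """Build the values one would put in a report: UTC first, local derived."""
    created_utc = filetime_from_bytes(raw)
    return {
        "created_utc": created_utc.isoformat(),
        "bias_minutes": bias_minutes,
        "created_local": utc_to_local(created_utc, bias_minutes).isoformat(),
        "clock_plausible": clock_plausible(created_utc, acquired_utc),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_CREATED_RAW, SAMPLE_BIAS_MINUTES,
                             SAMPLE_ACQUIRED_UTC).items():
        print(f"{key}: {value}")
```

The report keeps the UTC value as the primary finding and labels the local time as derived from a stated Bias, which matches the answer's advice to present the file-system timestamp and leave the interpretation separate; the plausibility check only catches the one case the metadata itself can refute.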
