internet-explorer-9local-storagetimestampcomputer-forensics

Interpreting IE9 ltime & htime localStorage timestamps


Here is some sample XML from an IE9 localStorage file:

<root>
  <item name="1264474612:page_insights:latestversion" 
  value="6"
  ltime="1024039440" 
  htime="30244985" />
</root>

I am trying to figure out how to interpret these kinds of records, including the ltime and htime values. I've figured out from research that it has to do with IE9 localStorage and comes from %userprofile%\AppData\Local\Microsoft\Internet Explorer\DOMStore\.

Any help is appreciated.


Solution

  • The ltime and htime is part of a 64-bit time value where one is the lower and the other is the higher 32-bit value.

    Two most commonly used 64-bit time formats are 64-bit version of Unix (POSIX) time and Windows FILETIME (64-bit only).

    Using both ltime and htime, to get the 64-bit value, each must be converted to hexadecimal first.

    ltime = 1024039440 (decimal) = 0x3d099a10 (hexadecimal)
    htime =   30244985 (decimal) = 0x01cd8079 (hexadecimal)
    
    value = (htime x 0x100000000) + ltime
          = (0x01cd8079 x 0x100000000) + 0x3d099a10
          = 0x01cd807900000000 + 0x3d099a10
          = 0x01cd80793d099a10 (hexadecimal)
          = 129901222467050000 (decimal)
    

    If the above result is calculated using FILETIME and POSIX format, the FILETIME time would be 2012-08-22, 08:17:26.705, while POSIX time would be 4116407840-06-22, 09:53:20. So, it's more likely that the FILETIME format is used for the timestamp since the POSIX time would go way past current year (2012).