Digital Forensics & Incident Response
  • Welcome
  • General Notes
    • Azure Blob storage with NGINX proxy
    • Install and Configure ZeroTier client
    • S3FS Fuse and MinIO
    • Enable nested VT-X/AMD-V
    • mitm proxy
    • Exploring Volume Shadow Copies Manually
    • Resize VMDK/VDI
    • Resize VMDK on ESXi
    • Convert raw to vmdk
    • Favicon hashing and hunting with Shodan
    • WinRM/RemotePS
    • MinIO/S3/R2 ghost files
    • Mount E01 containing VMDK/XFS from RHEL system
    • Disk images for various filesystems and configurations
      • ext4 with LVM and RAID5 (3 disks)
      • ZFS
      • UFS, FFS, BTRFS, XFS
      • ext4, LVM, and LUKS1/LUKS2
      • NTFS, FAT32, with BitLocker
      • NTFS, FAT32, exFAT with TrueCrypt, VeraCrypt
    • VirtualBox adapters greyed out
    • Exporting SQLite blob data from standalone SQLite database using command line tools
  • Microsoft Defender KQL
    • Introduction to KQL
  • Windows Forensics
    • PsExec
      • PsExec and NTUSER data
    • Security Patch/KB Install Date
  • Linux Forensics
    • Inspecting RPM/DEB packages
    • Common Locations
  • ESXi Forensics
    • Mount external USB device in ESXi hypervisor
    • Understanding ESXi
      • Partitions / Volumes
      • ESXi console / shell
      • Guest Virtual Machines
    • General Notes
    • Triage and Imaging
    • ESXi VMFS Exploration
    • Export OVF from ESXi using OVF Tool
    • Identification, acquisition, and examination of iSCSI LUNs and VMFS datastores
  • Memory Forensics
    • Volatility
      • Volatility3 core commands
      • Build Custom Linux Profile for Volatility
      • Generate custom profile using btf2json
      • Banners, isfinfo, and custom profiles
      • Volatility2 core commands
      • 3rd Party Plugins
    • Acquisition
      • ESXi / VMware Workstation snapshots
      • DumpIt
      • WinPMem
      • Linux / AVML
  • Incident Response
    • Ivanti Connect Secure Auth Bypass and Remote Code Authentication CVE-2024-21887
    • VirusTotal & hash lists
    • Unix-like Artifacts Collector (UAC)
      • Setup MinIO (object storage)
      • Create S3 pre-signed URL
      • UAC and pre-signed URLs
    • Acquiring Linux VPS via SSH
    • AVML dump to SMB / AWS
    • China Chopper webshell
    • Logging Powershell activities
    • Compromised UniFi Controller
    • AnyDesk Remote Access
    • Mounting UFS VMDK from NetScaler/Citrix ADC
  • iOS Forensics
    • Checkm8 / checkra1n acquisitions/extractions
  • CTF / Challenges
    • 13Cubed Linux memory forensics
    • Compromised Windows Server 2022 (simulation)
      • FTK Imager
      • Autopsy Forensics
      • Plaso
      • Events Ripper
      • EZ tools
    • DEFCON 2019 forensics
    • Tomcat shells
    • Magnet Weekly CTF
      • Magnet CTF Week 0
      • Magnet CTF Week 1
    • DFIR Madness CTF
      • Case 001 - Szechuan Sauce
  • Log Files
    • Windows
      • Generating Log Timelines
  • Malware Analysis
    • Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware
    • PDF Analysis
  • Walking the VAD tree
  • OpenCTI
    • What is CTI/OpenCTI?
    • Setting up OpenCTI
    • Container Management
    • Configure Connectors
  • Vulnerability Management
    • Setting Up Nessus (Essentials)
    • Troubleshooting
  • Privacy
Powered by GitBook
On this page

Was this helpful?

  1. Windows Forensics

Security Patch/KB Install Date

How to determine installation time of a specific security patch/update/KB package based on registry key values.

PreviousPsExec and NTUSER dataNextInspecting RPM/DEB packages

Last updated 2 years ago

Was this helpful?

There may be times when you need to determine when a security update was installed. This is obviously a lot easier if you had access to a live machine to run live queries (see for PowerShell queries) however that's not always possible. You may only have a limited logical collection, triage collection (collected by CyLR/UAC etc), or are working from a limited backup.

Installed security packages are located at the following location;

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

Each key references a specific package

Keys may contain the following values;

  • SelfUpdate (0 for manual updates, 1 for automatic updates)

  • InstallTimeHigh

  • InstallTimeLow

  • InstallUser (SID of the user who installed the package)

Even though the key "Package_8_for_KB4033393~..." contains a corresponding 'last write timestamp' of 2022-07-14 01:47:25 (UTC), I wanted to validate this against the values within the key itself based on the InstallTimeHigh and InstallTimeLow timestamps.

I found a BigFix article which referenced the following formula used to calculate the corresponding timestamp.

Timestamp = InstallTimeHigh * 2^32 + InstallTimeLow

2 ^ 32 is 4294967296

In the above example, our formula would look like this;

Timestamp = (30971683 * 4294967296) + 2864280153

Timestamp = (133022365587079168) + 2864280153

Timestamp = 133022368451359321

Converter:

Note: if you mount the SOFTWARE hive on another machine and export the key/value as a text file, the corresponding date/timestamp will be adjusted for the host machine's local time.

❗
❗
https://www.epochconverter.com/ldap
here