Be a Better Detective #3

exFAT Creation Timezone Code

Hello Everyone. It is Husam! Thank you for being part of this journey. Let’s try to be better cybersecurity & digital forensics warriors EVERY SINGLE DAY *_^

This series of posts presents real-world challenges and mistakes faced or made by digital forensic practitioners. Try to solve them yourself and sharpen your investigative skills ^_^

Who Am I? Husam is just a guy who loves solving cyber-crime mysteries.
~ Sherlock Holmes by Day - Lupin by Night.

Do not forget to add my email address to your whitelist, so the newsletter does not land in your spam folder and you miss an issue!

Below are links to some training providers whose content I think would add value for you, so check them out :) Let’s keep learning.

The Scenario:

A senior developer at a tech company has recently resigned.

A week after their departure, the company notices that a competitor has released a product with code, user interface and design patterns similar to a confidential internal tool still in development.

The company suspected that the departed developer had exfiltrated the source code and provided it to the competitor.

They requested a digital forensic investigation of the employee’s laptop, which had been imaged immediately after the resignation.

You followed the digital forensic best practices and procedures and reached the analysis phase.

During your examination, you stumbled upon a file named “project_bak.zip”.

Upon opening it, you discovered that it contained parts of the tool’s source code, and you considered it a possible indicator of intellectual property theft.

You decided to determine the exact creation time of this zip file; the file system containing it was exFAT.

Since you were not familiar with exFAT and its structure, you looked up some information and learned how to identify the creation timestamp along with its timezone code. The timezone mattered because the developer travelled a lot with the work laptop for external organizational projects on a flexible schedule.

Knowing these details would help establish whether the file had been created before the employee’s final official logoff.

After parsing the file system’s directory entries, you found the relevant directory-entry details for project_bak.zip:

Creation timestamp: 0xC97A0153, Timezone offset: 0xE2

You decoded this to mean: 01-August-2021 15:22:18 UTC+10, whereas the employee had left the same day at 09:15:00 UTC+7.
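The two fields quoted above follow the exFAT directory-entry layout: a 32-bit DOS-style timestamp in local time (stored little-endian on disk) and a one-byte UTC-offset field whose bit 7 is the OffsetValid flag and whose low 7 bits are a signed two's-complement count of 15-minute steps. The decoder below is an added example, not code from the original post; it assumes the timestamp is quoted as the four bytes in on-disk order (C9 7A 01 53) and therefore reads them little-endian, and the sample values are the ones from the scenario.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Sample values taken from the scenario above: the four timestamp bytes as they
# appear on disk, and the one-byte UTC-offset field (assumed on-disk byte order).
SAMPLE_TIMESTAMP_BYTES = bytes.fromhex("C97A0153")
SAMPLE_UTC_OFFSET = 0xE2


def parse_exfat_timestamp(raw: bytes) -> datetime:
    """Decode a 4-byte exFAT timestamp into a naive local datetime.

    Bit layout of the little-endian 32-bit value, low bits first:
    5 bits double-seconds, 6 bits minute, 5 bits hour,
    5 bits day, 4 bits month, 7 bits year since 1980.
    Seconds have 2-second resolution (the separate 10 ms field is ignored here).
    """
    (value,) = struct.unpack("<I", raw)
    seconds = (value & 0x1F) * 2
    minute = (value >> 5) & 0x3F
    hour = (value >> 11) & 0x1F
    day = (value >> 16) & 0x1F
    month = (value >> 21) & 0x0F
    year = 1980 + ((value >> 25) & 0x7F)
    return datetime(year, month, day, hour, minute, seconds)


def parse_exfat_utc_offset(raw: int) -> Optional[timedelta]:
    """Decode the UtcOffset byte: bit 7 = OffsetValid, bits 6..0 = signed
    7-bit two's-complement number of 15-minute increments from UTC."""
    if not raw & 0x80:
        return None  # offset not recorded: the timestamp is local time of an unknown zone
    increments = raw & 0x7F
    if increments >= 64:  # 7-bit two's complement: 64..127 are negative
        increments -= 128
    return timedelta(minutes=15 * increments)


def exfat_to_utc(raw_ts: bytes, raw_offset: int) -> Optional[datetime]:
    """Combine both fields into an aware UTC datetime (None if no valid offset)."""
    local = parse_exfat_timestamp(raw_ts)
    offset = parse_exfat_utc_offset(raw_offset)
    if offset is None:
        return None
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


if __name__ == "__main__":
    print("local :", parse_exfat_timestamp(SAMPLE_TIMESTAMP_BYTES))
    print("offset:", parse_exfat_utc_offset(SAMPLE_UTC_OFFSET))
    print("UTC   :", exfat_to_utc(SAMPLE_TIMESTAMP_BYTES, SAMPLE_UTC_OFFSET))
```

Run it against the scenario's values and compare what the offset byte actually encodes with the decoding stated above.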

This finding was important, as it showed that the file was created several hours after the employee had officially left the organization. You were relieved... However, no one had touched this laptop after the employee’s resignation, so how was the file created at that time?!

You were thinking of reviewing the CCTV footage to check whether anyone really had opened the laptop in the storage room...

Here is the task: Is this wrong or not? Why? If so, what would you have done differently instead? Put your answer in the comment section, so I can review it for you.

Be a Better Detective. 🕵
I hope this content opened your eyes and makes you more aware in such cases.

💡By the way, if you liked such challenges and topics, you would definitely like my digital forensics coaching program, where we go through a full computer forensic case A-Z with peer review insights and hands-on guidance.

Cya till the next week ~Hoxed

You can find me on other social media here.

Thank you for reading this post, hope it was useful!

I can help you further with:

1️⃣ Cybersecurity Investigation Projects
2️⃣ Digital Forensic Coaching
3️⃣ LinkedIn Cybersecurity Companies Branding

Click here, so we can talk!

Here are some amazing partners’ platforms to learn from; click on the one you are most interested in:

Note: These are affiliate links to companies I work with and I believe their content would be valuable to you. Using them helps support my content.
