A timestamp conversion / decoding reference list.
This is a reference for timestamp conversion. There are good free tools for decoding timestamps, such as DCode, but nothing open source that I've found. Also, while many parsing guides explain how to parse the timestamps relevant to the artifact being discussed, I don't know of any central reference list for timestamp conversion. This wiki attempts to fill that void. THIS IS A WORK IN PROGRESS and will hopefully keep expanding.
All timestamps will be listed in the Timestamp Reference Table, and the "Parsing" column will contain a link to the specific parsing guide for that type of timestamp (if available). Every effort has been made to ensure that the data is accurate, and references are cited whenever possible. However, this list may still contain errors. If you identify any errors or omissions, please contact me!
Since Unix/POSIX time is essentially the standard timestamp, supported by most programming languages and by the date command line utility on all ‘nix systems, the parsing strategies for other types of timestamps will often focus on converting them to a Unix timestamp, which can then be decoded using the strategies supplied in the Unix time entry of the reference.
Currently, all parsing strategies convert to the examiner's system local time. Examples could be shown for how to convert timestamps into other time zones (including UTC/GMT), but this can easily be learned by referencing the man pages for the relevant commands or by Googling for date/time functions within a given programming language. The main purpose of this page is to show how to convert the timestamps, not to teach specific date/time functions within multiple programming languages (this is beyond the scope of this page).
When viewing examples of each timestamp, it should be kept in mind that different artifacts display these timestamps in different formats, namely hexadecimal and decimal (but possibly also binary). For instance, the example for the Windows FILETIME structure is given in hexadecimal: CD4E55C301CC485A (Fri, 22 July 2011 10:33:31 UTC), but this could also be expressed as 14793856121995806810 (decimal), or as 1100110101001110010101011100001100000001110011000100100000000000 (binary). Keep this in mind when decoding timestamps and adjust the value accordingly.
Just as Y2K caused problems because most software stored the year as only two decimal digits, the Unix timestamp is approaching its own end-of-life as we know it because of its 32-bit limitation. Unix time, as explained in the reference table below, is a 32-bit integer containing a date expressed as the number of seconds since 01/01/1970 00:00:00 UTC. At exactly 01/19/2038 03:14:07 UTC, an integer overflow will occur because the stored number will exceed 2^31 − 1 (the largest number that can be stored in a signed 32-bit integer). This will cause all timestamps stored in Unix time to report that it is 1901 rather than 2038 (see a visualization of this here). Because of this limitation of 32-bit timestamps, most timestamps now use 64-bit integers to store date and time information.
Most programming languages can easily work with standard Unix timestamps, and Linux and Unix have the native date command, which makes it easy to convert Unix timestamps to a human-readable date/time on the command line.
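The following Python is an added example, not code from this wiki, that shows the two points above in working form: decoding a Unix timestamp to UTC, and what a signed 32-bit field does to the value one second past 2^31 − 1. It also accepts the raw value in decimal, hex or binary, since artifacts present the same number in different bases. The hex value 0x4E2951FB is a constructed input that I computed for the 22 July 2011 10:33:31 UTC date used elsewhere on this page; it is not a value the page itself lists. Epoch arithmetic is used instead of datetime.fromtimestamp() so that pre-1970 (negative) values decode on every platform.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1   # 2147483647: the last second a signed 32-bit time_t can hold


def normalize_raw(value: str) -> int:
    """Turn a timestamp written as decimal, hex (0x...) or binary (0b...) into an int.
    The base prefix decides how the digits are read; plain digits are decimal."""
    return int(value.strip(), 0)


def unix_to_utc(seconds: int) -> datetime:
    """Decode a Unix/POSIX timestamp (seconds since 1970-01-01 00:00:00 UTC)
    into a timezone-aware UTC datetime. Works for negative values as well."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def wrap_to_int32(value: int) -> int:
    """Reinterpret an integer the way a signed 32-bit field would store it:
    keep the low 32 bits, then treat bit 31 as the sign bit."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value > INT32_MAX else value


def decode_as_32bit(seconds: int) -> datetime:
    """Decode a Unix timestamp as a 32-bit signed time_t would see it.
    One second past INT32_MAX wraps to -2**31, i.e. December 1901."""
    return unix_to_utc(wrap_to_int32(seconds))


if __name__ == "__main__":
    # Constructed demonstration values (not from the page).
    print(unix_to_utc(INT32_MAX))                      # last valid second, 2038-01-19
    print(decode_as_32bit(INT32_MAX + 1))              # overflowed: 1901-12-13
    print(unix_to_utc(normalize_raw("0x4E2951FB")))    # hex input, decimal 1311330811
```

Running the block prints the 2038 boundary, the wrapped 1901 date that the paragraph above describes, and the decoded hex sample; in an investigation the same `normalize_raw` call lets you paste a value straight from a hex viewer or a decimal database column.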
Converting PRTime isn't very difficult because it shares the same epoch as standard Unix time (midnight GMT/UTC on January 1, 1970). To convert PRTime into Unix time, divide the PRTime by one million (1000000) and drop any decimal places; the result is a Unix timestamp.
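As an added example (my code, not the wiki's), here is the PRTime conversion just described, written so that the fraction is dropped exactly as the text says (truncation toward zero, which matters for the rare pre-1970 negative value), plus a direct decode that keeps the microseconds the Unix conversion throws away and a round-trip check. The sample value 1311330811123456 is constructed: it is the 22 July 2011 10:33:31 UTC date used elsewhere on this page with a made-up microsecond part, not a value taken from any artifact.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MICROSECONDS_PER_SECOND = 1_000_000

# Constructed sample PRTime: 2011-07-22 10:33:31.123456 UTC (not from the page).
SAMPLE_PRTIME = 1311330811123456


def prtime_to_unix(prtime: int) -> int:
    """Convert PRTime (microseconds since the Unix epoch) to whole Unix seconds.
    Divide by one million and drop the fraction; truncating toward zero keeps
    negative (pre-1970) values consistent with how positive ones are cut."""
    seconds, _fraction = divmod(abs(prtime), MICROSECONDS_PER_SECOND)
    return seconds if prtime >= 0 else -seconds


def prtime_to_utc(prtime: int) -> datetime:
    """Decode PRTime directly, keeping the sub-second part the Unix path loses."""
    return UNIX_EPOCH + timedelta(microseconds=prtime)


def prtime_from_utc(dt: datetime) -> int:
    """Inverse conversion, used here to cross-check a decoded value."""
    delta = dt.astimezone(timezone.utc) - UNIX_EPOCH
    return (delta.days * 86400 + delta.seconds) * MICROSECONDS_PER_SECOND + delta.microseconds


if __name__ == "__main__":
    unix_seconds = prtime_to_unix(SAMPLE_PRTIME)
    print(unix_seconds)                                    # 1311330811
    print(UNIX_EPOCH + timedelta(seconds=unix_seconds))    # second precision
    print(prtime_to_utc(SAMPLE_PRTIME))                    # microsecond precision
    print(prtime_from_utc(prtime_to_utc(SAMPLE_PRTIME)) == SAMPLE_PRTIME)
```

When a timeline needs sub-second ordering of events, decode with `prtime_to_utc` rather than going through the truncated Unix value; the Unix path is fine for feeding the value to tools that only understand whole seconds.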