TimestampConversion  
A timestamp conversion / decoding reference list.
Updated Mar 15, 2012 by digitalo...@gmail.com

Introduction

This is a reference for timestamp conversion. There are good free tools for decoding timestamps such as DCode, but nothing open source that I've found. Also, while many parsing guides explain how to parse the timestamps relevant to the artifact being discussed, I don't know of any central reference list for timestamp conversion. This wiki will attempt to fill this void. THIS IS A WORK IN PROGRESS and will hopefully keep expanding.

All timestamps will be listed in the Timestamp Reference Table, and the "Parsing" column will contain a link to the specific parsing guide for that type of timestamp (if available). All attempts have been made to ensure that data is accurate, and references are cited whenever possible. However, it is possible that this list could be wrong. If you identify any errors or omissions, please contact me!

A Note on Parsing

Since Unix/POSIX time is essentially the standard timestamp and is supported by most programming languages and by the date command line utility on all *nix systems, strategies for parsing other types of timestamps will often focus on converting them to a Unix timestamp, after which they can easily be decoded using the strategies supplied in that reference.

Currently all parsing strategies convert to the examiner's system local time. Examples could be shown for how to convert timestamps into other time zones (including UTC/GMT), but this can easily be learned by referencing man pages for the relevant commands or by searching for the date/time functions of a given programming language. The main purpose of this page is to show how to convert the timestamps, not to teach specific date/time functions within multiple programming languages (this is beyond the scope of this page).

When viewing examples of each timestamp, it should be kept in mind that different artifacts display these timestamps in different formats, namely hexadecimal and decimal (but possibly also binary). For instance, the example for the Windows FILETIME structure is given in hexadecimal: CD4E55C301CC485A (Fri, 22 July 2011 10:33:31 UTC), but this could also be expressed as 14793856121995806810 (decimal), or as 1100110101001110010101011100001100000001110011000100100000000000 (binary). Keep this in mind when decoding timestamps and adjust the value accordingly.

2038 and the Unix Timestamp Dilemma

Just as Y2K caused problems because most software stored the year as only two decimal digits, the Unix timestamp is facing its end-of-life as we know it due to its 32-bit limitation. Unix time, as explained in the reference table below, is a 32-bit integer containing a date expressed as the number of seconds since 01/01/1970 00:00:00 UTC. On exactly 01/19/2038 03:14:07 UTC, an integer overflow will occur as the number stored will exceed 2^31 − 1 (the largest number that can be stored in a signed 32-bit integer). This will cause all timestamps stored in Unix time to report that it is 1901 rather than 2038 (see a visualization of this here). Because of the limitation of 32-bit timestamps, most timestamps now use 64-bit integers to store time and date information.

Timestamp Reference Table

Each entry lists: Date/Time Format; Where Found; Example; Explanation; Reference; Parsing.

Apple Time: see "CF Mach Absolute Time".

CF Mach Absolute Time
  Where found: Mac OS X operating system artifacts
  Example: 219216022 (Thu, 13 December 2007 05:20:22 UTC)
  Explanation: 32-bit integer, number of seconds since 01/01/2001 00:00:00 UTC
  Reference: http://developer.apple.com/library/mac/...reference.html
             http://developer.apple.com/library/mac/#qa/qa1398/_index.html
             http://linuxsleuthing.blogspot.com/2011/02/calculating-embedded-os-x-times.html
  Parsing: Coming soon

Firefox Time: see "PRTime".

Google Chrome Time: see "Webkit Format".

Mac Absolute Time: see "CF Mach Absolute Time".

POSIX Time: see "Unix Time".

PRTime
  Where found: Mozilla Firefox SQLite artifacts
  Example: 1311342171303080 (Fri, 22 Jul 2011 13:42:51 UTC)
  Explanation: 64-bit integer, number of microseconds since 01/01/1970 00:00:00 UTC
  Reference: http://developer.mozilla.org/en/PRTime
             http://www.firefoxforensics.com/research/prtime.shtml
  Parsing: PRTime Guide

Unix Time
  Where found: Linux, Unix, all over the place!
  Example: 1311341729 (Fri, 22 Jul 2011 13:35:29 UTC)
  Explanation: 32-bit integer, number of seconds since 01/01/1970 00:00:00 UTC
  Reference: http://en.wikipedia.org/wiki/Unix_time
             http://www.epochconverter.com
  Parsing: Unix Guide

Webkit Format
  Where found: Google Chrome SQLite databases
  Example: 12883423549317375 (Sun, 05 April 2009 16:45:49 UTC)
  Explanation: 64-bit integer, number of microseconds since 01/01/1601 00:00:00 UTC
  Reference: http://codesearch.google.com/...package=chromium&type=cs&l=419
             http://linuxsleuthing.blogspot.com/2011/06/decoding-google-chrome-timestamps-in.html
  Parsing: Coming soon

Windows Standard Win32 FILETIME Structure
  Where found: NTFS MFT entries
  Example: 01CC4A120034F21C (Sun, 24 July 2011 14:57:26 UTC)
  Explanation: 64-bit integer, big endian, number of 100 nanosecond intervals since 01/01/1601 00:00:00 UTC
  Reference: http://www.sandersonforensics.com/files/...stamps.pdf
  Parsing: Coming soon

Windows FILETIME (Formatted) Structure
  Where found: Windows email headers
  Example: CD4E55C3:01CC485A (Fri, 22 July 2011 10:33:31 UTC)
  Explanation: 64-bit integer, number of 100 nanosecond intervals since 01/01/1601 00:00:00 UTC. The structure consists of two 32-bit values that combine to form a single 64-bit value.
  Reference: http://support.microsoft.com/kb/188768
             http://msdn.microsoft.com/en-us/library/ms724284(v=vs.85).aspx
  Parsing: Coming soon

Parsing Guides

Parsing Unix/POSIX Timestamps

Most programming languages can easily work with standard Unix timestamps, and Linux and Unix have the native date command which makes it easy to convert Unix timestamps to human-readable date/time on the command line.

  • Unix/Linux Command Line: date -d @1311341729
  • Mac Terminal Command Line: date -r 1311341729
  • SQLite Statement: SELECT datetime(1311341729, 'unixepoch', 'localtime')
  • Python: first import time, then run: time.strftime("%a, %d %b %Y %H:%M:%S", time.localtime(1311341729))

Parsing PRTime Timestamps

Converting PRTime isn't very difficult because it shares the same epoch as standard Unix time (midnight GMT/UTC on January 1, 1970). To convert PRTime into Unix time, divide the PRTime by one million (1000000) and drop any decimal places, then you will have a Unix timestamp.

  • SQLite Statement: SELECT datetime(1311342171303080/1000000, 'unixepoch', 'localtime')
  • Python: first import time, then run: time.strftime("%a, %d %b %Y %H:%M:%S", time.localtime(1311342171303080 // 1000000)) (the // operator performs integer division, which drops the fractional second as described above)
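The conversions in the reference table and the two parsing guides above, collected into one decoder (added example, not code from the original wiki). It works in UTC rather than local time, decodes the HFS+ value suggested in the comments below as well, and includes a helper that reinterprets a Unix timestamp as a signed 32-bit integer to show the 2038 wrap-around discussed earlier. The epoch constants are taken from the table; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Epochs listed in the reference table (all UTC).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)      # Unix, PRTime
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME, Webkit
CF_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)        # CF Mach Absolute Time
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)       # HFS+ (HFS uses local time)

def unix_to_utc(seconds):
    return UNIX_EPOCH + timedelta(seconds=seconds)

def prtime_to_utc(microseconds):
    # Same epoch as Unix time; integer division drops the fractional second.
    return unix_to_utc(microseconds // 1_000_000)

def webkit_to_utc(microseconds):
    # Microseconds since 1601, so no Unix conversion step is needed.
    return FILETIME_EPOCH + timedelta(microseconds=microseconds)

def filetime_to_utc(ticks):
    # 100-nanosecond intervals since 1601: 10 ticks per microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def formatted_filetime_to_utc(text):
    # Email-header form "LLLLLLLL:HHHHHHHH": low 32-bit word first, then high.
    low, high = (int(part, 16) for part in text.split(":"))
    return filetime_to_utc((high << 32) | low)

def cf_absolute_to_utc(seconds):
    return CF_EPOCH + timedelta(seconds=seconds)

def hfs_plus_to_utc(seconds):
    return HFS_EPOCH + timedelta(seconds=seconds)

def signed32_wrap(unix_seconds):
    # Reinterpret the value as a signed 32-bit integer, as a 2038-affected system would.
    wrapped = unix_seconds & 0xFFFFFFFF
    if wrapped >= 0x80000000:
        wrapped -= 0x100000000
    return unix_to_utc(wrapped)

def fmt(dt):
    return dt.strftime("%a, %d %b %Y %H:%M:%S UTC")

if __name__ == "__main__":
    print(fmt(formatted_filetime_to_utc("CD4E55C3:01CC485A")))  # table example
    print(fmt(signed32_wrap(2**31)))  # one second past 2038-01-19 03:14:07 lands in 1901
```

Hexadecimal values such as the NTFS FILETIME example are passed as int("01CC4A120034F21C", 16) or the literal 0x01CC4A120034F21C; decimal values are passed as-is.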

Comment by pabl...@gmail.com, Mar 23, 2012

From http://www.sandersonforensics.com/forum/content.php?131-A-brief-history-of-time-stamps, you can also add this entry to the table:

HFS time

"Used in the Macintosh operating systems and records the number of seconds since 1st January 1904 GMT. In HFS this is local time, in HFS+ this is GMT."

These are timestamp examples:

C3554ECD HFS (Mon, 05 November 2007 22:50:53 Local)

C3554ECD HFS+ (Mon, 05 November 2007 22:50:53 UTC)

Comment by project member digitalo...@gmail.com, Apr 25, 2012

Thanks for sharing pablojr!
