So in #DFIR you'll come across lots (and lots) of timestamps. Let's take a quick dive into this weird and wonderful world....(1/x)
For Windows, FILETIME is your main man. It's a 64-bit value that represents the number of 100-nanosecond intervals that have elapsed since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC). (2/x) docs.microsoft.com/en-au/windows/…
So why 1601? According to Microsoft, "The Gregorian calendar operates on a 400-year cycle, and 1601 is the first year of the cycle...active at the time Windows NT was being designed...it was chosen to make the math come out nicely." Seems fair. (3/x) devblogs.microsoft.com/oldnewthing/20…
If you have a binary blob (say, from a carved registry or unknown key) then you can scan the blob for valid FILETIME records with this short script. (4/x) github.com/mattnotmax/bru…
Before FILETIME, there was MS-DOS time. It's pretty rubbish: only 2 sec accuracy and stored in local time. Still, things like USBs can be FAT32 so it's important to understand. docs.microsoft.com/en-au/windows/…. Brian Carrier has a breakdown in File System Forensic Analysis (p 263) (5/x)
In the Unix world, we are ruled by the Unix epoch which is the number of seconds since 00:00:00 UTC on 1 January 1970. You'll see this a lot given the plethora of devices running Unix/Linux. (6/x)
Some random Unix epoch facts:
- leap seconds aren't counted.
- 23:31:30 UTC on Fri 13 February 2009 was represented by 1234567890 (oooh, spooky)
- get you party hat on Sun 13 September 2020 at 12:26:40 UTC when the clock ticks over to 1600000000 (7/x)
- leap seconds aren't counted.
- 23:31:30 UTC on Fri 13 February 2009 was represented by 1234567890 (oooh, spooky)
- get you party hat on Sun 13 September 2020 at 12:26:40 UTC when the clock ticks over to 1600000000 (7/x)
The two most useful Excel formulae in the world are:
=(A1/86400)+DATE(1970,1,1) to convert UNIX -> Date/Time
=(A1-DATE(1970,1,1))*86400 to convert Date/Time -> UNIX
don't @ me. (8/x)
=(A1/86400)+DATE(1970,1,1) to convert UNIX -> Date/Time
=(A1-DATE(1970,1,1))*86400 to convert Date/Time -> UNIX
don't @ me. (8/x)
Chrome, Mac and others use varieties of an epoch measured in seconds, milliseconds and nanoseconds. Generally playing around in Excel/CyberChef or Python will get you there. Or just be smart and use either DCode or Sanderson DateDecoder digital-detective.net/dcode/ (9/x)
But quick examples:
- HFS+: Seconds since January 1, 1904 12:00:00 AM UTC
- Mac “Absolute Time”: Seconds since January 1, 2001, 12:00:00 AM UTC.
- Chrome/Webkit: Milliseconds since January 1, 1601, 12:00:00 AM UTC.
Ref & thanks: medium.com/@bromiley/tool… (10/x)
- HFS+: Seconds since January 1, 1904 12:00:00 AM UTC
- Mac “Absolute Time”: Seconds since January 1, 2001, 12:00:00 AM UTC.
- Chrome/Webkit: Milliseconds since January 1, 1601, 12:00:00 AM UTC.
Ref & thanks: medium.com/@bromiley/tool… (10/x)
So where else can we find timestamps? Everywhere! There are Google ei timestamps in URLs (see: bitofhex.com/2018/05/29/cyb… for details) and the #Cyberchef recipe: gchq.github.io/CyberChef/#rec… (11/x) 
UUIDs can also hold a timestamp (see: tools.ietf.org/html/rfc4122#s…). Of course, they have to do it different and it's based on a count of 100-nanosecond intervals since 00:00:00.00, 15 October 1582 (the date the old, Julian calendar changed to the new, Gregorian one). (12/x)
There are custom implementations. @_RyanBenson recent tweets reminded me that Twitter implements the 'Snowflake ID' which contains a timestamp. To convert this in Python take the Snowflake ID and perform a bitwise shift to the right by 22 and add 'their' epoch as below. (13/x)
So how can you keep your timestamps in check?
- Use ISO 8601 format where possible. Something like: YYYY-MM-DD HH:MM:SS. (I have no words for you MM-DD-YYYY people).
- I've avoided time-zones because really there only is one true timezone: time.is/UTC (14/x)
- Use ISO 8601 format where possible. Something like: YYYY-MM-DD HH:MM:SS. (I have no words for you MM-DD-YYYY people).
- I've avoided time-zones because really there only is one true timezone: time.is/UTC (14/x)
I'm sure other people will know of other useful tidbits and timestamp formats (web/database/mobile/file system?) Please share any interesting ones you've come across! Thanks! (15/end)
(now here is a cat with lasers GIF)
(now here is a cat with lasers GIF)
