
Code Snippets

Code snippets and command line gymnastics useful for Linux-based forensics

Converting epoch times

Date and time stamps are often recorded as offsets from an epoch, the reference date from which time is counted. There is the Unix epoch (1970-01-01 00:00:00), Mac Absolute time (2001-01-01 00:00:00), Windows time (1601-01-01 00:00:00) and GPS time (1980-01-06 00:00:00), to name a very few. The stamps themselves are most often recorded as the number of seconds, milliseconds, or even nanoseconds since that epoch.

The unix date command assumes the Unix epoch and seconds (as opposed to milliseconds, etc.) when calculating dates.

$ date -d @1378937703
Wed Sep 11 15:15:03 PDT 2013

The command above can be interpreted as "1,378,937,703 seconds elapsed between 1970-01-01 00:00:00 UTC and 2013-09-11 15:15:03 PDT." The command is just a shorthand for:

$ date -d "UTC 1970-01-01 1378937703 sec"
Wed Sep 11 15:15:03 PDT 2013

In this second command, we supply the epoch date for the calculation ourselves; the time 00:00:00 is assumed. By extension, we can substitute another epoch, such as Windows time, for the Unix epoch. Here is a calculation I recently did on a time stamp from a Windows MFT name ($FILE_NAME) attribute:

$ date -d "UTC 1601-01-01 12846227541 sec"
Wed Jan 30 20:32:21 PST 2008

The time stamp in the name attribute is a 64-bit (8-byte) little-endian integer counting 100-nanosecond intervals since 1601-01-01 00:00:00 UTC. Thus, I first converted the hex to an integer and then divided by 10,000,000 to get the whole seconds the date command expects. Note that the integer division discards the sub-second part, so the fraction of a second in the raw value is lost in the rendered date.
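The whole conversion, from the raw little-endian bytes to a date, as a small bash script. This is an added example and not code from the original post; the eight sample bytes are constructed so that they encode the same instant as the 12,846,227,541 seconds above, and the function names are my own. It also generalises the "UTC epoch-date N sec" trick to any epoch date:

```bash
#!/bin/bash
# Added example (not from the original post): converting a raw Windows
# FILETIME, as found in an MFT $FILE_NAME attribute, into a date with GNU date.

# Seconds between the Windows epoch (1601-01-01) and the Unix epoch (1970-01-01).
WIN_TO_UNIX_OFFSET=11644473600

# Take a string of little-endian hex bytes ("80 F8 D9 ..."), reverse the byte
# order to get a big-endian number and print it in decimal (bash arithmetic is 64-bit).
le_hex_to_int() {
    local hex rev
    hex=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    rev=$(printf '%s' "$hex" | sed 's/../& /g' \
          | awk '{ for (i = NF; i > 0; i--) printf "%s", $i }')
    echo $(( 0x$rev ))
}

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC,
# so integer-divide by 10,000,000 to get seconds since the Windows epoch
# (the sub-second remainder is discarded).
filetime_to_win_seconds() {
    echo $(( $1 / 10000000 ))
}

# Shift from the Windows epoch to the Unix epoch so `date -d @N` can be used.
filetime_to_unix() {
    echo $(( $1 / 10000000 - WIN_TO_UNIX_OFFSET ))
}

# Render a Unix time; TZ is pinned to UTC so the output does not depend on the host.
unix_to_date() {
    TZ=UTC date -d "@$1" +'%Y-%m-%d %H:%M:%S UTC'
}

# The post's trick generalised: seconds counted from an arbitrary epoch date.
#   $1 = epoch date (YYYY-MM-DD), $2 = whole seconds since that epoch
epoch_seconds_to_date() {
    TZ=UTC date -d "UTC $1 $2 sec" +'%Y-%m-%d %H:%M:%S UTC'
}

# Constructed sample input: the little-endian bytes of FILETIME 0x01C863C244D9F880,
# i.e. 128462275410000000 intervals, the same instant as 12846227541 s since 1601.
SAMPLE_LE_BYTES='80 F8 D9 44 C2 63 C8 01'

ft=$(le_hex_to_int "$SAMPLE_LE_BYTES")
echo "FILETIME (decimal):        $ft"
echo "Seconds since 1601-01-01:  $(filetime_to_win_seconds "$ft")"
echo "Unix seconds:              $(filetime_to_unix "$ft")"
echo "Date via Unix epoch:       $(unix_to_date "$(filetime_to_unix "$ft")")"
echo "Date via Windows epoch:    $(epoch_seconds_to_date 1601-01-01 "$(filetime_to_win_seconds "$ft")")"
```

Both paths print 2008-01-31 04:32:21 UTC, which is the Jan 30 20:32:21 PST shown above. Swap the epoch date for 2001-01-01 or 1980-01-06 to handle Mac Absolute or GPS counts (GPS time additionally does not count leap seconds, so expect a drift of some seconds against UTC).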
