Code Snippets

Code snippets and command line gymnastics useful for Linux-based forensics

Converting epoch times

Date and time stamps are often recorded as epoch times: counts measured from an epoch, the date from which time measurement begins. There's unixepoch (1970-01-01 00:00:00), Mac Absolute (2001-01-01 00:00:00), Windows Time (1601-01-01 00:00:00) and GPS Time (1980-01-06 00:00:00), to name a few. Date stamps are most often recorded as the number of seconds, milliseconds, or even nanoseconds from a particular epoch.

The unix date command assumes the unixepoch and a count in seconds (as opposed to milliseconds, etc.) when calculating dates.

$ date -d @1378937703
Wed Sep 11 15:15:03 PDT 2013

The command above can be interpreted as "There have been 1,378,937,703 seconds between 2013-09-11 15:15:03 PDT and 1970-01-01 00:00:00 UTC." The command is just shorthand for:

$ date -d "UTC 1970-01-01 1378937703 sec"
Wed Sep 11 15:15:03 PDT 2013

In this second command, we supply the epoch date explicitly; the time 00:00:00 is assumed. By extension, we can substitute another epoch, such as Windows time, for the unixepoch. Here is a calculation I recently made from a Windows MFT name attribute:

$ date -d "UTC 1601-01-01 12846227541 sec"
Wed Jan 30 20:32:21 PST 2008

The time stamp in the name attribute is an 8-bit little-endian integer representing nanoseconds since UTC 1601-01-01 00:00:00. Thus, I had to first convert the hex to an integer and then divide by 1,000,000 to convert to seconds for the date command operation.
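Added example, not code from the original post: a small POSIX shell helper that generalises the date trick above to the other epochs named at the top of this page and to the sub-second units forensic artefacts actually use. It normalises the raw count to Unix seconds (applying each epoch's offset) and then uses the date -d @N form from the first command, rather than the relative "sec" form, so the arithmetic stays visible. It assumes the standard Windows FILETIME layout: a 64-bit little-endian count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, which is why a FILETIME is divided by 10,000,000 to get seconds. The function names and the hex byte string in the demo are mine, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): normalise a raw timestamp
# counted from one of the epochs named above into Unix seconds, then let
# `date -d @N` do the calendar work.

# Unix-epoch value (in seconds) of each epoch's zero point.
epoch_offset() {
    case "$1" in
        unix)    printf '%s\n' 0 ;;
        mac)     printf '%s\n' 978307200 ;;    # 2001-01-01 00:00:00 UTC
        gps)     printf '%s\n' 315964800 ;;    # 1980-01-06 00:00:00 UTC
        windows) printf '%s\n' -11644473600 ;; # 1601-01-01 00:00:00 UTC
        *)       echo "unknown epoch: $1" >&2; return 1 ;;
    esac
}

# Ticks per second for the counter resolution: s, ms, us, 100ns (FILETIME), ns.
unit_divisor() {
    case "$1" in
        s)     printf '%s\n' 1 ;;
        ms)    printf '%s\n' 1000 ;;
        us)    printf '%s\n' 1000000 ;;
        100ns) printf '%s\n' 10000000 ;;
        ns)    printf '%s\n' 1000000000 ;;
        *)     echo "unknown unit: $1" >&2; return 1 ;;
    esac
}

# epoch_to_utc <epoch> <count> <unit>  ->  "YYYY-MM-DD HH:MM:SS" in UTC
# Integer division discards the sub-second remainder.
epoch_to_utc() {
    offset=$(epoch_offset "$1") || return 1
    div=$(unit_divisor "$3") || return 1
    secs=$(( $2 / div + offset ))
    date -u -d "@$secs" '+%Y-%m-%d %H:%M:%S'
}

# le_bytes_to_int "b0 b1 b2 ..."  ->  decimal value of a little-endian byte
# string as it appears in a hex dump (first byte is least significant).
le_bytes_to_int() {
    hex=""
    for b in $1; do hex="$b$hex"; done   # reverse the byte order
    printf '%s\n' $(( 0x$hex ))
}

# Demo with the two values from the post above plus a constructed FILETIME
# byte string (80 F8 D9 44 C2 63 C8 01 = 0x01C863C244D9F880), which encodes
# the same instant as the 12846227541-second example in 100 ns ticks.
demo() {
    epoch_to_utc unix    1378937703  s
    epoch_to_utc windows 12846227541 s
    epoch_to_utc windows "$(le_bytes_to_int '80 F8 D9 44 C2 63 C8 01')" 100ns
}
demo
```

Output is printed in UTC because of -u; drop that flag to get the local-timezone rendering the post's own commands show (PDT/PST above). If sub-second precision matters, print the remainder of the division alongside rather than relying on the truncated seconds.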
