How many "Epoch" times? Epochalypse.py timestamp converter
Interpreting and converting timestamps in the right format (and especially the right timezone) is paramount in every analysis. Conveniently enough, all forensic analysis suites do this automatically for us, and there are also some utilities, some available online [1], some free [2] and some others not really [3], which help converting epoch times. However, all of those I have found are GUI based (and mostly MS Windows utilities), so if you mainly or often work from the command line you have to do the conversion manually yourself.
In dealing with "epoch" times, the tough part is to remember all of them, i.e. the day zero of the different systems. When saying Epoch time, we usually tend to refer to The Epoch time as per Unix time, which represents the number of seconds elapsed since January 1, 1970 00:00:00. But if we are doing an analysis on an iPhone, for example, iOS uses Mac Absolute time (or Cocoa time) [4], which represents the number of seconds elapsed since January 1, 2001 00:00:00. What if you are on Mac OS X? Yet another one: HFS+ counts the number of seconds since January 1, 1904 00:00:00. NTFS? Even nicer, the number of 100-nanosecond intervals since January 1, 1601 00:00:00 [5]. And the list goes on and on, you get it.
So I thought I would automate the conversion and collect the most frequent Epoch times I encounter into a script, epochalypse.py.
At the moment, this is the list of Epoch timestamps supported:
| TIMESTAMP        | EPOCH                   | RESOLUTION |
|------------------+-------------------------+------------|
| Mac OS X (HFS+)  | 1904-01-01 00:00:00 UTC | 1 s        |
| Cocoa            | 2001-01-01 00:00:00 UTC | 1 s        |
| WebKit           | 1601-01-01 00:00:00 UTC | 1 μs       |
| Unix             | 1970-01-01 00:00:00 UTC | 1 s        |
| Microsoft (NTFS) | 1601-01-01 00:00:00 UTC | 100 ns     |
| FAT              | 1980-01-01 00:00:00 UTC | 1 s        |
Usage is quite straightforward: use the -e option to pass the epoch time to be converted, and that's it.
Argo:epochalypse paco$ python epochalypse.py
usage: epochalypse.py [-h] [-e]
optional arguments:
-h, --help show this help message and exit
-e , --epoch Epoch time to be converted
As you can see from this simple test, if you pass 0 it will give back the starting point of each epoch time:
Argo:epochalypse paco$ python epochalypse.py -e 0
##########################################################
# #
# Epochalypse - Epoch time converter utility #
# by Pasquale Stirparo, @pstirparo #
# #
##########################################################
Epoch Time input to be converted: 0
Unix: 1970-01-01 00:00:00 UTC
COCOA: 2001-01-01 00:00:00 UTC
FAT: 1980-01-01 00:00:00 UTC
HFS+: 1904-01-01 00:00:00 UTC
WebKit: 1601-01-01 00:00:00 UTC
NTFS: 1601-01-01 00:00:00 UTC
If you pass any other value, it will try to compute the date for each different epoch; it is up to you to pick the one from the system you were referring to. If the input is not a valid one for a given epoch time, it will just leave that line empty.
Argo:epochalypse paco$ python epochalypse.py -e 1479650099
...
Epoch Time input to be converted: 1479650099
Unix: 2016-11-20 13:54:59 UTC
COCOA: 2047-11-21 13:54:59 UTC
FAT: 2026-11-20 13:54:59 UTC
HFS+: 1950-11-20 13:54:59 UTC
WebKit: 1601-01-01 00:24:39 UTC
NTFS: 1601-01-01 00:02:27 UTC
Argo:epochalypse paco$ python epochalypse.py -e -1479650099
...
Epoch Time input to be converted: -1479650099
Unix: 1923-02-11 10:05:01 UTC
COCOA: 1954-02-11 10:05:01 UTC
FAT: 1933-02-10 10:05:01 UTC
HFS+: -
WebKit: 1600-12-31 23:35:20 UTC
NTFS: 1600-12-31 23:57:32 UTC
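The same conversion, written out as an added example rather than the code from the pstirparo/utils repository, so that the table above and the two runs shown can be checked by hand. It takes the epoch starts and resolutions from the table, does the arithmetic in integer microseconds (so 100 ns ticks stay exact for large NTFS values), and adds a small helper, plausible(), for the "it is up to you to pick the right one" step: given a date window you expect for the artefact, it reports which interpretations land inside it. The function names, the date window and the way an unrepresentable result is reported (a dash) are this example's own choices, not the script's; how the original decides that an input is "not valid" for an epoch is not shown on the page, so this code only treats results outside Python's datetime range as invalid.

```python
#!/usr/bin/env python3
"""Added example (not the code from pstirparo/utils): interpret one raw
timestamp against every epoch in the diary's table and flag the results
that fall inside a plausible date window."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# name -> (epoch start, ticks per second), taken from the table above:
# 1 s resolution, 1 us for WebKit, 100 ns for NTFS (10**7 ticks per second).
EPOCHS = {
    "Unix":   (datetime(1970, 1, 1, tzinfo=UTC), 1),
    "COCOA":  (datetime(2001, 1, 1, tzinfo=UTC), 1),
    "FAT":    (datetime(1980, 1, 1, tzinfo=UTC), 1),
    "HFS+":   (datetime(1904, 1, 1, tzinfo=UTC), 1),
    "WebKit": (datetime(1601, 1, 1, tzinfo=UTC), 10**6),
    "NTFS":   (datetime(1601, 1, 1, tzinfo=UTC), 10**7),
}

# Constructed default window for plausible(): a realistic range for a
# modern evidence item.  Adjust to the case at hand.
DEFAULT_WINDOW = (datetime(2000, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, tzinfo=UTC))


def convert(value: int) -> dict:
    """Read ``value`` as a count of ticks since each epoch.

    Returns {name: datetime or None}; None means the result does not fit
    in Python's datetime range (years 1..9999), which this example reports
    the way the diary's script leaves a line empty.  Integer floor division
    keeps negative inputs (dates before the epoch) consistent.
    """
    out = {}
    for name, (start, per_second) in EPOCHS.items():
        micros = value * 10**6 // per_second
        try:
            out[name] = start + timedelta(microseconds=micros)
        except OverflowError:
            out[name] = None
    return out


def render(value: int) -> list:
    """Format like the script's output: 'NAME: YYYY-MM-DD HH:MM:SS UTC' or '-'."""
    lines = []
    for name, dt in convert(value).items():
        text = dt.strftime("%Y-%m-%d %H:%M:%S UTC") if dt else "-"
        lines.append(f"{name}: {text}")
    return lines


def plausible(value: int, window=DEFAULT_WINDOW) -> list:
    """Names of the epochs whose interpretation lies inside ``window``.

    When triaging an unknown numeric field, usually only one epoch yields a
    date that makes sense for the artefact; this narrows the candidates.
    """
    lo, hi = window
    return [name for name, dt in convert(value).items() if dt and lo <= dt <= hi]


if __name__ == "__main__":
    import sys
    # Default input is the diary's own sample value.
    raw = int(sys.argv[1]) if len(sys.argv) > 1 else 1479650099
    print(f"Epoch Time input to be converted: {raw}")
    print("\n".join(render(raw)))
    print("Plausible for 2000-2019:", ", ".join(plausible(raw)) or "none")
```

Run it with the value as the first argument (python3 epoch_example.py 1479650099); the output for 0 and for 1479650099 matches the runs shown above line for line. The one place it differs from the diary's run is the negative input: here HFS+ resolves to a date in 1857, where the original script printed a dash.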
That's it. This is a quick and dirty solution, but it was useful for me and I thought I would share it. If you would like to add any other timestamp, just reach out and let me know; I am more than happy to make it more comprehensive. Of course, any bug report is welcome as well. You can find the code in my GitHub repo: https://github.com/pstirparo/utils
Happy Hunting,
Pasquale
References:
[1] – EpochConverter, http://www.epochconverter.com/
[2] – Digital Detective, DCode, http://www.digital-detective.net/digital-forensic-software/free-tools/
[3] – BlackBag Technologies, Epoch Converter, https://www.blackbagtech.com/resources/freetools/epochconverter.html
[4] – Apple, Cocoa Date and Time Programming Guide, https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/DatesAndTimes/Articles/dtDates.html
[5] – Microsoft NTFS File Time, https://msdn.microsoft.com/en-us/library/windows/desktop/ms724290(v=vs.85).aspx
----
Pasquale Stirparo, Ph.D.
@pstirparo
Comments
Here are some reference web articles that describe some highlights of my adventure:
https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/
https://social.technet.microsoft.com/wiki/contents/articles/12814.active-directory-lastlogontimestamp-conversion.aspx
https://anandthearchitect.com/2014/02/13/lastlogontimestamp-how-to-parse-the-18-digit-number-in-powershell/
http://stackoverflow.com/questions/15387353/convert-datetime-value-to-integer8-for-activedirectory-query
My opinion: The Microsoft Integer8 date value is a fascinating, and annoying, computer math problem.
Anonymous
Nov 21st 2016