Interpreting and converting timestamps into the right format (and especially the right timezone) is paramount in every analysis. Conveniently enough, all forensic analysis suites do this automatically for us, and there are also some utilities, some available online [1], some free [2] and some not really [3], which help convert epoch times. However, all of those I have found are GUI based (and mostly MS Windows utilities), so if you mainly or often use the command line you have to do it manually yourself.

In dealing with "epoch" times, the tough part is to remember all of them, the day zero of the different systems. When saying Epoch time, we usually tend to refer to The Epoch time as per Unix time, which represents the number of seconds elapsed since January 1, 1970 00:00:00. But if we are doing an analysis on an iPhone, for example, iOS uses Mac Absolute time (or Cocoa time) [4], which represents the number of seconds elapsed since January 1, 2001 00:00:00. What if you are on Mac OS X? Yet another one: HFS+ counts the number of seconds since January 1, 1904 00:00:00. NTFS? Even nicer, the number of 100-nanosecond intervals since January 1, 1601 00:00:00 [5]. And the list goes on and on, you got it. So I thought I would automate the conversion and collect the most frequent Epoch times I encounter into a script, epochalypse.py.

| TIMESTAMP | EPOCH | RESOLUTION |
| Unix | January 1, 1970 00:00:00 | seconds |
| Mac Absolute (Cocoa) | January 1, 2001 00:00:00 | seconds |
| HFS+ | January 1, 1904 00:00:00 | seconds |
| NTFS | January 1, 1601 00:00:00 | 100 nanoseconds |
Usage is quite straightforward: use the -e option to pass the epoch time to be converted, and that's it.

optional arguments:

Argo:epochalypse paco$ python epochalypse.py -e 0
##########################################################
Epoch Time input to be converted: 0

If you pass any other value, it will try to compute the date for each different epoch; it is up to you to pick the one from the system you were referring to. If the input is not a valid one for a given epoch time, it will just leave the line empty.

Argo:epochalypse paco$ python epochalypse.py -e 1479650099

Argo:epochalypse paco$ python epochalypse.py -e -1479650099

That's it. This is a quick and dirty solution; it was useful for me and I thought I would share it. If you would like to add any other timestamp, just reach out and let me know, more than happy to make it more comprehensive. Of course, any bug report is welcome as well. You can find the code in my github repo https://github.com/pstirparo/utils

Happy Hunting,
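To make the conversion described above concrete, here is an added example (not the epochalypse.py script itself, and not the author's code) that takes one raw value and tries it against the four day-zero bases named in the post: Unix, Mac Absolute/Cocoa, HFS+ and NTFS FILETIME. The epoch names, the `convert()`, `to_epoch()` and `convert_all()` helpers and the `-e` command-line flag are this example's own choices. It uses integer arithmetic so that 100-nanosecond NTFS ticks are not rounded by floating point, walks backwards from day zero for negative inputs, and returns `None` (an empty line in the script's terms) where a value does not fit a given epoch.

```python
"""Try one raw epoch value against several well-known day-zero bases.

Added example, not the epochalypse.py script; the epoch names and the
helper functions below are this example's own choices.
"""
import argparse
from datetime import datetime, timedelta, timezone

# Each entry: (day zero in UTC, number of ticks per second).
# NTFS FILETIME counts 100-nanosecond ticks since 1601; the same base and
# tick size are used by Active Directory's Integer8 attributes.
EPOCHS = {
    "unix":  (datetime(1970, 1, 1, tzinfo=timezone.utc), 1),
    "cocoa": (datetime(2001, 1, 1, tzinfo=timezone.utc), 1),   # Mac Absolute time
    "hfs":   (datetime(1904, 1, 1, tzinfo=timezone.utc), 1),   # HFS+
    "ntfs":  (datetime(1601, 1, 1, tzinfo=timezone.utc), 10_000_000),  # FILETIME
}


def convert(value, epoch):
    """Return the UTC datetime for `value` ticks of the named epoch,
    or None if the result does not fit in a datetime."""
    base, ticks_per_sec = EPOCHS[epoch]
    # Integer arithmetic keeps 100 ns ticks exact (no float rounding);
    # divmod floors, so negative inputs walk backwards from day zero.
    secs, rem = divmod(value, ticks_per_sec)
    micros = rem * 1_000_000 // ticks_per_sec
    try:
        return base + timedelta(seconds=secs, microseconds=micros)
    except OverflowError:
        return None


def to_epoch(dt, epoch):
    """Inverse of convert(): ticks of the named epoch for a timezone-aware datetime."""
    base, ticks_per_sec = EPOCHS[epoch]
    delta = dt.astimezone(timezone.utc) - base
    # total_seconds() is a float; rebuild from the integer parts to stay exact.
    whole = delta.days * 86_400 + delta.seconds
    return whole * ticks_per_sec + delta.microseconds * ticks_per_sec // 1_000_000


def convert_all(value):
    """One candidate per epoch, None where the value does not fit; the analyst
    picks the row matching the system the value actually came from."""
    return {name: convert(value, name) for name in EPOCHS}


def fmt(dt):
    """Render a candidate, or an empty string for a value that did not fit."""
    return "" if dt is None else dt.strftime("%Y-%m-%d %H:%M:%S.%f UTC")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="epoch converter (added example)")
    parser.add_argument("-e", "--epoch", type=int, required=True,
                        help="raw epoch value to convert")
    args = parser.parse_args()
    for name, dt in convert_all(args.epoch).items():
        print(f"{name:6} {fmt(dt)}")
```

Run it as `python convert_epochs.py -e 1479650099` and the Unix row is the one that matches the post's own date; the same instant expressed as an NTFS FILETIME is the 18-digit value `to_epoch()` returns for it, which is why a FILETIME fed in as a Unix value lands a couple of minutes after 1601 rather than in 2016. `to_epoch()` expects a timezone-aware datetime so that a local-time value is never silently treated as UTC.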
References:
Pasquale Stirparo, Nov 20th 2016
A recent adventure in timestamp value conversions for my work involved the timestamp values used in AD objects.
Here are some reference web articles that describe some highlights of my adventure:

https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/
https://social.technet.microsoft.com/wiki/contents/articles/12814.active-directory-lastlogontimestamp-conversion.aspx
https://anandthearchitect.com/2014/02/13/lastlogontimestamp-how-to-parse-the-18-digit-number-in-powershell/
http://stackoverflow.com/questions/15387353/convert-datetime-value-to-integer8-for-activedirectory-query

My opinion: The Microsoft Integer8 date value is a fascinating, and annoying, computer math problem.
Anonymous, Nov 21st 2016