
How many “Epoch” times? Epochalypse.py timestamp converter, (Sun, Nov 20th)


Interpreting and converting timestamps in the right format (and especially timezone) is paramount in every analysis. Conveniently enough, all forensic analysis suites do this automatically for us, and there are also some utilities that help convert epoch times: some available online [1], some free [2] and some others not really [3]. However, all of those I have found are GUI based (and mostly MS Windows utilities), so if you mainly or often use the command line you have to do it manually yourself.

In dealing with epoch times, the tough part is remembering all of them, the day zero of the different systems. When saying Epoch time, we usually refer to the Epoch time as per Unix time, which represents the number of seconds elapsed since January 1, 1970 00:00:00. But if we are doing an analysis on an iPhone, for example, iOS uses Mac Absolute Time (or Cocoa time) [4], which represents the number of seconds elapsed since January 1, 2001 00:00:00. What if you are on Mac OS X? Yet another one: HFS+ counts the number of seconds from January 1, 1904 00:00:00. NTFS? Even nicer: the number of 100-nanosecond intervals since January 1, 1601 00:00:00 [5]. And the list goes on and on, you got it.

So I thought I would automate the conversion and collect the most frequent Epoch times I encounter into a script, epochalypse.py

| TIMESTAMP | EPOCH | RESOLUTION |
|----------------+---------------------------+--------------+
| Mac OSX (HFS+) | 1904-01-01 00:00:00 UTC | 1s |
|----------------+---------------------------+--------------+
| Cocoa | 2001-01-01 00:00:00 UTC | 1s |
|----------------+---------------------------+--------------+
| WebKit | 1601-01-01 00:00:00 UTC | 1s |
|----------------+---------------------------+--------------+
| Unix | 1970-01-01 00:00:00 UTC | 1s |
|----------------+---------------------------+--------------+
|Microsoft (NFTS)| 1601-01-01 00:00:00 UTC | 100ns |
|----------------+---------------------------+--------------+
| FAT | 1980-01-01 00:00:00 UTC | 1s |
|________________|___________________________|______________|

Usage is quite straightforward: use the -e option to pass the epoch time to be converted and that

optional arguments:
-h, --help show this help message and exit
-e , --epoch

##########################################################
# #
# Epochalypse - Epoch time converter utility #
# by Pasquale Stirparo, @pstirparo #
#

Epoch Time input to be converted: 0
Unix: 1970-01-01 00:00:00 UTC
COCOA: 2001-01-01 00:00:00 UTC
FAT: 1980-01-01 00:00:00 UTC
HFS+: 1904-01-01 00:00:00 UTC
WebKit: 1601-01-01 00:00:00 UTC
NTFS: 1601-01-01 00:00:00 UTC

If you pass any other value, it will try to compute for each different epoch, it

Argo:epochalypse paco$ python epochalypse.py -e 1479650099
...
Epoch Time input to be converted: 1479650099
Unix: 2016-11-20 13:54:59 UTC
COCOA: 2047-11-21 13:54:59 UTC
FAT: 2026-11-20 13:54:59 UTC
HFS+: 1950-11-20 13:54:59 UTC
WebKit: 1601-01-01 00:24:39 UTC
NTFS:

Argo:epochalypse paco$ python epochalypse.py -e -1479650099
...
Epoch Time input to be converted: -1479650099
Unix: 1923-02-11 10:05:01 UTC
COCOA: 1954-02-11 10:05:01 UTC
FAT: 1933-02-10 10:05:01 UTC
HFS+: -
WebKit: 1600-12-31 23:35:20 UTC
NTFS: 1600-12-31 23:57:32 UTC
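
The per-epoch interpretation shown in the runs above, as an added Python example (not the author's epochalypse.py, whose source is not on this page). It goes slightly beyond the article by adding `plausible()`, a hypothetical triage helper that lists which interpretations land in a believable year range; the function names, the 1990-2040 window and the unsigned treatment of HFS+ are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# name: (epoch start in UTC, ticks per second, accepts negative values?)
# Epochs are the ones listed in the article; WebKit is handled in microseconds,
# which is what the sample output above implies. Treating HFS+ as unsigned is
# this example's assumption for the "-" shown for negative input.
EPOCHS = {
    "Unix":   (datetime(1970, 1, 1, tzinfo=timezone.utc), 1, True),
    "COCOA":  (datetime(2001, 1, 1, tzinfo=timezone.utc), 1, True),
    "FAT":    (datetime(1980, 1, 1, tzinfo=timezone.utc), 1, True),
    "HFS+":   (datetime(1904, 1, 1, tzinfo=timezone.utc), 1, False),
    "WebKit": (datetime(1601, 1, 1, tzinfo=timezone.utc), 1_000_000, True),
    "NTFS":   (datetime(1601, 1, 1, tzinfo=timezone.utc), 10_000_000, True),
}

def convert(value, name):
    """Return the UTC datetime for `value` under one epoch, or None."""
    start, ticks_per_sec, signed = EPOCHS[name]
    if value < 0 and not signed:
        return None
    # Integer arithmetic keeps large 100 ns counts exact (no float rounding).
    secs, rem = divmod(value, ticks_per_sec)
    try:
        return start + timedelta(seconds=secs,
                                 microseconds=rem * 1_000_000 // ticks_per_sec)
    except OverflowError:  # result falls outside datetime's supported range
        return None

def convert_all(value):
    """Interpret `value` under every epoch; '-' marks an impossible one."""
    out = {}
    for name in EPOCHS:
        dt = convert(value, name)
        out[name] = dt.strftime("%Y-%m-%d %H:%M:%S UTC") if dt else "-"
    return out

def plausible(value, lo=1990, hi=2040):
    """Epoch names whose result falls in a believable year range."""
    hits = []
    for name in EPOCHS:
        dt = convert(value, name)
        if dt is not None and lo <= dt.year <= hi:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for raw in (1479650099, -1479650099, 131240000000000000):  # constructed inputs
        print(raw, convert_all(raw), plausible(raw))
```

A raw value that is plausible under more than one epoch (here Unix and FAT for 1479650099) still needs context from the artifact it came from to decide which interpretation is correct.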

That's it. This is a quick and dirty solution; it was useful for me and I thought I would share. If you would like to add any other timestamp, just reach out and let me know; I am more than happy to make it more comprehensive. Of course, any bug report is welcome as well. You can find the code in my GitHub repo: https://github.com/pstirparo/utils

Happy Hunting,
Pasquale

References:
[1] EpochConverter, http://www.epochconverter.com/
[2] Digital Detective, DCode, http://www.digital-detective.net/digital-forensic-software/free-tools/
[3] BlackBag Technologies, Epoch Converter, https://www.blackbagtech.com/resources/freetools/epochconverter.html
[4] Apple, Cocoa Date and Time Programming Guide, https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/DatesAndTimes/Articles/dtDates.html
[5] Microsoft NTFS File Time, https://msdn.microsoft.com/en-us/library/windows/desktop/ms724290(v=vs.85).aspx

----
Pasquale Stirparo, Ph.D.
@pstirparo

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
