Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: How many “Epoch” times? Epocalypse.py timestamp converter - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
How many “Epoch” times? Epocalypse.py timestamp converter

Interpreting and converting timestamps in the right format (and especially timezone) is paramount in every analysis. Conveniently enough, all forensics analysis suites do this automatically for us and there are also some utilities, some available online [1], some free [2] and some other not really [3], which help converting epoch times. However, all of those I have found either are GUI based (and mostly MS Windows utilities), so if you mainly/often use the command line you have to do it manually yourself. 

In dealing with “epoch” times, the though part is to remember all of them, the day zero of the different systems. When saying Epoch time, we usually tend to refer to The Epoch time as per Unix time which represent the number of seconds elapsed since January 1, 1970 00:00:00. But if we are doing an analysis on iPhone for example, iOS uses MAC Absolute time (or Cocoa time)[4], which represents the number of seconds elapsed since January 1, 2001 00:00:00. What if you are on a Mac OS X? Yet another one, HFS+ counts the number of seconds from January 1, 1904 00:00:00. NTFS? Even nicer, the number of 100 nano seconds since January 1, 1601 00:00:00 [5]. And the list goes on and on, you got it.

So I thought I would automate the conversion and collect the most frequent Epoch times I encounter into a script, epochalypse.py 
At the moment, this is the list of Epoch timestamps supported

|    TIMESTAMP   |           EPOCH           |  RESOLUTION  |
|----------------+---------------------------+--------------+
| Mac OSX (HFS+) |  1904-01-01 00:00:00 UTC  |      1s      |
|----------------+---------------------------+--------------+
|      Cocoa     |  2001-01-01 00:00:00 UTC  |      1s      |
|----------------+---------------------------+--------------+
|     WebKit     |  1601-01-01 00:00:00 UTC  |      1μs     |
|----------------+---------------------------+--------------+
|      Unix      |  1970-01-01 00:00:00 UTC  |      1s      |
|----------------+---------------------------+--------------+
|Microsoft (NFTS)|  1601-01-01 00:00:00 UTC  |     100ns    |
|----------------+---------------------------+--------------+
|       FAT      |  1980-01-01 00:00:00 UTC  |      1s      |
|________________|___________________________|______________|

 

Usage is quite straightforward: use the –e option to pass the epoch time to be converted and that’s it
Argo:epochalypse paco$ python epochalypse.py
usage: epochalypse.py [-h] [-e]

optional arguments:
  -h, --help     show this help message and exit
  -e , --epoch   Epoch time to be converted


As you can see from this simple test, if you pass 0 it will give back the starting point of each epoch time:

Argo:epochalypse paco$ python epochalypse.py -e 0

##########################################################
#                                                        #
#      Epochalypse - Epoch time converter utility        #
#            by Pasquale Stirparo, @pstirparo            #
#                                                        #
##########################################################

Epoch Time input to be converted:  0
Unix:   1970-01-01 00:00:00 UTC
COCOA:  2001-01-01 00:00:00 UTC
FAT:    1980-01-01 00:00:00 UTC
HFS+:   1904-01-01 00:00:00 UTC
WebKit: 1601-01-01 00:00:00 UTC
NTFS:   1601-01-01 00:00:00 UTC

If you pass any other value, it will try to compute for each different epoch, it’s up to you to pick up the one from the system you were referring to. If the input is not a valid one for a given epoch time, it will just leave the line empty

Argo:epochalypse paco$ python epochalypse.py -e 1479650099
...
Epoch Time input to be converted:  1479650099
Unix:   2016-11-20 13:54:59 UTC
COCOA:  2047-11-21 13:54:59 UTC
FAT:    2026-11-20 13:54:59 UTC
HFS+:   1950-11-20 13:54:59 UTC
WebKit: 1601-01-01 00:24:39 UTC
NTFS:   1601-01-01 00:02:27 UTC

Argo:epochalypse paco$ python epochalypse.py -e -1479650099
...
Epoch Time input to be converted:  -1479650099
Unix:   1923-02-11 10:05:01 UTC
COCOA:  1954-02-11 10:05:01 UTC
FAT:    1933-02-10 10:05:01 UTC
HFS+: - 
WebKit: 1600-12-31 23:35:20 UTC
NTFS:   1600-12-31 23:57:32 UTC

That’s it. This is a quick and dirty solution it was useful for me and thought I would share. If you would like to add any other timestamp, just reach out and let me know, more than happy to make it more comprehensive. Off course, any bug report is welcome as well. You can find the code in my github repo https://github.com/pstirparo/utils

Happy Hunting,
Pasquale

 

References:
[1] – EpochConverter, http://www.epochconverter.com/
[2] – Digital Detective, DCode, http://www.digital-detective.net/digital-forensic-software/free-tools/
[3] – BlackBag Technologies, Epoch Converter, https://www.blackbagtech.com/resources/freetools/epochconverter.html
[4] – Apple, Cocoa Date and Time Programming Guide, https://developer.apple.com/library/content/documentation/Cocoa/Conceptual/DatesAndTimes/Articles/dtDates.html
[5] – Microsoft NTFS File Time, https://msdn.microsoft.com/en-us/library/windows/desktop/ms724290(v=vs.85).aspx

----
Pasquale Stirparo, Ph.D.
@pstirparo

Pasquale Stirparo

15 Posts
ISC Handler
A recent adventure in timestamp value conversions for my work involved the timestamp values used in AD objects.
Here are some reference web articles that describe some highlights of my adventure:

https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/

https://social.technet.microsoft.com/wiki/contents/articles/12814.active-directory-lastlogontimestamp-conversion.aspx

https://anandthearchitect.com/2014/02/13/lastlogontimestamp-how-to-parse-the-18-digit-number-in-powershell/

http://stackoverflow.com/questions/15387353/convert-datetime-value-to-integer8-for-activedirectory-query


My opinion: The Microsoft Integer8 date value is a fascinating, and annoying, computer math problem.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!