Mac Forensics Tips and Tricks: The Epoch Converter Utility
What time is it? The time is 3442503385.
This number makes sense to our startup chiming Mac machinery (it is an HFS+ timestamp, a count of seconds since January 1, 1904), but we’ve got some converting to do before it makes sense to most humanoids (if you can read raw timestamps, our fedoras are off to you)!
All operating systems generate timestamps as part of their day-to-day file system record keeping duties, and software applications retain timestamp information. In ‘raw’ form, these timestamps look like large numerals that may or may not include decimal places. Timestamp numerals represent the number of incremental time units that have elapsed since a predetermined date and time. The ‘zero time,’ or the date and time that the numeral equaled zero, is the timestamp epoch.
Not all Mac-related timestamps are based on the same epoch (zero time), and timestamp time units are not always the same unit of measure: most count seconds, but some count 100-nanosecond or microsecond intervals since the epoch. Timestamp epochs and timestamp units of measure vary by file system format and software application. So, a forensic examiner must know where to look for relevant timestamp information (usually in multiple locations throughout the file system), then figure out which epoch and time unit the raw timestamp is based on, then convert the timestamp to a meaningful humanoid-compatible format (usually a Gregorian calendar date and time, with the time zone used for display recorded alongside it).
Common OS X Timestamp Formats
OS X and native HFS+ Macintosh file systems maintain five metadata timestamp entries in each catalog record: Date Created, Date Accessed, Date Modified, Attribute Modification Date, and Backup Date. HFS+ stores each of these as an unsigned 32-bit count of seconds since midnight, January 1, 1904, UTC. In addition, the OS X Lion and Mountain Lion operating systems maintain a sixth Date Added timestamp.
Unfortunately, operating system timestamps alone do not always provide forensic examiners with enough evidence to construct a comprehensive timeline, so investigators must examine application-based timestamps too. These timestamps are usually stored in .plist files and SQLite database files, or embedded in file metadata such as EXIF metadata.
Here are a few timestamp formats investigators commonly encounter during a Mac forensic examination:
* The Cocoa ‘zero time’ is January 1, 2001 00:00:00 UTC, which is a constant 978,307,200 seconds after the Unix epoch of January 1, 1970. Apple’s own APIs treat it as a reference date (NSDate’s timeIntervalSinceReferenceDate, CFAbsoluteTime) rather than an epoch, so some call it that too.
As you can imagine, manual timestamp conversion can be time consuming. Our BlackLight forensic analysis software includes built-in timestamp conversion, and our Epoch Converter utility (recently updated and available free of charge to current BlackBag software and training customers, and MiCFE certified professionals!) converts the timestamp formats listed in the table above. To see each timestamp format epoch, in the Epoch text field, type a zero, and select the Convert button.
Using Epoch Converter to Convert a Safari Timestamp
Internet browser artifacts yield valuable information that examiners use to determine user Internet surfing behavior. For example, the Safari ‘Cookies.plist’ file includes a key containing a ‘created’ date with a corresponding WebKit timestamp value. In this example, the WebKit timestamp is ‘347160273.64099997282’. (Note that Safari’s value is a Cocoa date, seconds since January 1, 2001; the microseconds-since-1601 count that Chrome stores is also commonly called a WebKit timestamp, and the two must not be confused.) To convert this timestamp, simply copy and paste it from the .plist file into the Epoch Converter Epoch text field, and select the Convert button.
In the Cocoa/WebKit Date text field, the correct converted timestamp displays.
Notice that we only included the digits to the left of the decimal point when we converted the timestamp. The digits to the right of it are sub-second precision, and because the converter displays whole seconds they have no effect on the converted output. To confirm this, let’s include the digits to the right of the decimal point, and convert the timestamp again.
As you can see, the converted timestamp is the same.
The Epoch Converter utility also converts Gregorian dates and times to raw timestamps. To do so, at the top of the Epoch Converter application window, select the Date –> Integer tab. Enter date and time information into the text fields, and select the Convert button.
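The conversions in this section, as an added example rather than the Epoch Converter’s own code: a small Python converter that carries an epoch table, keeps the decimal digits of a raw value as sub-second precision (so the Safari cookie value above converts to the same second with or without them), runs the Date -> Integer direction, and, because an unlabeled raw value first has to be matched to an epoch, tries every known epoch and keeps the ones that land in a plausible date window. The epoch zero times are standard published values; the set of formats in the table, the 1990 to 2038 window, and the fixed -8 h ‘PST’ offset used for display are this example’s assumptions, not something the post states.

```python
"""Raw Mac timestamp <-> Gregorian conversion (added example, not BlackBag's utility)."""
from datetime import datetime, timedelta, timezone
from fractions import Fraction

UTC = timezone.utc

# Epoch table: format name -> (zero time, length of one raw unit in seconds).
# Standard epochs assumed for this example; the post's own table is not reproduced here.
EPOCHS = {
    "unix":     (datetime(1970, 1, 1, tzinfo=UTC), Fraction(1)),         # seconds
    "hfs_plus": (datetime(1904, 1, 1, tzinfo=UTC), Fraction(1)),         # seconds (HFS+ catalog dates)
    "cocoa":    (datetime(2001, 1, 1, tzinfo=UTC), Fraction(1)),         # seconds (NSDate/CFAbsoluteTime, Safari plists)
    "filetime": (datetime(1601, 1, 1, tzinfo=UTC), Fraction(1, 10**7)),  # Windows 100-ns ticks
    "chrome":   (datetime(1601, 1, 1, tzinfo=UTC), Fraction(1, 10**6)),  # Chrome/WebKit microseconds
}

# Fixed -8h offset stands in for Pacific Standard Time (assumption; avoids needing a tz database).
PST = timezone(timedelta(hours=-8), "PST")


def raw_to_datetime(raw, fmt):
    """Convert a raw timestamp (int, float or decimal string) to an aware UTC datetime.
    Decimal digits are kept as sub-second precision; str(raw) keeps them exact."""
    zero, unit = EPOCHS[fmt]
    seconds = Fraction(str(raw)) * unit
    whole = seconds // 1                        # floor division on a Fraction yields an int
    micros = int((seconds - whole) * 10**6)     # anything finer than a microsecond is truncated
    return zero + timedelta(seconds=int(whole), microseconds=micros)


def datetime_to_raw(dt, fmt):
    """Reverse direction (the utility's Date -> Integer tab): aware datetime -> raw units (Fraction)."""
    zero, unit = EPOCHS[fmt]
    delta = dt - zero
    seconds = Fraction(delta.days * 86400 + delta.seconds) + Fraction(delta.microseconds, 10**6)
    return seconds / unit


def format_local(dt, tz):
    """Render at seconds resolution in a display zone, e.g. '2013-01-31 10:56:25 Thu PST'."""
    return dt.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %a %Z")


def candidate_formats(raw, first_year=1990, last_year=2038):
    """Try every known epoch and keep those whose result lands in a plausible window.
    Answers 'which epoch is this?' for an unlabeled raw value; the window is an assumption,
    and more than one hit means the artifact's source, not the number, must decide."""
    hits = []
    for fmt in EPOCHS:
        try:
            dt = raw_to_datetime(raw, fmt)
        except OverflowError:          # value too large for this unit/epoch to be a date at all
            continue
        if first_year <= dt.year <= last_year:
            hits.append((fmt, dt))
    return hits


if __name__ == "__main__":
    print(format_local(raw_to_datetime(3442503385, "hfs_plus"), PST))   # the post's opening value
    print(raw_to_datetime("347160273.64099997282", "cocoa"))             # Safari cookie 'created'
    print(raw_to_datetime(347160273, "cocoa"))                           # integer part only: same second
    print(candidate_formats(3442503385))                                 # only hfs_plus is plausible
    print(datetime_to_raw(datetime(2013, 1, 31, 10, 56, 25, tzinfo=PST), "hfs_plus"))
```

Typing a zero into the converter shows each format’s epoch; the equivalent here is `datetime_to_raw(EPOCHS["cocoa"][0], "unix")`, which returns the 978,307,200-second Cocoa offset. Note that `candidate_formats` only narrows the choices: a value in the low billions is a valid Unix date and a valid Cocoa date a few decades apart, so the artifact the number came from always has the final say.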
Converting Multiple Timestamps
The BlackBag Epoch Converter utility accepts plain text files containing multiple numeric timestamp values as input, converts them, and exports the results to a .csv file. This allows examiners to copy and paste multiple raw timestamps from a .plist or database file into a plain text document, and convert all of them at the same time.
In this example, we entered multiple line-separated raw timestamps into a plain text (not rich text) file named Multiple_Convert.txt, and saved the file to our Desktop. (Be sure to include the .txt extension.)
To convert these timestamps simultaneously, in the lower right corner of the Epoch Converter utility window, select the Choose Epochs button.
A ‘Convert Multiple Epochs’ dialog window appears. To select the timestamp text file, manually type the file pathname, or click on the Select… button to navigate to the file using the Finder. Select the Convert button to begin the conversion.
The Epoch Converter converts the timestamps, and outputs them to a .csv file. An examiner may then view the timestamps using any spreadsheet application, and import the file into a BlackLight case to include it in the examiner report.
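The batch workflow above, as an added example that is not BlackBag’s utility: a Python script that reads one raw timestamp per line from a text file, converts every line under one chosen epoch (the equivalent of the Choose Epochs dialog), and writes a CSV with the raw value, the UTC result and a local rendering. Blank lines are skipped, and a line that does not parse is kept in the CSV flagged with an error instead of aborting the run, so the examiner can account for every value that was pasted in. The sample file contents, the file names, the seconds-only epoch table and the fixed -8 h ‘PST’ offset are constructed for this example.

```python
"""Batch raw-timestamp conversion: text file in, CSV out (added example, not BlackBag's utility)."""
import csv
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Seconds-based epochs only; one format is chosen per input file, as in the Choose Epochs dialog.
EPOCH_ZERO = {
    "unix":     datetime(1970, 1, 1, tzinfo=timezone.utc),
    "hfs_plus": datetime(1904, 1, 1, tzinfo=timezone.utc),
    "cocoa":    datetime(2001, 1, 1, tzinfo=timezone.utc),
}

# Fixed -8h offset stands in for Pacific Standard Time (assumption for the demo).
PST = timezone(timedelta(hours=-8), "PST")

CSV_FIELDS = ["line", "raw", "format", "utc", "local", "error"]


def convert_file(in_path, out_path, fmt, tz):
    """Read one raw timestamp per line, write raw/UTC/local rows to a CSV, return the rows.
    Blank lines are skipped; unparseable lines are written with an error message so that
    nothing pasted into the input file silently disappears from the report."""
    zero = EPOCH_ZERO[fmt]
    rows = []
    with open(in_path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            text = line.strip()
            if not text:
                continue
            row = {"line": lineno, "raw": text, "format": fmt, "utc": "", "local": "", "error": ""}
            try:
                secs = float(text)                 # decimals are sub-second precision
                dt = zero + timedelta(seconds=secs)
                row["utc"] = dt.strftime("%Y-%m-%d %H:%M:%S")           # display truncates to seconds
                row["local"] = dt.astimezone(tz).strftime("%Y-%m-%d %H:%M:%S %Z")
            except (ValueError, OverflowError) as exc:  # junk text, NaN, or a value too large to be a date
                row["error"] = str(exc)
            rows.append(row)
    with open(out_path, "w", newline="", encoding="utf-8") as out:
        writer = csv.DictWriter(out, fieldnames=CSV_FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows


# Constructed sample: two Cocoa 'created' values as pasted from a Cookies.plist, a blank line,
# and a stray key name that was copied along with them.
SAMPLE = "347160273.64099997282\n347160300\n\ncreated\n"


def run_demo():
    """Write the sample to a temp dir as Multiple_Convert.txt, convert it as Cocoa dates,
    and return (rows, csv_text) so the result can be inspected without leaving files behind."""
    with tempfile.TemporaryDirectory() as tmp:
        in_path = os.path.join(tmp, "Multiple_Convert.txt")
        out_path = os.path.join(tmp, "Multiple_Convert.csv")
        with open(in_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        rows = convert_file(in_path, out_path, "cocoa", PST)
        with open(out_path, encoding="utf-8") as fh:
            csv_text = fh.read()
    return rows, csv_text


if __name__ == "__main__":
    _, text = run_demo()
    print(text)
```

The error column is the part worth keeping when adapting this: a stray key name or a timestamp in the wrong unit shows up as a flagged row next to its line number, which is much easier to reconcile against the source .plist than a CSV that is simply one row shorter than the input.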
So, what time is it? Glad you asked! The time is 2013-01-31 10:56:25 Thu PST, which is 3442503385 seconds after the HFS+ epoch of January 1, 1904, rendered here in Pacific Standard Time.
To download the BlackBag Epoch Converter and other helpful free forensics tools, please visit our Free Tools product page. For more information about our BlackLight forensic analysis software, please visit the BlackLight product page.