Forensic Focus - Mobile Phone Forensics - MacOSDate

Forensic Focus

Go to page 1, 2, 3  Next  :| |:

Mobile Phone Forensics

MacOSDate

MacOSDate

Posted: Fri Dec 24, 2010 1:53 am
Author: triran Location: Bolton
Anyone come across the MacOSDate within the PlayCounts.plist on the iPhone?

Re: MacOSDate

Posted: Tue Jan 04, 2011 4:52 am
Author: AlexC Location: UK
"Mac Dates" tend to be a floating point number which is the seconds since Jan 1st 2001. Try that, see if it makes sense!

Re: MacOSDate

Posted: Tue Jan 04, 2011 5:03 am
Author: triran Location: Bolton
I used DCode with Mac Date and got INVALID DATE. Tried knocking the end digit off then got a random date.

Re: MacOSDate

Posted: Tue Jan 04, 2011 5:34 am
Author: TomP Location: Uk
As AlexC says, the Mac times tend to be from 01/01/2001 or at least with the 'Mac Absolute Time' that I have come across this was the case.

To convert the times I used a pretty basic process within excel of converting the 01/01/2001 to an epoc time (3187468800) and added this to the extracted time stamp (also in seconds). I then divided this by 86400 and formatted the cells in the dd/mm/yyyy hh:mm:ss format. The results were manually verified using dcode and the Mac Absolute Time converter however I wanted a formula that would work within excel for multiple extracted time stamps.

Re: MacOSDate

Posted: Tue Jan 04, 2011 5:59 am
Author: AlexC Location: UK
- triran
I used DCode with Mac Date and got INVALID DATE. Tried knocking the end digit off then got a random date.


Could you post an example of the date format?

Re: MacOSDate

Posted: Tue Jan 04, 2011 6:08 am
Author: triran Location: Bolton
- AlexC
- triran
I used DCode with Mac Date and got INVALID DATE. Tried knocking the end digit off then got a random date.


Could you post an example of the date format?


3371884758

So as you can see there is one extra digit but if i trim either side I get a random date.

The value is an integer from the playcounts plist.

Re: MacOSDate

Posted: Tue Jan 04, 2011 6:22 am
Author: AlexC Location: UK
Could be the old MacOS epoch which is 1904/01/01?
That gives you 2010/11/06 10:39:18 - does that seem more reasonable?
All times are GMT - 6 Hours
Page 1 of 3 Go to page 1, 2, 3  Next  :| |:
http://www.forensicfocus.com/