Need help with timestamps

9 Posts
6 Users
0 Likes
2,382 Views
(@bbflipz)
Posts: 5
Active Member
Topic starter
 

Hi

I am working on a case with mobile phones and the court asked me to make clear if the timestamps of the messages are in Local time or in UTC time and if any further calculations are needed.

I used Cellebrite UFED Physical Analyzer for this case and I noticed that in some messages the report shows (UTC +0), in others (UTC +3), and sometimes there is only date and time. The settings while I was working were in original UTC mode. Is it calculated or do I have to do the calculation in the brackets?

My question is how to cross-check and make sure, every time I test a phone, if the timestamp is in Local time or UTC time? Does anyone have a similar issue? What is the proper answer in the court in order to be as a lab right? Not all the phones are functional. Is there an automated procedure for proper results?

I also use Oxygen, XRY and Katana Lantern.

If anyone has any advice or a guideline, it will be much appreciated.

Thank you in advance!

 
Posted : 06/04/2014 5:25 pm
 RonS
(@rons)
Posts: 358
Reputable Member
 

Which phone vendor and model was it and what version was used to generate these reports?

Ron

 
Posted : 07/04/2014 12:53 am
(@bbflipz)
Posts: 5
Active Member
Topic starter
 

Hi Ron,

Thank you for the response. I made a Physical acquisition of a Nokia Asha 300 in UFED Touch (version 2.2.5.4) and the report was created with Physical Analyzer (version 2.2.5.4). For this phone, sent messages appear with (UTC +0) and inbox with (UTC +3).

Is there a standard procedure that I have to follow or a setting in the software that I should check before I start the examination?

I'm saying this because I have around 200 different mobile phones to examine for this case and all must be checked for the timestamp if it is local time or UTC. Do I have to check every single one according to the vendor and the model?

Yesterday I checked another phone (Samsung GT-E2600) and although the phone messages didn't have any UTC in the timestamp, the SIM messages appeared in the report with (UTC +3) and they don't appear in the phone so I can do a cross-check.

Thank you in advance.

Tim

 
Posted : 07/04/2014 5:28 pm
(@bbflipz)
Posts: 5
Active Member
Topic starter
 

Sorry, I wrote it wrong. The Physical Analyzer (software) version was 3.8.6.4.

 
Posted : 07/04/2014 6:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Have you tried contacting the vendor?

You may get "an" answer quicker via sources such as this forum, but you will get "the" answer if you contact the vendor. If you're using a licensed version of their product, I'm not clear as to why contacting them would be an issue.

 
Posted : 07/04/2014 10:25 pm
(@coligulus)
Posts: 165
Estimable Member
 

The timestamps of the Incoming messages should be accurate as this is provided by the network. As I understand it the message was sent at x time in a timezone which is GMT+3. The time shown is the time sent in that timezone. So a message sent at 1700hrs GMT+3 was sent at 1400hrs GMT and so on.

The outgoing message timestamp is most likely unreliable and in addition seldom will it record anything other than GMT+0, if it includes a timezone at all. This timestamp is pulled from the device clock and should be relied upon with the utmost caution and only after validation with call data records from the network provider.

GMT - UTC - Essentially the same thing.

 
Posted : 08/04/2014 7:51 pm
(@bbflipz)
Posts: 5
Active Member
Topic starter
 

Thank you all for your responses.

So far, I also noticed, by cross-checking the same messages from the UFED report with the messages inside the phone, that incoming messages (with UTC +3 for example) inside the brackets are already calculated, in most scenarios. The sent messages are indeed unreliable, and one must check the user-defined settings for that period of time, Daylight Saving Time, and the network. For example, in old phones, if you remove the battery and then open the phone and send a message, the timestamp will be wrong.

So far so good, but there are some cases where the report doesn't show the same timestamp as the incoming message in the phone, and the calculations don't fit either. So, cross-checking with the phone must be done after all. I will try contacting Cellebrite to see if they have an answer on that. I will post again if I come to a better solution/answer.

A good way to check things is the timeline from UFED Analyzer.

Another thing that I noticed lately (although a different topic is needed) is that sometimes logical acquisition brings more results than physical. It happened twice. As well, physical loses some data from the phone. Do a cross-check if possible!

 
Posted : 10/04/2014 8:16 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Have you tried contacting the vendor?

You may get "an" answer quicker via sources such as this forum, but you will get "the" answer if you contact the vendor. If you're using a licensed version of their product, I'm not clear as to why contacting them would be an issue.

RonS is the vendor in this case as he's highly placed in Cellebrite )

 
Posted : 11/04/2014 5:22 am
(@merriora)
Posts: 44
Eminent Member
 

Hi

I am working on a case with mobile phones and the court asked me to make clear if the timestamps of the messages are in Local time or in UTC time and if any further calculations are needed.

Are you able to get the cell detail records from the cell phone company via production order? Confirming the timestamps via software is obviously a good step, but the actual cell phone records will be a valuable confirmation for the courts and negate any possible arguments via defense regarding the timestamps since it's coming from an un-biased 3rd party. You can also check for any possible missed messages not extracted by the forensic software.

 
Posted : 12/04/2014 5:41 pm
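
The cross-check discussed in this thread (is the displayed time already adjusted by the offset in brackets, and does it agree with the carrier's records?) can be run per message, as in this added example, which is not from any poster or from a vendor tool. The report timestamp format, the sample rows, the `assumed_local_offset` parameter and the premise that the carrier records are in UTC are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed report format: "dd/mm/yyyy hh:mm:ss" with an optional "(UTC +N)" label.
ROW = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})(?: \(UTC ?([+-]\d{1,2})\))?$")

def candidates(stamp, assumed_local_offset):
    """Return {hypothesis: UTC instant} for one report timestamp string."""
    m = ROW.match(stamp.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {stamp!r}")
    shown = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    out = {"shown-is-utc": shown}  # hypothesis: the displayed clock time is UTC
    labelled = m.group(2) is not None
    offset = int(m.group(2)) if labelled else assumed_local_offset
    if offset != 0:  # at offset 0 local time and UTC are the same instant
        name = "shown-is-local-at-label" if labelled else "shown-is-local-assumed"
        out[name] = shown - timedelta(hours=offset)
    return out

def classify(stamp, cdr_utc, assumed_local_offset=3, tolerance=timedelta(minutes=2)):
    """Name the hypothesis that agrees with the carrier record, or 'no-match'."""
    for name, instant in candidates(stamp, assumed_local_offset).items():
        if abs(instant - cdr_utc) <= tolerance:
            return name
    return "no-match"  # e.g. device clock reset after battery removal

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed sample: (report timestamp, carrier record time assumed to be UTC).
SAMPLE = [
    ("07/04/2014 17:00:10 (UTC+3)", utc(2014, 4, 7, 14, 0, 5)),    # incoming
    ("07/04/2014 14:05:00 (UTC +0)", utc(2014, 4, 7, 14, 5, 30)),  # sent
    ("07/04/2014 17:10:00", utc(2014, 4, 7, 14, 10, 20)),          # no label
    ("01/01/2009 00:03:00 (UTC+0)", utc(2014, 4, 7, 15, 0, 0)),    # clock reset
]

def review(rows=SAMPLE):
    return [classify(stamp, cdr) for stamp, cdr in rows]

if __name__ == "__main__":
    for (stamp, _), verdict in zip(SAMPLE, review()):
        print(f"{stamp:32} -> {verdict}")
```

A `no-match` row is one where neither reading of the report agrees with the carrier record, so it needs manual examination rather than a calculated correction.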