±Forensic Focus Partners
±Your Account
Membership:
New Today: 0
New Yesterday: 1
Overall: 27851
Visitors: 54±Forensic Focus Partner Ads
±Latest Articles
· Using SQL as a date/time conversion tool
· Forensics and Bitcoin
· Investigation and Intelligence Framework (IIF) – an evidence extraction model for investigation
· Extracting data from dump of mobile devices running Android operating system
· Development of Digital Forensic Tools on Mobile Device, a Potential Area to Consider?
· Can You Get That License Plate?
· How To Decrypt WeChat EnMicroMsg.db Database?
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
· Forensics and Bitcoin
· Investigation and Intelligence Framework (IIF) – an evidence extraction model for investigation
· Extracting data from dump of mobile devices running Android operating system
· Development of Digital Forensic Tools on Mobile Device, a Potential Area to Consider?
· Can You Get That License Plate?
· How To Decrypt WeChat EnMicroMsg.db Database?
· A guide to RegRipper and the art of timeline building
· Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions
· FT Cyber Security Summit 2014 – Recap
±Latest Jobs
Back to top
Skip to content
Skip to menu
Back to top
Back to main
Skip to menu
You may want to check out the article on 'Julian day' on Wikipedia -- the format that PauiSanderson suggests is (I think) the Rata Die system, or something closely related.
Note that you have to be very careful with Julian dates. Real Julian days begins at noon, but there are adjusted formats that begin at midnight, more in line with modern calender usage. You have to use the right formulas to get the right time conversion.
Evernote database files
Go to page 1, 2, 3 Next
Evernote database files
Posted: Wed Jun 04, 2014 2:49 am
Has anyone done work with Evernote database files before?
I'm seeing some useful information in the one of the .exb database files. To view it can be opened in various SQL tools or the extension changed to .db3 or whatever you need.
My question is around the date/time format used as the tools are reporting something weird.
The date created for a particular entry is 734508.144780093 (edited as excel was rounding the 'time' portion to 4 decimal places)
From looking at other entries it appears the 734508 is the date, and then I assume the 1448 is the time, however the time is not 24 format as this one would seem to indicate, as other times are listed as 9504 and various other numbers.
My first thought was Unix time, but it's not formatted correctly for that.
My next though is that the SQL tools while interpreting most of the data correctly maybe just don't know how to represent that field so it's a 'best effort' approach..
Any thoughts out there?
Edit: I have posted a query on the Evernote forums but thought I'd ask here in case they don't want to divulge
Last edited by Adam10541 on Wed Jun 04, 2014 8:00 pm; edited 1 time in total
I'm seeing some useful information in the one of the .exb database files. To view it can be opened in various SQL tools or the extension changed to .db3 or whatever you need.
My question is around the date/time format used as the tools are reporting something weird.
The date created for a particular entry is 734508.144780093 (edited as excel was rounding the 'time' portion to 4 decimal places)
From looking at other entries it appears the 734508 is the date, and then I assume the 1448 is the time, however the time is not 24 format as this one would seem to indicate, as other times are listed as 9504 and various other numbers.
My first thought was Unix time, but it's not formatted correctly for that.
My next though is that the SQL tools while interpreting most of the data correctly maybe just don't know how to represent that field so it's a 'best effort' approach..
Any thoughts out there?
Edit: I have posted a query on the Evernote forums but thought I'd ask here in case they don't want to divulge
Last edited by Adam10541 on Wed Jun 04, 2014 8:00 pm; edited 1 time in total
-
Adam10541 - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 3:13 am
Hi Adam
Looking at the date it *could be* that the integer part is the number of days from 1/1/0000
and the fractional part *may be* the fraction of the day so .1448 = 86400 *.1448 = 3:28:30.
To really bowl this out your would need more info though.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
Looking at the date it *could be* that the integer part is the number of days from 1/1/0000
and the fractional part *may be* the fraction of the day so .1448 = 86400 *.1448 = 3:28:30.
To really bowl this out your would need more info though.
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
-
PaulSanderson - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 4:41 am
Ahhh very interesting Paul, is there some sort of online calculator that can be used for that conversion or are you drawing on mathematical knowledge?
I'm ashamed to admit that maths baffles me at the best of times
You could be on to something here, I did a quick google on how many years 734508 days is and it's 2011.2 years..
I'm ashamed to admit that maths baffles me at the best of times
You could be on to something here, I did a quick google on how many years 734508 days is and it's 2011.2 years..
-
Adam10541 - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 4:47 am
No sorry (or rather I don't know of one) I knocked up a little program to do the conversion.
It should be easy enough to knock up something in excel to do the conversion.
There is a similar format for OLE automation mentioned in my article
sandersonforensics.com...ime-stamps
I'll add a converter to RevEnge for this date as soon as I get a minute away from coding my new prog SQLite Recovery
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
It should be easy enough to knock up something in excel to do the conversion.
There is a similar format for OLE automation mentioned in my article
sandersonforensics.com...ime-stamps
I'll add a converter to RevEnge for this date as soon as I get a minute away from coding my new prog SQLite Recovery
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
-
PaulSanderson - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 4:49 am
Reading the article now with a glass of wine.....may not be the best method for retention but I'll re-read tomorrow when I return to work
Thanks Paul, much appreciated.
Thanks Paul, much appreciated.
-
Adam10541 - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 4:50 am
My not be best for retention but I can't think of a better way 
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
_________________
Paul Sanderson
Forensic Toolkit for SQLite
Like and share FB Page for a chance to win a licence
www.facebook.com/SQLiteToolkit
-
PaulSanderson - Senior Member
Re: Evernote database files
Posted: Wed Jun 04, 2014 8:43 am
- Adam10541is there some sort of online calculator that can be used for that conversion
You may want to check out the article on 'Julian day' on Wikipedia -- the format that PauiSanderson suggests is (I think) the Rata Die system, or something closely related.
Note that you have to be very careful with Julian dates. Real Julian days begins at noon, but there are adjusted formats that begin at midnight, more in line with modern calender usage. You have to use the right formulas to get the right time conversion.
-
athulin - Senior Member