by Chris Atha, High-Tech Crime Specialist at the National White Collar Crime Center (NW3C)
In an earlier article, the concept of relative time as it relates to computing devices and the memorialization of time was discussed, as was how to recognize potential time stamps. However, neither the specific formats encountered nor their histories were discussed. On this trip around the clock face, we will discuss popular time stamps, their formats, uses, and their brief history. Now is a suitable time to take some time and learn a brief history of time stamps.
Dr. Stephen Hawking, in his acclaimed book, A Brief History of Time, eloquently wrote:
“We find ourselves in a bewildering world. We want to make sense of what we see around us and to ask: What is the nature of the universe? What is our place in it and where did it come from? Why is it the way it is?”
Time Stamps in Digital Forensics
How does this apply to digital forensics and incident response? The answer comes most strongly from the final sentence of the quote: “Why is it the way it is?” which is a question I encourage all to ask. The desire to ask such a question is often suppressed by our own hubris and biases. One may proclaim internally or even externally: “Why does it matter?” “What use is it to me to know?” or one of the most dangerous, “I’ve been doing this task for quite some time, without knowing or asking, and I’m just fine!”
These statements often have their roots in what many would argue is the original sin, self-sovereignty. Why should we inspect our own knowledge and risk admitting we have deficits in our understanding of critical information? It is my belief that we must know. It is more than just memorialized numbers being time. It is the representation of freedom and livelihood. Whether an examiner is protecting critical infrastructure or analyzing evidence in a court of law, the interpretation and understanding of these key pieces of information is necessary. No one is entitled, upon mere speculation, to infringe upon the inalienable rights or privileges of another. Rather, objective fact is the driver.
Unix Epoch Time Stamp
With this sober explanation of importance, let us spend some time understanding time. The question is which time stamp formats to focus on and, more explicitly, which one first. I have decided upon what is the most common time stamp met by a modern digital forensics analyst: the Unix Epoch Timestamp.
While not nearly as important as the programmatic function of the time format, it is interesting to understand its history. The Unix operating system was developed in the late 1960s and early 1970s at AT&T’s Bell Labs by a group of computer scientists, including Ken Thompson, Dennis Ritchie, and others. As part of the development of Unix, they needed a consistent way to store time and handle date calculations within the operating system.
Ken Thompson, one of the key figures behind Unix, decided to use January 1, 1970, 00:00:00 UTC as the starting point for Unix time. This decision is credited to 1970 being the beginning of a new decade, making it a convenient and logical choice. Additionally, this date ensured that the time stamp would be positive for most of the 32-bit time representation’s range.
Unix’s first implementation used a 32-bit signed integer to represent time, which counted the number of seconds since the chosen starting point, January 1, 1970, at UTC. This representation made mathematical operations within the operating system relatively easy, as it is a simple linear progression. It is also more concise than representing a given date and time in a human-centric format such as ISO-8601, which has several variants but is most widely known as YYYY-MM-DD HH:MM:SS. This is because the Unix epoch value is a single count from one point in time, while a human-centric format requires specifying both the date and the time.
However, this representation also has some limitations. For example, it will reach its maximum value (2^31 - 1 seconds, or 2,147,483,647 seconds) on January 19, 2038. This is known as the Year 2038 problem. To address the limitations of the 32-bit time representation, some systems started using 64-bit representations for time, allowing for a much larger time range. Despite its limitations, the Unix epoch time stamp is still in widespread use due to its simplicity and compatibility. Modern programming languages and operating systems often provide ways to work with both 32-bit and 64-bit time representations.
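As an added illustration of the Year 2038 limit described above (example code, not from the article), the block below writes a time stamp into a signed 32-bit field and reads it back, so the wrap at 2,147,483,647 can be seen next to the same value handled as a 64-bit integer. The value 1433890002 is the one the article later decodes; the field-width check and the "describe" helper are assumptions of this example.

```python
# Added example (not from the article): what a 32-bit signed field does to a
# time stamp at the Year 2038 boundary, versus an unrestricted (64-bit) value.
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def to_utc(ts: int) -> str:
    # timedelta arithmetic instead of fromtimestamp(): portable for negative values
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S UTC")


def as_signed_32bit(ts: int) -> int:
    """Store ts in a 32-bit field and read it back as signed (two's-complement wrap)."""
    return struct.unpack("<i", struct.pack("<I", ts & 0xFFFFFFFF))[0]


def describe(ts: int) -> dict:
    """Report how the same count of seconds decodes in 64-bit and in int32 storage."""
    wrapped = as_signed_32bit(ts)
    return {
        "value": ts,
        "fits_int32": INT32_MIN <= ts <= INT32_MAX,
        "int32_reads_as": wrapped,
        "utc_64bit": to_utc(ts),
        "utc_int32": to_utc(wrapped),
    }


if __name__ == "__main__":
    # 1433890002 is the article's sample value; the other two bracket the 2038 limit
    for ts in (1433890002, INT32_MAX, INT32_MAX + 1):
        d = describe(ts)
        print(f"{d['value']:>11}  fits32={d['fits_int32']!s:5}  "
              f"64-bit: {d['utc_64bit']}  int32: {d['utc_int32']}")
```

One second past the maximum, the 32-bit field reads as -2,147,483,648 and decodes to December 1901, which is the symptom an examiner would see on a system or artifact that still stores time in a signed 32-bit integer.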
Structured Query Language (SQL)
In modern forensics, we often encounter time stamps stored within SQLite databases. SQLite stores information according to a declared type affinity; time stamps are often stored in columns with the INTEGER or NUMERIC type affinity. These type affinities allow for a variety of time formats, including the aforementioned formats associated with Unix Epoch.
A key example of this format in use can be found in Apple iOS, specifically voicemail.db, an SQLite database located at private/var/mobile/Library/Voicemail/voicemail.db in a full file system acquisition.
Image 1a NW3C
Image 1a (above) is a screenshot of the aforementioned voicemail.db opened using DB Browser for SQLite (https://sqlitebrowser.org/), with the voicemail table being browsed. Several columns appearing to contain time stamps are visible, most notably the “date” column, “expiration” column, and “trashed_date” column. This particular database is interesting in that a single table uses two different time formats. The “date” column uses the Unix Epoch time format, while the “expiration” and “trashed_date” columns use the macAbsolute time format, which has a host of names that will be addressed in detail in further writing.
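To show the SQLite points above in working code, here is an added example (not from the article and not the real voicemail.db) that builds a constructed stand-in for the voicemail table in memory, inserts the “date” value visible in Image 1b, and checks with typeof() how INTEGER, NUMERIC and TEXT affinity each store the same epoch integer. SQLite's own datetime(..., 'unixepoch') modifier is used to decode the column, cross-checked in Python. The table layout and the sample rows are assumptions of this example.

```python
# Added example (not from the article): a constructed stand-in for the iOS
# voicemail table, used to show SQLite type affinity and Unix Epoch decoding.
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed rows; the first "date" is the value shown in the article's Image 1b.
# The "0" is deliberately a text string to show INTEGER affinity coercing it.
SAMPLE_ROWS = [(1433890002,), ("0",), (86400,)]


def build_demo_db() -> sqlite3.Connection:
    """Minimal voicemail table with only the Unix Epoch 'date' column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE voicemail (ROWID INTEGER PRIMARY KEY, date INTEGER)")
    con.executemany("INSERT INTO voicemail(date) VALUES (?)", SAMPLE_ROWS)
    return con


def stored_types(con: sqlite3.Connection) -> list:
    """typeof() reports how each value was actually stored once affinity was applied."""
    return [r[0] for r in con.execute("SELECT typeof(date) FROM voicemail ORDER BY ROWID")]


def decode_dates(con: sqlite3.Connection) -> list:
    """Let SQLite decode the epoch value and cross-check the result in Python."""
    out = []
    q = "SELECT ROWID, date, datetime(date, 'unixepoch') FROM voicemail ORDER BY ROWID"
    for rowid, ts, sqlite_text in con.execute(q):
        py_text = (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S")
        out.append((rowid, ts, sqlite_text, sqlite_text == py_text))
    return out


def affinity_demo() -> tuple:
    """Same epoch integer stored under INTEGER, NUMERIC and TEXT affinity."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (i INTEGER, n NUMERIC, s TEXT)")
    con.execute("INSERT INTO t VALUES (?, ?, ?)", (1433890002, 1433890002, 1433890002))
    return con.execute("SELECT typeof(i), typeof(n), typeof(s) FROM t").fetchone()


if __name__ == "__main__":
    con = build_demo_db()
    print("stored types:", stored_types(con))
    for row in decode_dates(con):
        print(row)
    print("INTEGER / NUMERIC / TEXT affinity ->", affinity_demo())
```

The affinity check is the practical part: a column declared TEXT keeps the digits as a string, so a tool that filters on typeof() or sorts numerically can miss or misorder time stamps that are still valid Unix Epoch values.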
Recognizing Unix Epoch Format
In modern times, the Unix Epoch time format is most easily recognized by the number of digits displayed. For times within the recent past and recent future, Unix Epoch timestamps will have 10 digits. If the timestamp reflects an event farther in the past, the number of digits needed to represent the value may be smaller. Conversely, as we move into the future, at a point which is a greater number of seconds from the epoch, the value will grow to 11 digits. This is because the Unix Epoch time format is a count of the number of seconds since January 1, 1970, at UTC. As time goes on, the number of seconds since the Unix Epoch will increase, and therefore the number of digits in the timestamp will also increase.
The integer in Image 1a is read big endian, with the most significant digit being the leftmost visually.
Image 1b is a close-up view of the “date” column from the “voicemail” table of an Apple iOS voicemail.db. Visible in each row is a 10-digit integer. The topmost integer is “1433890002”. This integer is read big endian and represents the number of seconds relative to January 1, 1970, 00:00:00 UTC. To reconcile this to something more human-centric, we must first understand a few constructs of time and how it is experienced. Days are made up of a specific number of seconds, 86,400 seconds to be precise. This can be demonstrated by multiplying the number of seconds in a minute, minutes in an hour, and hours contained within a day. Practically speaking, all days are perfect days, in that they have the same number of seconds. Years, however, are different.
Most individuals are aware of the Gregorian calendar, the calendar which most of us use, and are familiar with a leap year every four years. However, the rules do not stop there. A year observed on the Gregorian calendar is 365.2425 days long, so the extra fraction is not exactly a quarter of a day. How then does a leap year every four years work, or could it be there is more to a leap year?
According to the United States Naval Observatory, “Every year that is exactly divisible by four is a leap year, except for years that are exactly divisible by 100, but these centurial years are leap years if they are exactly divisible by 400.”
Calculating Unix Epoch Time Stamps
Knowing each day is 86,400 seconds, and with more information on a year, we can correctly calculate a Unix Epoch time stamp. Often an examiner is assisted by automation within a tool, or by a specific date and time tool. One of my favorite tools for this task is CyberChef (https://gchq.github.io/CyberChef/). Using CyberChef, we can simply copy and paste our integer into the input and select “From Unix Epoch” as our recipe, with seconds selected as the unit.
As proof of concept, we will enter a value of “0” and form the hypothesis that a Unix Epoch time value of zero will render as its starting time, 1-1-1970 midnight GMT.
Our hypothesis is confirmed in Image 2b, with “0” rendering as Thu 1 January 1970 00:00:00 UTC. With our assertion of a day being 86,400 seconds, and Unix Epoch time stamps being the number of seconds from Thu 1 January 1970 00:00:00 UTC, further validation can be performed. Our new hypothesis is that entering a value of 86,400 will result in the date Fri 2 January 1970 00:00:00 UTC.
Our hypothesis is confirmed in Image 2c, with “86,400” rendering as Fri 2 January 1970 00:00:00 UTC. We can now try one of the observed time stamps from Image 1a and Image 1b.
Image 2a depicts this example, with our now human-readable date of Tue 9 June 2015 22:46:42 UTC, an understandable representation of “1433890002”.
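The same calculation CyberChef performs can be done by hand from the two facts the preceding sections establish: a day is 86,400 seconds, and the USNO leap-year rule decides which years have 366 days. The following added example (not from the article, and not CyberChef's code) implements exactly that, renders the result in the "Tue 9 June 2015 22:46:42 UTC" style the article quotes, reproduces the three checks above (0, 86,400 and 1433890002), and goes one step further than the text by computing when 10-digit and 11-digit values begin. The stdlib datetime module is used only as an independent cross-check; the function names are this example's own.

```python
# Added example (not from the article): decode a Unix Epoch time stamp by hand
# using only 86,400 seconds per day and the USNO leap-year rule. The stdlib is
# used solely to cross-check the hand calculation.
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86_400
# Day 0 of the epoch, 1 January 1970, was a Thursday.
WEEKDAYS = ["Thu", "Fri", "Sat", "Sun", "Mon", "Tue", "Wed"]
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def is_leap_year(year: int) -> bool:
    """USNO rule: divisible by 4, except centuries, unless divisible by 400."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def days_in_year(year: int) -> int:
    return 366 if is_leap_year(year) else 365


def days_in_month(year: int, month: int) -> int:
    if month == 2:
        return 29 if is_leap_year(year) else 28
    return 30 if month in (4, 6, 9, 11) else 31


def epoch_to_civil(ts: int) -> dict:
    """Split epoch seconds into a UTC calendar date; negative (pre-1970) values work too."""
    day_count, secs = divmod(ts, SECONDS_PER_DAY)  # floor division keeps secs in 0..86399
    hour, rem = divmod(secs, 3600)
    minute, second = divmod(rem, 60)
    days, year = day_count, 1970
    while days >= days_in_year(year):           # walk forward one year at a time
        days -= days_in_year(year)
        year += 1
    while days < 0:                             # walk backward for pre-1970 values
        year -= 1
        days += days_in_year(year)
    month = 1
    while days >= days_in_month(year, month):
        days -= days_in_month(year, month)
        month += 1
    return {"year": year, "month": month, "day": days + 1,
            "hour": hour, "minute": minute, "second": second,
            "weekday": WEEKDAYS[day_count % 7]}


def format_civil(ts: int) -> str:
    """Render in the style the article quotes, e.g. 'Tue 9 June 2015 22:46:42 UTC'."""
    c = epoch_to_civil(ts)
    return (f"{c['weekday']} {c['day']} {MONTHS[c['month'] - 1]} {c['year']} "
            f"{c['hour']:02d}:{c['minute']:02d}:{c['second']:02d} UTC")


def agrees_with_stdlib(ts: int) -> bool:
    """Cross-check the hand conversion against datetime arithmetic."""
    d = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    c = epoch_to_civil(ts)
    return (d.year, d.month, d.day, d.hour, d.minute, d.second) == (
        c["year"], c["month"], c["day"], c["hour"], c["minute"], c["second"])


def first_timestamp_with_digits(n: int) -> int:
    """Smallest epoch value that needs n decimal digits: 10 ** (n - 1)."""
    return 10 ** (n - 1)


if __name__ == "__main__":
    for ts in (0, 86_400, 1_433_890_002, -1):
        print(f"{ts:>12} -> {format_civil(ts)}  (stdlib agrees: {agrees_with_stdlib(ts)})")
    for n in (10, 11):
        print(f"{n}-digit values begin at {format_civil(first_timestamp_with_digits(n))}")
```

Running it reproduces the three CyberChef results from the images and shows that the 10-digit era began in September 2001 and the 11-digit era starts in November 2286, which is why a 10-digit count is the tell for a present-day Unix Epoch value. The -1 case decodes to the last second of 1969, a reminder that a signed epoch value can legitimately be negative.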
We have worked through a specific time stamp format, its structure, and how to resolve it into a human-centric format. This was one of many formats; exploration of further formats will be the topic of the next article in this series on tackling time, succeeding when seconds matter.
Chris Atha is a law enforcement officer who specializes in investigating Cyber-crime. Chris lives in the Southern Appalachian Mountain Range of the United States and is married to one of the brightest minds in education.