by Chris Atha, High-Tech Crime Specialist at the National White Collar Crime Center (NW3C)
I imagine, if you are like me, you can remember learning how to tell the time – and suddenly understanding a clock, a calendar, and their relationship with your life. Things would never be the same. A fascinating moment: realising that the observed numbers on a clock meant to not only you, but the entire world, that it was time to eat, work, sleep, and any of the other things we do on a daily, weekly, and yearly basis. It is ubiquitous to life, so much so we overlook it. Even when our understanding of it could very well be the determining factor of the freedom of a fellow human being. Famed author and theologian Clive Lewis often wrote on our relationship with time. In 1958, he is credited with the following:
“…we are so little reconciled to time that we are even astonished at it. ‘How he’s grown!’ we exclaim, ‘How time flies!’ as though the universal form of our experience were again and again a novelty. It is as strange as if a fish were repeatedly surprised at the very wetness of water.”~C. S. Lewis
Time and our relation to this relative concept are at the center of all high-tech crime investigations. Despite being at the center, an examiner may have misunderstandings about the time stamp they see before them, especially if only ever seen through the abstractive lens of a modern forensic analysis tool. While ATM transaction time stamps in a familiar format compared to banking records of similar appearance are often simple, the forensic analysis of an Apple iPhone or other digital device may prove more difficult, especially when needing to understand how these devices memorialize time.
One key difference to take note of is, we as humans like things which we understand. Our computers similarly work in manners pleasing and efficient to them, this assuming we temporarily personify our digital devices. The difference is the data we often find ourselves viewing as a digital forensics’ examiner, differs from the way it is presented to a typical device user. In short, the data isn’t written to you, it wasn’t meant for your eyes.
As a perpetual student of digital forensics, I have found a few key techniques, tactics, and procedures to be helpful when dealing with time. This article and several to follow will lay down these ideas.
Many time stamps encountered in a digital forensics’ exam are relative. Unix Epoch for instance, is the number of seconds from Thursday, January 1t,1970, 12:00:00 GMT. A Unix Epoch time stamp of 86400, which is the number of seconds in a day, would yield a relative Unix Epoch time stamp of Friday, January 2nd, 1970,12:00:00 GMT. This, in turn, confirms our notion of how many seconds are in a day, and the mechanics of a Unix Epoch time stamp.
Understanding the concept of time is relative. The mechanisms of time storage are relative, and this is one of the key points in identifying, finding, and analyzing timestamps. Given this concept, it gives an examiner several key characteristics to look for. As we are looking for the memorialization of something, which is compared to something else.
Image 1a (above) is an example of a timestamp as seen in a logically rendered SQLite database. This database specifically came from an Apple MacBook Pro running macOS Ventura. The column of numbers is how macOS memorializes the visit to a website. Each value is the relative number of seconds elapsed from 1-1-1-2001 12:00:00 GMT. This timestamp format has several names, though one of the most common is the “NSdate” (with NS paying homage to the predecessor of macOS, NeXT Step). Viewing the topmost three provides us with “658678592″, meaning the visit time of the associated web browsing activity occurred “658678592” seconds past (in the relative context of) time” 1-1-2001 12:00:00 GMT. This leaves us with a human-readable time of 11-15-2021 02:16:32 GMT.
The above example is not all-encompassing, of course, as different timestamps have different storage mechanisms. The above is one of the most common formats when investigating Apple products. SQLite derived time stamps are ubiquitous to most modern operating systems, though they’re not all encompassing. Windows NTFS file system Modified time stamps are not much different. While not stored as a record within an SQLite database, rather the value is stored in hexadecimal, a representation of binary which uses integers 0 through 9 and English alphabet letters a through f. These hexadecimal values are converted mathematically to a decimal value, which is nothing more than the relative location from the beginning of the Gregorian calendar of 1-1-1601 12:00:00 GMT and stored in nanoseconds.
Having a working concept of the relative concept of time not only makes the title track of the hit Broadway Show Rent more relatable; it also emboldens you as an examiner anytime you meet a time stamp. Or think you may be in the presence of a time stamp.
Two key questions, which I hope fills the space of an examiners’ internal dialogue, are: “How do I know what I believe I know?” and “What can I do if my tool doesn’t tell me the answer?”. The first question can be emboldened by what precedes this statement. A thorough understanding of the concept of information. The former, we will address a few tactics and procedures, based on the earlier explained concepts.
Image 2a demonstrates how we are accustomed to meeting time. It’s important to understand this view is for ‘us’ the user. It has been abstracted from source data and made at the cost of computing resources and space. To be something we can make sense of and relate to. It is easy to recognize date and time stamps, which appear like this or similar. What though if we ask the second question and are inspecting data which has yet to have its data abstracted.
When reviewing image 3a; much more is happening, and a simple ordinary human-readable time stamp isn’t visible. The information is there; however, it is not in the format we recognize daily. With the dichotomy between what our digital devices store and what we are used to seeing, how can we begin to make sense of the information? Remembering time is relative, and the concept of storing a unit of duration from a fixed point in the past to be time, will be our guide. Further, relying on what we know and recognize will help us decide which columns may store time. How so?
Image 4a is a closer peek at the data from Image 3a, with a few icons added to help with the explanation of a few principles of determining. Even though the ability to quickly recognize an epoch time stamp; we can recognize other numbers. If you look at the far-left column of image 4a, which has a blue star with number “1” in it, a column of “0’s” and “1’s” is observed. While what these numbers are is not immediately known, we can make an inference it isn’t a time stamp, because it isn’t congruent with the previously explained logic.
Moving one column to the right, annotated with an orange star with the number “2” inside. This column appears to be all “1’s”. Still, the meaning of these numbers is not yet known. But it is a safe assessment to say, “this is not a time stamp”. Again, moving one more column to the right, donated with a green star with the number “3”. This column has “0’s” and “4’s”.
Once more, moving to the right, this column annotated with a purple star with the number “4” inside. This column has, in contrast, much more going on. Leveraging first, the ability to recognize numbers we know. Internally, pose the question: is this United States telephone number? If you possess any familiarity with those, immediately you’ll realise the answer is “no” this is not a telephone number. Nor does it look like a credit card number.
While many things “it” is not has been declared, the question of what it is has yet to be answered. Where do we start? First, utilize the ability which is ubiquitous to most tools to sort a column by ascending or descending order. Pick one, as this will allow a trend of time stamps to be seen.
With the column sorted either ascending or descending, place a line on the numbers or utilize a ruler held up to the screen. This line will need to be slightly biased to the left of the whole number, for instance if the number displayed has nine whole numbers such as (978307200), I recommend the line be placed between the 8 and 3. (No line has been added to image 5a, to allow the reader to develop their own application of this tactic)
Look to the right of the line, focusing on the whole numbers; ask “Do they change often, seemingly every line is a different number?” If the answer is “yes”, put a check in the column for “this is a time stamp”. If not, while this trait is common of a timestamp, not meeting it isn’t the proverbial nail in the coffin.
Next, do the numbers appear to trend (this should be congruent with how you had sorted the column previously, either ascending or descending)? If an observable trend is observed, put a second check in the box “this is a time stamp”.
Move to the left of the line now – do the numbers change, but less frequently than the rate of change of numbers on the right side? If the answer is “yes”, put a check in the column for “this is a time stamp”. With the checks in the “this is a time stamp” column, I recommend looking for one more trait to seal the deal.
Looking to the left of the line, do the numbers appear to follow an ascending or descending trend? If so, is it congruent with the trend observed to the right of the line? If so, add a checkmark to the “yes this is a time stamp” column. If these four traits are met, chances are you have a timestamp.
What specific kind of time stamp have we found? What are the tools, techniques, and procedures to figure it out? Further analysis will be the topic of the next article in this series of tackling time, succeeding when seconds matter.
Chris Atha is a law enforcement officer who specializes in investigating Cyber-crime. Chris lives in the Southern Appalachian Mountain Range of the United States and is married to one of the brightest minds in education.