Hello All,
I am currently carrying out some research into the application Viber on a mobile device. I have reached an obstacle with some of the interpretation of some of the data, namely the timestamp.
Viber message data is easily recoverable as it is all stored within one database file; however, some of the timestamps are stored in a format I am unfamiliar with. I have searched throughout the internet, both general forums, published papers and those which relate specifically to digital forensics, but to no avail. The timestamp format is 18 digits long, an example of which is below:
635597724527250000
This time date reference should be 'Tuesday 17th February 2015 12:20pm'; the seconds are unknown.
I have looked into LDAP timestamps and looked at the way they are converted into UNIX timestamps in an attempt to come closer to finding an exact conversion, with no luck.
I am not overly familiar with timestamps and seem to have currently exhausted my knowledge in attempting to find the correct format for this type of timestamp.
If any further information is required then please ask.
Any ideas or directions would be greatly appreciated.
Thanks,
J
This date is the number of nanoseconds since 1/1/0001 or Windows ticks and it is supported by the Forensic Browser for SQLite.
The screenshot below shows a test table I created with your example date added in the last row.
Drop me an email if you would like a fully functional demo of the Browser.
Hi Paul,
Thank you very much for the information. Works perfectly. Can finally carry on with the research!
Thank you,
J
For future reference, it is always worth playing by dividing the number by possible seconds in a year.
If you take your number and divide by 365*24*60*60 you end up with a large number
20154671630 which does start 2015. You will probably get a better result if you use 365.25. However, a quick divide shows where data might be.
Other date starting times can be 1980, 1904, 1900 and I think something like 4912 BC.
The other way that dates are stored is bit-compressed bit patterns, such as YYYYYYYMMMMDDDDD. For this it is much easier to see if the number is looked at in hex. (Members in this group know that I hate decimal most of the time.)
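The approach discussed in the replies above (try candidate start dates and see which one gives a sensible result) can be automated when one event time is already known, as it was in the first post. The following is an added example, not code from any poster in this thread; the function names and the list of counting units are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Epoch years raised in the thread: year 1 (ticks), 1601 (LDAP), 1900, 1904, 1980,
# plus 1970 for UNIX time.
EPOCH_YEARS = (1, 1601, 1900, 1904, 1970, 1980)
# Counting units to try, expressed as "how many of this unit make one second".
UNITS_PER_SECOND = {"s": 1, "ms": 10**3, "us": 10**6, "100ns": 10**7, "ns": 10**9}


def decode_all(raw):
    """Return (epoch_year, unit, datetime) for every combination datetime can hold."""
    results = []
    for year in EPOCH_YEARS:
        epoch = datetime(year, 1, 1)
        for unit, per_second in UNITS_PER_SECOND.items():
            seconds, remainder = divmod(raw, per_second)
            micros = remainder * 10**6 // per_second
            try:
                moment = epoch + timedelta(seconds=seconds, microseconds=micros)
            except OverflowError:
                continue  # outside datetime's year 1..9999 range: not this format
            results.append((year, unit, moment))
    return results


def match_known(raw, known, tolerance=timedelta(days=1)):
    """Keep only interpretations that land within `tolerance` of a known event time."""
    return [hit for hit in decode_all(raw) if abs(hit[2] - known) <= tolerance]


if __name__ == "__main__":
    raw = 635597724527250000               # value quoted in the first post
    known = datetime(2015, 2, 17, 12, 20)  # time the first poster expected
    for year, unit, moment in match_known(raw, known):
        print(f"epoch {year:04d}-01-01, unit {unit}: {moment.isoformat()}")
```

Without the known date, the same value also decodes to plausible-looking dates under other epoch and unit pairs (for example 1990 when read as nanoseconds since 1970), which is why anchoring against a known event matters.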