SlideShare a Scribd company logo

(120915) #fitalk digital times

INSIGHT FORENSIC
INSIGHT FORENSIC

This document discusses different digital time formats used in forensic analysis and provides examples of how to convert between them. It introduces tools like time_maker.py for working with different time formats. The key time formats discussed include Windows 64-bit time, Unix time, FILETIME, Google Chrome time, Mac time, MS-DOS time, and HFS time. Conversion methods between these formats are explained, such as how Windows 64-bit time relates to Unix time and how different platforms measure time origins.

Technology
1 of 24
Download to read offline
FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
forensicinsight.org Page 3 / 25 UTC and GMT
forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
forensicinsight.org Page 5 / 25 Time Unit
forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
forensicinsight.org Page 7 / 25 Digital Times
forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
forensicinsight.org Page 21 / 25 Tool : time_maker
forensicinsight.org Page 22 / 25 Tool : time_maker.py
forensicinsight.org Page 23 / 25 Q & A
forensicinsight.org Page 24 / 25 Q & A

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120513) #fitalk a dig into the $log file
(120513) #fitalk a dig into the $log file(120513) #fitalk a dig into the $log file
(120513) #fitalk a dig into the $log fileINSIGHT FORENSIC
 
(120513) #fitalk windows 8 forensics
(120513) #fitalk windows 8 forensics(120513) #fitalk windows 8 forensics
(120513) #fitalk windows 8 forensicsINSIGHT FORENSIC
 
(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recoveryINSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120513) #fitalk a dig into the $log file
(120513) #fitalk a dig into the $log file(120513) #fitalk a dig into the $log file
(120513) #fitalk a dig into the $log fileINSIGHT FORENSIC
 
(120513) #fitalk windows 8 forensics
(120513) #fitalk windows 8 forensics(120513) #fitalk windows 8 forensics
(120513) #fitalk windows 8 forensicsINSIGHT FORENSIC
 
(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recovery(120211) #fitalk sq lite record recovery
(120211) #fitalk sq lite record recoveryINSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifactsINSIGHT FORENSIC
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응INSIGHT FORENSIC
 
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)INSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensicsINSIGHT FORENSIC
 
Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functionsProgrammer Blog
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date timeWalker Maidana
 
Epoch Time
Epoch TimeEpoch Time
Epoch TimeGurudutt07
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3allanh0526
 
jkfdlsajfklafj
jkfdlsajfklafjjkfdlsajfklafj
jkfdlsajfklafjPlanetExpressATX
 
doc
docdoc
docPlanetExpressATX
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsDroidConTLV
 
Python datetime
Python datetimePython datetime
Python datetimesureshraj43
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8Serhii Kartashov
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLagamaPasala
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안INSIGHT FORENSIC
 

More Related Content

Viewers also liked

(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifactsINSIGHT FORENSIC
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensicsINSIGHT FORENSIC
 
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응INSIGHT FORENSIC
 
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)INSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensicsINSIGHT FORENSIC
 

Viewers also liked (6)

(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
(Ficon2016) #6 귀사의 보안 프로그램은 안녕하신가요
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics(130720) #fitalk trends in d forensics
(130720) #fitalk trends in d forensics
 
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
(Fios#02) 3. 빠르게 끝내는 악성코드 분석과 대응
 
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
(120804) #fitalk advanced mac os forensics (hfs+ filesystem)
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 

Similar to (120915) #fitalk digital times

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functionsProgrammer Blog
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3allanh0526
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsDroidConTLV
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8Serhii Kartashov
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLagamaPasala
 

Similar to (120915) #fitalk digital times (10)

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functions
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date time
 
Epoch Time
Epoch TimeEpoch Time
Epoch Time
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3
 
jkfdlsajfklafj
jkfdlsajfklafjjkfdlsajfklafj
jkfdlsajfklafj
 
doc
docdoc
doc
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
 
Python datetime
Python datetimePython datetime
Python datetime
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptx
 

More from INSIGHT FORENSIC

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안INSIGHT FORENSIC
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatchINSIGHT FORENSIC
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석INSIGHT FORENSIC
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysisINSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threatINSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recoveryINSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in koreaINSIGHT FORENSIC
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memoryINSIGHT FORENSIC
 
(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dumpINSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 
(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea(130105) #fitalk criminal civil judicial procedure in korea
(130105) #fitalk criminal civil judicial procedure in korea
 
(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory(131116) #fitalk extracting user typing history on bash in mac os x memory
(131116) #fitalk extracting user typing history on bash in mac os x memory
 
(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump(131102) #fitalk get windows logon password in memory dump
(131102) #fitalk get windows logon password in memory dump
 

Recently uploaded

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

(120915) #fitalk digital times

  • 1. FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
  • 2. forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
  • 3. forensicinsight.org Page 3 / 25 UTC and GMT
  • 4. forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
  • 5. forensicinsight.org Page 5 / 25 Time Unit
  • 6. forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
  • 7. forensicinsight.org Page 7 / 25 Digital Times
  • 8. forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
  • 9. forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
  • 10. forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
  • 11. forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
  • 12. forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
  • 13. forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
  • 14. forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
  • 15. forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
  • 16. forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
  • 17. forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
  • 18. forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
  • 19. forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
  • 20. forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
  • 21. forensicinsight.org Page 21 / 25 Tool : time_maker
  • 22. forensicinsight.org Page 22 / 25 Tool : time_maker.py