SlideShare a Scribd company logo

(120915) #fitalk digital times

INSIGHT FORENSIC
INSIGHT FORENSIC

2012 F-INSIGHT TALK

Technology
1 of 24
Download to read offline
FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
forensicinsight.org Page 3 / 25 UTC and GMT
forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
forensicinsight.org Page 5 / 25 Time Unit
forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
forensicinsight.org Page 7 / 25 Digital Times
forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
forensicinsight.org Page 21 / 25 Tool : time_maker
forensicinsight.org Page 22 / 25 Tool : time_maker.py
forensicinsight.org Page 23 / 25 Q & A
forensicinsight.org Page 24 / 25 Q & A

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for funINSIGHT FORENSIC
 
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaWww1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaGRAND_GOUT
 
Sajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafSajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafAzwira Ariwana
 
Blago sa tavana
Blago sa tavanaBlago sa tavana
Blago sa tavanaLimundo
 

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for funINSIGHT FORENSIC
 
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaWww1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaGRAND_GOUT
 
Sajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafSajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafAzwira Ariwana
 
Blago sa tavana
Blago sa tavanaBlago sa tavana
Blago sa tavanaLimundo
 
(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacksINSIGHT FORENSIC
 
Sajak Adat Sezaman
Sajak Adat SezamanSajak Adat Sezaman
Sajak Adat SezamanAzwira Ariwana
 
Hikayat Inderaputera
Hikayat InderaputeraHikayat Inderaputera
Hikayat InderaputeraAzwira Ariwana
 
SwiftLint
SwiftLintSwiftLint
SwiftLintSyo Ikeda
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Yusaku Kawaguchi
 
Kata Sendi Nama
Kata Sendi NamaKata Sendi Nama
Kata Sendi NamaNur Ain Mohd. Amin
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석INSIGHT FORENSIC
 
Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functionsProgrammer Blog
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date timeWalker Maidana
 
Epoch Time
Epoch TimeEpoch Time
Epoch TimeGurudutt07
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3allanh0526
 
jkfdlsajfklafj
jkfdlsajfklafjjkfdlsajfklafj
jkfdlsajfklafjPlanetExpressATX
 
doc
docdoc
docPlanetExpressATX
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsDroidConTLV
 
Python datetime
Python datetimePython datetime
Python datetimesureshraj43
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8Serhii Kartashov
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLagamaPasala
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 

More Related Content

Viewers also liked

(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacksINSIGHT FORENSIC
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Yusaku Kawaguchi
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석INSIGHT FORENSIC
 

Viewers also liked (7)

(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks
 
Sajak Adat Sezaman
Sajak Adat SezamanSajak Adat Sezaman
Sajak Adat Sezaman
 
Hikayat Inderaputera
Hikayat InderaputeraHikayat Inderaputera
Hikayat Inderaputera
 
SwiftLint
SwiftLintSwiftLint
SwiftLint
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出
 
Kata Sendi Nama
Kata Sendi NamaKata Sendi Nama
Kata Sendi Nama
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석
 

Similar to (120915) #fitalk digital times

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functionsProgrammer Blog
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3allanh0526
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsDroidConTLV
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8Serhii Kartashov
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLagamaPasala
 

Similar to (120915) #fitalk digital times (10)

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functions
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date time
 
Epoch Time
Epoch TimeEpoch Time
Epoch Time
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3
 
jkfdlsajfklafj
jkfdlsajfklafjjkfdlsajfklafj
jkfdlsajfklafj
 
doc
docdoc
doc
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
 
Python datetime
Python datetimePython datetime
Python datetime
 
JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8JSR 310. New Date API in Java 8
JSR 310. New Date API in Java 8
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptx
 

More from INSIGHT FORENSIC

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensicsINSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fsINSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trendINSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifactsINSIGHT FORENSIC
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatchINSIGHT FORENSIC
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석INSIGHT FORENSIC
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysisINSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threatINSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensicsINSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threatINSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recoveryINSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)INSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

(120915) #fitalk digital times

  • 1. FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
  • 2. forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
  • 3. forensicinsight.org Page 3 / 25 UTC and GMT
  • 4. forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
  • 5. forensicinsight.org Page 5 / 25 Time Unit
  • 6. forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
  • 7. forensicinsight.org Page 7 / 25 Digital Times
  • 8. forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
  • 9. forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
  • 10. forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
  • 11. forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
  • 12. forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
  • 13. forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
  • 14. forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
  • 15. forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
  • 16. forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
  • 17. forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
  • 18. forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
  • 19. forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
  • 20. forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
  • 21. forensicinsight.org Page 21 / 25 Tool : time_maker
  • 22. forensicinsight.org Page 22 / 25 Tool : time_maker.py