SlideShare a Scribd company logo

(120915) #fitalk digital times

INSIGHT FORENSIC
INSIGHT FORENSIC

This document discusses different digital time formats used in forensic analysis and provides examples of how to convert between them. It introduces tools like time_maker.py for working with different time formats. The key time formats discussed include Windows 64-bit time, Unix time, FILETIME, Google Chrome time, Mac time, MS-DOS time, and HFS time. Conversion methods between these formats are explained, such as how Windows 64-bit time relates to Unix time and how different platforms measure time origin points.

1 of 24
Download to read offline
FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
forensicinsight.org Page 3 / 25 UTC and GMT
forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
forensicinsight.org Page 5 / 25 Time Unit
forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
forensicinsight.org Page 7 / 25 Digital Times
forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
forensicinsight.org Page 21 / 25 Tool : time_maker
forensicinsight.org Page 22 / 25 Tool : time_maker.py
forensicinsight.org Page 23 / 25 Q & A
forensicinsight.org Page 24 / 25 Q & A

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.
Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
INSIGHT FORENSIC
 
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaWww1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
GRAND_GOUT
 
Sajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafSajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafAzwira Ariwana
 
Blago sa tavana
Blago sa tavanaBlago sa tavana
Blago sa tavana
Limundo
 

Recommended

Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Will the computer world collapse in 2038?
Will the computer world collapse in 2038?Joris Berthelot
 
Y2 k38.
Y2 k38.Y2 k38.
Y2 k38.
Presentaionslive.blogspot.com
 
Y2k38
Y2k38Y2k38
Y2k38KiruthikaTamilarasan
 
Convertidor de horas en C#
Convertidor de horas en C#Convertidor de horas en C#
Convertidor de horas en C#pequemec
 
(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun(120303) #fitalk ip finder and geo ip for fun
(120303) #fitalk ip finder and geo ip for fun
INSIGHT FORENSIC
 
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_kogaWww1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
Www1 serbiancafe com_lat_diskusije_mesg_15_015802633_za_koga
GRAND_GOUT
 
Sajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafSajak Mengintai Ruang Insaf
Sajak Mengintai Ruang InsafAzwira Ariwana
 
Blago sa tavana
Blago sa tavanaBlago sa tavana
Blago sa tavana
Limundo
 
(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks
INSIGHT FORENSIC
 
Sajak Adat Sezaman
Sajak Adat SezamanSajak Adat Sezaman
Sajak Adat SezamanAzwira Ariwana
 
Hikayat Inderaputera
Hikayat InderaputeraHikayat Inderaputera
Hikayat InderaputeraAzwira Ariwana
 
SwiftLint
SwiftLintSwiftLint
SwiftLint
Syo Ikeda
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出
Yusaku Kawaguchi
 
Kata Sendi Nama
Kata Sendi NamaKata Sendi Nama
Kata Sendi Nama
Nur Ain Mohd. Amin
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석
INSIGHT FORENSIC
 
Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functions
Programmer Blog
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date timeWalker Maidana
 
Epoch Time
Epoch TimeEpoch Time
Epoch Time
Gurudutt07
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3
allanh0526
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
DroidConTLV
 
Python datetime
Python datetimePython datetime
Python datetime
sureshraj43
 
Python time
Python timePython time
Python time
Janu Jahnavi
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptx
LagamaPasala
 
(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
INSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
INSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
INSIGHT FORENSIC
 

More Related Content

Viewers also liked

(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks
INSIGHT FORENSIC
 
SwiftLint
SwiftLintSwiftLint
SwiftLint
Syo Ikeda
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出
Yusaku Kawaguchi
 
Kata Sendi Nama
Kata Sendi NamaKata Sendi Nama
Kata Sendi Nama
Nur Ain Mohd. Amin
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석
INSIGHT FORENSIC
 

Viewers also liked (7)

(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks(120107) #fitalk mft and indx slacks
(120107) #fitalk mft and indx slacks
 
Sajak Adat Sezaman
Sajak Adat SezamanSajak Adat Sezaman
Sajak Adat Sezaman
 
Hikayat Inderaputera
Hikayat InderaputeraHikayat Inderaputera
Hikayat Inderaputera
 
SwiftLint
SwiftLintSwiftLint
SwiftLint
 
Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出Nagoya.R #15 順位相関係数の信頼区間の算出
Nagoya.R #15 順位相関係数の信頼区間の算出
 
Kata Sendi Nama
Kata Sendi NamaKata Sendi Nama
Kata Sendi Nama
 
(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석(Fios#02) 7. 윈도우 10 포렌식 분석
(Fios#02) 7. 윈도우 10 포렌식 분석
 

Similar to (120915) #fitalk digital times

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functions
Programmer Blog
 
Epoch Time
Epoch TimeEpoch Time
Epoch Time
Gurudutt07
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3
allanh0526
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
DroidConTLV
 
Python datetime
Python datetimePython datetime
Python datetime
sureshraj43
 
Python time
Python timePython time
Python time
Janu Jahnavi
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptx
LagamaPasala
 

Similar to (120915) #fitalk digital times (8)

Php date & time functions
Php date & time functionsPhp date & time functions
Php date & time functions
 
17 ruby date time
17 ruby date time17 ruby date time
17 ruby date time
 
Epoch Time
Epoch TimeEpoch Time
Epoch Time
 
How to work with dates and times in swift 3
How to work with dates and times in swift 3How to work with dates and times in swift 3
How to work with dates and times in swift 3
 
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and TipsAndroid Crash analysis and The Dalvik Garbage collector – Tools and Tips
Android Crash analysis and The Dalvik Garbage collector – Tools and Tips
 
Python datetime
Python datetimePython datetime
Python datetime
 
Python time
Python timePython time
Python time
 
Lesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptxLesson 05 - Time in Distrributed System.pptx
Lesson 05 - Time in Distrributed System.pptx
 

More from INSIGHT FORENSIC

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
INSIGHT FORENSIC
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
INSIGHT FORENSIC
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
INSIGHT FORENSIC
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
INSIGHT FORENSIC
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
INSIGHT FORENSIC
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
INSIGHT FORENSIC
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
INSIGHT FORENSIC
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
INSIGHT FORENSIC
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
INSIGHT FORENSIC
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
INSIGHT FORENSIC
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
INSIGHT FORENSIC
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
INSIGHT FORENSIC
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
INSIGHT FORENSIC
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
INSIGHT FORENSIC
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
INSIGHT FORENSIC
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
INSIGHT FORENSIC
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
INSIGHT FORENSIC
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
INSIGHT FORENSIC
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
INSIGHT FORENSIC
 

More from INSIGHT FORENSIC (20)

(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics(160820) #fitalk fileless malware forensics
(160820) #fitalk fileless malware forensics
 
(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)(150124) #fitalk advanced $usn jrnl forensics (korean)
(150124) #fitalk advanced $usn jrnl forensics (korean)
 
(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)(150124) #fitalk advanced $usn jrnl forensics (english)
(150124) #fitalk advanced $usn jrnl forensics (english)
 
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs(140118) #fitalk detection of anti-forensics artifacts using ioa fs
(140118) #fitalk detection of anti-forensics artifacts using ioa fs
 
(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend(140118) #fitalk 2013 e-discovery trend
(140118) #fitalk 2013 e-discovery trend
 
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
(141031) #fitalk plaso 슈퍼 타임라인 분석 도구 활용 방안
 
(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts(141031) #fitalk os x yosemite artifacts
(141031) #fitalk os x yosemite artifacts
 
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식(140716) #fitalk 전자금융사고에서의 디지털 포렌식
(140716) #fitalk 전자금융사고에서의 디지털 포렌식
 
(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch(140716) #fitalk digital evidence from android-based smartwatch
(140716) #fitalk digital evidence from android-based smartwatch
 
(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석(140625) #fitalk sq lite 소개와 구조 분석
(140625) #fitalk sq lite 소개와 구조 분석
 
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석(140407) #fitalk d trace를 이용한 악성코드 동적 분석
(140407) #fitalk d trace를 이용한 악성코드 동적 분석
 
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법(140625) #fitalk sq lite 삭제된 레코드 복구 기법
(140625) #fitalk sq lite 삭제된 레코드 복구 기법
 
(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis(130216) #fitalk reverse connection tool analysis
(130216) #fitalk reverse connection tool analysis
 
(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
 
(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)(130202) #fitalk trends in d forensics (jan, 2013)
(130202) #fitalk trends in d forensics (jan, 2013)
 
(130202) #fitalk china threat
(130202) #fitalk china threat(130202) #fitalk china threat
(130202) #fitalk china threat
 
(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics(130119) #fitalk sql server forensics
(130119) #fitalk sql server forensics
 
(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat(130119) #fitalk apt, cyber espionage threat
(130119) #fitalk apt, cyber espionage threat
 
(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery(130119) #fitalk all about physical data recovery
(130119) #fitalk all about physical data recovery
 
(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)(130105) #fitalk trends in d forensics (dec, 2012)
(130105) #fitalk trends in d forensics (dec, 2012)
 

Recently uploaded

ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
CatarinaPereira64715
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
Abida Shariff
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
Bhaskar Mitra
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 

Recently uploaded (20)

ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
 
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptxIOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
IOS-PENTESTING-BEGINNERS-PRACTICAL-GUIDE-.pptx
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 

(120915) #fitalk digital times

  • 1. FORENSIC INSIGHT SEMINAR Digital Times dorumugs Malware.co.kr And yet it does move
  • 2. forensicinsight.org Page 2 / 25 Index 1. UTC and GMT 2. Time Unit 3. Digital Times 4. Many Kinds of Times 5. Tool : time_maker 6. Q&A
  • 3. forensicinsight.org Page 3 / 25 UTC and GMT
  • 4. forensicinsight.org Page 4 / 25 UTC(Universal Time Code) and GMT(Greenwich Mean Time)  There is a little GAP between UTC and GMT. But we used to handle two times in the same way.  UTC : http://en.wikipedia.org/wiki/Coordinated_Universal_Time  GMT : http://en.wikipedia.org/wiki/Greenwich_Mean_Time
  • 5. forensicinsight.org Page 5 / 25 Time Unit
  • 6. forensicinsight.org Page 6 / 25 Time Unit  1 o' clock is 3600 seconds  1 day is 86400 seconds  1 year is 8760 hours  1 year is 31536000 seconds  1 second is 1000000000 nanoseconds  1 second is 1000000 microseconds  1 second is 1000 milliseconds  URL : http://www.convertworld.com/ko/time/
  • 7. forensicinsight.org Page 7 / 25 Digital Times
  • 8. forensicinsight.org Page 8 / 25 Digital Times Time Format Detail Example Usage w64 Windows 64bit Big Time 129943698100000000 w64_big_h (Hex) Windows 64bit Big Time 01cda71ade0d1500 w64_lit_h (Hex) Windows 64bit Little Time 00150dde1aa7cd01 NTFS(MFT), INFO2, Registry, Index.dat, Link File wfiletime (Hex) Windows FILETIME Time de0d1500:01cda71a wcookie Windows Cookie Date Time 372539929630254000 chrome Google Chrome Time 12994369810317300 History (Google Chrome), Cookies (Google Chrome)
  • 9. forensicinsight.org Page 9 / 25 Digital Times Time Format Detail Example Usage unum Unix Numeric Time 1349896210 moz_cookies (firefox), global_history.dat (opera) umilli Unix Millisecond Time 1349896210000 umicro Unix Microsecond Time 1349896210000000 moz_cookies (firefox) unum_big_h (Hex) Unix Numeric Big Time 5075c812 unum_lit_h (Hex) Unix Numeric Little Time 12c87550 EXT2, EXT3, EXT4
  • 10. forensicinsight.org Page 10 / 25 Digital Times Time Format Detail Example Usage mac_ab Mac Absolute Time 371589010 History.plist(safari) mac_ab_h (Hex) Mac Absolute Time 1625ff92 ms32_big_h (Hex) MS-DOS 32bit Big Time 414a994a ms32_lit_h (Hex) MS-DOS 32bit Little Time 4a994a41 PE Compiled Time hfs32_big_h (hex) HFS 32bit Big Time cc9b7892 sms.db(Iphone), HFS+ hfs32_lit_h (hex) HFS 32bit Little Time 92789bcc
  • 11. forensicinsight.org Page 11 / 25 Many Kinds of Times - Windows 64bit Time - Windows FILETIME Time - Unix Numeric Time - Unix Millisecond Time - Unix Microsecond Time - Windows Cookie Date Time - Google Chrome Time - Mac Absolute Time - MS-DOS 32bit Time - HFS 32bit Time
  • 12. forensicinsight.org Page 12 / 25 Many Kinds of Times  Seconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Example • 63072000 => 1972-01-01 00:00:00 (31536000 Seconds is 1 year) Unix Numeric Time
  • 13. forensicinsight.org Page 13 / 25 Many Kinds of Times  MilliSeconds From 1970 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  Not exist From 1970 To 1972. Because UTC is from 1972-01-01  Unix Millisecond Time = Unix Numeric Time * 1000  Example • 315532800 * 1000 => 315532800000 Unix Millisecond Time
  • 14. forensicinsight.org Page 14 / 25 Many Kinds of Times  Nano Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  116444736000000000 Nano Seconds is 1970-01-01 00:00:00  windows_64bit_time = windows 64bit start + (unix numeric time * 10000000) • You can calculate windows 64bit time by 10000000 Not 1000000000  1 second is 10000000 nano seconds  Example • 119600064000000000 => 1980-01-01 00:00:00 Windows 64bit Time
  • 15. forensicinsight.org Page 15 / 25 Many Kinds of Times  Windows 64bit Time => Hex => 1212121234343434 => 34343434:12121212  Example • 01cda71ade0d1500 => de0d1500:01cda71a Windows FILETIME Time
  • 16. forensicinsight.org Page 16 / 25 Many Kinds of Times  Windows Filetime => 34343434:12121212 => decimal(34343434),decimal(12121212)  Exmaple • de0d1500:01cda71a => 3725399296,30254874 Windows Cookie Date Time
  • 17. forensicinsight.org Page 17 / 25 Many Kinds of Times  Micro Seconds From 1601 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Nano Second  11644473600000000 Micro seconds is 1970 Year 01 Month 01 day 00 Hour 00 Minute 00 Second  Google Chrome Time = Windows 64bit time / 10  1 Second is 1000000 Micro Seconds  Example • 119600064000000000 => 11960006400000000 Google Chrome Time
  • 18. forensicinsight.org Page 18 / 25 Many Kinds of Times  Seconds From 2001 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  MAC Absolute_time = Unix Numeric Time - 978307200  978307200 Seconds is Unix Time from 2001-01-01 00:00:00  Example • 0 => 2001-01-01 00:00:00 Mac Absolute Time
  • 19. forensicinsight.org Page 19 / 25 Many Kinds of Times  0000000|0000|00000|00000|000000|00000 Year Month Day Hour Minute Second  Year = Input Year - 1980  bin(Month,Day,Hour,Minute,Second) = Input Month,Day,Hour,Minute - 0  bin(Second) = (Input Second -0) / 2  Example • Decimal(101010001000010000000000000000) => Hex(706805760) => 0x2A210000  Systems record MS-DOS 32bit Time by little endian. You can see just 0x00002100 not 0x2A210000. MS-DOS 32bit Time
  • 20. forensicinsight.org Page 20 / 25 Many Kinds of Times  Seconds From 1904 Year 01 Month 01 Day / 00 Hour 00 Minute 00 Second  HFS 32bit Time = 2082844800 + unix_numeric_time  2082844800 Seconds is Unix Time from 1904-01-01 00:00:00 to 1970-01-01 00:00:00  Example • 8ef45680 => 1980-01-01 00:00:00 HFS 32bit Time
  • 21. forensicinsight.org Page 21 / 25 Tool : time_maker
  • 22. forensicinsight.org Page 22 / 25 Tool : time_maker.py