A quick note, before jumping into today’s post. Tomorrow, I’ll be giving a webcast talking about the latest NoSQL ransom events. If you follow this blog, you’ll see I’ve put up several posts about this in the past few weeks. I’ll be discussing the background to the attacks, why this happened, and how to secure NoSQL instances going forward. More information on the webcast is available here.
For today’s post, I’m going to discuss another tool that is a staple of my toolkit: DateDecoder. It’s no secret to any DFIR analyst that timestamps are one of the biggest pains in the butt. Let’s not even get into timezones! Unfortunately, our artifacts do not keep identical timestamp formats, and when you extrapolate across different operating systems and third-party applications, it’s sometimes a guessing game of WTF, is this a timestamp? Luckily, there’s a tool to help simplify these questions.
DateDecoder is a neat little tool published by Sanderson Forensics. The tool is free, and available for download here. Paul Sanderson is well-known for his in-depth analysis and posts on SQLite, but he luckily shares other great, free tools with us as well. Let’s take a look at how simple DateDecoder is:
And... that’s it! That’s all you need, actually. Before we start playing around with the tool, let’s first discuss why timestamps commonly cause analysts problems.
If you’ve been doing DFIR analysis for a while, you know that no two timestamps are alike. If you’re new to DFIR, then get ready for a whirlwind of variants. Variables such as application, operating system, user preferences, or developer whims can determine what type of timestamps our artifacts keep. Sometimes, simply knowing the operating system makes it easier for us; but even then, we may not know how the timestamps are stored. Other times, no pun intended, we have to rely on the artifact itself.
Here are a few examples of this madness:
- NTFS — The number of 100ns intervals since January 1, 1601, 12:00:00 AM UTC.
- HFS+ — The number of seconds since January 1, 1904 12:00:00 AM UTC.
- Mac “Absolute Time” — The number of seconds since January 1, 2001, 12:00:00 AM UTC.
- Epoch/Unix/POSIX — The number of seconds since January 1, 1970, 12:00:00 AM UTC.
- Chrome/Webkit — The number of milliseconds since January 1, 1601, 12:00:00 AM UTC.
…so on and so forth. The list grows, and within DateDecoder, there are other formats to consider as well.
The problem isn’t that timestamps are different; it’s more about making sure we analysts are interpreting our evidence correctly. Additionally, we usually like to overlay various artifacts to paint a better picture of an investigation. For example, while the browser and the file system may keep different formats, their activity is unquestionably linked. Timestamps are what help make that link.
Using the Tool
I wish I could say it took some practice to get used to DateDecoder, but luckily Paul wrote such a solid tool that we’re given a simple, easy-to-use GUI. To convert a timestamp, simply paste a value, or a line-separated list of values, into the ‘Source date/times’ box, and click ‘Decode’:
By default, the checkbox for ‘Validate date in range’ will be selected. This will attempt to validate that your timestamp falls within a certain range; remove it and you can get output for each format that DateDecoder can convert:
Here’s the same output with a list of values:
Notice that while the tool recognized almost immediately that this was an Epoch timestamp, DateDecoder still performs the necessary calculations for every other timestamp format. I’ve actually used this in reverse before: I had a timestamp that I didn’t know the format of. Throw it into the tool, and see which format falls within the expected timeframe. This is of course then verified against the type of artifact, but it’s a little trick if you’re in a timestamp pinch. Of course, then make a note going forward of which timestamp type the artifact uses :)
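As an added example (my own sketch, not code from the post or from DateDecoder), here is what the tool is doing under the hood for the formats listed above, plus the “reverse” trick of asking which format lands inside the window the case expects. The format names, the window arguments and the sample values are constructed for illustration; I treat WebKit/Chrome values as microseconds since 1601 here, which is the unit Chromium’s time base uses.

```python
from datetime import datetime, timedelta, timezone

# Epoch origins for the formats listed in the post (all UTC).
_E1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
_E1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)
_E1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)
_E2001 = datetime(2001, 1, 1, tzinfo=timezone.utc)

# name -> (epoch, microseconds per raw unit as a (numerator, denominator) ratio).
# Integer ratios avoid float rounding on 17-digit NTFS values.
FORMATS = {
    "NTFS": (_E1601, 1, 10),               # 100 ns ticks since 1601
    "HFS+": (_E1904, 1_000_000, 1),        # seconds since 1904
    "MacAbsolute": (_E2001, 1_000_000, 1), # seconds since 2001
    "Unix": (_E1970, 1_000_000, 1),        # seconds since 1970
    # Assumption: WebKit/Chrome stored as microseconds since 1601 (Chromium time base).
    "WebKit": (_E1601, 1, 1),
}

def decode_all(raw):
    """Interpret one raw integer under every format, like DateDecoder with
    'Validate date in range' unchecked. None marks values that cannot be a date."""
    result = {}
    for name, (epoch, num, den) in FORMATS.items():
        try:
            result[name] = epoch + timedelta(microseconds=raw * num // den)
        except OverflowError:  # too far past year 9999 to be a calendar date
            result[name] = None
    return result

def plausible(raw, start_iso, end_iso):
    """The reverse trick from the post: which formats place this value inside
    the window the case expects? Window bounds are ISO-8601 strings with offset."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [n for n, dt in decode_all(raw).items() if dt is not None and start <= dt <= end]

def encode(iso, name):
    """Convert an ISO-8601 time into a raw value, e.g. to build a lookup sheet."""
    epoch, num, den = FORMATS[name]
    micros = (datetime.fromisoformat(iso) - epoch) // timedelta(microseconds=1)
    return micros * den // num

if __name__ == "__main__":
    # Constructed sample batch (not from the post): Unix, NTFS and Mac Absolute
    # encodings of 2017-02-01 00:00:00 UTC, checked against a 2017 case window.
    for raw in (1485907200, 131303808000000000, 507600000):
        print(raw, plausible(raw, "2017-01-01T00:00:00+00:00", "2017-12-31T23:59:59+00:00"))
```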
As you can see from screenshots above, we can also use DateDecoder to filter on particular formats. Here’s the previous list cleaned up:
The tool also allows for exporting of data into either XLS or CSV format:
You can drop a whole list of timestamps into the Source box, and output a sheet that can then be used as lookup values. I wouldn’t recommend trying to push an entire timeline through DateDecoder, but it can be very useful for a one-off or a small batch of conversions. It also saves me scripting the conversion sometimes!
Thanks to Paul for building and providing the community with such a great tool! As I mentioned earlier, this tool is always with me and has saved the day many times in playing the timestamp game.
Until tomorrow, Happy Forensicating!