Friday, March 13, 2026

Digital Forensics: Timestamp Decoder


What is Timestamp Decoder?

Timestamp Decoder is a free forensic utility for converting data found on desktop and mobile devices into human-readable timestamps. It is the most comprehensive tool available for decoding timestamps.

To open this case in the software, an investigator would launch Autopsy, click Open Case, and select the Drug_Dealer.aut file.

The Target Evidence: You can see that the archive (J8AXB7647798GRJ-20210421_0920.tar), which was added as a Logical File data source in your earlier steps, has been successfully reloaded and mapped under the LogicalFileSet1 host directory.

Step 1: Navigating the File System (Data Sourcing)
Path: com.android.providers.calendar -> databases
This directory contains the database files responsible for storing the device's native calendar data.

Step 2: Selecting the Target Database

In the top-center Listing panel, the database file has been selected:

  • File Name: calendar.db

  • File Path: The full path at the top reveals it originates from the ingested logical file extraction: /LogicalFileSet1/Image/J8AXB7647798GRJ-20210421_0920.tar/data/data/com.android.providers.calendar/databases

Step 3: Utilizing the Built-In SQLite Viewer

Instead of viewing raw data, the investigator clicked the Application tab in the lower content viewer pane.

  • Autopsy automatically recognizes that calendar.db is an SQLite database.

Step 4: Analyzing the Target Evidence Row

The investigator has highlighted Row 36, which contains highly relevant data for the case:

  • title: The entry is named "Pizza delivery". (In drug investigations, this is often a code word used for a transaction/drop-off).

  • eventLocation: Autopsy extracts GPS coordinates directly from this field: 33.529455426023574, -112.0847381568517. This allows investigators to pinpoint exactly where the meeting was planned to take place on a map.

  • dtstart / dtend: These columns contain Unix epoch timestamps (1618039800000).


To convert the Unix timestamp identified in your forensic evidence, follow these step-by-step

Option 1: Using DCode (Forensic Tool)

DCode is a specialized tool for investigators to handle multiple timestamp formats.


  1. Select Format: In the Decode Format dropdown, select Unix: Numeric Value.

  2. Set Time Zone: Ensure Add Bias is set to UTC 00:00 for a standard forensic report.

  3. Input Value: Type or paste 1618039800000 into the Value to Decode field.

  4. Execute: Click the Decode button.

  5. Result: The Date & Time field will display Sat, 10 April 2021 07:30:00 UTC.

 

Option 2: Using EpochConverter (Online)


  1. Input: Enter 1618039800000 into the main conversion box.

  2. Convert: Click Timestamp to readable date.

  3. Check Precision: The tool will automatically assume the timestamp is in milliseconds because it is 13 digits long.

  4. Result: It will show the date as Saturday, April 10, 2021 at 7:30:00 AM GMT.

Option 3: Using CyberChef (Advanced Web Tool): https[:]//gchq.github[.]io/CyberChef

  1. Select Category: Click on Date / Time in the left-hand operations pane.

  2. Choose Recipe: Drag From UNIX Timestamp into the Recipe column.

  3. Configure Units: In the recipe options, change the Units dropdown to Milliseconds (ms).

  4. Input Data: Paste 1618039800000 into the Input box on the top right.

  5. Result: The converted time, Sat 10 April 2021 07:30:00.000 UTC, will appear instantly in the Output box.
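The same conversion can be scripted directly against the database so the result is reproducible in a report. The following is an added example, not part of the original walkthrough: it assumes the calendar rows live in a table named Events with an _id column (neither name appears on this page), and it builds a constructed in-memory stand-in for calendar.db holding the one row discussed above, with dtend left NULL because the page gives no separate value for it.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def decode_unix(value):
    """Decode a Unix epoch integer to an aware UTC datetime (None for NULL).

    Unit is a heuristic on digit count: up to 10 digits = seconds,
    11-13 = milliseconds, 14-16 = microseconds.
    """
    if value is None:
        return None
    value = int(value)
    digits = len(str(abs(value)))
    if digits <= 10:
        micros = value * 1_000_000
    elif digits <= 13:
        micros = value * 1_000
    elif digits <= 16:
        micros = value
    else:
        raise ValueError(f"unexpected epoch length: {digits} digits")
    # Integer arithmetic avoids float rounding on sub-second values.
    return EPOCH + timedelta(microseconds=micros)

def calendar_events(conn):
    """Return (row id, title, location, start UTC, end UTC) per Events row."""
    rows = conn.execute(
        "SELECT _id, title, eventLocation, dtstart, dtend FROM Events ORDER BY _id")
    return [(i, t, loc, decode_unix(s), decode_unix(e)) for i, t, loc, s, e in rows]

def sample_db():
    """Constructed stand-in for calendar.db (table name and _id are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Events (_id INTEGER PRIMARY KEY, title TEXT, "
                 "eventLocation TEXT, dtstart INTEGER, dtend INTEGER)")
    conn.execute("INSERT INTO Events VALUES (?, ?, ?, ?, ?)",
                 (36, "Pizza delivery", "33.529455426023574, -112.0847381568517",
                  1618039800000, None))  # dtend NULL: no value given on the page
    return conn

if __name__ == "__main__":
    for row_id, title, loc, start, end in calendar_events(sample_db()):
        fmt = lambda d: d.strftime("%a, %d %B %Y %H:%M:%S UTC") if d else "(null)"
        print(f"row {row_id}: {title!r} at {loc} | start {fmt(start)} | end {fmt(end)}")
```

To run it against an exported copy of the database instead of the sample, pass `sqlite3.connect("file:calendar.db?mode=ro", uri=True)` to `calendar_events` so the file is opened read-only.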



Note: The content on this website is intended for informational and educational purposes only, as a memory aid.


* If any of the information here is in error, my apologies; please notify the Admin so it can be corrected.
Thank you.

#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud
