Usefulness of Epoch in Digital Forensics Investigation (UNIX and MacOS perspective)



In digital forensics investigation, the epoch plays an important role in event reconstruction, so this post gives a detailed look at the UNIX and macOS epoch values. An epoch is the reference date and time from which a computer derives its clock and timestamp values; it is also referred to as epoch time, POSIX time, and Unix time. In simple words, it is the starting point from which the operating system determines a computer's date and time by counting ticks (seconds, nanoseconds, or picoseconds). Epoch values persist in file metadata, system files, log files, and other metadata files. The value of the epoch varies from operating system (OS) to OS and from file system to file system.

The epoch traditionally corresponds to 0 hours, 0 minutes, and 0 seconds Coordinated Universal Time (UTC) on a specific date, which varies from system to system, as the starting date of each system is different.

List of operating systems with their counter value and epoch.

OPERATING SYSTEM                      COUNTER VALUE   EPOCH
Apple macOS                           1 sec           January 1, 1904 to February 6, 2040
NSDate in Apple's Cocoa framework     1 sec           1 January 2001
Microsoft DOS                         1 sec           January 1, 1980 to January 1, 2108
Microsoft Windows                     100 ns          January 1, 1601 to AD 30828
POSIX                                 1 sec           January 1, 1970 to January 19, 2038
Unix                                  1 sec           January 1, 1970 to January 19, 2038
Microsoft Excel                       1 sec           0 January 1900 (31 December 1899)


Why is an epoch-based date and time representation used?

An epoch-based time representation lets operating systems manage the system date and time efficiently for logging and timestamping. Suppose you want to add or subtract a time value: with an epoch counter you need no conversion, because the arithmetic is done directly on the integer.

Epoch time conversion examples in Ubuntu

You can run the following commands in your own terminal to convert dates and times to and from Unix epoch time.

Example 1: to convert a timestamp to a human-readable date, substitute your own timestamp for the one in the example.

For IST:


For UTC (Coordinated Universal Time) :
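As an added example, not the post's own terminal commands, the same conversion in Python, both from a Unix timestamp to a human-readable time and back, rendered in IST and in UTC. IST is a fixed UTC+05:30 offset with no daylight saving, so a fixed-offset tzinfo (constructed here) is exact and no timezone database is needed.

```python
import datetime as dt

UTC = dt.timezone.utc
# IST is always UTC+05:30, so a fixed offset is correct (constructed tzinfo).
IST = dt.timezone(dt.timedelta(hours=5, minutes=30), "IST")


def epoch_to_text(epoch_seconds: int, tz: dt.timezone) -> str:
    """Render a Unix timestamp as wall-clock time in the given zone."""
    when = dt.datetime.fromtimestamp(epoch_seconds, tz=tz)
    return when.strftime("%Y-%m-%d %H:%M:%S %Z")


def text_to_epoch(text: str, tz: dt.timezone) -> int:
    """Parse 'YYYY-MM-DD HH:MM:SS' as wall-clock time in tz; return Unix seconds."""
    naive = dt.datetime.strptime(text, "%Y-%m-%d %H:%M:%S")
    # Attach the zone explicitly; a naive datetime would silently be taken as
    # the machine's local time, which is a common source of wrong timelines.
    return int(naive.replace(tzinfo=tz).timestamp())


def same_instant(text_a: str, tz_a: dt.timezone, text_b: str, tz_b: dt.timezone) -> bool:
    """True when two wall-clock readings in different zones denote one moment."""
    return text_to_epoch(text_a, tz_a) == text_to_epoch(text_b, tz_b)


if __name__ == "__main__":
    sample = 1656526819   # Unix timestamp quoted later in this post
    print("IST:", epoch_to_text(sample, IST))
    print("UTC:", epoch_to_text(sample, UTC))
    print("back to epoch:", text_to_epoch("2022-06-29 23:50:19", IST))
```

The two renderings of one timestamp differ by exactly the 5:30 offset; when correlating logs from machines in different zones, convert everything to epoch seconds (or UTC) first and compare those, never the wall-clock strings.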


Converting epoch to human readable date and time

Many programming languages have functions that convert an epoch value. The following code is an example of converting an epoch value to a date and time using Python.

For UNIX/LINUX:

The Unix epoch is 00:00:00 UTC on 1 January 1970.

Let us derive the date and time for a Unix timestamp using Python.

    import datetime

    epoch_time = int(input("Enter the epoch time of unix: "))

    # Seconds since 00:00:00 UTC, 1 January 1970, rendered in the local timezone;
    # pass tz=datetime.timezone.utc to fromtimestamp() for a UTC result.
    timestamp = datetime.datetime.fromtimestamp(epoch_time)

    print(timestamp.strftime('%Y-%m-%d %H:%M:%S'))


FOR MAC:

The macOS epoch is 00:00:00 UTC on 1 January 2001; it is the epoch used by Apple's Cocoa framework (NSDate and Core Data).

The following code converts a Core Data epoch timestamp to a human-readable date and time.

    import datetime

    epoch_time = int(input("Enter the core data timestamp: "))

    # Core Data counts seconds from 00:00:00 UTC, 1 January 2001; adding the
    # 978307200-second gap between the two epochs gives the Unix timestamp.
    c = 978307200 + epoch_time

    # fromtimestamp() renders in the local timezone; pass
    # tz=datetime.timezone.utc for a UTC result.
    timestamp = datetime.datetime.fromtimestamp(c)

    print(timestamp.strftime('%Y-%m-%d %H:%M:%S'))

The difference between a Core Data timestamp and a Unix timestamp (seconds since 1/1/1970) is 978307200 seconds. Hence it is added to the Core Data epoch value to obtain the corresponding Unix time for macOS, as in the line c = 978307200 + epoch_time in the code above.


Earlier Y2K Problem

The Y2K problem takes its name from Y for year and 2K for the year 2000. It arose because computer storage was expensive at the time, so programmers minimised its use. As computers came into wide use in the 20th century, the way years were stored became a problem: programs stored only the last two digits of the year and simply prefixed "19", instead of keeping all four digits. Before 2000 this saved a lot of disk space, which in turn saved money.

Problems arose due to Y2K

1. Taxi meters stopped working in some countries, thus giving incorrect fares.
2. In the United States, the US Naval Observatory, which runs the master clock that keeps the country's official time, gave the date on its website as 1 Jan 19100.


2038 Problem

The Year 2038 problem is a software bug in computer systems that will cause time and date calculations to be handled incorrectly: times after 03:14:07 UTC on 19 January 2038 cannot be represented.

The standard time library traditionally stores time values in a 4-byte (32-bit) format. This format takes January 1, 1970, at 12:00:00 a.m. as the beginning of time, which is 0 as stated earlier, and expresses any date/time value as the number of seconds following that zero value. For example, the current epoch value at the time of writing is 1656526819 seconds after zero, from which the current date and time can be found.

As we know, a signed 4-byte integer has a maximum value of 2147483647. This is where the Year 2038 problem arises: the largest valid time value is 2147483647, which is equivalent to 03:14:07 UTC on January 19, 2038. From that moment, any operating system that uses the standard time library in this 32-bit form will start to have problems with date calculations.

Since there is no universal solution yet, one possible solution is to use 8-byte values for the storage format, i.e. a signed 64-bit integer. Such a counter can hold the epoch in milliseconds or microseconds and still provide a minimum range of 300,000 years at microsecond resolution.

So the Year 2038 problem should not be nearly as hard to fix as the Y2K problem was.
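To make the overflow concrete, the following added example (not code from the original post) decodes a Unix second count both with Python's unbounded integers and as a signed 32-bit store would, using a small helper that wraps a value into the int32 range the way C integer truncation does. It also computes how many years a signed 64-bit counter spans at a given tick resolution; the names are this example's own.

```python
import datetime as dt

UTC = dt.timezone.utc
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=UTC)
INT32_MAX = 2**31 - 1          # 2147483647, the last representable 32-bit time_t
SECONDS_PER_YEAR = 365.25 * 86400


def to_int32(value: int) -> int:
    """Wrap an integer into the signed 32-bit range, as storing it in an int32 does."""
    value &= 0xFFFFFFFF
    return value - 2**32 if value >= 2**31 else value


def decode_unix(seconds: int) -> dt.datetime:
    """Decode a Unix second count with no width limit (Python ints are unbounded)."""
    return UNIX_EPOCH + dt.timedelta(seconds=seconds)


def decode_as_32bit(seconds: int) -> dt.datetime:
    """Decode the value the way a signed 32-bit time_t store would see it."""
    return decode_unix(to_int32(seconds))


def is_y2038_safe(seconds: int) -> bool:
    """True when the value fits a signed 32-bit time_t."""
    return -2**31 <= seconds <= INT32_MAX


def seconds_until_rollover(now_seconds: int) -> int:
    """Seconds left from a given Unix time until the 32-bit counter overflows."""
    return INT32_MAX - now_seconds


def int64_span_years(ticks_per_second: int) -> float:
    """Years either side of the epoch a signed 64-bit counter covers at this resolution."""
    return (2**63 // ticks_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    last_good = INT32_MAX
    print("last 32-bit value :", decode_unix(last_good))
    print("one second later  :", decode_unix(last_good + 1))
    print("as 32-bit store   :", decode_as_32bit(last_good + 1))
    print("seconds left from 1656526819:", seconds_until_rollover(1656526819))
    print("64-bit microsecond span (years): %.0f" % int64_span_years(1_000_000))
```

One second past the limit, the 32-bit store wraps to -2147483648 and decodes to 20:45:52 UTC on 13 December 1901, which is the kind of wildly wrong timestamp to watch for in logs from 32-bit devices after the rollover. At microsecond resolution the signed 64-bit counter spans roughly 292,000 years either side of the epoch, and about a thousand times more at millisecond resolution.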

We will be further updating the discussion on Windows Epoch timestamp in the next blog.




Contributors:
1. Ms. Vedika Agrawal, B.Tech. CSE, O P Jindal University, Raigarh, CG.
2. Mr. Aman Pandey, B.Tech. CSE, O P Jindal University, Raigarh, CG.
3. Dr. Nitesh K Bharadwaj, Sr. Assistant Professor, Deptt. of CSE, O P Jindal University, Raigarh, CG
