
dfDateTime Release 20210701

unknown

Aug 22, 2021

CONTENTS

1 Getting started
    1.1 Installation instructions

2 Date and time values
    2.1 Terminology
    2.2 Accuracy and precision
    2.3 APFS timestamp
    2.4 Cocoa timestamp
    2.5 Delphi TDateTime
    2.6 FAT date and time
    2.7 FILETIME
    2.8 HFS timestamp
    2.9 Java timestamp
    2.10 OLE Automated date
    2.11 POSIX timestamp
    2.12 RFC2579 date-time
    2.13 SYSTEMTIME
    2.14 UUID version 1 time
    2.15 WebKit timestamp

3 dfdatetime package
    3.1 Submodules
    3.2 dfdatetime.apfs_time module
    3.3 dfdatetime.cocoa_time module
    3.4 dfdatetime.decorators module
    3.5 dfdatetime.definitions module
    3.6 dfdatetime.delphi_date_time module
    3.7 dfdatetime.factory module
    3.8 dfdatetime.fake_time module
    3.9 dfdatetime.fat_date_time module
    3.10 dfdatetime.filetime module
    3.11 dfdatetime.hfs_time module
    3.12 dfdatetime.interface module
    3.13 dfdatetime.java_time module
    3.14 dfdatetime.ole_automation_date module
    3.15 dfdatetime.posix_time module
    3.16 dfdatetime.precisions module
    3.17 dfdatetime.rfc2579_date_time module
    3.18 dfdatetime.semantic_time module
    3.19 dfdatetime.systemtime module
    3.20 dfdatetime.time_elements module
    3.21 dfdatetime.uuid_time module
    3.22 dfdatetime.webkit_time module
    3.23 Module contents

4 Indices and tables

Python Module Index

Index

dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision. The source code is available from the project page.


CHAPTER ONE

GETTING STARTED

To be able to use dfDateTime you first need to install it. There are multiple ways to install dfDateTime; check the following instructions for more detail.

1.1 Installation instructions

1.1.1 pip

Note that using pip outside virtualenv is not recommended since it ignores your system's package manager. If you aren't comfortable debugging package installation issues, this is not the option for you.

Create and activate a virtualenv:

    virtualenv dfdatetimeenv
    cd dfdatetimeenv
    source ./bin/activate

Upgrade pip and install dfDateTime dependencies:

    pip install --upgrade pip
    pip install dfdatetime

To deactivate the virtualenv run:

    deactivate

1.1.2 Ubuntu 18.04 and 20.04 LTS

To install dfDateTime from the GIFT Personal Package Archive (PPA):

    sudo add-apt-repository ppa:gift/stable

Update and install dfDateTime:

    sudo apt-get update
    sudo apt-get install python3-dfdatetime


1.1.3 Windows

The l2tbinaries contains the necessary packages for running dfDateTime. l2tbinaries provides the following branches:

• main; branch intended for the “packaged release” of dfDateTime and dependencies;
• dev; branch intended for the “development release” of dfDateTime;
• testing; branch intended for testing newly created packages.

The l2tdevtools project provides an update script to ease the process of keeping the dependencies up to date. The script requires pywin32 and Python WMI.

To install the release versions of the dependencies run:

    set PYTHONPATH=.
    C:\Python38\python.exe tools\update.py --preset dfdatetime

CHAPTER TWO

DATE AND TIME VALUES

2.1 Terminology

Calendar: a system of organising days.

Epoch: a reference point from which time is measured.

Leap second: a leap second is a one-second adjustment that is occasionally applied to Coordinated Universal Time (UTC) in order to keep its time of day close to the solar time.

2.1.1 Also see

• Wikipedia: Calendar
• Wikipedia: Epoch
• Wikipedia: Leap second

2.2 Accuracy and precision

• accuracy is used to describe the closeness of a measurement to the true value;
• precision is the closeness of agreement among a set of results.

In NTFS date and time values are stored using a FILETIME structure. The FILETIME structure stores a date and time value as a 64-bit integer that represents the number of 100-nanosecond intervals since “January 1, 1601 00:00:00.0000000 UTC”. This provides an upper bound of a 100-nanosecond interval data granularity. For disambiguation we'll refer to this as datetime storage granularity.

However this does not have to mean that the actual value stored within the FILETIME structure has a 100-nanosecond interval data granularity. E.g. the FILETIME MSDN article also mentions that on NTFS, the access time has a resolution of 1 hour. The term resolution here is comparable with that of Display resolution or Audio resolution; for disambiguation we'll refer to this as datetime value granularity.

The FILETIME MSDN article also mentions that some values should not be interpreted as date and time values, e.g. 0xFFFFFFFF can be used to specify that a file's previous access time should be preserved, or 0 to specify that the date and time value is not set. For disambiguation we'll refer to this as datetime value semantics (in other words meaning or representation).


2.2.1 Digital forensics significance

A large part of digital forensic analysis is about the interpretation of computer data. If date and time values are converted from a storage format to another storage format or a string representation we are likely to change granularity and semantics in the process. If the analyst is aware of this the impact should be minimal; however, if we wish to have automation-assisted analysis we'll have to preserve concepts of granularity and semantics and represent them in a machine-processable manner, so that the automation can distinguish between a FILETIME date and time value that is not set versus a FILETIME date and time value that represents “January 1, 1601 00:00:00.0000000 UTC”.

Another aspect relevant to digital forensic analysis is how to represent a datetime value with a value granularity of 1 day (e.g. FAT access time) in a timeline of microseconds, where the analyst is only interested in the events that occurred within a specific hour on that day. Technically the access time should be included in the resulting timeline since the access could have occurred during that specific hour.
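The following is an added example, not dfDateTime code, of carrying value semantics and value granularity alongside a FILETIME timestamp so that a timeline filter treats "not set" and a 1-day access date correctly. ForensicTime, from_filetime, events_in_window and the sample events are hypothetical names and constructed values; all times are assumed to be UTC.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals ("ticks") since 1601-01-01 UTC.
# Python's datetime only has microsecond precision, so the tick count is kept
# as an integer and never round-tripped through a datetime.
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ONE_HOUR = 3600 * TICKS_PER_SECOND
ONE_DAY = 24 * ONE_HOUR


@dataclass(frozen=True)
class ForensicTime:
    """Hypothetical container: a timestamp with its semantics and granularity."""
    semantics: str        # "value", or the meaning of a special value
    ticks: int = 0        # start of the window the stored value can represent
    granularity: int = 1  # datetime value granularity, in ticks

    def may_fall_within(self, start_ticks, end_ticks):
        """True if the event could have occurred in [start_ticks, end_ticks)."""
        if self.semantics != "value":
            return False  # "not set" must never surface as an event in 1601
        window_end = self.ticks + self.granularity
        return self.ticks < end_ticks and start_ticks < window_end

    def to_string(self):
        """Formats the start of the window with all 7 fraction digits."""
        if self.semantics != "value":
            return f"<{self.semantics}>"
        seconds, fraction = divmod(self.ticks, TICKS_PER_SECOND)
        moment = FILETIME_EPOCH + timedelta(seconds=seconds)
        return f"{moment:%Y-%m-%d %H:%M:%S}.{fraction:07d}"


def to_ticks(moment):
    """Converts a time zone aware datetime to FILETIME ticks."""
    delta = moment - FILETIME_EPOCH
    whole_seconds = delta.days * 86400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_filetime(raw, granularity=1, special_values=None):
    """Wraps a raw FILETIME timestamp.

    special_values maps raw values to their meaning in the context the value
    was read from; by default 0 is read as "not set".
    """
    if special_values is None:
        special_values = {0: "not set"}
    if raw in special_values:
        return ForensicTime(special_values[raw])
    # Align to the start of the granularity window (the epoch is midnight UTC).
    return ForensicTime("value", raw - raw % granularity, granularity)


def events_in_window(events, start, end):
    """Names of the events that could have occurred in [start, end)."""
    start_ticks, end_ticks = to_ticks(start), to_ticks(end)
    return [name for name, value in events
            if value.may_fall_within(start_ticks, end_ticks)]


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample values, not taken from a real file system.
SAMPLE_EVENTS = [
    ("creation time, not set", from_filetime(0)),
    ("access date, 1 day granularity",
     from_filetime(to_ticks(_utc(2021, 7, 1, 9, 30)), ONE_DAY)),
    ("access time, 1 hour granularity",
     from_filetime(to_ticks(_utc(2021, 7, 1, 14, 45)), ONE_HOUR)),
    ("modification time, full granularity",
     from_filetime(to_ticks(_utc(2021, 7, 1, 9)) + 1234567)),
]

if __name__ == "__main__":
    for name, value in SAMPLE_EVENTS:
        print(f"{name}: {value.to_string()}")
    hits = events_in_window(
        SAMPLE_EVENTS, _utc(2021, 7, 1, 14), _utc(2021, 7, 1, 15))
    print("could have occurred between 14:00 and 15:00:", hits)
```
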

2.2.2 References

• Wikipedia: Accuracy and precision
• Wikipedia: Computer forensics
• Wikipedia: Granularity - Data Granularity
• Wikipedia: Semantics
• FILETIME structure
• File Times
• Precision and accuracy of DateTime, by Eric Lippert, April 8, 2010

2.3 APFS timestamp

2.3.1 Characteristics

2.3.2 Format

2.4 Cocoa timestamp

2.4.1 Characteristics

2.4.2 Format

2.4.3 Also see

• Apple Developer: Dates
• Apple Developer: NSDate


2.5 Delphi TDateTime

2.5.1 Characteristics

2.5.2 Format

2.5.3 Also see

• Embarcadero: System.TDateTime

2.6 FAT date and time

2.6.1 Characteristics

Sometimes 2099-12-31 23:59:58 is defined as the upper bound of DOS date and time. Also see: Time formatting and storage bugs - Year 2100

2.6.2 Format

The FAT (or DOS) date is a 16-bit value that consists of:

The FAT (or DOS) time is a 16-bit value that consists of:

2.6.3 Also see

• Wikipedia:
• DosDateTimeToFileTime function

2.7 FILETIME

2.7.1 Characteristics

The actual upper bound of the supported date range is unclear. Also see: Latest possible FILETIME

2.7.2 Format

The FILETIME structure is 8 bytes of size and consists of:

The FILETIME should be treated as a structure when stored and passed to Windows API functions. However it can be combined into a 64-bit integer, which will be indicated as a FILETIME timestamp, containing the number of seconds since 1601-01-01 00:00:00.0000000.

An empty (or unset) FILETIME timestamp can be represented by 0, however the meaning can differ depending on the context in which the timestamp is used.

Certain values of FILETIME such as { 0xffffffff, 0xffffffff } for the SetFileTime Windows API function are overloaded with a special meaning.


2.7.3 Also see

• MSDN: FILETIME

2.8 HFS timestamp

Sometimes a distinction is made between HFS and HFS+ timestamps, in that the former is stored in local time and the latter in UTC. Note that this behavior is highly dependent on the context in which the timestamp is used.

2.8.1 Characteristics

2.8.2 Format

An empty (or unset) HFS timestamp can be represented by 0, however the meaning can differ depending on the context in which the timestamp is used.

2.8.3 Also see

• Wikipedia: HFS Plus
• Technical Note TN1150 - HFS Plus Volume Format

2.9 Java timestamp

2.9.1 Characteristics

2.9.2 Format

2.9.3 Also see:

• Class java.util.Date

2.10 OLE Automated date

The OLE Automated date is also known as Floatingtime or Application time.

2.10.1 Characteristics

2.10.2 Format

2.11 POSIX timestamp

There are multiple variants of the POSIX timestamp:

• the time_t has different sizes and signs on different platforms
• variants exist that store the timestamp in milliseconds (Java), microsecond and nanoseconds (APFS) precision instead of second precision

2.11.1 Characteristics

2.11.2 Format

An empty (or unset) POSIX timestamp can be represented by 0, however the meaning can differ depending on the context in which the timestamp is used.

2.11.3 Also see

• Wikipedia: UNIX time

2.12 RFC2579 date-time

2.12.1 Characteristics

2.12.2 Format

The RFC2579 date-time structure is 11 bytes of size and consists of:

2.12.3 Also see

• RFC2579

2.13 SYSTEMTIME

2.13.1 Characteristics

2.13.2 Format

The SYSTEMTIME structure is 16 bytes of size and consists of:

An empty (or unset) SYSTEMTIME can be represented by 16x 0-byte values.

2.13.3 Also see

• MSDN: SYSTEMTIME


2.14 UUID version 1 time

2.14.1 Characteristics

2.14.2 Format

2.14.3 Also see

• Wikipedia: Universally unique identifier

2.15 WebKit timestamp

2.15.1 Characteristics

2.15.2 Format

2.15.3 Also see

• Chromium source: time.h

CHAPTER THREE

DFDATETIME PACKAGE

3.1 Submodules

3.2 dfdatetime.apfs_time module

Apple File System (APFS) time implementation.

class dfdatetime.apfs_time.APFSTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.posix_time.PosixTimeInNanoseconds

    Apple File System (APFS) timestamp.

    The APFS timestamp is a signed 64-bit integer that contains the number of nanoseconds since 1970-01-01 00:00:00.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies an APFS timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the date and time value is not supported.

    CopyToDateTimeString()
        Copies the APFS timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.#########” or None if the timestamp is missing or invalid.
        Return type: str


3.3 dfdatetime.cocoa_time module

Cocoa timestamp implementation.

class dfdatetime.cocoa_time.CocoaTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    Cocoa timestamp.

    The Cocoa timestamp is a floating point value that contains the number of seconds since 2001-01-01 00:00:00 (also known as the Cocoa epoch). Negative values represent dates and times predating the Cocoa epoch.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a Cocoa timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the Cocoa timestamp to a date and time string.
        Returns: date and time value formatted as: YYYY-MM-DD hh:mm:ss.###### or None if the timestamp cannot be copied to a date and time string.
        Return type: str

    property timestamp
        Cocoa timestamp or None if not set.
        Type: float

class dfdatetime.cocoa_time.CocoaTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    Cocoa time epoch.

3.4 dfdatetime.decorators module

Function decorators.

dfdatetime.decorators.deprecated(function)
    Decorator to mark functions or methods as deprecated.


3.5 dfdatetime.definitions module

The date and time definitions.

Also see:
https://en.wikipedia.org/wiki/Day
https://en.wikipedia.org/wiki/Hour
https://en.wikipedia.org/wiki/Minute

3.6 dfdatetime.delphi_date_time module

Delphi TDateTime implementation.

class dfdatetime.delphi_date_time.DelphiDateTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    Delphi TDateTime timestamp.

    The Delphi TDateTime timestamp is a floating point value that contains the number of days since 1899-12-30 00:00:00 (also known as the epoch). Negative values represent dates and times predating the epoch.

    The maximal correct date supported by TDateTime values is limited to: 9999-12-31 23:59:59.999

    Also see: http://docwiki.embarcadero.com/Libraries/XE3/en/System.TDateTime

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a Delphi TDateTime timestamp from a string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the Delphi TDateTime timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing.
        Return type: str

    property timestamp
        Delphi TDateTime timestamp or None if not set.
        Type: float

class dfdatetime.delphi_date_time.DelphiDateTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    Delphi TDateTime epoch.


3.7 dfdatetime.factory module

The date and time values factory.

class dfdatetime.factory.Factory
    Bases: object

    Date and time values factory.

    classmethod DeregisterDateTimeValues(date_time_values_type)
        Deregisters a date and time values type.
        Parameters: date_time_values_type (type) – date and time values type.
        Raises: KeyError – if date and time values type is not registered.

    classmethod NewDateTimeValues(class_name, **kwargs)
        Creates a new date and time values for the specific type indicator.
        Parameters:
            • class_name (str) – type indicator.
            • kwargs (dict) – keyword arguments depending on the date and time values.
        Returns: date and time values.
        Return type: DateTimeValues
        Raises: KeyError – if date and time values is not registered.

    classmethod RegisterDateTimeValues(date_time_values_type)
        Registers a date and time values type.
        Parameters: date_time_values_type (type) – date and time values type.
        Raises: KeyError – if date and time values is already registered.

3.8 dfdatetime.fake_time module

Fake timestamp implementation.

class dfdatetime.fake_time.FakeTime(time_zone_offset=None)
    Bases: dfdatetime.interface.DateTimeValues

    Fake timestamp.

    The fake timestamp is intended for testing purposes. On initialization it contains the current time in UTC in microsecond precision.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a fake timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

    CopyToDateTimeString()
        Copies the fake timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or “YYYY-MM-DD hh:mm:ss.######” or None if the number of seconds is missing.
        Return type: str

3.9 dfdatetime.fat_date_time module

FAT date time implementation.

class dfdatetime.fat_date_time.FATDateTime(fat_date_time=None, time_zone_offset=None)
    Bases: dfdatetime.interface.DateTimeValues

    FAT date time.

    The FAT date time is mainly used in DOS/Windows file formats and FAT.

    The FAT date and time is a 32-bit value containing two 16-bit values:

    • The date (lower 16-bit).
        * bits 0 - 4: day of month, where 1 represents the first day
        * bits 5 - 8: month of year, where 1 represents January
        * bits 9 - 15: year since 1980
    • The time of day (upper 16-bit).
        * bits 0 - 4: seconds (in 2 second intervals)
        * bits 5 - 10: minutes
        * bits 11 - 15: hours

    The FAT date time has no time zone and is typically stored in the local time of the computer.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a FAT date time from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the FAT date time to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or None if number of seconds is missing.
        Return type: str

    property fat_date_time
        FAT date time or None if not set.
        Type: int

class dfdatetime.fat_date_time.FATDateTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    FAT date time epoch.
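The bit layout described for FATDateTime can be decoded and encoded as follows. This is an added example written against the layout above, not dfDateTime's own implementation; the function names and sample values are hypothetical. It rejects field combinations that are not a calendar date and shows that odd seconds are lost on encoding because of the 2 second granularity.

```python
import calendar


def decode_fat_date_time(fat_date_time):
    """Decodes a 32-bit FAT date time into time elements.

    Returns:
      tuple[int, int, int, int, int, int]: year, month, day of month, hours,
          minutes and seconds, in the local time the value was stored in.

    Raises:
      ValueError: if the value does not fit in 32 bits or a field is invalid.
    """
    if not 0 <= fat_date_time <= 0xFFFFFFFF:
        raise ValueError("FAT date time does not fit in 32 bits")

    date = fat_date_time & 0xFFFF   # lower 16 bits
    time = fat_date_time >> 16      # upper 16 bits

    day_of_month = date & 0x1F      # bits 0 - 4
    month = (date >> 5) & 0x0F      # bits 5 - 8
    year = 1980 + (date >> 9)       # bits 9 - 15, years since 1980

    seconds = (time & 0x1F) * 2     # bits 0 - 4, in 2 second intervals
    minutes = (time >> 5) & 0x3F    # bits 5 - 10
    hours = time >> 11              # bits 11 - 15

    if not 1 <= month <= 12:
        raise ValueError(f"month out of bounds: {month}")
    days_in_month = calendar.monthrange(year, month)[1]
    if not 1 <= day_of_month <= days_in_month:
        raise ValueError(f"day of month out of bounds: {day_of_month}")
    if hours > 23 or minutes > 59 or seconds > 58:
        raise ValueError(f"time out of bounds: {hours}:{minutes}:{seconds}")

    return year, month, day_of_month, hours, minutes, seconds


def encode_fat_date_time(year, month, day_of_month, hours, minutes, seconds):
    """Encodes time elements as a 32-bit FAT date time, truncating odd seconds."""
    if not 1980 <= year <= 1980 + 0x7F:
        raise ValueError(f"year out of bounds: {year}")
    date = ((year - 1980) << 9) | (month << 5) | day_of_month
    time = (hours << 11) | (minutes << 5) | (seconds // 2)
    fat_date_time = (time << 16) | date
    # Decoding validates the remaining fields, e.g. February 30 is rejected.
    decode_fat_date_time(fat_date_time)
    return fat_date_time


def is_valid_fat_date_time(fat_date_time):
    """True if the value decodes to a calendar date and time of day."""
    try:
        decode_fat_date_time(fat_date_time)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample value: 2021-07-01 14:30:59 stored as FAT date time.
    raw = encode_fat_date_time(2021, 7, 1, 14, 30, 59)
    print(f"0x{raw:08x} ->", decode_fat_date_time(raw))
    # Largest value the bit layout can represent as a valid date and time.
    print(decode_fat_date_time(0xBF7DFF9F))
    # All-zero and all-one values are not dates: day 0 and month 15.
    print(is_valid_fat_date_time(0), is_valid_fat_date_time(0xFFFFFFFF))
```
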

3.10 dfdatetime.filetime module

FILETIME timestamp implementation.

class dfdatetime.filetime.Filetime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    FILETIME timestamp.

    The FILETIME timestamp is a 64-bit integer that contains the number of 100-nanosecond intervals since 1601-01-01 00:00:00.

    Do not confuse this with the FILETIME structure that consists of 2 x 32-bit integers and is presumed to be unsigned.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a FILETIME timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the FILETIME timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.#######” or None if the timestamp is missing or invalid.
        Return type: str

    property timestamp
        FILETIME timestamp or None if not set.
        Type: int

class dfdatetime.filetime.FiletimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    FILETIME epoch.


3.11 dfdatetime.hfs_time module

HFS time implementation.

class dfdatetime.hfs_time.HFSTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    HFS timestamp.

    The HFS timestamp is an unsigned 32-bit integer that contains the number of seconds since 1904-01-01 00:00:00. In HFS the timestamp is typically in local time and in HFS+/HFSX in UTC.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies an HFS timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the HFS timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or None if the timestamp is missing or invalid.
        Return type: str

    property timestamp
        HFS timestamp or None if not set.
        Type: int

class dfdatetime.hfs_time.HFSTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    HFS time epoch.

3.12 dfdatetime.interface module

Date and time interfaces.

class dfdatetime.interface.DateTimeEpoch(year, month, day_of_month)
    Bases: object

    Date and time epoch interface.

    This is the super class of different epoch representations.

    year
        year that is the start of the epoch e.g. 1970.
        Type: int

    month
        month that is the start of the epoch, where 1 represents January.
        Type: int

    day_of_month
        day of the month that is the start of the epoch, where 1 represents the first day.
        Type: int

class dfdatetime.interface.DateTimeValues(time_zone_offset=None)
    Bases: object

    Date and time values interface.

    This is the super class of different date and time representations.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    abstract CopyFromDateTimeString(time_string)
        Copies a date time value from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyFromString(**kwargs)
        Copies a date time value from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    abstract CopyToDateTimeString()
        Copies the date time value to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp cannot be copied to a date and time string.
        Return type: str

    CopyToDateTimeStringISO8601()
        Copies the date time value to an ISO 8601 date and time string.
        Returns: date and time value formatted as an ISO 8601 date and time string or None if the timestamp cannot be copied to a date and time string.
        Return type: str

    CopyToPosixTimestamp()
        Copies the date time value to a POSIX timestamp.
        Returns: a POSIX timestamp in seconds or None if no timestamp is available.
        Return type: int

    CopyToStatTimeTuple()
        Copies the date time value to a stat timestamp tuple.
        Returns: a POSIX timestamp in seconds and the remainder in 100 nano seconds or (None, None) on error.
        Return type: tuple[int, int]

    GetDate()
        Retrieves the date represented by the date and time values.
        Note that the date is adjusted to UTC.
        Returns: year, month, day of month or (None, None, None) if the date and time values do not represent a date.
        Return type: tuple[int, int, int]

    GetDateWithTimeOfDay()
        Retrieves the date with time of day.
        Note that the date and time are adjusted to UTC.
        Returns: year, month, day of month, hours, minutes, seconds or (None, None, None, None, None, None) if the date and time values do not represent a date or time of day.
        Return type: tuple[int, int, int, int, int, int]

    GetPlasoTimestamp()
        Retrieves a timestamp that is compatible with Plaso.
        Returns: a POSIX timestamp in microseconds or None if no timestamp is available.
        Return type: int

    GetTimeOfDay()
        Retrieves the time of day represented by the date and time values.
        Note that the time is adjusted to UTC.
        Returns: hours, minutes, seconds or (None, None, None) if the date and time values do not represent a time of day.
        Return type: tuple[int, int, int]

    __eq__(other)
        Determines if the date time values are equal to other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are equal to other.
        Return type: bool

    __ge__(other)
        Determines if the date time values are greater than or equal to other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are greater than or equal to other.
        Return type: bool
        Raises: ValueError – if other is not an instance of DateTimeValues.

    __gt__(other)
        Determines if the date time values are greater than other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are greater than other.
        Return type: bool
        Raises: ValueError – if other is not an instance of DateTimeValues.

    __le__(other)
        Determines if the date time values are less than or equal to other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are less than or equal to other.
        Return type: bool
        Raises: ValueError – if other is not an instance of DateTimeValues.

    __lt__(other)
        Determines if the date time values are less than other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are less than other.
        Return type: bool
        Raises: ValueError – if other is not an instance of DateTimeValues.

    __ne__(other)
        Determines if the date time values are not equal to other.
        Parameters: other (DateTimeValues) – date time values to compare against.
        Returns: True if the date time values are not equal to other.
        Return type: bool

    property precision
        precision of the date and time value, which should be one of the PRECISION_VALUES in definitions.
        Type: precision (str)

    property time_zone_offset
        time zone offset in number of minutes from UTC or None if not set.
        Type: time_zone_offset (int)

class dfdatetime.interface.NormalizedTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    dfDateTime normalized time epoch.

3.13 dfdatetime.java_time module

Java java.util.Date timestamp implementation.

class dfdatetime.java_time.JavaTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.posix_time.PosixTimeInMilliseconds

    Java java.util.Date timestamp.

    The Java java.util.Date timestamp is a signed integer that contains the number of milliseconds since 1970-01-01 00:00:00 (also known as the POSIX epoch). Negative values represent dates and times predating the POSIX epoch.

    Also see: https://docs.oracle.com/javase/8/docs/api/java/util/Date.html

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyToDateTimeString()
        Copies the POSIX timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing.
        Return type: str

3.14 dfdatetime.ole_automation_date module

OLE automation date (or Floatingtime or Application time) implementation.

class dfdatetime.ole_automation_date.OLEAutomationDate(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    OLE Automation date.

    The OLE Automation date is a floating point value that contains the number of days since 1899-12-30 (also known as the OLE Automation date epoch), and the fractional part represents the fraction of a day since midnight. Negative values represent dates and times predating the OLE Automation date epoch.

    Also see: https://docs.microsoft.com/en-us/dotnet/api/system.datetime.tooadate

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies an OLE Automation date from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
        Raises: ValueError – if the time string is invalid or not supported.

    CopyToDateTimeString()
        Copies the OLE Automation date to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing.
        Return type: str

    property timestamp
        OLE Automation date timestamp or None if not set.
        Type: float

class dfdatetime.ole_automation_date.OLEAutomationDateEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    OLE automation date epoch.

3.15 dfdatetime.posix_time module

POSIX timestamp implementation.

class dfdatetime.posix_time.PosixTime(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    POSIX timestamp.

    The POSIX timestamp is a signed integer that contains the number of seconds since 1970-01-01 00:00:00 (also known as the POSIX epoch). Negative values represent dates and times predating the POSIX epoch.

    The POSIX timestamp was initially 32-bit though 64-bit variants are known to be used.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a POSIX timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

    CopyToDateTimeString()
        Copies the POSIX timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or None if the timestamp is missing.
        Return type: str

    property timestamp
        POSIX timestamp or None if not set.
        Type: int

class dfdatetime.posix_time.PosixTimeEpoch
    Bases: dfdatetime.interface.DateTimeEpoch

    POSIX time epoch.

class dfdatetime.posix_time.PosixTimeInMicroseconds(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    POSIX timestamp in microseconds.

    Variant of the POSIX timestamp in microseconds.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a POSIX timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

    CopyToDateTimeString()
        Copies the POSIX timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing.
        Return type: str

    property timestamp
        POSIX timestamp in microseconds or None if not set.
        Type: int

class dfdatetime.posix_time.PosixTimeInMilliseconds(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    POSIX timestamp in milliseconds.

    Variant of the POSIX timestamp in milliseconds.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a POSIX timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

    CopyToDateTimeString()
        Copies the POSIX timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing.
        Return type: str

    property timestamp
        POSIX timestamp in milliseconds or None if not set.
        Type: int

class dfdatetime.posix_time.PosixTimeInNanoseconds(time_zone_offset=None, timestamp=None)
    Bases: dfdatetime.interface.DateTimeValues

    POSIX timestamp in nanoseconds.

    Variant of the POSIX timestamp in nanoseconds.

    is_local_time
        True if the date and time value is in local time.
        Type: bool

    CopyFromDateTimeString(time_string)
        Copies a POSIX timestamp from a date and time string.
        Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
            Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

    CopyToDateTimeString()
        Copies the POSIX timestamp to a date and time string.
        Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.#########” or None if the timestamp is missing or invalid.
        Return type: str

    property timestamp
        POSIX timestamp or None if not set.
        Type: int

24 Chapter 3. dfdatetime package dfDateTime, Release 20210701

3.16 dfdatetime.precisions module

Date and time precision helpers.

class dfdatetime.precisions.DateTimePrecisionHelper
   Bases: object

   Date time precision helper interface.

   This is the super class of different date and time precision helpers.

   Time precision helpers provide functionality for converting date and time values between different precisions.

   classmethod CopyMicrosecondsToFractionOfSecond(microseconds)
      Copies the number of microseconds to a fraction of second value.
      Parameters: microseconds (int) – number of microseconds.
      Returns: fraction of second, which must be a value between 0.0 and 1.0.
      Return type: decimal.Decimal

   classmethod CopyToDateTimeString(time_elements_tuple, fraction_of_second)
      Copies the time elements and fraction of second to a string.
      Parameters:
         • time_elements_tuple (tuple[int, int, int, int, int, int]) – time elements, contains year, month, day of month, hours, minutes and seconds.
         • fraction_of_second (decimal.Decimal) – fraction of second, which must be a value between 0.0 and 1.0.
      Returns: date and time value formatted as: YYYY-MM-DD hh:mm:ss with fraction of second part that corresponds to the precision.
      Return type: str

class dfdatetime.precisions.MicrosecondsPrecisionHelper
   Bases: dfdatetime.precisions.DateTimePrecisionHelper

   Microseconds precision helper.

   classmethod CopyMicrosecondsToFractionOfSecond(microseconds)
      Copies the number of microseconds to a fraction of second value.
      Parameters: microseconds (int) – number of microseconds.
      Returns: fraction of second, which must be a value between 0.0 and 1.0.
      Return type: decimal.Decimal
      Raises: ValueError – if the number of microseconds is out of bounds.

   classmethod CopyToDateTimeString(time_elements_tuple, fraction_of_second)
      Copies the time elements and fraction of second to a string.
      Parameters:
         • time_elements_tuple (tuple[int, int, int, int, int, int]) – time elements, contains year, month, day of month, hours, minutes and seconds.
         • fraction_of_second (decimal.Decimal) – fraction of second, which must be a value between 0.0 and 1.0.
      Returns: date and time value formatted as: YYYY-MM-DD hh:mm:ss.######
      Return type: str
      Raises: ValueError – if the fraction of second is out of bounds.

class dfdatetime.precisions.MillisecondsPrecisionHelper
   Bases: dfdatetime.precisions.DateTimePrecisionHelper

   Milliseconds precision helper.

   classmethod CopyMicrosecondsToFractionOfSecond(microseconds)
      Copies the number of microseconds to a fraction of second value.
      Parameters: microseconds (int) – number of microseconds.
      Returns: fraction of second, which must be a value between 0.0 and 1.0.
      Return type: decimal.Decimal
      Raises: ValueError – if the number of microseconds is out of bounds.

   classmethod CopyToDateTimeString(time_elements_tuple, fraction_of_second)
      Copies the time elements and fraction of second to a string.
      Parameters:
         • time_elements_tuple (tuple[int, int, int, int, int, int]) – time elements, contains year, month, day of month, hours, minutes and seconds.
         • fraction_of_second (decimal.Decimal) – fraction of second, which must be a value between 0.0 and 1.0.
      Returns: date and time value formatted as: YYYY-MM-DD hh:mm:ss.###
      Return type: str
      Raises: ValueError – if the fraction of second is out of bounds.

class dfdatetime.precisions.PrecisionHelperFactory
   Bases: object

   Date time precision helper factory.

   classmethod CreatePrecisionHelper(precision)
      Creates a precision helper.
      Parameters: precision (str) – precision of the date and time value, which should be one of the PRECISION_VALUES in definitions.
      Returns: date time precision helper class.
      Return type: class
      Raises: ValueError – if the precision value is unsupported.

class dfdatetime.precisions.SecondsPrecisionHelper
   Bases: dfdatetime.precisions.DateTimePrecisionHelper

   Seconds precision helper.

   classmethod CopyMicrosecondsToFractionOfSecond(microseconds)
      Copies the number of microseconds to a fraction of second value.
      Parameters: microseconds (int) – number of microseconds.
      Returns: fraction of second, which must be a value between 0.0 and 1.0. For the seconds precision helper this will always be 0.0.
      Return type: decimal.Decimal
      Raises: ValueError – if the number of microseconds is out of bounds.

   classmethod CopyToDateTimeString(time_elements_tuple, fraction_of_second)
      Copies the time elements and fraction of second to a string.
      Parameters:
         • time_elements_tuple (tuple[int, int, int, int, int, int]) – time elements, contains year, month, day of month, hours, minutes and seconds.
         • fraction_of_second (decimal.Decimal) – fraction of second, which must be a value between 0.0 and 1.0.
      Returns: date and time value formatted as: YYYY-MM-DD hh:mm:ss
      Return type: str
      Raises: ValueError – if the fraction of second is out of bounds.

3.17 dfdatetime.rfc2579_date_time module

RFC2579 date-time implementation.

class dfdatetime.rfc2579_date_time.RFC2579DateTime(rfc2579_date_time_tuple=None)
   Bases: dfdatetime.interface.DateTimeValues

   RFC2579 date-time.

   The RFC2579 date-time structure is 11 bytes in size and contains:

   struct {
      uint16_t year,
      uint8_t month,
      uint8_t day_of_month,
      uint8_t hours,
      uint8_t minutes,
      uint8_t seconds,
      uint8_t deciseconds,
      char direction_from_utc,
      uint8_t hours_from_utc,
      uint8_t minutes_from_utc
   }

   Also see: https://tools.ietf.org/html/rfc2579

   year
      year, 0 through 65536.
      Type: int

   month
      month of year, 1 through 12.
      Type: int

   day_of_month
      day of month, 1 through 31.
      Type: int

   hours
      hours, 0 through 23.
      Type: int

   minutes
      minutes, 0 through 59.
      Type: int

   seconds
      seconds, 0 through 59, where 60 is used to represent a leap-second.
      Type: int

   deciseconds
      deciseconds, 0 through 9.
      Type: int

   CopyFromDateTimeString(time_string)
      Copies an RFC2579 date-time from a date and time string.
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
      Raises: ValueError – if the date string is invalid or not supported.

   CopyToDateTimeString()
      Copies the RFC2579 date-time to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.#” or None if the number of seconds is missing.
      Return type: str

   property day_of_month
      day of month or None if not set.
      Type: int

   property deciseconds
      number of deciseconds or None if not set.
      Type: int

   property hours
      number of hours or None if not set.
      Type: int

   property minutes
      number of minutes or None if not set.
      Type: int

   property month
      month or None if not set.
      Type: int

   property seconds
      number of seconds or None if not set.
      Type: int

   property year
      year or None if not set.
      Type: int

3.18 dfdatetime.semantic_time module

Semantic time implementation.

class dfdatetime.semantic_time.InvalidTime
   Bases: dfdatetime.semantic_time.SemanticTime

   Semantic time that represents invalid.

class dfdatetime.semantic_time.Never
   Bases: dfdatetime.semantic_time.SemanticTime

   Semantic time that represents never.

   __eq__(other)
      Determines if the date time values are equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are equal to other.
      Return type: bool

   __ge__(other)
      Determines if the date time values are greater than or equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are greater than or equal to other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __gt__(other)
      Determines if the date time values are greater than other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are greater than other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __le__(other)
      Determines if the date time values are less than or equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are less than or equal to other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __lt__(other)
      Determines if the date time values are less than other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are less than other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __ne__(other)
      Determines if the date time values are not equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are not equal to other.
      Return type: bool

class dfdatetime.semantic_time.NotSet
   Bases: dfdatetime.semantic_time.SemanticTime

   Semantic time that represents not set.

class dfdatetime.semantic_time.SemanticTime(string=None)
   Bases: dfdatetime.interface.DateTimeValues

   Semantic time.

   Semantic time is a term used to describe date and time values that have a specific meaning such as: “Never”, “Yesterday”, “Not set”.

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   CopyFromDateTimeString(time_string)
      Copies semantic time from a date and time string.
      Parameters: time_string (str) – semantic representation of the time, such as: “Never”, “Not set”.
      Raises: ValueError – because semantic time cannot be copied from a string.

   CopyToDateTimeString()
      Copies the date time value to a date and time string.
      Returns: semantic representation of the time, such as: “Never”, “Not set”.
      Return type: str

   CopyToDateTimeStringISO8601()
      Copies the date time value to an ISO 8601 date and time string.
      Returns: date and time value formatted as an ISO 8601 date and time string, which will always be None since semantic time cannot be represented in ISO 8601.
      Return type: str

   CopyToStatTimeTuple()
      Copies the semantic timestamp to a stat timestamp tuple.
      Returns: a POSIX timestamp in seconds and the remainder in 100 nanoseconds, which will always be None, None.
      Return type: tuple[int, int]

   GetPlasoTimestamp()
      Retrieves a timestamp that is compatible with plaso.
      Returns: a POSIX timestamp in microseconds, which will always be 0.
      Return type: int

   __eq__(other)
      Determines if the date time values are equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are equal to other.
      Return type: bool

   __ge__(other)
      Determines if the date time values are greater than or equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are greater than or equal to other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __gt__(other)
      Determines if the date time values are greater than other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are greater than other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __le__(other)
      Determines if the date time values are less than or equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are less than or equal to other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __lt__(other)
      Determines if the date time values are less than other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are less than other.
      Return type: bool
      Raises: ValueError – if other is not an instance of DateTimeValues.

   __ne__(other)
      Determines if the date time values are not equal to other.
      Parameters: other (DateTimeValues) – date time values to compare against.
      Returns: True if the date time values are not equal to other.
      Return type: bool

   property string
      semantic representation of the time, such as: “Never”.
      Type: str

3.19 dfdatetime.systemtime module

SYSTEMTIME structure implementation.

class dfdatetime.systemtime.Systemtime(system_time_tuple=None, time_zone_offset=None)
   Bases: dfdatetime.interface.DateTimeValues

   SYSTEMTIME structure.

   The SYSTEMTIME structure is 16 bytes in size and contains:

   struct {
      WORD year,
      WORD month,
      WORD day_of_week,
      WORD day_of_month,
      WORD hour,
      WORD minute,
      WORD second,
      WORD millisecond
   }

   year
      year, 1601 through 30827.
      Type: int

   month
      month of year, 1 through 12.
      Type: int

   day_of_week
      day of week, 0 through 6.
      Type: int

   day_of_month
      day of month, 1 through 31.
      Type: int

   hours
      hours, 0 through 23.
      Type: int

   minutes
      minutes, 0 through 59.
      Type: int

   seconds
      seconds, 0 through 59.
      Type: int

   milliseconds
      milliseconds, 0 through 999.
      Type: int

   CopyFromDateTimeString(time_string)
      Copies a SYSTEMTIME structure from a date and time string.
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
      Raises: ValueError – if the date string is invalid or not supported.

   CopyToDateTimeString()
      Copies the SYSTEMTIME structure to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.###” or None if the number of seconds is missing.
      Return type: str
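The two fixed-size structures documented in 3.17 (RFC2579 date-time, 11 bytes) and 3.19 (SYSTEMTIME, 16 bytes) can be decoded and range-checked with the Python standard library alone. The following is an added example, not dfDateTime code; parse_rfc2579, parse_systemtime and the sample bytes are constructed for illustration, and it assumes a big-endian RFC2579 year, little-endian SYSTEMTIME WORDs and day_of_week 0 meaning Sunday, none of which is stated on this page.

```python
import datetime
import struct

# Field ranges exactly as documented above: (name, lowest, highest).
RFC2579_RANGES = (
    ("year", 0, 65536), ("month", 1, 12), ("day_of_month", 1, 31),
    ("hours", 0, 23), ("minutes", 0, 59), ("seconds", 0, 60),
    ("deciseconds", 0, 9))
SYSTEMTIME_RANGES = (
    ("year", 1601, 30827), ("month", 1, 12), ("day_of_week", 0, 6),
    ("day_of_month", 1, 31), ("hours", 0, 23), ("minutes", 0, 59),
    ("seconds", 0, 59), ("milliseconds", 0, 999))


def _days_in_month(year, month):
    """Returns the number of days in a month of the Gregorian calendar."""
    if month == 2:
        is_leap = year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)
        return 29 if is_leap else 28
    return 30 if month in (4, 6, 9, 11) else 31


def _validate(fields, ranges):
    """Raises ValueError if a field is outside its documented range."""
    for name, lowest, highest in ranges:
        if not lowest <= fields[name] <= highest:
            raise ValueError(f"{name} out of bounds: {fields[name]}")
    if fields["day_of_month"] > _days_in_month(fields["year"], fields["month"]):
        raise ValueError("day of month does not exist in this month")


def parse_rfc2579(data):
    """Decodes the 11-byte RFC2579 date-time structure into a dict."""
    if len(data) != 11:
        raise ValueError(f"expected 11 bytes, got {len(data)}")
    # Assumption: big-endian year; every other member is a single byte.
    values = struct.unpack(">H6BcBB", data)
    fields = dict(zip([name for name, _, _ in RFC2579_RANGES], values[:7]))
    _validate(fields, RFC2579_RANGES)
    direction, utc_hours, utc_minutes = values[7:]
    if direction not in (b"+", b"-"):
        raise ValueError(f"invalid direction from UTC: {direction!r}")
    offset = utc_hours * 60 + utc_minutes
    fields["utc_offset_minutes"] = -offset if direction == b"-" else offset
    fields["string"] = (
        "{year:04d}-{month:02d}-{day_of_month:02d} "
        "{hours:02d}:{minutes:02d}:{seconds:02d}.{deciseconds:d}"
    ).format(**fields)
    return fields


def parse_systemtime(data):
    """Decodes the 16-byte SYSTEMTIME structure into a dict."""
    if len(data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(data)}")
    # Assumption: eight little-endian 16-bit WORDs.
    values = struct.unpack("<8H", data)
    fields = dict(zip([name for name, _, _ in SYSTEMTIME_RANGES], values))
    _validate(fields, SYSTEMTIME_RANGES)
    # A stored day of week that disagrees with the date is worth flagging
    # during examination. None means the check could not be performed.
    fields["day_of_week_matches_date"] = None
    if fields["year"] <= datetime.MAXYEAR:
        date = datetime.date(
            fields["year"], fields["month"], fields["day_of_month"])
        # Assumption: 0 is Sunday; date.weekday() counts from Monday = 0.
        fields["day_of_week_matches_date"] = (
            (date.weekday() + 1) % 7 == fields["day_of_week"])
    fields["string"] = (
        "{year:04d}-{month:02d}-{day_of_month:02d} "
        "{hours:02d}:{minutes:02d}:{seconds:02d}.{milliseconds:03d}"
    ).format(**fields)
    return fields


# Constructed samples, not taken from any real evidence.
SAMPLE_RFC2579 = struct.pack(">H6BcBB", 1992, 5, 26, 13, 30, 15, 0, b"-", 4, 0)
SAMPLE_SYSTEMTIME = struct.pack("<8H", 2021, 8, 0, 22, 14, 5, 9, 123)

if __name__ == "__main__":
    print(parse_rfc2579(SAMPLE_RFC2579)["string"])
    print(parse_systemtime(SAMPLE_SYSTEMTIME)["string"])
```
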

3.20 dfdatetime.time_elements module

Time elements implementation.

class dfdatetime.time_elements.TimeElements(time_elements_tuple=None, time_zone_offset=None)
   Bases: dfdatetime.interface.DateTimeValues

   Time elements.

   Time elements contain separate values for year, month, day of month, hours, minutes and seconds.

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   CopyFromDateTimeString(time_string)
      Copies time elements from a date and time string.
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.

   CopyFromDatetime(datetime_object)
      Copies time elements from a Python datetime object.
      A naive datetime object is considered in local time.
      Parameters: datetime_object (datetime.datetime) – Python datetime object.

   CopyFromStringISO8601(time_string)
      Copies time elements from an ISO 8601 date and time string.
      Currently not supported:
         * Duration notation: “P...”
         * Week notation “2016-W33”
         * Date with week number notation “2016-W33-3”
         * Date without year notation “--08-17”
         * Ordinal date notation “2016-230”
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DDThh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
      Raises: ValueError – if the time string is invalid or not supported.

   CopyFromStringRFC1123(time_string)
      Copies time elements from an RFC 1123 date and time string.
      Parameters: time_string (str) – date and time value formatted as: DAY, D MONTH YYYY hh:mm:ss ZONE
         Where weekday (DAY) and seconds (ss) are optional and day of month (D) can consist of 1 or 2 digits.
      Raises: ValueError – if the time string is invalid or not supported.

   CopyFromStringRFC822(time_string)
      Copies time elements from an RFC 822 date and time string.
      Parameters: time_string (str) – date and time value formatted as: DAY, D MONTH YY hh:mm:ss ZONE
         Where weekday (DAY) and seconds (ss) are optional and day of month (D) can consist of 1 or 2 digits.
      Raises: ValueError – if the time string is invalid or not supported.

   CopyFromStringTuple(time_elements_tuple)
      Copies time elements from string-based time elements tuple.
      Parameters: time_elements_tuple (Optional[tuple[str, str, str, str, str, str]]) – time elements, contains year, month, day of month, hours, minutes and seconds.
      Raises: ValueError – if the time elements tuple is invalid.

   CopyToDateTimeString()
      Copies the time elements to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or None if time elements are missing.
      Return type: str

   property day_of_month
      day of month or None if not set.
      Type: int

   property hours
      number of hours or None if not set.
      Type: int

   property minutes
      number of minutes or None if not set.
      Type: int

   property month
      month or None if not set.
      Type: int

   property seconds
      number of seconds or None if not set.
      Type: int

   property year
      year or None if not set.
      Type: int

class dfdatetime.time_elements.TimeElementsInMicroseconds(time_elements_tuple=None, time_zone_offset=None)
   Bases: dfdatetime.time_elements.TimeElementsWithFractionOfSecond

   Time elements in microseconds.

   fraction_of_second
      fraction of second, which must be a value between 0.0 and 1.0.
      Type: decimal.Decimal

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   precision
      precision of the date and time value, that represents 1 microsecond (PRECISION_1_MICROSECOND).
      Type: str

   CopyFromStringTuple(time_elements_tuple)
      Copies time elements from string-based time elements tuple.
      Parameters: time_elements_tuple (Optional[tuple[str, str, str, str, str, str, str]]) – time elements, contains year, month, day of month, hours, minutes, seconds and microseconds.
      Raises: ValueError – if the time elements tuple is invalid.

   property microseconds
      number of microseconds.
      Type: int

class dfdatetime.time_elements.TimeElementsInMilliseconds(time_elements_tuple=None, time_zone_offset=None)
   Bases: dfdatetime.time_elements.TimeElementsWithFractionOfSecond

   Time elements in milliseconds.

   fraction_of_second
      fraction of second, which must be a value between 0.0 and 1.0.
      Type: decimal.Decimal

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   precision
      precision of the date and time value, that represents 1 millisecond (PRECISION_1_MILLISECOND).
      Type: str

   CopyFromStringTuple(time_elements_tuple)
      Copies time elements from string-based time elements tuple.
      Parameters: time_elements_tuple (Optional[tuple[str, str, str, str, str, str, str]]) – time elements, contains year, month, day of month, hours, minutes, seconds and milliseconds.
      Raises: ValueError – if the time elements tuple is invalid.

   property milliseconds
      number of milliseconds.
      Type: int

class dfdatetime.time_elements.TimeElementsWithFractionOfSecond(fraction_of_second=None, time_elements_tuple=None, time_zone_offset=None)
   Bases: dfdatetime.time_elements.TimeElements

   Time elements with a fraction of second interface.

   fraction_of_second
      fraction of second, which must be a value between 0.0 and 1.0.
      Type: decimal.Decimal

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   CopyFromDatetime(datetime_object)
      Copies time elements from a Python datetime object.
      A naive datetime object is considered in local time.
      Parameters: datetime_object (datetime.datetime) – Python datetime object.

   CopyFromStringTuple(time_elements_tuple)
      Copies time elements from string-based time elements tuple.
      Parameters: time_elements_tuple (Optional[tuple[str, str, str, str, str, str, str]]) – time elements, contains year, month, day of month, hours, minutes, seconds and fraction of seconds.
      Raises: ValueError – if the time elements tuple is invalid.

   CopyToDateTimeString()
      Copies the time elements to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss” or “YYYY-MM-DD hh:mm:ss.######” or None if time elements are missing.
      Return type: str
      Raises: ValueError – if the precision value is unsupported.

3.21 dfdatetime.uuid_time module

UUID version 1 time implementation.

class dfdatetime.uuid_time.UUIDTime(time_zone_offset=None, timestamp=None)
   Bases: dfdatetime.interface.DateTimeValues

   UUID version 1 timestamp.

   The UUID version 1 timestamp is an unsigned 60-bit value that contains the number of 100-nanosecond intervals since 1582-10-15 00:00:00.

   Also see: https://en.wikipedia.org/wiki/Universally_unique_identifier

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   CopyFromDateTimeString(time_string)
      Copies a UUID timestamp from a date and time string.
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
      Raises: ValueError – if the time string is invalid or not supported.

   CopyToDateTimeString()
      Copies the UUID timestamp to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.#######” or None if the timestamp is missing or invalid.
      Return type: str

   property timestamp
      UUID timestamp or None if not set.
      Type: int

class dfdatetime.uuid_time.UUIDTimeEpoch
   Bases: dfdatetime.interface.DateTimeEpoch

   UUID version 1 time epoch.

3.22 dfdatetime.webkit_time module

WebKit time implementation.

class dfdatetime.webkit_time.WebKitTime(time_zone_offset=None, timestamp=None)
   Bases: dfdatetime.interface.DateTimeValues

   WebKit timestamp.

   The WebKit timestamp is a signed 64-bit integer that contains the number of microseconds since 1601-01-01 00:00:00.

   is_local_time
      True if the date and time value is in local time.
      Type: bool

   CopyFromDateTimeString(time_string)
      Copies a WebKit timestamp from a date and time string.
      Parameters: time_string (str) – date and time value formatted as: YYYY-MM-DD hh:mm:ss.######[+-]##:##
         Where # are numeric digits ranging from 0 to 9 and the seconds fraction can be either 3 or 6 digits. The time of day, seconds fraction and time zone offset are optional. The default time zone is UTC.
      Raises: ValueError – if the time string is invalid or not supported.

   CopyToDateTimeString()
      Copies the WebKit timestamp to a date and time string.
      Returns: date and time value formatted as: “YYYY-MM-DD hh:mm:ss.######” or None if the timestamp is missing or invalid.
      Return type: str

   property timestamp
      WebKit timestamp or None if not set.
      Type: decimal.Decimal

class dfdatetime.webkit_time.WebKitTimeEpoch
   Bases: dfdatetime.interface.DateTimeEpoch

   WebKit time epoch.
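The UUID version 1 timestamp (3.21) and the WebKit timestamp (3.22) differ only in epoch and unit, so both can be converted with integer arithmetic that keeps every sub-second digit. The following is an added example using only the Python standard library, not dfDateTime code; the function names and sample values are constructed for illustration, and returning None for an unrepresentable value mirrors the "None if the timestamp is missing or invalid" behaviour documented above.

```python
import datetime
import uuid

# Epochs as documented above.
UUID_EPOCH = datetime.datetime(1582, 10, 15)
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1)

# Constructed samples, not taken from any real evidence.
SAMPLE_UUID = "13814000-1dd2-11b2-8000-020000000001"
SAMPLE_WEBKIT = 13274114709123456


def _format(epoch, seconds, fraction, digits):
    """Formats epoch + seconds with an integer sub-second fraction.

    The fraction never passes through a float: a double cannot hold a
    present-day count of 100-nanosecond intervals since 1582 exactly.
    """
    try:
        moment = epoch + datetime.timedelta(seconds=seconds)
    except OverflowError:
        # The value lies outside the range Python's datetime can represent.
        return None
    return (
        f"{moment.year:04d}-{moment.month:02d}-{moment.day:02d} "
        f"{moment.hour:02d}:{moment.minute:02d}:{moment.second:02d}"
        f".{fraction:0{digits}d}")


def uuid_string_to_time(value):
    """Extracts the 60-bit timestamp from a version 1 UUID string."""
    parsed = uuid.UUID(value)
    if parsed.version != 1:
        raise ValueError(f"not a version 1 UUID: {value}")
    return parsed.time


def uuid_time_to_string(timestamp):
    """Converts a UUID version 1 timestamp to YYYY-MM-DD hh:mm:ss.#######."""
    if timestamp is None or not 0 <= timestamp < 1 << 60:
        return None
    # 10,000,000 intervals of 100 nanoseconds per second.
    seconds, remainder = divmod(timestamp, 10_000_000)
    return _format(UUID_EPOCH, seconds, remainder, 7)


def webkit_time_to_string(timestamp):
    """Converts a WebKit timestamp to YYYY-MM-DD hh:mm:ss.######."""
    if timestamp is None or not -(1 << 63) <= timestamp < 1 << 63:
        return None
    # divmod floors, so a negative value (before 1601) still yields a
    # fraction between 0 and 999999.
    seconds, remainder = divmod(timestamp, 1_000_000)
    return _format(WEBKIT_EPOCH, seconds, remainder, 6)


if __name__ == "__main__":
    print(uuid_time_to_string(uuid_string_to_time(SAMPLE_UUID)))
    print(webkit_time_to_string(SAMPLE_WEBKIT))
```
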

3.23 Module contents

Digital Forensics Date and Time (dfDateTime). dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.

38 Chapter 3. dfdatetime package CHAPTER FOUR

INDICES AND TABLES

• genindex • modindex • search

39 dfDateTime, Release 20210701

40 Chapter 4. Indices and tables PYTHON MODULE INDEX

d dfdatetime, 38 dfdatetime.apfs_time, 11 dfdatetime.cocoa_time, 12 dfdatetime.decorators, 12 dfdatetime.definitions, 13 dfdatetime.delphi_date_time, 13 dfdatetime.factory, 14 dfdatetime.fake_time, 14 dfdatetime.fat_date_time, 15 dfdatetime.filetime, 16 dfdatetime.hfs_time, 17 dfdatetime.interface, 17 dfdatetime.java_time, 21 dfdatetime.ole_automation_date, 21 dfdatetime.posix_time, 22 dfdatetime.precisions, 25 dfdatetime.rfc2579_date_time, 27 dfdatetime.semantic_time, 29 dfdatetime.systemtime, 32 dfdatetime.time_elements, 33 dfdatetime.uuid_time, 37 dfdatetime.webkit_time, 37

41 dfDateTime, Release 20210701

42 Python Module Index INDEX

Symbols CopyFromDatetime() (dfdate- __eq__() (dfdatetime.interface.DateTimeValues time.time_elements.TimeElementsWithFractionOfSecond method), 19 method), 36 __eq__() (dfdatetime.semantic_time.Never method), 29 CopyFromDateTimeString() (dfdate- __eq__() (dfdatetime.semantic_time.SemanticTime time.apfs_time.APFSTime method), 11 method), 31 CopyFromDateTimeString() (dfdate- __ge__() (dfdatetime.interface.DateTimeValues time.cocoa_time.CocoaTime method), 12 method), 20 CopyFromDateTimeString() (dfdate- __ge__() (dfdatetime.semantic_time.Never method), 29 time.delphi_date_time.DelphiDateTime __ge__() (dfdatetime.semantic_time.SemanticTime method), 13 method), 31 CopyFromDateTimeString() (dfdate- __gt__() (dfdatetime.interface.DateTimeValues time.fake_time.FakeTime method), 14 method), 20 CopyFromDateTimeString() (dfdate- __gt__() (dfdatetime.semantic_time.Never method), 29 time.fat_date_time.FATDateTime method), __gt__() (dfdatetime.semantic_time.SemanticTime 15 method), 31 CopyFromDateTimeString() (dfdate- __le__() (dfdatetime.interface.DateTimeValues time.filetime.Filetime method), 16 method), 20 CopyFromDateTimeString() (dfdate- __le__() (dfdatetime.semantic_time.Never method), 29 time.hfs_time.HFSTime method), 17 __le__() (dfdatetime.semantic_time.SemanticTime CopyFromDateTimeString() (dfdate- method), 31 time.interface.DateTimeValues method), __lt__() (dfdatetime.interface.DateTimeValues 18 method), 20 CopyFromDateTimeString() (dfdate- __lt__() (dfdatetime.semantic_time.Never method), 30 time.ole_automation_date.OLEAutomationDate __lt__() (dfdatetime.semantic_time.SemanticTime method), 21 method), 31 CopyFromDateTimeString() (dfdate- __ne__() (dfdatetime.interface.DateTimeValues time.posix_time.PosixTime method), 22 method), 20 CopyFromDateTimeString() (dfdate- __ne__() (dfdatetime.semantic_time.Never method), 30 time.posix_time.PosixTimeInMicroseconds __ne__() (dfdatetime.semantic_time.SemanticTime method), 23 method), 31 CopyFromDateTimeString() (dfdate- 
time.posix_time.PosixTimeInMilliseconds A method), 23 CopyFromDateTimeString() (dfdate- APFSTime (class in dfdatetime.apfs_time), 11 time.posix_time.PosixTimeInNanoseconds C method), 24 CopyFromDateTimeString() (dfdate- CocoaTime (class in dfdatetime.cocoa_time), 12 time.rfc2579_date_time.RFC2579DateTime CocoaTimeEpoch (class in dfdatetime.cocoa_time), 12 method), 28 CopyFromDatetime() (dfdate- CopyFromDateTimeString() (dfdate- time.time_elements.TimeElements method), time.semantic_time.SemanticTime method), 33 30

43 dfDateTime, Release 20210701

CopyFromDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.systemtime.Systemtime method), 33 time.fat_date_time.FATDateTime method), CopyFromDateTimeString() (dfdate- 15 time.time_elements.TimeElements method), CopyToDateTimeString() (dfdatetime.filetime.Filetime 33 method), 16 CopyFromDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.uuid_time.UUIDTime method), 37 time.hfs_time.HFSTime method), 17 CopyFromDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.webkit_time.WebKitTime method), 38 time.interface.DateTimeValues method), CopyFromString() (dfdate- 18 time.interface.DateTimeValues method), CopyToDateTimeString() (dfdate- 18 time.java_time.JavaTime method), 21 CopyFromStringISO8601() (dfdate- CopyToDateTimeString() (dfdate- time.time_elements.TimeElements method), time.ole_automation_date.OLEAutomationDate 33 method), 22 CopyFromStringRFC1123() (dfdate- CopyToDateTimeString() (dfdate- time.time_elements.TimeElements method), time.posix_time.PosixTime method), 22 34 CopyToDateTimeString() (dfdate- CopyFromStringRFC822() (dfdate- time.posix_time.PosixTimeInMicroseconds time.time_elements.TimeElements method), method), 23 34 CopyToDateTimeString() (dfdate- CopyFromStringTuple() (dfdate- time.posix_time.PosixTimeInMilliseconds time.time_elements.TimeElements method), method), 24 34 CopyToDateTimeString() (dfdate- CopyFromStringTuple() (dfdate- time.posix_time.PosixTimeInNanoseconds time.time_elements.TimeElementsInMicroseconds method), 24 method), 35 CopyToDateTimeString() (dfdate- CopyFromStringTuple() (dfdate- time.precisions.DateTimePrecisionHelper time.time_elements.TimeElementsInMilliseconds class method), 25 method), 36 CopyToDateTimeString() (dfdate- CopyFromStringTuple() (dfdate- time.precisions.MicrosecondsPrecisionHelper time.time_elements.TimeElementsWithFractionOfSecond class method), 25 method), 36 CopyToDateTimeString() (dfdate- CopyMicrosecondsToFractionOfSecond() (dfdate- 
time.precisions.MillisecondsPrecisionHelper time.precisions.DateTimePrecisionHelper class class method), 26 method), 25 CopyToDateTimeString() (dfdate- CopyMicrosecondsToFractionOfSecond() (dfdate- time.precisions.SecondsPrecisionHelper time.precisions.MicrosecondsPrecisionHelper class method), 27 class method), 25 CopyToDateTimeString() (dfdate- CopyMicrosecondsToFractionOfSecond() (dfdate- time.rfc2579_date_time.RFC2579DateTime time.precisions.MillisecondsPrecisionHelper method), 28 class method), 26 CopyToDateTimeString() (dfdate- CopyMicrosecondsToFractionOfSecond() (dfdate- time.semantic_time.SemanticTime method), time.precisions.SecondsPrecisionHelper class 30 method), 27 CopyToDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.systemtime.Systemtime method), 33 time.apfs_time.APFSTime method), 11 CopyToDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.time_elements.TimeElements method), time.cocoa_time.CocoaTime method), 12 34 CopyToDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.delphi_date_time.DelphiDateTime time.time_elements.TimeElementsWithFractionOfSecond method), 13 method), 36 CopyToDateTimeString() (dfdate- CopyToDateTimeString() (dfdate- time.fake_time.FakeTime method), 15 time.uuid_time.UUIDTime method), 37

44 Index dfDateTime, Release 20210701

CopyToDateTimeString() (dfdatetime.webkit_time.WebKitTime method)
CopyToDateTimeStringISO8601() (dfdatetime.interface.DateTimeValues method)
CopyToDateTimeStringISO8601() (dfdatetime.semantic_time.SemanticTime method)
CopyToPosixTimestamp() (dfdatetime.interface.DateTimeValues method)
CopyToStatTimeTuple() (dfdatetime.interface.DateTimeValues method)
CopyToStatTimeTuple() (dfdatetime.semantic_time.SemanticTime method)
CreatePrecisionHelper() (dfdatetime.precisions.PrecisionHelperFactory class method)

D
DateTimeEpoch (class in dfdatetime.interface)
DateTimePrecisionHelper (class in dfdatetime.precisions)
DateTimeValues (class in dfdatetime.interface)
day_of_month (dfdatetime.interface.DateTimeEpoch attribute)
day_of_month (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
day_of_month (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
day_of_month (dfdatetime.systemtime.Systemtime attribute)
day_of_month (dfdatetime.time_elements.TimeElements property)
day_of_week (dfdatetime.systemtime.Systemtime attribute)
deciseconds (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
deciseconds (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
DelphiDateTime (class in dfdatetime.delphi_date_time)
DelphiDateTimeEpoch (class in dfdatetime.delphi_date_time)
deprecated() (in module dfdatetime.decorators)
DeregisterDateTimeValues() (dfdatetime.factory.Factory class method)
dfdatetime (module)
dfdatetime.apfs_time (module)
dfdatetime.cocoa_time (module)
dfdatetime.decorators (module)
dfdatetime.definitions (module)
dfdatetime.delphi_date_time (module)
dfdatetime.factory (module)
dfdatetime.fake_time (module)
dfdatetime.fat_date_time (module)
dfdatetime.filetime (module)
dfdatetime.hfs_time (module)
dfdatetime.interface (module)
dfdatetime.java_time (module)
dfdatetime.ole_automation_date (module)
dfdatetime.posix_time (module)
dfdatetime.precisions (module)
dfdatetime.rfc2579_date_time (module)
dfdatetime.semantic_time (module)
dfdatetime.systemtime (module)
dfdatetime.time_elements (module)
dfdatetime.uuid_time (module)
dfdatetime.webkit_time (module)

F
Factory (class in dfdatetime.factory)
FakeTime (class in dfdatetime.fake_time)
fat_date_time (dfdatetime.fat_date_time.FATDateTime property)
FATDateTime (class in dfdatetime.fat_date_time)
FATDateTimeEpoch (class in dfdatetime.fat_date_time)
Filetime (class in dfdatetime.filetime)
FiletimeEpoch (class in dfdatetime.filetime)


fraction_of_second (dfdatetime.time_elements.TimeElementsInMicroseconds attribute)
fraction_of_second (dfdatetime.time_elements.TimeElementsInMilliseconds attribute)
fraction_of_second (dfdatetime.time_elements.TimeElementsWithFractionOfSecond attribute)

G
GetDate() (dfdatetime.interface.DateTimeValues method)
GetDateWithTimeOfDay() (dfdatetime.interface.DateTimeValues method)
GetPlasoTimestamp() (dfdatetime.interface.DateTimeValues method)
GetPlasoTimestamp() (dfdatetime.semantic_time.SemanticTime method)
GetTimeOfDay() (dfdatetime.interface.DateTimeValues method)

H
HFSTime (class in dfdatetime.hfs_time)
HFSTimeEpoch (class in dfdatetime.hfs_time)
hours (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
hours (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
hours (dfdatetime.systemtime.Systemtime attribute)
hours (dfdatetime.time_elements.TimeElements property)

I
InvalidTime (class in dfdatetime.semantic_time)
is_local_time (dfdatetime.apfs_time.APFSTime attribute)
is_local_time (dfdatetime.cocoa_time.CocoaTime attribute)
is_local_time (dfdatetime.delphi_date_time.DelphiDateTime attribute)
is_local_time (dfdatetime.fake_time.FakeTime attribute)
is_local_time (dfdatetime.fat_date_time.FATDateTime attribute)
is_local_time (dfdatetime.filetime.Filetime attribute)
is_local_time (dfdatetime.hfs_time.HFSTime attribute)
is_local_time (dfdatetime.interface.DateTimeValues attribute)
is_local_time (dfdatetime.java_time.JavaTime attribute)
is_local_time (dfdatetime.ole_automation_date.OLEAutomationDate attribute)
is_local_time (dfdatetime.posix_time.PosixTime attribute)
is_local_time (dfdatetime.posix_time.PosixTimeInMicroseconds attribute)
is_local_time (dfdatetime.posix_time.PosixTimeInMilliseconds attribute)
is_local_time (dfdatetime.posix_time.PosixTimeInNanoseconds attribute)
is_local_time (dfdatetime.semantic_time.SemanticTime attribute)
is_local_time (dfdatetime.time_elements.TimeElements attribute)
is_local_time (dfdatetime.time_elements.TimeElementsInMicroseconds attribute)
is_local_time (dfdatetime.time_elements.TimeElementsInMilliseconds attribute)
is_local_time (dfdatetime.time_elements.TimeElementsWithFractionOfSecond attribute)
is_local_time (dfdatetime.uuid_time.UUIDTime attribute)
is_local_time (dfdatetime.webkit_time.WebKitTime attribute)

J
JavaTime (class in dfdatetime.java_time)

M
microseconds (dfdatetime.time_elements.TimeElementsInMicroseconds property)
MicrosecondsPrecisionHelper (class in dfdatetime.precisions)
milliseconds (dfdatetime.systemtime.Systemtime attribute)
milliseconds (dfdatetime.time_elements.TimeElementsInMilliseconds property)
MillisecondsPrecisionHelper (class in dfdatetime.precisions)

minutes (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
minutes (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
minutes (dfdatetime.systemtime.Systemtime attribute)
minutes (dfdatetime.time_elements.TimeElements property)
module
    dfdatetime
    dfdatetime.apfs_time
    dfdatetime.cocoa_time
    dfdatetime.decorators
    dfdatetime.definitions
    dfdatetime.delphi_date_time
    dfdatetime.factory
    dfdatetime.fake_time
    dfdatetime.fat_date_time
    dfdatetime.filetime
    dfdatetime.hfs_time
    dfdatetime.interface
    dfdatetime.java_time
    dfdatetime.ole_automation_date
    dfdatetime.posix_time
    dfdatetime.precisions
    dfdatetime.rfc2579_date_time
    dfdatetime.semantic_time
    dfdatetime.systemtime
    dfdatetime.time_elements
    dfdatetime.uuid_time
    dfdatetime.webkit_time
month (dfdatetime.interface.DateTimeEpoch attribute)
month (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
month (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
month (dfdatetime.systemtime.Systemtime attribute)
month (dfdatetime.time_elements.TimeElements property)

N
Never (class in dfdatetime.semantic_time)
NewDateTimeValues() (dfdatetime.factory.Factory class method)
NormalizedTimeEpoch (class in dfdatetime.interface)
NotSet (class in dfdatetime.semantic_time)

O
OLEAutomationDate (class in dfdatetime.ole_automation_date)
OLEAutomationDateEpoch (class in dfdatetime.ole_automation_date)

P
PosixTime (class in dfdatetime.posix_time)
PosixTimeEpoch (class in dfdatetime.posix_time)
PosixTimeInMicroseconds (class in dfdatetime.posix_time)
PosixTimeInMilliseconds (class in dfdatetime.posix_time)
PosixTimeInNanoseconds (class in dfdatetime.posix_time)
precision (dfdatetime.interface.DateTimeValues property)
precision (dfdatetime.time_elements.TimeElementsInMicroseconds attribute)
precision (dfdatetime.time_elements.TimeElementsInMilliseconds attribute)
PrecisionHelperFactory (class in dfdatetime.precisions)

R
RegisterDateTimeValues() (dfdatetime.factory.Factory class method)
RFC2579DateTime (class in dfdatetime.rfc2579_date_time)

S
seconds (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
seconds (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
seconds (dfdatetime.systemtime.Systemtime attribute)
seconds (dfdatetime.time_elements.TimeElements property)
SecondsPrecisionHelper (class in dfdatetime.precisions)
SemanticTime (class in dfdatetime.semantic_time)
string (dfdatetime.semantic_time.SemanticTime property)
Systemtime (class in dfdatetime.systemtime)

T
time_zone_offset (dfdatetime.interface.DateTimeValues property)
TimeElements (class in dfdatetime.time_elements)
TimeElementsInMicroseconds (class in dfdatetime.time_elements)
TimeElementsInMilliseconds (class in dfdatetime.time_elements)
TimeElementsWithFractionOfSecond (class in dfdatetime.time_elements)
timestamp (dfdatetime.cocoa_time.CocoaTime property)


timestamp (dfdatetime.delphi_date_time.DelphiDateTime property)
timestamp (dfdatetime.filetime.Filetime property)
timestamp (dfdatetime.hfs_time.HFSTime property)
timestamp (dfdatetime.ole_automation_date.OLEAutomationDate property)
timestamp (dfdatetime.posix_time.PosixTime property)
timestamp (dfdatetime.posix_time.PosixTimeInMicroseconds property)
timestamp (dfdatetime.posix_time.PosixTimeInMilliseconds property)
timestamp (dfdatetime.posix_time.PosixTimeInNanoseconds property)
timestamp (dfdatetime.uuid_time.UUIDTime property)
timestamp (dfdatetime.webkit_time.WebKitTime property)

U
UUIDTime (class in dfdatetime.uuid_time)
UUIDTimeEpoch (class in dfdatetime.uuid_time)

W
WebKitTime (class in dfdatetime.webkit_time)
WebKitTimeEpoch (class in dfdatetime.webkit_time)

Y
year (dfdatetime.interface.DateTimeEpoch attribute)
year (dfdatetime.rfc2579_date_time.RFC2579DateTime attribute)
year (dfdatetime.rfc2579_date_time.RFC2579DateTime property)
year (dfdatetime.systemtime.Systemtime attribute)
year (dfdatetime.time_elements.TimeElements property)
