Dfdatetime Release 20210701


dfDateTime Release 20210701
unknown
Aug 22, 2021

CONTENTS

1 Getting started
    1.1 Installation instructions
2 Date and time values
    2.1 Terminology
    2.2 Accuracy and precision
    2.3 APFS timestamp
    2.4 Cocoa timestamp
    2.5 Delphi TDateTime
    2.6 FAT date and time
    2.7 FILETIME
    2.8 HFS timestamp
    2.9 Java timestamp
    2.10 OLE Automated date
    2.11 POSIX timestamp
    2.12 RFC2579 date-time
    2.13 SYSTEMTIME
    2.14 UUID version 1 time
    2.15 WebKit timestamp
3 dfdatetime package
    3.1 Submodules
    3.2 dfdatetime.apfs_time module
    3.3 dfdatetime.cocoa_time module
    3.4 dfdatetime.decorators module
    3.5 dfdatetime.definitions module
    3.6 dfdatetime.delphi_date_time module
    3.7 dfdatetime.factory module
    3.8 dfdatetime.fake_time module
    3.9 dfdatetime.fat_date_time module
    3.10 dfdatetime.filetime module
    3.11 dfdatetime.hfs_time module
    3.12 dfdatetime.interface module
    3.13 dfdatetime.java_time module
    3.14 dfdatetime.ole_automation_date module
    3.15 dfdatetime.posix_time module
    3.16 dfdatetime.precisions module
    3.17 dfdatetime.rfc2579_date_time module
    3.18 dfdatetime.semantic_time module
    3.19 dfdatetime.systemtime module
    3.20 dfdatetime.time_elements module
    3.21 dfdatetime.uuid_time module
    3.22 dfdatetime.webkit_time module
    3.23 Module contents
4 Indices and tables
Python Module Index
Index

dfDateTime, or Digital Forensics date and time, provides date and time objects to preserve accuracy and precision.

The source code is available from the project page.

CHAPTER ONE
GETTING STARTED

To be able to use dfDateTime you first need to install it. There are multiple ways to install dfDateTime; check the following instructions for more detail.

1.1 Installation instructions

1.1.1 pip

Note that using pip outside virtualenv is not recommended since it ignores your system’s package manager. If you aren’t comfortable debugging package installation issues, this is not the option for you.
Create and activate a virtualenv:

    virtualenv dfdatetimeenv
    cd dfdatetimeenv
    source ./bin/activate

Upgrade pip and install dfDateTime dependencies:

    pip install --upgrade pip
    pip install dfdatetime

To deactivate the virtualenv run:

    deactivate

1.1.2 Ubuntu 18.04 and 20.04 LTS

To install dfDateTime from the GIFT Personal Package Archive (PPA):

    sudo add-apt-repository ppa:gift/stable

Update and install dfDateTime:

    sudo apt-get update
    sudo apt-get install python3-dfdatetime

1.1.3 Windows

The l2tbinaries contains the necessary packages for running dfDateTime. l2tbinaries provides the following branches:

• main; branch intended for the “packaged release” of dfDateTime and dependencies;
• dev; branch intended for the “development release” of dfDateTime;
• testing; branch intended for testing newly created packages.

The l2tdevtools project provides an update script to ease the process of keeping the dependencies up to date.

The script requires pywin32 and Python WMI.

To install the release versions of the dependencies run:

    set PYTHONPATH=.
    C:\Python38\python.exe tools\update.py --preset dfdatetime

CHAPTER TWO
DATE AND TIME VALUES

2.1 Terminology

Calendar: a system of organising days.

Epoch: a reference point from which time is measured.

Leap second: a leap second is a one-second adjustment that is occasionally applied to Coordinated Universal Time (UTC) in order to keep its time of day close to the mean solar time.

2.1.1 Also see

• Wikipedia: Calendar
• Wikipedia: Epoch
• Wikipedia: Leap second

2.2 Accuracy and precision

• accuracy is used to describe the closeness of a measurement to the true value;
• precision is the closeness of agreement among a set of results.

In NTFS date and time values are stored using a FILETIME structure. The FILETIME structure stores a date and time value as a 64-bit integer that represents the number of 100-nanosecond intervals since “January 1, 1601 00:00:00.0000000 UTC”.
This provides an upper bound of a 100-nanosecond interval data granularity. For disambiguation we’ll refer to this as datetime storage granularity.

However this does not have to mean that the actual value stored within the FILETIME structure has a 100-nanosecond interval data granularity. E.g. the FILETIME MSDN article also mentions that on NTFS, the access time has a resolution of 1 hour. For disambiguation the term resolution is comparable with that of Display resolution or Audio resolution; we’ll refer to this as datetime value granularity.

The FILETIME MSDN article also mentions that some values should be interpreted not as date and time values e.g. 0xFFFFFFFF can be used to specify that a file’s previous access time should be preserved, or 0 to specify that the date and time value is not set. For disambiguation we’ll refer to this as datetime value semantics (in other words meaning or representation).

2.2.1 Digital forensics significance

A large part of digital forensic analysis is about the interpretation of computer data. If date and time values are converted from a storage format to another storage format or a string representation we are likely to change granularity and semantics in the process. If the analyst is aware of this the impact should be minimal, however if we wish to have automation assisted analysis we’ll have to preserve concepts of granularity and semantics and represent them in a machine-processable manner, so that the automation can distinguish between a FILETIME date and time value that is not set versus a FILETIME date and time value that represents “January 1, 1601 00:00:00.0000000 UTC”.

Another aspect relevant to digital forensic analysis is how to represent a datetime value with a value granularity of 1 day (e.g. FAT access time) in a timeline of microseconds, where the analyst is only interested in the events that occurred within a specific hour on that day.
Technically the access time should be included in the resulting timeline since the access could have occurred during that specific hour.

2.2.2 References

• Wikipedia: Accuracy and precision
• Wikipedia: Computer forensics
• Wikipedia: Granularity - Data Granularity
• Wikipedia: Semantics
• FILETIME structure
• File Times
• Precision and accuracy of DateTime, by Eric Lippert, April 8, 2010

2.3 APFS timestamp

2.3.1 Characteristics

2.3.2 Format

2.4 Cocoa timestamp

2.4.1 Characteristics

2.4.2 Format

2.4.3 Also see

• Apple Developer: Dates
• Apple Developer: NSDate

2.5 Delphi TDateTime

2.5.1 Characteristics

2.5.2 Format

2.5.3 Also see

• Embarcadero: System.TDateTime

2.6 FAT date and time

2.6.1 Characteristics

Sometimes 2099-12-31 23:59:58 is defined as the upper bound of DOS date and time. Also see: Time formatting and storage bugs - Year 2100

2.6.2 Format

The FAT (or DOS) date is a 16-bit value that consists of:

The FAT (or DOS) time is a 16-bit value that consists of:

2.6.3 Also see

• Wikipedia: File Allocation Table
• DosDateTimeToFileTime function

2.7 FILETIME

2.7.1 Characteristics

The actual upper bound of the supported date range is unclear. Also see: Latest possible FILETIME

2.7.2 Format

The FILETIME structure is 8 bytes of size and consists of:

The FILETIME should be treated as a structure when stored and passed to Windows API functions. However it can be combined into a 64-bit integer, which will be indicated as a FILETIME timestamp, containing the number of seconds since 1601-01-01 00:00:00.0000000.

An empty (or unset) FILETIME timestamp can be represented by 0, however the meaning can differ depending on the context in which the timestamp is used.

Certain values of FILETIME such as { 0xffffffff, 0xffffffff } for the SetFileTime Windows API function are overloaded with a special meaning.
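The separation of value semantics from value granularity described in sections 2.2, 2.2.1 and 2.7.2 can be sketched as follows. This is an added example, not dfDateTime's own code or API: the names DecodedTime, decode_filetime and may_fall_within are hypothetical, the sample timestamp is constructed, and a tick is the 100-nanosecond interval of section 2.2.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000        # one tick = 100 nanoseconds
OVERLOADED = 0xFFFFFFFFFFFFFFFF      # { 0xffffffff, 0xffffffff } as one integer

@dataclass(frozen=True)
class DecodedTime:                   # hypothetical container for this example
    semantics: str                   # "value", "not set" or "special"
    ticks: Optional[int]             # ticks since 1601-01-01 UTC, None if no value
    granularity: int                 # value granularity, in ticks

def to_ticks(moment):
    """Converts a timezone-aware datetime to ticks using integers only."""
    delta = moment - EPOCH_1601
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)

def decode_filetime(raw, granularity=1, zero_is_not_set=True):
    """Decodes a 64-bit FILETIME; the caller states what 0 means in context."""
    if raw == OVERLOADED:
        return DecodedTime("special", None, granularity)
    if raw == 0 and zero_is_not_set:
        return DecodedTime("not set", None, granularity)
    return DecodedTime("value", raw, granularity)

def may_fall_within(decoded, start, end):
    """True if the recorded event could have occurred in [start, end)."""
    if decoded.semantics != "value":
        return False                 # no date and time to place on a timeline
    first = decoded.ticks - decoded.ticks % decoded.granularity
    last = first + decoded.granularity
    return first < to_ticks(end) and to_ticks(start) < last

if __name__ == "__main__":
    # Constructed sample: an access time stored as 2021-07-01 14:00:00 UTC.
    utc = timezone.utc
    raw = to_ticks(datetime(2021, 7, 1, 14, 0, tzinfo=utc))
    hour = 3600 * TICKS_PER_SECOND
    window = (datetime(2021, 7, 1, 14, 30, tzinfo=utc),
              datetime(2021, 7, 1, 14, 45, tzinfo=utc))
    print(may_fall_within(decode_filetime(raw, hour), *window))  # 1-hour granularity
    print(may_fall_within(decode_filetime(raw), *window))        # 100 ns granularity
    print(decode_filetime(0), decode_filetime(0, zero_is_not_set=False))
```
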
2.7.3 Also see

• MSDN: FILETIME

2.8 HFS timestamp

Sometimes a distinction is made between
