Decoding Time: Leveraging Timestamps in Digital Forensic Investigations

co-authored by Ian Whiffin, Decoding Manager at Cellebrite

In the field of digital forensics, time is not just a concept but a critical piece of evidence that, when decoded correctly, can reveal the hidden stories behind digital activities. Timestamps are essential in investigations to establish a chronology, validate data and build a narrative.

A timestamp, embedded in a file, a database row or a log entry, records the moment an action occurred, be it the creation, modification, access or deletion of a file. How precisely that moment is recorded depends on the format: some store whole seconds, others fractions of a second, and some only two-second intervals.

The accuracy and integrity of these timestamps can make or break a case, providing key proof of events and a device user’s activities.

Understanding how to properly extract, analyze and interpret these timestamps can unlock a wealth of information. In this article, we share some factors to consider when decoding timestamps, as well as best practices for ensuring timestamp accuracy in forensic investigations. 

Understanding Timestamp Formats

Decoding timestamps reliably requires both the right tools and an understanding of how they are stored, because they come in many formats, such as Unix, WebKit/Chrome and Apple Cocoa/Core Data, each with its own epoch, unit and width.

What many timestamps have in common is that they are a count of units (seconds, milliseconds, microseconds or nanoseconds) elapsed since a fixed starting point, the epoch. For example:

  • Unix timestamps represent the number of seconds that have elapsed since midnight UTC on January 1, 1970 (the Unix epoch) and are widely used in operating systems and file formats. Java and Android commonly store the same epoch in milliseconds, so a value about a thousand times larger than expected is usually the same moment in a finer unit.
  • WebKit/Chrome timestamps are the number of microseconds since midnight UTC on January 1, 1601, and are primarily found in browser-related data. Windows FILETIME values share the 1601 epoch but count 100-nanosecond intervals.
  • Cocoa timestamps, also known as “Mac absolute time,” are used on macOS and iOS and represent the number of seconds since midnight UTC on January 1, 2001. They are often stored as floating-point values with fractional seconds, and some iOS databases store the same epoch in nanoseconds.

Other formats do not count from an epoch at all but pack the date fields into a fixed-width value. DOS/FAT file times, for example, hold the year, month and day in one 16-bit word and the hour, minute and two-second interval in another, so you have to break the hexadecimal value apart bit by bit and rearrange the fields to recover the date of interest.

Understanding these different formats, the contexts in which they appear and how to convert them into a common reference (normally UTC) is crucial for accurately interpreting the data.
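The epoch-based encodings listed above and the packed DOS/FAT layout, decoded in Python. This is an added example written for this article, not code from Cellebrite or from Inseyets.PA. It goes a little beyond the article's list by also handling Windows FILETIME and Cocoa nanoseconds, the raw values are constructed (each of them encodes 2023-11-14 22:13:20 UTC), and the 2010 to 2030 plausibility window used to identify an unknown value's format is an assumption to replace with the bounds of your own case.

```python
"""Decode common timestamp encodings to aware UTC datetimes and identify a raw value's format.

Added example for this article, not Cellebrite code. Sample values are constructed;
the plausibility window in __main__ and the tests is an assumed case bound.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # shared by Windows FILETIME
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=UTC)    # Cocoa / Mac absolute time


def decode(value, fmt):
    """Convert a raw stored number to an aware UTC datetime for the named encoding.

    Raises OverflowError when the value cannot be a date in that encoding, which
    is itself a useful signal when the format is unknown."""
    if fmt == "unix_s":
        return UNIX_EPOCH + timedelta(seconds=value)
    if fmt == "unix_ms":                    # Java/Android style
        return UNIX_EPOCH + timedelta(milliseconds=value)
    if fmt == "webkit_us":                  # Chrome/WebKit: microseconds since 1601
        return WEBKIT_EPOCH + timedelta(microseconds=value)
    if fmt == "filetime":                   # Windows: 100 ns ticks since 1601
        return WEBKIT_EPOCH + timedelta(microseconds=value // 10)
    if fmt == "cocoa_s":                    # seconds since 2001, often a REAL with fractions
        return COCOA_EPOCH + timedelta(seconds=value)
    if fmt == "cocoa_ns":                   # nanoseconds since 2001 (some iOS databases)
        return COCOA_EPOCH + timedelta(microseconds=value // 1000)
    raise ValueError(f"unknown format {fmt!r}")


def decode_fat(date_word, time_word):
    """Unpack the packed 16-bit DOS/FAT date and time words.

    date: bits 15-9 years since 1980, bits 8-5 month, bits 4-0 day
    time: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds / 2
    The result is naive: FAT records local time with no zone information."""
    year = 1980 + (date_word >> 9)
    month = (date_word >> 5) & 0x0F
    day = date_word & 0x1F
    hour = time_word >> 11
    minute = (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2
    return datetime(year, month, day, hour, minute, second)


ENCODINGS = ("unix_s", "unix_ms", "webkit_us", "filetime", "cocoa_s", "cocoa_ns")


def guess_formats(value, not_before, not_after):
    """Try every numeric encoding and keep those that land inside the plausible window.

    A value that decodes to the epoch itself is usually a zero/null; a value far in
    the future usually means the unit is wrong (e.g. milliseconds read as seconds).
    Both fall outside the window and are dropped."""
    hits = []
    for fmt in ENCODINGS:
        try:
            dt = decode(value, fmt)
        except OverflowError:
            continue
        if not_before <= dt <= not_after:
            hits.append((fmt, dt))
    return hits


if __name__ == "__main__":
    # Assumed case window: nothing relevant before 2010 or after 2030.
    window = (datetime(2010, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
    for raw in (1700000000, 721692800, 13344473600000000, 133444736000000000):
        print(raw, guess_formats(raw, *window))
    print("FAT 0x576E/0xB1AA ->", decode_fat(0x576E, 0xB1AA))
```

guess_formats() can return more than one candidate: a small number is a plausible seconds, milliseconds or nanoseconds count depending on the epoch, so the surrounding context (which application wrote the column, what the neighbouring rows look like) has to settle it, and the raw value should always be kept next to the decoded one in your notes.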

Accounting for Time Zones and Daylight Saving

One of the trickier aspects of dealing with timestamps is accounting for time zones. Devices that travel across time zones pose a particular challenge: the same UTC instant is written as a different wall-clock time in each zone, so a timestamp stored as local time without an offset cannot be placed on the timeline until you know which zone the device was using when it was written.

Daylight saving time changes, which shift clocks forward or backward, complicate matters further: the hour that repeats when clocks fall back is ambiguous, and the hour skipped when clocks spring forward never existed on the device's clock. It’s essential for digital forensic investigators to be meticulous in accounting for these variations to maintain the integrity of the timeline they are reconstructing. Additionally, some timestamps are stored in UTC, while others reflect the device's local time setting, so investigators must perform accurate conversions to bring everything onto one consistent reference.

It’s also important to recognize that some systems and applications may introduce discrepancies due to incorrect system clocks or software bugs, necessitating a critical eye and a comprehensive approach to cross-referencing timestamps with other pieces of evidence. For example, if a device is set to the Eastern time zone while it is actually in California, any timestamp recorded in local time, such as the capture time of a photograph, will read three hours ahead of the wall clock where the photo was really taken. This leads to an inaccurate timeline if investigators are unaware of the device settings and the context in which the data was captured. This underscores the most critical piece of your workflow: validation. Due to the nature of timestamps, validation is mandatory.
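The conversions described in this section, including the two daylight saving edge cases and the device-set-to-Eastern-but-used-in-California scenario, worked through in Python. This is an added example written for this article, not code from Cellebrite. Zone names are IANA identifiers resolved through the standard-library zoneinfo module (which needs a system tz database or the tzdata package), and the sample wall-clock values are constructed.

```python
"""Move timestamps between UTC and local zones, and catch daylight-saving traps.

Added example for this article, not Cellebrite code. Sample values are constructed.
"""
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

UTC = timezone.utc

# Constructed samples: naive wall-clock values exactly as a device would record them.
CAPTURE = datetime(2023, 7, 4, 15, 0)        # photo capture time written in device local time
AMBIGUOUS = datetime(2023, 11, 5, 1, 30)     # the hour that repeats when US clocks fall back
MISSING = datetime(2023, 3, 12, 2, 30)       # the hour skipped when US clocks spring forward


def to_local(utc_dt, zone):
    """Render an aware UTC datetime in an IANA zone; DST is applied from the tz database."""
    return utc_dt.astimezone(ZoneInfo(zone))


def describe(dt):
    """Court-friendly rendering: local time, zone abbreviation and the explicit UTC offset."""
    return dt.strftime("%Y-%m-%d %H:%M:%S %Z (UTC%z)")


def classify_wall_time(naive, zone):
    """Return 'unique', 'ambiguous' (repeated hour) or 'nonexistent' (skipped hour)."""
    tz = ZoneInfo(zone)
    before = naive.replace(tzinfo=tz, fold=0)   # offset in force before a DST transition
    after = naive.replace(tzinfo=tz, fold=1)    # offset in force after it
    if before.utcoffset() == after.utcoffset():
        return "unique"
    # Offsets differ only around a transition; a round trip through UTC tells which kind:
    # a repeated hour comes back unchanged, a skipped hour comes back as a different time.
    back = before.astimezone(UTC).astimezone(tz).replace(tzinfo=None)
    return "ambiguous" if back == naive else "nonexistent"


def local_to_utc(naive, zone):
    """Interpret a naive wall-clock value as `zone` local time and return UTC.

    Refuses the two DST edge cases rather than silently picking one reading."""
    status = classify_wall_time(naive, zone)
    if status != "unique":
        raise ValueError(f"{naive} is {status} in {zone}; resolve it before converting")
    return naive.replace(tzinfo=ZoneInfo(zone)).astimezone(UTC)


def reinterpret_capture_time(naive, configured_zone, actual_zone):
    """A device set to configured_zone stamped a local wall clock while it was
    physically in actual_zone. Recover the true UTC instant and the wall clock
    where the event really happened."""
    true_utc = local_to_utc(naive, configured_zone)
    return true_utc, to_local(true_utc, actual_zone)


if __name__ == "__main__":
    utc, real_local = reinterpret_capture_time(CAPTURE, "America/New_York", "America/Los_Angeles")
    print("stored :", CAPTURE, "(device zone America/New_York)")
    print("UTC    :", describe(utc))
    print("actual :", describe(real_local))
    for sample in (CAPTURE, AMBIGUOUS, MISSING):
        print(sample, "->", classify_wall_time(sample, "America/New_York"))
```

The refusal in local_to_utc() is deliberate: a tool that quietly picks one reading of a repeated hour produces a timeline that is off by an hour with no warning, and that is exactly the kind of error that only a validation step catches.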

Decoding and Validating Timestamps

Forensic tools such as Cellebrite’s Inseyets Physical Analyzer (Inseyets.PA) can help with quickly decoding and converting timestamps. These tools typically read the raw values from databases and display them in the examiner’s preferred reference, usually UTC or the time zone in which the phone was used.

Still, anomalies can occur, such as timestamps displaying dates from centuries past or far in the future, and these indicate a problem with the conversion: a value that decodes to the epoch itself is usually a zero or null, and a value decades out of range usually means the wrong epoch or the wrong unit was applied (for example, milliseconds read as seconds). This is why it is important to also validate and verify that the data obtained is accurate.

Once you have confirmed that the value shown by the tool matches the raw value in the database, the second part is to find out how that value was generated. This involves testing and confirming that the timestamps correspond accurately to the events they are supposed to represent, such as browsing history entries or call logs.

To do this, investigators can use test data from a controlled environment. By performing specific actions on a device and then extracting the data, investigators can compare the recorded timestamps with the actual times the actions were performed. This process helps ensure that the timestamps are not only decoded correctly but are also accurately representing the timing of events. 
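The comparison from the controlled test, expressed as a check you can run over the decoded output. This is an added example written for this article, not Cellebrite code. The ground truth (the times you noted while performing actions on a test device) and the “extracted” records are constructed inline; the 5-second tolerance and the table of tell-tale offsets are assumptions for the illustration.

```python
"""Validate decoded timestamps against a controlled test and diagnose systematic offsets.

Added example for this article, not Cellebrite code. Ground truth and extracted
records are constructed; tolerance and the offset table are assumptions.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

UTC = timezone.utc
TOLERANCE = timedelta(seconds=5)   # assumed slack for how precisely the action time was noted

# Constructed ground truth: what was done on the test device and when, from a trusted clock.
GROUND_TRUTH = {
    "call_placed": datetime(2024, 3, 12, 14, 0, 0, tzinfo=UTC),
    "photo_taken": datetime(2024, 3, 12, 14, 5, 30, tzinfo=UTC),
    "url_visited": datetime(2024, 3, 12, 14, 12, 10, tzinfo=UTC),
}

# Constant offsets that point at a specific mistake (seconds between the epochs involved).
TELLTALE_OFFSETS = {
    978_307_200: "Unix epoch (1970) confused with the Cocoa/Mac absolute time epoch (2001)",
    11_644_473_600: "Unix epoch (1970) confused with the 1601 epoch (WebKit/Chrome, Windows FILETIME)",
}


def shifted(records, seconds):
    """Simulate a tool output whose every timestamp is off by a constant (constructed data)."""
    return {k: v + timedelta(seconds=seconds) for k, v in records.items()}


def compare_records(ground_truth, extracted, tolerance=TOLERANCE):
    """Per-action delta (decoded minus actual) plus the actions that fall outside tolerance."""
    deltas, failures = {}, []
    for action, actual in ground_truth.items():
        decoded = extracted.get(action)
        if decoded is None:
            failures.append((action, "no record extracted"))
            continue
        deltas[action] = decoded - actual
        if abs(deltas[action]) > tolerance:
            failures.append((action, f"off by {deltas[action]}"))
    return deltas, failures


def diagnose(deltas, tolerance=TOLERANCE):
    """Turn the set of deltas into a conclusion about how the values were decoded."""
    if not deltas:
        return "no comparable records"
    secs = sorted(d.total_seconds() for d in deltas.values())
    if secs[-1] - secs[0] > 2 * tolerance.total_seconds():
        return "offsets are inconsistent: suspect clock drift, mixed formats or a per-record bug"
    centre = median(secs)
    if abs(centre) <= tolerance.total_seconds():
        return "validated: every record is within tolerance of the real event time"
    magnitude = 60 * round(abs(centre) / 60)      # snap to the minute to absorb noting noise
    if magnitude in TELLTALE_OFFSETS:
        return f"constant offset {centre:+.0f} s: {TELLTALE_OFFSETS[magnitude]}"
    if magnitude % 900 == 0 and magnitude <= 14 * 3600:
        return f"constant offset {centre:+.0f} s ({centre / 3600:+.2f} h): time zone or DST handling error"
    return f"constant offset {centre:+.0f} s of unknown origin: check the device clock"


def validate(ground_truth, extracted):
    """Convenience wrapper returning (passed, diagnosis, failures)."""
    deltas, failures = compare_records(ground_truth, extracted)
    return not failures, diagnose(deltas), failures


if __name__ == "__main__":
    for label, seconds in (("correct", 2), ("wrong epoch", -978_307_200), ("zone error", 3600)):
        passed, message, _ = validate(GROUND_TRUTH, shifted(GROUND_TRUTH, seconds))
        print(f"{label:12s} passed={passed}  {message}")
```

A consistent offset across every record is the signature of a decoding or zone mistake, while offsets that vary from record to record point at the device clock or at the artifact itself; separating the two is what lets you explain, rather than merely report, a discrepancy.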

Presenting Timestamps in Court

In cases where you have to present timestamp information, the first step is to consider your audience—including the judge, jury and legal counsel. Remember that not everyone in the courtroom will have a technical background and using terms such as “UTC -5” might be confusing for those unfamiliar with time zone conventions.

Instead, it can be helpful to convert timestamps into the local time relevant to the case, ensuring that the jury and others can easily relate to and understand the timeline being presented. Another key aspect of presenting timestamps in court is to talk with the legal counsel, whether prosecution or defense, and ask how they would like the timestamps to be presented.

It's essential to clarify any time zone adjustments or format conversions. This transparency helps to prevent misunderstandings and ensures that the presented evidence is accurate and trustworthy. As easy as it may seem, calculating local times from UTC while giving testimony will only make a stressful situation worse and likely confuse the jury, especially if a daylight saving change falls inside the period in question; do the conversions beforehand and bring the converted values with you.

Timestamp Takeaways

Timestamps are a key component for presenting the chronological order of events in a case, which makes them extremely useful in investigations. To ensure the data is valid and presented in court accurately, it’s important to:

  1. Understand and accurately interpret different timestamp formats
  2. Account for time zone differences and daylight saving time adjustments
  3. Use forensic tools for decoding and conversion and be sure to validate the data
  4. Consider your audience in the courtroom and prepare timestamp information accordingly

As a member of The 101 at Cellebrite, you will get access to a variety of handy cheat sheets, including one on timestamp formats and methods to verify decoding accuracy in your digital evidence – helping you lay the foundation of your case.


About the Authors

Heather Barnhart is the Senior Director of Community Engagement at Cellebrite, a global leader in premier Digital Investigative solutions for the public and private sectors. She educates and advises digital forensic professionals on cases around the globe. For more than 20 years, Heather’s worked on high-profile cases, investigating everything from child exploitation to Osama Bin Laden's digital media.

A veteran of both the South Yorkshire Police in the UK and Calgary Police Service, Ian Whiffin is the Decoding Manager at Cellebrite. He knows each case presents its own unique challenge, and Ian excels in diving into the data – decoding and understanding artifacts. Ian’s worked on all kinds of criminal cases and is proudest when his work, particularly the discovery of a new artifact, led to incarcerating the evil person behind a crime and bringing justice to a victim.
