Week 8 - Common Data Structures - Timestamps

Question 1

What is memory File System Data?

Answer 1

It is possible to read file system info from certain manufacturers, by using commercial forensic tools or some flasher tools.

This provides a certain amount of device info that might not be available on logical examination.

Question 2

What is the Binary Coded Decimal (BCD) timestamp format?

Answer 2

BCD uses 6 bytes

YYMMDDHHmmSS

No conversion needed as it is decimal already

eg.
220704190525 = 2022 July 4th 19:05:25

Question 3

What is the extended Binary Code Decimal (BCD) timestamp format?

Answer 3

Uses 7 bytes (one extra year value)

YYYYMMDDHHmmSS

20220704190525 = 2022 July 4th 19:05:25

Question 4

What is Binary Coded Decimal (BCD) Reverse Nibbled Timestamp format?

Answer 4

It’s the same as BCD but you need to reverse the nibbles to make the values make sense.

YYMMDDHHmmSS

227040915052 = 220704190525

= 2022 July 4tj 19:05:25

Question 5

What is the GSM (positive or negative offset) timestamp format?

Answer 5

7 bytes

Reverse Nibbled so need to first reverse each nibble

YYMMDDHHmmSSOO. Where OO is the offset value. This offset value is handled differently to the rest. It is in 15 min intervals.

Reverse the nibbles in each byte

For the YYMMDDHHmmSS data this is all you need to do (like BCD)

For the last byte (the offset value). Convert this value to binary. The first bit tells us if it is negative or positive offset (0 = positive, 1 = negative)

Get the full binary value and convert to decimal

Then multiply this value by 4 and that gives the offset value

eg if the last byte value was 40.
Reverse it to 04. Convert it to binary =0000 0100 then to dec = 04
4 x 15 = 60 minutes = + 1 hour

Question 6

What is the Nokia Series 40 timestamp format?

Answer 6

7 bytes
Stored as HEX values so convert each field value to decimal

YYYYMMDDHHmmSS

E. G
07DA0910053222

Year = 07DA= 2010
Month = 09 = 9
Day = 10 = 16
Hours = 05 = 5
Mins = 32 = 50
Secs = 22 = 34

Question 7

What is the LG timestamp format?

Answer 7

6 bytes
YYMMDDHHmmSS

017020119590 = 100702115909
= 2010 July 2nd 11:59:09

Reverse all nibbles
Then that is it.

Question 8

What is the Samsung timestamp format?

Answer 8

It is a 4 byte hex value stored in little Endian. No seconds stored. Just year, month, day, hour and minutes

It results in a 32 binary value.
The year = first 12 bits (convert to dec)
The month = next 4 bits (covert to dec)
The day = next 5 bits (convert to dec)
The hours = next 5 bits (convert to dec)
The mins = next 5 bits (convert to dec)

Start value is Little Endian. So need to first reverse the Bytes.

E.g. AF11A17D becomes 7DA111AF

Then convert each Indiv digit to its binary value to get the full 32 bits

eg 7 = 0111

Question 9

What is the Unix Timestamp Structure?

Answer 9

Epoch date: 1st January 1970
Unit value: Seconds
Stored in: Decimal
Timezone: UTZ

So the value is a decimal value of the number of seconds since 00:00:00 on 1st January 1970

There is also a millisecond version

And a big or little Endian hex version

Question 10

What is the format of the MAC absolute timestamp?

Answer 10

Epoch: 1st January 2001 UTC
Unit value: seconds
Stored in: decimal
Timezone: UTC

So the value is no. of seconds since 00:00:00 on January 1st 2001

There is also a nanosecond version