Memory Forensics for the DateTime Type

In C or C++, a DateTime value is usually stored as a time_t, which holds a UNIX timestamp: the number of seconds elapsed since 1970-01-01 00:00:00 UTC. Its width is a property of the platform and compiler, not simply of the CPU: on 32-bit Linux it has traditionally been a 4-byte long (8 bytes when built with _TIME_BITS=64 on recent glibc), on 64-bit Linux it is an 8-byte long, and on Windows it is 8 bytes even in 32-bit builds unless _USE_32BIT_TIME_T is defined. When carving a dump, try both the 4-byte and the 8-byte interpretation.

A DateTime value has one important trait:

Over a short interval, the high bytes won't change.

Suppose a DateTime value is 0xDDCCBBAA; in memory it is stored as AA BB CC DD (little-endian). The highest byte (DD) won't change for a long time, and the second-highest byte (CC) changes slowly. The low 2 bytes can represent 65536 seconds, about 18.2 hours, so the second-highest byte increments only once every 18 hours or so, and the highest byte only after 256 × 18.2 hours, about 194 days (2^24 seconds). This is what makes timestamps carvable: if you know roughly when the memory was acquired, every time_t in the dump from the preceding weeks or months shares the same top byte, and usually the same top two bytes, as the acquisition time. For example, 1700000000 (2023-11-14 22:13:20 UTC) is 0x6553F100 as a 32-bit time_t, so any timestamp from mid-September 2023 to late March 2024 has 0x65 as its top byte.


Next we will see how to use Python to convert a byte array to a timestamp value and display it in a readable format.

The data variable holds the bytes we are working on. After some observation and investigation we believe bytes 4 through 7 (the 4-byte slice data[4:8]) hold the DateTime value. We use the struct.unpack function to convert those bytes to a timestamp: the format '<L' means little-endian, 4-byte unsigned long (use '<Q' for an 8-byte time_t). Then we convert the timestamp value to a human-readable format.
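Putting the two ideas together, here is an added Python example (mine, not code from the original post). It scans a small constructed buffer for little-endian time_t values whose high bytes match a known reference time, then decodes each hit with struct.unpack and renders it as UTC. The buffer layout, the reference time 1700000000 and the helper names are assumptions for illustration only; it also shows which bytes of a 32-bit time_t change over one hour versus 200 days.

```python
import struct
from datetime import datetime, timezone

# Constructed sample "memory": a made-up structure holding a counter, a 4-byte
# time_t, some ASCII payload, an 8-byte time_t and padding. It is not a real dump;
# the layout and the acquisition time are assumed for illustration only.
REFERENCE_TS = 1700000000                      # 2023-11-14 22:13:20 UTC, assumed acquisition time
SAMPLE = (
    struct.pack("<I", 7)                       # offset 0: an unrelated counter
    + struct.pack("<L", REFERENCE_TS - 3600)   # offset 4: 4-byte time_t, one hour before acquisition
    + b"AAAA"                                  # offset 8: unrelated ASCII data
    + struct.pack("<Q", REFERENCE_TS - 86400)  # offset 12: 8-byte time_t (64-bit build), one day before
    + b"\x00" * 4                              # offset 20: padding
)


def decode_time_t(buf, offset, width=4):
    """Unpack a little-endian time_t of `width` bytes (4 or 8) at `offset`.

    Returns (raw_seconds, aware UTC datetime). The datetime is built as UTC
    explicitly because time_t carries no zone information.
    """
    fmt = {4: "<L", 8: "<Q"}[width]
    (ts,) = struct.unpack_from(fmt, buf, offset)
    return ts, datetime.fromtimestamp(ts, tz=timezone.utc)


def changed_byte_indices(t1, t2):
    """Indices (0 = lowest address) of the little-endian bytes that differ between
    two 32-bit timestamps. Demonstrates the 'high bytes barely move' trait."""
    a, b = struct.pack("<L", t1), struct.pack("<L", t2)
    return [i for i in range(4) if a[i] != b[i]]


def find_candidate_timestamps(buf, reference, window_days=30, width=4):
    """Scan `buf` at every byte offset for little-endian values that decode to a
    time within +/- window_days of `reference` (e.g. the acquisition time).

    Because the high bytes of a time_t change slowly, every genuine timestamp
    from the surrounding weeks shares its top bytes with `reference`, so this
    window test rejects almost all non-timestamp data (counters, ASCII, pointers).
    Returns a list of (offset, raw_seconds, UTC datetime).
    """
    fmt = {4: "<L", 8: "<Q"}[width]
    window = window_days * 86400
    hits = []
    for off in range(len(buf) - width + 1):
        (ts,) = struct.unpack_from(fmt, buf, off)
        if reference - window <= ts <= reference + window:
            hits.append((off, ts, datetime.fromtimestamp(ts, tz=timezone.utc)))
    return hits


if __name__ == "__main__":
    print("bytes that differ after one hour:", changed_byte_indices(REFERENCE_TS, REFERENCE_TS + 3600))
    print("bytes that differ after 200 days:", changed_byte_indices(REFERENCE_TS, REFERENCE_TS + 200 * 86400))
    for off, ts, dt in find_candidate_timestamps(SAMPLE, REFERENCE_TS):
        print(f"offset {off:2d} (4-byte): {ts} -> {dt.isoformat()}")
    for off, ts, dt in find_candidate_timestamps(SAMPLE, REFERENCE_TS, width=8):
        print(f"offset {off:2d} (8-byte): {ts} -> {dt.isoformat()}")
```

The scan finds the 4-byte time_t at offset 4 and also reports the low half of the 8-byte value at offset 12, which is expected: a 64-bit time_t for any date before 2106 has its upper four bytes zero, so the 4-byte scan still sees it and the 8-byte scan confirms it. Two points worth keeping in mind on real dumps: '<L' is unsigned, so it keeps working for 32-bit values past the signed time_t rollover in January 2038, and narrowing window_days toward the real acquisition window is the main lever for cutting false positives.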


Note that time_t carries no timezone information: it is always seconds since the epoch in UTC, so render it as UTC and don't let a conversion function silently apply the analysis machine's local zone. The suspect machine's own timezone has to be recovered elsewhere in the image, for example from the TimeZoneInformation key in the Windows SYSTEM hive or from /etc/localtime on Linux.