Posted on 2009-04-30
Last Modified: 2012-05-06
I am completing a forensic analysis of a computer. I have found many fragments of Yahoo! instant messages and would like to identify when they were sent. I see a field called "time" with a value of 1236909708612 along with a field called "clientTime" with a corresponding value of 1236909707123. Any ideas on how to convert these times into a more readable date/time format?
Question by:Todd_Wilson
    LVL 5

    Assisted Solution

    This figure is in "Milliseconds since midnight January 1, 1970", a common numeric representation of dates and times on today's computers.

    Here is a website that gives you an online calculator.  It works in SECONDS, not milliseconds, so remove the last 3 digits off of each.

    The stamp 1236909708612 corresponds to Friday the 13th!  Maybe the suspect is the Grim Reaper.
    LVL 5

    Assisted Solution

    Also, I notice that that online time stamp calculator assumes that the number is relative to GMT, and offers to convert it to "local time".  That has the potential to be misleading.

    That may or may not be true depending on how the Yahoo chat application is programmed to work.  The idea of storing the number of seconds since 1/1/1970 is not married to the idea that the time stored must be GMT.  It could very well be the computer's local time.

    Maybe the content of one of the chat logs can give you an initial bearing as to what time zone it is, so you can correct it accordingly.
    LVL 60

    Accepted Solution

    Agree with reswobslc on the tool. There is also another one, such as the below:
    -, it even provides scripts to do conversion if you are interested

    Just to add on to the overall picture on Yahoo fragment forensics (which you may already be doing).
    - Check out this article -
    - I believe it is doing what you may be intending to do. It talks about recovering Yahoo IM fragments from unallocated area, form a .dat file and decrypt it (provided knowing the user login name) for viewing and easier analysis (dates are all decoded by yahoo dat viewer -

    Extract from PDF (relevance to your "clientTime"):

    UNIX DATE: This is a 4 byte value that is the amount of seconds that have elapsed since 1/1/1970.

    NOTE: It is important to know what year or range of years you are searching for messages from.
    Use a hex converter to convert dates to UNIX hex values. The last byte is the most significant, so
    we will only include this byte in the search. For example: between 10/01/2006 and the present
    will be either 0x45 0x46 or 0x47

    ======Other useful info========
    There are also tools to read archived files (if they are available and you are able to extract from target) like "Yahoo Message Archive Decoder" -
    - It reads Yahoo! Messenger archive files (.dat files) and presents them in a format that you can read.
    - But it is not free.

    There are online versions as well -

    Note: the archive can be found in (for Win XP) C:\Program Files\Yahoo!\Messenger\Profiles\urYahooID\Archive\Messages or if you are using Windows Vista:
    C:\Users\WindowsUsername\AppData\Local\VirtualStore\Program Files\Yahoo!\Messenger\Profiles\Yahoo!ID

    Hope it helps

    Author Closing Comment

    THANK YOU! That was a big help - I was able to get a date/time stamp off of one file and compare it to the time of the instant message and they matched perfectly (with a 5 hour adjustment). I greatly appreciate the guidance.
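
Added example (not part of the original thread, and not code from any of the tools mentioned): a Python sketch of the conversions discussed above, covering the millisecond epoch decode, deriving the offset from an independent artifact, and the most-significant-byte search values for a date range. The reference wall-clock time, the direction of the 5-hour offset and the 2007-12-31 end date are constructed assumptions; the two timestamps are the ones from the question.

```python
from datetime import datetime, timedelta, timezone
import struct

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIME_MS = 1236909708612         # "time" value from the question
CLIENT_TIME_MS = 1236909707123  # "clientTime" value from the question

def decode_epoch_ms(ms, utc_offset_hours=0):
    """Treat ms as milliseconds since 1970-01-01 UTC and render it at a fixed offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return (EPOCH + timedelta(milliseconds=ms)).astimezone(tz)

def infer_offset_hours(ms, reference_wall_clock):
    """Offset (to the nearest 15 minutes) that makes the decoded value match a
    naive wall-clock time taken from an independent artifact."""
    utc_naive = decode_epoch_ms(ms).replace(tzinfo=None)
    seconds = (reference_wall_clock - utc_naive).total_seconds()
    return round(seconds / 900) * 900 / 3600

def unix_le_bytes(seconds):
    """4-byte UNIX date in little-endian order, so the last byte is the most significant."""
    return struct.pack("<I", seconds)

def msb_candidates(start, end):
    """Most significant byte values covering every 4-byte UNIX date in [start, end]."""
    return list(range(int(start.timestamp()) >> 24, (int(end.timestamp()) >> 24) + 1))

if __name__ == "__main__":
    for name, ms in (("time", TIME_MS), ("clientTime", CLIENT_TIME_MS)):
        print(name, decode_epoch_ms(ms).isoformat(timespec="milliseconds"))
    print("time - clientTime (ms):", TIME_MS - CLIENT_TIME_MS)
    # Constructed reference: a wall-clock time read from some other artifact.
    ref = datetime(2009, 3, 12, 21, 1, 48)
    off = infer_offset_hours(TIME_MS, ref)
    print("inferred offset:", off, "->", decode_epoch_ms(TIME_MS, off).isoformat())
    print("on-disk bytes:", unix_le_bytes(TIME_MS // 1000).hex(" "))
    utc = timezone.utc
    # Constructed end date standing in for "the present" in the PDF extract.
    print([hex(b) for b in msb_candidates(datetime(2006, 10, 1, tzinfo=utc),
                                          datetime(2007, 12, 31, tzinfo=utc))])
```

Record the derived offset and the artifact it came from alongside each converted time, so the UTC value and the local rendering can both be reproduced.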
