
I am completing a forensic analysis of a computer. I have found many fragments of Yahoo! instant messages and would like to identify when they were sent. I see a field called "time" with a value of 1236909708612 along with a field called "clientTime" with a corresponding value of 1236909707123. Any ideas on how to convert these times into a more readable date/time format?
Asked: Todd_Wilson
3 Solutions
 
reswobslc Commented:
This figure is in "Milliseconds since midnight January 1, 1970", a common numeric representation of dates and times on today's computers.

Here is a website that gives you an online calculator.  It works in SECONDS, not milliseconds, so remove the last 3 digits off of each.

http://www.dracon.biz/timestamp.php

The stamp 1236909708612 corresponds to Friday the 13th!  Maybe the suspect is the Grim Reaper.

reswobslc Commented:
Also, I notice that that online time stamp calculator assumes that the number is relative to GMT, and offers to convert it to "local time".  That has the potential to be misleading.

That may or may not be true depending on how the Yahoo chat application is programmed to work.  The idea of storing the number of seconds since 1/1/1970 is not married to the idea that the time stored must be GMT.  It could very well be the computer's local time.

Maybe the content of one of the chat logs can give you an initial bearing as to what time zone it is, so you can correct it accordingly.

btan (Exec Consultant) Commented:
Agree with reswobslc on the tool. There is also another one, such as the below:
- http://www.epochconverter.com/, it even provides scripts to do conversion if you are interested

Just to add on to the overall picture on Yahoo fragment forensics (which you may already be doing).
- Check out this article - http://www.xerafoo.com/files/YIM_unallocated.pdf
- I believe it is doing what you may be intending to do. It talks about recovering Yahoo IM fragments from the unallocated area, forming a .dat file and decrypting it (provided you know the user login name) for viewing and easier analysis (dates are all decoded by yahoo dat viewer - http://www.topshareware.com/yahoo-dat-viewer/downloads/1.htm).

Extract from PDF (relevance to your "clientTime"):

UNIX DATE: This is a 4 byte value that is the amount of seconds that have elapsed since 1/1/1970.

NOTE: It is important to know what year or range of years you are searching for messages from.
Use a hex converter to convert dates to UNIX hex values. The last byte is the most significant, so
we will only include this byte in the search. For example: between 10/01/2006 and the present
will be either 0x45 0x46 or 0x47

======Other useful info========
There are also tools to read archived files (if they are available and you are able to extract from target) like "Yahoo Message Archive Decoder" - http://www.ikitek.com/products/Yahoo-Message-Archive-Decoder.html
- It reads Yahoo! Messenger archive files (.dat files) and presents them in a format that you can read.
- But it is not free.

There is an online version as well - http://www.archive-decoder.com/

Note: the archive can be found in (for Win XP) C:\Program Files\Yahoo!\Messenger\Profiles\urYahooID\Archive\Messages or if you are using Windows Vista:
C:\Users\WindowsUsername\AppData\Local\VirtualStore\Program Files\Yahoo!\Messenger\Profiles\Yahoo!ID

Hope it helps

Todd_Wilson (Author) Commented:
THANK YOU! That was a big help - I was able to get a date/time stamp off of one file and compare it to the time of the instant message and they matched perfectly (with a 5 hour adjustment). I greatly appreciate the guidance.
0
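
The conversions discussed in this thread can be reproduced offline with the following script, which is an added example and not part of any poster's reply. It assumes the counters run from 1970-01-01 00:00:00 UTC; the function names, the direction of the 5-hour offset, the packed sample bytes and the 2008-01-01 range end are assumptions made for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_epoch_ms(ms, offset_hours=0):
    """Millisecond counter -> aware datetime rendered at a fixed UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    # timedelta does integer arithmetic, so the millisecond part is not
    # lost to float rounding as it can be with fromtimestamp(ms / 1000).
    return (EPOCH + timedelta(milliseconds=ms)).astimezone(tz)


def le32_date(raw, pos=0):
    """Decode a 4-byte little-endian UNIX date (seconds) found at raw[pos]."""
    (secs,) = struct.unpack_from("<I", raw, pos)
    return EPOCH + timedelta(seconds=secs)


def msb_for_range(start, end):
    """Values the most significant (last stored) byte of a 4-byte UNIX
    date can take for dates in [start, end]; useful as a search filter."""
    lo = int((start - EPOCH).total_seconds()) >> 24
    hi = int((end - EPOCH).total_seconds()) >> 24
    return list(range(lo, hi + 1))


if __name__ == "__main__":
    server_ms, client_ms = 1236909708612, 1236909707123  # from the question
    print("time (UTC):   ", from_epoch_ms(server_ms).isoformat(timespec="milliseconds"))
    # Offset direction is an assumption; confirm it against a known event.
    print("time (UTC-5): ", from_epoch_ms(server_ms, -5).isoformat(timespec="milliseconds"))
    print("time - clientTime:", server_ms - client_ms, "ms")

    # Constructed sample: the same instant stored as a 4-byte UNIX date.
    sample = struct.pack("<I", server_ms // 1000)
    print("4-byte LE date:", sample.hex(" "), "->", le32_date(sample).isoformat())

    # Range from the quoted PDF note (10/01/2006 onward); end date is assumed.
    start = datetime(2006, 10, 1, tzinfo=timezone.utc)
    end = datetime(2008, 1, 1, tzinfo=timezone.utc)
    print("MSB candidates:", [hex(b) for b in msb_for_range(start, end)])
```

Record the offset that was applied alongside each converted value, so the UTC figure can always be recovered from the report.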
