time-decode(1)

timestamp decoder and converter

Section 1 time-decode bookworm source

Description

TIME-DECODE

NAME

Time-decode - timestamp decoder and converter

SYNOPSIS

time-decode [-h] [--unix] [--umil] [--wh] [--whle] [--chrome] [--active] [--uhbe] [--uhle] [--cookie] [--oleb] [--olel] [--mac] [--hfsdec] [--hfsbe] [--hfsle] [--fat] [--msdos] [--systime] [--ft] [--hotmail] [--pr] [--auto] [--ms1904] [--ios] [--sym] [--gps] [--eitime] [--bplist] [--gsm] [--vm] [--tiktok] [--twitter] [--discord] [--ksuid] [--mastodon] [--meta] [--sony] [--uu][--guess] [--timestamp [DATE]] [--version]

DESCRIPTION

time-decode provides the functionality to decode various timestamps and UUIDs to aid digital forensics and incident response processes. The supported formats range from common ones, like Unix epochs, WebKit/Chrome timestamps and Microsoft’s FILETIME to more exotic formats like LDAP/Active Directory timestamps and Metasploit payload UUIDs. In addition, even timestamps used by some social media services, like Twitter, are included.

OPTIONS

-h, --help

show this help message and exit

--unix UNIX

convert from Unix Seconds

--umil UMIL

convert from Unix Milliseconds

--wh WH

convert from Windows 64-bit Hex BE

--whle WHLE

convert from Windows 64-bit Hex LE

--chrome CHROME

convert from Google Chrome time

--active ACTIVE

convert from Active Directory value

--uhbe UHBE

convert from Unix Hex 32-bit BE

--uhle UHLE

convert from Unix Hex 32-bit LE

--cookie COOKIE

convert from Windows Cookie Date (Low Value,High Value)

--oleb OLEB

convert from Windows OLE 64-bit BE - remove 0x and spaces!
example from SRUM: 0x40e33f5d 0x97dfe8fb should be 40e33f5d97dfe8fb

--olel OLEL

convert from Windows OLE 64-bit LE

--mac MAC

convert from Mac Absolute Time

--hfsdec HFSDEC

convert from Mac OS/HFS+ Decimal Time

--hfsbe HFSBE

convert from HFS(+) BE times (HFS = Local, HFS+ = UTC)

--hfsle HFSLE

convert from HFS(+) LE times (HFS = Local, HFS+ = UTC)

--fat FAT

convert from FAT Date + Time (wFat)

--msdos MSDOS

convert from 32-bit MS-DOS time - result is Local Time

--systime SYSTIME

convert from 128-bit SYSTEMTIME

--ft FT

convert from FILETIME timestamp

--hotmail HOTMAIL

convert from a Hotmail timestamp

--pr PR

convert from Mozilla’s PRTime

--auto AUTO

convert from OLE Automation Date format

--ms1904 MS1904

convert from MS Excel 1904 Date format

--ios IOS

convert from iOS 11 timestamp

--sym SYM

convert from Symantec’s 12-byte AV timestamp

--gps GPS

convert from a GPS timestamp

--eitime EITIME

convert from a Google EI URL timestamp

--bplist BPLIST

convert from an iOS Binary Plist timestamp

--gsm GSM

convert from a GSM timestamp

--vm VM

convert from a VMWare Snapshot (.vmsd) timestamp
enter as "high value,low value"

--tiktok TIKTOK

convert from a TikTok URL value

--twitter TWITTER

convert from a Twitter URL value

--discord DISCORD

convert from a Discord URL value

--ksuid KSUID

convert from a KSUID value

--mastodon MASTODON

convert from a Mastodon URL value

--meta META

convert from a Metasploit Payload UUID

--sony SONY

convert from a Sonyflake URL value

--uu UU

convert from a UUID: 00000000-0000-0000-0000-000000000000

--guess GUESS

guess timestamp and output all reasonable possibilities

--timestamp [DATE]

convert date to every timestamp
enter date as "YYYY-MM-DD HH:MM:SS.f" in 24h fmt.
without any argument given, the current date/time will be converted

--version, -v

show program’s version number and exit

EXAMPLES

Guess the timestamp format and present most probable results

time-decode --guess 1631902084

Convert multiple timestamps of different formats at once

time-decode --unix 1631902084 --umil 1631951802869

Extract time from a UUID

time-decode --uu b54adc00-67f9-11d9-9669-0800200c9a66

Convert the current datetime to all implemented timestamp formats

time-decode --timestamp

Convert a specific datetime to all implemented timestamp formats

time-decode --timestamp "2020-09-17 20:00:00.123"

AUTHORS

Written by Corey Forman

REPORTING BUGS

When submitting a bug report, please include a description of the problem, how you found it, and your contact information. Submit bug reports to: https://github.com/digitalsleuth/time_decode

COPYRIGHT

This project is licensed under terms of the MIT License - https://opensource.org/licenses/MIT. Copyright by Corey Forman

This manual page was written by Jan Gruber <j4n6ru@gmail.com>, for the Debian project (and may be used by others).

SEE ALSO

Additional information on time-decode appears in the README file, distributed with the time-decode source code.