Digital Projects

Introduction

Timestamps play an important role in forensic investigations to build timelines of events and report on the times that activity occurred. One may find timestamps when reviewing files from desktops, servers, embedded computers, and other computerised devices with storage. You can view timestamps using tools such as FTK Imager, file browsers, and command line shell.

The standard formats for most timestamps include:

●YYYY-MM-DD hh:mm:ss

●MM-DD-YYYY hh:mm:ss

●”Month” DD, YYYY, hh:mm:ss(such as “June 6, 2021”)Other than format, some timestamps vary in terms of the use of 12-hour time versus 24-hour time and the timezone.

Standardization of timestamps is provided by ISO 8601 (https://www.iso.org/iso-8601-date-and-time-format.html).In the professional field, it is best to try to organize these timestamps and come to a standard for how timestamps are formatted and labeled; the most common format for timestamps in a forensic investigation or report would be YYYY-MM-DD hh:mm:ss in 24-hour time and in a timezone called “UTC” or Universal Time Coordinated (UTC), otherwise known as Greenwich Mean Time (GMT).

UTC timezone is “absolute” time, and it represents the time at the Royal Observatory in Greenwich, UK where it is considered a cartographic prime meridian on most maps.

Because of this, there are two timezone “fields” to the West and East of it; the West zone is negatively relative in time to UTC, notated as (UTC-x), while the East zone is relatively positive in time to UTC, notated as (UTC+x), with a maximum of 14 hours difference between the westernmost or easternmost timezones and the UTC zone.

Conversion Converting

Times Converting from a local time to UTC, or the reverse, requires the additional knowledge of “daylight savings” time. For example, New York is in the “Eastern US Time” timezone, but a time like 14:00 can either be 18:00 UTC or 19:00 UTC, depending on whether Daylight Savings is applied at that given day.

Daylight Savings starts on the second Sunday of March, then ends on the first Sunday of November in the United States and around 70 other countries. However, in certain countries such as Japan, China, and India, it is not common to observe daylight savings.

Before daylight savings starts in the US (November to March), a timezone such as Eastern Time (ET) may be showing 12:00 time(noon) EST, whereas when Daylight Savings starts, the clocks get set one hour forward, showing 13:00 EDT. However, it will still represent the same time in UTC, as standard time ET has an offset of 5 hours (UTC-5:00), while daylight time ET has an offset of 4 hours from UTC (UTC-4:00). This is done to save daylight hours. Table 1 shows certain time-zones and their offset from UTC.A complete map of time zones can be found at Time & Date.