Log2t::Time - A library that provides method to work with different timestamps.

This is a small library to assist with time manipulation. It contains multiple methods that can be used in log2timeline modules when dealing with converting timestamps that are stored in various formats into Epoch, and also to convert Epoch timestamps to textual representations.

This library should always be used when converting timestamps either to or from an epoch value since the sub routines defined here can be used by all modules (code reuse, and if a quicker method is developed it will make maintenance considerably easier).

All methods should be documented here in the code so that it will be easy for anyone to use them in the code.

METHODS

Win2Unix

A subroutine copied from ptfinder.pl developed by Andreas Schuster and Csaba Barta. This sub routine converts windows filetime into a unix format

Args:

Lo: An integer (32 bits) representing the lower 32 bits of the timestamp.

Hi: An integer (32 bits) representing the higher 32 bits of the timestamp.

Returns:

An integer representing the number of seconds since Epoch time.

getNanoWinFileTime

Args:

l: An integer, 32 bits, representing the lower 32 bits of the timestamp.

h: An integer, 32 bits, representing the higher 32 bits of the timestamp.

Returns:

An integer that represents the nanoseconds of a FILETIME timestamp.

Dos2Unix

Taken from the dos2unixtime function from the tsk3/fs/fatfs_meta.c file from The Sleuthkit. The logic and code taken there, and adapted to be a Perl code (the other is a C code)

Args:

date: Packed 16 bit (2 byte) value that represents the date.

time: Packed 16 bit (2 byte) value that represents the time of day.

iso2epoch

This routine transforms a date formated according to ISO 8601 to an epoch time (see definition on Wikipedia):

Args:

iso: A string containing the timestamp, in ISO_8601 notation.

tz: The timezone of the file.

Returns:

An integer representing the number of seconds since Epoch.

epoch2cftl

A sub routine that converts an Epoch timestamp into a timestamp that CFTL (Computer Forensics Time Lab accepts in it's XML schema).

Args:

epoch: An integer in the epoch format.

tz: The timezone of the timestamp.

Returns:

A string representing the timestamp in a format that CFTL accepts.

epoch2text

A sub routine that converts an Epoch timestamp into a textual human readable format.

The sub routine returns the text in three different formats depending on the value of the variable use_local.

Args:

epoch: An integer in the Epoch format

use_local: An integer that determines the format of the output, values can be found above in the description.

tz: The timezone of the timestamp.

Returns:

A string representing the timestamp, depending on the value of use_local.

month2int

A small sub routine that takes as an input a string that is an abbreviated textual representation of a month and returns an integer, that is the month value of that particular month, eg. Jan becomes 1, Nov becomes 11, etc.

Args:

Month: A string, abbreviated text of a month (eg Jan, Feb, Mar, ...)

Returns:

An integer, from 1-12

exceldate2epoch

A method that takes a timestamp that is defined in the native Excel format and transforms that into an Epoch timestamp.

Where DDDD is the number of days elapsed since 01/01/1901 and TTTT is the number of seconds since the start of the day.

Since Epoch is measured in seconds since 01/01/1970 there is only 69 year difference between the two representations, so we can just simply calculate the difference and return that.