Closed randomaccess3 closed 5 years ago
Hi Phil,
This timestamp is already available in the tool, as iostime.
Have you tried that option already? If not, give it a shot and let me know if that's what you're looking for.
Cheers
Corey
On Thu, Feb 28, 2019, 1:18 AM Phill Moore notifications@github.com wrote:
nsdate time format, seen on iOS
    import datetime
    nsdate = 540790206.087728
    unixTS = 978307200
    final = nsdate + unixTS
    date = str(datetime.datetime.fromtimestamp(final))
    print(date)
Yeah, it's user error, I'm sure

    python time_decode.py --ios "540790206.087728"
    ERROR:root:<class 'TypeError'>,must be str, not bool
Let me take a look and get back to you.
BTW, what's the actual date and time you're expecting so I can compare results?
The timestamp format in iOS is either a Mac Absolute Time (9-digit) or iOS nanosecond date (18 digit). The value you gave me isn't a full 18 digit (since it's separated by a decimal) but the first 9 are the Mac Absolute Timestamp of 2018-02-20 03:30:06 UTC.
It's taken from an nsdate field within a plist (within another plist within an sqlite database, because Apple...). The Mac absolute timestamp you posted looks right.
Any chance you're able to tell me the names of the plists and sqlite files so I can do some research? And is it possible that value you gave might be missing some digits?
The way the two timestamps appear in iOS, there shouldn't be a separator (such as the dot), so if it exists in these files, I'll have to have a reference to see why it might be there, and since the Absolute value is correct, it's possible the value after the dot is for something else.
Hope you're able to provide the references. I'll keep looking into it.
Yep, inside the knowledgeC database on an iOS device (file system extraction), there's an embedded plist within an embedded plist. Inside that there are nsdate fields.
Decoding of the dates can be found at the bottom of this: https://github.com/cclgroupltd/ccl-bplist/blob/master/ccl_bplist.py
I happen to have that already. I'll look into it and get it sorted. Thanks!
So, the ccl_bplist essentially is taking the first 9 characters (the Mac Absolute Time) and converting that to the first piece of the timestamp, and the values after the decimal are the milliseconds/nanoseconds. Using the first 9 digits will give the correct time in time_decode.py down to the second, but I will add a feature in the next release to read/convert the bplist timestamp to include those milli/nanos.
In the meantime, the tool should still work for what you need. When you convert your value using the Mac Absolute, just use the value after the decimal as your milli/nano seconds.
I'll try to get the update done this weekend.
Cheers
Great, thanks!
Updated the tool, should work the way you expect now. I appreciate the feedback btw!
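The decoding discussed in this thread, as an added example that is not code from time_decode.py or ccl_bplist: it accepts the value as text or a number, keeps the fraction after the decimal point, and reports UTC rather than the local time that `fromtimestamp` returns. The function name `decode_apple_time` and the digit-count rule used to recognise nanosecond values are assumptions made for this sketch.

```python
from datetime import datetime, timedelta, timezone
from decimal import Decimal, InvalidOperation

# Reference date for NSDate / Mac Absolute Time, in UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
UNIX_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01 (value from the thread)
NANO_THRESHOLD = Decimal(10) ** 15  # assumption: whole numbers this large are nanoseconds


def decode_apple_time(raw):
    """Return an aware UTC datetime for an Apple timestamp.

    Accepts whole seconds since 2001 (540790206), fractional seconds as
    stored in an nsdate field (540790206.087728), or whole nanoseconds
    since 2001 (540790206087728000).
    """
    text = str(raw).strip()
    try:
        # Decimal keeps the digits after the point exactly as written,
        # so the sub-second part is not disturbed by float rounding.
        value = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a numeric timestamp: {text!r}") from None
    if not value.is_finite():
        raise ValueError(f"not a finite timestamp: {text!r}")

    # Whole numbers far too large to be seconds are treated as nanoseconds.
    if value == value.to_integral_value() and abs(value) >= NANO_THRESHOLD:
        value = value / Decimal(10) ** 9

    seconds = int(value)                           # part before the decimal point
    micros = int((value - seconds) * 1_000_000)    # part after it, as microseconds
    return APPLE_EPOCH + timedelta(seconds=seconds, microseconds=micros)


if __name__ == "__main__":
    # Constructed inputs: the value from the thread in its three shapes.
    for sample in ("540790206", "540790206.087728", "540790206087728000"):
        print(sample, "->", decode_apple_time(sample).isoformat())
```

Anything finer than a microsecond is dropped, because Python's `datetime` cannot hold it.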