kiddinn / log2timeline

Automatically exported from code.google.com/p/log2timeline
GNU General Public License v3.0

Incorrect Time with non-standard PDF "CreationDate" tags #16

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Generate a PDF with the create date tag of the format 
"/CreationDate(MM/DD/YYYY HH:MM:SS)" 
2. Run the log2timeline PDF module against the PDF

What is the expected output? What do you see instead?
In our case, the expected output was a creation date 12-15-2008 16:10:5 in the 
timeline or we would expect the non-standard date to be ignored.  The actual 
result was 5-20-2012 01:16:10.  The actual tag was /CreationDate(12/15/2008 
16:10:5).  

What version of the product are you using? On what operating system?
log2timeline v 0.62 on the Sift-Workstation

Please provide any additional information below.
The same PDF contained another creation date tag in the format specified by 
Adobe e.g. /CreationDate(D:YYYYMMDDHHmmSSOHH'mm). This was correctly translated 
and entered into the timeline.

The PDF had a producer tag of "GNU Ghostscript 7.05" and a Creator tag of 
"PSript5.dll Version 5.2"

Original issue reported on code.google.com by zach...@gmail.com on 16 Jan 2013 at 9:05

GoogleCodeExporter commented 9 years ago
Have you tried upgrading log2timeline to the latest stable release, version 
0.65, to see what the results are?

Also did that date come from the EXIF module or the PDF module?

The original pdf_to_date function that takes the tag inside the PDF module 
should follow this syntax:
# PDF dates are in the form: D:20050718143045-04'00 or D:20091113194615
# they can also be in the form of "D:YYYY:MM:DD HH:M:SS"
# according to the PDF specifications:
#
# 7.9.4       Dates
# Date values used in a PDF shall conform to a standard date format, which closely follows that of the
# international standard ASN.1 (Abstract Syntax Notation One), defined in ISO/IEC 8824. A date shall be a text
# string of the form
#      ( D : YYYYMMDDHHmmSSOHH ' mm )

It would be good to see if the latest version still exhibits this behavior or 
if this is an already fixed issue.

Original comment by ki...@kiddaland.net on 23 Jan 2013 at 9:54

GoogleCodeExporter commented 9 years ago
I just checked it on version 0.65 and it produces the same result
(incorrect time).  It comes from the PDF module (Source: "PDF" Sourcetype:
"PDF Metadata").  The PDF module is also the latest version listed (v. 0.3).

Original comment by zach...@gmail.com on 23 Jan 2013 at 10:27
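
An added example, not part of the thread and not log2timeline's own code (which is Perl): a strict Python parser for the date form quoted from the PDF specification above, returning nothing for a non-standard value such as the reported `12/15/2008 16:10:5` instead of guessing its fields. The names `parse_pdf_date`, `creation_dates` and `SAMPLE` are hypothetical, the sample bytes are constructed, and treating the fields after the year as optional is an assumption taken from the PDF specification rather than from this page.

```python
import re
from datetime import datetime, timedelta, timezone

# Standard form only: D:YYYY, then optional MM DD HH mm SS and an offset (Z or +/-HH'mm).
PDF_DATE = re.compile(
    r"D:(?P<Y>\d{4})(?P<M>\d{2})?(?P<D>\d{2})?"
    r"(?P<h>\d{2})?(?P<m>\d{2})?(?P<s>\d{2})?"
    r"(?:(?P<Z>Z)|(?P<sign>[+-])(?P<oh>\d{2})'?(?P<om>\d{2})?'?)?"
)
TAG = re.compile(rb"/CreationDate\s*\(([^)]*)\)")

# Constructed sample: the non-standard tag from the report next to a standard one.
SAMPLE = (b"<< /Producer(GNU Ghostscript 7.05) /CreationDate(12/15/2008 16:10:5) >>\n"
          b"<< /CreationDate(D:20050718143045-04'00) >>\n")


def parse_pdf_date(value):
    """Return a datetime (timezone-aware if an offset is given), or None if non-standard."""
    match = PDF_DATE.fullmatch(value.strip())
    if match is None:
        return None  # e.g. "12/15/2008 16:10:5": refuse rather than guess at the fields
    g = match.groupdict()
    try:
        tz = None
        if g["Z"]:
            tz = timezone.utc
        elif g["sign"]:
            offset = timedelta(hours=int(g["oh"]), minutes=int(g["om"] or 0))
            tz = timezone(offset if g["sign"] == "+" else -offset)
        return datetime(int(g["Y"]), int(g["M"] or 1), int(g["D"] or 1),
                        int(g["h"] or 0), int(g["m"] or 0), int(g["s"] or 0), tzinfo=tz)
    except ValueError:
        return None  # right shape, impossible value (month 13, hour 25, offset 99)


def creation_dates(pdf_bytes):
    """Return (raw_value, datetime_or_None) for every /CreationDate tag in the bytes."""
    found = []
    for raw in TAG.findall(pdf_bytes):
        text = raw.decode("latin-1")
        found.append((text, parse_pdf_date(text)))
    return found


if __name__ == "__main__":
    for raw, parsed in creation_dates(SAMPLE):
        print(f"{raw!r:32} -> {parsed.isoformat() if parsed else 'non-standard, not parsed'}")
```

Keeping the raw tag value beside the `None` result lets a timeline tool record that an unparsed date was present instead of emitting a wrong timestamp.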