As mentioned in the introduction, there is a wide array of timestamp formats, some of which we have already encountered, such as UNIX time and Windows FILETIME. This complicates conversion, as the forensic scripts we develop may need to be prepared to process multiple time formats. Timestamp formats usually boil down to two components: a reference point (an epoch) and a convention or algorithm used to represent the amount of time that has elapsed since that reference point. Documentation exists for most timestamps and can help us determine the best means to convert the raw time data into a human-readable timestamp.
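The two-component model above (an epoch plus a unit of ticks) is enough to drive a small converter for UNIX time and Windows FILETIME. The following is an added example, not code from the book; the format names `unix`, `unix_ms` and `filetime`, the helper names and the sample bytes are our own assumptions.

```python
from datetime import datetime, timedelta, timezone

# Each format is a reference point (epoch) plus a unit: ticks per second.
# Epochs are UTC and results stay timezone-aware, so later correlation across
# artefacts is not skewed by the analysis machine's local time zone.
FORMATS = {
    "unix":     (datetime(1970, 1, 1, tzinfo=timezone.utc), 1),           # seconds
    "unix_ms":  (datetime(1970, 1, 1, tzinfo=timezone.utc), 1_000),       # milliseconds
    "filetime": (datetime(1601, 1, 1, tzinfo=timezone.utc), 10_000_000),  # 100-ns intervals
}


def to_datetime(value, fmt):
    """Convert an integer timestamp in format `fmt` to an aware UTC datetime.

    Returns None for a zeroed FILETIME, which in Windows artefacts usually marks
    an unset field rather than a real 1601-01-01 event. Sub-microsecond
    precision is discarded because timedelta resolves to microseconds.
    """
    epoch, ticks_per_second = FORMATS[fmt]
    value = int(value)
    if fmt == "filetime" and value == 0:
        return None
    seconds, remainder = divmod(value, ticks_per_second)
    microseconds = remainder * 1_000_000 // ticks_per_second
    try:
        return epoch + timedelta(seconds=seconds, microseconds=microseconds)
    except OverflowError:
        # e.g. 0xFFFFFFFFFFFFFFFF, used as "never" in some Windows structures
        raise ValueError(f"{fmt} value {value} is outside the datetime range")


def filetime_from_bytes(raw):
    """Decode the 8-byte little-endian FILETIME layout found in on-disk
    structures such as registry values and $MFT attributes."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")


def to_iso(value, fmt):
    """Human-readable form: ISO 8601 with an explicit UTC offset, '' if unset."""
    dt = to_datetime(value, fmt)
    return dt.isoformat() if dt else ""


if __name__ == "__main__":
    # Constructed sample: the FILETIME of the UNIX epoch as raw little-endian bytes.
    raw = b"\x00\x80\x3e\xd5\xde\xb1\x9d\x01"
    print(to_iso(filetime_from_bytes(raw), "filetime"))  # 1970-01-01T00:00:00+00:00
    print(to_iso(1_000_000_000, "unix"))                 # 2001-09-09T01:46:40+00:00
```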
Python has several standard libraries bundled in the distribution that can help us convert timestamps. We have used the datetime module before to properly handle time values and store them within a Python object. We will introduce two new libraries—time, which is part of the standard library, and the third-party dateutil module. We can download and install...