Before examining the data, it is important to understand the different timestamps used on the iPhone. Timestamps found on the iPhone are presented either in the Unix timestamp or Mac absolute time format. The examiner must ensure that the tools properly convert the timestamps for the files. Access to the raw SQLite files will allow the examiner to verify the timestamps manually.
A Unix timestamp is the number of seconds that offsets the Unix epoch time, which starts on January 1, 1970. A Unix timestamp can be converted easily using the date command on a Mac workstation or using an online Unix epoch convertor on a Windows workstation. The date command is shown as follows:
$date -r 1388538061 Wed Jan 1 06:31:01 IST 2014