Timestamps are one of the most important and varied pieces of evidence we use in DFIR work. They come in numerous formats, each requiring its own parser to normalize them to a common format that can be cross-referenced. This video covers a few of the more common formats you may encounter in DFIR evidence and demonstrates why "what time is it?" can be a much more complex question than it first seems.
Table of Contents:
00:00 - Introduction
00:44 - Variations of timestamp formats
02:59 - Syslog timestamp format
04:46 - UNIX epoch timestamp format
07:10 - Windows epoch timestamp format
08:58 - RFC 3339 timestamp format
11:18 - Wrap-up
12:51 - Conclusion
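As an added example (not from the video), here is a small normalizer for the four formats in the table of contents; the 13-digit-means-milliseconds heuristic and the year/time zone supplied for the BSD syslog stamp are assumptions, since that format carries neither.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})$")


def parse_syslog(value, year, tz=timezone.utc):
    """Classic BSD syslog stamp ('Jan  5 14:03:22'): it has no year and no
    zone, so both must be supplied by the analyst (an assumption, not data)."""
    m = SYSLOG_RE.match(value)
    if not m:
        raise ValueError(f"not a syslog timestamp: {value!r}")
    mon, day, hh, mm, ss = m.groups()
    return datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)


def parse_unix(value):
    """UNIX epoch: seconds since 1970-01-01 UTC. Assumed heuristic: values of
    13 digits or more are milliseconds and are scaled down to seconds."""
    n = float(value)
    if abs(n) >= 1e11:
        n /= 1000.0
    return datetime.fromtimestamp(n, tz=timezone.utc)


def parse_filetime(value):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC (always UTC)."""
    return WINDOWS_EPOCH + timedelta(microseconds=int(value) // 10)


def parse_rfc3339(value):
    """RFC 3339 ('2024-01-05T16:03:22.123+02:00' or a trailing 'Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("RFC 3339 requires a UTC offset")
    return dt


def normalize(value, kind, **kw):
    """Render any supported stamp as UTC ISO 8601 so evidence can be cross-referenced."""
    parsers = {"syslog": parse_syslog, "unix": parse_unix,
               "filetime": parse_filetime, "rfc3339": parse_rfc3339}
    return parsers[kind](value, **kw).astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
```

The constructed sample values in the test all describe the same instant (2024-01-05 14:03:22 UTC), which is exactly what a normalized timeline should reveal.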