Interpretation of timestamps
Almost all artifacts have some sort of timestamp. Below, the most common timestamps are listed.
| Timestamp | Value |
|---|---|
| Created time | The time the file data was created. |
| Modified time | The last time the file data was modified. |
| Accessed time | The last time the file was read. |
| Status changed | The last time metadata of the file was changed, for example, by changing permissions. |
Note: Make sure you know where the timestamps in the artifacts originate from. Timestamps can originate from many different places along the network path. Investigators should always validate the analyzed time data.
To help investigating from where extracted timestamps originate, source information is added in parentheses after the timestamp.
- Timestamps marked with (Device) were generated based on the device's system clock and are affected by time settings done in the device (date, time, and time zone). This means the phone owner could have manipulated the time stamp.
- Timestamps marked with (Network) come from either the mobile network that the phone was connected to or from the Internet.
- Timestamps marked with (Other client) come from another device. The source could be another phone, a tablet, a computer, or something else. This means that the timestamp could come from an unknown source and potentially has been manipulated.
- Timestamps without any of the above parentheses come from an unknown source.
How timestamps are set
For you to know how to interpret the decoded data from the data sources in your case, you must know how XAMN sets the timestamps in different contexts.
Exporting a file to save locally
When exporting one or more files to save on your local computer, the following is true:
- For created, accessed, and modified timestamps, UTC date time is set.
- If created, accessed, or modified is missing:
- Date and time is set to 1970-01-01 00:00:00.
Exporting a file to a .zip file
When exporting one or more files to save as a .zip file, the following is true:
- For created, accessed, and modified timestamps, UTC date time is set.
- If created, accessed, or modified is missing:
- No date is set.
When no UTC offset is available for a file
If an UTC offset is not available in the original device extraction for a particular file or artifact, the following is true:
- All timestamps are assumed to be in UTC.
Select viewing time zone
In XAMN, the artifact timestamps can be adjusted to any time zone. It is often more convenient to see extracted time data in some other time zone than UTC, for example the local time.
Adjusting the timestamps to another time zone is non-destructive, and it only affects the presentation of data. You can always go back to show the original value.
Enable time zone selection
-
To enable timestamp adjustment, click Options, select the General page and then select the Show in local time checkbox.
Select the time zone for adjusted timestamps
- In the ribbon menu, in the Time zone group, click the drop-down arrow and then select a time zone.
- The selected time zone is respected when presenting timestamps within XAMN.
- This is applicable for timestamps with UTC offset information, but has does not affect timestamps without UTC offset information
- In addition, daylight savings time is applied when relevant for the selected time zone.
- The selected time zone is not respected when exporting files.
- The selected time zone is respected when presenting timestamps within XAMN.
-
Only timestamps in UTC format can be adjusted.
- When timestamp adjustment is enabled (that is, Show in local time is selected), all reports and exported files except Extended XML files contain timestamps adjusted to the selected time zone. Extended XML files include both the UTC timestamp and the adjusted timestamp.
- Even when timestamp adjustment is disabled (that is Show in local time is not selected), the Time filter finds artifacts by the adjusted time zone.
Details pane
If Show in local time is selected, both the UTC timestamp and the adjusted timestamps are shown. If Show in local time is cleared, only UTC timestamps are shown.
Artifacts pane
In the List view, only one timestamp is shown. If Show in local time is selected, timestamps are adjusted to the selected time zone. If Show in local time is cleared, UTC timestamps are shown.
In the Column view, adjusted timestamps are shown as "UTC+hh:mm". In the below example, this means that the timestamp is adjusted to a timezone that is 2 hours after UTC time.
| Timestamp in the Column view |
|
| Same timestamp in the Details pane |
|
Daylight saving time
Daylight saving time (DST) has no effect on UTC timestamps, but is always automatically included in adjusted timestamps. For example, if a local time zone jurisdiction includes daylight saving time, the time for a local event is shown as UTC+4 hours in summer, and UTC+3 hours in the winter.