DATECONV


PURPOSE   OPERATION   COMMAND LINES   OPTIONS   OUTPUT SAMPLES   RELATED PROGRAMS


Author: Dan Mares, dmares @ maresware . com
Portions Copyright 1998-2016 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275
Last update: January 23, 2016.

This is a command line program.
MUST be run within a command window as administrator.


Purpose

This program: dateconv: is a command line date converter. It can also take a text input file containing values to convert.

This is a simple program designed to take a number and display the calendar date which it refers to.

Forensic or security persons will use it to decode a series of 32 bit decimal (1325376000) or 64 bit hex (01C98C88:3E85D950) file date/times which have been obtained from various programs, and need the date displayed in a human readable format. (ie: Wed, 11 February 2009 15:35:14)

One of the current number types it will accept is a decimal number which in technical terms is a long decimal value equating to a 32-bit (UNIX) value. It is most often found in the browser history and cookie file date representations. Similar to a Firefox/Mozilla exported bookmark entry containing:
"http://www.google.com" ADD_DATE="1119460787" LAST_MODIFIED="1119460802" etc etc etc.
This 32 bit long value is also found or displayed by some operating systems as an internally stored date/time. Many forensic and other software programs also display date/time values as this 32 bit long number. It is often called the UNIX date time. (UNIX Epoch: 00:00:00 UTC on 1 January 1970)

Since the advent of the exFat(64) file system, Microsoft has made available an older format of date and time using a 32-bit data size. This is similar if not identicle to the old DOS date/time format. Currently it is only found on selected external media, so most people won't have a need for it. Dateconv can handle these dates, but because the Unix and exFat dates are both 32 bit formats, it is somewhat difficult to automatically determine which date we are dealing with. For this reason, and because the exFat dates are not currently the most prolific, the default processing is to consider any 32-bit date a Unix (epoch) date. However, if the user has a file which only contains 32-bit exFat dates, or the 32 bit dates in a mixed file are exFat, then the user should use the -x option to Force any 32-bit conversion to the exFat format.

Dateconv will also accept a 16 character hex representation (1234567890ABCDEF) of both a Little Endian and BIG Endian 64 bit hex number. This is the traditional 64-bit date/time as stored internally by many Windows operating systems, and cell phones. The 64-bit value is the number of 100 nanoseconds increments since January 1, 1601, while the 32-bit decimal is the number of milliseconds since Janyary 1, 1970.

A 64-bit (100) nanosecond decimal of 18 digits (130207911680000000) is also properly decoded to WINDOWS 64bit","Mon, 12 August 2013 14:26:08:000. While: 130207911680300000 decodes as Mon, 12 August 2013 14:26:08:030. Notice the 30 milliseconds. (If you put comas in the correct location you get 030,000,0. Since MFT dates are maintained in 100 nanosecond intervals, this means 30 milliseconds, zero (0) microseconds, and 0 of 10 nanosecond chunks.) However, if the decoded date doesn't seem reasonable, it might be necessary to use the -U option. But this is rarely needed.

As of Jan 11, 2010, the program seems to be intelligent enough to be able to distinguish between: 32 bit UNIX, big and little endian 64 bit (hex) Windows times. (Providing the format and the date is a reasonable date between 1940 and 2040 and not corrupted in some way. (AND: the 32-bit date is NOT an exFat format.)

Even though the program has some intelligence built in. In some cases, it may not be able to properly identify the date/time type. In this case, please use an appropriate option to force the proper conversion. This is needed usually with the UNIX time that has the millisecond added to the time.

One final simple input is for the user to input a MM DD YYYY item on the command line, and the program will display the 32-bit (UNIX) and 64-Bit Big Endian (decimal and hex) values of the date provided.

The output of Dateconv is either to the screen, or to a file depending on the type of input the user provides.
All keyboard inputs except the .csv file type input are processed to the screen.
A file input of .csv or text type is output to a file with _conv appended to the filename. So an input command of
C:>dateconv xyz.csv
would create a default output file in the SAME location named
xyz_conv.csv

Apple iMAC phone dates are 32 bit values from 1/1/2001. The item: 219216022 converts to:Thu Dec 13 05:20:22 2007. When using the program to convert these iPhone dates make sure you add the -I option.

This link   leads to an excellent program which can be used to validate individual conversions (less the millisecond part).


top

Operation

The program can take different types of input.

The simplest type of input is for the user to run the program without any command line arguments. In this mode, the program asks for an (unix decimal, 64 bit decimal or hex) input, and displays the date converted to the screen. This is a one to one operation, meaning that after each input, the program displays the date and ends.

An alternative to this first operation, if for the user to place the number to convert on the command line, and the program will convert it as if in the interactive mode. However, this output is NOT conducive to redirecting to output files.

The user can also place on the command line three additional items representing the MM DD YYYY that the user wished to have converted back to a UNIX (32 bit) or Windows 64 bit Big Endian format). The user must seperate the MM DD YYYY items by spaces. However, two input forms are acceptable: YYYY MM DD, or MM DD YYYY. Sorry, military types, the program does not accept: DD MM YYYY.


CSV FILE INPUT

The third and most useful method of operation is for the user to supply a csv delimeted file to the program.
The csv file MUST have as its FIRST field, the number to convert. This file can also be a single field with only the item to be converted.
The output is to a file with _conv appended to the filename.

The program takes the file, reads one line (record) at a time, captures the first field and translates it to the proper date. The first field can be the hex value or the decimal value of the item to be converted. If it is a hex value, and the item contains any of the a-f characters, it will properly interpret it. If the hex value only contains numbers, (which is unusual, but possible), a leading X or 0X must be supplied to the number to allow the program to know it is hex value and not a simple integer.

Assume the input records are:
 
000003e4a36bc901,"this is a 64 bit (hex) little endian date, with successive csv fields." 
1230768000,"this is a 32 bit UNIX style date, successive csv fields."
0X1234567890000000,"this is a 64 bit hex, with the required 0X trigger for hex values"
0X12345678:90000000,"this is a 64 bit hex, with the required 0X trigger for hex values"
"0X3C207145","HEX UNIX DATE OF: 1008759109","Notice it is also quoted. which is acceptable"

The program reads the input, one line at a time, converts the first field, and prints to an output file. As part of the output file, the entire input record is first printed, then the converted information is placed with csv formatting. Meaning all the added fields are comma delimeted and quoted.

319823837,"iPhone MAC date","Sat Feb 19 15:57:17 2011",2011-02-19,15:57:17,UTC
129071674100000000,"WINDOWS64 time JAN 5,2010","WINDOWS 64bit","Tue, 5 January 2010 12:16:50 ","Offset:-5","2010-01-05","12:16:50 UTC"
0x01C98C883E85B240,"Wed, 11 February 2009 15:35:14","WINDOWS 64bit","Wed, 11 February 2009 20:35:14 ","Offset:-5","2009-02-11","20:35:14 UTC"
1008759109,"UNIX 32 BIT DATE","UNIX 32bit","Wed Dec 19 10:51:49 2001","Offset:-5","2001-12-19","10:51:49 UTC"
3C207145,"HEX_DATE OF: 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001","Offset:-5","2001-12-19","10:51:49 UTC"
0X3C207145,"HEX_DATE OF: 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001","Offset:-5","2001-12-19","10:51:49 UTC"
1CA8DC3EEEB0800,"WINDOWS64 time 1-5-2010, notice this and below are same"
129071674100000000,"WINDOWS64 time Tue, 5 January 2010 05:00:00:000"

In addition to some obvious housekeeping items (string of the date/time spelled out), we also add the string "WINDOWS 64bit", or "UNIX 32bit" and the current computer UTC offset, to advise what type of conversion was done on the string.

The output file name is automatically generated using the input name, and an "_conv" is added to the name. So an input name of input.csv generates an output name: input_conv.csv


top

Options

The program has been tested with a number of usual date/times, and can figure out the format for itself, so the options are basically unnecessary. Because it uses artificial intelligence (often called my own) to determine if the input is 32bit, 64bit BIG, 64bit Little endian, it may not always correctly interpret the data, and the output conversion may seem unusual. If this is the case, and you know for a fact that the input is either BIG or LITTLE endian, you can force it to treat the input accordingly using the options below.

-[xX]:  The 32-bit date formats on the input file are exFat dates. They use a different epoch (January 1, 1980) start date (rather than Unix epoch of January 1, 1970) and if this -x is not used, will use an incorrect base year.

-b:  Entire input file is to be treated (Forced) as Big-Endian 64 bit data.

-l:   (thats an ell) Entire input file is to be treated (Forced) as Little-Endian 64 bit data.

Note: that forcing to either big or little may cause the program to abort, if it finds records that don't fit the criteria. It is the users responsibility to provide perfected data. It is better to let it decide first, find any records that might be in error, and fix them for another run.

-I:   (thats an uppercase EYE). Input is an iPhone date beginning at: 1/1/2001

-u:   input is UNIX.

-U:   input is 13 digit UNIX with milliseconds. this assumes the value is only a 13 digit millisecond count.

-x:   inputs are exFat 32-bit date


top

Command lines

C:>DATECONV  csvfile.csv
The most used: A csv delimeted file containing a 1st field as either a 64bit little endian HEX value, or a 32bit integer to convert the 1st field of this csv file to a date and adds 2 fields to the record in a new output file named csvfile_conv.csv:

C:>DATECONV  -?
dateconv -?: gets this help screen

C:>DATECONV filename.csv
C:>dateconv will process csv records as WIN64 or Unix-32 dates"

C:>DATECONV filename.csv -x
C:>dateconv will process csv records as WIN64 and exFat32 dates"

C:>DATECONV filename.csv -b
C:>dateconv will process csv records as WIN64 BIG-Endian dates. This is default"

C:>DATECONV filename.csv -l (thats an ell)
C:>dateconv will process csv records as WIN64 LITTLE-Endian dates"

C:>DATECONV 
C:>dateconv without any command line arguments "asks user for a date to convert"

C:>DATECONV 
C:>dateconv without any command line arguments "asks user for a date to convert"

C:>DATECONV  value
a 32bit integer numeric date [1234567890] to convert

dateconv 1230768000
1230768000 is equivalent to: Thu Jan 01 00:00:00 2009

C:>DATECONV  32-bit hex value
a 64bit Little Endian hex value [804a151e3f1cc901] to convert.

C:>DATECONV  000003e4a36bc901
000003e4a36bc901 is equivalent to Thu Jan 01 00:00:00 2009

C:>DATECONV  130207911680000000
130207911680000000 is a 64 bit (100) nanosecond value of: WINDOWS 64bit","Mon, 12 August 2013 14:26:08:000 -0400

C:>DATECONV  01 20 2010
convert Jan 20, 2010 00:00:00 to a 32bit integer numeric date and a 64 bit decimal and hex number. Output is below;

For   01-20-2012     Unix: 1263945600  Wed Jan 20 00:00:00 2010 (UTC)
  64 Bit decimal = 129084192000000000  hex: 01CA996382474000

top
Sample FILE_conv.csv Output
0X3C207145,"HEX UNIX DATE 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001"
"0X3C207145","HEX UNIX DATE OF: 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001"
1008759109,"UNIX 32 BIT DATE","UNIX 32bit","Wed Dec 19 10:51:49 2001"
3C207145,"HEX DATE OF: 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001"
X3C207145,"HEX UNIX DATE OF: 1008759109","UNIX 32bit","Wed Dec 19 10:51:49 2001"
854127309,"UNIX: DATE=Fri, 24 January 1997 17:35:09UTC"
987417644,"UNIX: DATE=Mon, 16 April 2001 10:40:44 UTC"
40B3B13FED2AC001,"WIN 64 LE,Sat, 30 September 2000 14:46:43 GMT"
39B1C8FFD2AFBF01,"WIN 64 LE,Wed, 26 April 2000 22:58:55  GMT"
69D8F2DDA9D7C101,"WIN 64 LE,Sat, 30 March 2002 05:15:11  GMT"
01CA1A15DCCD5500,"WINDOWS 64BIT HEX: Mon, 10 August 2009 18:54:13"
01CDCCD5500,"WINDOWS 64BIT HEX BAD RECORD: Mon, 10 August 2009 18:54:13"
01C1D7A9DDF2D869,"WIN 64 BE,Sat, 30 March 2002 05:15:11  GMT"
01C1C7F9DDFBD86F,"WIN 64 BE,Sun, 10 March 2002 06:07:32  GMT"
01C3DF121D432432,"WIN 64 BE,Tue, 20 January 2004 04:58:58  GMT"
"01CA02FBCED31FB0","WINDOWS 64BIT HEX BE: Sun, 12 July 2009 09:19:46"
"01CA1A15DCEC27A0","WINDOWS 64BIT HEX: Mon, 10 August 2009 18:54:13"
129071674100000000,"WINDOWS64 time JAN 5,2010","WINDOWS 64bit"
01C98C883E5F8CA0,"WINDOWS 64BIT HEX BE: Wed, 11 February 2009 15:35:14"
X01C9BC79FFE6CBB0,"WINDOWS 64BIT HEX BE: Mon, 13 April 2009 15:54:12"
0x01C98C883E85B240,"Wed, 11 February 2009 15:35:14","WINDOWS 64bit"
top

Related Programs

CAL

DATER

The date conversion program here

top