UNIX Time Stamp ID and Hotmail


Frequently you encounter UNIX time stamps embedded in history files and similar artifacts.  Most often the need is to decode the UNIX value to a readable date and time.  There are several tools out there to do that, with Craig Wilson's being among the best for forensic use.

There does come a time when you wish to go in the other direction, that is, to create a UNIX time stamp for a given date or time.  I find that a useful tool when searching for Hotmail around a certain date / time period.  Within the URL in the history and within the Hotmail web page itself there is an ID number for that particular message that can be used to link the history entry with a particular Hotmail web page.  This is especially useful when your Hotmail Inbox web page is found in the unallocated clusters, void of normal file date/time stamps, and you want to determine the date / time of the page and link it to a particular entry in the history.  The common link between the two is an ID number that consists of a UNIX time stamp followed by a number representing the sequential number of the message stamped during that second by the Hotmail system.

http%3a%2f%2flw10fd%2elaw10%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fgetmsg%3fcurmbox%3dF000000001%26a%3d52a5bba276c98f76b07d7d18f864b19b%26

msg%3dMSG1045345894%2e72%26start%3d62418%26len%3d903%26msgread%3d1&PI=44364&DI=7474&PS=8315

http://lw10fd.law10.hotmail.msn.com/cgi-bin/getmsg?curmbox=F000000001&a=52a5bba276c98f76b07d7d18f864b19b&

msg=MSG1045345894.72&start=62418&len=903&msgread=1&PI=44364&DI=7474&PS=8315

The above two lines (split to fit on page) are from the entries in the index.dat file for my Hotmail Inbox, the first in URL-encoded form and the second in plain form.  The ID is the msg= value, MSG1045345894.72: 1045345894 is the UNIX time stamp and 72 is the sequential ID number for that particular second.  The two parts are separated by a period, which in the encoded form appears as its hex value 2E written in text (%2e).

The linkage between the above and the Hotmail Inbox may be found, usually more than once, within the HTML code of the Inbox page, typically "HoTMaiL[1].htm", the number in the brackets having been inserted by the browser cache to distinguish the various copies of the same file name.  Below is the data found in the HTML code of the Hotmail Inbox, located near the bottom of the page.

<IMG SRC="http://h.msn.com/c.gif?RF=http%3a%2f%2flw10fd%2elaw10%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fgetmsg%3f

curmbox%3dF000000001%26a%3d52a5bba276c98f76b07d7d18f864b19b%26msg%3dMSG1045345894%2e72%26start%3d62418

%26len%3d903%26msgread%3d1&PI=44364&DI=7474&PS=8315" width=1 height=1>

Note that when this same URL is seen in a Netscape history file, it appears with a "ct=" in front of it instead of the "MSG".  Don't ask why, but that's simply what I've been finding! 
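The linkage described above, worked through as an added example (this is not the page's own code or any tool of Craig Wilson's): it undoes the URL encoding of a history entry and of the tracking <IMG> URL inside a cached Inbox page, pulls out every MSG<stamp>.<n> or ct=<stamp>.<n> ID, decodes the stamp to GMT, and reports the IDs common to both artifacts.  The two long strings are copied from the fragments shown above; the Netscape-style "ct=" entry is a constructed stand-in, since the page shows only that the prefix differs.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Sample artifacts, copied from the index.dat entry and the HoTMaiL[1].htm
# <IMG> tag shown on this page (not real case data beyond what the page shows).
HISTORY_ENTRY = (
    "http%3a%2f%2flw10fd%2elaw10%2ehotmail%2emsn%2ecom%2fcgi%2dbin%2fgetmsg%3f"
    "curmbox%3dF000000001%26a%3d52a5bba276c98f76b07d7d18f864b19b%26"
    "msg%3dMSG1045345894%2e72%26start%3d62418%26len%3d903%26msgread%3d1"
    "&PI=44364&DI=7474&PS=8315"
)
INBOX_HTML = (
    '<IMG SRC="http://h.msn.com/c.gif?RF=http%3a%2f%2flw10fd%2elaw10%2ehotmail'
    '%2emsn%2ecom%2fcgi%2dbin%2fgetmsg%3fcurmbox%3dF000000001%26a%3d'
    '52a5bba276c98f76b07d7d18f864b19b%26msg%3dMSG1045345894%2e72%26start%3d62418'
    '%26len%3d903%26msgread%3d1&PI=44364&DI=7474&PS=8315" width=1 height=1>'
)
# Constructed Netscape-style entry: "ct=" in place of "MSG"; the surrounding
# text is an assumption, only the prefix difference comes from the page.
NETSCAPE_ENTRY = "getmsg?curmbox=F000000001&ct=1045345894.72&msgread=1"

# <prefix><ten-digit UNIX seconds>.<per-second sequence number>
MSG_ID = re.compile(r"(?:MSG|ct=)(\d{10})\.(\d+)")


def decode_hotmail_ids(text):
    """Return every Hotmail message ID in text with its UNIX stamp decoded to GMT.

    unquote() is applied twice so that an ID encoded once (index.dat) or twice
    (a copy embedded as a parameter value) both come out as MSG...\\.NN;
    decoding plain text is a no-op, so unencoded input is safe too.
    """
    flat = unquote(unquote(text))
    found = []
    for m in MSG_ID.finditer(flat):
        ts, seq = int(m.group(1)), int(m.group(2))
        found.append({
            "id": m.group(0),
            "unix": ts,
            "seq": seq,
            "utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        })
    return found


def link_history_to_page(history_entry, page_html):
    """IDs present in both artifacts; each hit dates the carved page via the history record.

    Matching is on (stamp, sequence number), so a "ct=" history entry still
    links to the "MSG" form found in the page's <IMG> tag.
    """
    in_page = {(x["unix"], x["seq"]) for x in decode_hotmail_ids(page_html)}
    return [x for x in decode_hotmail_ids(history_entry)
            if (x["unix"], x["seq"]) in in_page]


if __name__ == "__main__":
    for hit in link_history_to_page(HISTORY_ENTRY, INBOX_HTML):
        print(hit["id"], "->", hit["utc"], "(message #%d in that second)" % hit["seq"])
    for hit in link_history_to_page(NETSCAPE_ENTRY, INBOX_HTML):
        print(hit["id"], "links to the same cached page")
```

Run against a carved Inbox page and the history entries recovered for the same machine, the common ID is the date and time you would otherwise have lost with the file system metadata; the decoded value is GMT, so apply the local offset yourself when reporting.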

We frequently have to locate web mail, Hotmail in particular, on public-site machines that are refreshed daily, meaning we work pretty much exclusively on data in the unallocated clusters.  If an incident, typically some fraud, occurred at one of these sites, we look to see whether the suspect checked their web mail while there.  They often do.  Whether or not they read or create mail, if they check their mail they look at their inbox, and usually, at the very least, that inbox is in the cache or has rolled out to the unallocated clusters.  To keep things simple, and because it is the most prevalent artifact, this discussion is limited to the Hotmail Inbox.

Knowing that there is a linkage between the history and the inbox web page (the message ID number), and knowing the date of the incident, it is useful to develop search terms that seek this UNIX time stamp.  Many times we discover the date and time by carving the history entries out of the unallocated clusters using Craig Wilson's EnScript that is packaged with his web analyzer.  With that we have a specific time stamp and ID for which to search.  There are also times when we want to thoroughly search a range and the time stamp and ID are not yet known.  In those cases we need to generate a time stamp value on which to conduct the search.

This link is very good for generating a UNIX time stamp for a date / time range.  A caution is to be noted in that the time zone offset for this utility is not specified and I find that I have to use an offset of GMT +4:00 to correct this utility's output to match my local time setting of GMT -5:00.  Validate and adjust accordingly so that you are searching for the correct time stamp!

Using your adjusted output, a search term can be generated to look for time stamps for a given date or date range.

For example:

##########[\.%]2?e? will find any ten-digit UNIX time stamp followed by a period or its hex equivalent of 2E written in text (%2E).  In EnCase GREP syntax # stands for any single digit, [\.%] for either a period or a percent sign, and the trailing 2?e? makes the "2e" of the encoded form optional.  This will give you all time stamps (and, because the 2 and e are optional, any other ten-digit number followed by a period or a percent sign), which is usually too much information.

We need to narrow down the search.  But first, let's look at the UNIX time stamp further.  UNIX date/time is the number of seconds elapsed since 00:00:00 GMT on January 1, 1970 (the UNIX epoch), so the first second of 1970 is 0; leap seconds are not counted.

Thus, here is how the number progresses.

Mon, 17 February 2003 23:30:45 GMT
1045524645

Tue, 18 February 2003 00:30:45 GMT (advancing one hour advances number by 3600 seconds)
1045528245

Tue, 18 February 2003 00:31:45 GMT (advancing one minute advances number by 60)
1045528305

Tue, 18 February 2003 00:31:46 GMT (advancing one second advances number by 1)
1045528306


Using this knowledge, we could then search for ##########[\.%]2?e? but modify it to home in on a specific date.  As there are 86,400 seconds in a day, take the time stamp at the end of your window and subtract 86,400 from it to get the stamp at the start of that day.  You may want to widen your range to a two or three day window to allow for time zone offsets, etc.  Three days of web mail is manageable to examine, especially when the alternative could be all the Hotmail, which could number in the thousands!

If we wanted all the time stamps from Mon, 17 February 2003 23:30:45 GMT to Tue, 18 February 2003 23:30:45 GMT, we would want:

1045524645 through 1045611045  

##########[\.%]2?e? would be modified to 1045[56]#####[\.%]2?e? (the four leading digits are common to both ends of the range, the fifth digit is 5 or 6, and the remaining five digits are wildcards).  To cut down on false hits, we could further refine this search to:

[Mc][St][G=]1045[56]#####[\.%]2?e?  - This would find the time stamp preceded by either "MSG" or "ct=" and still narrow the date range.  (The three character classes also admit mixed combinations such as "MS=" or "ctG", but those are unlikely to occur in front of a ten-digit number.)

This search would cover more than those date and time ranges (1045[56]##### matches everything from 1045500000, Mon, 17 February 2003 16:40:00 GMT, through 1045699999, Thu, 20 February 2003 00:13:19 GMT), but would certainly narrow down the search.
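The range-search procedure above, worked through as an added example (not the page's own tooling, nor the time stamp utility it links to): it computes the stamps for the ends of the window in GMT explicitly, builds the same style of term the page uses (the # digit wildcard and bracket classes follow EnCase GREP syntax), reports the slack the term really covers, and then runs the term, translated to a Python regular expression, over a constructed text sample standing in for carved unallocated-cluster data.  The sample text and the default [Mc][St][G=] prefix are assumptions for the demonstration.

```python
import re
from datetime import datetime, timezone


def unix_ts(year, month, day, hour=0, minute=0, second=0):
    """UNIX time for a wall-clock moment given in GMT/UTC.

    The zone is named explicitly so the examiner's local time setting cannot
    leak into the value; that leakage is the offset problem described above.
    """
    return int(datetime(year, month, day, hour, minute, second,
                        tzinfo=timezone.utc).timestamp())


def _common_prefix(start_ts, end_ts):
    """Digit strings for both ends and the count of leading digits they share."""
    s, e = str(start_ts), str(end_ts)
    if not (len(s) == len(e) == 10 and start_ts <= end_ts):
        raise ValueError("expected two ten-digit stamps in ascending order")
    i = 0
    while i < 10 and s[i] == e[i]:
        i += 1
    return s, e, i


def encase_term(start_ts, end_ts, prefix_class=r"[Mc][St][G=]"):
    """GREP term ('#' = any digit, as in EnCase) covering start_ts..end_ts inclusive.

    Keeps the shared leading digits, puts a class on the first digit that
    differs and wildcards the rest, exactly how the page arrives at 1045[56]#####.
    """
    s, e, i = _common_prefix(start_ts, end_ts)
    suffix = r"[\.%]2?e?"          # the period, literal or as its %2e encoding
    if i == 10:                    # a single stamp: no wildcards needed
        return prefix_class + s + suffix
    lo, hi = s[i], e[i]
    digit_class = "[%s%s]" % (lo, hi) if int(hi) - int(lo) == 1 else "[%s-%s]" % (lo, hi)
    return prefix_class + s[:i] + digit_class + "#" * (9 - i) + suffix


def covered_window(start_ts, end_ts):
    """Lowest and highest stamps the term really matches, so the slack is known."""
    s, e, i = _common_prefix(start_ts, end_ts)
    if i == 10:
        return start_ts, end_ts
    return int(s[:i] + s[i] + "0" * (9 - i)), int(s[:i] + e[i] + "9" * (9 - i))


def to_python_regex(term):
    """EnCase '#' digit wildcard -> \\d so the same term can be run here."""
    return re.compile(term.replace("#", r"\d"))


def find_stamps(term, data):
    """Run the term over carved text; (unix, 'YYYY-MM-DD HH:MM:SS' GMT) per hit."""
    hits = []
    for m in to_python_regex(term).finditer(data):
        ts = int(re.search(r"\d{10}", m.group(0)).group(0))
        hits.append((ts, datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")))
    return hits


# Constructed stand-in for text carved from unallocated clusters (not real data).
CARVED = (
    "...getmsg?curmbox=F000000001&msg=MSG1045528245.72&start=62418...\n"   # inside the window
    "...getmsg?curmbox=F000000001&ct=1045345894.72&msgread=1...\n"         # 15 Feb: outside, no hit
    "...msg%3dMSG1045611045%2e3%26start%3d1...\n"                          # still encoded, end of window
    "...msg=MSG1045699999.9&start=5...\n"                                  # past the window, inside the slack
    "...msg=MSG1045700000.1&start=7...\n"                                  # past the slack, no hit
)

if __name__ == "__main__":
    start = unix_ts(2003, 2, 17, 23, 30, 45)
    end = unix_ts(2003, 2, 18, 23, 30, 45)
    term = encase_term(start, end)
    print("term:", term, "really covers", covered_window(start, end))
    for ts, when in find_stamps(term, CARVED):
        print(ts, when, "GMT")
```

The hit list shows why the page warns that the term covers more than the requested window: the 1045699999 stamp is matched although it falls after 18 February 23:30:45 GMT, so decode every hit before deciding it belongs to the incident period.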

Once you've linked a history entry with date and time to a Hotmail web page, you'll usually seek to determine to whom the Hotmail inbox belongs.  The name of the user to whom the inbox belongs can be found in the HTML code as follows:

/cgi-bin/protect?login=      login name only immediately follows
id="HMname"                  complete Hotmail address follows
<!-- FILE: title.asp-->      complete Hotmail address follows

This area begs for more research, but there are clear links between the URL entries and the actual HTML-coded web page that comprises the web mail inbox (or other pages) viewed when checking mail.  This ID number, based in part on the UNIX time stamp plus a sequential ID number, is one of those links, and there could be more.  Once the Hotmail inbox gets into the unallocated clusters, this linkage would seem to be all that remains to resolve a date and time.  I haven't looked into the other forms of web mail, but it stands to reason there is a link in them as well.

This web site was created to provide assistance to computer forensics examiners engaging in cyber-crime investigations.  This field is rapidly evolving and changing as technology marches forward.  It is, therefore, intended to be a growing and evolving resource.  As you conduct your examinations and investigations, if you encounter information, links, or have suggestions that would help others, please let me know so I can add it to this site.  My email address is sbunting@udel.edu .  Thank you.

This site created and maintained by: 
Captain Stephen M. Bunting
University of Delaware Police
Phone 302-645-4334
Email: sbunting@udel.edu