POSIX vs Extended Attribute: Which Timestamps Should You Use?
Timestamps are an essential part of computing, as they allow us to keep track of when a particular event took place. In the world of macOS, there are two commonly used timestamp formats: POSIX/UNIX timestamps and Apple Extended Attribute (EA) timestamps. While both are used to record timestamps, there are significant differences between the two that are important to understand, especially in the context of forensic investigations.
POSIX timestamps, also known as UNIX time, record time as the number of seconds that have elapsed since the Unix epoch, which is defined as January 1st, 1970, at 00:00:00 UTC. POSIX timestamps are used in various operating systems, including Unix, Linux, and of course, macOS. They are stored as a 32- or 64-bit signed integer and have a maximum value of January 19, 2038, after which they will overflow. These timestamps were originally introduced when Classic Mac OS merged with NeXT to create Mac OS X. As macOS has continued to grow and introduce its own method of tracking user interaction with a file, it has relied less and less on POSIX timestamps in favor of its own Apple Extended Attribute timestamps.
Apple Extended Attribute timestamps are used exclusively on Apple’s macOS and iOS operating systems. They are stored as a 64-bit signed floating-point number and represent the number of seconds since January 1st, 2001, at 00:00:00 UTC. Unlike POSIX timestamps, Apple EA timestamps have a much higher maximum value, which means that they will not overflow for many years to come.
One of the key differences between the two timestamp formats is their level of precision. POSIX timestamps are limited to whole seconds, meaning that they can only record the time down to the nearest second. Apple EA timestamps, on the other hand, are stored as a floating-point number and have a much higher level of precision, allowing them to record time down to the nearest nanosecond. This increased precision is important for forensic investigations, as it allows investigators to have a more accurate representation of when events took place.
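The epoch difference and the 32-bit rollover are easy to get wrong when correlating artifacts, so here is an added worked example (not code from the original article) that rebases a timestamp between the two epochs the article describes and shows where a signed 32-bit POSIX field wraps. It assumes nothing beyond the two epoch definitions above; the sample value 1665167973 is the POSIX form of the kMDItemContentCreationDate shown later on the page (2022-10-07 18:39:33 +0000), worked out here for illustration.

```python
from datetime import datetime, timedelta, timezone

# The two epochs the article contrasts (both defined in UTC).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Seconds between the epochs, derived rather than hard-coded (978307200).
APPLE_EPOCH_OFFSET = int((APPLE_EPOCH - UNIX_EPOCH).total_seconds())

INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


def posix_to_datetime(seconds):
    """Whole or fractional seconds since 1970-01-01Z -> aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=seconds)


def apple_to_datetime(seconds):
    """Fractional seconds since 2001-01-01Z -> aware UTC datetime.

    Python's datetime only keeps microseconds, so the last digits of a
    nanosecond-precision Apple value are rounded here; keep the raw float
    alongside the datetime if the full fraction matters to the case.
    """
    return APPLE_EPOCH + timedelta(seconds=seconds)


def posix_to_apple(seconds):
    """Rebase a POSIX count onto the Apple epoch, keeping any fraction."""
    return float(seconds) - APPLE_EPOCH_OFFSET


def apple_to_posix(seconds):
    """Rebase an Apple-epoch count onto the Unix epoch."""
    return float(seconds) + APPLE_EPOCH_OFFSET


def fits_int32(seconds):
    """True if a POSIX count can be held in a 32-bit signed field."""
    return INT32_MIN <= int(seconds) <= INT32_MAX


def as_int32(seconds):
    """The value a 32-bit signed field actually holds after wrap-around."""
    return (int(seconds) + 2 ** 31) % 2 ** 32 - 2 ** 31


def int32_rollover():
    """The last instant a signed 32-bit POSIX field can represent."""
    return posix_to_datetime(INT32_MAX)


if __name__ == "__main__":
    # Constructed walk-through with the page's content-creation timestamp.
    posix = 1665167973
    print(posix_to_datetime(posix).isoformat())        # 2022-10-07T18:39:33+00:00
    apple = posix_to_apple(posix)
    print(apple)                                       # 686860773.0
    print(apple_to_datetime(apple + 0.5).isoformat())  # fractional part survives
    print(int32_rollover().isoformat())                # 2038-01-19T03:14:07+00:00
    wrapped = as_int32(INT32_MAX + 1)                  # one second past rollover
    print(fits_int32(INT32_MAX + 1), posix_to_datetime(wrapped).isoformat())
```

Rebasing is a plain subtraction of the epoch offset, so a value that carries a fractional second keeps it; the rollover helpers make it explicit that the 2038 limit belongs to the 32-bit storage of POSIX time, not to the counting scheme itself.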
Another difference between the two timestamp formats is the way they handle time zones. POSIX timestamps are stored as UTC time, which means that they are not affected by time zone changes. However, Apple EA timestamps are stored as local time, which means that they will change based on the time zone of the device. This is important to keep in mind for forensic investigations, as it means that the timestamps for events that took place in different time zones will be recorded differently.
Finally, it is worth mentioning that Apple EA timestamps are stored as extended attributes, which are additional pieces of metadata that can be associated with a file or directory. This makes Apple EA timestamps more versatile than POSIX timestamps, as they can be used to record timestamps for various events, such as the time a file was created, the time it was last modified, and the time it was last accessed. This added versatility is useful for forensic investigations, as it allows investigators to have a more comprehensive picture of the events that took place on a device.
To see the difference between the two timestamp formats in action, let’s use the mdls command in macOS. The mdls command displays the metadata for a particular file, including its timestamps.
For example, if we take a picture from an iPhone that was AirDropped to a Mac and run the mdls command against it, we might see the following timestamps.
kMDItemContentCreationDate = 2022-10-07 18:39:33 +0000
kMDItemContentCreationDate_Ranking = 2022-10-07 00:00:00 +0000
kMDItemContentModificationDate = 2022-10-07 18:39:33 +0000
kMDItemDateAdded = 2023-02-22 17:30:47 +0000
kMDItemFSContentChangeDate = 2023-02-22 17:30:12 +0000
kMDItemFSCreationDate = 2023-02-22 17:30:12 +0000
kMDItemInterestingDate_Ranking = 2023-02-22 00:00:00 +0000
kMDItemLastUsedDate = 2023-02-22 17:31:41 +0000
kMDItemLastUsedDate_Ranking = 2023-02-22 00:00:00 +0000
kMDItemUsedDates = (
    "2022-12-09 05:00:00 +0000"
    "2023-01-16 05:00:00 +0000"
    "2023-02-22 05:00:00 +0000"
)
kMDItemUserSharedReceivedDate = (
    "2023-02-22 17:30:47 +0000"
)
As we can see, the timestamps displayed by the mdls command tell us a lot about the file, including when it was added to the file system, when the content itself was modified, when a user last used the file (kMDItemLastUsedDate), and when it was shared to our system (kMDItemUserSharedReceivedDate).
Conversely, if we run the stat -x command on the same file to display the POSIX timestamps, we’re limited to the output below.
Access: Wed Feb 22 12:31:41 2023
Modify: Wed Feb 22 12:30:12 2023
Change: Wed Feb 22 12:31:41 2023
Birth: Wed Feb 22 12:30:12 2023
Based on the above output, the POSIX timestamps show us little to no information about the file. We don’t know when the picture was originally taken, when a user has accessed it, or when it was shared to our system.
In addition to timestamps about the file’s history inside the operating system, Apple Extended Attribute timestamps also include information about a file’s usage, such as the “Use Count”, “Used Dates”, and “Last Used Date”. These timestamps can be used to track a user’s interaction with a file and provide valuable insights into how the file has been used.
The “Use Count” attribute approximates how many times the file has been opened or used. The “Used Dates” will append the current date value each time a file has been opened, which can display how a file has been used over time. The “Last Used Date” attribute shows the last time the file was opened or used. This information can be extremely useful in forensic investigations, as it provides a timeline of when and how often a file was used, and can help to establish the context of the user’s activity.
For example, if we use the mdls command to view the file’s metadata, we might see the following output:
kMDItemUseCount = 8
kMDItemLastUsedDate = 2023-02-22 10:44:05 +0000
kMDItemUsedDates = (
    "2022-12-09 05:00:00 +0000"
    "2023-01-16 05:00:00 +0000"
    "2023-02-22 05:00:00 +0000"
)
This output tells us that the file has been used approximately 8 times, with the last use occurring on February 22, 2023 at 10:44:05 AM UTC. We can also see that this file was interacted with over the course of multiple months and wasn’t just accessed on a single day. This information can be used to build a timeline of the user’s activity, and could be used to support or refute claims about when the file was last used or if it was used in general.
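To turn the two listings above into a single timeline, an examiner needs to parse the mdls output (scalar `key = value` lines plus parenthesised lists) and put the stat -x lines, which stat prints in the machine’s local zone, onto the same UTC axis. The following is an added example, not code from the original article: the sample text is constructed from the values shown on this page, the parser and the field names `mdls`/`stat` in the timeline tuples are my own, and the `utc_offset_hours=-5` used for the stat lines is an assumption about the zone the article’s Mac was set to, not something the page states.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the page's mdls listing, with the list
# entries comma-separated as mdls prints them.
MDLS_SAMPLE = """\
kMDItemContentCreationDate = 2022-10-07 18:39:33 +0000
kMDItemDateAdded = 2023-02-22 17:30:47 +0000
kMDItemFSCreationDate = 2023-02-22 17:30:12 +0000
kMDItemLastUsedDate = 2023-02-22 17:31:41 +0000
kMDItemUseCount = 8
kMDItemUsedDates = (
    "2022-12-09 05:00:00 +0000",
    "2023-01-16 05:00:00 +0000",
    "2023-02-22 05:00:00 +0000"
)
kMDItemUserSharedReceivedDate = (
    "2023-02-22 17:30:47 +0000"
)
"""

# Constructed sample: the page's stat -x lines (local time, no zone shown).
STAT_SAMPLE = """\
Access: Wed Feb 22 12:31:41 2023
Modify: Wed Feb 22 12:30:12 2023
Change: Wed Feb 22 12:31:41 2023
Birth: Wed Feb 22 12:30:12 2023
"""

MDLS_DATE_FMT = "%Y-%m-%d %H:%M:%S %z"   # mdls dates carry an explicit offset
STAT_DATE_FMT = "%a %b %d %H:%M:%S %Y"   # stat -x dates carry none


def _coerce(token):
    """Turn one mdls value token into a datetime, an int, or a bare string."""
    token = token.strip().strip('",')
    try:
        return datetime.strptime(token, MDLS_DATE_FMT)   # aware, via %z
    except ValueError:
        pass
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def parse_mdls(text):
    """Parse mdls output into {attribute: value | [values]}."""
    result, key, items = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if items is not None:                 # inside a "( ... )" list
            if line == ")":
                result[key], items = items, None
            else:
                items.append(_coerce(line))
            continue
        name, _, value = line.partition(" = ")
        if value == "(":
            key, items = name, []
        else:
            result[name] = _coerce(value)
    return result


def parse_stat(text, utc_offset_hours):
    """Parse stat -x timestamps, interpreting them in the given local zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    result = {}
    for line in text.splitlines():
        field, _, value = line.partition(": ")
        if field in ("Access", "Modify", "Change", "Birth"):
            local = datetime.strptime(value.strip(), STAT_DATE_FMT)
            result[field] = local.replace(tzinfo=tz).astimezone(timezone.utc)
    return result


def build_timeline(mdls, stat):
    """Merge both sources into (utc_datetime, source, attribute) sorted by time."""
    events = []
    for name, value in mdls.items():
        if isinstance(value, datetime):
            events.append((value, "mdls", name))
        elif isinstance(value, list):
            events.extend((d, "mdls", name) for d in value if isinstance(d, datetime))
    for name, value in stat.items():
        events.append((value, "stat", name))
    events.sort(key=lambda e: e[0])
    return events


if __name__ == "__main__":
    for when, source, name in build_timeline(parse_mdls(MDLS_SAMPLE), parse_stat(STAT_SAMPLE, -5)):
        print(f"{when.isoformat()}  {source:4}  {name}")
```

With the assumed UTC-5 offset, the stat Access and Birth values land on the same instants as kMDItemLastUsedDate and kMDItemFSCreationDate, which is the kind of cross-check worth doing before treating either source as authoritative; the earlier content-creation and used-date entries appear only on the mdls side of the merged timeline.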
In conclusion, the Apple Extended Attribute timestamps, including the “Use Count” and “Last Used Date”, provide valuable information about a user’s interaction with a file. These timestamps can be used to track a user’s activity, build a timeline of file usage, and provide valuable insights into the context of the user’s activity. This information can be extremely useful in forensic investigations, and highlights the importance of understanding and using the Apple EA timestamps in a forensic context.