Timestamps
Before examining the data, it is important to understand the different timestamps used on the iPhone. Timestamps found on the iPhone are presented either in the Unix timestamp or Mac absolute time format. The examiner must ensure that the tools properly convert the timestamps for the files. Access to the raw SQLite files will allow the examiner to verify the timestamps manually.
Unix timestamps
A Unix timestamp is the number of seconds elapsed since the Unix epoch, which starts on January 1, 1970. A Unix timestamp can be converted easily using the date command on a Mac workstation or using an online Unix epoch converter on a Windows workstation. The date command is shown as follows:
$ date -r 1388538061
Wed Jan 1 06:31:01 IST 2014
Mac absolute time
iOS devices adopted the use of Mac absolute time with iOS 5 for most of the data. Mac absolute time is the number of seconds elapsed since the Mac epoch, which starts on January 1, 2001. The difference between the Unix epoch time...
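As an added example (not from the original text), the following Python sketch shows one way to verify timestamps manually from a raw SQLite file: it reads each value under both formats and reports which reading falls inside the case window. The events table, its ts column, the sample rows, and the 2007 to 2014 window are constructed for illustration; the first sample value is the one used with the date command above.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
# Seconds between the two epochs: 978307200.
EPOCH_DELTA = int((MAC_EPOCH - UNIX_EPOCH).total_seconds())

def from_unix(seconds):
    """Unix timestamp -> timezone-aware UTC datetime."""
    return UNIX_EPOCH + timedelta(seconds=seconds)

def from_mac_absolute(seconds):
    """Mac absolute time -> timezone-aware UTC datetime."""
    return MAC_EPOCH + timedelta(seconds=seconds)

def plausible_formats(raw, earliest, latest):
    """Names of the readings of `raw` that fall inside the case window."""
    readings = {"unix": from_unix(raw), "mac_absolute": from_mac_absolute(raw)}
    return [name for name, ts in readings.items() if earliest <= ts <= latest]

def check_rows(conn, earliest, latest):
    """Report, per row of the hypothetical `events` table, which format is
    plausible; rows with zero or two candidates are flagged for manual review."""
    report = []
    for rowid, raw in conn.execute("SELECT rowid, ts FROM events ORDER BY rowid"):
        if raw is None:
            report.append((rowid, None, "null"))
            continue
        names = plausible_formats(raw, earliest, latest)
        verdict = names[0] if len(names) == 1 else "review"
        report.append((rowid, raw, verdict))
    return report

def build_sample_db():
    """Constructed sample data, not taken from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts INTEGER)")
    conn.executemany("INSERT INTO events (ts) VALUES (?)",
                     [(1388538061,), (410230861,), (0,), (None,)])
    return conn

if __name__ == "__main__":
    window = (datetime(2007, 1, 1, tzinfo=timezone.utc),
              datetime(2014, 12, 31, tzinfo=timezone.utc))
    for row in check_rows(build_sample_db(), *window):
        print(row)
```

The conversions are reported in UTC, so 1388538061 appears as 01:01:01 on January 1, 2014, which is the same instant as the 06:31:01 IST shown by the date command. A value read under the wrong format lands 31 years away from the correct date, which is why the window check separates the two formats.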