Using UFED Physical Analyzer to find which (supported) time stamp format is used

A few weeks ago, one of our customers emailed about a PIN-locked Samsung SCH-U365 CDMA device. Searching within UFED Physical Analyzer for dates/times on this device, he wanted to find out whether the SMS PDU dates were his only option, or whether other time stamp formats might be available.

This particular device uses a Jan 1, 1980 epoch for SMS dates/times. Here’s a tutorial on how to use UFED Physical Analyzer to determine that information:

1) After opening the extraction, open the physical or file system extraction image file.

2) While the image hex viewer is open, select the desired data type (in this case SMS).

3) At the bottom part of the screen you will see a list of all the decoded fields from the selected data type.

4) Select your specific data field of interest to see where it is located in the hex view; in other words, where UFED decoded it from. In this case, it would be the time stamp of an SMS message.

SMS time stamp located in hex code

5) Switch to the “Values” tab and locate the “Date & Time” data type, then open the Epoch list.

6) Move the mouse cursor over the 4 bytes (highlighted in green) that, as seen earlier, hold the time stamp.

7) Notice that the “Information Frame” dialog that displays the decoded time stamp (26/11/2012 02:17) matches the Epoch Jan 1, 1980. This is the time stamp format originally asked about.

Information Frame dialog displays the decoded time stamp

8) To perform a search and locate more potential deleted SMS messages, use the Find option and select the Dates category with “Epoch Jan 1, 1980” as the time stamp format to search for.

Since the time stamp is only 4 bytes, almost any 4-byte value decodes to some date, so define the date range that you want to search for in order to reduce false positive results. You can see in the image below that there were more than 5000 results in the test extraction.

To further reduce false positive results, and also to get more data before and after each result (the SMS text, for example, which might sit at a fixed offset from the time stamp), use the “Additional data” extraction/filter on the bottom right of the dialog below.

additional data extraction/filter
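The comparison in steps 5 to 7 and the filtered search in step 8 can be reproduced outside the tool, which is a useful cross-check when validating what Physical Analyzer reports. The following is an added example written for this post; it is not Cellebrite code and does not use any Physical Analyzer API. It assumes the 4-byte value is an unsigned little-endian count of seconds since Jan 1, 1980 (the post does not state the byte order or a time zone), and the buffer it scans is a constructed stand-in for a slice of the extraction image.

```python
import struct
from datetime import datetime, timedelta

# Epochs compared here: the Jan 1, 1980 epoch the tutorial identifies for this
# device, plus the common Unix epoch for contrast. Both naive (no time zone).
EPOCHS = {
    "Jan 1, 1980": datetime(1980, 1, 1),
    "Unix (Jan 1, 1970)": datetime(1970, 1, 1),
}


def decode_u32(raw4: bytes, epoch: datetime, little_endian: bool = True) -> datetime:
    """Interpret 4 bytes as unsigned seconds since `epoch`.
    Little-endian is an assumption; the post does not say which byte order the device uses."""
    (secs,) = struct.unpack("<I" if little_endian else ">I", raw4)
    return epoch + timedelta(seconds=secs)


def candidate_decodings(raw4: bytes) -> dict:
    """Steps 5-7 in code: decode the same 4 bytes under every epoch and byte order,
    so the interpretation that lands on a plausible date stands out."""
    out = {}
    for name, epoch in EPOCHS.items():
        for le in (True, False):
            key = f"{name}, {'little' if le else 'big'}-endian"
            out[key] = decode_u32(raw4, epoch, le)
    return out


def encode_1980(dt: datetime, little_endian: bool = True) -> bytes:
    """Inverse of decode_u32 for the 1980 epoch; used to build the sample buffer."""
    secs = int((dt - EPOCHS["Jan 1, 1980"]).total_seconds())
    return struct.pack("<I" if little_endian else ">I", secs)


def scan_for_dates(buf: bytes, start: datetime, end: datetime,
                   little_endian: bool = True, context: int = 16) -> list:
    """Step 8 in code: slide a 4-byte window over the buffer, decode each window as a
    1980-epoch time stamp, keep only hits inside [start, end] (the date range that
    cuts down false positives), and return the bytes following each hit (the
    'Additional data' idea, here a fixed-length window after the stamp)."""
    hits = []
    for off in range(len(buf) - 3):
        dt = decode_u32(buf[off:off + 4], EPOCHS["Jan 1, 1980"], little_endian)
        if start <= dt <= end:
            hits.append((off, dt, buf[off + 4:off + 4 + context]))
    return hits


# Constructed sample buffer (not from the device): filler, the time stamp seen in the
# post, an SMS-like body, a small value that decodes to 1980 (out of range), and a
# second stamp with its own body.
SAMPLE = (
    b"\x00\xff\x00\xff"
    + encode_1980(datetime(2012, 11, 26, 2, 17))
    + b"Hello from test\x00"
    + b"\x10\x00\x00\x00"
    + encode_1980(datetime(2012, 11, 27, 9, 5))
    + b"Second message\x00"
)


def sample_hits() -> list:
    """Search the sample for stamps in November-December 2012, as step 8 does with a date range."""
    return scan_for_dates(SAMPLE, datetime(2012, 11, 1), datetime(2012, 12, 31, 23, 59, 59))


if __name__ == "__main__":
    stamp = SAMPLE[4:8]
    for key, dt in candidate_decodings(stamp).items():
        print(f"{stamp.hex():>10}  {key:<35} {dt:%d/%m/%Y %H:%M}")
    for off, dt, following in sample_hits():
        print(f"offset 0x{off:04x}  {dt:%d/%m/%Y %H:%M}  next bytes: {following!r}")
```

Running it prints the four candidate decodings of the same bytes (only the 1980 little-endian one gives 26/11/2012 02:17) and the two in-range hits with the text that follows each. The value 0x00000010 is a reminder of why the date range matters: it is a perfectly valid 1980-epoch stamp (16 seconds into 1980), and without the range filter every such small integer in the image becomes a false positive.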

