Binary-Coded Decimal Timestamps

Introduction

Following on from the release of Digital Detective’s free DCode™ tool, we are compiling a series of blog posts explaining the various timestamp formats available in the new version. In this post, we are looking at Binary-Coded Decimal or BCD.

Binary-Coded Decimal (BCD)

Binary-Coded Decimal is a system for encoding decimal numbers as a series of bits suitable for use in electronic systems. Rather than converting numbers into binary, BCD splits the number up into digits and encodes each value as a 4-bit nibble.

The following table shows the difference between numbers 0 to 15 encoded as Binary and Binary-Coded Decimal:

Binary-Coded Decimal Comparison to Binary

For numbers 0 to 9, both Binary and Binary-Coded Decimal have equal 4-bit values. For values 10 to 99, the Binary-Coded Decimal system requires 8-bits to encode the number.

One of the advantages this system has for the observer is that BCD encoded values viewed in Hexadecimal format can be easily read without having to be converted.

Timestamps

During a digital forensic examination, timestamps can be found encoded in a wide variety of weird and wonderful formats. In the case of BCD timestamps, they are usually found in data recovered from mobile handsets in the non-smartphone category.

Binary-Coded Decimal (48-bit)

This timestamp uses six bytes to store a date and time value. In this case, it uses one byte to store the year part:

21 08 03 08 33 49

If we split this value into its component parts, we end up with:

Binary-Coded Decimal Example

Therefore, the bytes 21 08 03 08 33 49 represents 2021-08-03 08:33:49. We can see the decoded value in DCode™ below:

 

DCode showing Binary Coded Decimal timestamp

DCode™ with Binary Coded Decimal (48-bit) Timestamp

 

Extended Binary-Coded Decimal (56-bit)

This timestamp is similar to the one above; however, in this case it uses two bytes to store the year part, resulting in a total of seven bytes for the full value.

20 21 08 03 11 05 18

If we split this value into its component parts, we end up with:

Binary-Coded Decimal Extended 56-bit Example

Therefore, the bytes 20 21 08 03 11 05 18 represents 2021-08-03 11:05:18. We can see the decoded value in DCode™ below:

 

DCode showing 56-bit Extended Binary Coded Decimal timestamp

DCode™ with Extended Binary Coded Decimal (56-bit) Timestamp

 

Binary-Coded Decimal (Reverse Nibble)

This timestamp is similar to the first timestamp we examined. It uses six bytes to store the date and time value. However, in this case, the nibble for each byte is reversed. The easiest way to understand this is to look at an example:

12 80 40 41 24 95

Before we assign each byte to its associated component part, we must first swap each nibble back to its original position. The first byte 12 becomes 21 and the process continues to the end of the bytes:

21 08 04 14 42 59

Now if we split this value into its component parts, we end up with:

Binary-Coded Decimal Reverse Nibble Example

Therefore, the original bytes 12 80 40 41 24 95 represents 2021-08-04 14:42:59. We can see the decoded value in DCode™ below:

 

DCode showing 48-bit Binary Coded Decimal Reverse Nibble timestamp

DCode™ with Binary Coded Decimal (48-bit) Reverse Nibble Timestamp

 

Global System for Mobile Communications (GSM) Timestamp

This timestamp is used in digital cellular telecommunications and is outlined in the technical specification GSM 03.40.

This value is similar to the reverse nibble Binary-Coded Decimal timestamp outlined above. However, in this version, we need an additional byte to represent the time zone offset.

This value indicates the difference, expressed in quarters of an hour, between the local time and UTC. The most significant bit of the seventh byte represents the algebraic sign of this difference (0 is positive, 1 is negative).

As before, the easiest way to understand this is to breakdown an example:

12 80 40 32 84 64 8A

Before we assign each byte to its associated component part, we must first swap each nibble back to its original position. The first byte 12 becomes 21 and the process continues to the end of the bytes:

21 08 04 23 48 46 A8

Now if we split this value into its component parts, we end up with:

GSM Timestamp with Binary-Coded Decimals and Time Zone Offset

If the most significant bit of the first nibble is set to 1 (time zone byte), then the offset will be negative. If we convert the value to binary, we get the following:

A8 = 1010 1000

In the case above, the most significant bit is set to 1 (this is the left-most bit on the left-most nibble), this means the time zone offset will be a negative value. Next, we take the remaining bits and examine their value (remember the most significant bit is used as a marker for the algebraic sign):

0010 1000 = 28
28 x 15 minute intervals = -420 minutes offset

Therefore, the original bytes 12 80 40 32 84 64 8A represents 2021-08-04 23:48:46 -07:00. We can see the decoded value in DCode™ below:

 

Digital Detective's DCode with GSM Timestamp

DCode™ with GSM Timestamp

The post Binary-Coded Decimal Timestamps appeared first on Digital Detective.

Article Link: https://www.digital-detective.net/binary-coded-decimal-timestamps/