About timestamps

Timestamp formats often boil down to two components: a reference point (an epoch) and a convention or algorithm used to represent the amount of time that has passed since that reference point. Documentation exists for most timestamp formats and can help us determine the best means of converting raw time data into a human-readable timestamp.

As mentioned in the introduction, there is a wide array of timestamp formats, some of which we've already encountered, such as Unix time and Windows FILETIME. This makes the conversion process more difficult as the forensic scripts we develop may need to be prepared to process multiple time formats.

Python has several standard libraries bundled in the distribution that can help us convert timestamps. We've used the datetime module before to properly handle time values and store them within a Python object. We'll introduce two new libraries—time, which is part of the standard library, and the third-party dateutil module.

We can download and install dateutil (version 2.7.5) by running pip install python-dateutil==2.7.5. This library will be used to parse strings into datetime objects. The parse() function in the dateutil.parser module takes a string as input and attempts to automatically convert it into a datetime object. Unlike the strptime() method, which requires an explicit declaration of the timestamp's format, dateutil.parser.parse() converts timestamps of varying formats without requiring a format string from the developer.

An example string could be Tuesday December 8th, 2015 at 6:04 PM or 12/08/2015 18:04, and both would be converted by the parse() function into the same datetime object. The following code block demonstrates this functionality and works in both Python 2.7.15 and Python 3.7.1:

>>> from dateutil import parser as duparser
>>> d = duparser.parse('Tuesday December 8th, 2015 at 6:04 PM')
>>> d.isoformat()
'2015-12-08T18:04:00'
>>> d2 = duparser.parse('12/08/2015 18:04')
>>> d2.isoformat()
'2015-12-08T18:04:00'

On the first line of the code block, we import the dateutil parser and create an alias, duparser, because the name parser is generic and could collide with another variable or function. We then call the parse() function and pass a string representing a timestamp. Assigning this parsed value to the variable d, we view its ISO 8601 representation using the isoformat() method. We repeat these steps with a second timestamp in a different format and observe the same end result.
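The following script is an added example, not code from the book, that puts the pieces discussed above into one conversion helper: the numeric formats mentioned earlier (Unix time in seconds or milliseconds, Windows FILETIME) are handled with the standard library alone, while free-form strings go to dateutil.parser.parse() when it is installed and otherwise fall back to a list of explicit strptime() formats. Two assumptions are built in and labelled in the comments: Unix values above 10**11 are treated as milliseconds, and ambiguous day/month strings such as 12/08/2015 are read month-first, which is also dateutil's default. Note that parse() returns a naive datetime (no tzinfo) for the strings shown on this page, whereas the numeric converters return timezone-aware UTC values, so the ISO output differs in its trailing offset.

```python
"""Added example (not from the book): convert several raw timestamp formats
that forensic scripts commonly meet into datetime objects and ISO 8601 text.
The numeric converters use only the standard library; free-form strings use
dateutil if it is installed and explicit strptime() formats otherwise."""
from datetime import datetime, timedelta, timezone

try:  # third-party; optional here so the script still runs without it
    from dateutil import parser as duparser
except ImportError:
    duparser = None

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_unix(value):
    """Unix epoch in seconds or milliseconds -> timezone-aware UTC datetime."""
    value = int(value)
    # Assumption: values above 10**11 (year 5138 in seconds) are milliseconds.
    if value > 10**11:
        return (datetime.fromtimestamp(value // 1000, tz=timezone.utc)
                + timedelta(milliseconds=value % 1000))
    return datetime.fromtimestamp(value, tz=timezone.utc)


def from_filetime(value):
    """Windows FILETIME (100 ns ticks since 1601) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


# Explicit strptime() formats tried in order when dateutil is unavailable.
# Assumption: ambiguous numeric dates are US month-first, matching dateutil's default.
STRING_FORMATS = (
    "%Y-%m-%dT%H:%M:%S",
    "%Y-%m-%d %H:%M:%S",
    "%m/%d/%Y %H:%M",
    "%m/%d/%Y %I:%M %p",
)


def from_string(text):
    """Free-form timestamp string -> naive datetime, or None if unparseable."""
    if duparser is not None:
        try:
            return duparser.parse(text)
        except (ValueError, OverflowError):  # ParserError subclasses ValueError
            return None
    for fmt in STRING_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def to_iso(raw, kind):
    """Convert raw input of the declared kind to ISO 8601 text, or None on failure."""
    converters = {"unix": from_unix, "filetime": from_filetime, "string": from_string}
    try:
        dt = converters[kind](raw)
    except (ValueError, OverflowError):  # non-numeric or out-of-range numeric input
        return None
    return dt.isoformat() if dt is not None else None


if __name__ == "__main__":
    # Constructed sample values; all three numeric ones encode 2015-12-08 18:04:00 UTC.
    samples = [
        ("unix", 1449597840),
        ("unix", "1449597840000"),
        ("filetime", 130940714400000000),
        ("string", "12/08/2015 18:04"),
        ("string", "not a date"),
    ]
    for kind, raw in samples:
        print(kind, raw, "->", to_iso(raw, kind))
```

Returning None rather than raising keeps a bulk-conversion loop running when one record carries garbage; the caller can log the unconverted raw value and move on, which is usually preferable to aborting a parse of a large artefact.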

Please refer to the documentation for additional details on the parse() method at http://dateutil.readthedocs.org/en/latest/parser.html.