I was sifting around in an imaged drive I play with and was checking out /home/USER/.cache to see if there were more items I could “discover”.
In this image I noticed that Gedit was called and had some meta-data that was hanging out in .cache. I took a look….
There was a simple gedit-metadata.xml that was created.
Inside the <document> element is something that I was amazed to find. It was the name of the last text document I opened (I recall opening up this txt).
There was also an “atime” inside the element. Googling around I learned that ctime, atime and mtime are for created/accessed/modified. Cool, now there’s a record of when I accessed the file… BUT the format was weird.
atime="1247720990"
This is what’s called “Epoch Time”: the number of seconds that have passed since midnight of January 1, 1970 GMT.
Now, you can google up thousands of Epoch to standard time converters, snag some apps, or do the math yourself. Either way, we now have the ability to find a way to make sense of these times.
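As an added example (not code from the original post), here is one way to pull every `<document>` entry out of a gedit-metadata.xml and decode its atime to UTC. The sample XML is constructed; the `uri` attribute name, the `<metadata>` root element and the treatment of oversized values as milliseconds are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlparse

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: only the <document> element and its atime value come
# from the post; the root element and the "uri" attribute are assumed.
SAMPLE_XML = """<?xml version="1.0"?>
<metadata>
  <document uri="file:///home/USER/notes.txt" atime="1247720990">
    <entry key="position" value="0"/>
  </document>
  <document uri="file:///home/USER/my%20list.txt" atime="1247720990123"/>
  <document uri="file:///home/USER/broken.txt" atime="n/a"/>
</metadata>
"""

def epoch_to_utc(raw):
    """Decode an epoch string to an aware UTC datetime (ValueError if not numeric)."""
    value = int(raw)
    # Assumption: a value this large cannot be seconds, so read it as milliseconds.
    if value >= 10**11:
        return EPOCH + timedelta(milliseconds=value)
    return EPOCH + timedelta(seconds=value)

def gedit_access_times(xml_text):
    """Return (path, UTC datetime or None) for each <document>, newest first."""
    rows = []
    for doc in ET.fromstring(xml_text).iter("document"):
        # Turn file:///home/USER/my%20list.txt into a plain filesystem path.
        path = unquote(urlparse(doc.get("uri", "")).path)
        try:
            when = epoch_to_utc(doc.get("atime", ""))
        except ValueError:
            when = None  # keep the entry, flag the timestamp as unparseable
        rows.append((path, when))
    # Parsed timestamps first (newest to oldest), unparseable entries last.
    rows.sort(key=lambda r: (r[1] is not None, r[1] or EPOCH), reverse=True)
    return rows

if __name__ == "__main__":
    for path, when in gedit_access_times(SAMPLE_XML):
        print(when.isoformat() if when else "unparseable atime", path)
```

Working in UTC keeps the decoded times independent of the examiner workstation's timezone; convert to the suspect system's local zone only as a separate, documented step.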
I soon realized that Epoch time is used quite a bit in /var/log. Items that deal with Kernel activity are usually not put in standard time. Also Udev seems to use Epoch time. Every distro is different, and some logging could be pure Epoch, pure Standard, or a mix. Just knowing how to decode that time is worthwhile.