Unix epoch time, also known as Unix time or Posix time, is stored as the number of seconds (or milliseconds) since midnight on January 1st, 1970 UTC. A 10-digit value indicates it is in seconds, while a 13-digit value is indicative of a millisecond value (at least for times likely to be found on a smartphone, as 9-digit second and 12-digit millisecond values haven't occurred since 2001). In our example, the value is 1422206858650; Google Chrome was last used 1 billion, 422 million, 206 thousand, 858 seconds, and 650 milliseconds since midnight on January 1st, 1970! Don't worry, we don't know what date/time that is either. There are many scripts and tools available for download that can convert this into a human-readable format; we like DCode, a free tool that can be found here: http://www.digital-detective.net/digital-forensic-software/free-tools/.

In DCode, simply select Unix: Millisecond Value from the dropdown list, type in the value in the Value to Decode field, and click Decode:

The Add Bias field can be selected to convert the time into the desired timezone.

Alternatively, there is also a very useful online epoch calculator at http://www.epochconverter.com/.

Using either method, we can see that Google Chrome was actually last used on January 25th, 2015 at 17:27:38.650 UTC. Unix epoch time is frequently used on Android devices to store date/time values, and will come up repeatedly in our application analysis.