search

Lazza / RecuperaBit

A tool for forensic file system reconstruction.
GNU General Public License v3.0
534 stars 75 forks source link

An OverflowError might arise with some corrupted timestamps #84

Closed Lazza closed 3 years ago

Lazza commented 3 years ago

A user reported the following error with timestamp conversion:

INFO:root:Found NTFS file record at sector 1934744171
INFO:root:Found NTFS file record at sector 1934744261
INFO:root:Found NTFS file record at sector 1934744429
INFO:root:Found NTFS boot sector at sector 1953520064
INFO:root:First scan completed
INFO:root:Saving results to /mnt/tb2/recuperabit_savefile_1TB.sav
INFO:root:Parsing MFT entries
Traceback (most recent call last):
  File "main.py", line 374, in <module>
    main()
  File "main.py", line 357, in main
    parts.update(scanner.get_partitions())
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs.py", line 695, in get_partitions
    parsed = parse_file_record(dump)
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs.py", line 151, in parse_file_record
    attributes = _attributes_reader(entry, header['off_first'])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs.py", line 110, in _attributes_reader
    attr, name = parse_mft_attr(entry[offset:])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs.py", line 91, in parse_mft_attr
    data = unpack(content[:size], attr_types_fmt[name])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/utils.py", line 89, in unpack
    result[label] = formatter(data[low:high+1])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs_fmt.py", line 81, in index_root_parser
    entries = index_entries(dump[offset:])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs_fmt.py", line 58, in index_entries
    parsed = unpack(dump[offset:], indx_dir_entry_fmt)
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/utils.py", line 89, in unpack
    result[label] = formatter(data[low:high+1])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs_fmt.py", line 127, in try_filename
    unpack(dump, attr_types_fmt['$FILE_NAME'])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/utils.py", line 89, in unpack
    result[label] = formatter(data[low:high+1])
  File "/mnt/tb2/root/RecuperaBit-master/recuperabit/fs/ntfs_fmt.py", line 47, in windows_time
    converted = datetime.utcfromtimestamp(value/10.**7 - 11644473600)
  File "/mnt/tb2/root/pypy3.7-v7.3.3-linux32/lib-python/3/datetime.py", line 1655, in utcfromtimestamp
    return cls._fromtimestamp(t, True, None)
  File "/mnt/tb2/root/pypy3.7-v7.3.3-linux32/lib-python/3/datetime.py", line 1614, in _fromtimestamp
    y, m, d, hh, mm, ss, weekday, jday, dst = converter(t)
OverflowError: timestamp out of range for platform time_t

If the values cannot be converted, the windows_time function should return None.