log2timeline / dfdatetime

Digital Forensics date and time
Apache License 2.0

fixed NewFromDeltaAndYear to respect leap years #268

Closed faase closed 1 year ago

faase commented 1 year ago

Running

$ cat syslog 
Feb 29 00:00:01 hostname dhcpd[12345]: DHCPREQUEST for 1.1.1.1 from af:fe:af:fe:af:fe via eth0
$ log2timeline.py syslog

returns

dfdatetime/interface.py", line 828, in _GetNumberOfSecondsFromElements
    raise ValueError(f'Day of month value: {day_of_month:d} out of bounds.')

.

This patch adds a leap year test to NewFromDeltaAndYear. If it fails, it chooses the most recent leap year.

joachimmetz commented 1 year ago

Can you provide some context on how you are using this method?

joachimmetz commented 1 year ago

log2timeline.py syslog

This is likely a Plaso-related issue, not being able to determine the year correctly, and not an issue in dfdatetime.

also see https://github.com/log2timeline/plaso/issues/4384

@faase please open an issue with Plaso with the necessary details, closing this PR

faase commented 12 months ago

I tracked the issue from plaso/plaso/engine/timeliner.py line 186. My thought was that calling NewFromDeltaAndYear with year as single parameter should return a valid date, so I assumed this to be the proper location for fixing it.

Am I correct in the assumption that I should put the test in plaso/plaso/engine/timeliner.py in the calling _GetEvent method to prevent NewFromDeltaAndYear from creating an incorrect date?

joachimmetz commented 12 months ago

so I assumed this to be the proper location for fixing it.

Unfortunately it was not.

Plaso does an estimate of the base year; this could be incorrect. To do it properly, the estimated base year should be updated with similar logic.
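
The failure discussed in this thread, as an added example that is not part of the PR and is not dfdatetime or Plaso code: a year-less syslog timestamp is combined with an estimated base year, and Feb 29 falls back to the most recent leap year when the estimate is not one. The function names and the "adjusted" flag are hypothetical; only the standard library is used.

```python
import calendar
import datetime

# Fixed English abbreviations, as used in traditional syslog timestamps.
MONTHS = {name: number for number, name in enumerate(
    'Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec'.split(), 1)}


def most_recent_leap_year(year):
    """Returns the latest leap year that is not after the given year."""
    while not calendar.isleap(year):
        year -= 1
    return year


def resolve_syslog_timestamp(line, estimated_base_year):
    """Resolves the year-less timestamp at the start of a syslog line.

    Returns a (datetime, year_was_adjusted) tuple so the caller can flag
    events whose year was inferred instead of taken from the estimate.
    """
    month_name, day, clock = line.split(None, 3)[:3]
    month = MONTHS[month_name]
    day = int(day)
    hours, minutes, seconds = (int(value) for value in clock.split(':'))

    year = estimated_base_year
    adjusted = False
    if (month, day) == (2, 29) and not calendar.isleap(year):
        # Feb 29 cannot exist in the estimated year, so the estimate is wrong.
        year = most_recent_leap_year(year)
        adjusted = True
    # Any other out-of-range day (for example Feb 30) still raises ValueError.
    return datetime.datetime(year, month, day, hours, minutes, seconds), adjusted


# Constructed sample line, same shape as the one in the report above.
SAMPLE = ('Feb 29 00:00:01 hostname dhcpd[12345]: DHCPREQUEST for 1.1.1.1 '
          'from af:fe:af:fe:af:fe via eth0')

if __name__ == '__main__':
    for base_year in (2023, 2024):
        print(base_year, resolve_syslog_timestamp(SAMPLE, base_year))
```

The adjusted year is still an inference, so a timeline built this way should carry the flag through to the analyst instead of presenting the date as authoritative.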