From d109f1bf18ccb4930e31e20041863f5ed723a0af Mon Sep 17 00:00:00 2001
From: Brian Carrier <carrier@sleuthkit.org>
Date: Mon, 29 Jan 2024 10:53:35 -0500
Subject: [PATCH] Ensure NTFS date ranges out of Unix EPOCH are 0s. From
 https://www.forensicfocus.com/articles/interpretation-of-ntfs-timestamps/

---
 tsk/fs/ntfs.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tsk/fs/ntfs.c b/tsk/fs/ntfs.c
index fe720fd5c..80ffa865c 100644
--- a/tsk/fs/ntfs.c
+++ b/tsk/fs/ntfs.c
@@ -84,6 +84,8 @@
  * subtract the number of seconds between 1601 and 1970
  * i.e. TIME - DELTA
  *
+ * Returns 0 if NT date is outside of Unix range
+ *
  */
 uint32_t
 nt2unixtime(uint64_t ntdate)
@@ -91,9 +93,17 @@ nt2unixtime(uint64_t ntdate)
 // (369*365 + 89) * 24 * 3600 * 10000000
 #define	NSEC_BTWN_1601_1970	(uint64_t)(116444736000000000ULL)
 
+    // return 0 if before 1970
+    if (ntdate < NSEC_BTWN_1601_1970) 
+        return 0;
+
     ntdate -= (uint64_t) NSEC_BTWN_1601_1970;
     ntdate /= (uint64_t) 10000000;
 
+    // return if beyond 32-bit epoch range
+    if (ntdate > 0xffffffffULL) 
+        return 0;
+
     return (uint32_t) ntdate;
 }
 
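Review bot: Returning 0 from both new range checks in `nt2unixtime` makes an unrepresentable NTFS timestamp indistinguishable from a genuine 1970-01-01 00:00:00 UTC value, and presumably from whatever callers already treat as "not set". In a forensic tool that matters, because a timestamp before 1970 or beyond the 32-bit range is itself worth surfacing (clock fault, corruption, or deliberate timestamp manipulation), and after this change that signal is lost unless the caller inspects the raw 64-bit value. The callers are outside this patch, so at minimum the header comment added in the first hunk should state the ambiguity, e.g. `* Returns 0 if NT date is outside of Unix range (ambiguous with 1970-01-01 00:00:00 UTC; check the raw NT value to tell them apart)`. Two smaller points in this hunk: the second comment should read `// return 0 if beyond 32-bit epoch range`, and `0xffffffffULL` would be clearer as `UINT32_MAX`.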
-- 
GitLab