binary parser: parse filetime: handle timestamps of 0 better

williballenthin · web-flow · commit 28095cc24fdd · 2018-10-03T11:17:41.000-06:00
diff --git a/Evtx/BinaryParser.py b/Evtx/BinaryParser.py
@@ -105,6 +105,9 @@ def dosdate(dosdate, dostime):
 
 def parse_filetime(qword):
     # see http://integriography.wordpress.com/2010/01/16/using-phython-to-parse-and-present-windows-64-bit-timestamps/
+    if qword == 0:
+        return datetime.min
+    
     try:
         return datetime.utcfromtimestamp(float(qword) * 1e-7 - 11644473600)
     except (ValueError, OSError):
