dkovar
Good afternoon, Maildb.py requires users/users.json but that file is not present and I cannot find any documentation of that file. What should that file contain? Are there any other files...
Use case is: It currently fails to detect the nanoseconds being zero on the 508 c:\windows\system32\dllhost\svchost.exe file See nano-zero folder on local dev: Python datetime doesn't handle nanoseconds, only milliseconds....
See this blog: http://az4n6.blogspot.com/2015/09/whos-your-master-mft-parsers-reviewed.html
M - modified, B - birth, A - accessed: If M < B then likely file copy. Detected at B. If M and B < A == volume file move
Test nanosecond zero detection. It currently fails to detect the nanoseconds being zero on the 508 c:\windows\system32\dllhost\svchost.exe file
Update anomaly detection to ONLY compare $StandardInfo and $Filename creation timestamps (it currently flags any timestamp anomaly between the two types of timestamps) -- there are too many reasons for...
Investigate records that generate "datarun oddity" errors. Dataruns with len 0 or > 6
Consider implementing a mechanism to look for specific things, such as .exe files in ProgramData.
http://msdn.microsoft.com/en-us/library/bb470124(v=vs.85).aspx Google MFT update sequence number
0 Unknown Inactive File 0 NoParent NoParent NoFNRecord 17 Good Inactive File 18 5 5 /bootex.log 0 Unknown Inactive File 0 NoParent NoParent NoFNRecord 0 Unknown Inactive File 0 NoParent...