Outputs exceptions if $FILE_NAME creation date attribute is after $STD_INFO creation date

oxytis/pyMFTanomaly

$MFT timestomping and tunneling detection

mft anomaly - forensic timestamp tampering and file tunneling detection

prerequisites

tzworks.net -> ntfswalk64

execution

  1. ntfswalk64 -mftfile $MFT > mftfile
  2. python mft.py mftfile stomp ""
     or
     python mft.py mftfile stomp "Users\user"   <-- only check this directory
     or
     python mft.py mftfile tunnel "filename"    <-- only check for this filename

output

ANOMALY---

 [root]\<path corrupted>\p\pfBL.dll
 $STD_INFO:  01/03/2018   13:33:44.000
 $FILE_NAME: 11/19/2019   17:09:09.403

SUMMARY...

 ('2023-03-20', 1)
 ('2023-04-11', 1)
 ('2024-02-20', 1)
 ('2023-02-21', 5)
 ('2022-12-19', 5)
 ('2022-12-15', 6)
 ('2023-08-30', 121)
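The stomp check and the SUMMARY grouping, as an added example that is not the project's mft.py: it runs on constructed records (field names, paths and timestamps are assumptions, not ntfswalk64 output), treats the directory filter as a path substring, and groups the summary on the $FILE_NAME creation day, both assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records, not ntfswalk64 output: the field names, paths and
# timestamps are assumptions for this example. Each record carries the creation
# time from $STANDARD_INFORMATION ($STD_INFO) and from $FILE_NAME.
RECORDS = [
    {"path": r"[root]\Users\user\p\pfBL.dll",
     "si_created": "01/03/2018 13:33:44.000", "fn_created": "11/19/2019 17:09:09.403"},
    {"path": r"[root]\Windows\System32\kernel32.dll",
     "si_created": "09/15/2018 07:09:10.120", "fn_created": "09/15/2018 07:09:10.120"},
    {"path": r"[root]\Users\user\Downloads\setup.exe",
     "si_created": "02/21/2023 09:00:00.000", "fn_created": "02/21/2023 09:00:05.500"},
    {"path": r"[root]\ProgramData\cache.bin",
     "si_created": "08/30/2023 10:00:00.000", "fn_created": "08/30/2023 10:00:00.000"},
]
TS_FORMAT = "%m/%d/%Y %H:%M:%S.%f"  # layout used in the page's sample output


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def find_stomped(records, directory=""):
    """Records whose $FILE_NAME creation time is later than the $STD_INFO one.

    Timestamp changes made through the normal Win32 API update only
    $STANDARD_INFORMATION, so a $FILE_NAME creation time that is *later* is a
    contradiction worth reviewing. `directory` keeps only paths containing that
    fragment (e.g. "Users\\user"); "" checks every record (assumed semantics).
    """
    hits = [r for r in records if not directory or directory in r["path"]]
    return [r for r in hits if parse_ts(r["fn_created"]) > parse_ts(r["si_created"])]


def summarize(hits):
    """(day, count) pairs, fewest first, like the SUMMARY block above.
    Assumption: the day is taken from the $FILE_NAME creation time."""
    counts = Counter(parse_ts(r["fn_created"]).strftime("%Y-%m-%d") for r in hits)
    return sorted(counts.items(), key=lambda item: item[1])


if __name__ == "__main__":
    stomped = find_stomped(RECORDS)
    print("ANOMALY---")
    for r in stomped:
        print(f" {r['path']}\n $STD_INFO:  {r['si_created']}\n $FILE_NAME: {r['fn_created']}\n")
    print("SUMMARY...")
    for pair in summarize(stomped):
        print(f" {pair}")
```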
