
Outputs exceptions if $FILE_NAME creation date attribute is after $STD_INFO creation date


oxytis/mftAnomaly


mftAnomaly

mftAnomaly - forensic timestamp tampering and file tunneling detection

First, parse the Master File Table ($MFT) with the TZWorks ntfswalk utility:

ntfswalk64 -mftfile $MFT > mftfile

Then run the timestamp-stomping check over the whole parsed table:

python mft.py mftfile stomp

To restrict the check to a single directory:

python mft.py mftfile stomp "Users\user"

Or to check a single file name for file tunneling:

python mft.py mftfile tunnel "filename"

Output example:

ANOMALY---

 [root]\<path corrupted>\p\pfBL.dll
 $STD_INFO:  01/03/2018   13:33:44.000
 $FILE_NAME: 11/19/2019   17:09:09.403
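The check behind the stomp mode is simple to reproduce: $FILE_NAME timestamps are written by the NTFS driver and are not touched by the user-mode APIs that timestomping tools typically use, so a $STANDARD_INFORMATION creation time that predates the $FILE_NAME creation time is the classic signature. The script below is an added example, not mft.py or any code from the mftAnomaly project, and it does not read ntfswalk's real output format: the pipe-separated records, the record layout and the tolerance parameter are assumptions constructed for this illustration, so parse_record() would need adapting to the columns your parser actually emits. It implements the same comparison as the README's stomp mode, the optional directory restriction, and renders hits in the README's output shape.

```python
"""Added example (not the project's code): flag MFT entries whose $FILE_NAME
creation time is later than their $STANDARD_INFORMATION creation time.

The record format below is constructed for this example and is NOT the
ntfswalk output format; adapt parse_record() to your parser's columns.
"""
from datetime import datetime
from typing import Iterator, List, NamedTuple, Optional

# Constructed sample records (not real ntfswalk output): one entry per line,
# pipe-separated: path | $STD_INFO creation | $FILE_NAME creation.
# Timestamps use the MM/DD/YYYY HH:MM:SS.fff style the README output shows.
SAMPLE_RECORDS = """\
[root]\\Users\\user\\AppData\\Local\\Temp\\p\\pfBL.dll|01/03/2018 13:33:44.000|11/19/2019 17:09:09.403
[root]\\Users\\user\\Documents\\report.docx|05/02/2020 09:12:00.120|05/02/2020 09:12:00.120
[root]\\Windows\\System32\\notepad.exe|10/11/2019 08:00:00.000|10/11/2019 08:00:00.000
[root]\\Users\\user\\Downloads\\tool.exe|01/01/2010 00:00:00.000|03/14/2021 16:45:10.987
"""

TS_FMT = "%m/%d/%Y %H:%M:%S.%f"
ROOT_PREFIX = "[root]\\"


class Record(NamedTuple):
    path: str
    si_created: datetime   # $STANDARD_INFORMATION creation time
    fn_created: datetime   # $FILE_NAME creation time


def parse_record(line: str) -> Optional[Record]:
    """Parse one constructed record line; return None for blank or malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None
    path, si_raw, fn_raw = (p.strip() for p in parts)
    try:
        return Record(path, datetime.strptime(si_raw, TS_FMT), datetime.strptime(fn_raw, TS_FMT))
    except ValueError:
        return None


def iter_records(text: str) -> Iterator[Record]:
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            yield rec


def in_directory(rec: Record, subdir: Optional[str]) -> bool:
    """True if rec.path sits under subdir (relative to [root]); None matches everything."""
    if subdir is None:
        return True
    rel = rec.path[len(ROOT_PREFIX):] if rec.path.startswith(ROOT_PREFIX) else rec.path
    prefix = subdir.strip("\\").lower() + "\\"
    return rel.lower().startswith(prefix)


def is_stomped(rec: Record, tolerance_seconds: float = 0.0) -> bool:
    """$FILE_NAME creation later than $STD_INFO creation by more than the tolerance.

    tolerance_seconds is an assumed knob for absorbing sub-second rounding in a
    parser's output; the README's check is a plain 'after' comparison (0.0).
    """
    return (rec.fn_created - rec.si_created).total_seconds() > tolerance_seconds


def find_anomalies(text: str, subdir: Optional[str] = None,
                   tolerance_seconds: float = 0.0) -> List[Record]:
    """All records under subdir (or everywhere) that fail the stomp check."""
    return [r for r in iter_records(text)
            if in_directory(r, subdir) and is_stomped(r, tolerance_seconds)]


def format_anomaly(rec: Record) -> str:
    """Render a hit in the same shape as the README's output example."""
    return ("ANOMALY---\n"
            f" {rec.path}\n"
            f" $STD_INFO:  {rec.si_created.strftime(TS_FMT)[:-3]}\n"
            f" $FILE_NAME: {rec.fn_created.strftime(TS_FMT)[:-3]}")


if __name__ == "__main__":
    # Mirrors: python mft.py mftfile stomp "Users\user"
    for hit in find_anomalies(SAMPLE_RECORDS, subdir="Users\\user"):
        print(format_anomaly(hit))
```

Equal timestamps are deliberately not flagged, matching the README's "after" condition; treat a hit as a lead to corroborate against other artifacts (USN journal, $LogFile, prefetch) rather than as proof on its own, since both the parser's precision and legitimate NTFS behaviour such as file tunneling can produce edge cases.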
