[Bug] MFT DataStreams Field Appears Cut Off for SmartScreen

[reece394]

Thanks @FranticTyping for #210. This will be super useful for creating hunting rules. When testing it with hunt mode I noticed with the SmartScreen ADS it outputs in stream data "Anahe" instead of "Anaheim". The Zone.Identifier one appears okay correctly outputting ZoneId=3 including the correct URL information. Uploaded is the output of PowerShell and Mft2Csv extracting the full string out to prove the string is fully present. To reproduce download Advanced IP Scanner with Microsoft Edge (Chromium) and SmartScreen/ Microsoft Defender SmartScreen in Edge settings enabled.

- stream_name: SmartScreen
  stream_data: "\0\0Anahe"
  stream_number: 0
- stream_name: Zone.Identifier
  stream_data: "\0\0[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://www.advanced-ip-scanner.com/\r\nHostUrl=https://download.advanced-ip-scanner.com/download/files/Advanced_IP_Scanner_2.5.4594.1.exe"
  stream_number: 1

Get-Content '.\Advanced_IP_Scanner_2.5.4594.1 (1).exe' -Stream Smartscreen
Anaheim

[FranticTyping]

Hmm, interesting. Thanks for the report.

I can replicate the bug on my end, and it looks like the issue exists in the underlying MFT parsing library we use. I'm away for the next week or so but then I can take a look!

Please do let me know if you experience any other bugs with the new MFT parsing features, I only had a small dataset to set with so some bits might have slipped by.