FN info times from MFT #289

Open
MariasStory opened this issue Oct 15, 2020 · 5 comments

Comments

@MariasStory

Hi,
Thanks for the cool tool.
Do you also parse the FN info times from the MFT?
It would be nice to compare the times.
I would love to see the times that differ marked with a different color. At least as an option.

@lfcnassif (Member) commented Oct 15, 2020

That would be interesting, but we consume sleuthkit java API, and it does not expose those dates to be queried (https://github.com/sleuthkit/sleuthkit/blob/develop/bindings/java/src/org/sleuthkit/datamodel/AbstractFile.java)

This should be asked and added to sleuthkit project as a java API first, so we could query and index FN MFT dates, and compare them to STANDARD_INFO dates.
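For readers who want to see what the comparison being requested actually involves, here is an added example that is not code from IPED, The Sleuth Kit, analyzeMFT or MFTECmd: a self-contained Python parser that pulls the four $STANDARD_INFORMATION ($SI) timestamps and the four $FILE_NAME ($FN) timestamps out of a raw 1024-byte MFT FILE record (undoing the update-sequence fixups first) and reports the two classic timestomping indicators, $SI earlier than $FN, and $SI times with an exactly-zero sub-second part. The record it parses is constructed in memory by build_record(); the file name "evil.exe", the MFT numbers and the timestamps are all made up for the demo. Attribute and header offsets follow the on-disk NTFS layout.

```python
"""Parse $SI and $FN timestamps from a raw NTFS MFT FILE record and flag
$SI/$FN discrepancies used to spot timestomping. Added example; the record
below is constructed by build_record(), not taken from a real image."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
TS_FIELDS = ("created", "modified", "mft_modified", "accessed")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC (sub-microsecond part dropped)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def apply_fixups(record: bytes) -> bytes:
    """Undo update-sequence fixups: on disk the last 2 bytes of every sector hold
    the USN; the real bytes sit in the fixup array and must be restored first."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_mft_record(record: bytes) -> dict:
    """Return {'si': {field: FILETIME}, 'fn': [{'name', 'namespace', fields...}]}.
    A file has one $FN per name (a DOS 8.3 + Win32 pair is common)."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    off = struct.unpack_from("<H", rec, 0x14)[0]           # first attribute offset
    out = {"si": None, "fn": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18:
            break
        if rec[off + 8] == 0:                                # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["si"] = dict(zip(TS_FIELDS, struct.unpack_from("<4Q", content, 0)))
            elif atype == ATTR_FILE_NAME:
                ts = struct.unpack_from("<4Q", content, 8)   # after the parent MFT reference
                nlen, namespace = content[0x40], content[0x41]
                name = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
                out["fn"].append({"name": name, "namespace": namespace, **dict(zip(TS_FIELDS, ts))})
        off += alen
    return out


def timestomp_indicators(parsed: dict) -> list:
    si = parsed["si"]
    if si is None:
        return ["no resident $STANDARD_INFORMATION attribute"]
    hits = []
    # $FN times are written only by the kernel (create, rename, move) and are
    # copied from $SI at that moment, so $SI should not be *earlier* than $FN.
    # Accessed is skipped: last-access updates are disabled by default.
    for fn in parsed["fn"]:
        for f in ("created", "modified", "mft_modified"):
            if si[f] < fn[f]:
                hits.append(f"$SI {f} earlier than $FN {f} ({fn['name']})")
    # User-mode stompers (SetFileTime with whole seconds) leave the 100 ns
    # fraction at exactly zero, which genuine file activity rarely does.
    for f in TS_FIELDS:
        if si[f] % 10_000_000 == 0:
            hits.append(f"$SI {f} has a zero sub-second part")
    return hits


def _attr(atype: int, content: bytes) -> bytes:
    """Resident, unnamed attribute: 0x18-byte header, content, 8-byte alignment."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (total - 0x18 - len(content))


def build_record(si_times, fn_times, name="evil.exe") -> bytes:
    """Constructed 1024-byte in-use FILE record: $SI, one $FN, fixups applied."""
    si = struct.pack("<4Q", *si_times) + b"\0" * 40            # 72-byte NTFS 3.x $SI
    fn = (struct.pack("<Q", 5 | (5 << 48))                      # parent: MFT 5 (root), seq 5
          + struct.pack("<4Q", *fn_times)
          + struct.pack("<QQII", 4096, 1337, 0x20, 0)           # alloc, real size, flags, reparse
          + bytes([len(name), 3]) + name.encode("utf-16-le"))   # namespace 3 = Win32 & DOS
    body = _attr(ATTR_STANDARD_INFORMATION, si) + _attr(ATTR_FILE_NAME, fn) + struct.pack("<I", ATTR_END) + b"\0" * 4
    first_attr, usa_count = 0x38, 3                             # USN + one entry per sector
    rec = bytearray(1024)
    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, usa_count, 0, 1, 1, first_attr,
                             0x01, first_attr + len(body), 1024, 0, 3, 0, 42)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in range(1, usa_count):                               # apply fixups as NTFS does
        end = i * SECTOR
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


# Constructed scenario: file really created 2020-10-15 12:00:00.1234567 UTC,
# then every $SI timestamp was reset to 2015-01-01 00:00:00 exactly.
GENUINE = datetime_to_filetime(datetime(2020, 10, 15, 12, 0, 0, 123456, tzinfo=timezone.utc)) + 7
STOMPED = datetime_to_filetime(datetime(2015, 1, 1, tzinfo=timezone.utc))
STOMPED_RECORD = build_record((STOMPED,) * 4, (GENUINE,) * 4)
CLEAN_RECORD = build_record((GENUINE,) * 4, (GENUINE,) * 4)

if __name__ == "__main__":
    for label, rec in (("clean", CLEAN_RECORD), ("stomped", STOMPED_RECORD)):
        parsed = parse_mft_record(rec)
        print(label, parsed["fn"][0]["name"], "$SI created", filetime_to_datetime(parsed["si"]["created"]),
              "$FN created", filetime_to_datetime(parsed["fn"][0]["created"]))
        for hit in timestomp_indicators(parsed):
            print("  !", hit)
```

Two caveats an analyst should keep in mind when colouring differing timestamps: a rename or move after the stomp writes a fresh $FN whose times are copied from the already-altered $SI, so an absence of discrepancies does not prove the timestamps are genuine; and a kernel-mode stomper (or one that edits the MFT directly) can set $FN as well, which is why the $UsnJrnl and $LogFile are the next place to look.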

@MariasStory (Author)

Can we use https://github.com/dkovar/analyzeMFT or something similar to parse the MFT?
From my experience, it is a fast and reliable method to get all time stamps.
Maybe it is something that can be done first and the data may be correlated with the sleuthkit results.
Let's use the quick wins, to give the most important information during analysis.

@lfcnassif (Member) commented Apr 9, 2021

I think the CPL license is ok.
But I don't like very much the idea of stopping the world, waiting for this tool to finish, and then starting the processing of the items discovered by sleuthkit with the new timestamps. I've done patches in sleuthkit so that we don't wait for its item discovery to finish before starting to process items (it takes minutes, and eventually hours...). I think they addressed this limitation in version 4.9 or 4.10 with the so-called streaming processing, and I will remove my patches when we upgrade, to facilitate new upgrades.

Another possible way is updating case items properties (adding new dates) after they were processed. But this will need #24 to be implemented before, I "plan" to start this month...

@MariasStory (Author)

Just to mention:
AnalyzeMFT is no longer maintained and has known shortcomings rowingdude/analyzeMFT#56
Maybe an alternative like:
https://github.com/EricZimmerman/MFTECmd

@lfcnassif (Member)

Thanks @MariasStory for pointing out the AnalyzeMFT limitation and MFTECmd. But I still think the best approach would be for TSK to expose FN info through the Java API, as that info is already decoded by the TSK istat tool, so the integration would be fairly easy.


2 participants