
New version of analyzeMFT

I’ve been awfully busy with real work, but thanks to the gentle prodding of some interested parties, I updated analyzeMFT over the past few weeks.

  • Version 1.5:
    • Fixed date/time reporting. I wasn’t reporting useconds at all.
    • Added anomaly detection, with many thanks to Greg Kelley. Adds two columns:
      • std-fn-shift: If Y, the entry’s FN create time is after the STD create time
      • usec-zero: If Y, the entry’s STD create time’s usec value is zero
  • Version 1.6: Various bug fixes
  • Version 1.7: Bodyfile support, with thanks to Dave Hull

The anomaly detection isn’t perfect by any stretch of the imagination; it simply helps reduce the noise a bit.

  • On the $MFT from a volume on a workstation with 110593 total records, checking for FN creation times greater than STD creation times resulted in 19649 flagged records. That is a pretty significant reduction.
  • On the same file, checking whether the STD creation time’s microseconds are zero resulted in 14571 flagged records.
  • Turning both on resulted in 2157 flagged records. Most appear to be benign. (I hope they all are!)

That’s still 2157 (or 19649, or 14571) files that you need to check by other means, but it is a lot less than 110593.
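As an added illustration (my own code, not analyzeMFT’s), here is how the two flags can be computed from the creation FILETIMEs in a record’s $STANDARD_INFORMATION and $FILE_NAME attribute bodies, with the microseconds preserved as the 1.5 fix requires. The helper names and the two sample records are constructed for the example, not taken from a real $MFT.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME to a UTC datetime, keeping the microsecond
    component (the part analyzeMFT 1.5 started reporting)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def create_times(si_body: bytes, fn_body: bytes) -> tuple:
    """Creation FILETIMEs from the resident bodies of $STANDARD_INFORMATION
    (creation time at offset 0) and $FILE_NAME (8-byte parent directory
    reference first, then creation time at offset 8)."""
    (std_create,) = struct.unpack_from("<Q", si_body, 0)
    (fn_create,) = struct.unpack_from("<Q", fn_body, 8)
    return std_create, fn_create

def anomaly_flags(std_create: int, fn_create: int) -> dict:
    """The two columns analyzeMFT 1.5 adds, computed for one MFT record."""
    usec = (std_create // 10) % 1_000_000   # microseconds within the second
    return {
        "std-fn-shift": "Y" if fn_create > std_create else "N",
        "usec-zero": "Y" if usec == 0 else "N",
    }

def both_flagged(records) -> list:
    """Names of records where both heuristics fire (the smallest bucket above)."""
    return [name for name, si, fn in records
            if set(anomaly_flags(*create_times(si, fn)).values()) == {"Y"}]

# Constructed sample records: a normal file whose $SI and $FN creation times
# agree, and one whose $SI creation time sits on a whole second, earlier than $FN.
T_REAL = datetime_to_filetime(datetime(2011, 3, 15, 12, 0, 0, 123456, tzinfo=timezone.utc))
T_BACK = datetime_to_filetime(datetime(2009, 1, 1, 0, 0, 0, 0, tzinfo=timezone.utc))

def si_body(create): return struct.pack("<QQQQ", create, create, create, create)
def fn_body(create): return struct.pack("<QQQQQ", 0, create, create, create, create)

SAMPLE_RECORDS = [
    ("normal.txt", si_body(T_REAL), fn_body(T_REAL)),
    ("suspect.exe", si_body(T_BACK), fn_body(T_REAL)),
]
```

Running `both_flagged(SAMPLE_RECORDS)` on the constructed data returns only `suspect.exe`; the normal record gets N in both columns.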

If there’s some feature you’d like to see in analyzeMFT, please, do drop me a note.

You can find the source and more details here….

There’s also a great post on how to install Python and run analyzeMFT’s source code here….
