Closed nyrm-f closed 1 year ago
Hi,
You can create a new parser for MFTTimeline, where in the interface you get each record and create 8 records from it, changing the @timestamp value of each record based on the modification, access, creation and change times, for both the standard and the filename attributes.
But I prefer that it be a separate parser, not the same MFT parser, since MFTTimeline will generate a huge number of records.
OK, thanks for the reply! I will try to see if I can make this on my own.
Each MFT timestamp being its own record is common among other MFT parsers and analysis tools. Will try to see what I can come up with.
Describe the bug: MFT_parser as it is now parses only 1 entry in Kuiper but holds all 6-8 timestamps in one entry.
Expected behavior: MFT_parser should parse individual entries for EACH timestamp it detects. This is better for timeline analysis and for seeing when files are created, accessed, etc. in the timeline.
Screenshots
So if we look at these two time columns here, the time for the "time stamp" entry might be based on data.FNCreated, but if we look at Data.SILastAccessed, it's a different timestamp, 2022-09-14.
There should be different entries for each of these timestamps.
So when I search for this file "soo.ps1" there should be 7-8 entries for it, with each entry being a different timestamp attribute.
Then in the details maybe it has a variable for what attribute it is: FN, SI, created, etc.
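The split the maintainer describes above (one MFT record in, one record per timestamp out, each with its own @timestamp and a field saying which attribute it came from) as an added example. This is not Kuiper's code and not code from either participant. The record layout (a dict with a nested "Data" dict and a top-level "@timestamp"), the field names other than the two visible in the thread (Data.FNCreated and Data.SILastAccessed), and the sample record for soo.ps1 are all assumptions constructed for the example.

```python
"""Explode one parsed MFT record into one record per timestamp (added example, not Kuiper's code)."""
from __future__ import annotations

import copy

# Assumed field names: the thread shows FNCreated and SILastAccessed; the other six
# are assumed to follow the same pattern. Each tuple is (attribute, event, field).
# SI = $STANDARD_INFORMATION, FN = $FILE_NAME.
TIMESTAMP_FIELDS = [
    ("SI", "Created", "SICreated"),
    ("SI", "Modified", "SIModified"),
    ("SI", "LastAccessed", "SILastAccessed"),
    ("SI", "Changed", "SIChanged"),
    ("FN", "Created", "FNCreated"),
    ("FN", "Modified", "FNModified"),
    ("FN", "LastAccessed", "FNLastAccessed"),
    ("FN", "Changed", "FNChanged"),
]


def explode_mft_record(record: dict) -> list[dict]:
    """Return one copy of `record` per populated timestamp field.

    Each copy gets its @timestamp set to that field's value and three extra
    Data.* fields (TimestampAttribute, TimestampEvent, TimestampField) so the
    analyst can tell SI from FN and created from accessed in the timeline.
    Timestamp fields that are missing or empty are skipped, which is why a
    record may yield fewer than 8 rows (the 6-8 mentioned in the report).
    The input record is not modified.
    """
    data = record.get("Data", {})
    exploded = []
    for attribute, event, field in TIMESTAMP_FIELDS:
        value = data.get(field)
        if not value:
            continue
        row = copy.deepcopy(record)
        row["@timestamp"] = value
        row["Data"]["TimestampAttribute"] = attribute
        row["Data"]["TimestampEvent"] = event
        row["Data"]["TimestampField"] = field
        exploded.append(row)
    return exploded


def build_timeline(records: list[dict]) -> list[dict]:
    """Explode every record and order the result by @timestamp.

    Assumes all timestamps share one sortable string format (ISO 8601 here).
    """
    rows = [row for record in records for row in explode_mft_record(record)]
    rows.sort(key=lambda row: row["@timestamp"])
    return rows


def entries_for_file(timeline: list[dict], filename: str) -> list[dict]:
    """Mimic searching the timeline for one file name, e.g. "soo.ps1"."""
    return [row for row in timeline if row["Data"].get("FileName") == filename]


# Constructed sample record: all eight timestamps present. Values are made up;
# only the fact that SILastAccessed falls on 2022-09-14 mirrors the report.
SAMPLE_RECORD = {
    "@timestamp": "2022-09-01T10:00:00",
    "Data": {
        "FileName": "soo.ps1",
        "FullPath": "/Users/user/Desktop/soo.ps1",
        "SICreated": "2022-09-01T10:00:00",
        "SIModified": "2022-09-02T11:30:00",
        "SILastAccessed": "2022-09-14T08:12:33",
        "SIChanged": "2022-09-02T11:30:05",
        "FNCreated": "2022-09-01T10:00:00",
        "FNModified": "2022-09-01T10:00:00",
        "FNLastAccessed": "2022-09-01T10:00:00",
        "FNChanged": "2022-09-01T10:00:00",
    },
}

# Constructed sample record with no $FILE_NAME timestamps parsed: yields 4 rows.
SAMPLE_RECORD_SI_ONLY = {
    "@timestamp": "2022-08-20T09:00:00",
    "Data": {
        "FileName": "other.txt",
        "SICreated": "2022-08-20T09:00:00",
        "SIModified": "2022-08-21T09:00:00",
        "SILastAccessed": "2022-08-22T09:00:00",
        "SIChanged": "2022-08-21T09:00:01",
    },
}

if __name__ == "__main__":
    timeline = build_timeline([SAMPLE_RECORD, SAMPLE_RECORD_SI_ONLY])
    for row in entries_for_file(timeline, "soo.ps1"):
        print(row["@timestamp"], row["Data"]["TimestampAttribute"], row["Data"]["TimestampEvent"])
```

Deep-copying each row keeps every other field (path, size, flags) available on every timestamp entry, which is what makes the exploded rows self-describing in a timeline view; the cost is the record-count blowup the maintainer warns about, which is the reason for keeping this as a separate MFTTimeline parser rather than changing MFT_parser itself.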