rowingdude / analyzeMFT

MIT License

Nanosecond fix #52

Closed mpilking closed 6 years ago

mpilking commented 6 years ago

Hi David,

Please have a look at these changes to address the issue with nanosecond anomaly detection. It was previously checking the $FN creation time rather than the $SI creation time. It now works correctly on the SANS nromanoff C:\WIndows\System32\dllhost\svchost.exe example, per issue #45.

I also added a try/except to check if an SI creation time exists at all, and if not, ignore this check. Sometimes it will not (ref SANS nromanoff image, MFT record 9837).

So, if SI create doesn't exist, or if it does exist but has a fractional second value, then record['usec-zero'] will remain undefined, and the "uSec Zero" column gets an "N". If it does exist and is NOT a fractional second value, then it gets a "Y".

Example screenshot below. I can post all the parsed data from nromanoff elsewhere if you like, but it's too big for GitHub (at least here in the pull request).

[Screenshot: nromanoff_nanosec_fix]

Thanks, Mike
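The uSec Zero decision described in this pull request, written out as an added example rather than analyzeMFT's own code: the flag is driven from the $SI creation time, a missing $SI creation time yields "N", and a further $SI/$FN comparison goes a step beyond the PR. The record layout, the FILETIME tick values and the helper names are assumptions, not taken from the project.

```python
# Added example (not analyzeMFT's code): the "uSec Zero" decision the PR
# describes, driven from the $STANDARD_INFORMATION ($SI) creation time rather
# than the $FILE_NAME ($FN) one, with a missing $SI creation time yielding "N".
# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
TICKS_PER_SECOND = 10_000_000


def has_zero_fraction(ticks: int) -> bool:
    """True when the timestamp lands exactly on a whole second."""
    return ticks % TICKS_PER_SECOND == 0


def usec_zero_flag(record: dict) -> str:
    """Return "Y"/"N" for the uSec Zero column.

    Assumed record layout: {"si": {"crtime": ticks}, "fn": {"crtime": ticks}}.
    A record without an $SI creation time (the PR cites MFT record 9837 in the
    nromanoff image) is handled like the fix's try/except: it gets "N".
    """
    try:
        crtime = record["si"]["crtime"]
    except KeyError:
        return "N"
    return "Y" if has_zero_fraction(crtime) else "N"


def si_fn_mismatch(record: dict) -> bool:
    """Beyond the PR: a stronger hint is an $SI creation time on a whole
    second while the $FN creation time, which is set by the kernel and is
    not normally rewritten, still carries a fraction."""
    try:
        si, fn = record["si"]["crtime"], record["fn"]["crtime"]
    except KeyError:
        return False
    return has_zero_fraction(si) and not has_zero_fraction(fn)


# Constructed sample records, not data from the nromanoff image.
ZERO = 133_000_000_000_000_000   # exactly on a second boundary
FRAC = 133_000_000_001_234_567   # 0.1234567 s into the second
SAMPLES = {
    "suspect": {"si": {"crtime": ZERO}, "fn": {"crtime": FRAC}},
    "normal": {"si": {"crtime": FRAC}, "fn": {"crtime": FRAC}},
    "no_si": {"fn": {"crtime": FRAC}},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:8} uSec Zero={usec_zero_flag(rec)} "
              f"SI/FN mismatch={si_fn_mismatch(rec)}")
```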

dkovar commented 6 years ago

Very nice work. Thank you very much for doing this. -David