sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

FN info times from MFT #289

Status: Open. MariasStory opened this issue 4 years ago

MariasStory commented 4 years ago

Hi, thanks for the cool tool. Do you also parse the FN info times from the MFT? It would be nice to compare the times. I would love to see the times that differ marked with a different color, at least as an option.

lfcnassif commented 4 years ago

That would be interesting, but we consume sleuthkit java API, and it does not expose those dates to be queried (https://github.com/sleuthkit/sleuthkit/blob/develop/bindings/java/src/org/sleuthkit/datamodel/AbstractFile.java)

This should be asked and added to sleuthkit project as a java API first, so we could query and index FN MFT dates, and compare them to STANDARD_INFO dates.

MariasStory commented 3 years ago

Can we use https://github.com/dkovar/analyzeMFT or something similar to parse the MFT? From my experience, it is a fast and reliable method to get all time stamps. Maybe it is something that can be done first, and the data may be correlated with the sleuthkit results. Let's use the quick wins to give the most important information during analysis.

lfcnassif commented 3 years ago

I think the CPL license is ok. But I don't like very much the idea of stopping the world, waiting for this tool to finish, and then starting the processing of the items discovered by sleuthkit with the new timestamps. I've done patches in sleuthkit to not wait for its item discovery to finish before starting to process items (it takes minutes, and eventually hours...). I think they addressed this limitation in the 4.9 or 4.10 version with the so-called streaming processing, and I will remove my patches when we upgrade, to facilitate new upgrades.

Another possible way is updating case items properties (adding new dates) after they were processed. But this will need #24 to be implemented before, I "plan" to start this month...

MariasStory commented 2 years ago

Just to mention: AnalyzeMFT is no longer maintained and has known shortcomings (dkovar/analyzeMFT#56). Maybe an alternative like https://github.com/EricZimmerman/MFTECmd?

lfcnassif commented 2 years ago

Thanks @MariasStory for pointing out the AnalyzeMFT limitation and MFTECmd. But I still think the best approach would be for TSK to expose FN info to the java API, as that info is already decoded by the TSK istat tool, so the integration would be fairly easy.
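As an added illustration of the $STANDARD_INFORMATION / $FILE_NAME comparison requested in this issue (example code written for this page, not code from IPED, sleuthkit, analyzeMFT or MFTECmd): it walks the resident attributes of one raw MFT record, pulls the four timestamps out of $SI and the first $FN, and reports the fields where the two disagree, which is what a viewer would highlight in a different color. The attribute layout follows the NTFS on-disk format; the sample record is constructed inline, not taken from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

SI_TYPE, FN_TYPE = 0x10, 0x30                      # $STANDARD_INFORMATION, $FILE_NAME
FIELDS = ("created", "modified", "mft_modified", "accessed")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_record_times(record):
    """Walk the resident attributes of one MFT FILE record and return
    {'SI': {...}, 'FN': {...}} with the four timestamps of each (first $FN only)."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]        # first attribute offset
    times = {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:                # end-of-attributes marker
            break
        non_resident = record[off + 8]
        if not non_resident and atype in (SI_TYPE, FN_TYPE):
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            base = content + (8 if atype == FN_TYPE else 0)  # $FN starts with parent ref
            fts = struct.unpack_from("<4Q", record, base)
            key = "SI" if atype == SI_TYPE else "FN"
            times.setdefault(key, dict(zip(FIELDS, map(filetime_to_dt, fts))))
        off += alen
    return times

def timestamp_mismatches(times):
    """Fields where $SI and $FN disagree: the ones a viewer would colour differently."""
    si, fn = times.get("SI", {}), times.get("FN", {})
    return {f for f in FIELDS if f in si and f in fn and si[f] != fn[f]}

def _attr(atype, content):
    """Resident attribute: 24-byte header + content, padded to an 8-byte boundary."""
    total = 24 + len(content) + (-(24 + len(content))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 24, 0, 0)
    return (hdr + content).ljust(total, b"\0")

def build_sample_record(si_times, fn_times, name="sample.exe"):
    """Constructed test record (not from a real disk): $SI, one $FN, end marker."""
    si = struct.pack("<4Q", *si_times) + b"\0" * 16          # times + flags/version fields
    n = name.encode("utf-16-le")
    fn = struct.pack("<Q4Q2Q2I", 5, *fn_times, 0, 0, 0, 0) + bytes([len(n) // 2, 1]) + n
    header = b"FILE" + b"\0" * 16 + struct.pack("<H", 56) + b"\0" * 34
    return (header + _attr(SI_TYPE, si) + _attr(FN_TYPE, fn) + b"\xff" * 4).ljust(1024, b"\0")
```

A real examiner would feed `parse_record_times` each 1024-byte record of an extracted $MFT; a record whose $SI created time precedes its $FN created time is the classic sign worth flagging.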