I submitted 3 pull requests to AnalyzeMFT and they have been accepted. Please update AnalyzeMFT from GitHub repo so it includes these fixes. The updates are:
Fixed nanosecond anomaly check so it looks at the $SI create time instead of $FN create time.
Added new checks to flag possible file copies ($SI create time > $SI modify time) & volume moves ($SI access time > $SI create time & $SI modify time)
Narrowed stf-fn-shift logic so it only flags when $SI create time < $FN create time (previously it also alerted when the first $FN entry is not present). This resulted in a few false positives.
Thanks, Mike
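The four timestamp heuristics described in the post, written out as an added Python example so the comparisons are explicit. This is not AnalyzeMFT's own code: the record layout (`MftTimestamps`), the function names and the constructed sample records are all assumptions made here. The one semantic detail the post does not spell out is what "nanosecond anomaly" means; the example assumes the common timestomping indicator that the sub-second part of the $SI creation time is exactly zero, and labels that in a comment.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class MftTimestamps:
    """$STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) times for one MFT record.

    fn_create is None when the record carries no $FN attribute; the narrowed
    shift check must then stay quiet instead of flagging the record.
    (Hypothetical layout, not AnalyzeMFT's internal record structure.)
    """
    si_create: datetime
    si_modify: datetime
    si_access: datetime
    fn_create: Optional[datetime] = None


def nanosecond_anomaly(ts: MftTimestamps) -> bool:
    """$SI create time with a zero sub-second part.

    Assumption: the 'nanosecond anomaly' check tests whether the fractional
    seconds of the $SI creation time are exactly zero, which genuine NTFS
    writes almost never produce but tools that set times to whole seconds do.
    Per the post, the check uses the $SI time, not the $FN time.
    """
    return ts.si_create.microsecond == 0


def possible_copy(ts: MftTimestamps) -> bool:
    """Creation newer than last modification: the content predates the record."""
    return ts.si_create > ts.si_modify


def possible_volume_move(ts: MftTimestamps) -> bool:
    """Access newer than both creation and modification: consistent with a move
    to another volume, where the file is read without being changed."""
    return ts.si_access > ts.si_create and ts.si_access > ts.si_modify


def si_fn_shift(ts: MftTimestamps) -> bool:
    """Narrowed stf-fn-shift: flag only when an $FN create time exists and the
    $SI create time is earlier than it. A missing $FN entry is not an anomaly."""
    if ts.fn_create is None:
        return False
    return ts.si_create < ts.fn_create


def check_record(ts: MftTimestamps) -> dict[str, bool]:
    """Run all four heuristics and return a flag per check."""
    return {
        "nanosecond_anomaly": nanosecond_anomaly(ts),
        "possible_copy": possible_copy(ts),
        "possible_volume_move": possible_volume_move(ts),
        "si_fn_shift": si_fn_shift(ts),
    }


def _utc(y, mo, d, h=0, mi=0, s=0, us=0) -> datetime:
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


# Constructed sample records (not taken from any real MFT).
SAMPLES = {
    # $SI create set back to a whole second, earlier than the $FN create time.
    "timestomped": MftTimestamps(
        si_create=_utc(2020, 1, 1),
        si_modify=_utc(2021, 6, 1, 12, 34, 56, 123456),
        si_access=_utc(2021, 6, 1, 12, 34, 56, 123456),
        fn_create=_utc(2021, 6, 1, 12, 34, 56, 123456),
    ),
    # Copied file: new record, but modification time carried over from the source.
    "copied": MftTimestamps(
        si_create=_utc(2021, 6, 5, 10, 0, 0, 500000),
        si_modify=_utc(2021, 3, 1, 9, 0, 0, 250000),
        si_access=_utc(2021, 6, 5, 10, 0, 0, 500000),
    ),
    # Moved between volumes: only the access time advanced.
    "moved": MftTimestamps(
        si_create=_utc(2021, 3, 1, 8, 0, 0, 111111),
        si_modify=_utc(2021, 3, 2, 8, 0, 0, 222222),
        si_access=_utc(2021, 4, 1, 8, 0, 0, 333333),
        fn_create=_utc(2021, 3, 1, 8, 0, 0, 111111),
    ),
    # Ordinary record: nothing should fire.
    "normal": MftTimestamps(
        si_create=_utc(2021, 1, 1, 0, 0, 0, 123000),
        si_modify=_utc(2021, 2, 1, 0, 0, 0, 456000),
        si_access=_utc(2021, 1, 15, 0, 0, 0, 789000),
        fn_create=_utc(2021, 1, 1, 0, 0, 0, 123000),
    ),
}


def run_samples() -> dict[str, dict[str, bool]]:
    """Evaluate every constructed record; handy for a quick sanity run."""
    return {name: check_record(ts) for name, ts in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        fired = [k for k, v in flags.items() if v] or ["-"]
        print(f"{name:12s} {' '.join(fired)}")
```

Note that the copied sample has equal $SI create and access times, so the volume-move check stays quiet for it: the post's rule requires access to be strictly later than both create and modify, which is what keeps a fresh copy from being double-flagged.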