Additional rules #46

dkovar · 2017-04-27T10:43:45Z

M - modified, B - birth, A - accessed:

If M < B then likely file copy Detected at B
If M and B < A == volume file move

…ely_move

…d in bodyfile output #33 Data run calculations are wrong? #21 Investigate update sequence numbers #9 Datarun oddity #16 Additional rules #46

noahrubin pushed a commit to analyzeDFIR/analyzeMFT that referenced this issue Aug 12, 2017

Issue rowingdude#46: Additional Rules - implement likely_copy and lik…

bee62c8

…ely_move

mpilking mentioned this issue Mar 8, 2018

Copy move #53

Merged

rowingdude self-assigned this Aug 1, 2024

rowingdude added a commit that referenced this issue Sep 4, 2024

Adds body file, timeline, l2t back. Closes Files not marked as delete…

cef6594

…d in bodyfile output #33 Data run calculations are wrong? #21 Investigate update sequence numbers #9 Datarun oddity #16 Additional rules #46

rowingdude added this to AnalyzeMFT Sep 4, 2024

rowingdude added enhancement question Standard_Addition labels Sep 4, 2024

rowingdude closed this as completed Sep 4, 2024

github-project-automation bot moved this to Done in AnalyzeMFT Sep 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Additional rules #46

Additional rules #46

dkovar commented Apr 27, 2017

Additional rules #46

Additional rules #46

Comments

dkovar commented Apr 27, 2017