Upload files to "Modules/Knowledge/SANS"
This commit is contained in:
35
Modules/Knowledge/SANS/file_system_artifacts.py
Normal file
35
Modules/Knowledge/SANS/file_system_artifacts.py
Normal file
@ -0,0 +1,35 @@
|
||||
def get_content():
|
||||
"""
|
||||
Returns structured content for NTFS, journaling, and anti-forensics artifacts.
|
||||
"""
|
||||
return [
|
||||
{
|
||||
"title": "NTFS Metadata and Attributes",
|
||||
"content": """
|
||||
- MFT Attributes: Tracks MAC timestamps, $File_Name, $Data (resident or non-resident).
|
||||
- $LogFile and $UsnJrnl: Log file changes and deletions.
|
||||
"""
|
||||
},
|
||||
{
|
||||
"title": "Timeline Analysis",
|
||||
"content": """
|
||||
- $SI and $FN timestamps: Can indicate timestomping or anti-forensic techniques.
|
||||
- Exiftool: Verifies discrepancies in timestamps and metadata.
|
||||
"""
|
||||
},
|
||||
{
|
||||
"title": "Advanced Analysis Tools",
|
||||
"content": """
|
||||
- LogfileParser: Extracts NTFS transactional logs.
|
||||
- Mftecmd: Parses MFT entries and supports Volume Shadow Copies.
|
||||
- Icat: Extracts data streams like Zone.Identifier for ADS.
|
||||
"""
|
||||
},
|
||||
{
|
||||
"title": "Deleted File Evidence",
|
||||
"content": """
|
||||
- MFT metadata persists even after deletion.
|
||||
- $INDEX_ROOT and $INDEX_ALLOCATION track directory changes.
|
||||
"""
|
||||
}
|
||||
]
|
||||
Reference in New Issue
Block a user