Add MFT update for time box (Velocidex#1121)

artifacts/definitions/Windows/NTFS/MFT.yaml

@@ -1,4 +1,5 @@
 name: Windows.NTFS.MFT
+author: "Matt Green - @mgreen27"
 description: |
   This artifact parses $MFT files and returns rows of each in scope  MFT record.
   This artifact can be used as the basis for other artifacts where the MFT needs
@@ -19,7 +20,6 @@ description: |
   - Time bounds to select files with a timestamp within time ranges
   - FileSize bounds
 
-author: "Matt Green - @mgreen27"
 
 parameters:
   - name: MFTFilename
@@ -51,11 +51,18 @@ parameters:
 
 sources:
   - query: |
-      -- firstly set timebounds for performance
-      LET DateAfterTime <= if(condition=DateAfter,
-            then=DateAfter, else="1600-01-01")
-      LET DateBeforeTime <= if(condition=DateBefore,
-            then=DateBefore, else="2200-01-01")
+      -- time testing
+      LET time_test(stamp) = 
+            if(condition= DateBefore AND DateAfter,
+                then= stamp < DateBefore AND stamp > DateAfter,
+                else= 
+            if(condition=DateBefore,
+                then= stamp < DateBefore,
+                else= 
+            if(condition= DateAfter,
+                then= stamp > DateAfter,
+                else= True
+            )))
 
 
       -- find all ntfs drives
@@ -71,28 +78,21 @@ sources:
         FROM parse_mft(filename=MFTPath, accessor=Accessor)
         WHERE FullPath =~ PathRegex
             AND FileName =~ FileRegex
-            AND Created0x10 < DateBeforeTime
-            AND Created0x10 > DateAfterTime
-            AND Created0x30 < DateBeforeTime
-            AND Created0x30 > DateAfterTime
-            AND LastModified0x10 < DateBeforeTime
-            AND LastModified0x10 > DateAfterTime
-            AND LastModified0x30 < DateBeforeTime
-            AND LastModified0x30 > DateAfterTime
-            AND LastRecordChange0x10 < DateBeforeTime
-            AND LastRecordChange0x10 > DateAfterTime
-            AND LastRecordChange0x30 < DateBeforeTime
-            AND LastRecordChange0x30 > DateAfterTime
-            AND LastAccess0x10 < DateBeforeTime
-            AND LastAccess0x10 > DateAfterTime
-            AND LastAccess0x30 < DateBeforeTime
-            AND LastAccess0x30 > DateAfterTime
             AND if(condition=SizeMax,
                 then=FileSize < atoi(string=SizeMax),
                 else=TRUE)
             AND if(condition=SizeMin,
                 then=FileSize > atoi(string=SizeMin),
                 else=TRUE)
+            AND 
+             ( time_test(stamp=Created0x10)
+            OR time_test(stamp=Created0x30)
+            OR time_test(stamp=LastModified0x10)
+            OR time_test(stamp=LastModified0x30)
+            OR time_test(stamp=LastRecordChange0x10)
+            OR time_test(stamp=LastRecordChange0x30)
+            OR time_test(stamp=LastAccess0x10)
+            OR time_test(stamp=LastAccess0x30))
 
 
       -- include all attached drives

artifacts/testdata/server/testcases/mft.in.yaml

@@ -0,0 +1,41 @@
+Queries:
+  # Setup our mocks --parse_mft needs to be mocked
+  - |
+    LET _ <= SELECT
+          mock(plugin='info', results=[dict(OS='windows')]),
+          mock(plugin='parse_mft', results=[
+            dict(
+              EntryNumber=287634,InUse=true,ParentEntryNumber=287637,
+              FullPath='Program Files/Velociraptor/client.config.yaml',FileName='client.config.yaml',
+              FileSize=2512,ReferenceCount=2,IsDir=false,
+              Created0x10=timestamp(string='2021-06-21T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastModified0x10=timestamp(string='2021-08-01T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastRecordChange0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+            ),
+            dict(
+              EntryNumber=287639,InUse=true,ParentEntryNumber=287637,
+              FullPath='ProgramFiles/Velociraptor/Velociraptor.exe',FileName='Velociraptor.exe',
+              FileSize=41810344,ReferenceCount=2,IsDir=false,
+              Created0x10=timestamp(string='2021-06-01T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastModified0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastRecordChange0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+            ),
+            dict(
+              EntryNumber=287649,InUse=true,ParentEntryNumber=287637,
+              FullPath='ProgramFiles/Velociraptor/velociraptor.writeback.yaml',FileName='velociraptor.writeback.yaml',
+              FileSize=3520,ReferenceCount=2,IsDir=false,
+              Created0x10=timestamp(string='2021-06-21T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastModified0x10=timestamp(string='2021-02-02T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastRecordChange0x10=timestamp(string='2021-01-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+              LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+            )])
+      FROM scope()
+
+  # Test MFT output
+  - SELECT * FROM Artifact.Windows.NTFS.MFT()
+  # Test time contraints
+  - SELECT * FROM Artifact.Windows.NTFS.MFT(DateBefore='2021-06-21')
+  - SELECT * FROM Artifact.Windows.NTFS.MFT(DateAfter='2021-07-01')
+  - SELECT * FROM Artifact.Windows.NTFS.MFT(DateAfter='2021-07-01', DateBefore='2021-09-01')

artifacts/testdata/server/testcases/mft.out.yaml

@@ -0,0 +1,176 @@
+LET _ <= SELECT
+      mock(plugin='info', results=[dict(OS='windows')]),
+      mock(plugin='parse_mft', results=[
+        dict(
+          EntryNumber=287634,InUse=true,ParentEntryNumber=287637,
+          FullPath='Program Files/Velociraptor/client.config.yaml',FileName='client.config.yaml',
+          FileSize=2512,ReferenceCount=2,IsDir=false,
+          Created0x10=timestamp(string='2021-06-21T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastModified0x10=timestamp(string='2021-08-01T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastRecordChange0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+        ),
+        dict(
+          EntryNumber=287639,InUse=true,ParentEntryNumber=287637,
+          FullPath='ProgramFiles/Velociraptor/Velociraptor.exe',FileName='Velociraptor.exe',
+          FileSize=41810344,ReferenceCount=2,IsDir=false,
+          Created0x10=timestamp(string='2021-06-01T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastModified0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastRecordChange0x10=timestamp(string='2021-06-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+        ),
+        dict(
+          EntryNumber=287649,InUse=true,ParentEntryNumber=287637,
+          FullPath='ProgramFiles/Velociraptor/velociraptor.writeback.yaml',FileName='velociraptor.writeback.yaml',
+          FileSize=3520,ReferenceCount=2,IsDir=false,
+          Created0x10=timestamp(string='2021-06-21T01:39:11.6812434Z'),Created0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastModified0x10=timestamp(string='2021-02-02T01:39:48.8960671Z'),LastModified0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastRecordChange0x10=timestamp(string='2021-01-25T01:39:48.8960671Z'),LastRecordChange0x30=timestamp(string='2021-06-21T01:39:11.6812434Z'),
+          LastAccess0x10=timestamp(string='2021-06-21T14:35:09.727465Z'),LastAccess0x30=timestamp(string='2021-06-21T01:39:11.6812434Z')
+        )])
+  FROM scope()
+[]SELECT * FROM Artifact.Windows.NTFS.MFT()[
+ {
+  "EntryNumber": 287634,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "Program Files/Velociraptor/client.config.yaml",
+  "FileName": "client.config.yaml",
+  "FileSize": 2512,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-21T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-08-01T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ },
+ {
+  "EntryNumber": 287639,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "ProgramFiles/Velociraptor/Velociraptor.exe",
+  "FileName": "Velociraptor.exe",
+  "FileSize": 41810344,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-01T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ },
+ {
+  "EntryNumber": 287649,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "ProgramFiles/Velociraptor/velociraptor.writeback.yaml",
+  "FileName": "velociraptor.writeback.yaml",
+  "FileSize": 3520,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-21T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-02-02T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-01-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ }
+]SELECT * FROM Artifact.Windows.NTFS.MFT(DateBefore='2021-06-21')[
+ {
+  "EntryNumber": 287639,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "ProgramFiles/Velociraptor/Velociraptor.exe",
+  "FileName": "Velociraptor.exe",
+  "FileSize": 41810344,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-01T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ },
+ {
+  "EntryNumber": 287649,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "ProgramFiles/Velociraptor/velociraptor.writeback.yaml",
+  "FileName": "velociraptor.writeback.yaml",
+  "FileSize": 3520,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-21T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-02-02T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-01-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ }
+]SELECT * FROM Artifact.Windows.NTFS.MFT(DateAfter='2021-07-01')[
+ {
+  "EntryNumber": 287634,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "Program Files/Velociraptor/client.config.yaml",
+  "FileName": "client.config.yaml",
+  "FileSize": 2512,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-21T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-08-01T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ }
+]SELECT * FROM Artifact.Windows.NTFS.MFT(DateAfter='2021-07-01', DateBefore='2021-09-01')[
+ {
+  "EntryNumber": 287634,
+  "InUse": true,
+  "ParentEntryNumber": 287637,
+  "MFTPath": "C:/$MFT",
+  "FullPath": "Program Files/Velociraptor/client.config.yaml",
+  "FileName": "client.config.yaml",
+  "FileSize": 2512,
+  "ReferenceCount": 2,
+  "IsDir": false,
+  "Created0x10": "2021-06-21T01:39:11.6812434Z",
+  "Created0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastModified0x10": "2021-08-01T01:39:48.8960671Z",
+  "LastModified0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastRecordChange0x10": "2021-06-25T01:39:48.8960671Z",
+  "LastRecordChange0x30": "2021-06-21T01:39:11.6812434Z",
+  "LastAccess0x10": "2021-06-21T14:35:09.727465Z",
+  "LastAccess0x30": "2021-06-21T01:39:11.6812434Z",
+  "_Source": "Windows.NTFS.MFT"
+ }
+]