Also yield STANDARD_INFORMATION timestamps in timeliner

dgmcdona · dgmcdona · commit a0ca33b284e4 · 2025-04-04T11:30:27.000-05:00
diff --git a/volatility3/framework/plugins/windows/mftscan.py b/volatility3/framework/plugins/windows/mftscan.py
@@ -238,9 +238,9 @@ def generate_timeline(self):
             _depth, row_data = row
 
             # Only Output FN Records
-            if row_data[6] == "FILE_NAME":
+            if row_data[6] in ("FILE_NAME", "STANDARD_INFORMATION"):
                 filename = row_data[-1]
-                description = f"MFT FILE_NAME entry for {filename}"
+                description = f"MFT {row_data[6]} entry for {filename}"
                 yield (description, timeliner.TimeLinerType.CREATED, row_data[7])
                 yield (description, timeliner.TimeLinerType.MODIFIED, row_data[8])
                 yield (description, timeliner.TimeLinerType.CHANGED, row_data[9])
