Example Usage
It is intended to help the analyst triage individual boot record dumps or whole disk images. The latter is preferred, since it allows the script to perform additional checks that would not be possible on individual dumps alone. This script only detects anomalies, which then have to be investigated manually by an analyst. Because it works with a whitelist mechanism, it is able to detect a wide range of malicious code, but it will also flag legitimate (encryption software, etc.) or benign modifications of the boot records. This topic was presented during a talk at the French conference CORI&IN 2017.

How does it work ?
==================

The script is based on the fact that boot records contain code sections that do not vary much from one machine to another. The differences can be identified and understood by performing a static analysis. This script merely implements the results of these analyses: it tries to narrow down these "invariant" code sections and hash them. The hash is then compared to a whitelist of known good signatures that has to be built by the analyst (an example is given, but it is advised to build your own). If no record is found in the whitelist then the boot recor
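As an added illustration (not the script's own code), the whitelist check described above run on constructed 512-byte MBR samples: the per-disk fields (disk signature, partition table) are excluded and only the bootstrap region is hashed, so two disks sharing the same loader match one whitelist entry while a patched loader is reported as an anomaly. The fixed 0x1B8 cut-off, the sample bytes and the function names are assumptions made for this example; the real script derives the invariant ranges from static analysis.

```python
import hashlib

SECTOR_SIZE = 512
CODE_END = 0x1B8    # assumed: bootstrap code lives in 0x000..0x1B7
# 0x1B8..0x1BB disk signature, 0x1BC..0x1BD reserved, 0x1BE..0x1FD partition table, 0x1FE 55AA

def build_mbr(code: bytes, disk_sig: bytes, part_table: bytes) -> bytes:
    """Assemble a constructed MBR from its invariant (code) and variable parts."""
    if len(code) > CODE_END or len(disk_sig) != 4 or len(part_table) != 64:
        raise ValueError("bad field size")
    return code.ljust(CODE_END, b"\x00") + disk_sig + b"\x00\x00" + part_table + b"\x55\xAA"

def invariant_code(sector: bytes) -> bytes:
    """Drop the per-machine fields so only the bootstrap region is hashed."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != b"\x55\xAA":
        raise ValueError("not a 512-byte boot sector ending in 55AA")
    return sector[:CODE_END]

def code_hash(sector: bytes) -> str:
    return hashlib.sha256(invariant_code(sector)).hexdigest()

def triage(sector: bytes, whitelist: dict) -> tuple:
    """('known', label) when the code hash is whitelisted, otherwise ('anomaly', hash)."""
    h = code_hash(sector)
    return ("known", whitelist[h]) if h in whitelist else ("anomaly", h)

# Constructed stand-in for a vendor loader: a short x86 prologue plus a halt loop, not a real MBR.
GOOD_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4") + b"\xEB\xFE"
# Two constructed partition tables (one bootable entry each) for two different disks.
PART_A = (b"\x80\x01\x01\x00\x07\xfe\xff\xff" + (2048).to_bytes(4, "little")
          + (204800).to_bytes(4, "little")).ljust(64, b"\x00")
PART_B = (b"\x80\x20\x21\x00\x83\xfe\xff\xff" + (4096).to_bytes(4, "little")
          + (409600).to_bytes(4, "little")).ljust(64, b"\x00")

# The analyst-built whitelist: hash of the reference loader, taken from a known-good disk.
WHITELIST = {code_hash(build_mbr(GOOD_CODE, b"\x11\x22\x33\x44", PART_A)): "reference loader (constructed)"}

def demo() -> tuple:
    other_disk = build_mbr(GOOD_CODE, b"\xAA\xBB\xCC\xDD", PART_B)   # same loader, other disk
    patched = bytearray(build_mbr(GOOD_CODE, b"\x11\x22\x33\x44", PART_A))
    patched[0:2] = b"\x90\x90"                                         # constructed code modification
    return triage(other_disk, WHITELIST), triage(bytes(patched), WHITELIST)

if __name__ == "__main__":
    for verdict, detail in demo():
        print(verdict, detail)
```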