Introducing MftCrawler, an MFT parser with $i30 carving capabilities
During Incident Response missions, we have to use forensic tools either on a single system or at company scale.
For various reasons we could not use the existing MFT parsers, and we also needed to do live $I30 carving.
So we decided to create our own. We named it MftCrawler.
MftCrawler is an MFT parser written in Lua with $i30 carving capabilities.
It can parse an offline MFT (a saved $MFT file) or a live one (Windows & Linux).
When running in live mode, MftCrawler can carve $i30 records and try to resurrect deleted file entries.
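To show what $i30 carving means in practice, here is an added example (not MftCrawler's code, and written in Python rather than Lua): it parses one 1024-byte $I30 INDX block, walks the allocated entries, then scans the slack after them for index entries of files that were removed from the directory. The sample block is constructed inline, and the plausibility checks used to accept a carved entry are this example's own heuristic, not the tool's.

```python
import struct
SECTOR, ENTRY_HDR, FN_FIXED, LAST_ENTRY, REF_MASK = 512, 0x10, 0x42, 0x02, 0xFFFFFFFFFFFF

def apply_fixups(raw):                                  # undo the update-sequence fixup on each sector's last word
    buf, (usa, n) = bytearray(raw), struct.unpack_from("<HH", raw, 4)
    for i in range(1, n):
        assert buf[i * SECTOR - 2:i * SECTOR] == buf[usa:usa + 2], "fixup mismatch"
        buf[i * SECTOR - 2:i * SECTOR] = buf[usa + 2 * i:usa + 2 * i + 2]
    return bytes(buf)

def file_name_at(buf, off):                             # FILE_NAME attribute at off, or None if implausible
    n = buf[off + 0x40] if off + FN_FIXED <= len(buf) else 0          # name length in UTF-16 code units
    if n == 0 or buf[off + 0x41] > 3 or off + FN_FIXED + 2 * n > len(buf):   # namespace is 0..3
        return None
    parent = struct.unpack_from("<Q", buf, off)[0] & REF_MASK
    return {"parent": parent, "name_len": n, "name": buf[off + FN_FIXED:][:2 * n].decode("utf-16-le", "replace")}

def parse_indx(raw):                                    # -> (live entries, entries carved from slack)
    buf = apply_fixups(raw)
    entries_off, in_use, allocated = struct.unpack_from("<III", buf, 0x18)   # relative to node header at 0x18
    pos, slack, end, live, carved = 0x18 + entries_off, 0x18 + in_use, min(0x18 + allocated, len(buf)), [], []
    while pos + ENTRY_HDR <= slack:                     # allocated entries, in B-tree order
        mft_ref, length, fn_len, flags = struct.unpack_from("<QHHI", buf, pos)
        fn = None if flags & LAST_ENTRY else file_name_at(buf, pos + ENTRY_HDR)
        if fn is None or length < ENTRY_HDR + fn_len:
            break
        live.append(dict(fn, mft=mft_ref & REF_MASK))
        pos += length
    # Removing an entry does not wipe its bytes, so the slack may hold deleted/renamed files; keep self-consistent ones
    while slack + ENTRY_HDR + FN_FIXED <= end:
        mft_ref, length, fn_len = struct.unpack_from("<QHH", buf, slack)
        fn = file_name_at(buf, slack + ENTRY_HDR)
        ok = fn and fn_len == FN_FIXED + 2 * fn["name_len"] and length == (ENTRY_HDR + fn_len + 7) // 8 * 8
        if ok:
            carved.append(dict(fn, mft=mft_ref & REF_MASK))
        slack += length if ok else 8                    # entries are 8-byte aligned
    return live, carved

def make_entry(mft, parent, name, flags=0):             # constructed entry: header + minimal FILE_NAME
    fn = struct.pack("<Q", parent | 1 << 48) + bytes(0x38) + bytes([len(name), 1]) + name.encode("utf-16-le")
    length = (ENTRY_HDR + len(fn) + 7) // 8 * 8
    return (struct.pack("<QHHI", mft | 1 << 48, length, len(fn), flags) + fn).ljust(length, b"\0")
def sample_block():                                     # constructed 1024-byte INDX block, not real disk data
    live = make_entry(40, 5, "report.docx") + make_entry(41, 5, "notes.txt") + struct.pack("<QHHI", 0, 16, 0, LAST_ENTRY)
    stale = make_entry(42, 5, "secrets.xlsx")           # deleted from the directory, its bytes left in slack
    hdr = b"INDX" + struct.pack("<HHQQIIIIH", 0x28, 3, 0, 0, 0x28, 0x28 + len(live), 1024 - 0x18, 0, 1)
    block = bytearray((hdr.ljust(0x40, b"\0") + live + stale).ljust(1024, b"\0"))
    for i in (1, 2):                                    # stamp USN 1 on sector ends, saving the originals in the USA
        block[0x28 + 2 * i:0x2A + 2 * i], block[i * SECTOR - 2:i * SECTOR] = block[i * SECTOR - 2:i * SECTOR], b"\x01\0"
    return bytes(block)
```

On real data the carved entries are only leads: the MFT record they reference may already have been reused, so cross-check the MFT reference and the parent directory before trusting a resurrected name.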
MftCrawler was designed with these goals in mind:
- Simple & easy to modify
- Fast (*)
- Low memory consumption (*)
(*) The $i30 carving does impact the performance.
This is still a work in progress (read BETA, so bugs will happen) and several features are still missing (owner SID, non-resident attributes spanning several records, ...).
Source & documentation can be found here: http://bitbucket.cassidiancybersecurity.com/mftcrawler
Feedback & bug reports are highly appreciated!