During Incident Response missions, we have to use forensics tools either on a local system or at the company scale. For different reasons, we could not use the available MFT parsers available and we needed to do live $I30 carving as well.
So we decided to create our own. We named it MftCrawler.

MftCrawler is a MFT parser written in Lua with $i30 carving capabilities.
It can be used to parse offline MFT (saved MFT file) or Live (Windows & Linux).

When running in live mode MftCrawler can carve $i30 records and try to resurrect deleted file entries.

MftCrawler was designed with these goals in mind:

  • Simple & easy to modify
  • Fast (*)
  • Low memory consumption (*)

(*) The $i30 carving does impact the performance.

This is still a work in progress (read BETA, so bugs will happen) and several features are still missing (owner SID, non resident attribute spanning several records,...)

Source & documentation can be found here: http://bitbucket.cassidiancybersecurity.com/mftcrawler

Feedback & bug reports highly appreciated !