
Introducing MftCrawler, an MFT parser with $i30 carving capabilities

Published: 20/01/14
by Jerome Leseinne

During Incident Response missions, we have to use forensics tools either on a local system or at company scale. For different reasons, we could not use the MFT parsers already available, and we needed to do live $I30 carving as well.
So we decided to create our own. We named it MftCrawler.

MftCrawler is an MFT parser written in Lua with $i30 carving capabilities.
It can be used to parse an offline MFT (a saved $MFT file) or to run live (Windows & Linux).

When running in live mode, MftCrawler can carve $i30 records and try to resurrect deleted file entries.
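As an added illustration of what $i30 carving involves (this is example code written for this page, not MftCrawler's Lua source), the script below walks the live entries of one NTFS $I30 index record (an INDX block), then scans the slack between the node's used and allocated ends for $FILE_NAME bodies that a deletion left behind. The INDX record, the file names, MFT record numbers and timestamps are all constructed inside the script, and the timestamp window and header-consistency rule used to accept a carved body are assumptions of this example, not MftCrawler's heuristics.

```python
# Added example, not MftCrawler's own code: list the live entries of an NTFS $I30 index
# record (INDX), then carve its slack for $FILE_NAME bodies left behind by deleted entries.
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # FILETIME epoch
SECTOR, INDX_SIZE = 512, 4096                            # usual index record size

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

# Carving heuristic assumed by this example: timestamps outside 1990..2100 mean "not a real body"
FT_MIN, FT_MAX = (to_filetime(datetime(y, 1, 1, tzinfo=timezone.utc)) for y in (1990, 2100))

def parse_file_name(buf, off):
    """Parse a $FILE_NAME attribute body at buf[off]; None if it does not look like one."""
    if off + 66 > len(buf):
        return None
    parent, crt, mod, _mft, acc, _alloc, real, _flags, _rp, nlen, ns = \
        struct.unpack_from("<QQQQQQQIIBB", buf, off)
    if ns > 3 or nlen == 0 or off + 66 + 2 * nlen > len(buf) \
            or not all(FT_MIN <= t <= FT_MAX for t in (crt, mod, acc)):
        return None                                      # namespace is 0..3, a name is mandatory
    name = buf[off + 66:off + 66 + 2 * nlen].decode("utf-16-le", "replace")
    if not name.isprintable() or "\ufffd" in name:
        return None
    return {"name": name, "parent": parent & 0xFFFFFFFFFFFF, "size": real,
            "created": from_filetime(crt), "body_len": 66 + 2 * nlen}

def apply_fixups(rec):
    """Undo update-sequence fixups: put back the last two bytes of every sector."""
    rec = bytearray(rec)
    fix_off, fix_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[fix_off:fix_off + 2]
    for i in range(1, fix_cnt):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        rec[pos:pos + 2] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]
    return bytes(rec)

def parse_indx(rec):
    """Return (live_entries, carved_entries) for one INDX record."""
    if rec[:4] != b"INDX":
        raise ValueError("not an INDX record")
    rec, node = apply_fixups(rec), 24                    # index node header follows the INDX header
    entries_off, used_end, alloc_end, _ = struct.unpack_from("<IIII", rec, node)
    live, off = [], node + entries_off
    while off + 16 <= node + used_end:
        ref, entry_len, fn_len, flags = struct.unpack_from("<QHHI", rec, off)
        if flags & 0x02 or entry_len < 16:               # last-entry marker carries no name
            break
        fn = parse_file_name(rec, off + 16)
        if fn and fn["body_len"] == fn_len:
            fn["mft_record"] = ref & 0xFFFFFFFFFFFF
            live.append(fn)
        off += entry_len
    # Deleting an entry shifts later ones down and lowers used_end, but nothing is zeroed:
    # old $FILE_NAME bodies survive between used_end and alloc_end; scan it 8-byte aligned.
    carved, pos = [], node + used_end
    while pos + 66 <= node + alloc_end:
        fn = parse_file_name(rec, pos)
        if fn:
            # The header in front of a carved body is usually overwritten: trust its MFT
            # reference only if its fn_len still matches the body that follows it.
            ref, _, fn_len, _ = struct.unpack_from("<QHHI", rec, pos - 16)
            fn["mft_record"] = ref & 0xFFFFFFFFFFFF if fn_len == fn["body_len"] else None
            carved.append(fn)
        pos += (fn["body_len"] + 7) & ~7 if fn else 8
    return live, carved

# Constructed sample: two live entries plus one deleted entry whose bytes remain in slack.
def file_name_body(name, when, size, parent=5):
    return struct.pack("<QQQQQQQIIBB", (5 << 48) | parent, *[to_filetime(when)] * 4,
                       (size + 4095) & ~4095, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")

def index_entry(mft_record, body):
    entry_len = (16 + len(body) + 7) & ~7
    return struct.pack("<QHHI", (1 << 48) | mft_record, entry_len, len(body), 0) + body.ljust(entry_len - 16, b"\0")

def build_indx(live, deleted):
    """Live entries + end marker, then the deleted entry's remains (its header was overwritten)."""
    end_marker = struct.pack("<QHHI", 0, 16, 0, 0x02)
    used, stale, fix_cnt = b"".join(live) + end_marker, deleted[16:] + end_marker, INDX_SIZE // SECTOR + 1
    rec = bytearray(b"INDX" + struct.pack("<HHQQ", 40, fix_cnt, 0, 0))  # fixup array at 40, LSN 0, VCN 0
    rec += struct.pack("<IIII", 40, 40 + len(used), INDX_SIZE - 24, 0)  # node header: entries at node+40
    rec += bytes(24) + used + stale                                     # fixup array slot, then the entries
    rec += bytes(INDX_SIZE - len(rec))
    rec[40:42] = usn = b"\x07\x00"                       # apply fixups the way the driver does
    for i in range(1, fix_cnt):
        pos = i * SECTOR - 2
        rec[40 + 2 * i:42 + 2 * i], rec[pos:pos + 2] = rec[pos:pos + 2], usn
    return bytes(rec)

T = datetime(2014, 1, 20, 9, 30, tzinfo=timezone.utc)
SAMPLE_INDX = build_indx(live=[index_entry(40, file_name_body("report.docx", T, 18321)),
                               index_entry(41, file_name_body("notes.txt", T, 512))],
                         deleted=index_entry(42, file_name_body("budget.xlsx", T, 40960)))

if __name__ == "__main__":
    print(*parse_indx(SAMPLE_INDX), sep="\n")
```

Two points worth noticing when reading the output: the carved `budget.xlsx` comes back with `mft_record` set to `None`, because the new end marker overwrote the 16-byte entry header that held its MFT reference, so a resurrected name cannot always be tied back to a record; and `apply_fixups` refuses a record whose sector tails do not match the update sequence number rather than silently parsing a torn write, which is the same check the NTFS driver makes before trusting the block.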

MftCrawler was designed with these goals in mind:

Simple & easy to modify
Fast (*)
Low memory consumption (*)

(*) The $i30 carving does impact the performance.

This is still a work in progress (read: BETA, so bugs will happen) and several features are still missing (owner SID, non-resident attributes spanning several records, …).

Source & documentation can be found here: http://bitbucket.cassidiancybersecurity.com/mftcrawler

Feedback & bug reports highly appreciated!
