MFT Carver and Parser

This repository contains two tools designed to help you work with NTFS Master File Table (MFT) records:

  • carve_mft.go (Golang Program)
    A robust, multi-threaded tool for carving MFT records from disk images. It extracts the 1024-byte block at each MFT entry it finds, parses the record's attributes, and writes one JSON object per record (JSONL). It can process a single image or every image in a directory in parallel, and can optionally dump the raw 1024-byte records to disk.

  • show_mft.py (Python Script)
    A self-contained Python script that parses a single extracted MFT record and prints as much detail as it can, including MAC times, file attributes, object IDs, security descriptors, and hashes of the record, in a human-readable format.


Features

carve_mft.go (Golang)

  • Parallel Processing: Utilizes all available CPU cores to carve and parse disk images efficiently.
  • Flexible Input: Accepts a single disk image or a directory of images.
  • Configurable Output: Options to dump raw MFT records to a specified folder and to append parsed records to a JSONL file.
  • Robust Parsing: Extracts multiple attributes (e.g., Standard Information, File Name, Data, and more) and keeps going when it meets corrupted or partially overwritten records instead of aborting the run.

show_mft.py (Python)

  • Detailed Record Inspection: Parses a given MFT record file and displays comprehensive details using Python's pretty-print.
  • Hashing Support: Computes MD5, SHA256, SHA512, and CRC32 of the record for integrity verification.
  • Minimal Dependencies: Self-contained script with minimal external requirements.
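The two steps described above, carving a 1024-byte record out of an image and parsing it into JSONL, as an added, self-contained example. This is not code from carve_mft.go or show_mft.py; it is a minimal reimplementation of the same idea so the on-disk checks are visible in one place. It scans at 512-byte granularity for the FILE signature, validates and undoes the update sequence array (fixup) so torn or look-alike records are rejected, reads the record header, $STANDARD_INFORMATION timestamps and the long $FILE_NAME, and prints one JSON object per record. The sample image, record layout values and file names are constructed inline for illustration; the only real-world facts relied on are the NTFS FILE record and attribute layouts.

```python
import json
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here


def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def apply_fixup(rec):
    """Check the update sequence number (USN) at the end of every sector and restore the real
    bytes from the update sequence array (USA). None = torn write or bytes that merely start with FILE."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if usa_count < 2 or usa_off + 2 * usa_count > len(rec) or (usa_count - 1) * SECTOR_SIZE != len(rec):
        return None
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            return None
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw, offset):
    """One 1024-byte candidate -> dict for a JSONL line, or None if it is not a valid FILE record."""
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":
        return None
    rec = apply_fixup(raw)
    if rec is None:
        return None
    seq, _links, first_attr, flags, used = struct.unpack_from("<HHHHI", rec, 0x10)
    out = {"offset": offset, "record_number": struct.unpack_from("<I", rec, 0x2C)[0],
           "sequence": seq, "in_use": bool(flags & 1), "is_directory": bool(flags & 2)}
    pos, used = first_attr, min(used, RECORD_SIZE)
    while pos + 24 <= used:  # a full resident attribute header must fit
        typ, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if typ == ATTR_END or alen < 24 or pos + alen > used:
            break  # end marker, or a truncated attribute list: keep what was parsed
        clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
        if nonres == 0 and coff + clen <= alen:  # resident attribute with sane bounds
            body = rec[pos + coff:pos + coff + clen]
            if typ == ATTR_STD_INFO and clen >= 32:
                for key, ft in zip(("si_created", "si_modified", "si_mft_modified", "si_accessed"),
                                   struct.unpack_from("<4Q", body)):
                    out[key] = from_filetime(ft).isoformat()
            elif typ == ATTR_FILE_NAME and clen >= 0x42:
                nlen, namespace = body[0x40], body[0x41]  # namespace 2 = DOS 8.3 alias
                if 0x42 + 2 * nlen <= clen and (namespace != 2 or "name" not in out):
                    out["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
                    out["parent_record"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF  # low 48 bits
        pos += alen
    return out


def carve(image):
    """Scan at sector granularity (the MFT is rarely 1024-aligned relative to the start of a
    whole-disk image) and keep every candidate that survives fixup and parsing."""
    hits = (parse_record(image[off:off + RECORD_SIZE], off)
            for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR_SIZE))
    return [rec for rec in hits if rec is not None]


def resident(typ, body):
    """Constructed test data: resident attribute = 24-byte header, body, padded to 8 bytes."""
    total = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", typ, total, 0, 0, 0, 0, 0, len(body), 24, 0)
    return hdr + body + bytes(total - 24 - len(body))


def build_record(rec_no, name, created):
    """Constructed test data: on-disk (fixed-up) in-use file record with $STANDARD_INFORMATION
    and one Win32 $FILE_NAME whose parent is the root directory (record 5, sequence 5)."""
    t = [to_filetime(created + timedelta(hours=i)) for i in range(4)]
    si = struct.pack("<4QI", *t, 0x20) + bytes(12)  # 48-byte body, FILE_ATTRIBUTE_ARCHIVE
    enc = name.encode("utf-16-le")
    fn = struct.pack("<5Q", 5 | 5 << 48, *t) + struct.pack("<QQIIBB", 0, 13, 0x20, 0, len(enc) // 2, 1) + enc
    attrs = resident(ATTR_STD_INFO, si) + resident(ATTR_FILE_NAME, fn) + struct.pack("<II", ATTR_END, 0)
    # usa_off, usa_count, lsn, seq, links, first_attr, flags, used, alloc, base_ref, next_id, pad, rec_no
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 7, 1, 0x38, 1, 0x38 + len(attrs), RECORD_SIZE, 0, 2, 0, rec_no)
    rec = bytearray(hdr) + bytes(RECORD_SIZE - len(hdr))
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[510:512] = b"\xab\xcd"  # slack bytes, so the fixup restore is observable
    # NTFS parks the real last two bytes of every sector in the USA and writes the USN there.
    rec[0x30:0x36] = b"\x07\x00" + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = b"\x07\x00"
    return bytes(rec)


def sample_image():
    """Constructed 4 KiB image: a good record at a sector-aligned (not 1024-aligned) offset,
    then a torn copy whose second sector still carries an older USN and must be rejected."""
    t0 = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    torn = bytearray(build_record(43, "stale.log", t0))
    torn[1022:1024] = b"\x99\x00"
    return bytes(1536) + build_record(42, "notes.txt", t0) + bytes(512) + bytes(torn)


if __name__ == "__main__":
    for rec in carve(sample_image()):
        print(json.dumps(rec))  # one JSONL line per carved record
```

Running it prints a single JSONL line for the record at offset 1536; the torn copy at offset 3072 is dropped by apply_fixup rather than parsed into half-stale fields. The fixup check is the part worth keeping in any carver: a signature match alone will also fire on $LogFile copies, stale page-file fragments and unrelated data that happens to begin with "FILE".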

Requirements

  • carve_mft: Go (latest stable version recommended)
  • show_mft.py: Python 3.x

Usage

Building and Running carve_mft

  1. Build:

     go build -o carve_mft ./path/to/carve_mft.go

  2. Run: The tool accepts several command-line options:

       --dump          Enable dumping of raw MFT records (off by default).
       --jsonl         Output JSONL file path. If not provided, a default name based on the input file and a timestamp is used.
       --dump-folder   Folder to store raw dumps. If not provided, a default folder is created.

     Example:

       ./carve_mft --dump --jsonl=/path/to/output.jsonl --dump-folder=/path/to/dumps /path/to/disk/image/or/directory

Running show_mft.py

Simply point the script at an extracted MFT record file:

  python show_mft.py path/to/extracted_record.bin