During Incident Response missions, we have to use forensics tools either on a local system or at the company scale. For different reasons, we could not use the available MFT parsers available and we needed to do live $I30 carving as well.
So we decided to create our own. We named it MftCrawler.
MftCrawler is a MFT parser written in Lua with $i30 carving capabilities.
It can be used to parse offline MFT (saved MFT file) or Live (Windows & Linux).
When running in live mode MftCrawler can carve $i30 records and try to resurrect deleted file entries.
MftCrawler was designed with these goals in mind:
Simple & easy to modify
Fast (*)
Low memory consumption (*)
(*) The $i30 carving does impact the performance.
This is still a work in progress (read BETA, so bugs will happen) and several features are still missing (owner SID, non resident attribute spanning several records,…)
Source & documentation can be found here: http://bitbucket.cassidiancybersecurity.com/mftcrawler
Feedback & bug reports highly appreciated !