kero99/mftmactime

Description

mftmactime is an MFT and USN Journal parser that writes a filesystem timeline directly in mactime format, dumps every file whose data is resident in the MFT (small files whose content is stored inside the MFT record itself rather than in clusters on disk) into its original folder structure, and runs YARA rules over the dumped files.

It is built on Omer BenAmram's Rust MFT parsing library (https://github.com/omerbenamram/mft), which keeps parsing fast and memory-efficient. The integrated USN Journal parser places MFT and USN records for the same inode into one combined timeline, so a file's creation, renames and deletion from the journal appear next to its MFT timestamps.

Input can be individual artifacts collected during triage (such as a copied $MFT), a forensic image in RAW format, or a mixture of both. When the input is a RAW image, the artifacts are first extracted from the image into the directory given with -d (DUMP_PATH) and then processed from there.
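To make the steps above concrete, the following is an added example and not mftmactime's own code (the tool delegates record parsing to the Rust mft crate). It shows, for one NTFS FILE record, what has to happen before a timeline row can be written: apply the update-sequence fixups, read $STANDARD_INFORMATION and $FILE_NAME, pull the payload out of a resident $DATA attribute, and render the entry as a mactime body line. The record bytes, the record number 77, the name notes.txt and the timestamps are constructed test data; the page does not state whether mftmactime emits the pipe-delimited body format or mactime's CSV output, so the body format used here is an assumption.

```python
"""Minimal NTFS MFT FILE record parser (added example; constructed test data)."""
import struct
from dataclasses import dataclass
from typing import Optional

# Standard NTFS on-disk constants (assumed from the NTFS layout, not from mftmactime).
FILETIME_EPOCH_DIFF = 116444736000000000  # 100 ns ticks from 1601-01-01 to 1970-01-01
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
SECTOR = 512
RECORD_SIZE = 1024


def filetime_to_unix(ft: int) -> int:
    return (ft - FILETIME_EPOCH_DIFF) // 10_000_000


def unix_to_filetime(ts: int) -> int:
    return ts * 10_000_000 + FILETIME_EPOCH_DIFF


def apply_fixups(record: bytearray) -> bytearray:
    """Undo the update sequence array: on disk the last two bytes of every sector are
    stamped with the USN and the real bytes live in the array. A mismatch means a torn
    write, and a forensic parser must flag the record rather than silently use it."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = bytes(record[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = SECTOR * i
        if bytes(record[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn record")
        record[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return record


@dataclass
class MftEntry:
    record_number: int
    name: str
    size: int
    resident_data: Optional[bytes]  # payload of an unnamed resident $DATA, if any
    atime: int
    mtime: int
    ctime: int  # MFT entry modified time, shown as 'c' by mactime
    crtime: int

    def body_line(self) -> str:
        """mactime body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
        return "|".join(map(str, ("0", self.name, self.record_number, "r/rrwxrwxrwx",
                                  0, 0, self.size, self.atime, self.mtime,
                                  self.ctime, self.crtime)))


def parse_record(raw: bytes) -> MftEntry:
    rec = apply_fixups(bytearray(raw))
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", rec, 20)[0]  # offset of the first attribute
    record_number = struct.unpack_from("<I", rec, 44)[0]
    name, size, data, times = "", 0, None, (0, 0, 0, 0)
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:  # resident flag clear: the value sits inside this record
            vlen, voff = struct.unpack_from("<IH", rec, off + 16)
            value = bytes(rec[off + voff:off + voff + vlen])
            if atype == ATTR_STANDARD_INFORMATION:
                cr, mo, mftmod, ac = struct.unpack_from("<QQQQ", value, 0)
                times = tuple(filetime_to_unix(t) for t in (ac, mo, mftmod, cr))
            elif atype == ATTR_FILE_NAME:
                size = struct.unpack_from("<Q", value, 48)[0]  # real (not allocated) size
                name = value[66:66 + 2 * value[64]].decode("utf-16-le")
            elif atype == ATTR_DATA and rec[off + 9] == 0:  # unnamed $DATA stream
                data, size = value, vlen
        off += alen
    return MftEntry(record_number, name, size, data, *times)


def _resident_attr(atype: int, value: bytes) -> bytes:
    """Unnamed resident attribute: 24-byte header, value padded to 8 bytes."""
    total = 24 + len(value) + (-len(value)) % 8
    hdr = struct.pack("<IIBBHHH", atype, total, 0, 0, 24, 0, 0)
    hdr += struct.pack("<IHBB", len(value), 24, 0, 0)
    return (hdr + value).ljust(total, b"\x00")


def build_sample_record(payload: bytes = b"token=EXAMPLE-ONLY\n") -> bytes:
    """Constructed test data: record 77, notes.txt under the root directory (record 5),
    with a resident $DATA stream and fixups stamped the way the driver writes them."""
    base = 1662508800  # 2022-09-07T00:00:00Z, an invented creation time
    ft = [unix_to_filetime(base + d) for d in (0, 60, 120, 180)]  # cr, mo, mftmod, ac
    std_info = struct.pack("<QQQQ", *ft) + b"\x00" * 16
    name = "notes.txt".encode("utf-16-le")
    file_name = struct.pack("<Q", 5 | (5 << 48)) + struct.pack("<QQQQ", *ft)
    file_name += struct.pack("<QQIIBB", len(payload) + (-len(payload)) % 8,
                             len(payload), 0x20, 0, len(name) // 2, 3) + name
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, std_info)
             + _resident_attr(ATTR_FILE_NAME, file_name)
             + _resident_attr(ATTR_DATA, payload)
             + struct.pack("<II", ATTR_END, 0))
    usa_off, usa_count, first_attr = 48, 3, 56
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 1, 1, 1,
                      first_attr, 0x01, first_attr + len(attrs), RECORD_SIZE, 0, 4, 0, 77)
    rec = bytearray((hdr + b"\x00" * (first_attr - 48) + attrs).ljust(RECORD_SIZE, b"\x00"))
    usn, usa = b"\x07\x00", b"\x07\x00"
    for i in range(1, usa_count):  # stash the real sector-end bytes, stamp the USN
        end = SECTOR * i
        usa += bytes(rec[end - 2:end])
        rec[end - 2:end] = usn
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)


if __name__ == "__main__":
    entry = parse_record(build_sample_record())
    print(entry.body_line())
    print(entry.resident_data)
```

The fixup check is the part worth keeping in mind when reading any MFT-derived timeline: a record whose sector trailers do not match its USN was interrupted mid-write, and its timestamps and resident payload should be treated as unreliable rather than added to the timeline as if they were intact.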

Requirements

pip install mft argparse tqdm pytz pytsk3 yara-python

Use

usage: mftmactime [-h] [-V] -f FILE -o OUTPUT [-m DRIVE] [-n] [-tz TIMEZONE] [-r RESIDENT] [-u USN] [-s OFFSET] [-d DUMP_PATH] [-y YARA_RULES] [-yc YARA_COMPILED]

Example

mftmactime.py -f /mnt/comp001/\$MFT -o comp001_fstl.csv -n


Example: timeline plus dump of resident files

mftmactime -f MFT -o test.csv -n -r recovery_output


Example of inode entries with USN Journal and MFT mixed data

(screenshot of the combined timeline, not reproduced here)

Example: dump and process from a RAW image (the same image is given as the MFT source and the USN source)

mftmactime -n -f ../evidence/Testing/test-img.dd -u ../evidence/Testing/test-img.dd -o ./filesystem_tln.csv -d dump -r residents


Example: run YARA rules over resident files

(screenshot of the YARA run, not reproduced here)
