MFTEntryCarver: Carve files for MFT entries (eg. blkls output or memory dumps)

~ hucktech

MFTEntryCarver: Carve files for MFT entries (eg. blkls output or memory dumps). Recovers filenames (long & short), timestamps ($STD & $FN) and data if resident. It will also parse half broken entries as long as at least one $FN entry is ok. There is a more detailed description of how and why I wrote that and how you can use it on my blog (https://www.cyberfox.blog/carving-mft-mftentrycarver-py/). I’m not really a developer but just an DFIR guy. So please excuse the spaghetti code.

https://www.cyberfox.blog/carving-mft-mftentrycarver-py/

https://github.com/cyb3rfox/MFTEntryCarver/

Published by hucktech

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s