Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jeffbryner/pymftgrabber
Utility to retrieve the Master File Table (MFT) from a live running NTFS volume and send it to a netcat listener.
https://github.com/jeffbryner/pymftgrabber
Last synced: about 2 months ago
JSON representation
Utility to retrieve the Master File Table (MFT) from a live running NTFS volume and send it to a netcat listener.
- Host: GitHub
- URL: https://github.com/jeffbryner/pymftgrabber
- Owner: jeffbryner
- License: other
- Created: 2012-10-14T20:38:47.000Z (about 12 years ago)
- Default Branch: master
- Last Pushed: 2014-10-09T19:47:18.000Z (about 10 years ago)
- Last Synced: 2024-04-16T03:39:18.493Z (8 months ago)
- Language: Python
- Size: 4.09 MB
- Stars: 39
- Watchers: 9
- Forks: 8
- Open Issues: 0
-
Metadata Files:
- Readme: README
- License: COPYING
Awesome Lists containing this project
README
2012 Jeff Bryner
Script to retrieve the Master File Table (MFT) record for an NTFS file system from a live system.
Usage:
Victim/Client NTFS/Windows box:
python pyMFTGrabber.py -f "\\.\C:" -s 10.200.1.1 -p 6666
(or compile it using pyinstaller and run without python)
Forensic workstation at 10.200.1.1:
nc -l -p 6666 >mft.dd
You can then use several tools to decode the MFT records:
1) analyzeMFT.py ( https://github.com/dkovar/analyzeMFT )
analyzeMFT.py -f mft.dd -o mft.out
2) INDXParse (https://github.com/williballenthin/INDXParse )
MFTINDX.py -t MFT -m -d mft.dd > mft.out
Demo at: http://www.youtube.com/watch?v=uKSM_kbpn4g