Tool Release: fuse-mft

Over the past few months and years, I’ve developed a number of tools for forensic investigators. These are tools I needed for one reason or another, and actively used over many investigations. Although I’ve mentioned some of them in passing at various points (such as at OSDFC, or in my MFT analysis presentation), many of the tools have never received a formal introduction or release. These posts change that.

fuse-mft is a FUSE file system driver for MFT files. It allows an analyst to mount the file system tree defined by an MFT on their analysis machine. Then, they can use familiar command line or graphical tools to explore the contents. fuse-mft uses the metadata found within the MFT to populate the entries, and exposes a few virtual files to provide additional context.
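To show how a directory tree can be recovered from MFT metadata alone, here is an added example (not fuse-mft's own code) that reads each record's resident $FILE_NAME attribute and follows the parent references up to the root. It assumes 1024-byte records and does not apply the update-sequence fixups; `make_record`, the sample records and the `/$Orphan` bucket name are constructed for this illustration.

```python
import struct

RECORD_SIZE, ROOT = 1024, 5   # assumed record size; record 5 is the NTFS root

def file_name(rec):
    """Return (parent_record, name) from a record's $FILE_NAME, or None."""
    if rec[:4] != b"FILE" or not struct.unpack_from("<H", rec, 0x16)[0] & 1:
        return None                                # empty slot or not in use
    off, best = struct.unpack_from("<H", rec, 0x14)[0], None
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:       # end marker or corrupt length
            break
        if atype == 0x30 and rec[off + 8] == 0:    # resident $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            parent = struct.unpack_from("<Q", rec, c)[0] & 0xFFFFFFFFFFFF
            nlen, ns = rec[c + 0x40], rec[c + 0x41]
            name = rec[c + 0x42:c + 0x42 + 2 * nlen].decode("utf-16-le", "replace")
            # namespace 2 is the DOS 8.3 alias; keep a long name when one exists
            best = (parent, name) if best is None or ns != 2 else best
        off += alen
    return best

def build_paths(mft):
    """Map record number -> full path by following parent references."""
    recs = ((i // RECORD_SIZE, file_name(mft[i:i + RECORD_SIZE]))
            for i in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE))
    names = {n: fn for n, fn in recs if fn}
    paths = {}
    for recno in names:
        parts, cur, seen = [], recno, set()
        while cur != ROOT and cur in names and cur not in seen:
            seen.add(cur)                          # guard against parent loops
            parts.append(names[cur][1])
            cur = names[cur][0]
        prefix = "" if cur == ROOT else "/$Orphan" # parent missing: hypothetical bucket
        paths[recno] = prefix + "/" + "/".join(reversed(parts))
    return paths

def make_record(parent, name, ns=1, in_use=True):
    """Constructed sample data: a minimal FILE record with one $FILE_NAME."""
    content = struct.pack("<Q", parent) + bytes(0x38) + bytes([len(name), ns]) + name.encode("utf-16-le")
    alen = (0x18 + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIH", 0x30, alen, 0, 0, 0, 0, 0, len(content), 0x18)
    hdr = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, int(in_use))
    rec = hdr.ljust(0x38, b"\0") + (attr + bytes(2) + content).ljust(alen, b"\0")
    return (rec + b"\xff" * 4).ljust(RECORD_SIZE, b"\0")

SAMPLE = {5: (5, "."), 6: (5, "Users"), 7: (6, "alice"), 8: (7, "notes.txt"), 9: (42, "lost.doc")}  # constructed
SAMPLE_MFT = b"".join(make_record(*SAMPLE[i]) if i in SAMPLE else bytes(RECORD_SIZE) for i in range(10))
```

Record 9 in the sample points at a parent that is not present, which is the case a deleted or overwritten directory produces in a real MFT.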

For more information, please visit the tool page here.