
Powershell: Remote, Diskless MFT Snaggin'

I wanted a way to pull the Master File Table (MFT) from a target system without writing anything to that system's disk: no binary dropped on the box to kick off the copy, and no copy of the MFT dumped there either.  One option is to mount a remote share and write the contents to it, but that still leaves the problem of getting a binary onto the workstation.  So I had the idea of funneling the contents through a network connection back to a server.  I figured that would be the simple part; the hard part would be actually copying the MFT.

The gist of the MFT is that it's a special NTFS metadata file ($MFT, at the root of every NTFS volume, e.g. C:\$MFT) that the file system keeps hidden from the normal interfaces (PowerShell, CMD, the Explorer GUI), and a plain file open won't get you at it either.  To copy it you have to go through the Windows API: open a handle to the raw volume and read the MFT out of that.  Luckily, I stumbled on a script that already did this.  Funny enough, it was written by Jesse Davis, a guy I worked with in the Air Force.

On his GitHub page (linked below), his Export-MFT script does the brunt of the work: locating the MFT and writing it out to disk.  So the only two tasks I needed to handle were 1) changing the destination it writes the contents to, and 2) wrapping the call in a handler that does the network part.

I opted to use PowerShell's Runspace feature, which essentially lets you create a separate work area in the background, inside your current PowerShell session, and "fork" work off to it without blocking your shell.  It's not a true fork in the traditional sense, but you get the idea.  I wanted this so I could keep doing other analysis tasks while the copy ran.

Since MFTs can be large, depending on how long the box has been in use, I didn't want my shell locked up for long stretches.  Funny that I went to the trouble of creating a Runspace and still haven't actually freed up the shell, but it'll get there; for now you'll have to wait for execution to finish before you get your shell back.  In testing, a ~200MB MFT transferred in about a minute and a half.  Here's a basic overview of what the script does:

  1. Create a PS Remote Session on the target workstation
  2. Create a Runspace
  3. Push the function that starts a local server (the one that will catch the MFT bytes coming over the network) into that Runspace
  4. Initialize the server in the Runspace
  5. Push/execute a modified Scriptblock of Jesse Davis's MFT copying script on the target workstation

Once execution begins, instead of writing to the target's disk, the script writes to a PowerShell network stream object that forwards the bytes back to my system, where they're written to disk.  All done without writing a binary or any of the contents to the target's disk.  One caveat to check for: anything in the scriptblock that compiles C# on the fly with Add-Type leaves temporary source and DLL files in the target's %TEMP%, so look the copying script over for that before calling the run truly diskless.

An important point: this doesn't yet encrypt the MFT data stream before sending it over the network.  The WinRM session that launches the copy is encrypted, but the stream carrying the MFT itself is a plain TCP connection, and the MFT is a listing of every file name, path and timestamp on the volume, so anyone on the path can read it.  Should be an easy fix and I'll add it when I get the chance.
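The five steps above, plus the encryption that's still missing, as one added example.  This is my own code, not the blog's script and not Jesse Davis's Export-MFT: it covers the transport half of the technique (a receiver hosted in a Runspace, a remote scriptblock that streams bytes back instead of writing them) and wraps the stream in TLS with the listener's certificate pinned on the target side.  Everything named in it is an assumption: a target called WS01, an analyst box at 10.0.0.5 reachable from the target on TCP 4444, WinRM already working, Windows PowerShell 5.1 on both ends, and an ordinary file on the target standing in for the MFT bytes the modified Export-MFT would hand over.

```powershell
# Added example, not the blog's script and not Jesse Davis's Export-MFT: the transport half of
# the technique (Runspace-hosted receiver, remote scriptblock that streams bytes back) plus the
# piece the post says is still missing, TLS on that stream.
# Assumptions (all hypothetical): target 'WS01', the analyst box is 10.0.0.5 and reachable from
# the target on TCP 4444, WinRM already works, Windows PowerShell 5.1 on both ends, and a file on
# the target stands in for the MFT bytes the modified Export-MFT would hand over.
param(
    [string]$ComputerName  = 'WS01',
    [string]$ListenAddress = '10.0.0.5',
    [int]   $Port          = 4444,
    [string]$RemoteSource  = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$OutFile       = "$env:USERPROFILE\$ComputerName-mft.bin"
)

# Throwaway self-signed cert for the listener. The target pins its thumbprint, so the bytes can
# only be sent to us, and TLS keeps the MFT from crossing the wire in the clear.
$cert = New-SelfSignedCertificate -DnsName 'mft-collector' -CertStoreLocation Cert:\CurrentUser\My

# Start listening on the main thread so the socket exists before the target tries to connect;
# the Runspace only does the (blocking) accept and read.
$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Parse($ListenAddress), $Port)
$listener.Start()

# --- Receiver: runs inside a Runspace so the interactive shell is not tied up ---
$ReceiverScript = {
    param($Listener, $OutFile, $Cert)
    $client = $Listener.AcceptTcpClient()
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
    $ssl.AuthenticateAsServer($Cert, $false, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $out = [System.IO.File]::Create($OutFile)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $buf = New-Object byte[] 65536
    $total = 0L
    while (($n = $ssl.Read($buf, 0, $buf.Length)) -gt 0) {
        $out.Write($buf, 0, $n)
        [void]$sha.TransformBlock($buf, 0, $n, $null, 0)
        $total += $n
    }
    [void]$sha.TransformFinalBlock($buf, 0, 0)
    $out.Dispose(); $ssl.Dispose(); $client.Dispose()
    # Handed back through EndInvoke so the copy can be checked against the hash taken on the target.
    [pscustomobject]@{
        Bytes  = $total
        SHA256 = ($sha.Hash | ForEach-Object { $_.ToString('X2') }) -join ''
    }
}

$rs = [runspacefactory]::CreateRunspace()
$rs.Open()
$ps = [powershell]::Create()
$ps.Runspace = $rs
[void]$ps.AddScript($ReceiverScript).AddArgument($listener).AddArgument($OutFile).AddArgument($cert)
$async = $ps.BeginInvoke()   # returns at once; the receiver now waits in the background

# --- Sender: executed on the target, writes to the socket instead of the target's disk ---
$SenderScript = {
    param($Address, $Port, $PinnedThumbprint, $SourcePath)
    $pin = $PinnedThumbprint
    # Trust exactly one certificate: the analyst's. No CA chain, no hostname matching.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $errors)
        $certificate.GetCertHashString() -eq $pin
    }.GetNewClosure())
    $client = [System.Net.Sockets.TcpClient]::new($Address, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient('mft-collector')
    # In the real run $src is the MFT byte stream from the modified Export-MFT; here it is an
    # ordinary file (assumption) so the transport can be exercised on any box.
    $src = [System.IO.File]::OpenRead($SourcePath)
    $src.CopyTo($ssl)
    $ssl.Flush(); $src.Dispose(); $ssl.Dispose(); $client.Dispose()
    (Get-FileHash -Path $SourcePath -Algorithm SHA256).Hash
}

$session = New-PSSession -ComputerName $ComputerName
try {
    $remoteHash = Invoke-Command -Session $session -ScriptBlock $SenderScript `
        -ArgumentList $ListenAddress, $Port, $cert.Thumbprint, $RemoteSource
} finally { Remove-PSSession $session }

$received = $ps.EndInvoke($async) | Select-Object -First 1
$listener.Stop(); $ps.Dispose(); $rs.Dispose()

# Integrity check: what landed on our disk must hash to what the target read.
if ($received.SHA256 -ne $remoteHash) {
    throw "Hash mismatch: received $($received.SHA256), target computed $remoteHash"
}
'{0} bytes written to {1}, SHA256 {2}' -f $received.Bytes, $OutFile, $received.SHA256
```

Two design notes.  The listener is started on the main thread and only the accept/read happens in the Runspace, which removes the race where the target connects before the background thread has called Start().  The target validates the listener by thumbprint alone rather than by CA chain, so a throwaway self-signed certificate is enough and the bytes cannot be redirected to anything but the analyst's box; remove it from Cert:\CurrentUser\My when the collection is done.  Invoke-Command here still blocks, exactly as the post describes; swapping it for Invoke-Command -AsJob is what would finally hand the shell back while the copy runs.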
