TScopy is a Python script used to parse the NTFS $MFT file to locate and copy specific files. By parsing the Master File Table (MFT), the script bypasses operating system locks on files. The script was originally based on the work of RawCopy. RawCopy is written in AutoIT and is difficult to modify for our purposes. The decision to port RawCopy to Python was done because of the need to incorporate this functionality natively into our toolset.

Download How to Get TScopy
Option 1
To download the TScopy, type the following command in Linux:
Options 2
View on Git
help How to Get Help with TScopy

For bug reports or enhancements, please open an issue on this project’s github page.

TrustedSec Security Blog OneNote Malware Analysis