ntfstool v1.5 releases: Forensics tool for NTFS

ntfstool

NTFSTool is a forensic tool for working with disks and NTFS volumes. It reads partition information (MBR, partition table, VBR) as well as the metadata of BitLocker-encrypted partitions (FVE). See the examples below for some of the features.

Features

Forensics

NTFSTool displays the complete structure of the master boot record, volume boot record, partition table, and MFT file records. It can also dump any file (including the hidden $MFT) and parse $UsnJrnl and $LogFile, including data held in an Alternate Data Stream (ADS). The undelete command searches for any file record marked "not in use" and lets you retrieve the file (or whatever part of it has not yet been overwritten). Input can be an image file or a live disk; you can also use a tool such as OSFMount to mount a disk image. Sparse and compressed files are (partially) supported.

Bitlocker support

For BitLocker-encrypted partitions, it can display the FVE records, check a password, and supports three key formats (bek, password, recovery key); it can also extract the VMK and FVEK. There is no brute-forcing feature, because GPU-based cracking is better suited to that (see Bitcracker and Hashcat).

Shell

There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp).

Use

The help command displays some examples for each command. Options can be entered as decimal numbers or as hex numbers with a "0x" prefix.

Command      Description
-----------  ------------------------------------------------------------------
info         Display information for all disks and volumes
mbr          Display MBR structure, code and partitions for a disk
gpt          Display GPT structure, code and partitions for a disk
vbr          Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported)
extract      Extract a file from a volume
image        Create an image file of a disk or volume
mft          Display FILE record details for a specified MFT inode (almost all attribute types supported)
btree        Display VCN content and B-tree index for an inode
bitlocker    Display detailed information and hash ($bitlocker$) for all VMKs; a password or recovery key can be tested, and if it is correct the decrypted VMK and FVEK are displayed
bitdecrypt   Decrypt a volume to a file using a password, recovery key or bek
efs          List, display and decrypt EFS-related structures
fve          Display information for the specified FVE block (0, 1, 2)
reparse      Parse and display reparse points from $Extend\$Reparse
logfile      Dump the $LogFile file in the specified format: csv, json, raw
usn          Dump the $UsnJrnl file in the specified format: csv, json, raw
shadow       List volume shadow snapshots for the selected disk and volume
streams      Display Alternate Data Streams
undelete     Search for and extract deleted files from a volume
shell        Start a mini Unix-like shell
smart        Display S.M.A.R.T. data
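The vbr command above distinguishes an NTFS boot sector from a BitLocker one and decodes its BIOS parameter block. The following is an added example, not code from NTFSTool, showing what such a parser does: it builds a constructed 512-byte VBR (synthetic values, not from a real disk), recognises the "NTFS    " and "-FVE-FS-" OEM IDs, decodes cluster size, $MFT location and record sizes, and flags a VBR whose $MFT pointer falls outside the volume.

```python
import struct

SECTOR = 512
OEM_NTFS = b"NTFS    "
OEM_BITLOCKER = b"-FVE-FS-"  # BitLocker overwrites the NTFS OEM ID with this

def build_sample_vbr(oem: bytes, mft_lcn: int = 262144) -> bytes:
    """Construct a synthetic 512-byte VBR for this demo (not captured from a real disk)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                          # x86 jump over the BPB
    vbr[3:11] = oem.ljust(8)                            # OEM ID, space padded
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)          # bytes/sector, sectors/cluster
    vbr[0x15] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<HHI", vbr, 0x18, 63, 255, 2048)  # sectors/track, heads, hidden sectors
    struct.pack_into("<QQQ", vbr, 0x28, 8388607, mft_lcn, 2)  # total sectors, $MFT LCN, $MFTMirr LCN
    struct.pack_into("<bxxxb", vbr, 0x40, -10, 1)       # file record = 2**10 bytes; index buffer = 1 cluster
    struct.pack_into("<Q", vbr, 0x48, 0x1234567890ABCDEF)  # volume serial number
    vbr[0x1FE:0x200] = b"\x55\xAA"                      # boot sector signature
    return bytes(vbr)

def parse_vbr(vbr: bytes) -> dict:
    """Identify the volume type from its VBR and decode the NTFS BPB fields."""
    if len(vbr) < SECTOR or vbr[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    oem = vbr[3:11]
    if oem == OEM_BITLOCKER:
        # The NTFS boot sector itself is encrypted; metadata lives in the FVE blocks.
        return {"type": "bitlocker"}
    if oem != OEM_NTFS:
        raise ValueError(f"unsupported OEM ID {oem!r}")
    bps, spc = struct.unpack_from("<HB", vbr, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", vbr, 0x28)
    cpfr, cpib = struct.unpack_from("<bxxxb", vbr, 0x40)
    cluster = bps * spc
    # Negative values encode log2 of a byte size; positive values count clusters.
    size = lambda v: (1 << -v) if v < 0 else v * cluster
    # mft_in_bounds: $MFT must lie inside the volume, else the VBR is corrupt or tampered.
    return {
        "type": "ntfs", "cluster_size": cluster, "total_sectors": total_sectors,
        "mft_offset": mft_lcn * cluster, "mftmirr_offset": mftmirr_lcn * cluster,
        "file_record_size": size(cpfr), "index_record_size": size(cpib),
        "volume_serial": struct.unpack_from("<Q", vbr, 0x48)[0],
        "mft_in_bounds": mft_lcn * spc < total_sectors,
    }

if __name__ == "__main__":
    for oem in (b"NTFS", OEM_BITLOCKER):
        print(parse_vbr(build_sample_vbr(oem)))
```

To run it against a real image, replace the constructed sector with the first 512 bytes read at the partition's start offset.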

Changelog v1.5

  • Many fixes from the last release!

Install

Copyright (c) 2019 thewhiteninja