ntfstool v1.5 releases: Forensics tool for NTFS
ntfstool
NTFSTool is a forensic tool to play with disks and NTFS volumes. It supports reading partition info (mbr, partition table, vbr) but also information on bitlocker encrypted partition (fve). See examples below to see some of the features!
Features
Forensics
NTFSTool displays the complete structure of the master boot record, volume boot record, partition table, and MFT file record. It is also possible to dump any file (even hidden $mft) or parse $usnjrnl, $logfile including a file from Alternate Data Stream (ADS). The undelete command will search for any file record marked as “not in use” and allow you to retrieve the file (or part of the file if it was already rewritten). It supports input from image file or live disks. You can also use tools like OSFMount to mount your disk image. Sparse and compressed files are also (partially) supported.
Bitlocker support
For bitlocked partition, it can display FVE records, check a password and support 3 formats (bek, password, recovery key), extract VMK and FVEK. There is no bruteforcing feature because GPU-based cracking is better (see Bitcracker and Hashcat).
Shell
There is a limited shell with few commands (exit, cd, ls , cat , pwd, cp).
Use
the help command displays some examples for each command. Options can be entered as decimal or hex number with “0x” prefix.
| Command | Description |
|---|---|
| info | Display information for all disks and volumes |
| mbr | Display MBR structure, code and partitions for a disk |
| gpt | Display GPT structure, code and partitions for a disk |
| vbr | Display VBR structure and code for a specidifed volume (ntfs, fat32, fat1x, bitlocker supported) |
| extract | Extract a file from a volume. |
| image | Create an image file of a disk or volume. |
| mft | Display FILE record details for a specified MFT inode. Almost all attribute types supported |
| btree | Display VCN content and Btree index for an inode |
| bitlocker | Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK is displayed. |
| bitdecrypt | Decrypt a volume to a file using password, recovery key or bek. |
| efs | List, display and decrypt EFS related structures. |
| fve | Display information for the specified FVE block (0, 1, 2) |
| reparse | Parse and display reparse points from $Extend$Reparse. |
| logfile | Dump $LogFile file in specified format: csv, json, raw. |
| usn | Dump $UsnJrnl file in specified format: csv, json, raw. |
| shadow | List volume shadow snapshots from selected disk and volume. |
| streams | Display Alternate Data Streams |
| undelete | Search and extract deleted files for a volume. |
| shell | Start a mini Unix-like shell |
| smart | Display S.M.A.R.T data |
Changelog v1.5
- Many fixes from the last release!
Install
Copyright (c) 2019 thewhiteninja
