Ntfstool

Forensics tool for NTFS (parser, mft, bitlocker, deleted files)

README

ntfstool

License: GitHub | Language: C++ | x64, x86 | v1.6 | Build

NTFSTool is a forensic tool focused on NTFS volumes. It reads partition information (MBR, partition table, VBR) as well as the Master File Table, BitLocker-encrypted volumes, EFS-encrypted files, the USN journal and more.

Download the latest binaries from AppVeyor or from the latest GitHub build artefacts.

See below for some examples of the features!

Features

Forensics

NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and $MFT file records. It can also dump any file (even $MFT or SAM), including Alternate Data Streams (ADS), and parse and analyze the USN journal and $LogFile. $MFT can be dumped as CSV or JSON with Zone.Identifier parsing to quickly identify downloaded files. The undelete command searches for any file record marked as "not in use" and lets you retrieve the file (or the part of it that has not yet been overwritten). Input can be an image file, a live disk or a virtual disk such as a VeraCrypt or TrueCrypt volume; you can also use a tool like OSFMount to mount a disk image. Sparse and compressed files (LZNT1, XPRESS) are supported as well.
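The undelete behaviour described above rests on one header field of each $MFT entry: the in-use bit of the FILE record flags. The following Python is an added example, not ntfstool's own code, showing how a raw $MFT dump is walked for records whose in-use bit is clear. It implements the public NTFS on-disk format (FILE signature, update-sequence fixup, header fields at offsets 0x10 to 0x30); the sample record it builds is constructed test data, and the 1024-byte record size is an assumption that on a real volume must be read from the VBR.

```python
import struct

# NTFS FILE record layout constants (public NTFS on-disk format, not ntfstool code)
RECORD_SIZE = 1024        # common $MFT record size; read it from the VBR on a real volume
SECTOR_SIZE = 512
FLAG_IN_USE = 0x0001      # clear on a deleted record: this is what undelete looks for
FLAG_DIRECTORY = 0x0002
HEADER_FMT = "<HHHHIIQHHI"  # header fields from offset 0x10 to 0x30, see parse_file_record


def apply_fixup(record: bytes) -> bytes:
    """Undo the update-sequence fixup NTFS applies to every FILE record.

    On disk, the last two bytes of each 512-byte sector of the record are
    replaced by the update sequence number (USN); the bytes they displaced
    are stored in the update sequence array right after the USN. A sector
    whose trailing word does not equal the USN was not fully written (torn
    write), so the record is rejected instead of silently parsed.
    """
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record: bad signature")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 0x04)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):            # entry 0 is the USN itself
        sector_end = i * SECTOR_SIZE
        if fixed[sector_end - 2:sector_end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write?")
        saved = usa_offset + 2 * i
        fixed[sector_end - 2:sector_end] = record[saved:saved + 2]
    return bytes(fixed)


def parse_file_record(record: bytes) -> dict:
    """Parse the FILE record header and report the fields undelete cares about."""
    rec = apply_fixup(record)
    (sequence, hard_links, first_attr, flags, used_size, alloc_size,
     base_ref, next_attr_id, _pad, record_number) = struct.unpack_from(HEADER_FMT, rec, 0x10)
    return {
        "record_number": record_number,
        "sequence": sequence,            # incremented each time the record is reused
        "hard_links": hard_links,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "first_attribute_offset": first_attr,
        "used_size": used_size,
        "allocated_size": alloc_size,
        "base_record": base_ref & 0xFFFFFFFFFFFF,   # low 48 bits; 0 for a base record
    }


def find_deleted_records(mft: bytes) -> list:
    """Walk a raw $MFT dump and return headers of records marked 'not in use'.

    Entries that never held a file are all zeros and carry no FILE signature;
    they are skipped rather than reported as deleted.
    """
    deleted = []
    for offset in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        chunk = mft[offset:offset + RECORD_SIZE]
        if chunk[:4] != b"FILE":
            continue
        info = parse_file_record(chunk)
        if not info["in_use"]:
            deleted.append(info)
    return deleted


def build_sample_record(record_number: int, in_use: bool, usn: int = 0x1234) -> bytes:
    """Constructed test data: a minimal FILE record with the fixup applied as NTFS would."""
    buf = bytearray(RECORD_SIZE)
    buf[0:4] = b"FILE"
    usa_offset, usa_count = 0x30, RECORD_SIZE // SECTOR_SIZE + 1
    struct.pack_into("<HH", buf, 0x04, usa_offset, usa_count)
    flags = FLAG_IN_USE if in_use else 0
    struct.pack_into(HEADER_FMT, buf, 0x10, 7, 1, 0x38, flags, 0x100, RECORD_SIZE, 0, 4, 0, record_number)
    buf[510:512], buf[1022:1024] = b"AB", b"CD"  # words the fixup will displace
    struct.pack_into("<H", buf, usa_offset, usn)
    for i in range(1, usa_count):                 # emulate the on-disk fixup
        end = i * SECTOR_SIZE
        buf[usa_offset + 2 * i:usa_offset + 2 * i + 2] = buf[end - 2:end]
        struct.pack_into("<H", buf, end - 2, usn)
    return bytes(buf)


if __name__ == "__main__":
    mft = build_sample_record(40, True) + build_sample_record(41, False) + bytes(RECORD_SIZE)
    for rec in find_deleted_records(mft):
        print(f"record {rec['record_number']} seq {rec['sequence']} is not in use (undelete candidate)")
```

A record that is not in use only tells you the metadata survived; whether the content can be recovered in full, or only partially as the text above notes, depends on whether the clusters referenced by its $DATA attribute have since been reallocated, which is checked against $Bitmap. The fixup check matters in practice: a record with a mismatched update sequence was torn mid-write and its attribute list should not be trusted.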

Bitlocker support

For a BitLocker-encrypted partition, it can display FVE records, check a password or key (BEK file, password, recovery key) and extract the VMK and FVEK. There is no brute-force feature, because GPU-based cracking is better suited to that (see BitCracker and Hashcat), but you can export the hash for those tools.

EFS support

Master keys, private keys and certificates can be listed, displayed and decrypted given the required inputs (SID, password). Certificates with their private keys can be exported using the backup command.

Re-import the backup on another machine to be able to read your encrypted files again, or use the efs.decrypt command to decrypt a file using the backed-up key.

More information on Mimikatz Wiki

USN Journal analysis

USN journal records can be analyzed using custom rules to detect suspicious programs and actions, and to get an overview of the journal (percentage of files deleted, created, ...).

Default rules: Rules/default.json

  {
    "id": "lsass-dump",
    "description": "Dumped LSASS.exe process.",
    "severity": "high",
    "rule": {
      "filename": "lsass(\\.(dmp|dump))?"
    }
  }

See an example run here: usn.analyze
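To make the rule mechanism concrete, here is an added Python example (not ntfstool's code) that parses raw USN_RECORD_V2 entries from a $UsnJrnl:$J dump, applies a rule with the same shape as the lsass-dump rule above, and produces the create/delete overview the section mentions. The record layout and reason bits are the public Windows definitions; the journal it runs on is constructed test data. Whether ntfstool anchors the filename regex or searches within the name is not stated on the page, so the example's use of a full, case-insensitive match is an assumption.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason bits (public Windows SDK values)
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

USN_V2_HEADER = "<IHHQQQQIIIIHH"   # 0x3C bytes, followed by the UTF-16LE file name
USN_V2_HEADER_SIZE = struct.calcsize(USN_V2_HEADER)

# Same shape as the rule shown from Rules/default.json. Full-match semantics are
# an assumption of this example, not documented ntfstool behaviour.
RULES = [
    {
        "id": "lsass-dump",
        "description": "Dumped LSASS.exe process.",
        "severity": "high",
        "rule": {"filename": r"lsass(\.(dmp|dump))?"},
    },
]


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def parse_usn_records(data: bytes):
    """Yield one dict per USN_RECORD_V2 in a raw $UsnJrnl:$J dump.

    Records are 8-byte aligned; zero padding (length 0) between records is
    skipped in 8-byte steps instead of being treated as a record.
    """
    offset = 0
    while offset + USN_V2_HEADER_SIZE <= len(data):
        (length, major, _minor, file_ref, parent_ref, usn, timestamp, reason,
         _source, _sec_id, attrs, name_len, name_off) = struct.unpack_from(USN_V2_HEADER, data, offset)
        if length == 0:
            offset += 8
            continue
        if length < USN_V2_HEADER_SIZE or offset + length > len(data):
            raise ValueError(f"corrupt record length {length} at offset {offset}")
        if major == 2:
            name = data[offset + name_off:offset + name_off + name_len].decode("utf-16-le")
            yield {
                "usn": usn,
                "timestamp": filetime_to_datetime(timestamp),
                "file_ref": file_ref & 0xFFFFFFFFFFFF,       # low 48 bits = MFT record number
                "parent_ref": parent_ref & 0xFFFFFFFFFFFF,
                "reason": reason,
                "attributes": attrs,
                "filename": name,
            }
        offset += length


def analyze(data: bytes, rules=RULES):
    """Apply filename rules and compute a create/delete overview of the journal."""
    hits, total, created, deleted = [], 0, 0, 0
    for rec in parse_usn_records(data):
        total += 1
        created += bool(rec["reason"] & USN_REASON_FILE_CREATE)
        deleted += bool(rec["reason"] & USN_REASON_FILE_DELETE)
        for rule in rules:
            if re.fullmatch(rule["rule"]["filename"], rec["filename"], re.IGNORECASE):
                hits.append({"rule": rule["id"], "severity": rule["severity"],
                             "filename": rec["filename"], "usn": rec["usn"],
                             "timestamp": rec["timestamp"].isoformat()})
    stats = {
        "records": total,
        "pct_created": round(100 * created / total, 1) if total else 0.0,
        "pct_deleted": round(100 * deleted / total, 1) if total else 0.0,
    }
    return hits, stats


def build_usn_record(usn: int, name: str, reason: int, file_ref: int = 100,
                     parent_ref: int = 5, timestamp: int = 132_000_000_000_000_000) -> bytes:
    """Constructed test data: one USN_RECORD_V2 with the given name and reason bits."""
    name_bytes = name.encode("utf-16-le")
    length = (USN_V2_HEADER_SIZE + len(name_bytes) + 7) & ~7   # pad to 8-byte boundary
    buf = bytearray(length)
    struct.pack_into(USN_V2_HEADER, buf, 0, length, 2, 0, file_ref, parent_ref, usn,
                     timestamp, reason, 0, 0, 0x20, len(name_bytes), USN_V2_HEADER_SIZE)
    buf[USN_V2_HEADER_SIZE:USN_V2_HEADER_SIZE + len(name_bytes)] = name_bytes
    return bytes(buf)


SAMPLE_JOURNAL = b"".join([      # constructed, not a real journal
    build_usn_record(1, "notes.txt", USN_REASON_FILE_CREATE),
    build_usn_record(2, "lsass.exe", USN_REASON_CLOSE),
    build_usn_record(3, "lsass.DMP", USN_REASON_FILE_CREATE | USN_REASON_CLOSE),
    build_usn_record(4, "notes.txt", USN_REASON_FILE_DELETE | USN_REASON_CLOSE),
]) + bytes(16)

if __name__ == "__main__":
    hits, stats = analyze(SAMPLE_JOURNAL)
    for hit in hits:
        print(f"[{hit['severity']}] {hit['rule']}: {hit['filename']} (USN {hit['usn']})")
    print(stats)
```

Two points a practitioner will want to keep in mind. First, the match mode changes what a rule means: with a search-style match the pattern above would also fire on lsass.exe itself, so decide (and document) the anchoring before writing rules. Second, the journal carries only the file name and the MFT references; to turn a hit into a full path you have to resolve parent_ref against the $MFT, and since deleted records may already have been reused, the sequence number in the upper 16 bits of the reference should be checked too.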

Shell

There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp, quit, rec).

The rec command shows the MFT record details.

Help & Examples

The help command displays a description and examples for each command.

Numeric options (e.g. inode) can be entered in decimal or in hex with a "0x" prefix.

ntfstool help [command]

| Command | Description |
| --- | --- |
| info | Display information for all disks and volumes |
| mbr | Display MBR structure, code and partitions for a disk |
| gpt | Display GPT structure, code and partitions for a disk |
| vbr | Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported) |
| extract | Extract a file from a volume |
| image | Create an image file of a disk or volume |
| mft.dump | Dump $MFT file in specified format: csv, json, raw |
| mft.record | Display FILE record details for a specified MFT inode. Almost all attribute types supported |
| mft.btree | Display VCN content and B-tree index for an inode |
| bitlocker.info | Display information and hash ($bitlocker$) for all VMKs. Test a password or recovery key |
| bitlocker.decrypt | Decrypt a volume to a file using password, recovery key or bek |
| bitlocker.fve | Display information for the specified FVE block |
| efs.backup | Export EFS keys in PKCS12 (pfx) format |
| efs.decrypt | Decrypt EFS encrypted file using keys in PKCS12 (pfx) format |
| efs.certificate | List, display and export system certificates (SystemCertificates/My/Certificates) |
| efs.key | List, display, decrypt and export private keys (Crypto/RSA) |
| efs.masterkey | List, display and decrypt masterkeys (Protect) |
| reparse | Parse and display reparse points from $Extend\$Reparse |
| logfile.dump | Dump $LogFile file in specified format: csv, json, raw |
| usn.analyze | Analyze $UsnJrnl file with specified rules. Output: csv or json |
| usn.dump | Dump $UsnJrnl file in specified format: csv, json, raw |
| shadow | List volume shadow snapshots from selected disk and volume |
| streams | Display Alternate Data Streams |
| undelete | Search and extract deleted files for a volume |
| shell | Start a limited Unix-like shell |
| smart | Display S.M.A.R.T data |

Limitations

  • Some unsupported cases. WIP.
  • No documentation :no_mouth:.

Feel free to open an issue or ask for a new feature!

Build

  • Install Visual Studio 2022

  • Install vcpkg (for required third-party libs) as described here: vcpkg#getting-started

    git clone https://github.com/microsoft/vcpkg
    .\vcpkg\bootstrap-vcpkg.bat
    
  • Integrate it into your Visual Studio environment:

    vcpkg integrate install
    

At build time, Visual Studio detects the vcpkg.json file and installs the required packages automatically.

Third-party libraries:

  • openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • nlohmann-json: JSON for Modern C++
  • distorm: Powerful Disassembler Library For x86/AMD64
  • cppcoro: A library of C++ coroutine abstractions for the coroutines TS.
  • re2: RE2 is a fast, safe, thread-friendly alternative to backtracking regular expression engines.

Examples

Info

<table> <tr><td>info</td></tr> <tr><td>
+-------------------------------------------------------------------------------------+
| Id | Model                     | Type      | Partition | Size                       |
+-------------------------------------------------------------------------------------+
| 0  | Samsung SSD 850 EVO 500GB | Fixed SSD | GPT       | 500107862016 (465.76 GiBs) |
| 1  | ST2000DM001-1ER164        | Fixed HDD | GPT       | 2000398934016 (1.82 TiB)   |
| 2  | 15EADS External           | Fixed HDD | MBR       | 1500301910016 (1.36 TiB)   |
| 3  | osfdisk                   | Fixed HDD | MBR       | 536870912 (512.00 MiBs)    |
+-------------------------------------------------------------------------------------+
</td></tr> <tr><td>info disk=3</td></tr> <tr><td>
Model       : osfdisk
Version     : 1
Serial      :
Media Type  : Fixed HDD
Size        : 536870912 (512.00 MiBs)
Geometry    : 512 bytes * 63 sectors * 255 tracks * 65 cylinders
Volume      : MBR

+--------------------------------------------------------------------------------------------------+
| Id | Boot | Label     | Mounted | Filesystem | Offset           | Size                           |
+--------------------------------------------------------------------------------------------------+
| 1  | No   | NTFSDRIVE | F:\     | Bitlocker  | 0000000000000200 | 000000001ffffe00 (512.00 MiBs) |
+--------------------------------------------------------------------------------------------------+   
</td></tr> <tr><td>info disk=3 volume=1</td></tr> <tr><td>
Serial Number  : 0000aa60-00002eae
Filesystem     : Bitlocker
Bootable       : False
Type           : Fixed
Label          : NTFSDRIVE
Offset         : 512 (512.00 bytes)
Size           : 536870400 (512.00 MiBs)
Free           : 519442432 (495.38 MiBs)
Mounted        : True (F:\)
Bitlocker      : True (Unlocked)
</td></tr> </table>

MBR

<table> <tr><td>mbr disk