ntfstool
NTFSTool is a forensic tool for working with NTFS partitions. It reads partition information (MBR, partition table, VBR) as well as information about BitLocker-encrypted partitions (FVE). The examples below show some of its features.
Features
Forensics
NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and MFT file records. It can also dump any file (even the hidden $MFT) and parse $UsnJrnl and $LogFile. The undelete command searches for file records marked as "not in use" and lets you retrieve the file (or only part of it, if some of its clusters have already been rewritten).
Bitlocker support
For BitLocker-encrypted partitions, it can check a password and supports three formats (bek, password, recovery key). There is no brute-forcing feature because GPU-based cracking is better suited to that (see Bitcracker and Hashcat).
Shell
There is a very limited shell with a few commands (exit, cd, ls, cat, pwd).
Help & Examples
The help command displays some examples for each command.
ntfstool help [command]
Command | Description |
---|---|
info | Display information for all disks and volumes |
mbr | Display MBR structure, code and partitions for a disk |
gpt | Display GPT structure, code and partitions for a disk |
vbr | Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported) |
mft | Display FILE record details for a specified MFT inode. Almost all attribute types supported |
bitlocker | Display detailed information and hash ( |
bitdecrypt | Decrypt a volume to a file using password, recovery key or bek. |
fve | Display information for the specified FVE block (0, 1, 2) |
logfile | Dump $LogFile file in specified format: csv, json, raw. |
usn | Dump $UsnJrnl file in specified format: csv, json, raw. |
undelete | Search and extract deleted files for a volume. |
shell | Start a mini-shell |
Limitations
- May contain bugs and unsupported cases.
- No image file support. You can use tools like OSFMount to mount your disk image.
- No documentation 😶.
Third-parties
- cppcoro (vcpkg): A library of C++ coroutine abstractions for the coroutines TS.
Output examples
Info

info

info disk=3

info disk=3 volume=1
MBR

mbr disk=3
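The mbr command above prints the boot code, disk signature and the four partition table entries of a disk. To show what that involves, here is an added example (not ntfstool's own code) that parses one 512-byte MBR sector: it checks the 55 AA boot signature, unpacks each 16-byte entry (status, packed CHS fields, type byte, start LBA, sector count), derives the byte offset at which each volume's VBR lives, flags a GPT protective MBR (type 0xEE), and reports overlapping partition ranges, which a sane table never has and a tampered or damaged one may. The sample sector, the disk signature and the partition layout are constructed for the example; the partition type table is a small subset and any other type byte is reported as raw hex.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16

# Small table of partition type bytes; unknown types are reported as raw hex.
PART_TYPES = {
    0x05: "Extended (CHS)", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective",
}


def decode_chs(triple):
    """Unpack the 3-byte CHS field: head, sector (low 6 bits), 10-bit cylinder."""
    head = triple[0]
    sector = triple[1] & 0x3F
    cylinder = ((triple[1] & 0xC0) << 2) | triple[2]
    return (cylinder, head, sector)


def parse_mbr(sector):
    """Parse one 512-byte MBR sector into boot code info, disk signature and partitions."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    signature = struct.unpack_from("<H", sector, 510)[0]
    if signature != 0xAA55:               # bytes 55 AA read little-endian
        raise ValueError(f"bad boot signature 0x{signature:04X}")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFFSET + slot * PART_ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:
            continue                      # unused slot
        partitions.append({
            "slot": slot,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"0x{ptype:02X}"),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "start_lba": lba,
            "sectors": count,
            "end_lba": lba + count - 1,
            "vbr_offset": lba * SECTOR_SIZE,   # where this volume's boot record lives
        })
    return {
        "bootcode_present": any(sector[:440]),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "protective_gpt": any(p["type"] == 0xEE for p in partitions),
    }


def find_overlaps(partitions):
    """Return (slot_a, slot_b) pairs whose LBA ranges intersect; a sane table has none."""
    hits = []
    for i, a in enumerate(partitions):
        for b in partitions[i + 1:]:
            if a["start_lba"] <= b["end_lba"] and b["start_lba"] <= a["end_lba"]:
                hits.append((a["slot"], b["slot"]))
    return hits


def _entry(status, ptype, lba, count):
    # CHS fields set to FE FF FF, the usual "address exceeds CHS range" marker.
    return struct.pack("<B3sB3sII", status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, count)


# Constructed sample sector: dummy boot code, a made-up disk signature and two NTFS partitions.
SAMPLE_MBR = (
    b"\xeb\x63\x90" + b"\x00" * 437          # 440-byte boot code area
    + struct.pack("<I", 0x1A2B3C4D)          # disk signature (constructed)
    + b"\x00\x00"                            # reserved
    + _entry(0x80, 0x07, 2048, 204800)       # bootable system partition
    + _entry(0x00, 0x07, 206848, 1843200)    # data partition
    + b"\x00" * 32                           # two empty slots
    + b"\x55\xaa"
)

if __name__ == "__main__":
    mbr = parse_mbr(SAMPLE_MBR)
    print(f"disk signature 0x{mbr['disk_signature']:08X}, protective GPT: {mbr['protective_gpt']}")
    for p in mbr["partitions"]:
        print(f"slot {p['slot']} boot={p['bootable']} {p['type_name']:<16} "
              f"LBA {p['start_lba']}-{p['end_lba']} VBR @ {p['vbr_offset']:#x}")
    print("overlaps:", find_overlaps(mbr["partitions"]))
```

To run it against a real disk, replace SAMPLE_MBR with the first 512 bytes of the device or image; the vbr_offset of an NTFS entry is where a VBR parser would continue.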
GPT

gpt disk=1
VBR

vbr disk=3 volume=1
MFT

mft disk=2 volume=1 inode=5 (root folder)
Bitlocker

bitlocker disk=3 volume=1

bitlocker disk=3 volume=1 password=badpassword

bitlocker disk=3 volume=1 password=123456789
Bitdecrypt

bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
FVE

fve disk=3 volume=1 fve_block=2
logfile

logfile disk=4 volume=1 output=logfile.csv format=csv

Sample of logfile.csv:

```
LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703
```
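The logfile.csv rows are individual $LogFile records; what an analyst usually wants is the transaction they belong to. Each record's ClientPreviousLSN points at the previous record of the same transaction (0 marks the first one) and a ForgetTransaction record marks the commit. The following added example (not ntfstool's code) loads a CSV in the layout shown above, walks each commit backwards along ClientPreviousLSN to rebuild the transaction, reports whether its start is present in the dump (the $LogFile is circular, so older records get overwritten), collects the (VCN, LCN) targets the transaction touched, and lists records that belong to no committed chain. The sample rows are the ones from the README; the column layout and the sentinel value 18446744073709551615 meaning "no target LCN" are taken from that sample.

```python
import csv
import io

NO_TARGET = 2**64 - 1   # TargetLCN printed as 18446744073709551615 means "no on-disk target"

# Constructed sample with the same columns as ntfstool's logfile.csv (rows from the README sample).
SAMPLE_LOGFILE_CSV = """\
LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703
"""


def load_records(text):
    """Parse the CSV into {LSN: record}; numeric columns become ints, the sentinel LCN becomes None."""
    records = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = {k: (int(v) if v.isdigit() else v) for k, v in row.items()}
        if rec["TargetLCN"] == NO_TARGET:
            rec["TargetLCN"] = None
        records[rec["LSN"]] = rec
    return records


def walk_back(records, lsn):
    """Follow ClientPreviousLSN from `lsn` towards the start of its transaction.

    Returns (chain in log order, missing_lsn): missing_lsn is 0 when the first record
    of the transaction was reached, otherwise the LSN the dump does not contain.
    """
    chain = []
    while lsn in records:
        chain.append(lsn)
        lsn = records[lsn]["ClientPreviousLSN"]
        if lsn == 0:
            break
    chain.reverse()
    return chain, lsn


def rebuild_transactions(records):
    """One entry per commit (ForgetTransaction record): its chain, completeness and touched clusters."""
    result = []
    for lsn, rec in sorted(records.items()):
        if rec["RedoOperation"] != "ForgetTransaction":
            continue
        chain, missing = walk_back(records, lsn)
        targets = {(records[x]["TargetVCN"], records[x]["TargetLCN"])
                   for x in chain if records[x]["TargetLCN"] is not None}
        result.append({
            "transaction": rec["TransactionID"],
            "commit_lsn": lsn,
            "chain": chain,
            "complete": missing == 0,
            "missing_lsn": missing,
            "operations": [records[x]["RedoOperation"] for x in chain],
            "targets": sorted(targets),
        })
    return result


def dangling_records(records):
    """LSNs that belong to no committed chain in the dump (in flight, or committed after the dump)."""
    committed = {x for t in rebuild_transactions(records) for x in t["chain"]}
    return sorted(set(records) - committed)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOGFILE_CSV)
    for t in rebuild_transactions(recs):
        print(f"transaction {t['transaction']} committed at LSN {t['commit_lsn']}, "
              f"{len(t['chain'])} records, complete={t['complete']}, missing={t['missing_lsn']}")
        print("  ops:", " -> ".join(t["operations"]))
        print("  (VCN, LCN) targets:", t["targets"])
    print("not in any committed chain:", dangling_records(recs))
```

On the sample, the single commit at LSN 5269122 chains back seven records to 5269000, whose predecessor 5268967 is not in the dump, so the transaction is reported as incomplete; LSN 5269133 starts a new transaction that has no commit yet.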
usn

usn disk=4 volume=1 output=usn.csv format=csv

Sample of usn.csv:

```
MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau document texte.txt
```
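A usn.csv dump is a flat list of change records keyed by file reference, which makes it hard to read as a story. The following added example (not ntfstool's code) folds rows in the layout shown above into one history per (inode, sequence number) pair, pairs RENAME_OLD_NAME/RENAME_NEW_NAME records into renames, records create and delete times, rebuilds each file's path from the parent references alone (walking up to inode 5, which the mft example above identifies as the root folder), and emits a chronological timeline. The sample rows are the ones from the README; the column names, the "+"-joined Reason flags and the use of inode 5 as the root are assumptions taken from that sample and the mft example.

```python
import csv
import io

ROOT_INODE = 5   # MFT inode of the root directory (see "mft ... inode=5 (root folder)" above)

# Constructed sample with the same columns as ntfstool's usn.csv (rows from the README sample).
SAMPLE_USN_CSV = """\
MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau document texte.txt
"""


def load_usn(text):
    """Parse the CSV and return records sorted by Usn, with Reason split into a set of flags."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["Usn"] = int(r["Usn"])
        r["reasons"] = set(r["Reason"].split("+"))
    rows.sort(key=lambda r: r["Usn"])
    return rows


def file_ref(row, prefix=""):
    """(inode, sequence) pair; the sequence number tells apart reuses of the same MFT slot."""
    return (int(row[prefix + "FileReferenceNumber"]),
            int(row[prefix + "FileReferenceSequenceNumber"]))


def file_histories(rows):
    """Fold the journal into one history per file reference: names, parent, times, renames."""
    hist = {}
    for r in rows:
        h = hist.setdefault(file_ref(r), {
            "names": [], "current_name": None, "parent": None, "attributes": r["FileAttributes"],
            "created": None, "deleted": None, "renames": [], "_pending_old": None,
        })
        name = r["Filename"]
        if name not in h["names"]:
            h["names"].append(name)
        h["current_name"] = name
        h["parent"] = file_ref(r, "Parent")          # a move changes the parent reference
        if "FILE_CREATE" in r["reasons"] and h["created"] is None:
            h["created"] = r["Timestamp"]
        if "FILE_DELETE" in r["reasons"]:
            h["deleted"] = r["Timestamp"]
        if "RENAME_OLD_NAME" in r["reasons"]:
            h["_pending_old"] = name
        if "RENAME_NEW_NAME" in r["reasons"]:
            old = h["_pending_old"]
            if old is not None and old != name:
                h["renames"].append((old, name, r["Timestamp"]))
            h["_pending_old"] = None
    return hist


def resolve_path(hist, key):
    """Rebuild a path from the journal alone by walking parent references up to the root."""
    parts, seen = [], set()
    while key[0] != ROOT_INODE and key not in seen:
        seen.add(key)
        h = hist.get(key)
        if h is None:                       # parent never appeared in the dumped journal range
            parts.append(f"<unknown {key[0]}-{key[1]}>")
            break
        parts.append(h["current_name"])
        key = h["parent"]
    return "\\" + "\\".join(reversed(parts))


def timeline(rows, hist):
    """Chronological (Usn, timestamp, path as named in that record, reason) tuples."""
    out = []
    for r in rows:
        parent_path = resolve_path(hist, file_ref(r, "Parent")).rstrip("\\")
        out.append((r["Usn"], r["Timestamp"], parent_path + "\\" + r["Filename"], r["Reason"]))
    return out


if __name__ == "__main__":
    rows = load_usn(SAMPLE_USN_CSV)
    hist = file_histories(rows)
    for usn, ts, path, reason in timeline(rows, hist):
        print(f"{usn:>6} {ts} {reason:<24} {path}")
    for key, h in hist.items():
        print(f"{key}: now {resolve_path(hist, key)!r}, created {h['created']}, renames {h['renames']}")
```

Keying on (inode, sequence) rather than the inode alone matters: NTFS reuses MFT slots, and the sequence number is what separates a deleted file's records from those of the file that later took the same slot.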
undelete

undelete disk=4 volume=1

undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
shell

shell disk=4 volume=1