NTFSTool – Forensics Tool For NTFS (Parser, MFT, Bitlocker, Deleted Files)
NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition information (MBR, partition table, VBR) as well as information on BitLocker-encrypted volumes, EFS-encrypted files and more.
See below for some examples of the features!
Features
Forensics
NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and MFT file records. It is also possible to dump any file (even $MFT or SAM) or parse the USN journal and $LogFile, including content from Alternate Data Streams (ADS). The undelete command searches for every file record marked as "not in use" and lets you retrieve the file (or the part of it that has not yet been overwritten). Input can be an image file or a live disk; you can also use tools like OSFMount to mount a disk image. Sparse and compressed files are also supported.
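The on-disk structures this paragraph refers to are small enough to parse by hand. The following is an added example (not NTFSTool's own code) that decodes an MBR partition table and the BIOS parameter block of an NTFS volume boot record, then derives the byte offset of $MFT from the cluster size. The two sample sectors are constructed in `build_sample_mbr()` and `build_sample_vbr()` so the code runs offline; their values (LBA 2048, $MFT at cluster 786432, a made-up serial) are assumptions, not taken from a real disk.

```python
"""Parse an MBR partition table and an NTFS volume boot record (VBR) from raw sectors.

Example code added alongside the README; it is not NTFSTool's own parser. The sample
sectors are constructed in build_sample_mbr()/build_sample_vbr().
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MBR_SIGNATURE = 0xAA55        # stored little-endian at offset 510 as 55 AA
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the boot code
NTFS_OEM_ID = b"NTFS    "     # bytes 3..11 of an NTFS boot sector


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int      # 0x07 = NTFS/exFAT, 0xEE = protective MBR of a GPT disk
    lba_start: int
    sector_count: int


@dataclass
class NtfsVbr:
    bytes_per_sector: int
    sectors_per_cluster: int
    total_sectors: int
    mft_cluster: int
    mft_mirror_cluster: int
    file_record_size: int
    volume_serial: int

    @property
    def cluster_size(self) -> int:
        return self.bytes_per_sector * self.sectors_per_cluster

    @property
    def mft_offset(self) -> int:
        """Byte offset of $MFT from the start of the volume."""
        return self.mft_cluster * self.cluster_size


def parse_mbr(sector: bytes) -> list[Partition]:
    """Return the non-empty entries of the MBR partition table."""
    if len(sector) < 512:
        raise ValueError("MBR must be a full 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, 510)
    if signature != MBR_SIGNATURE:
        raise ValueError(f"bad MBR signature {signature:#06x}")
    partitions = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + i * 16
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if type_id == 0:
            continue  # empty slot
        partitions.append(Partition(i, status == 0x80, type_id, lba, count))
    return partitions


def parse_ntfs_vbr(sector: bytes) -> NtfsVbr:
    """Decode the BIOS parameter block of an NTFS boot sector."""
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS boot sector (OEM ID mismatch)")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    total_sectors, mft_cluster, mft_mirror = struct.unpack_from("<QQQ", sector, 40)
    (clusters_per_record,) = struct.unpack_from("<b", sector, 64)
    (serial,) = struct.unpack_from("<Q", sector, 72)
    # A negative value means the record size is 2^(-value) bytes (usually -10 -> 1024).
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * bytes_per_sector * sectors_per_cluster
    return NtfsVbr(bytes_per_sector, sectors_per_cluster, total_sectors,
                   mft_cluster, mft_mirror, record_size, serial)


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable NTFS partition starting at LBA 2048."""
    sector = bytearray(512)
    struct.pack_into("<B3sB3sII", sector, PARTITION_TABLE_OFFSET,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 41940992)
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


def build_sample_vbr() -> bytes:
    """Constructed NTFS boot sector: 512-byte sectors, 8 sectors/cluster, $MFT at cluster 786432."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"            # jump instruction
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", sector, 11, 512, 8)
    sector[21] = 0xF8                         # media descriptor: fixed disk
    struct.pack_into("<QQQ", sector, 40, 41940991, 786432, 2)
    struct.pack_into("<b", sector, 64, -10)   # 1024-byte FILE records
    struct.pack_into("<b", sector, 68, 1)     # 1 cluster per index record
    struct.pack_into("<Q", sector, 72, 0x1234567890ABCDEF)  # made-up serial number
    struct.pack_into("<H", sector, 510, MBR_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"partition {p.index}: type {p.type_id:#04x} LBA {p.lba_start} "
              f"({p.sector_count} sectors){' bootable' if p.bootable else ''}")
    vbr = parse_ntfs_vbr(build_sample_vbr())
    print(f"cluster size {vbr.cluster_size}, $MFT at byte offset {vbr.mft_offset}, "
          f"FILE record size {vbr.file_record_size}")
```

On a real image you would read sector 0 of the disk with `parse_mbr`, seek to `lba_start * 512` of the NTFS entry and feed that sector to `parse_ntfs_vbr`; the signature and OEM ID checks are what tell you the structure is intact before trusting any offset in it.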
Bitlocker support
For BitLocker-encrypted partitions, it can display FVE records, check a password or key (BEK file, password, recovery key) and extract the VMK and FVEK. There is no brute-force feature because GPU-based cracking is better suited to that (see BitCracker and Hashcat), but you can get the hash in the format these tools expect.
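Checking a recovery key, as the `bitlocker` command does, starts with a structural check that needs no key material at all: a BitLocker recovery password is 8 groups of 6 digits, each group is a multiple of 11 (the last digit acts as a check digit), and each group divided by 11 must fit in 16 bits; the eight 16-bit words are the raw key that BitLocker then stretches together with the salt from the FVE metadata. The following added example (not NTFSTool's code) implements that validation and the conversion in both directions; the stretching step is not shown.

```python
"""Syntax and checksum validation of a BitLocker 48-digit recovery password.

Example code added to the README, not NTFSTool's own implementation. It checks the
structure every valid recovery password has and converts it to the 16 key bytes that
BitLocker stretches (together with the salt stored in the FVE metadata) to derive the
key protecting the VMK; that stretching step is not shown here.
"""
import re
import struct

GROUP_COUNT = 8                     # 8 groups x 6 digits = 48 digits
GROUP_RE = re.compile(r"^\d{6}$")


def recovery_password_to_key(text: str) -> bytes:
    """Convert 'dddddd-dddddd-...' into 16 key bytes; ValueError on any defect."""
    groups = [g for g in re.split(r"[\s\-]+", text.strip()) if g]
    if len(groups) != GROUP_COUNT:
        raise ValueError(f"expected {GROUP_COUNT} groups of 6 digits, got {len(groups)}")
    key = bytearray()
    for i, group in enumerate(groups, 1):
        if not GROUP_RE.match(group):
            raise ValueError(f"group {i} is not 6 digits: {group!r}")
        value = int(group)
        # A number is divisible by 11 iff the alternating sum of its digits is 0 mod 11,
        # so the last digit of each group is a check digit: a single mistyped digit
        # is caught here, before any key derivation is attempted.
        if value % 11:
            raise ValueError(f"group {i} fails the mod-11 check: {group}")
        word = value // 11
        if word > 0xFFFF:
            raise ValueError(f"group {i} does not fit in 16 bits: {group}")
        key += struct.pack("<H", word)  # each group is one little-endian 16-bit word
    return bytes(key)


def key_to_recovery_password(key: bytes) -> str:
    """Inverse of recovery_password_to_key(): 16 bytes -> 8 groups of 6 digits."""
    if len(key) != 16:
        raise ValueError("key must be exactly 16 bytes")
    return "-".join(f"{word * 11:06d}" for word in struct.unpack("<8H", key))


def is_valid_recovery_password(text: str) -> bool:
    try:
        recovery_password_to_key(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed key bytes, not a real recovery password.
    sample = key_to_recovery_password(bytes(range(16)))
    print(sample, is_valid_recovery_password(sample))
```

The check-digit rule is why a recovery password escrowed in AD or a key vault can be syntax-checked at ingestion time: a corrupted or mistyped copy is rejected immediately instead of failing only when the volume has to be unlocked.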
EFS support
In the current version, master keys, private keys and certificates can be listed, displayed and decrypted with the required inputs (SID, password). Certificates with their private keys can be exported using the backup command. Reimport the backup on another machine to be able to read your encrypted files again!
More information on Mimikatz Wiki
Decryption of EFS encrypted files is coming!
Shell
There is a limited shell with few commands (exit, cd, ls, cat, pwd, cp).
Help & Examples
The help command displays a description and examples for each command. Numeric options can be entered in decimal or in hex with a "0x" prefix (e.g. inode).
ntfstool help [command]
| Command | Description |
|---|---|
| info | Display information for all disks and volumes |
| mbr | Display MBR structure, code and partitions for a disk |
| gpt | Display GPT structure, code and partitions for a disk |
| vbr | Display VBR structure and code for a specified volume (NTFS, FAT32, FAT1x and BitLocker supported) |
| extract | Extract a file from a volume. |
| image | Create an image file of a disk or volume. |
| mft | Display FILE record details for a specified MFT inode. Almost all attribute types are supported. |
| btree | Display VCN content and B-tree index for an inode |
| bitlocker | Display detailed information and the hash ($bitlocker$) for all VMKs. A password or recovery key can be tested; if it is correct, the decrypted VMK and FVEK are displayed. |
| bitdecrypt | Decrypt a volume to a file using a password, recovery key or BEK file. |
| efs.backup | Export EFS keys in PKCS12 (pfx) format. |
| efs.certificate | List, display and export system certificates (SystemCertificates/My/Certificates). |
| efs.key | List, display, decrypt and export private keys (Crypto/RSA). |
| efs.masterkey | List, display and decrypt master keys (Protect). |
| fve | Display information for the specified FVE block (0, 1, 2) |
| reparse | Parse and display reparse points from $Extend\$Reparse. |
| logfile | Dump $LogFile in the specified format: csv, json, raw. |
| usn | Dump $UsnJrnl in the specified format: csv, json, raw. |
| shadow | List volume shadow snapshots for the selected disk and volume. |
| streams | Display Alternate Data Streams |
| undelete | Search for and extract deleted files on a volume. |
| shell | Start a mini Unix-like shell |
| smart | Display S.M.A.R.T. data |
Limitations
- Some unsupported cases. WIP.
- No documentation
Feel free to open an issue or ask for a new feature!
Build
vcpkg is the easiest way to install the required third-party libraries.
Install vcpkg as described here: vcpkg#getting-started
git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat
Integrate it into your Visual Studio environment:
vcpkg integrate install
At build time, Visual Studio will detect the vcpkg.json file and install the required packages automatically.
Current third-party libs:
- openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
- nlohmann-json: JSON for Modern C++
- distorm: Powerful Disassembler Library For x86/AMD64
- cppcoro: A library of C++ coroutine abstractions for the coroutines TS.
Examples
Info
info
info disk=3
info disk=3 volume=1
MBR
mbr disk=2
GPT
gpt disk=1
VBR
vbr disk=3 volume=1
Extract
extract disk=3 volume=1 from=bob.txt output=d:\bob.txt
extract disk=0 volume=4 --system output=d:\system
Image
image disk=2 volume=2 output=d:\imagevol.raw
image disk=2 output=d:\image.raw
mft disk=2 volume=1 inode=5 (root folder) |
Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2020-02-24 19:42:23 | | | | | | FileRecord Changed Time : 2020-02-24 19:42:23 | | | | | | Last Access Time : 2020-02-24 19:42:23 | | | | | | Permissions : | | | | | | read_only : 0 | | | | | | hidden : 1 | | | | | | system : 1 | | | | | | device : 0 | | | | | | normal : 0 | | | | | | temporary : 0 | | | | | | sparse : 0 | | | | | | reparse_point : 0 | | | | | | compressed : 0 | | | | | | offline : 0 | | | | | | not_indexed : 1 | | | | | | encrypted : 0 | | | | | | Max Number of Versions : 0 | | | | | | Version Number : 0 | +——————————————————————————————————————+ | 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 | | | | | | Parent Dir Sequence Num : 5 | | | | | | File Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2011-12-24 03:13:12 | | | | | | FileRecord Changed Time : 2011-12-24 03:13:12 | | | | | | Last Access Time : 1970-01-01 00:59:59 | | | | | | Allocated Size : 0 | | | | | | Real Size : 0 | | | | | | —— | | | | | | Name : . 
| +——————————————————————————————————————+ | 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 | | | | | | 8268d} | +——————————————————————————————————————+ | 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h | | | | | | Collation Rule : 1 | | | | | | Index Alloc Entry Size : 4096 | | | | | | Cluster/Index Record : 1 | | | | | | —– | | | | | | First Entry Offset : 16 | | | | | | Index Entries Size : 136 | | | | | | Index Entries Allocated : 136 | | | | | | Flags : Large Index | +——————————————————————————————————————+ | 5 | $INDEX_ALLOCATION | True | 12288 | Index | | | | | | 0000000000000004 : $AttrDef | | | | | | 0000000000000008 : $BadClus | | | | | | 0000000000000006 : $Bitmap | | | | | | 0000000000000007 : $Boot | | | | | | 000000000000000b : $Extend | | | | | | 0000000000000002 : $LogFile | | | | | | 0000000000000000 : $MFT | | | | | | 0000000000000001 : $MFTMirr | | | | | | 000000000000002d : $RECYCLE.BIN | | | | | | 0000000000000009 : $Secure | | | | | | 000000000000000a : $UpCase | | | | | | 0000000000000003 : $Volume | | | | | | 0000000000000005 : . | | | | | | 000000000000240c : Dir1 | | | | | | 0000000000000218 : Dir2 | | | | | | 000000000000212a : Dir3 | | | | | | 0000000000000024 : Dir4 | | | | | | 0000000000000def : RECYCLER | | | | | | 000000000000001b : System Volume Information | | | | | | 000000000000001b : SYSTEM~1 | +——————————————————————————————————————+ | 6 | $BITMAP | False | 8 | Index Node Used : 2 | +——————————————————————————————————————+ “>
|
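The `mft` output above is a walk over the attribute headers of one FILE record, and the "Permissions" block is the DOS attribute bitmask stored in $STANDARD_INFORMATION. The following added example (not NTFSTool's parser) does the same walk on a constructed 1024-byte record: it applies the update sequence fixups (detecting a torn write), reads the record flags that `undelete` keys on (in use / directory), iterates resident attributes, and decodes the permission bits with the same names the tool prints. The sample record built by `build_sample_record()` is an assumption, not data from a real volume.

```python
"""Parse an NTFS FILE record (MFT entry): fixups, record flags, attribute headers and the
$STANDARD_INFORMATION permission bits.

Example code added to the README, not NTFSTool's own parser. build_sample_record()
constructs a 1024-byte record so the code runs without a disk image.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
ATTR_END = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x40: "$OBJECT_ID",
              0x80: "$DATA", 0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}
RECORD_IN_USE, RECORD_IS_DIRECTORY = 0x1, 0x2
# DOS attribute bits at offset 32 of $STANDARD_INFORMATION (the "Permissions" block).
PERMISSION_FLAGS = [("read_only", 0x1), ("hidden", 0x2), ("system", 0x4), ("archive", 0x20),
                    ("device", 0x40), ("normal", 0x80), ("temporary", 0x100), ("sparse", 0x200),
                    ("reparse_point", 0x400), ("compressed", 0x800), ("offline", 0x1000),
                    ("not_indexed", 0x2000), ("encrypted", 0x4000)]


@dataclass
class Attribute:
    type_id: int
    name: str
    non_resident: bool
    length: int
    value: bytes  # resident content only; non-resident data lives in the runlist clusters


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array: NTFS overwrites the last 2 bytes of each sector with
    the USN and keeps the originals in the USA; a mismatch means a torn or corrupt write."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR
        if fixed[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record torn or corrupt")
        fixed[end - 2:end] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(fixed)


def is_consistent(raw: bytes) -> bool:
    """True when every sector fixup matches."""
    try:
        apply_fixups(raw)
        return True
    except ValueError:
        return False


def parse_file_record(raw: bytes) -> dict:
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    record = apply_fixups(raw)
    sequence, hard_links, first_attr, flags, used, _alloc = struct.unpack_from("<HHHHII", record, 16)
    attributes, pos = [], first_attr
    while pos + 8 <= used:
        type_id, length = struct.unpack_from("<II", record, pos)
        if type_id == ATTR_END:
            break
        if length < 24 or pos + length > used:
            raise ValueError(f"corrupt attribute header at offset {pos}")
        non_resident, name_len, name_off, _aflags, _attr_id = struct.unpack_from("<BBHHH", record, pos + 8)
        name = record[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le") if name_len else ""
        value = b""
        if not non_resident:
            value_len, value_off = struct.unpack_from("<IH", record, pos + 16)
            value = record[pos + value_off:pos + value_off + value_len]
        attributes.append(Attribute(type_id, ATTR_NAMES.get(type_id, f"{type_id:#x}"),
                                    bool(non_resident), length, value))
        pos += length
    return {"sequence": sequence, "hard_links": hard_links,
            "in_use": bool(flags & RECORD_IN_USE),  # cleared on delete: what undelete looks for
            "is_directory": bool(flags & RECORD_IS_DIRECTORY), "attributes": attributes}


def decode_permissions(std_info: bytes) -> dict:
    (dos_flags,) = struct.unpack_from("<I", std_info, 32)
    return {name: int(bool(dos_flags & bit)) for name, bit in PERMISSION_FLAGS}


def _resident_attribute(type_id: int, value: bytes, attr_id: int) -> bytes:
    length = (24 + len(value) + 7) & ~7  # attribute records are 8-byte aligned
    header = struct.pack("<IIBBHHHIHBB", type_id, length, 0, 0, 24, 0, attr_id, len(value), 24, 0, 0)
    return header + value + b"\x00" * (length - 24 - len(value))


def build_sample_record(in_use: bool) -> bytes:
    """Constructed record: $STANDARD_INFORMATION (hidden|system|not_indexed) + resident $DATA."""
    std_info = struct.pack("<4QIIII", 0, 0, 0, 0, 0x2006, 0, 0, 0)
    body = _resident_attribute(0x10, std_info, 0) + _resident_attribute(0x80, b"kitten", 1)
    body += struct.pack("<II", ATTR_END, 0)
    record = bytearray(1024)
    record[0:4] = b"FILE"
    # usa_off, usa_count, lsn, sequence, links, first_attr, flags, used, alloc, base, next_id
    struct.pack_into("<HHQHHHHIIQH", record, 4, 48, 3, 0, 3, 1, 56,
                     RECORD_IN_USE if in_use else 0, 56 + len(body), 1024, 0, 2)
    record[56:56 + len(body)] = body
    usn = b"\x07\x00"  # apply fixups the way NTFS writes them
    record[48:54] = usn + bytes(record[510:512]) + bytes(record[1022:1024])
    record[510:512] = record[1022:1024] = usn
    return bytes(record)
```

Run on a real $MFT, records are read at `mft_offset + inode * file_record_size`; a record whose fixups fail should be reported rather than silently parsed, since the attribute lengths inside it can no longer be trusted.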
Btree
btree disk=0 volume=1 inode=5 (root folder)
Bitlocker
bitlocker disk=3 volume=1
bitlocker disk=3 volume=1 password=badpassword
bitlocker disk=3 volume=1 password=123456789
Bitdecrypt
bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
EFS-backup
efs.backup disk=0 volume=4 password=123456
EFS-certificate
efs.certificate disk=0 volume=4
efs.certificate disk=0 volume=4 inode=0xb5a4
efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem
EFS-key
efs.key disk=0 volume=4
efs.key disk=0 volume=4 inode=742107

Output (text recovered from the screenshot; the table lists Id | Name | Value, starting in the middle of an entry):

```
    Encryption Alg    : CALG_AES_256
    Hash Alg          : CALG_SHA_512
    Salt              : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
    HMAC              : -
    HMAC2             : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6
    Encrypted Data    : D7DAD9229C91DBC9608852A4411527D7
                        58DB27E19596DD118F2D70F68CC7913C
                        …
                        7870F6C68DA1B9139BF6E39725F4E72E
                        4EC435C947F127CA3E333CB5E2F43978
    Signature Data    : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F
                        5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED
6 | Hash       | 0000000000000000000000000000000000000000
7 | ExportFlag | Version           : 1
                 Provider GUID     : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
                 MasterKey Version : 1
                 MasterKey GUID    : {9ac19509-54d3-48bc-8c67-4cfb01d73498}
                 Description       : Export Flag
                 Flags             : 00000000h
                 Encryption Alg    : CALG_AES_256
                 Hash Alg          : CALG_SHA_512
                 Salt              : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06
                 HMAC              : -
                 HMAC2             : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2
                 Encrypted Data    : 875A6429226F11DFD3690D43BE633287
                 Signature Data    : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6
                                     9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178
```

efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30…178c5bff4979eb
efs.key disk=0 volume=4 inode=742107 masterkey=34…eb output=mykey format=pem
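The fields `efs.key` prints for each protected key (Version, Provider GUID, MasterKey GUID, Flags, Description, the two algorithm ids, Salt, HMAC, HMAC2, Encrypted Data, Signature Data) are the sequential fields of a DPAPI blob: fixed-size values followed by length-prefixed byte fields. The following added example (not NTFSTool's code) parses that layout and rejects truncated or oversized blobs; `build_sample_blob()` assembles a blob from the ExportFlag values shown above so it runs offline. The key-length values 256 and 512 bits in the sample are assumptions; nothing is decrypted, and the master key is not needed.

```python
"""Parse a DPAPI blob header, the structure efs.key prints for each protected private key
(Provider GUID, MasterKey GUID, algorithms, salt, HMAC2, encrypted data, signature).

Example code added to the README, not NTFSTool's own code. build_sample_blob() constructs
a blob from the values shown in the efs.key output above; nothing is decrypted here.
"""
import struct
import uuid

ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"   # DPAPI provider GUID, as in the output above
MASTERKEY_GUID = "9ac19509-54d3-48bc-8c67-4cfb01d73498"  # master key GUID from the same output


class _Reader:
    """Bounds-checked cursor over the blob bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError(f"truncated blob: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> str:
        return str(uuid.UUID(bytes_le=self.take(16)))  # Windows GUIDs are stored mixed-endian

    def lv(self) -> bytes:
        """Length-prefixed (DWORD length, then bytes) field."""
        return self.take(self.u32())


def parse_dpapi_blob(data: bytes) -> dict:
    r = _Reader(data)
    blob = {}
    blob["version"] = r.u32()
    blob["provider_guid"] = r.guid()
    blob["masterkey_version"] = r.u32()
    blob["masterkey_guid"] = r.guid()
    blob["flags"] = r.u32()
    blob["description"] = r.lv().decode("utf-16-le").rstrip("\x00")
    alg_crypt = r.u32()
    blob["alg_crypt"] = ALG_NAMES.get(alg_crypt, f"{alg_crypt:#x}")
    blob["alg_crypt_bits"] = r.u32()
    blob["salt"] = r.lv().hex().upper()
    blob["hmac"] = r.lv().hex().upper()          # usually empty, printed as "-" by the tool
    alg_hash = r.u32()
    blob["alg_hash"] = ALG_NAMES.get(alg_hash, f"{alg_hash:#x}")
    blob["alg_hash_bits"] = r.u32()
    blob["hmac2"] = r.lv().hex().upper()
    blob["encrypted_data"] = r.lv().hex().upper()
    blob["signature"] = r.lv().hex().upper()
    if r.pos != len(data):
        raise ValueError(f"{len(data) - r.pos} trailing bytes after signature")
    return blob


def is_well_formed(data: bytes) -> bool:
    try:
        parse_dpapi_blob(data)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def _lv(field: bytes) -> bytes:
    return struct.pack("<I", len(field)) + field


def build_sample_blob() -> bytes:
    """Constructed from the ExportFlag entry shown in the efs.key output above."""
    return (struct.pack("<I", 1) + uuid.UUID(PROVIDER_GUID).bytes_le
            + struct.pack("<I", 1) + uuid.UUID(MASTERKEY_GUID).bytes_le
            + struct.pack("<I", 0)
            + _lv("Export Flag\x00".encode("utf-16-le"))
            + struct.pack("<II", 0x6610, 256)            # CALG_AES_256, 256-bit key (assumed length field)
            + _lv(bytes.fromhex("772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06"))
            + _lv(b"")                                   # empty HMAC key
            + struct.pack("<II", 0x800E, 512)            # CALG_SHA_512 (assumed length field)
            + _lv(bytes.fromhex("3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2"))
            + _lv(bytes.fromhex("875A6429226F11DFD3690D43BE633287"))
            + _lv(bytes.fromhex("FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6"
                                "9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178")))


if __name__ == "__main__":
    for name, value in parse_dpapi_blob(build_sample_blob()).items():
        print(f"{name:18}: {value}")
```

The master key GUID is the forensically useful field even without the password: it tells you which file under the user's Protect directory (the `efs.masterkey` output) this key depends on, and an unfamiliar provider GUID or algorithm id is a sign the blob is not what the surrounding structure claims.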
EFS-masterkey
efs.masterkey disk=0 volume=4
efs.masterkey disk=0 volume=4 inode=0x80544
efs.masterkey disk=0 volume=4 inode=0x80544 sid="S-1-5-21-1521398…3175218-1001" password="ntfst00l"
FVE
fve disk=3 volume=1 fve_block=2
reparse
reparse disk=0 volume=4
logfile
logfile disk=4 volume=1 output=logfile.csv format=csv
Sample of logfile.csv
usn
usn disk=4 volume=1 output=usn.csv format=csv
Sample of usn.csv
shadow
shadow disk=0 volume=4
streams
streams disk=0 volume=4 from=c:\test.pdf
undelete
undelete disk=4 volume=1
undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
shell
shell disk=4 volume=1
smart
smart disk=1