NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition info (mbr, partition table, vbr) but also information on bitlocker encrypted volume, EFS encrypted files and more.
See below for some examples of the features!
Forensics
NTFSTool displays the complete structure of master boot record, volume boot record, partition table and MFT file record. It is also possible to dump any file (even $mft or SAM) or parse USN journals, LogFile including streams from Alternate Data Stream (ADS). The undelete command will search for any file record marked as "not in use" and allow you to retrieve the file (or part of the file if it was already rewritten). It support input from image file or live disk but you can also use tools like OSFMount to mount your disk image. Sparse and compressed files are also supported.
Bitlocker support
For bitlocked partition, it can display FVE records, check a password and key (bek, password, recovery key), extract VMK and FVEK. There is no bruteforce feature because GPU-based cracking is better (see Bitcracker and Hashcat) but you can get the hash for these tools.
EFS support
In the current version, masterkeys, private keys and certificates can be listed, displayed and decrypted using needed inputs (SID, password). Certificates with private keys can be exported using the backup command. Reinmport the backup on another machine to be able to read your encrypted file again!
More information on Mimikatz Wiki
Decryption of EFS encrypted files is coming!
Shell
There is a limited shell with few commands (exit, cd, ls, cat, pwd, cp).
Help & Examples
Help command displays description and examples for each command. Options can be entered as decimal or hex number with "0x" prefix (ex: inode).
ntfstool help [command]
| Command | Description |
|---|---|
| info | Display information for all disks and volumes |
| mbr | Display MBR structure, code and partitions for a disk |
| gpt | Display GPT structure, code and partitions for a disk |
| vbr | Display VBR structure and code for a specidifed volume (ntfs, fat32, fat1x, bitlocker supported) |
| extract | Extract a file from a volume. |
| image | Create an image file of a disk or volume. |
| mft | Display FILE record details for a specified MFT inode. Almost all attribute types supported |
| btree | Display VCN content and Btree index for an inode |
| bitlocker | Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK is displayed. |
| bitdecrypt | Decrypt a volume to a file using password, recovery key or bek. |
| efs.backup | Export EFS keys in PKCS12 (pfx) format. |
| efs.certificate | List, display and export system certificates (SystemCertificates/My/Certificates). |
| efs.key | List, display, decrypt and export private keys (Crypto/RSA). |
| efs.masterkey | List, display and decrypt masterkeys (Protect). |
| fve | Display information for the specified FVE block (0, 1, 2) |
| reparse | Parse and display reparse points from $Extend$Reparse. |
| logfile | Dump $LogFile file in specified format: csv, json, raw. |
| usn | Dump $UsnJrnl file in specified format: csv, json, raw. |
| shadow | List volume shadow snapshots from selected disk and volume. |
| streams | Display Alternate Data Streams |
| undelete | Search and extract deleted files for a volume. |
| shell | Start a mini Unix-like shell |
| smart | Display S.M.A.R.T data |
Limitations
- Some unsupported cases. WIP.
- No documentation
Feel free to open an issue or ask for a new feature!
Build
Vcpkg is the best way to install required third-party libs.
Install vcpkg as described here: vcpkg#getting-started
git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat
Integrate it to your VisualStudio env:
vcpkg integrate install
At build time, VisualStudio will detect the vcpkg.json file and install required packages automatically.
Current third-party libs:
- openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
- nlohmann-json: JSON for Modern C++
- distorm: Powerful Disassembler Library For x86/AMD64
- cppcoro: A library of C++ coroutine abstractions for the coroutines TS.
Examples
Info
| info |
|
| info disk=3 |
|
| info disk=3 volume=1 |
|
MBR
| mbr disk=2 |
|
GPT
| gpt disk=1 |
|
VBR
| vbr disk=3 volume=1 |
|
Extract
| extract disk=3 volume=1 from=\bob.txt output=d:\bob.txt |
|
| extract disk=0 volume=4 --system output=d:\system |
|
Image
| image disk=2 volume=2 output=d:\imagevol.raw |
|
| image disk=2 output=d:\image.raw |
|
MFT
| mft disk=2 volume=1 inode=5 (root folder) |
Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2020-02-24 19:42:23 | | | | | | FileRecord Changed Time : 2020-02-24 19:42:23 | | | | | | Last Access Time : 2020-02-24 19:42:23 | | | | | | Permissions : | | | | | | read_only : 0 | | | | | | hidden : 1 | | | | | | system : 1 | | | | | | device : 0 | | | | | | normal : 0 | | | | | | temporary : 0 | | | | | | sparse : 0 | | | | | | reparse_point : 0 | | | | | | compressed : 0 | | | | | | offline : 0 | | | | | | not_indexed : 1 | | | | | | encrypted : 0 | | | | | | Max Number of Versions : 0 | | | | | | Version Number : 0 | +------------------------------------------------------------------------------------------------------------------+ | 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 | | | | | | Parent Dir Sequence Num : 5 | | | | | | File Created Time : 2009-12-02 02:03:31 | | | | | | Last File Write Time : 2011-12-24 03:13:12 | | | | | | FileRecord Changed Time : 2011-12-24 03:13:12 | | | | | | Last Access Time : 1970-01-01 00:59:59 | | | | | | Allocated Size : 0 | | | | | | Real Size : 0 | | | | | | ------ | | | | | | Name : . | +------------------------------------------------------------------------------------------------------------------+ | 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 | | | | | | 8268d} | +------------------------------------------------------------------------------------------------------------------+ | 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h | | | | | | Collation Rule : 1 | | | | | | Index Alloc Entry Size : 4096 | | | | | | Cluster/Index Record : 1 | | | | | | ----- | | | | | | First Entry Offset : 16 | | | | | | Index Entries Size : 136 | | | | | | Index Entries Allocated : 136 | | | | | | Flags : Large Index | +------------------------------------------------------------------------------------------------------------------+ | 5 | $INDEX_ALLOCATION | True | 12288 | Index | | | | | | 0000000000000004 : $AttrDef | | | | | | 0000000000000008 : $BadClus | | | | | | 0000000000000006 : $Bitmap | | | | | | 0000000000000007 : $Boot | | | | | | 000000000000000b : $Extend | | | | | | 0000000000000002 : $LogFile | | | | | | 0000000000000000 : $MFT | | | | | | 0000000000000001 : $MFTMirr | | | | | | 000000000000002d : $RECYCLE.BIN | | | | | | 0000000000000009 : $Secure | | | | | | 000000000000000a : $UpCase | | | | | | 0000000000000003 : $Volume | | | | | | 0000000000000005 : . | | | | | | 000000000000240c : Dir1 | | | | | | 0000000000000218 : Dir2 | | | | | | 000000000000212a : Dir3 | | | | | | 0000000000000024 : Dir4 | | | | | | 0000000000000def : RECYCLER | | | | | | 000000000000001b : System Volume Information | | | | | | 000000000000001b : SYSTEM~1 | +------------------------------------------------------------------------------------------------------------------+ | 6 | $BITMAP | False | 8 | Index Node Used : 2 | +------------------------------------------------------------------------------------------------------------------+ "> |
Btree
| btree disk=0 volume=1 inode=5 (root folder) |
|
Bitlocker
| bitlocker disk=3 volume=1 |
|