dfir_ntfs: a forensic parser for NTFS filesystems
NTFS filesystem is a gold mine for forensic analysis on Microsoft Windows systems.
There are a lot of tools useful for extract a timeline of the activities on the filesystem, or for search anomalies that identify time stomping events.
Recently I’ve discovered another useful tool, developed by Maxim Suhanov, named dfir_ntfs :
dfir_ntfs: an NTFS parser for digital forensics & incident response
- Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible.
- Parse volumes, volume images, and volume shadow copies.
All timestamps reported by the tools are in UTC.
The MACE notation is used:
- modified (M)
- last accessed (A)
- created (C)
- $MFT entry modified (E).
# pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.0.9.tar.gz