The NTFS filesystem is a gold mine for forensic analysis on Microsoft Windows systems.

There are a lot of tools useful for extracting a timeline of the activity on the filesystem, or for searching for anomalies that reveal time stomping events.

Recently I’ve discovered another useful tool, developed by Maxim Suhanov, named dfir_ntfs [1]:

dfir_ntfs: an NTFS parser for digital forensics & incident response

Project goals

- Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible.
- Parse volumes, volume images, and volume shadow copies.

Timestamps

All timestamps reported by the tools are in UTC.

The MACE notation is used:

- modified (M)
- last accessed (A)
- created (C)
- $MFT entry modified (E).


Installation

# pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.0.9.tar.gz
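To make the MACE notation and the time stomping anomalies mentioned above concrete, here is an added example (my own code, not part of dfir_ntfs or its documentation). It decodes the 64-bit FILETIME values that NTFS stores in the $STANDARD_INFORMATION and $FILE_NAME attributes into UTC, labels them C/M/E/A, and applies two well-known indicators: a $SI creation time earlier than the $FN creation time, and timestamps with a zero sub-second fraction. The attribute bodies are constructed in `build_sample()` for demonstration and do not come from a real image; the indicator names are my own.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores every timestamp as a FILETIME: 64-bit count of 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
# Well-known FILETIME value of the Unix epoch (1970-01-01T00:00:00Z).
UNIX_EPOCH_FILETIME = 116444736000000000

# On-disk order of the four timestamps in both $STANDARD_INFORMATION and $FILE_NAME:
# created, modified, $MFT entry modified, last accessed (8 bytes each, little-endian).
MACE_FIELDS = ("C", "M", "E", "A")


def filetime_to_utc(ticks):
    """Convert FILETIME ticks to a timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; dt must be timezone-aware."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def parse_mace(raw, offset=0):
    """Read four consecutive FILETIMEs and return them keyed by MACE letter."""
    ticks = struct.unpack_from("<4Q", raw, offset)
    return dict(zip(MACE_FIELDS, ticks))


def parse_standard_information(body):
    """$STANDARD_INFORMATION (0x10): the timestamps are the first 32 bytes of the attribute body."""
    return parse_mace(body, 0)


def parse_file_name(body):
    """$FILE_NAME (0x30): an 8-byte parent directory reference precedes the timestamps."""
    return parse_mace(body, 8)


def format_mace(mace):
    """Render a MACE dict as ISO 8601 UTC strings."""
    return {k: filetime_to_utc(v).isoformat() for k, v in mace.items()}


def stomping_indicators(si, fn):
    """Return a list of indicator names; an empty list means nothing suspicious in these two attributes."""
    findings = []
    # $STANDARD_INFORMATION timestamps can be set from user mode (e.g. via SetFileTime),
    # whereas $FILE_NAME timestamps are maintained by the kernel. A $SI creation time earlier
    # than the $FN creation time is therefore a classic time stomping indicator.
    if si["C"] < fn["C"]:
        findings.append("si_created_before_fn_created")
    # Tools that set timestamps with one-second resolution leave the 100-ns fraction at zero.
    # This is a weak indicator on its own (files copied from FAT media also look like this).
    for k in MACE_FIELDS:
        if si[k] % TICKS_PER_SECOND == 0:
            findings.append(f"si_{k}_zero_subsecond")
    return findings


def build_sample():
    """Constructed attribute bodies (not taken from any real image) showing a stomped $SI."""
    stomped = utc_to_filetime(datetime(2015, 3, 4, 12, 0, 0, tzinfo=timezone.utc))
    real = utc_to_filetime(datetime(2023, 6, 1, 9, 15, 30, 123456, tzinfo=timezone.utc)) + 7
    # C, M and A were rewritten to a round 2015 value; E was left as the kernel wrote it.
    si_body = struct.pack("<4Q", stomped, stomped, real + 5 * TICKS_PER_SECOND, stomped)
    # Parent reference, four timestamps, then the remaining $FILE_NAME fields (zeroed here).
    fn_body = b"\x00" * 8 + struct.pack("<4Q", real, real, real, real) + b"\x00" * 10
    return si_body, fn_body


def analyse_sample():
    """Parse the constructed attributes and return (si_times, fn_times, indicators)."""
    si_body, fn_body = build_sample()
    si, fn = parse_standard_information(si_body), parse_file_name(fn_body)
    return format_mace(si), format_mace(fn), stomping_indicators(si, fn)


if __name__ == "__main__":
    si_times, fn_times, indicators = analyse_sample()
    print("$STANDARD_INFORMATION:", si_times)
    print("$FILE_NAME:           ", fn_times)
    print("indicators:", indicators)
```

Everything is reported in UTC, as dfir_ntfs does, so timestamps from different volumes can be placed on one timeline without timezone conversion. The $SI/$FN comparison is only meaningful per file name attribute: a file can carry several $FILE_NAME attributes (long and short name), and each should be compared to the single $STANDARD_INFORMATION record.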


References

  1. https://github.com/msuhanov/dfir_ntfs
  2. How to extract data and timeline from Master File Table on NTFS filesystem
  3. Using MFT anomalies to spot suspicious files in forensic analysis
  4. MAC(b) times in Windows forensic analysis