dfir_ntfs: a forensic parser for NTFS filesystems
The NTFS filesystem is a gold mine for forensic analysis of Microsoft Windows systems.
Recently I’ve discovered another useful tool, developed by Maxim Suhanov, named dfir_ntfs:
dfir_ntfs: an NTFS parser for digital forensics & incident response
– Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible.
– Parse volumes, volume images, and volume shadow copies.
All timestamps reported by the tools are in UTC.
The MACE notation is used:
– modified (M)
– last accessed (A)
– created (C)
– $MFT entry modified (E).
# pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.0.9.tar.gz
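To make the UTC and MACE conventions above concrete, here is an added example (my own code, not part of dfir_ntfs) that decodes the four timestamps of a $STANDARD_INFORMATION attribute the way a parser has to: NTFS stores each one as a 64-bit FILETIME, a count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC, in the order created, modified, $MFT entry modified, accessed. The attribute bytes are constructed inline for the demo, not taken from a real volume. The sub-second check at the end is a common analyst heuristic, not something the page attributes to the tool: a timestamp whose fractional part is exactly zero may have been set through an API call with whole-second precision rather than by the filesystem itself.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 1601-01-01 00:00:00 UTC, counted in 100 ns ticks.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def decode_filetime(value):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime.

    Returns None for the zero value, which NTFS uses for 'not set'.
    Python datetimes only carry microseconds, so the last digit of the
    100 ns tick count is dropped here (keep the raw value if you need it).
    """
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def encode_filetime(dt):
    """Inverse of decode_filetime; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


# $STANDARD_INFORMATION attribute body, first 32 bytes (little-endian):
#   0x00 creation time            -> C
#   0x08 last modification time   -> M
#   0x10 $MFT entry modified time -> E
#   0x18 last access time         -> A
_SI_TIMES = struct.Struct('<QQQQ')


def parse_standard_information_mace(attr_body):
    """Return the MACE timestamps of a $STANDARD_INFORMATION body as UTC datetimes."""
    if len(attr_body) < _SI_TIMES.size:
        raise ValueError('$STANDARD_INFORMATION body too short')
    c, m, e, a = _SI_TIMES.unpack_from(attr_body, 0)
    return {
        'M': decode_filetime(m),
        'A': decode_filetime(a),
        'C': decode_filetime(c),
        'E': decode_filetime(e),
    }


def has_zero_subsecond(attr_body):
    """Heuristic: which of the four raw FILETIMEs have a zero fractional second.

    The filesystem writes full 100 ns precision; values that are exact whole
    seconds are worth a second look (but are not proof of tampering).
    """
    c, m, e, a = _SI_TIMES.unpack_from(attr_body, 0)
    raw = {'M': m, 'A': a, 'C': c, 'E': e}
    return {k: (v != 0 and v % TICKS_PER_SECOND == 0) for k, v in raw.items()}


def build_sample():
    """Constructed $STANDARD_INFORMATION body (hypothetical values, not a real record)."""
    created = datetime(2020, 5, 4, 12, 0, 0, 123456, tzinfo=timezone.utc)
    modified = datetime(2020, 5, 4, 12, 30, 0, 654321, tzinfo=timezone.utc)
    mft_mod = datetime(2020, 5, 4, 12, 30, 1, 7, tzinfo=timezone.utc)
    accessed = datetime(2020, 5, 5, 8, 0, 0, tzinfo=timezone.utc)  # whole second on purpose
    times = _SI_TIMES.pack(
        encode_filetime(created),
        encode_filetime(modified),
        encode_filetime(mft_mod),
        encode_filetime(accessed),
    )
    # Pad with zeros to stand in for the remaining $STANDARD_INFORMATION fields.
    return times + b'\x00' * 16


if __name__ == '__main__':
    body = build_sample()
    mace = parse_standard_information_mace(body)
    flags = has_zero_subsecond(body)
    for key in 'MACE':
        ts = mace[key]
        print(key, ts.isoformat() if ts else None,
              '(whole-second value)' if flags[key] else '')
```

Real $STANDARD_INFORMATION bodies come from an $MFT record's attribute list; this example starts at the attribute body, so the 32 timestamp bytes are at offset 0 and the FILETIME decoding is the only thing exercised.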