An NTFS/FAT parser for digital forensics & incident response
Licenses found: GPL-3.0 (License), Unknown (License.Python-LLFUSE)
msuhanov/dfir_ntfs
dfir_ntfs: an NTFS/FAT parser for digital forensics & incident response
(Python 3 only.)

1. Project goals

- Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible.
- Parse volumes, volume images, and volume shadow copies.
- Parse FAT12/16/32, exFAT volumes.

2. Installation

# pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.19.tar.gz

3. Timestamps

All timestamps reported by the tools are in UTC.
(For FAT file systems, all timestamps are local or UTC, returned as is.)

The MACE notation is used:
- modified (M),
- last accessed (A),
- created (C),
- $MFT entry modified (E).

In the WSL set of timestamps (and FAT):
- inode changed (CH).

4. License

This project is made available under the terms of the GNU GPL, version 3.
See the 'License' file.

The first exception is the "nist-hacking-case.mft" file. This file is from the
NIST Hacking Case, which is distributed by NIST. See the 'Use of NIST
Information' section here: <https://www.nist.gov/disclaimer>.

The second exception is boot code embedded in some test data. This code is not
covered by the GNU GPL, version 3.

(All exceptions are in the "test_data" directory, which is not installed.)

---
(c) Maxim Suhanov
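The MACE notation from section 3, shown as an added example (this is not dfir_ntfs code and does not use its API): the four 64-bit FILETIME values at the start of an NTFS $STANDARD_INFORMATION attribute body are stored in the order created, modified, $MFT entry modified, last accessed, and are decoded here to UTC and relabelled M, A, C, E. The function names and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(value):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime.

    Returns None when the value is beyond datetime's range (garbage or wiped
    fields). Sub-microsecond precision is dropped.
    """
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        return None

def utc_to_filetime(dt):
    """Inverse helper, used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_si_mace(body):
    """Map the four timestamps of a $STANDARD_INFORMATION body to M, A, C, E."""
    if len(body) < 32:
        raise ValueError("$STANDARD_INFORMATION body shorter than 32 bytes")
    # On-disk order: created, modified, $MFT entry modified, last accessed.
    c, m, e, a = struct.unpack_from("<4Q", body, 0)
    return {k: filetime_to_utc(v) for k, v in (("M", m), ("A", a), ("C", c), ("E", e))}

# Constructed sample values (not taken from a real volume).
SAMPLE_TIMES = {
    "C": datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc),
    "M": datetime(2021, 6, 7, 8, 9, 10, 500000, tzinfo=timezone.utc),
    "E": datetime(2021, 6, 7, 8, 9, 11, tzinfo=timezone.utc),
    "A": datetime(2022, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
}
SAMPLE_SI = struct.pack(
    "<4Q", *(utc_to_filetime(SAMPLE_TIMES[k]) for k in "CMEA")
) + b"\x00" * 16  # remaining fields zeroed; they are not read here

if __name__ == "__main__":
    for letter, ts in parse_si_mace(SAMPLE_SI).items():
        print(letter, ts.isoformat() if ts else "invalid")
```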