NTFSTool is a forensic tool focused on NTFS volumes.
It supports reading partition information (MBR, partition table, VBR) as well as information on BitLocker-encrypted volumes, EFS-encrypted files and more.
See below for some examples of the features!
Features
Forensics
NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and MFT file records.
It can also dump any file (even $MFT or SAM), parse the USN journal and $LogFile, and read Alternate Data Streams (ADS).
The undelete command searches for any file record marked as "not in use" and lets you retrieve the file (or the part of it that has not already been overwritten).
It accepts input from an image file or a live disk; you can also use tools like OSFMount to mount your disk image.
Sparse and compressed files are also supported.
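The MBR structure that the mbr command displays is small enough to parse by hand. As an added example (not NTFSTool's own code), here is a Python parser for a 512-byte boot sector that decodes the four partition entries, the disk signature and the 0x55AA signature, and flags the inconsistencies an analyst wants to see (bad status bytes, overlapping partitions); the sample sector is constructed in the script and is not taken from the page.

```python
import struct

# Partition type bytes an analyst meets most often (a subset, not an exhaustive table).
PART_TYPES = {
    0x00: "Empty", 0x05: "Extended (CHS)", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x27: "Windows RE (hidden NTFS)",
    0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI system",
}

def decode_chs(raw: bytes) -> tuple:
    """Unpack the packed 3-byte CHS field into (cylinder, head, sector)."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector

def sanity_check(partitions: list) -> list:
    """Flag invalid status bytes and partitions whose LBA ranges overlap."""
    warnings = []
    for p in partitions:
        if not p["status_valid"]:
            warnings.append(f"entry {p['index']}: invalid status byte")
    ordered = sorted(partitions, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["lba_start"] <= a["lba_end"]:
            warnings.append(f"entries {a['index']} and {b['index']} overlap")
    return warnings

def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR: boot code, disk signature, four partition entries, 0x55AA."""
    if len(sector) < 512:
        raise ValueError("MBR needs at least 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index  # partition table starts at byte 446, 16 bytes per entry
        status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        if ptype == 0 and lba_start == 0 and sectors == 0:
            continue  # unused slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "status_valid": status in (0x00, 0x80),
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "Unknown (0x%02x)" % ptype),
            "chs_start": decode_chs(chs_start),
            "chs_end": decode_chs(chs_end),
            "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors - 1,
        })
    return {
        "boot_code_present": any(sector[:440]),  # bytes 440..445 hold the disk signature
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
        "warnings": sanity_check(partitions),
    }

def build_sample_mbr() -> bytes:
    """Constructed test sector (not from the page): one bootable NTFS partition at LBA 2048."""
    boot_area = bytes(440) + struct.pack("<I", 0x12345678) + bytes(2)  # zero code + signature
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_area + ntfs + bytes(16) * 3 + b"\x55\xaa"

if __name__ == "__main__":
    result = parse_mbr(build_sample_mbr())
    for part in result["partitions"]:
        print(part)
    print("warnings:", result["warnings"])
```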
Bitlocker support
For a BitLocker-encrypted partition, it can display FVE records, check a password or key (BEK, password, recovery key), and extract the VMK and FVEK.
There is no brute-force feature because GPU-based cracking is better suited to that (see BitCracker and Hashcat), but you can get the hash for these tools.
EFS support
In the current version, masterkeys, private keys and certificates can be listed, displayed and decrypted given the needed inputs (SID, password).
Certificates with private keys can be exported using the backup command.
Reimport the backup on another machine to be able to read your encrypted files again!
More information on the Mimikatz Wiki.
Decryption of EFS-encrypted files is coming!
Shell
There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp).
Help & Examples
The help command displays a description and examples for each command.
Options can be entered as decimal or as hex with a "0x" prefix (e.g. inode).
ntfstool help [command]
Command | Description |
---|---|
info | Display information for all disks and volumes |
mbr | Display MBR structure, code and partitions for a disk |
gpt | Display GPT structure, code and partitions for a disk |
vbr | Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported) |
extract | Extract a file from a volume. |
image | Create an image file of a disk or volume. |
mft | Display FILE record details for a specified MFT inode. Almost all attribute types supported |
btree | Display VCN content and Btree index for an inode |
bitlocker | Display detailed information and hash ($bitlocker$) for all VMKs. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK are displayed. |
bitdecrypt | Decrypt a volume to a file using password, recovery key or bek. |
efs.backup | Export EFS keys in PKCS12 (pfx) format. |
efs.certificate | List, display and export system certificates (SystemCertificates/My/Certificates). |
efs.key | List, display, decrypt and export private keys (Crypto/RSA). |
efs.masterkey | List, display and decrypt masterkeys (Protect). |
fve | Display information for the specified FVE block (0, 1, 2) |
reparse | Parse and display reparse points from $Extend$Reparse. |
logfile | Dump $LogFile file in specified format: csv, json, raw. |
usn | Dump $UsnJrnl file in specified format: csv, json, raw. |
shadow | List volume shadow snapshots from selected disk and volume. |
streams | Display Alternate Data Streams |
undelete | Search and extract deleted files for a volume. |
shell | Start a mini Unix-like shell |
smart | Display S.M.A.R.T data |
Limitations
- Some unsupported cases. WIP.
- No documentation
Feel free to open an issue or ask for a new feature!
Build
vcpkg is the best way to install the required third-party libs.
Install vcpkg as described here: vcpkg#getting-started
git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat
Integrate it into your Visual Studio environment:
vcpkg integrate install
At build time, Visual Studio will detect the vcpkg.json file and install the required packages automatically.
Current third-party libs:
- openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
- nlohmann-json: JSON for Modern C++
- distorm: Powerful Disassembler Library For x86/AMD64
- cppcoro: A library of C++ coroutine abstractions for the coroutines TS.
Examples
Info
info
info disk=3
info disk=3 volume=1
MBR
mbr disk=2
GPT
gpt disk=1
VBR
vbr disk=3 volume=1
Extract
extract disk=3 volume=1 from=\bob.txt output=d:\bob.txt
```
Volume:1
-----------------------------------------------------
[+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}\
[-] Source      : \bob.txt
[-] Destination : d:\bob.txt
[-] Record Num  : 47 (0000002fh)
[+] File extracted (42 bytes written)
```
extract disk=0 volume=4 --system output=d:\system
```
Volume:4
-----------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source      : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num  : 623636 (00098414h)
[+] File extracted (19398656 bytes written)
```
Image
image disk=2 volume=2 output=d:\imagevol.raw
```
Volume:2
--------------------------------------------
[+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}\
[-] Size      : 33520128 (31.97 MiBs)
[-] BlockSize : 4096
[+] Copying   : [################################] 100% 0s
[+] Done
```
image disk=2 output=d:\image.raw
MFT
Btree
btree disk=0 volume=1 inode=5 (root folder)
```
Volume:1
-----------------------------------------------------------------

Attributes:
-----------
+-------------------------------------------------------------------------------------------+
| Id | Type              | Non-resident | Length | Overview                                 |
+-------------------------------------------------------------------------------------------+
| 1  | $INDEX_ROOT       | False        | 56     | Attribute Type          : Filename       |
|    |                   |              |        | Collation Rule          : 1              |
|    |                   |              |        | Index Alloc Entry Size  : 4096           |
|    |                   |              |        | Cluster/Index Record    : 1              |
|    |                   |              |        | -----                                    |
|    |                   |              |        | First Entry Offset      : 16             |
|    |                   |              |        | Index Entries Size      : 40             |
|    |                   |              |        | Index Entries Allocated : 40             |
|    |                   |              |        | Flags                   : Large Index    |
+-------------------------------------------------------------------------------------------+
| 2  | $INDEX_ALLOCATION | True         | 20480  | First VCN : 0x000000000000               |
|    |                   |              |        | Last VCN  : 0x000000000004               |
+-------------------------------------------------------------------------------------------+

$INDEX_ALLOCATION entries:
--------------------------
+--------------------------------------------------------------------------------------------+
| VCN           | Raw address   | Size          | Entries                                    |
+--------------------------------------------------------------------------------------------+
| 000000000000h | 000000024000h | 000000001000h | 000000000004: $AttrDef                     |
|               |               |               | 000000000008: $BadClus                     |
|               |               |               | 000000000006: $Bitmap                      |
....
|               |               |               | 000000000009: $Secure                      |
|               |               |               | 00000000000a: $UpCase                      |
|               |               |               | 000000000003: $Volume                      |
+--------------------------------------------------------------------------------------------+
| 000000000001h | 000000025000h | 000000001000h | 000000000098: randomfile - Copie (5).accdb |
|               |               |               | 000000000097: randomfile - Copie (5).bat   |
|               |               |               | 000000000095: randomfile - Copie (5).psd   |
|               |               |               | 000000000096: randomfile - Copie (5).txt   |
|               |               |               | 00000000009b: randomfile - Copie (6).accdb |
....
|               |               |               | 000000000083: randomfile.accdb             |
|               |               |               | 000000000082: randomfile.bat               |
|               |               |               | 000000000084: randomfile.psd               |
|               |               |               | 000000000081: randomfile.txt               |
|               |               |               | 000000000024: System Volume Information    |
+--------------------------------------------------------------------------------------------+
| 000000000002h | 0000007d6000h | 000000001000h |                                            |
+--------------------------------------------------------------------------------------------+
| 000000000003h | 0000007d7000h | 000000001000h | 000000000005: .                            |
|               |               |               | 000000000092: randomfile - Copie (4).txt   |
+--------------------------------------------------------------------------------------------+
| 000000000004h | 0000007d8000h | 000000001000h | 000000000027: random folder                |
|               |               |               | 00000000008c: randomfile - Copie (2).accdb |
|               |               |               | 00000000008b: randomfile - Copie (2).bat   |
|               |               |               | 000000000089: randomfile - Copie (2).psd   |
....
|               |               |               | 00000000008e: randomfile - Copie (3).txt   |
|               |               |               | 000000000094: randomfile - Copie (4).accdb |
|               |               |               | 000000000093: randomfile - Copie (4).bat   |
|               |               |               | 000000000091: randomfile - Copie (4).psd   |
+--------------------------------------------------------------------------------------------+

B-tree index:
-------------
Root
|- 000000000000:
|---- VCN: 3
      |- 000000000005: .
      |---- VCN: 0
            |- 000000000004: $AttrDef
            |- 000000000008: $BadClus
            |- 000000000006: $Bitmap
            ....
            |- 000000000009: $Secure
            |- 00000000000a: $UpCase
            |- 000000000003: $Volume
      |- 000000000092: randomfile - Copie (4).txt
      |---- VCN: 4
            |- 000000000027: random folder
            |- 00000000008c: randomfile - Copie (2).accdb
            |- 00000000008b: randomfile - Copie (2).bat
            |- 000000000089: randomfile - Copie (2).psd
            ....
            |- 000000000094: randomfile - Copie (4).accdb
            |- 000000000093: randomfile - Copie (4).bat
            |- 000000000091: randomfile - Copie (4).psd
|- 000000000000 (*)
|---- VCN: 1
      |- 000000000098: randomfile - Copie (5).accdb
      |- 000000000097: randomfile - Copie (5).bat
      |- 000000000095: randomfile - Copie (5).psd
      ....
      |- 000000000084: randomfile.psd
      |- 000000000081: randomfile.txt
      |- 000000000024: System Volume Information
```
Bitlocker
bitlocker disk=3 volume=1
bitlocker disk=3 volume=1 password=badpassword
bitlocker disk=3 volume=1 password=123456789
Bitdecrypt
bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
EFS-backup
efs.backup disk=0 volume=4 password=123456
```
Volume:4
-----------------------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
    8 directories found
[+] Searching for certificates
    - 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys
    - 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys
    - 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup)
    - ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok
      Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx
```
EFS-certificate
efs.certificate disk=0 volume=4
```
Volume:4
--------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
    8 directories found
[+] Searching for certificates
    8 certificate(s) found
[+] Certificates
+-----------------------------------------------------------------------------------------------------------------------------------+
| Id | User  | File                                                | Certificate                                                  |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 0  | Bobby | Name     : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct                      |
|    |       | Record   : 00000001d2d5h                            |                                                              |
|    |       | Size     : 850.00 bytes                             |                                                              |
|    |       |                                                     |                                                              |
|    |       | Creation : 2019-05-11 15:59:29                      |                                                              |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 1  | Bobby | Name     : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate                             |
|    |       | Record   : 00000000b5a4h                            |                                                              |
|    |       | Size     : 824.00 bytes                             |                                                              |
|    |       |                                                     |                                                              |
|    |       | Creation : 2021-03-03 18:02:33                      |                                                              |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 2  | Bobby | Name     : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4             |
|    |       | Record   : 00000000ab23h                            | Provider  : Microsoft Enhanced Cryptographic Provider v1.0   |
|    |       | Size     : 1.15 KiB                                 | Type      : PROV_RSA_FULL                                    |
|    |       |                                                     | KeySpec   : AT_KEYEXCHANGE                                   |
|    |       | Creation : 2020-08-17 13:20:03                      |                                                              |
+-----------------------------------------------------------------------------------------------------------------------------------+
..........
```
efs.certificate disk=0 volume=4 inode=0xb5a4
```
Volume:4
----------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate
+----------------------------------------------------------------------------------------------------------------------------+
| Id | Property                                 | Value                                                                      |
+----------------------------------------------------------------------------------------------------------------------------+
| 0  | File                                     | Creation : 2021-03-03 18:02:33                                             |
|    |                                          | Size     : 824.00 bytes                                                    |
+----------------------------------------------------------------------------------------------------------------------------+
| 1  | CERT_SHA1_HASH_PROP_ID                   | 14A67663C51C66FF5CAD89B4DC34495864338C67                                   |
+----------------------------------------------------------------------------------------------------------------------------+
| 2  | CERT_FRIENDLY_NAME_PROP_ID               | APNS certificate                                                           |
+----------------------------------------------------------------------------------------------------------------------------+
| 3  | CERT_KEY_IDENTIFIER_PROP_ID              | 82B87AE4F2251242252A2644D98169F34F909CA8                                   |
+----------------------------------------------------------------------------------------------------------------------------+
| 4  | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8                                           |
+----------------------------------------------------------------------------------------------------------------------------+
| 5  | CERT_CERTIFICATE_FILE                    | Data:                                                                      |
|    |                                          |     Version: 3 (0x2)                                                       |
|    |                                          |     Serial Number:                                                         |
|    |                                          |         01:20:cb:ab:28:8a:97:ee:99:cc                                      |
|    |                                          |     Signature Algorithm: sha1WithRSAEncryption                             |
|    |                                          |     Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA |
|    |                                          |     Validity                                                               |
|    |                                          |         Not Before: Mar  3 15:57:33 2021 GMT                               |
|    |                                          |         Not After : Mar  3 16:02:33 2022 GMT                               |
|    |                                          |     Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686                       |
|    |                                          |     Subject Public Key Info:                                               |
|    |                                          |         Public Key Algorithm: rsaEncryption                                |
|    |                                          |             RSA Public-Key: (1024 bit)                                     |
|    |                                          |             Modulus:                                                       |
|    |                                          |                 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94:              |
|    |                                          |                 db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de:              |
...
|    |                                          |                 a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42:              |
|    |                                          |                 9e:6f:85:9c:b6:8f:be:d3:05                                 |
|    |                                          |             Exponent: 65537 (0x10001)                                      |
|    |                                          |     X509v3 extensions:                                                     |
|    |                                          |         X509v3 Authority Key Identifier:                                   |
|    |                                          |             keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D           |
|    |                                          |             8:A7:4C:8E:74                                                  |
|    |                                          |         X509v3 Subject Key Identifier:                                     |
|    |                                          |             82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9           |
|    |                                          |             0:9C:A8                                                        |
|    |                                          |         X509v3 Basic Constraints: critical                                 |
|    |                                          |             CA:FALSE                                                       |
|    |                                          |         X509v3 Key Usage: critical                                         |
|    |                                          |             Digital Signature, Key Encipherment                            |
|    |                                          |         X509v3 Extended Key Usage: critical                                |
|    |                                          |             TLS Web Server Authentication, TLS Web Client Authen           |
|    |                                          |             tication                                                       |
|    |                                          |         1.2.840.113635.100.6.10.6:                                         |
|    |                                          |             ..                                                             |
|    |                                          |     Signature Algorithm: sha1WithRSAEncryption                             |
|    |                                          |          28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11:            |
...
|    |                                          |          27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53:            |
|    |                                          |          ff:0c                                                             |
+----------------------------------------------------------------------------------------------------------------------------+
```
efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem
```
Volume:4
----------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem
```
EFS-key
efs.key disk=0 volume=4
```
Volume:4
------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories:
    8 directories found
[+] Searching for keys
    9713 key(s) found
[+] Keys
+------------------------------------------------------------------------------------------------------------------+
| Id | User  | Keyfile                              | Name                                   | Creation Date       |
+------------------------------------------------------------------------------------------------------------------+
| 0  | User1 | Name   : 0004f7ed30db...017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
|    |       | Record : 0000000246c5h               |                                        |                     |
|    |       | Size   : 4.00 KiBs                   |                                        |                     |
+------------------------------------------------------------------------------------------------------------------+
| 1  | User1 | Name   : 0016875547ba...f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
|    |       | Record : 000000019f19h               |                                        |                     |
|    |       | Size   : 4.00 KiBs                   |                                        |                     |
+------------------------------------------------------------------------------------------------------------------+
| 2  | User1 | Name   : 002a02ec680e...9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 |
..........
```
efs.key disk=0 volume=4 inode=742107
```
Volume:4
----------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[+] Key
+------------------------------------------------------------------------------------------------------------------+
| Id | Property             | Value                                                                                |
+------------------------------------------------------------------------------------------------------------------+
| 0  | File                 | Creation : 2021-09-23 22:16:43                                                       |
|    |                      | Size     : 4.00 KiBs                                                                 |
+------------------------------------------------------------------------------------------------------------------+
| 1  | Version              | 0                                                                                    |
+------------------------------------------------------------------------------------------------------------------+
| 2  | Name                 | ef456e5b-43e4-4eda-a80b-e234611306d4                                                 |
+------------------------------------------------------------------------------------------------------------------+
| 3  | Flags                | 00000000h                                                                            |
+------------------------------------------------------------------------------------------------------------------+
| 4  | PublicKey            | Magic       : 31415352h (RSA1)                                                       |
|    |                      | Size        : 2048                                                                   |
|    |                      | Exponent    : 65537                                                                  |
|    |                      |                                                                                      |
|    |                      | Permissions : CRYPT_ENCRYPT                                                          |
|    |                      |               CRYPT_DECRYPT                                                          |
|    |                      |               CRYPT_EXPORT                                                           |
|    |                      |               CRYPT_READ                                                             |
...
|    |                      |                                                                                      |
|    |                      | Modulus     : 96883F07FF78DA8354D037A94F897BD7                                       |
...
|    |                      |               FA77A3D04DD10D044761E65355B335B5                                       |
+------------------------------------------------------------------------------------------------------------------+
| 5  | Encrypted PrivateKey | Version           : 1                                                                |
|    |                      | Provider GUID     : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}                           |
|    |                      | MasterKey Version : 1                                                                |
|    |                      | MasterKey GUID    : {9ac19509-54d3-48bc-8c67-4cfb01d73498}                           |
|    |                      |                                                                                      |
|    |                      | Description       : Clé privée CryptoAPI                                             |
|    |                      | Flags             : 00000000h                                                        |
|    |                      |                                                                                      |
|    |                      | Encryption Alg    : CALG_AES_256                                                     |
|    |                      | Hash Alg          : CALG_SHA_512                                                     |
|    |                      |                                                                                      |
|    |                      | Salt              : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
|    |                      |                                                                                      |
|    |                      | HMAC              : -                                                                |
|    |                      | HMAC2             : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
|    |                      |                                                                                      |
|    |                      | Encrypted Data    : D7DAD9229C91DBC9608852A4411527D7                                 |
|    |                      |                     58DB27E19596DD118F2D70F68CC7913C                                 |
...
|    |                      |                     7870F6C68DA1B9139BF6E39725F4E72E                                 |
|    |                      |                     4EC435C947F127CA3E333CB5E2F43978                                 |
|    |                      |                                                                                      |
|    |                      | Signature Data    : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
|    |                      |                     5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+------------------------------------------------------------------------------------------------------------------+
| 6  | Hash                 | 0000000000000000000000000000000000000000                                             |
+------------------------------------------------------------------------------------------------------------------+
| 7  | ExportFlag           | Version           : 1                                                                |
|    |                      | Provider GUID     : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}                           |
|    |                      | MasterKey Version : 1                                                                |
|    |                      | MasterKey GUID    : {9ac19509-54d3-48bc-8c67-4cfb01d73498}                           |
|    |                      |                                                                                      |
|    |                      | Description       : Export Flag                                                      |
|    |                      | Flags             : 00000000h                                                        |
|    |                      |                                                                                      |
|    |                      | Encryption Alg    : CALG_AES_256                                                     |
|    |                      | Hash Alg          : CALG_SHA_512                                                     |
|    |                      |                                                                                      |
|    |                      | Salt              : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
|    |                      |                                                                                      |
|    |                      | HMAC              : -                                                                |
|    |                      | HMAC2             : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
|    |                      |                                                                                      |
|    |                      | Encrypted Data    : 875A6429226F11DFD3690D43BE633287                                 |
|    |                      |                                                                                      |
|    |                      | Signature Data    : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
|    |                      |                     9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+------------------------------------------------------------------------------------------------------------------+
```
efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30...178c5bff4979eb
```
Volume:4
----------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
    Encryption Algorithm : CALG_AES_256
    Hash Algorithm       : CALG_SHA_512
    Salt                 : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits):
+----------------------------------------------------------+
| Id | Property         | Value                            |
+----------------------------------------------------------+
| 0  | Magic            | RSA2                             |
+----------------------------------------------------------+
| 1  | Bitsize          | 2048                             |
+----------------------------------------------------------+
| 2  | Permissions      | CRYPT_ENCRYPT                    |
|    |                  | CRYPT_DECRYPT                    |
|    |                  | CRYPT_EXPORT                     |
|    |                  | CRYPT_READ                       |
|    |                  | CRYPT_WRITE                      |
|    |                  | CRYPT_MAC                        |
|    |                  | CRYPT_EXPORT_KEY                 |
|    |                  | CRYPT_IMPORT_KEY                 |
+----------------------------------------------------------+
| 3  | Exponent         | 65537                            |
+----------------------------------------------------------+
| 4  | Modulus          | 96883F07FF78DA8354D037A94F897BD7 |
...
|    |                  | FA77A3D04DD10D044761E65355B335B5 |
+----------------------------------------------------------+
| 5  | Prime1           | C02F585644ED6326FF82368B0AD9ECD4 |
...
|    |                  | 65F7DE6D173FEBEF95BE491FB222E07B |
+----------------------------------------------------------+
| 6  | Prime2           | C884376BBC50C2A14C495894FBF980DE |
...
|    |                  | 6759E812B6385B9151EBED8DCD65238F |
+----------------------------------------------------------+
| 7  | Exponent1        | 0E33B17876918051427271EB667AE238 |
...
|    |                  | 69349EF83ACE9B75D20004D155CDA3FF |
+----------------------------------------------------------+
| 8  | Exponent2        | 5BF265077E1EFA60C47E8DA423B751A4 |
...
|    |                  | E7008F2EA5684A74E4BFEEFAAB48C979 |
+----------------------------------------------------------+
| 9  | Coefficient      | 7D68AA3844F096959C23BD59E4BE3147 |
...
|    |                  | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 |
+----------------------------------------------------------+
| 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA |
|    |                  | 40D83B3FBF0D9D016C419E6B6744AD73 |
...
|    |                  | 47685BDEB0FABDC21AF5CABBA13D138D |
|    |                  | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+
```
efs.key disk=0 volume=4 inode=742107 masterkey=34...eb output=mykey format=pem
```
Volume:4
----------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
    Encryption Algorithm : CALG_AES_256
    Hash Algorithm       : CALG_SHA_512
    Salt                 : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Public key exported to mykey.pub.pem.
[+] Private key exported to mykey.priv.pem.
```
EFS-masterkey
efs.masterkey disk=0 volume=4
```
Volume:4
----------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
    8 directories found
[+] Searching for keys
    19 key(s), 2 preferred file(s) found
[+] MasterKeys
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Id | User           | Keyfile                                      | Key(s)                                             | Creation Date       |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 0  | DefaultAppPool | Name   : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey                                          | 2021-08-17 14:54:41 |
|    |                | Record : 000000031848h                       | Version : 2                                        |                     |
|    |                | Size   : 468.00 bytes                        | Algo    : CALG_SHA_512 - CALG_AES_256              |                     |
|    |                |                                              | Salt    : FA737C82899CC3F61A3B332B15FDC241         |                     |
|    |                |                                              | Rounds  : 8000                                     |                     |
|    |                |                                              | BackupKey                                          |                     |
|    |                |                                              | Version : 2                                        |                     |
|    |                |                                              | Algo    : CALG_SHA_512 - CALG_AES_256              |                     |
|    |                |                                              | Salt    : DF0651C903763132BC3043BF144A7DDD         |                     |
|    |                |                                              | Rounds  : 8000                                     |                     |
|    |                |                                              | CredHist                                           |                     |
|    |                |                                              | Version : 3                                        |                     |
|    |                |                                              | GUID    : {00000000-0000-0000-0000-000000000000}   |                     |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1  | DefaultAppPool | Name   : Preferred                           | Preferred                                          | 2021-08-17 14:54:41 |
|    |                | Record : 00000003184ah                       | GUID  : {e4ed144f-6522-4471-8893-a6e29e175ba6}     |                     |
|    |                | Size   : 24.00 bytes                         | Renew : 2021-11-15 12:54:41                        |                     |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 2  | Bob            | Name   : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey                                          | 2021-03-05 01:16:42 |
|    |                | Record : 000000004f4ah                       | Version : 2                                        |                     |
|    |                | Size   : 468.00 bytes                        | Algo    : CALG_SHA_512 - CALG_AES_256              |                     |
|    |                |                                              | Salt    : 39B575D1816DE8224B9E11C38E35EB34         |                     |
|    |                |                                              | Rounds  : 8000                                     |                     |
|    |                |                                              | BackupKey                                          |                     |
..........
```
efs.masterkey disk=0 volume=4 inode=0x80544
```
Volume:4
------------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[+] MasterKey
+--------------------------------------------------------------------+
| Id | Property  | Value                                             |
+--------------------------------------------------------------------+
| 0  | File      | Creation : 2020-07-06 05:56:06                    |
|    |           | Size     : 468.00 bytes                           |
+--------------------------------------------------------------------+
| 1  | Version   | 2                                                 |
+--------------------------------------------------------------------+
| 2  | GUID      | 9ac19509-54d3-48bc-8c67-4cfb01d73498              |
+--------------------------------------------------------------------+
| 3  | Policy    | 00000005h                                         |
+--------------------------------------------------------------------+
| 4  | MasterKey | Version  : 2                                      |
|    |           | Salt     : 3ED4CDBCC4073D6724A512061D0597E1        |
|    |           | Rounds   : 8000                                   |
|    |           | Hash Alg : CALG_SHA_512                           |
|    |           | Enc Alg  : CALG_AES_256                           |
|    |           | Enc Key  : 3610946FE1A7B9099D0AFA7658325014        |
|    |           |            296D1F0E5BA93249858BE3ACCC8FD7A8        |
|    |           |            F62DB6808833FC303095C6588BDE3826        |
|    |           |            80ABF391222CD77661BCCB637DDAC490        |
|    |           |            B5FC02C854EF45490EE10851EF524DE2        |
|    |           |            85DD508F905216D528D3DC3336830FF9        |
|    |           |            690472730A03D64CF892E06B9AA35692        |
|    |           |            AB7679E908D487119030B73CB87E6F9F        |
|    |           |            731F65609CB8ACA972BCC9042B27B9B4        |
+--------------------------------------------------------------------+
| 5  | BackupKey | Version  : 2                                      |
|    |           | Salt     : B60E21F9578D02A97964D7B10151BE69        |
|    |           | Rounds   : 8000                                   |
|    |           | Hash Alg : CALG_SHA_512                           |
|    |           | Enc Alg  : CALG_AES_256                           |
|    |           | Enc Key  : CD5D3684873D6A1D66520FB1642779E1        |
|    |           |            D78A649F02DDFE7C069F9B5F8FF9F005        |
|    |           |            7DC01E0A6AA9A815C8887BC1BF5B88E6        |
|    |           |            E797DC5F4A3A0535B3217BADC7FAD38E        |
|    |           |            798C1846423C8631DE472D790B308B2D        |
|    |           |            F15340B87FCD55A98DAEE92196235CF9        |
|    |           |            B328FAF475C05A911DF19C99D54D5A3C        |
+--------------------------------------------------------------------+
| 6  | CredHist  | Version : 3                                       |
|    |           | GUID    : {20e0b482-797f-429e-b4a0-30020731ef0a}  |
+--------------------------------------------------------------------+
```
efs.masterkey disk=0 volume=4 inode=0x80544 sid="S-1-5-21-1521398...3175218-1001" password="ntfst00l"
```
Volume:4
------------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[-] Masterkey
    Encryption Algorithm : CALG_AES_256
    Hash Algorithm       : CALG_SHA_512
    Rounds               : 8000
    Salt                 : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits):
    34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6
    0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB
```
FVE
fve disk=3 volume=1 fve_block=2
reparse
reparse disk=0 volume=4
logfile
logfile disk=4 volume=1 output=logfile.csv format=csv
Sample of logfile.csv
usn
usn disk=4 volume=1 output=usn.csv format=csv
Sample of usn.csv
shadow
shadow disk=0 volume=4
streams
streams disk=0 volume=4 from=c:\test.pdf
```
Volume:4
----------------------------------------------------------
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source     : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s):
+-----------------------------+
| Id | Name            | Size |
+-----------------------------+
| 0  | Zone.Identifier | 27   |
+-----------------------------+
```
undelete
undelete disk=4 volume=1
undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
shell
shell disk=4 volume=1
```
ls
Inode | Type | Name                      | Size      | Creation Date       | Attributes
---------------------------------------------------------------------------------------
4     |      | $AttrDef                  | 2560      | 2020-02-26 16:35:29 | Hi Sy
8     |      | $BadClus                  | 0         | 2020-02-26 16:35:29 | Hi Sy
      | ADS  | $Bad                      | 536866816 |                     |
6     |      | $Bitmap                   | 16384     | 2020-02-26 16:35:29 | Hi Sy
7     |      | $Boot                     | 8192      | 2020-02-26 16:35:29 | Hi Sy
11    | DIR  | $Extend                   |           | 2020-02-26 16:35:29 | Hi Sy
2     |      | $LogFile                  | 4341760   | 2020-02-26 16:35:29 | Hi Sy
0     |      | $MFT                      | 262144    | 2020-02-26 16:35:29 | Hi Sy
1     |      | $MFTMirr                  | 4096      | 2020-02-26 16:35:29 | Hi Sy
50    | DIR  | $RECYCLE.BIN              |           | 2020-02-26 16:40:34 | Hi Sy
9     |      | $Secure                   | 0         | 2020-02-26 16:35:29 | Hi Sy
      | ADS  | $SDS                      | 264200    |                     |
10    |      | $UpCase                   | 131072    | 2020-02-26 16:35:29 | Hi Sy
      | ADS  | $Info                     | 32        |                     |
3     |      | $Volume                   | 0         | 2020-02-26 16:35:29 | Hi Sy
5     | DIR  | .                         |           | 2020-02-26 16:35:29 | Hi Sy
85010 |      | 7z1900-x64.exe            | 1447178   | 2020-07-29 17:19:49 | Ar
      | ADS  | Zone.Identifier           | 123       |                     |
42    |      | hello.txt                 | 5         | 2020-02-26 21:27:33 | Ar
39    |      | kitten1.jpg               | 23486     | 2020-02-26 16:37:23 | Ar
      | ADS  | Zone.Identifier           | 154       |                     |
40    |      | kitten2.jpg               | 79678     | 2020-02-26 16:37:55 | Ar
      | ADS  | Zone.Identifier           | 303       |                     |
41    |      | kitten3.jpg               | 5219      | 2020-02-26 16:38:16 | Ar
      | ADS  | Zone.Identifier           | 262       |                     |
36    | DIR  | System Volume Information |           | 2020-02-26 16:35:29 | Hi Sy
disk4:volume1:> pwd
\
disk4:volume1:> cat hello.txt
Hey !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe
disk4:volume1:> exit
```
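The Zone.Identifier stream that the shell session above reads with cat is the Mark-of-the-Web that browsers and mail clients attach to downloaded files, so it is one of the first things to triage once streams have been dumped. As an added example (not part of NTFSTool), here is a Python parser for that stream plus a triage pass over a set of dumped streams; the sample contents are constructed, the first one mirrors the 7-Zip entry shown in the session, and the other two are made up.

```python
from urllib.parse import urlparse

# Constructed Zone.Identifier stream contents keyed by the file they belong to
# (not copied from a real disk). The 7-Zip entry matches the shell session above.
SAMPLE_STREAMS = {
    "7z1900-x64.exe": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                       "ReferrerUrl=https://www.7-zip.org/download.html\r\n"
                       "HostUrl=https://www.7-zip.org/a/7z1900-x64.exe\r\n"),
    "kitten1.jpg": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n",
    "notes.txt": "[ZoneTransfer]\r\nZoneId=1\r\n",
}

# URLZONE values written into ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Extensions Windows will run or mount directly; a hypothetical shortlist for triage.
RISKY_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".js",
                    ".vbs", ".hta", ".msi", ".iso", ".lnk")

def parse_zone_identifier(stream: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    section, fields = None, {}
    for raw in stream.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        raise ValueError("stream has no ZoneId under [ZoneTransfer]")
    zone_id = int(fields["ZoneId"])
    host_url = fields.get("HostUrl")
    # Some clients only write "about:internet" here, so the download host can be absent.
    download_host = urlparse(host_url).hostname if host_url else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": fields.get("ReferrerUrl"),
        "host_url": host_url,
        "download_host": download_host,
        "from_internet": zone_id >= 3,
    }

def triage(streams: dict) -> list:
    """Return (filename, zone name, download host) for files that came from the
    Internet or Restricted zones and carry an extension Windows executes."""
    hits = []
    for name, stream in streams.items():
        try:
            info = parse_zone_identifier(stream)
        except ValueError:
            continue  # malformed or empty stream: nothing to say about its origin
        if info["from_internet"] and name.lower().endswith(RISKY_EXTENSIONS):
            hits.append((name, info["zone_name"], info["download_host"]))
    return hits

if __name__ == "__main__":
    for name, stream in SAMPLE_STREAMS.items():
        print(name, parse_zone_identifier(stream))
    print("triage hits:", triage(SAMPLE_STREAMS))
```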
smart
smart disk=1
Source : KitPloit – PenTest Tools!