NTFSTool – Forensics Tool For NTFS (Parser, MTF, Bitlocker, Deleted Files)

NTFSTool is a forensic tool focused on NTFS volumes.
It supports reading partition info (mbr, partition table, vbr) but also information on bitlocker encrypted volume, EFS encrypted files and more.

See below for some examples of the features!

Features

Forensics

NTFSTool displays the complete structure of master boot record, volume boot record, partition table and MFT file record.
It is also possible to dump any file (even $mft or SAM) or parse USN journals, LogFile including streams from Alternate Data Stream (ADS).
The undelete command will search for any file record marked as “not in use” and allow you to retrieve the file (or part of the file if it was already rewritten).
It support input from image file or live disk but you can also use tools like OSFMount to mount your disk image.
Sparse and compressed files are also supported.

Bitlocker support

For bitlocked partition, it can display FVE records, check a password and key (bek, password, recovery key), extract VMK and FVEK.
There is no bruteforce feature because GPU-based cracking is better (see Bitcracker and Hashcat) but you can get the hash for these tools.

EFS support

In the current version, masterkeys, private keys and certificates can be listed, displayed and decrypted using needed inputs (SID, password).
Certificates with private keys can be exported using the backup command.
Reinmport the backup on another machine to be able to read your encrypted file again!

More information on Mimikatz Wiki

Decryption of EFS encrypted files is coming!

Shell

There is a limited shell with few commands (exit, cd, ls, cat, pwd, cp).

Help & Examples

Help command displays description and examples for each command.
Options can be entered as decimal or hex number with “0x” prefix (ex: inode).

ntfstool help [command]

Command	Description
info	Display information for all disks and volumes
mbr	Display MBR structure, code and partitions for a disk
gpt	Display GPT structure, code and partitions for a disk
vbr	Display VBR structure and code for a specidifed volume (ntfs, fat32, fat1x, bitlocker supported)
extract	Extract a file from a volume.
image	Create an image file of a disk or volume.
mft	Display FILE record details for a specified MFT inode. Almost all attribute types supported
btree	Display VCN content and Btree index for an inode
bitlocker	Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK is displayed.
bitdecrypt	Decrypt a volume to a file using password, recovery key or bek.
efs.backup	Export EFS keys in PKCS12 (pfx) format.
efs.certificate	List, display and export system certificates (SystemCertificates/My/Certificates).
efs.key	List, display, decrypt and export private keys (Crypto/RSA).
efs.masterkey	List, display and decrypt masterkeys (Protect).
fve	Display information for the specified FVE block (0, 1, 2)
reparse	Parse and display reparse points from $Extend$Reparse.
logfile	Dump $LogFile file in specified format: csv, json, raw.
usn	Dump $UsnJrnl file in specified format: csv, json, raw.
shadow	List volume shadow snapshots from selected disk and volume.
streams	Display Alternate Data Streams
undelete	Search and extract deleted files for a volume.
shell	Start a mini Unix-like shell
smart	Display S.M.A.R.T data

Limitations

Some unsupported cases. WIP.
No documentation

Feel free to open an issue or ask for a new feature!

Build

Vcpkg is the best way to install required third-party libs.

Install vcpkg as described here: vcpkg#getting-started

git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat

Integrate it to your VisualStudio env:

vcpkg integrate install

At build time, VisualStudio will detect the vcpkg.json file and install required packages automatically.

Current third-party libs:

openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
nlohmann-json: JSON for Modern C++
distorm: Powerful Disassembler Library For x86/AMD64
cppcoro: A library of C++ coroutine abstractions for the coroutines TS.

Examples

Info

info

+-------------------------------------------------------------------------------------+
| Id | Model | Type | Partition | Size |
+-------------------------------------------------------------------------------------+
| 0 | Samsung SSD 850 EVO 500GB | Fixed SSD | GPT | 500107862016 (465.76 GiBs) |
| 1 | ST2000DM001-1ER164 | Fixed HDD | GPT | 2000398934016 (1.82 TiB) |
| 2 | 15EADS External | Fixed HDD | MBR | 1500301910016 (1.36 TiB) |
| 3 | osfdisk | Fixed HDD | MBR | 536870912 (512.00 MiBs) |
+-------------------------------------------------------------------------------------+

info disk=3

Model : osfdisk
Version : 1
Serial :
Media Type : Fixed HDD
Size : 536870912 (512.00 MiBs)
Geometry : 512 bytes * 63 sectors * 255 tracks * 65 cylinders
Volume : MBR+--------------------------------------------------------------------------------------------------+
| Id | Boot | Label | Mounted | Filesystem | Offset | Size |
+--------------------------------------------------------------------------------------------------+
| 1 | No | NTFSDRIVE | F:\ | Bitlocker | 0000000000000200 | 000000001ffffe00 (512.00 MiBs) |
+--------------------------------------------------------------------------------------------------+

info disk=3 volume=1

Serial Number : 0000aa60-00002eae
Filesystem : Bitlocker
Bootable : False
Type : Fixed
Label : NTFSDRIVE
Offset : 512 (512.00 bytes)
Size : 536870400 (512.00 MiBs)
Free : 519442432 (495.38 MiBs)
Mounted : True (F:\)
Bitlocker : True (Unlocked)

MBR

mbr disk=2

MBR from \\.\PhysicalDrive2
---------------------------Disk signature : e4589462
Reserved bytes : 0000
Partition table :
+---------------------------------------------------------------------------------------------------+
| Id | Boot | Flags | Filesystem | First sector | Last sector | Offset | Sectors | Size |
+---------------------------------------------------------------------------------------------------+
| 1 | No | Principal | NTFS / exFAT | 0 2 3 | 255 254 255 | 128 | 16771072 | 8.00 GiBs |
+---------------------------------------------------------------------------------------------------+
MBR signature : 55aa
Strings:
[63] : Invalid partition table
[7b] : Error loading operating system
[9a] : Missing operating system
Disassemble Bootstrap Code [y/N] ? y
0000 : 33c0 : xor ax, ax
0002 : 8ed0 : mov ss, ax
0004 : bc007c : mov sp, 0x7c00
0007 : 8ec0 : mov es, ax
0009 : 8ed8 : mov ds, ax
000b : be007c : mov si, 0x7c00
000e : bf0006 : mov di, 0x600
0011 : b90002 : mov cx, 0x200
...

GPT

gpt disk=1

Signature : EFI PART
Revision : 1.0
Header Size : 92
Header CRC32 : cc72e4d3
Reserved : 00000000
Current LBA : 1
Backup LBA : 3907029167
First Usable LBA : 34
Last Usable LBA : 3907029134
GUID : {a21d6495-cd58-4b8d-b968-dc337adcf6ac}
Entry LBA : 2
Entries Num : 128
Entries Size : 128
Partitions CRC32 : 0c9a0a25Partition table : 2 entries
+------------------------------------------------------------------------------------------------------------------------+
| Id | Name | GUID | First sector | Last sector | Flags |
+------------------------------------------------------------------------------------------------------------------------+
| 1 | Microsoft reserved partition | {da0ac4a1-a78c-4053-bab5-36c70a71fe63} | 34 | 262177 | 000000000000 |
| 2 | Basic data partition | {4b4ea4b3-64a1-4c6d-bd4b-1c2b0e4e706f} | 264192 | 3907028991 | 000000000000 |
+------------------------------------------------------------------------------------------------------------------------+

VBR

vbr disk=3 volume=1

Structure :
Jump : eb5890 (jmp 0x7c5a)
OEM id : -FVE-FS-
BytePerSector : 512
SectorPerCluster : 8
Reserved Sectors : 0
Number of FATs : 0
Root Max Entries : 0
Total Sectors : 0
Media Type : f8
SectorPerFat : 8160
SectorPerTrack : 63
Head Count : 255
FS Offset : 1
Total Sectors : 0
FAT Flags : 0000
FAT Version : 0000
Root Cluster : 0
FS Info Sector : 1
Backup BootSector: 6
Reserved : 00000000
Reserved : 00000000
Reserved : 00000000
Drive Number : 80
Reserved : 00
Ext. Boot Sign : 29
Serial Nuumber : 00000000
Volume Name : NO NAME
FileSystem Type : FAT32
Volume GUID : {4967d63b-2e29-4ad8-8399-f6a339e3d001}
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
End marker : 55aaStrings:
[00] : Remove disks or other media. 
[1f] : Disk error 
[2c] : Press any key to restart
Disassemble Bootstrap Code [y/N] ? y
7c5a : eb58 : jmp 0x7cb4
7c5c : 90 : nop
7c5d : 2d4656 : sub ax, 0x5646
7c60 : 45 : inc bp
7c61 : 2d4653 : sub ax, 0x5346
7c64 : 2d0002 : sub ax, 0x200
[...]

Extract

extract disk=3 volume=1 from=\bob.txt output=d:\bob.txt

Volume:1
———————————————– [+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}\
[-] Source : \bob.txt
[-] Destination : d:\bob.txt
[-] Record Num : 47 (0000002fh)
[+] File extracted (42 bytes written) “>

Extract file from \\.\PhysicalDrive3 > Volume:1
-----------------------------------------------[+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}\
[-] Source : \bob.txt
[-] Destination : d:\bob.txt
[-] Record Num : 47 (0000002fh)
[+] File extracted (42 bytes written)

extract disk=0 volume=4 –system output=d:\system

Volume:4
———————————————– [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num : 623636 (00098414h)
[+] File extracted (19398656 bytes written) “>

Extract file from \\.\PhysicalDrive0 > Volume:4
-----------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num : 623636 (00098414h)
[+] File extracted (19398656 bytes written)

Image

image disk=2 volume=2 output=d:\imagevol.raw

Volume:2
—————————————- [+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}\
[-] Size : 33520128 (31.97 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done “>

Image from \\.\PhysicalDrive2 > Volume:2
----------------------------------------[+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}\
[-] Size : 33520128 (31.97 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done

image disk=2 output=d:\image.raw

Image from \\.\PhysicalDrive2
-----------------------------[+] Opening \\.\PhysicalDrive2
[-] Size : 67108864 (64.00 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Done

MFT

mft disk=2 volume=1 inode=5 (root folder)

Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 274035114
Sequence Number : 5
Hardlink Count : 1
Attribute Offset : 56
Flags : In_use | Directory
Real Size : 704
Allocated Size : 1024
Base File Record : 0
Next Attribute ID : 56
MFT Record Index : 5
Update Seq Number : 4461
Update Seq Array : 00000000Attributes:
-----------
+------------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2020-02-24 19:42:23 |
| | | | | FileRecord Changed Time : 2020-02-24 19:42:23 |
| | | | | Last Access Time : 2020-02-24 19:42:23 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 1 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 |
| | | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2011-12-24 03:13:12 |
| | | | | FileRecord Changed Time : 2011-12-24 03:13:12 |
| | | | | Last Access Time : 1970-01-01 00:59:59 |
| | | | | Allocated Size : 0 |
| | | | | Real Size : 0 |
| | | | | ------ |
| | | | | Name : . |
+------------------------------------------------------------------------------------------------------------------+
| 3 | $OBJECT_ID | False | 16 | Object Unique ID : {cce8fec5-9a29-11df-be68-0017f29 |
| | | | | 8268d} |
+------------------------------------------------------------------------------------------------------------------+
| 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 136 |
| | | | | Index Entries Allocated : 136 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
| 5 | $INDEX_ALLOCATION | True | 12288 | Index |
| | | | | 0000000000000004 : $AttrDef |
| | | | | 0000000000000008 : $BadClus |
| | | | | 0000000000000006 : $Bitmap |
| | | | | 0000000000000007 : $Boot |
| | | | | 000000000000000b : $Extend |
| | | | | 0000000000000002 : $LogFile |
| | | | | 0000000000000000 : $MFT |
| | | | | 0000000000000001 : $MFTMirr |
| | | | | 000000000000002d : $RECYCLE.BIN |
| | | | | 0000000000000009 : $Secure |
| | | | | 000000000000000a : $UpCase |
| | | | | 0000000000000003 : $Volume |
| | | | | 0000000000000005 : . |
| | | | | 000000000000240c : Dir1 |
| | | | | 0000000000000218 : Dir2 |
| | | | | 000000000000212a : Dir3 |
| | | | | 0000000000000024 : Dir4 |
| | | | | 0000000000000def : RECYCLER |
| | | | | 000000000000001b : System Volume Information |
| | | | | 000000000000001b : SYSTEM~1 |
+------------------------------------------------------------------------------------------------------------------+
| 6 | $BITMAP | False | 8 | Index Node Used : 2 |
+------------------------------------------------------------------------------------------------------------------+

Btree

btree disk=0 volume=1 inode=5 (root folder)

B-tree index (inode:5) from \\.\PhysicalDrive3 > Volume:1
---------------------------------------------------------Attributes:
-----------
+-------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------+
| 1 | $INDEX_ROOT | False | 56 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 40 |
| | | | | Index Entries Allocated : 40 |
| | | | | Flags : Large Index |
+-------------------------------------------------------------------------------------------+
| 2 | $INDEX_ALLOCATION | True | 20480 | First VCN : 0x000000000000 |
| | | | | Last VCN : 0x000000000004 |
+-------------------------------------------------------------------------------------------+
$INDEX_ALLOCATION entries:
--------------------------
+--------------------------------------------------------------------------------------------+
| VCN | Raw address | Size | Entries |
+--------------------------------------------------------------------------------------------+
| 000000000000h | 000000024000h | 000000001000h | 000000000004: $AttrDef |
| | | | 000000000008: $BadClus |
| | | | 000000000006: $Bitmap |
....
| | | | 000000000009: $Secure |
| | | | 00000000000a: $UpCase |
| | | | 000000000003: $Volume |
+--------------------------------------------------------------------------------------------+
| 000000000001h | 000000025000h | 000000001000h | 000000000098: randomfile - Copie (5).accdb |
| | | | 000000000097: randomfile - Copie (5).bat |
| | | | 000000000095: randomfile - Copie (5).psd |
| | | | 000000000096: randomfile - Copie (5).txt |
| | | | 00000000009b: randomfile - Copie (6).accdb |
....
| | | | 000000000083: randomfile.accdb |
| | | | 000000000082: randomfile.bat |
| | | | 000000000084: randomfile.psd |
| | | | 000000000081: randomfile.txt |
| | | | 000000000024: System Volume Information |
+--------------------------------------------------------------------------------------------+
| 000000000002h | 0000007d6000h | 000000001000h | |
+--------------------------------------------------------------------------------------------+
| 000000000003h | 0000007d7000h | 000000001000h | 000000000005: . |
| | | | 000000000092: randomfile - Copie (4).txt |
+--------------------------------------------------------------------------------------------+
| 000000000004h | 0000007d8000h | 000000001000h | 000000000027: random folder |
| | | | 00000000008c: randomfile - Copie (2).accdb |
| | | | 00000000008b: randomfile - Copie (2).bat |
| | | | 000000000089: randomfile - Copie (2).psd |
....
| | | | 00000000008e: randomfile - Copie (3).txt |
| | | | 000000000094: randomfile - Copie (4).accdb |
| | | | 000000000093: randomfile - Copie (4).bat |
| | | | 000000000091: randomfile - Copie (4).psd |
+--------------------------------------------------------------------------------------------+
B-tree index:
-------------
Root
|- 000000000000:
|---- VCN: 3
|- 000000000005: .
|---- VCN: 0
|- 000000000004: $AttrDef
|- 000000000008: $BadClus
|- 000000000006: $Bitmap
....
|- 000000000009: $Secure
|- 00000000000a: $UpCase
|- 000000000003: $Volume
|- 000000000092: randomfile - Copie (4).txt
|---- VCN: 4
|- 000000000027: random folder
|- 00000000008c: randomfile - Copie (2).accdb
|- 00000000008b: randomfile - Copie (2).bat
|- 000000000089: randomfile - Copie (2).psd
....
|- 000000000094: randomfile - Copie (4).accdb
|- 000000000093: randomfile - Copie (4).bat
|- 000000000091: randomfile - Copie (4).psd
|- 000000000000 (*)
|---- VCN: 1
|- 000000000098: randomfile - Copie (5).accdb
|- 000000000097: randomfile - Copie (5).bat
|- 000000000095: randomfile - Copie (5).psd
....
|- 000000000084: randomfile.psd
|- 000000000081: randomfile.txt
|- 000000000024: System Volume Information

Bitlocker

bitlocker disk=3 volume=1

FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17Volume Master Keys:
-------------------
+--------------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Details |
+--------------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | Nonce : 01d5ecbb00f7155000000003 |
| | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | Encrypted Key : b76281568419ec3bee89d1eddccf3169 |
| | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | 0788bd366bec117b11a9fd6e |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$daea96439babc5d1 |
| | | | e7f20c8860ff1ee9$1048576$12$5015 |
| | | | f700bbecd50103000000$60$175ec23c |
| | | | d799e2bde9d24bf3697919feb7628156 |
| | | | 8419ec3bee89d1eddccf316959c466b6 |
| | | | b392f40f0875e58168d868d70788bd36 |
| | | | 6bec117b11a9fd6e |
+--------------------------------------------------------------------------------------------------------------------+
| 2 | Recovery Password | {19b4a3e2-94b3-452f-a614-6212faeb1b9d} | Nonce : 01d5ecbb00f7155000000006 |
| | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | Encrypted Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | 6124ff46865e805367f7bef1 |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$b9963d29e1bad1f4 |
| | | | 2e60c3bfb6e3bef5$1048576$12$5015 |
| | | | f700bbecd50106000000$60$3a06a06f |
| | | | db044d850ecd6faf5cf2aec997a43d40 |
| | | | c695c6d190eba3956ac7c7b1f5fdbbc7 |
| | | | f9a61a77c914fa347479c7ac6124ff46 |
| | | | 865e805367f7bef1 |
+--------------------------------------------------------------------------------------------------------------------+

bitlocker disk=3 volume=1 password=badpassword

FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17Tested Password:
----------------
+--------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | badpassword | Invalid |
+--------------------------------------------------------------------------------+

bitlocker disk=3 volume=1 password=123456789

FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17Tested Password:
----------------
+--------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | 123456789 | Valid |
| | | | | |
| | | | | VMK : 751bf363db63ba6f1b36fb2ecd5ff1d8 |
| | | | | f5eab77e8754a848f2743978c7615f9f |
| | | | | FVEK : 35b8197e6d74d8521f49698d5f556589 |
| | | | | 2cf286ae5323c65631965c905a9d7da4 |
+--------------------------------------------------------------------------------------------------------------+

Bitdecrypt

bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4

[+] Opening \\?\Volume{09a02598-0000-0000-0002-000000000000}\
[+] Reading Bitlocker VBR
[-] Volume State : ENCRYPTED
[-] Size : 536870400 (512.00 MiBs)
[-] Encrypted Size : 536870400 (512.00 MiBs)
[-] Algorithm : AES-XTS-128
[+] Decrypting sectors
[-] Processed data size : 512.00 MiBs (100%)
[+] Duration : 7535ms
[+] Closing Volume

EFS-backup

efs.backup disk=0 volume=4 password=123456

Volume:4
————————————————————— [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories 8 directories found
[+] Searching for certificates – 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys – 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys – 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup) – ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx “>

Backup certificates and keys from \\.\PhysicalDrive0 > Volume:4
---------------------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
- 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys
- 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys
- 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup)
- ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok
Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx

EFS-certificate

efs.certificate disk=0 volume=4

Volume:4
—————————————————- [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories 8 directories found
[+] Searching for certificates 8 certificate(s) found
[+] Certificates +———————————————————————————————————————————–+ | Id | User | File | Certificate | +———————————————————————————————————————————–+ | 0 | Bobby | Name : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct | | | | Record : 00000001d2d5h | | | | | Size : 850.00 bytes | | | | | | | | | | Creation : 2019-05-11 15:59:29 | | +———————————————————————————————————————————–+ | 1 | Bobby | Name : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate | | | | Record : 00000000b5a4h | | | | | Size : 824.00 bytes | | | | | | | | | | Creation : 2021-03-03 18:02:33 | | +———————————————————————————————————————————–+ | 2 | Bobby | Name : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4 | | | | Record : 00000000ab23h | Provider : Microsoft Enhanced Cryptographic Provider v1.0 | | | | Size : 1.15 KiB | Type : PROV_RSA_FULL | | | | | KeySpec : AT_KEYEXCHANGE | | | | Creation : 2020-08-17 13:20:03 | | +———————————————————————————————————————————–+ ………. “>

List certificates from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for certificates
8 certificate(s) found
[+] Certificates
+-----------------------------------------------------------------------------------------------------------------------------------+
| Id | User | File | Certificate |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 0 | Bobby | Name : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct |
| | | Record : 00000001d2d5h | |
| | | Size : 850.00 bytes | |
| | | | |
| | | Creation : 2019-05-11 15:59:29 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Bobby | Name : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate |
| | | Record : 00000000b5a4h | |
| | | Size : 824.00 bytes | |
| | | | |
| | | Creation : 2021-03-03 18:02:33 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bobby | Name : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4 |
| | | Record : 00000000ab23h | Provider : Microsoft Enhanced Cryptographic Provider v1.0 |
| | | Size : 1.15 KiB | Type : PROV_RSA_FULL |
| | | | KeySpec : AT_KEYEXCHANGE |
| | | Creation : 2020-08-17 13:20:03 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
..........

efs.certificate disk=0 volume=4 inode=0xb5a4

Volume:4
—————————————————— [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate +—————————————————————————————————————————-+ | Id | Property | Value | +—————————————————————————————————————————-+ | 0 | File | Creation : 2021-03-03 18:02:33 | | | | Size : 824.00 bytes | +—————————————————————————————————————————-+ | 1 | CERT_SHA1_HASH_PROP_ID | 14A67663C51C66FF5CAD89B4DC34495864338C67 | +—————————————————————————————————————————-+ | 2 | CERT_FRIENDLY_NAME_PROP_ID | APNS certificate | +—————————————————————————————————————————-+ | 3 | CERT_KEY_IDENTIFIER_PROP_ID | 82B87AE4F2251242252A2644D98169F34F909CA8 | +—————————————————————————————————————————-+ | 4 | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8 | +—————————————————————————————————————————-+ | 5 | CERT_CERTIFICATE_FILE | Data: | | | | Version: 3 (0x2) | | | | Serial Number: | | | | 01:20:cb:ab:28:8a:97:ee:99:cc | | | | Signature Algorithm: sha1WithRSAEncryption | | | | Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA | | | | Validity | | | | Not Before: Mar 3 15:57:33 2021 GMT | | | | Not After : Mar 3 16:02:33 2022 GMT | | | | Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686 | | | | Subject Public Key Info: | | | | Public Key Algorithm: rsaEncryption | | | | RSA Public-Key: (1024 bit) | | | | Modulus: | | | | 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94: | | | | db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de: | … | | | a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42: | | | | 9e:6f:85:9c:b6:8f:be:d3:05 | | | | Exponent: 65537 (0x10001) | | | | X509v3 extensions: | | | | X509v3 Authority Key Identifier: | | | | keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D | | | | 8:A7:4C:8E:74 | | | | X509v3 Subject Key Identifier: | | | | 82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9 | | | | 0:9C:A8 | | | | X509v3 Basic Constraints: critical | | | | CA:FALSE | | | | X509v3 Key Usage: critical | | | | Digital Signature, Key Encipherment | | | | X509v3 Extended Key Usage: critical | | | | TLS Web Server Authentication, TLS Web Client Authen | | | | tication | | | | 1.2.840.113635.100.6.10.6: | | | | .. | | | | Signature Algorithm: sha1WithRSAEncryption | | | | 28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11: | … | | | 27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53: | | | | ff:0c | +—————————————————————————————————————————-+ “>

Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate
+----------------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-03-03 18:02:33 |
| | | Size : 824.00 bytes |
+----------------------------------------------------------------------------------------------------------------------------+
| 1 | CERT_SHA1_HASH_PROP_ID | 14A67663C51C66FF5CAD89B4DC34495864338C67 |
+----------------------------------------------------------------------------------------------------------------------------+
| 2 | CERT_FRIENDLY_NAME_PROP_ID | APNS certificate |
+----------------------------------------------------------------------------------------------------------------------------+
| 3 | CERT_KEY_IDENTIFIER_PROP_ID | 82B87AE4F2251242252A2644D98169F34F909CA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 4 | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 5 | CERT_CERTIFICATE_FILE | Data: |
| | | Version: 3 (0x2) |
| | | Serial Number: |
| | | 01:20:cb:ab:28:8a:97:ee:99:cc |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA |
| | | Validity |
| | | Not Before: Mar 3 15:57:33 2021 GMT |
| | | Not After : Mar 3 16:02:33 2022 GMT |
| | | Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686 |
| | | Subject Public Key Info: |
| | | Public Key Algorithm: rsaEncryption |
| | | RSA Public-Key: (1024 bit) |
| | | Modulus: |
| | | 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94: |
| | | db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de: |
...
| | | a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42: |
| | | 9e:6f:85:9c:b6:8f:be:d3:05 |
| | | Exponent: 65537 (0x10001) |
| | | X509v3 extensions: |
| | | X509v3 Authority Key Identifier: |
| | | keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D |
| | | 8:A7:4C:8E:74 |
| | | X509v3 Subject Key Identifier: |
| | | 82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9 |
| | | 0:9C:A8 |
| | | X509v3 Basic Constraints: critical |
| | | CA:FALSE |
| | | X509v3 Key Usage: critical |
| | | Digital Signature, Key Encipherment |
| | | X509v3 Extended Key Usage: critical |
| | | TLS Web Server Authentication, TLS Web Client Authen |
| | | tication |
| | | 1.2.840.113635.100.6.10.6: |
| | | .. |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | 28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11: |
...
| | | 27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53: |
| | | ff:0c |
+----------------------------------------------------------------------------------------------------------------------------+

efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem

Volume:4
—————————————————— [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem “>

Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem

EFS-key

efs.key disk=0 volume=4

Volume:4
——————————————– [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories: 8 directories found
[+] Searching for keys 9713 key(s) found
[+] Keys
+——————————————————————————————————————+
| Id | User | Keyfile | Name | Creation Date |
+——————————————————————————————————————+
| 0 | User1 | Name : 0004f7ed30db…017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
| | | Record : 0000000246c5h | | |
| | | Size : 4.00 KiBs | | |
+——————————————————————————————————————+
| 1 | User1 | Name : 0016875547ba…f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
| | | Record : 000000019f19h | | |
| | | Size : 4.00 KiBs | | |
+——————————————————————————————————————+
| 2 | User1 | Name : 002a02ec680e…9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 | ………. “>

List keys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories: 
8 directories found
[+] Searching for keys
9713 key(s) found
[+] Keys
+------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Name | Creation Date |
+------------------------------------------------------------------------------------------------------------------+
| 0 | User1 | Name : 0004f7ed30db...017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
| | | Record : 0000000246c5h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 1 | User1 | Name : 0016875547ba...f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
| | | Record : 000000019f19h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 2 | User1 | Name : 002a02ec680e...9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 |
..........

efs.key disk=0 volume=4 inode=742107

Volume:4
———————————————- [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[+] Key
+——————————————————————————————————————+
| Id | Property | Value |
+——————————————————————————————————————+
| 0 | File | Creation : 2021-09-23 22:16:43 |
| | | Size : 4.00 KiBs |
+——————————————————————————————————————+
| 1 | Version | 0 |
+——————————————————————————————————————+
| 2 | Name | ef456e5b-43e4-4eda-a80b-e234611306d4 |
+——————————————————————————————————————+
| 3 | Flags | 00000000h |
+——————————————————————————————————————+
| 4 | PublicKey | Magic : 31415352h (RSA1) |
| | | Size : 2048 |
| | | Exponent : 65537 |
| | | |
| | | Permissions : CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ | …
| | | |
| | | Modulus : 96883F07FF78DA8354D037A94F897BD7 | …
| | | FA77A3D04DD10D044761E65355B335B5 |
+——————————————————————————————————————+
| 5 | Encrypted PrivateKey | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Clé privée CryptoAPI |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
| | | |
| | | HMAC : – |
| | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
| | | |
| | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 |
| | | 58DB27E19596DD118F2D70F68CC7913C | …
| | | 7870F6C68DA1B9139BF6E39725F4E72E |
| | | 4EC435C947F127CA3E333CB5E2F43978 |
| | | |
| | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
| | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+——————————————————————————————————————+
| 6 | Hash | 0000000000000000000000000000000000000000 |
+——————————————————————————————————————+
| 7 | ExportFlag | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Export Flag |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
| | | |
| | | HMAC : – |
| | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
| | | |
| | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 |
| | | |
| | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
| | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+——————————————————————————————————————+ “>

Display key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[+] Key
+------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-09-23 22:16:43 |
| | | Size : 4.00 KiBs |
+------------------------------------------------------------------------------------------------------------------+
| 1 | Version | 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | Name | ef456e5b-43e4-4eda-a80b-e234611306d4 |
+------------------------------------------------------------------------------------------------------------------+
| 3 | Flags | 00000000h |
+------------------------------------------------------------------------------------------------------------------+
| 4 | PublicKey | Magic : 31415352h (RSA1) |
| | | Size : 2048 |
| | | Exponent : 65537 |
| | | |
| | | Permissions : CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
...
| | | |
| | | Modulus : 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+------------------------------------------------------------------------------------------------------------------+
| 5 | Encrypted PrivateKey | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Clé privée CryptoAPI |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
| | | |
| | | HMAC : - |
| | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
| | | |
| | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 |
| | | 58DB27E19596DD118F2D70F68CC7913C |
...
| | | 7870F6C68DA1B9139BF6E39725F4E72E |
| | | 4EC435C947F127CA3E333CB5E2F43978 |
| | | |
| | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
| | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+------------------------------------------------------------------------------------------------------------------+
| 6 | Hash | 0000000000000000000000000000000000000000 |
+------------------------------------------------------------------------------------------------------------------+
| 7 | ExportFlag | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Export Flag |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
| | | |
| | | HMAC : - |
| | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
| | | |
| | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 |
| | | |
| | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
| | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+------------------------------------------------------------------------------------------------------------------+

efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30…178c5bff4979eb

Volume:4
———————————————- [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key Encryption Algorithm : CALG_AES_256 Hash Algorithm : CALG_SHA_512 Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits): +———————————————————-+ | Id | Property | Value | +———————————————————-+ | 0 | Magic | RSA2 | +———————————————————-+ | 1 | Bitsize | 2048 | +———————————————————-+ | 2 | Permissions | CRYPT_ENCRYPT | | | | CRYPT_DECRYPT | | | | CRYPT_EXPORT | | | | CRYPT_READ | | | | CRYPT_WRITE | | | | CRYPT_MAC | | | | CRYPT_EXPORT_KEY | | | | CRYPT_IMPORT_KEY | +———————————————————-+ | 3 | Exponent | 65537 | +———————————————————-+ | 4 | Modulus | 96883F07FF78DA8354D037A94F897BD7 | … | | | FA77A3D04DD10D044761E65355B335B5 | +———————————————————-+ | 5 | Prime1 | C02F585644ED6326FF82368B0AD9ECD4 | … | | | 65F7DE6D173FEBEF95BE491FB222E07B | +———————————————————-+ | 6 | Prime2 | C884376BBC50C2A14C495894FBF980DE | … | | | 6759E812B6385B9151EBED8DCD65238F | +———————————————————-+ | 7 | Exponent1 | 0E33B17876918051427271EB667AE238 | … | | | 69349EF83ACE9B75D20004D155CDA3FF | +———————————————————-+ | 8 | Exponent2 | 5BF265077E1EFA60C47E8DA423B751A4 | … | | | E7008F2EA5684A74E4BFEEFAAB48C979 | +———————————————————-+ | 9 | Coefficient | 7D68AA3844F096959C23BD59E4BE3147 | … | | | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 | +———————————————————-+ | 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA | | | | 40D83B3FBF0D9D016C419E6B6744AD73 | … | | | 47685BDEB0FABDC21AF5CABBA13D138D | | | | F39FC063F1F20323E3220229E29FA42D | +———————————————————-+ “>

Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits):
+----------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------+
| 0 | Magic | RSA2 |
+----------------------------------------------------------+
| 1 | Bitsize | 2048 |
+----------------------------------------------------------+
| 2 | Permissions | CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
| | | CRYPT_WRITE |
| | | CRYPT_MAC |
| | | CRYPT_EXPORT_KEY |
| | | CRYPT_IMPORT_KEY |
+----------------------------------------------------------+
| 3 | Exponent | 65537 |
+----------------------------------------------------------+
| 4 | Modulus | 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+----------------------------------------------------------+
| 5 | Prime1 | C02F585644ED6326FF82368B0AD9ECD4 |
...
| | | 65F7DE6D173FEBEF95BE491FB222E07B |
+----------------------------------------------------------+
| 6 | Prime2 | C884376BBC50C2A14C495894FBF980DE |
...
| | | 6759E812B6385B9151EBED8DCD65238F |
+----------------------------------------------------------+
| 7 | Exponent1 | 0E33B17876918051427271EB667AE238 |
...
| | | 69349EF83ACE9B75D20004D155CDA3FF |
+----------------------------------------------------------+
| 8 | Exponent2 | 5BF265077E1EFA60C47E8DA423B751A4 |
...
| | | E7008F2EA5684A74E4BFEEFAAB48C979 |
+----------------------------------------------------------+
| 9 | Coefficient | 7D68AA3844F096959C23BD59E4BE3147 |
...
| | | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 |
+----------------------------------------------------------+
| 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA |
| | | 40D83B3FBF0D9D016C419E6B6744AD73 |
...
| | | 47685BDEB0FABDC21AF5CABBA13D138D |
| | | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+

efs.key disk=0 volume=4 inode=742107 masterkey=34…eb output=mykey format=pem

Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Public key exported to mykey.pub.pem. 
[+] Private key exported to mykey.priv.pem.

EFS-masterkey

efs.masterkey disk=0 volume=4

Volume:4
————————————————– [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories 8 directories found
[+] Searching for keys 19 key(s), 2 preferred file(s) found
[+] MasterKeys +————————————————————————————————————————————————–+ | Id | User | Keyfile | Key(s) | Creation Date | +————————————————————————————————————————————————–+ | 0 | DefaultAppPool | Name : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey | 2021-08-17 14:54:41 | | | | Record : 000000031848h | Version : 2 | | | | | Size : 468.00 bytes | Algo : CALG_SHA_512 – CALG_AES_256 | | | | | | Salt : FA737C82899CC3F61A3B332B15FDC241 | | | | | | Rounds : 8000 | | | | | | BackupKey | | | | | | Version : 2 | | | | | | Algo : CALG_SHA_512 – CALG_AES_256 | | | | | | Salt : DF0651C903763132BC3043BF144A7DDD | | | | | | Rounds : 8000 | | | | | | CredHist | | | | | | Version : 3 | | | | | | GUID : {00000000-0000-0000-0000-000000000000} | | +————————————————————————————————————————————————–+ | 1 | DefaultAppPool | Name : Preferred | Preferred | 2021-08-17 14:54:41 | | | | Record : 00000003184ah | GUID : {e4ed144f-6522-4471-8893-a6e29e175ba6} | | | | | Size : 24.00 bytes | Renew : 2021-11-15 12:54:41 | | +————————————————————————————————————————————————–+ | 2 | Bob | Name : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey | 2021-03-05 01:16:42 | | | | Record : 000000004f4ah | Version : 2 | | | | | Size : 468.00 bytes | Algo : CALG_SHA_512 – CALG_AES_256 | | | | | | Salt : 39B575D1816DE8224B9E11C38E35EB34 | | | | | | Rounds : 8000 | | | | | | BackupKey | | ………. “>

List masterkeys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Listing user directories
8 directories found
[+] Searching for keys
19 key(s), 2 preferred file(s) found
[+] MasterKeys
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Key(s) | Creation Date |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | DefaultAppPool | Name : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey | 2021-08-17 14:54:41 |
| | | Record : 000000031848h | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : FA737C82899CC3F61A3B332B15FDC241 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
| | | | Version : 2 | |
| | | | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : DF0651C903763132BC3043BF144A7DDD | |
| | | | Rounds : 8000 | |
| | | | CredHist | |
| | | | Version : 3 | |
| | | | GUID : {00000000-0000-0000-0000-000000000000} | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | DefaultAppPool | Name : Preferred | Preferred | 2021-08-17 14:54:41 |
| | | Record : 00000003184ah | GUID : {e4ed144f-6522-4471-8893-a6e29e175ba6} | |
| | | Size : 24.00 bytes | Renew : 2021-11-15 12:54:41 | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bob | Name : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey | 2021-03-05 01:16:42 |
| | | Record : 000000004f4ah | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : 39B575D1816DE8224B9E11C38E35EB34 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
..........

efs.masterkey disk=0 volume=4 inode=0x80544

Volume:4
—————————————————- [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[+] MasterKey +——————————————————————–+ | Id | Property | Value | +——————————————————————–+ | 0 | File | Creation : 2020-07-06 05:56:06 | | | | Size : 468.00 bytes | +——————————————————————–+ | 1 | Version | 2 | +——————————————————————–+ | 2 | GUID | 9ac19509-54d3-48bc-8c67-4cfb01d73498 | +——————————————————————–+ | 3 | Policy | 00000005h | +——————————————————————–+ | 4 | MasterKey | Version : 2 | | | | Salt : 3ED4CDBCC4073D6724A512061D0597E1 | | | | Rounds : 8000 | | | | Hash Alg : CALG_SHA_512 | | | | Enc Alg : CALG_AES_256 | | | | Enc Key : 3610946FE1A7B9099D0AFA7658325014 | | | | 296D1F0E5BA93249858BE3ACCC8FD7A8 | | | | F62DB6808833FC303095C6588BDE3826 | | | | 80ABF391222CD77661BCCB637DDAC490 | | | | B5FC02C854EF45490EE10851EF524DE2 | | | | 85DD508F905216D528D3DC3336830FF9 | | | | 690472730A03D64CF892E06B9AA35692 | | | | AB7679E908D487119030B73CB87E6F9F | | | | 731F65609CB8ACA972BCC9042B27B9B4 | +——————————————————————–+ | 5 | BackupKey | Version : 2 | | | | Salt : B60E21F9578D02A97964D7B10151BE69 | | | | Rounds : 8000 | | | | Hash Alg : CALG_SHA_512 | | | | Enc Alg : CALG_AES_256 | | | | Enc Key : CD5D3684873D6A1D66520FB1642779E1 | | | | D78A649F02DDFE7C069F9B5F8FF9F005 | | | | 7DC01E0A6AA9A815C8887BC1BF5B88E6 | | | | E797DC5F4A3A0535B3217BADC7FAD38E | | | | 798C1846423C8631DE472D790B308B2D | | | | F15340B87FCD55A98DAEE92196235CF9 | | | | B328FAF475C05A911DF19C99D54D5A3C | +——————————————————————–+ | 6 | CredHist | Version : 3 | | | | GUID : {20e0b482-797f-429e-b4a0-30020731ef0a} | +——————————————————————–+ “>

Display masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[+] MasterKey
+--------------------------------------------------------------------+
| Id | Property | Value |
+--------------------------------------------------------------------+
| 0 | File | Creation : 2020-07-06 05:56:06 |
| | | Size : 468.00 bytes |
+--------------------------------------------------------------------+
| 1 | Version | 2 |
+--------------------------------------------------------------------+
| 2 | GUID | 9ac19509-54d3-48bc-8c67-4cfb01d73498 |
+--------------------------------------------------------------------+
| 3 | Policy | 00000005h |
+--------------------------------------------------------------------+
| 4 | MasterKey | Version : 2 |
| | | Salt : 3ED4CDBCC4073D6724A512061D0597E1 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : 3610946FE1A7B9099D0AFA7658325014 |
| | | 296D1F0E5BA93249858BE3ACCC8FD7A8 |
| | | F62DB6808833FC303095C6588BDE3826 |
| | | 80ABF391222CD77661BCCB637DDAC490 |
| | | B5FC02C854EF45490EE10851EF524DE2 |
| | | 85DD508F905216D528D3DC3336830FF9 |
| | | 690472730A03D64CF892E06B9AA35692 |
| | | AB7679E908D487119030B73CB87E6F9F |
| | | 731F65609CB8ACA972BCC9042B27B9B4 |
+--------------------------------------------------------------------+
| 5 | BackupKey | Version : 2 |
| | | Salt : B60E21F9578D02A97964D7B10151BE69 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : CD5D3684873D6A1D66520FB1642779E1 |
| | | D78A649F02DDFE7C069F9B5F8FF9F005 |
| | | 7DC01E0A6AA9A815C8887BC1BF5B88E6 |
| | | E797DC5F4A3A0535B3217BADC7FAD38E |
| | | 798C1846423C8631DE472D790B308B2D |
| | | F15340B87FCD55A98DAEE92196235CF9 |
| | | B328FAF475C05A911DF19C99D54D5A3C |
+--------------------------------------------------------------------+
| 6 | CredHist | Version : 3 |
| | | GUID : {20e0b482-797f-429e-b4a0-30020731ef0a} |
+--------------------------------------------------------------------+

efs.masterkey disk=0 volume=4 inode=0x80544 sid=”S-1-5-21-1521398…3175218-1001″ password=”ntfst00l”

Volume:4
—————————————————- [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[-] Masterkey Encryption Algorithm : CALG_AES_256 Hash Algorithm : CALG_SHA_512 Rounds : 8000 Salt : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits): 34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6 0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB “>

Decrypt masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading masterkey file record: 525636
[-] Masterkey
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Rounds : 8000
Salt : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits):
34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6
0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB

FVE

fve disk=3 volume=1 fve_block=2

Signature : -FVE-FS-
Size : 57
Version : 2
Current State : ENCRYPTED (4)
Next State : ENCRYPTED (4)
Encrypted Size : 536870400 (512.00 MiBs)
Convert Size : 0
Backup Sectors : 16
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
Backup Sectors Offset : 0000000002110000FVE Metadata Header
-------------------
Size : 840
Version : 1
Header Size : 48
Copy Size : 840
Volume GUID : {70a57ea3-9b98-4034-8b6a-645f731e2d1e}
Next Counter : 10
Algorithm : AES-XTS-128 (8004)
Timestamp : 2020-02-26 16:39:17
FVE Metadata Entries (5)
------------------------
+----------------------------------------------------------------------------------------------------------------+
| Id | Version | Size | Entry Type | Value Type | Value |
+----------------------------------------------------------------------------------------------------------------+
| 1 | 1 | 72 | Drive Label | Unicode | String : TWN NTFSDRIVE 26/02/2020 |
+----------------------------------------------------------------------------------------------------------------+
| 2 | 1 | 224 | VMK | VMK | Key ID : {2dd368f3-37d7-414f-94e6-3c5b86f |
| | | | | | add50} |
| | | | | | Last Change : 2020-02-26 16:40:00 |
| | | | | | Protection : Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 108 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000002 |
| | | | | | MAC : 1dfebdc79a966e72ca806d6a83d8c7ba |
| | | | | | Key : eb51a188df981b54f51698c76d76a8bb |
| | | | | | d22afbbe27603ea6afc34c077726262e |
| | | | | | 5ba07482053d3c36fdecf80f |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000003 |
| | | | | | MAC : 175ec23cd799e2bde9d24bf3697919fe |
| | | | | | Key : b76281568419ec3bee89d1eddccf3169 |
| | | | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | | | 0788bd366bec117b11a9fd6e |
+----------------------------------------------------------------------------------------------------------------+
| 3 | 1 | 316 | VMK | VMK | Key ID : {19b4a3e2-94b3-452f-a614-6212fae |
| | | | | | b1b9d} |
| | | | | | Last Change : 2020-02-26 16:40:07 |
| | | | | | Protection : Recovery Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 172 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 64 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000004 |
| | | | | | MAC : 8064d679c7d8d1fa8ae548b0844882c7 |
| | | | | | Key : 18d21021d40e3dc99d38c8dd84faed10 |
| | | | | | 370c32095f4f63261ad8ec40 |
| | | | | | |
| | | | | | Property #1.2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000005 |
| | | | | | MAC : 3d40f2b5fc0091b894b438763fcdf4cd |
| | | | | | Key : a0af0aeda32d977d26ac76f9fc429668 |
| | | | | | 955d2a6a49fe4e2323751924e47e6c39 |
| | | | | | 8c22f7fcd2d4272003cb7a4e |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000006 |
| | | | | | MAC : 3a06a06fdb044d850ecd6faf5cf2aec9 |
| | | | | | Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | | | 6124ff46865e805367f7bef1 |
| | | | | | |
| | | | | | Property #3 - Unknown (00000015) |
| | | | | | - 28 |
| | | | | | -------- |
| | | | | | Unknown Value Type (21) |
+----------------------------------------------------------------------------------------------------------------+
| 4 | 1 | 80 | FKEV | AES-CCM | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000008 |
| | | | | | MAC : 2ff7d7f79920e3509fb8d20cb15b62c8 |
| | | | | | Key : 097169b9a5c41420ed2353a4a4210763 |
| | | | | | a8833d1a4a88c6f7c0c45ec7c0959f25 |
| | | | | | 2c8eac3f306e9fd1e693784a |
+----------------------------------------------------------------------------------------------------------------+
| 5 | 1 | 100 | Volume Header Block | Offset and Size | Offset : 0000000002110000 |
| | | | | | Size : 0000000000002000 |
+----------------------------------------------------------------------------------------------------------------+

reparse

reparse disk=0 volume=4

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] Reading $Extend\$Reparse
[+] 104 entries found
+----------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Filename | Type | Target/Data |
+----------------------------------------------------------------------------------------------------------------+
| 0 | 00000eb3 | debian.exe | AppExecLink | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4 |
| | | | | |
| | | | | TheDebianProject.DebianGNULinux_ |
| | | | | 76v4gfsz19hv4!debian |
| | | | | |
| | | | | C:\Program Files\WindowsApps\The |
| | | | | DebianProject.DebianGNULinux_1.2 |
| | | | | .0.0_x64__76v4gfsz19hv4\debian.e |
| | | | | xe |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 13 | 000007f9 | BaseLayer | Mount Point | \??\Volume{629458e4-0000-0000-00 |
| | | | | 00-010000000000}\ |
+----------------------------------------------------------------------------------------------------------------+
| 14 | 00013e24 | Watchdog | Mount Point | \??\C:\Program Files\NVIDIA Corp |
| | | | | oration\NvContainer\Watchdog |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 102 | 00035861 | C2R64.dll | Symbolic Link | \??\C:\Program Files\Common File |
| | | | | s\Microsoft Shared\ClickToRun\C2 |
| | | | | R64.dll |
+----------------------------------------------------------------------------------------------------------------+
| 103 | 000986b0 | All Users | Symbolic Link | \??\C:\ProgramData |
+----------------------------------------------------------------------------------------------------------------+

logfile

logfile disk=4 volume=1 output=logfile.csv format=csv

[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $LogFile record
[-] $LogFile size : 4.14 MiBs
[+] Parsing $LogFile Restart Pages
[-] Newest Restart Page LSN : 5274485
[-] Volume marked as cleanly unmounted
[-] Client found : [1] NTFS
[+] Parsing $LogFile Record Pages
[-] $LogFile Record Page Count: 86
[+] Parsing $LogFile Records: 601
[+] Closing volume

Sample of logfile.csv

 LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703

usn

usn disk=4 volume=1 output=usn.csv format=csv

[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Finding $Extend\$UsnJrnl record
[+] Found in file record : 41
[+] Data stream $J size : 2.66 KiBs
[+] Reading $J
[+] Processing entry : 32
[+] Closing volume

Sample of usn.csv

MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau dossier
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau document texte.txt

shadow

shadow disk=0 volume=4

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[+] VSS header found at 0x1e00+---------------------------------------------------------------------------------------------------------------+
| SetID/ID | Count | Date | Details |
+---------------------------------------------------------------------------------------------------------------+
| {857c9ac4-ee4f-4bc6-b822-59e935a7120f} | 1 | 2020-09-21 00:15:38 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {3d102db1-8de2-4e7d-8ba5-e0dd4f67740d} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+
| {83bc8af4-8802-4466-ae38-717f6474616a} | 1 | 2020-09-22 06:10:00 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {e668c329-66a2-4ebd-beef-3c6bca81cbf7} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+

streams

streams disk=0 volume=4 from=c:\test.pdf

Volume:4
————————————————– [+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s): +—————————–+ | Id | Name | Size | +—————————–+ | 0 | Zone.Identifier | 27 | +—————————–+ “>

Listing streams from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}\
[-] Source : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s):
+-----------------------------+
| Id | Name | Size |
+-----------------------------+
| 0 | Zone.Identifier | 27 |
+-----------------------------+

undelete

undelete disk=4 volume=1

[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading $MFT record
[+] $MFT size : 256.00 KiBs (~256 records)
[+] Reading $BITMAP record
[+] $BITMAP size : 16.00 KiBs
[+] Searching deleted files
[+] Processed data size : 262144 (100%)
[+] Duration : 7msDeleted Files Found
-------------------
+---------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Flag | Filename | Size | Deletion Date | % Recoverable |
+---------------------------------------------------------------------------------------------------------------+
| 0 | 00000029 | | .\$RECYCLE.BIN\[...]\$RAV85W4.jpg | 5.10 KiBs | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
| 1 | 00000035 | | .\$RECYCLE.BIN\[...]\$IAV85W4.jpg | 58.00 bytes | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+

undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg

[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}\
[+] Reading file record : 41
[+] Extracting $RAV85W4.jpg to restored_kitten.jpg
[+] 5219 bytes written

shell

shell disk=4 volume=1

ls Inode | Type | Name | Size | Creation Date | Attributes
————————————————————————————— 4 | | $AttrDef | 2560 | 2020-02-26 16:35:29 | Hi Sy 8 | | $BadClus | 0 | 2020-02-26 16:35:29 | Hi Sy | ADS | $Bad | 536866816 | | 6 | | $Bitmap | 16384 | 2020-02-26 16:35:29 | Hi Sy 7 | | $Boot | 8192 | 2020-02-26 16:35:29 | Hi Sy 11 | DIR | $Extend | | 2020-02-26 16:35:29 | Hi Sy 2 | | $LogFile | 4341760 | 2020-02-26 16:35:29 | Hi Sy 0 | | $MFT | 262144 | 2020-02-26 16:35:29 | Hi Sy 1 | | $MFTMirr | 4096 | 2020-02-26 16:35:29 | Hi Sy 50 | DIR | $RECYCLE.BIN | | 2020-02-26 16:40:34 | Hi Sy 9 | | $Secure | 0 | 2020-02-26 16:35:29 | Hi Sy | ADS | $SDS | 264200 | | 10 | | $UpCase | 131072 | 2020-02-26 16:35:29 | Hi Sy | ADS | $Info | 32 | | 3 | | $Volume | 0 | 2020-02-26 16:35:29 | Hi Sy 5 | DIR | . | | 2020-02-26 16:35:29 | Hi Sy
85010 | | 7z1900-x64.exe | 1447178 | 2020-07-29 17:19:49 | Ar | ADS | Zone.Identifier | 123 | | 42 | | hello.txt | 5 | 2020-02-26 21:27:33 | Ar 39 | | kitten1.jpg | 23486 | 2020-02-26 16:37:23 | Ar | ADS | Zone.Identifier | 154 | | 40 | | kitten2.jpg | 79678 | 2020-02-26 16:37:55 | Ar | ADS | Zone.Identifier | 303 | | 41 | | kitten3.jpg | 5219 | 2020-02-26 16:38:16 | Ar | ADS | Zone.Identifier | 262 | | 36 | DIR | System Volume Information | | 2020-02-26 16:35:29 | Hi Sy disk4:volume1:> pwd
\
disk4:volume1:> cat hello.txt
Hey !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe disk4:volume1:> exit “>

disk4:volume1:> lsInode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2020-02-26 16:35:29 | Hi Sy
8 | | $BadClus | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Bad | 536866816 | |
6 | | $Bitmap | 16384 | 2020-02-26 16:35:29 | Hi Sy
7 | | $Boot | 8192 | 2020-02-26 16:35:29 | Hi Sy
11 | DIR | $Extend | | 2020-02-26 16:35:29 | Hi Sy
2 | | $LogFile | 4341760 | 2020-02-26 16:35:29 | Hi Sy
0 | | $MFT | 262144 | 2020-02-26 16:35:29 | Hi Sy
1 | | $MFTMirr | 4096 | 2020-02-26 16:35:29 | Hi Sy
50 | DIR | $RECYCLE.BIN | | 2020-02-26 16:40:34 | Hi Sy
9 | | $Secure | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $SDS | 264200 | |
10 | | $UpCase | 131072 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2020-02-26 16:35:29 | Hi Sy
5 | DIR | . | | 2020-02-26 16:35:29 | Hi Sy
85010 | | 7z1900-x64.exe | 1447178 | 2020-07-29 17:19:49 | Ar
| ADS | Zone.Identifier | 123 | | 
42 | | hello.txt | 5 | 2020-02-26 21:27:33 | Ar
39 | | kitten1.jpg | 23486 | 2020-02-26 16:37:23 | Ar
| ADS | Zone.Identifier | 154 | |
40 | | kitten2.jpg | 79678 | 2020-02-26 16:37:55 | Ar
| ADS | Zone.Identifier | 303 | |
41 | | kitten3.jpg | 5219 | 2020-02-26 16:38:16 | Ar
| ADS | Zone.Identifier | 262 | |
36 | DIR | System Volume Information | | 2020-02-26 16:35:29 | Hi Sy
disk4:volume1:> pwd
\
disk4:volume1:> cat hello.txt
Hey !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe
disk4:volume1:> exit

smart

smart disk=1

Version : 1 revision 1
Type : SATA/IDE Master on primary channel
Capabilities : ATA, ATAPI, S.M.A.R.TStatus : Passed
-- Device ID
+---------------------------------------------------------------------------------------------------+
| Property | Value |
+---------------------------------------------------------------------------------------------------+
| General Configuration | 0040h |
| Number of Cylinders | 16383 |
| Reserved | c837h |
| Number Of Heads | 16 |
| Bytes Per Track | 0 |
| Bytes Per Sector | 0 |
| Sectors Per Track | 63 |
| Vendor Unique | |
| Seria Number | S2RBNX0H606448W |
| Buffer Type | 0 |
| Buffer Size | 0 |
| ECC Size | 0 |
| Firmware Revision | EMT02B6Q |
| Model Number | Samsung SSD 850 EVO 500GB |
| Maximum Number of Sectors On R/W | 32769 |
| Double Word IO | 16385 |
| Capabilities | Reserved : 0000h |
| | DMA Support : True |
| | LBA Support : True |
| | DisIORDY : True |
| | IORDY : True |
| | Requires ATA soft start : False |
| | Overlap Operation support: True |
| | Command Queue Support : False |
| | Interleaved DMA Support : False |
| Reserved1 | 4000h |
| PIO Timing | 512 |
| DMA Timing | 512 |
| Field Validity | CHS Number : True |
| | Cycle Number : True |
| | Ultra DMA : True |
| Current numbers of cylinders | 16383 |
| Current numbers of heads | 16 |
| Current numbers of sectors per track | 63 |
| Multiple Sector Setting | 16514064 |
| Total Number of Sectors Addressable (LBA) | 268435455 |
| Singleword DMA Transfer Support | 0 |
| Multiword DMA Transfer Support | Mode 0 (4.17Mb/s) |
| | Mode 1 (13.3Mb/s) |
| | Mode 2 (16.7Mb/s) |
| Advanced PIO Modes | 0003h |
| Minimum Multiword DMA Transfer Cycle Time per Word | 120 |
| Recommended Multiword DMA Transfer Cycle Time per Word | 120 |
| Minimum PIO Transfer Cycle Time (No Flow Control) | 120 |
| Minimum PIO Transfer Cycle Time (Flow Control) | 120 |
| ATA Support | ATA-2 |
| | ATA-3 |
| | ATA-4 |
| | ATA/ATAPI-5 |
| | ATA/ATAPI-6 |
| | ATA/ATAPI-7 |
| | ATA/ATAPI-8 |
| | ATA/ATAPI-9 |
| Ultra DMA Transfer Support | Mode 0 (16.7MB/s) |
| | Mode 1 (25.0MB/s) |
| | Mode 2 (33.3MB/s) |
| | Mode 3 (44.4MB/s) |
| | Mode 4 (66.7MB/s) |
| | Mode 5 (100.0MB/s) (selected) |
| | Mode 6 (133.0MB/s) |
+---------------------------------------------------------------------------------------------------+
-- Attributes
+-------------------------------------------------------------------------------------------------------------------+
| Index | Name | Flags | Raw | Value | Worst | Threshold | Status |
+-------------------------------------------------------------------------------------------------------------------+
| 05h | Reallocated Sector Count | 0033h | 000000000000h | 100 | 100 | 10 | Ok |
| 09h | Power-On Hours Count | 0032h | 000000008d54h | 92 | 92 | 0 | Ok |
| 0ch | Power Cycle Count | 0032h | 0000000000f5h | 99 | 99 | 0 | Ok |
| b1h | Wear Range Delta | 0013h | 00000000005eh | 95 | 95 | 0 | Ok |
| b3h | Used Reserved Block Count (Total) | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| b5h | Program Fail Count Total | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b6h | Erase Fail Count | 0032h | 000000000000h | 100 | 100 | 10 | Ok |
| b7h | Sata Down Shift Error Count | 0013h | 000000000000h | 100 | 100 | 10 | Ok |
| bbh | Reported Uncorrectable Errors | 0032h | 000000000000h | 100 | 100 | 0 | Ok |
| beh | Temperature Difference From 100 | 0032h | 000000000020h | 68 | 50 | 0 | Ok |
| c3h | Hardware Ecc Recovered | 001ah | 000000000000h | 200 | 200 | 0 | Ok |
| c7h | Udma Crc Error Rate | 003eh | 000000000000h | 100 | 100 | 0 | Ok |
| ebh | Good Block Count And System Free Block Count | 0012h | 000000000071h | 99 | 99 | 0 | Ok |
| f1h | Lifetime Writes From Host Gib | 0032h | 00154bf298c9h | 99 | 99 | 0 | Ok |
+-------------------------------------------------------------------------------------------------------------------+

Source : KitPloit – PenTest Tools!

Huge security flaw in macOS lets hackers steal your passwords

Motorola Moto G (2nd Gen) gets Android Marshmallow update

WhatsApp down on New Year’s Eve: Users worldwide unable to connect as messaging app crashes repeatedly

WhatsApp for Windows Phone update brings starred messages, new camera interface

Microsoft Lumia 950 Dual SIM, Lumia 950 XL Dual SIM Launched in India

Nokia C1 Leak Tips Launch With Android and Windows 10 Mobile

A solar-powered “Lunar” smartwatch seems like a good idea — if it works

TV Service is being killed by Google Fiber; The Company wants to concentrate on High Speed Internet

Google Home now lets you set and manage your reminders

Hacker Steve Lord says Windows Phone is the”hardest nut to crack”

Google Makes Full-Disk Encryption Mandatory for New Android 6.0 Devices

Hike users can now send messages without internet

Social-Analyzer – API And Web App For Analyzing And Finding A Person Profile Across +300 Social Media Websites (Detections Are Updated Regularly)

Six Methods to Create a Secure Password You’ll Actually Remember [INFOGRAPHIC]

Here’s how to kick nazis off your Twitter right now

Twitter CEO promises to crack down on hate, violence and harassment with “more aggressive” rules

Twitter users join 24hr boycott to protest online harassment

Twitter says it may “refine” its policies after reversing position on Blackburn campaign ad

WhatsApp video calling feature, new design leaked

Microsoft Lumia 950 Dual SIM, Lumia 950 XL Dual SIM Launched in India

Flipkart Partners With Google to Launch App-Like Mobile Website

Google Makes Full-Disk Encryption Mandatory for New Android 6.0 Devices

Indian govt to launch its own operating system for official use

Google Makes Website Making Easy With “Material Design Lite” and Free Website Builder

Hoaxshell – An Unconventional Windows Reverse Shell, Currently Undetected By Microsoft Defender And Various Other AV Solutions, Solely Based On Http(S) Traffic

Puwr – SSH Pivoting Script For Expanding Attack Surfaces On Local Networks

Zap-Hud – The OWASP ZAP Heads Up Display (HUD)

PHoS Recommendation : Join these 2 hacking webinar by one of the best security experts in India.

Jaeles v0.9 – The Swiss Army Knife For Automated Web Application Testing

HomePwn – Swiss Army Knife for Pentesting of IoT Devices

FISSURE – Frequency Independent SDR-based Signal Understanding and Reverse Engineering

Masky – Python Library With CLI Allowing To Remotely Dump Domain User Credentials Via An ADCS Without Dumping The LSASS Process Memory

Packj – Large-Scale Security Analysis Platform To Detect Malicious/Risky Open-Source Packages

BinAbsInspector – Vulnerability Scanner For Binaries

Pocsploit – A Lightweight, Flexible And Novel Open Source Poc Verification Framework

EDRSandblast – Tool That Weaponize A Vulnerable Signed Driver To Bypass EDR Detections And LSASS Protections

Sri Lanka arrests 2 men over Taiwan bank hacking

Here’s the Facebook Hacking Tool that Can Really Hack Accounts, But…

3 Wipro employees arrested for hacking UK firm TalkTalk

Samsung agrees to pay Apple $548 million for copying its iPhone designs

Indian hackers ‘pay back’ Pakistan for 26/11

Boy, 15, arrested in Northern Ireland in connection with TalkTalk hack

Sri Lanka arrests 2 men over Taiwan bank hacking

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Over 800,000 Brazzers User Accounts Hacked

Aryabhatta college of Delhi University (DU) website hacked by Pakistani Hackers

Indian Railways page hacked by Al Qaeda. And this is the message they left for Indian Muslims

JNU’s Website Defaced by Indian Hackers

‘Pokémon Snap’ lives on through ‘Pokémon Go’ photography contest

Desk lamp transforms from notepad into a modern, stylish lamp

Nissan drove a GT-R around a racetrack using a PS4 controller

Razer’s first ever smartphone could be coming next month

Oculus Go solves VR’s two biggest problems

Truly driverless cars could soon be allowed on California’s roads

Deadfinder – Find Dead-Links (Broken Links)

Pmanager – Store And Retrieve Your Passwords From A Secure Offline Database. Check If Your Passwords Has Leaked Previously To Prevent Targeted Password Reuse Attacks

SpyCast – A Crossplatform mDNS Enumeration Tool

pyFlipper – Unoffical Flipper Zero Cli Wrapper Written In Python

SharpNamedPipePTH – Pass The Hash To A Named Pipe For Token Impersonation

PSAsyncShell – PowerShell Asynchronous TCP Reverse Shell

Your iPhone will Alert You if You are Being Monitored At Work

Warning! — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System

WhatsApp down on New Year’s Eve: Users worldwide unable to connect as messaging app crashes repeatedly

WhatsApp video calling feature, new design leaked

Bad Santa! Microsoft Offers — ‘Upgrade now’ or ‘Upgrade tonight’ to Push Windows 10

Samsung agrees to pay Apple $548 million for copying its iPhone designs

Androidqf – (Android Quick Forensics) Helps Quickly Gathering Forensic Evidence From Android Devices, In Order To Identify Potential Traces Of Compromise

FireStorePwn – Firestore Database Vulnerability Scanner Using APKs

LibAFL – Advanced Fuzzing Library – Slot Your Fuzzer Together In Rust! Scales Across Cores And Machines. For Windows, Android, MacOS, Linux, No_Std, …

Cpufetch – Simplistic Yet Fancy CPU Architecture Fetching Tool

Umbrella_android – Digital And Physical Security Advice App

Ghost Framework – An Android Post-Exploitation Framework That Exploits The Android Debug Bridge To R emotely Access An Android Device