NTFS forensic investigation

NTFS is now the most common disk format used on a PC. In recent years it has become the default format, replacing the much simpler FAT32. It is a complex format supporting features such as compression and encryption. That complexity gives users scope to hide data, and also gives CnW Recovery software scope to recover data that is otherwise invisible.


The two most useful modes for investigating NTFS disks are a full recover and a scan of MFTs. The full recover, particularly when used with the deleted files option, will show all the files on the hard drive, including recently deleted files. The scan MFTs mode will pick up all current files, and also files left over from a previous format of the disk. It can be very useful when an operating system has been reloaded, as many of the original files can still be recovered. An additional mode of the scan MFTs function is to scan the complete drive for MFT entries. This will pick up more files, but sometimes the 'left over' MFT entries will have rather odd subdirectory paths, because the parent directory reference in an orphaned entry may point to a record that has since been reused or overwritten.


Features to assist with investigation


       Slack file recovery - for both files and directories

       Hashing of all files

       Full dates stored in logs for creation, modification, access

       The ability to discover which file a sector is used in

       Reads deleted files

       Checks file signature - useful when a file has been renamed to hide a file

       Recovers files even when the directory structure is incomplete

       Will scan disk for isolated / orphaned MFT entries

       Logs may be sorted in any date order

       Raw image scan of disk for unallocated space recovery

       MFT Parse - view elements of the MFT

       Recovers system files such as the registry hives (eg NTUSER.DAT), $LogFile and $UsnJrnl
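The scan-the-complete-drive-for-MFTs mode described above, and the 'isolated / orphaned MFT entries', 'MFT Parse', 'full dates' and 'which file a sector is used in' items in the list, all rest on one operation: recognising a 1 KiB FILE record wherever it lies on the disk and decoding its attributes. The Python script below is an added illustration written for this page; it is not CnW Recovery code and does not show how CnW implements these features. It assumes 1 KiB MFT records and 4 KiB clusters, and it fabricates its own 16 KiB sample image (a live record, an orphaned record at an odd sector offset, and a decoy sector that merely starts with 'FILE') so that it runs offline; every record number, file name, date and cluster position in it is invented.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD, CLUSTER = 512, 1024, 4096   # 1 KiB MFT records; cluster size is assumed, read it from the boot sector
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def apply_fixups(rec):
    """Restore each sector's last 2 bytes from the update sequence array; reject torn or bogus records."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    if usa_cnt != RECORD // SECTOR + 1 or usa_off + 2 * usa_cnt > SECTOR:
        raise ValueError("bad update sequence array")
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if out[pos:pos + 2] != usn:
            raise ValueError("update sequence mismatch")
        out[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def decode_runs(buf):
    """Data run list -> [(first LCN, cluster count)]; each LCN is a signed delta from the previous run."""
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        ln, on = buf[pos] & 0xF, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + ln], "little")
        if on:                                 # on == 0 is a sparse run that owns no clusters
            lcn += int.from_bytes(buf[pos + 1 + ln:pos + 1 + ln + on], "little", signed=True)
            runs.append((lcn, length))
        pos += 1 + ln + on
    return runs

def parse_record(raw):
    rec = apply_fixups(raw)
    pos, flags = struct.unpack_from("<HH", rec, 0x14)          # first attribute offset, flags
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "name": None, "created": None, "runs": []}
    while pos + 16 <= RECORD:
        atype, alen, nonres, nlen = struct.unpack_from("<IIBB", rec, pos)
        if atype == 0xFFFFFFFF or alen < 16 or pos + alen > RECORD:
            break
        if atype == 0x30 and not nonres:                              # $FILE_NAME
            fn = rec[pos + struct.unpack_from("<H", rec, pos + 0x14)[0]:pos + alen]
            if fn[0x41] != 2:                  # skip the DOS 8.3 alias, keep the long name
                info["name"] = fn[0x42:0x42 + 2 * fn[0x40]].decode("utf-16-le")
                info["created"] = EPOCH + timedelta(microseconds=struct.unpack_from("<Q", fn, 8)[0] // 10)
        elif atype == 0x80 and nlen == 0 and nonres:                  # unnamed, non-resident $DATA
            info["runs"] = decode_runs(rec[pos + struct.unpack_from("<H", rec, pos + 0x20)[0]:pos + alen])
        pos += alen
    return info

def scan_image(img):
    """Walk the whole image sector by sector for 'FILE' records, not just the live $MFT."""
    found = []
    for off in range(0, len(img) - RECORD + 1, SECTOR):
        if img[off:off + 4] == b"FILE":
            try:
                found.append(dict(parse_record(img[off:off + RECORD]), offset=off))
            except (ValueError, IndexError, struct.error, UnicodeDecodeError):
                pass                           # junk that merely starts with 'FILE'
    return found

def owners_of_sector(records, sector):
    """Files whose data runs cover this absolute sector; a deleted file may overlap a live one."""
    c = sector // (CLUSTER // SECTOR)
    return [r["name"] for r in records if any(l <= c < l + n for l, n in r["runs"])]

# ---- constructed sample input: fabricated for this example, not taken from any real disk ----
T = ((datetime(2021, 6, 1, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1)) * 10
LIVE_RUNS = b"\x21\x04\x00\x10\x21\x02\x00\xfe\x00"   # 4 clusters at LCN 0x1000, then 2 at 0xE00
OLD_RUNS = b"\x21\x04\x00\x0e\x00"                     # 4 clusters at LCN 0xE00, two of them now reused above
LONG_NAME = "leftover-" + "a" * 230 + ".docx"           # long enough that the name straddles a sector end

def build_record(recno, name, in_use, runs, size):
    """Assemble a FILE record (SI, FN, non-resident DATA) and protect it with fixups exactly as NTFS does."""
    def attr(atype, payload, nonres=False):
        body = payload + b"\0" * (-len(payload) % 8)
        hdr = (struct.pack("<IIBBHHHQQHHIQQQ", atype, 64 + len(body), 1, 0, 0x40, 0, 0, 0,
                           (size - 1) // CLUSTER, 0x40, 0, 0, size, size, size) if nonres else
               struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0x18, 0, 0, len(payload), 0x18, 0, 0))
        return hdr + body
    attrs = attr(0x10, struct.pack("<QQQQIIII", T, T, T, T, 0, 0, 0, 0))          # $STANDARD_INFORMATION
    attrs += attr(0x30, struct.pack("<QQQQQQQIIBB", 5, T, T, T, T, 0, 0, 0, 0, len(name), 1)
                  + name.encode("utf-16-le"))                                       # $FILE_NAME, Win32 namespace
    attrs += attr(0x80, runs, nonres=True) + b"\xff\xff\xff\xff\0\0\0\0"            # $DATA, then end marker
    rec = bytearray(struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                                0x38 + len(attrs), RECORD, 0, 4, 0, recno) + b"\0" * 8 + attrs)
    rec += b"\0" * (RECORD - len(rec))
    rec[0x30:0x32] = b"\x01\x00"                   # USN; now stash each sector's tail and stamp it
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\x00"
    return bytes(rec)

# 16 KiB 'disk': live record at sector 0, a decoy 'FILE' at sector 4, an orphaned record at sector 9
SAMPLE_IMAGE = bytearray(32 * SECTOR)
SAMPLE_IMAGE[0:RECORD] = build_record(64, "report.pdf", True, LIVE_RUNS, 6 * CLUSTER)
SAMPLE_IMAGE[4 * SECTOR:4 * SECTOR + 4] = b"FILE"
SAMPLE_IMAGE[9 * SECTOR:9 * SECTOR + RECORD] = build_record(31, LONG_NAME, False, OLD_RUNS, 4 * CLUSTER)
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)
```

Calling scan_image(SAMPLE_IMAGE) returns the live report.pdf at offset 0 and the not-in-use orphan at sector 9, skips the decoy, and gives each record's creation time and data runs; owners_of_sector(records, 28675) then names both report.pdf and the orphaned .docx, because two of the deleted file's clusters have been reallocated to the live one, which is why the function returns every match rather than the first. Two details matter in practice. A FILE record is protected by an update sequence: NTFS overwrites the last two bytes of each 512-byte sector with the USN and keeps the originals in the record header, so a carver that skips apply_fixups reads corrupted names or dates whenever an attribute straddles a sector boundary (the long name in the sample is built to do exactly that) and accepts torn records it should reject. And the cluster size is a per-volume value; on a real image replace SAMPLE_IMAGE with the image bytes (mmap a large one rather than reading it whole) and take CLUSTER from the boot sector.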



Third party tools

There are many third party tools to help with a disk investigation, some free, some chargeable. Some examples are listed below and can be downloaded from the web. CnW has no connection with these tools, and the details are provided for information only.