
An NTFS/FAT parser for digital forensics & incident response

dfir_ntfs: an NTFS/FAT parser for digital forensics & incident response (Python 3 only).

  1. Project goals
  • Parse $MFT, $UsnJrnl:$J, $LogFile files, extract as much data as possible.
  • Parse volumes, volume images, and volume shadow copies.
  • Parse FAT12/16/32, exFAT volumes.
  2. Installation

pip3 install https://github.com/msuhanov/dfir_ntfs/archive/1.1.13.tar.gz

  3. Timestamps

All timestamps reported by the tools are in UTC. (FAT file systems store timestamps without any time zone information, so they may be either local time or UTC; the tools return them as is.)

The MACE notation is used:

  • modified (M),
  • last accessed (A),
  • created (C),
  • $MFT entry modified (E).

In the WSL set of timestamps (and FAT):

  • inode changed (CH).
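The distinction above is easy to see in the two on-disk formats. The following is an added example, not code from dfir_ntfs: it decodes an NTFS FILETIME (always UTC) into a time-zone-aware datetime, maps the four FILETIMEs at the start of $STANDARD_INFORMATION onto the MACE letters, and decodes a FAT packed date/time field into a naive datetime that is returned exactly as recorded. The sample input values are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not part of dfir_ntfs. NTFS FILETIME values count 100-ns
# ticks since 1601-01-01 UTC, so they decode to aware UTC datetimes. FAT
# packed DOS date/time fields carry no zone at all, so they decode to naive
# datetimes, exactly as recorded on the volume.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_filetime(value):
    """64-bit NTFS FILETIME -> aware UTC datetime (None if the field is 0)."""
    if value == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def decode_standard_information_times(data):
    """Decode the four FILETIMEs at the start of $STANDARD_INFORMATION
    (created, modified, $MFT entry modified, accessed) into MACE order."""
    created, modified, entry_modified, accessed = struct.unpack('<4Q', data[:32])
    return {
        'M': decode_filetime(modified),
        'A': decode_filetime(accessed),
        'C': decode_filetime(created),
        'E': decode_filetime(entry_modified),
    }

def decode_fat_timestamp(fat_date, fat_time=0, tenths=0):
    """FAT 16-bit date, 16-bit time and optional 10-ms field -> naive datetime.
    A zero month or day means 'not set' and yields None; other malformed
    values raise ValueError so a caller can flag them instead of guessing."""
    year = 1980 + ((fat_date >> 9) & 0x7F)
    month = (fat_date >> 5) & 0x0F
    day = fat_date & 0x1F
    if month == 0 or day == 0:
        return None
    hour = (fat_time >> 11) & 0x1F
    minute = (fat_time >> 5) & 0x3F
    second = (fat_time & 0x1F) * 2        # time field has 2-second resolution
    if not 0 <= tenths <= 199:
        raise ValueError('FAT 10-ms field out of range')
    second += tenths // 100               # 10-ms field adds 0..1.99 s
    micro = (tenths % 100) * 10000
    return datetime(year, month, day, hour, minute, second, micro)

if __name__ == '__main__':
    # Constructed sample values: the Unix epoch as a FILETIME, and a FAT
    # date/time pair for 2019-04-17 18:40:01.5 (no time zone recorded).
    print(decode_filetime(116444736000000000))
    print(decode_fat_timestamp(0x4E91, 0x9500, 150))
```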
  4. License

This project is made available under the terms of the GNU GPL, version 3. See the 'License' file.

The first exception is the "nist-hacking-case.mft" file. This file is from the NIST Hacking Case, which is distributed by NIST. See the 'Use of NIST Information' section here: https://www.nist.gov/disclaimer.

The second exception is boot code embedded in some test data. This code is not covered by the GNU GPL, version 3.

(All exceptions are in the "test_data" directory, which is not installed.)


(c) Maxim Suhanov