
After four years of growth, challenges, and countless learning moments, Arwa Abdelaziz has officially concluded her university journey. As part of her final year, she built NTFS-Central, a modular forensic analysis tool designed to streamline investigations on NTFS-based systems. It supports extraction and analysis from key forensic artifacts like:
- ShellBags
- USN Journal
- Volume Shadow Copies
- Registry Hives
The tool aims to reduce investigative overhead, automate artifact correlation, and provide an open-source alternative to expensive commercial forensic suites.
You Should Know: Essential Commands & Techniques for NTFS Forensics
1. Extracting ShellBags (User Activity Traces)
ShellBags store per-user folder-view preferences and so reveal directories a user browsed, even ones that no longer exist. On a live system, use Registry Explorer or query the current user's hive with reg (it also runs from PowerShell):
reg query HKCU\Software\Microsoft\Windows\Shell /s
For automated parsing:
python3 shellbags.py -f NTUSER.DAT
2. Analyzing USN Journal (File System Changes)
The USN Journal logs file system changes on a volume (file creates, deletes, renames and data writes). On a live system, read it via:
fsutil usn readjournal C:
Each journal record carries a file reference number that points at an $MFT entry, so parse an extracted $MFT alongside it with AnalyzeMFT:
python AnalyzeMFT.py -f $MFT -o output.csv
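The record format behind both commands above, as an added example (not code from NTFS-Central or the post): a minimal parser for the USN_RECORD_V2 structures that make up the $UsnJrnl:$J stream, decoding the FILETIME, the 48-bit MFT entry plus 16-bit sequence number packed into each file reference, and the reason flags. The two records it runs on are constructed here, not taken from a real journal.

```python
import struct
from datetime import datetime, timedelta, timezone

# Subset of the USN_REASON_* bits from the Windows SDK (winioctl.h).
REASON_FLAGS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
                0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE",
                0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME",
                0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
# Fixed 60-byte USN_RECORD_V2 header, little-endian: RecordLength, Major/MinorVersion, FileRef,
# ParentFileRef, Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, NameLength, NameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_v2(data):
    """Decode every USN_RECORD_V2 in a raw $UsnJrnl:$J extract into dicts."""
    pos, records = 0, []
    while pos + HEADER.size <= len(data):
        if data[pos:pos + 8] == bytes(8):       # sparse region / zero padding in $J
            pos += 8
            continue
        (length, major, _minor, fref, pref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = HEADER.unpack_from(data, pos)
        if major != 2 or length < HEADER.size or pos + length > len(data):
            raise ValueError(f"malformed record at offset {pos}")
        name = data[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "timestamp": filetime_to_utc(ts).isoformat(),
                        "mft_entry": fref & 0xFFFFFFFFFFFF,    # low 48 bits: MFT record number
                        "mft_seq": fref >> 48,                 # high 16 bits: sequence number
                        "parent_entry": pref & 0xFFFFFFFFFFFF, "attributes": attrs,
                        "reasons": [n for b, n in REASON_FLAGS.items() if reason & b],
                        "name": name})
        pos += length                           # RecordLength includes 8-byte alignment padding
    return records

def build_record(usn, fref, pref, ts, reason, name):
    """Pack a record with the real layout; used here only to construct sample input."""
    enc = name.encode("utf-16-le")
    length = (HEADER.size + len(enc) + 7) & ~7
    head = HEADER.pack(length, 2, 0, fref, pref, usn, ts, reason, 0, 0, 0x20, len(enc), HEADER.size)
    return head + enc + bytes(length - HEADER.size - len(enc))

# Constructed sample (not real journal data): a file created, then deleted 10 minutes later.
FT_2024 = 133485408000000000                    # FILETIME for 2024-01-01T00:00:00Z
DOC, ROOT = (5 << 48) | 1234, (5 << 48) | 5     # sequence 5, MFT entries 1234 and 5 (root dir)
SAMPLE = (build_record(1, DOC, ROOT, FT_2024, 0x80000100, "invoice.docx") + bytes(16)
          + build_record(2, DOC, ROOT, FT_2024 + 6_000_000_000, 0x80000200, "invoice.docx"))
```

Run `parse_usn_v2(open("J.bin", "rb").read())` on a $J extract (FTK Imager or icat, as in section 5) to get the same dicts for real records.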
3. Working with Volume Shadow Copies (VSS)
List shadow copies:
vssadmin list shadows
Extract files by exposing a shadow copy through a directory symbolic link (the device path and number come from the vssadmin output; HarddiskVolumeShadowCopy1 is used here) and copying out of it with PowerShell:
cmd /c mklink /d C:\ShadowCopy '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\'
Copy-Item -Path "C:\ShadowCopy\file.txt" -Destination "C:\Evidence"
4. Registry Hive Analysis
Parse extracted registry hives with RegRipper, one hive per run with the matching profile:
rip.exe -r SYSTEM -f system
rip.exe -r SAM -f sam
Or manually extract:
reg save HKLM\SYSTEM system.hiv
5. NTFS Metadata Extraction
Extract $MFT (Master File Table) using FTK Imager or The Sleuth Kit. $MFT does not sit at the start of the partition: a dd of the first sectors returns the NTFS boot sector, which records the starting cluster of $MFT at offset 0x30. Read the boot sector with dd if you need that value, and pull $MFT itself by its entry number (0) with icat:
dd if=/dev/sda1 of=boot.dd bs=512 count=1
icat /dev/sda1 0 > mft.bin
Parse with MFTECmd:
MFTECmd.exe -f "C:\$MFT" --csv "C:\output"
What Undercode Says
NTFS-Central represents a significant leap in open-source forensic tools, bridging gaps in automated artifact correlation. Future enhancements could integrate timeline analysis (via Plaso/Log2Timeline) and cloud forensics modules.
For hands-on practice, try these Linux-based forensic commands:
- fls (The Sleuth Kit) - List files in a disk image
- icat (The Sleuth Kit) - Extract file content from an image
- autopsy - GUI-based forensic analysis
- volatility - Memory forensics (Windows/Linux)
Expected Output:
A structured forensic report detailing ShellBags, USN logs, registry keys, and file system metadata—enhancing investigative efficiency.
Prediction
As NTFS forensics evolves, expect AI-driven anomaly detection and blockchain-based evidence integrity to dominate next-gen forensic tools. Open-source projects like NTFS-Central will push industry standards, reducing reliance on costly proprietary solutions.
References:
Reported By: Arwa Abdelaziz – Hackers Feeds