Dfir_ntfs: a forensic parser for NTFS filesystems

The NTFS filesystem is a gold mine for forensic analysis on Microsoft Windows systems. There are many tools for extracting a timeline of activity on the filesystem, or for searching for anomalies that indicate time-stomping events. Recently I discovered another useful tool, developed by Maxim Suhanov, named dfir_ntfs [1]: dfir_ntfs: an NTFS […]

The post dfir_ntfs: a forensic parser for NTFS filesystems first appeared on Andrea Fortuna.

Article Link: https://www.andreafortuna.org/2021/06/05/dfir_ntfs-a-forensic-parser-for-ntfs-filesystems/