NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition info (mbr, partition table, vbr) but also information on master file table, bitlocker encrypted volume, EFS encrypted files and more.

See below for some examples of the features!

Features

Forensics

NTFSTool displays the complete structure of master boot record, volume boot record, partition table and MFT file record. It is also possible to dump any file (even $mft or SAM) or parse USN journals and LogFile, including streams from Alternate Data Stream (ADS). The undelete command will search for any file record marked as "not in use" and allow you to retrieve the file (or part of the file if it was already rewritten). It supports input from an image file or a live disk, but you can also use tools like OSFMount to mount your disk image. Sparse and compressed files are also supported.

Bitlocker support

For a bitlocked partition, it can display FVE records, check a password and key (bek, password, recovery key), and extract the VMK and FVEK. There is no bruteforce feature because GPU-based cracking is better (see Bitcracker and Hashcat), but you can get the hash for these tools.

In the current version, masterkeys, private keys and certificates can be listed, displayed and decrypted using the needed inputs (SID, password). Certificates with private keys can be exported using the backup command. Reimport the backup on another machine to be able to read your encrypted file again!

Decryption of EFS encrypted files is coming!

Shell

There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp).

The help command displays a description and examples for each command. Options can be entered as a decimal or hex number with the "0x" prefix (ex: inode).

ntfstool help

Commands:

Display information for all disks and volumes
Display MBR structure, code and partitions for a disk
Display GPT structure, code and partitions for a disk
Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported)
Create an image file of a disk or volume.
Display FILE record details for a specified MFT inode. Almost all attribute types supported
Display VCN content and Btree index for an inode
Display detailed information and hash ($bitlocker$) for all VMK. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK are displayed.
Decrypt a volume to a file using password, recovery key or bek.
List, display and export system certificates (SystemCertificates/My/Certificates).
List, display, decrypt and export private keys (Crypto/RSA).
List, display and decrypt masterkeys (Protect).
Display information for the specified FVE block (0, 1, 2)
Parse and display reparse points from $Extend\$Reparse.
Dump $LogFile file in specified format: csv, json, raw.
Dump $UsnJrnl file in specified format: csv, json, raw.
List volume shadow snapshots from selected disk and volume.
Search and extract deleted files for a volume.

Feel free to open an issue or ask for a new feature!

Build

Vcpkg is the best way to install the required third-party libs.

Install vcpkg as described here: vcpkg#getting-started

git clone

Integrate it with your Visual Studio environment: vcpkg integrate install

At build time, Visual Studio will detect the vcpkg.json file and install the required packages automatically.