Skip to content

strozfriedberg/ntfs-linker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Author: Zack Weger

Copyright (c) 2015, Stroz Friedberg, LLC

Status: Alpha

License: LGPLv3

Description

NTFS Linker uses the $MFT, $LogFile, and $UsnJrnl to generate a "linked" history of file system activity on an NTFS volume. $LogFile and $UsnJrnl track changes to files and folders over time. Linking the records in these logs with $MFT allows for the construction of a timeline of activity: creates, moves/renames, and deletes. NTFS Linker produces records that can easily be filtered to review different types of activity. In addition, NTFS-Linker is able to run across all Volume Shadow Copies (VSCs) on a volume, and produce output in a unified and deduplicated manner.

Usage

ntfs-linker, Copyright (c) Stroz Friedberg, LLC
Version 0.1.1
Usage: ntfs_linker ntfs-dir output [options] 
Allowed options:
  --ntfs-dir arg        If no image specified, location of root directory 
                        containing input files. Otherwise, root directory in 
                        which to dump files extracted from image. See the docs 
                        for info about ntfs-dir structure.
  --output arg          directory in which to dump output files
  --image arg           Path to image file(s)
  --overwrite           overwrite files in the output directory. Default: 
                        append
  --extra               Outputs supplemental lower-level parsed data from 
                        $UsnJrnl and $LogFile
  --help                display help and exit
  --version             display version number and exit

Output

NTFS-Linker produces three TSV reports: events.txt, log.txt, and usn.txt.

  • log.txt: contains listing of log record headers. Does not contain the redo/undo operation data, so this report is of limited use.

  • usn.txt: contains a "raw" view of $UsnJrnl entries in more detail than what events.txt provides, including all of the Reason flags.

  • events.txt: contains a unified view of all file system events, as parsed from both $UsnJrnl and $LogFile, ordered by event time from most recent to oldest (approximately--see below).

NTFS-Linker also produces a SQLite database containing all of the above data. The database schema is designed for ease of querying, not full normalization.

Installation

The source is in C++ and uses autotools for building. C++11 compiler support is required. On a sane Unix, this should work:

./bootstrap.sh
./configure
make
sudo make install

NTFS-linker has dependencies on SQLite, Boost, libtsk, libewf, libbfio, libcerror, and libvshadow. The configure script should detect these dependencies on your system and warn you if any are missing.

libewf should be installed before building and installing libtsk.

Note that libvshadow must be compiled with libbfio enabled, and The Sleuthkit must be compiled with --disable-multithreading (which is only available in version 4.3).

After installing the dependencies you may need to run:

sudo ldconfig

With sufficient wizardry, NTFS-linker can be built for Windows using mingw. For the impatient, prebuilt binaries can be downloaded.