NTFSTool is a forensic tool focused on NTFS volumes. It supports reading partition information (MBR, partition table, VBR) as well as information about Bitlocker-encrypted volumes, EFS-encrypted files and more.

See below for some examples of the features!

Features

Forensics

NTFSTool displays the complete structure of the master boot record, volume boot record, partition table and MFT file records. It is also possible to dump any file (even $MFT or SAM), or to parse the USN journal and $LogFile, along with Alternate Data Streams (ADS). The undelete command searches for any file record marked as "not in use" and lets you retrieve the file (or part of the file if its clusters have already been rewritten). It supports input from an image file or a live disk, but you can also use a tool like OSFMount to mount your disk image. Sparse and compressed files are also supported.
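The USN journal parsing mentioned above, as an added Python example (this is not NTFSTool code and not the project's implementation): it walks USN_RECORD_V2 entries from a $UsnJrnl:$J stream, decodes the file reference, timestamp and reason flags, and renders the rows as CSV or JSON, which is what the tool's usn command does for a real journal. The journal bytes and the file names in it are constructed for the demo.

```python
# Added example, not part of NTFSTool: parse USN_RECORD_V2 entries from a
# $UsnJrnl:$J stream and render them as CSV or JSON. The sample journal bytes
# are constructed here for the demo.
import csv
import io
import json
import struct
from datetime import datetime, timedelta, timezone

# Fixed part of USN_RECORD_V2 (winioctl.h): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2 = struct.Struct("<IHHQQQQIIIIHH")          # 60 bytes, the name follows

# USN_REASON_* bits (subset sufficient for the sample; values from winioctl.h)
REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def unix_to_filetime(unix_seconds):
    """Seconds since 1970 -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (unix_seconds + 11644473600) * 10_000_000

def filetime_to_text(ft):
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")

def reason_text(mask):
    names = [n for bit, n in sorted(REASONS.items()) if mask & bit]
    return "|".join(names) if names else f"0x{mask:08x}"

def parse_usn_journal(buf):
    """Yield one dict per record. A zero RecordLength ends the walk (journal
    pages are zero padded); a bad version, misaligned or overlong length is an
    error, so a truncated or tampered stream is reported, not silently skipped."""
    off = 0
    while off + USN_V2.size <= len(buf):
        (length, major, minor, fref, pref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = USN_V2.unpack_from(buf, off)
        if length == 0:
            break
        if (major, minor) != (2, 0) or length % 8 or off + length > len(buf):
            raise ValueError(f"bad USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {
            "usn": usn,
            "timestamp": filetime_to_text(ts),
            "mft_record": fref & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record index
            "mft_sequence": fref >> 48,            # high 16 bits: sequence number
            "parent_record": pref & 0xFFFFFFFFFFFF,
            "reason": reason_text(reason),
            "attributes": f"0x{attrs:08x}",
            "filename": name,
        }
        off += length

def is_well_formed(buf):
    try:
        list(parse_usn_journal(buf))
        return True
    except ValueError:
        return False

def to_csv(records):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(records[0].keys()))
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()

def to_json(records):
    return json.dumps(records, indent=2)

def make_record(usn, ts, fref, pref, reason, name):
    """Build one USN_RECORD_V2 (only used to construct the sample journal)."""
    name_b = name.encode("utf-16-le")
    length = (USN_V2.size + len(name_b) + 7) & ~7          # records are 8-byte aligned
    fixed = USN_V2.pack(length, 2, 0, fref, pref, usn, ts, reason, 0, 0,
                        0x20, len(name_b), USN_V2.size)
    return (fixed + name_b).ljust(length, b"\0")

# Constructed sample: create, write/close, rename and delete of one file,
# followed by the zero padding found at the end of a journal page.
T0 = unix_to_filetime(1582573343)                         # 2020-02-24 19:42:23 UTC
FREF = (5 << 48) | 47                                      # record 47, sequence 5
ROOT = (5 << 48) | 5                                       # parent: root directory
SAMPLE_JOURNAL = b"".join([
    make_record(0x1000, T0, FREF, ROOT, 0x00000100, "report.docx"),
    make_record(0x1058, T0 + 10_000_000, FREF, ROOT, 0x80000002, "report.docx"),
    make_record(0x10b0, T0 + 20_000_000, FREF, ROOT, 0x00001000, "report.docx"),
    make_record(0x1108, T0 + 20_000_000, FREF, ROOT, 0x00002000, "report-final.docx"),
    make_record(0x1168, T0 + 30_000_000, FREF, ROOT, 0x80000200, "report-final.docx"),
]) + b"\0" * 64

if __name__ == "__main__":
    rows = list(parse_usn_journal(SAMPLE_JOURNAL))
    print(to_csv(rows))
```

The record length check matters when the journal comes from an image rather than the live volume: the $J stream is sparse and its readable tail may be cut, and a length that runs past the buffer is the sign to stop rather than to decode garbage as a file name.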

Bitlocker support

For a Bitlocker-encrypted partition, it displays FVE information, tests a password or key (bek, password, recovery key), and extracts the VMK and FVEK. There is no brute-force feature, because GPU-based cracking is far more effective (see BitCracker and Hashcat), but you can get the hash in the format those tools expect.

EFS support

In the current version, master keys, private keys and certificates can be listed, displayed and decrypted using the required inputs (SID, password). Certificates with private keys can be exported using the backup command. Re-import the backup on another machine to be able to read your encrypted files again!

More information on the Mimikatz Wiki.

Decryption of EFS-encrypted files is coming!

Shell

There is a limited shell with a few commands (exit, cd, ls, cat, pwd, cp).

Help & Examples

The help command displays a description and examples for each command. Options can be entered as decimal numbers, or as hex numbers with the "0x" prefix (e.g. inode).

ntfstool help [command]

Command | Description
info | Display information for all disks and volumes
mbr | Display MBR structure, code and partitions for a disk
gpt | Display GPT structure, code and partitions for a disk
vbr | Display VBR structure and code for a specified volume (ntfs, fat32, fat1x, bitlocker supported)
extract | Extract a file from a volume.
image | Create an image file of a disk or volume.
mft | Display FILE record details for a specified MFT inode. Almost all attribute types supported.
btree | Display VCN content and B-tree index for an inode
bitlocker | Display detailed information and hash ($bitlocker$) for all VMKs. It is possible to test a password or recovery key. If it is correct, the decrypted VMK and FVEK are displayed.
bitdecrypt | Decrypt a volume to a file using a password, recovery key or bek.
efs.backup | Export EFS keys in PKCS12 (pfx) format.
efs.certificate | List, display and export system certificates (SystemCertificates/My/Certificates).
efs.key | List, display, decrypt and export private keys (Crypto/RSA).
efs.masterkey | List, display and decrypt master keys (Protect).
fve | Display information for the specified FVE block (0, 1, 2)
reparse | Parse and display reparse points from $Extend\$Reparse.
logfile | Dump the $LogFile file in the specified format: csv, json, raw.
usn | Dump the $UsnJrnl file in the specified format: csv, json, raw.
shadow | List volume shadow snapshots from the selected disk and volume.
streams | Display Alternate Data Streams
undelete | Search and extract deleted files for a volume.
shell | Start a mini Unix-like shell
smart | Display S.M.A.R.T. data

Limitations

  • Some unsupported cases. WIP.
  • No documentation

Feel free to open an issue or ask for a new feature!

Build

vcpkg is one of the best ways to install the required third-party libraries.

Set up vcpkg as described here: vcpkg#getting-started

git clone https://github.com/microsoft/vcpkg
.\vcpkg\bootstrap-vcpkg.bat

Integrate it into your Visual Studio environment:

vcpkg integrate install

At build time, Visual Studio will find the vcpkg.json file and install the required packages automatically.

Current third-party libs:

  • openssl: OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
  • nlohmann-json: JSON for Modern C++
  • distorm: Powerful Disassembler Library For x86/AMD64
  • cppcoro: A library of C++ coroutine abstractions for the coroutines TS.

Examples

Info

info
+-------------------------------------------------------------------------------------+
| Id | Model | Type | Partition | Size |
+-------------------------------------------------------------------------------------+
| 0 | Samsung SSD 850 EVO 500GB | Fixed SSD | GPT | 500107862016 (465.76 GiBs) |
| 1 | ST2000DM001-1ER164 | Fixed HDD | GPT | 2000398934016 (1.82 TiB) |
| 2 | 15EADS External | Fixed HDD | MBR | 1500301910016 (1.36 TiB) |
| 3 | osfdisk | Fixed HDD | MBR | 536870912 (512.00 MiBs) |
+-------------------------------------------------------------------------------------+
info disk=3
Model : osfdisk
Version : 1
Serial :
Media Type : Fixed HDD
Size : 536870912 (512.00 MiBs)
Geometry : 512 bytes * 63 sectors * 255 tracks * 65 cylinders
Volume : MBR

+--------------------------------------------------------------------------------------------------+
| Id | Boot | Label | Mounted | Filesystem | Offset | Size |
+--------------------------------------------------------------------------------------------------+
| 1 | No | NTFSDRIVE | F: | Bitlocker | 0000000000000200 | 000000001ffffe00 (512.00 MiBs) |
+--------------------------------------------------------------------------------------------------+
info disk=3 volume=1
Serial Number : 0000aa60-00002eae
Filesystem : Bitlocker
Bootable : False
Type : Fixed
Label : NTFSDRIVE
Offset : 512 (512.00 bytes)
Size : 536870400 (512.00 MiBs)
Free : 519442432 (495.38 MiBs)
Mounted : True (F:)
Bitlocker : True (Unlocked)

MBR

mbr disk=2
MBR from \\.\PhysicalDrive2
---------------------------

Disk signature : e4589462
Reserved bytes : 0000

Partition table :
+---------------------------------------------------------------------------------------------------+
| Id | Boot | Flags | Filesystem | First sector | Last sector | Offset | Sectors | Size |
+---------------------------------------------------------------------------------------------------+
| 1 | No | Primary | NTFS / exFAT | 0 2 3 | 255 254 255 | 128 | 16771072 | 8.00 GiBs |
+---------------------------------------------------------------------------------------------------+

MBR signature : 55aa

Strings:
[63] : Invalid partition table
[7b] : Error loading operating system
[9a] : Missing operating system

Disassemble Bootstrap Code [y/N] ? y

0000 : 33c0 : xor ax, ax
0002 : 8ed0 : mov ss, ax
0004 : bc007c : mov sp, 0x7c00
0007 : 8ec0 : mov es, ax
0009 : 8ed8 : mov ds, ax
000b : be007c : mov si, 0x7c00
000e : bf0006 : mov di, 0x600
0011 : b90002 : mov cx, 0x200
...
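The MBR fields shown above, decoded by a small parser. This is an added Python example, not NTFSTool code: it reads the disk signature, the four partition entries (status byte, CHS and LBA start, sector count, type) and the 0x55AA marker, and then runs the consistency checks an analyst wants before trusting a partition table (status byte, CHS versus LBA agreement, overlap, extent beyond the disk). The sector is constructed here from the values printed on the page, so its bootstrap area holds only the first three instructions of the listing.

```python
# Added example, not part of NTFSTool: decode a 512-byte master boot record
# and sanity-check its partition table. The sector bytes are constructed for
# the demo, reusing the disk signature and partition entry shown on the page.
import struct

ENTRY = struct.Struct("<B3sB3sII")     # status, CHS first, type, CHS last, LBA start, sector count
PART_TYPES = {0x05: "Extended", 0x07: "NTFS / exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}

def decode_chs(raw):
    """3-byte CHS field -> (cylinder, head, sector); the cylinder is 10 bits."""
    head, sec_cyl_hi, cyl_lo = raw
    return ((sec_cyl_hi & 0xC0) << 2) | cyl_lo, head, sec_cyl_hi & 0x3F

def encode_chs(cyl, head, sector):
    return bytes([head, ((cyl >> 2) & 0xC0) | (sector & 0x3F), cyl & 0xFF])

def chs_to_lba(chs, heads=255, spt=63):
    cyl, head, sector = chs
    return (cyl * heads + head) * spt + (sector - 1)

def parse_mbr(sector):
    if len(sector) != 512:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("boot signature 0x55AA missing")
    parts = []
    for i in range(4):
        status, chs_a, ptype, chs_b, lba, count = ENTRY.unpack_from(sector, 446 + 16 * i)
        if ptype == 0:
            continue                                   # empty slot
        parts.append({"id": i + 1, "status": status, "boot": status == 0x80,
                      "type": ptype, "filesystem": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                      "chs_first": decode_chs(chs_a), "chs_last": decode_chs(chs_b),
                      "lba_first": lba, "sectors": count,
                      "size_gib": round(count * 512 / 2**30, 2)})
    return {"disk_signature": struct.unpack_from("<I", sector, 440)[0],
            "reserved": struct.unpack_from("<H", sector, 444)[0],
            "bootstrap": sector[:440], "partitions": parts}

def check_mbr(mbr, disk_sectors=None):
    """Return a list of findings; an empty list means the table is self-consistent."""
    findings = []
    parts = mbr["partitions"]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['id']}: invalid status byte 0x{p['status']:02x}")
        # CHS and LBA must agree unless CHS is the saturated 1023/254/63 marker
        if p["chs_first"][0] < 1023 and chs_to_lba(p["chs_first"]) != p["lba_first"]:
            findings.append(f"partition {p['id']}: CHS start does not match LBA {p['lba_first']}")
        if p["sectors"] == 0:
            findings.append(f"partition {p['id']}: zero length")
        if disk_sectors is not None and p["lba_first"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['id']}: extends past end of disk")
    for a in parts:
        for b in parts:
            if a["id"] < b["id"] and a["lba_first"] < b["lba_first"] + b["sectors"] \
                    and b["lba_first"] < a["lba_first"] + a["sectors"]:
                findings.append(f"partitions {a['id']} and {b['id']} overlap")
    return findings

def build_sample_mbr():
    """Constructed sector: xor ax,ax / mov ss,ax / mov sp,0x7c00 as bootstrap,
    disk signature e4589462, one NTFS partition at LBA 128 of 16771072 sectors."""
    code = bytes.fromhex("33c08ed0bc007c").ljust(440, b"\0")
    entry = ENTRY.pack(0x00, encode_chs(0, 2, 3), 0x07, encode_chs(1023, 254, 63), 128, 16771072)
    return code + struct.pack("<IH", 0xE4589462, 0) + entry + b"\0" * 48 + b"\x55\xaa"

def build_tampered_mbr():
    """Same sector with the LBA start rewritten; the CHS/LBA check should catch it."""
    raw = bytearray(build_sample_mbr())
    struct.pack_into("<I", raw, 446 + 8, 2048)
    return bytes(raw)

if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    print(f"Disk signature : {mbr['disk_signature']:08x}")
    for p in mbr["partitions"]:
        print(p)
    print("findings:", check_mbr(mbr))
```

The CHS/LBA comparison uses the 255-head, 63-sector geometry the info command reports for the disk; a table edited by hand usually updates only the LBA fields, which is what the check detects.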

GPT

gpt disk=1
Signature : EFI PART
Revision : 1.0
Header Size : 92
Header CRC32 : cc72e4d3
Reserved : 00000000
Current LBA : 1
Backup LBA : 3907029167
First Usable LBA : 34
Last Usable LBA : 3907029134
GUID : {a21d6495-cd58-4b8d-b968-dc337adcf6ac}
Entry LBA : 2
Entries Num : 128
Entries Size : 128
Partitions CRC32 : 0c9a0a25

Partition table : 2 entries
+------------------------------------------------------------------------------------------------------------------------+
| Id | Name | GUID | First sector | Last sector | Flags |
+------------------------------------------------------------------------------------------------------------------------+
| 1 | Microsoft reserved partition | {da0ac4a1-a78c-4053-bab5-36c70a71fe63} | 34 | 262177 | 000000000000 |
| 2 | Basic data partition | {4b4ea4b3-64a1-4c6d-bd4b-1c2b0e4e706f} | 264192 | 3907028991 | 000000000000 |
+------------------------------------------------------------------------------------------------------------------------+
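The GPT header and partition array shown above, parsed and integrity-checked. This is an added Python example and not NTFSTool code: it decodes the header fields the gpt command prints, verifies the header CRC32 (computed over the header with the CRC field zeroed) and the partition array CRC32, and decodes each entry's type GUID, unique GUID, LBA range and UTF-16 name. The header and entries are constructed here from the LBAs and GUIDs on the page, so the CRC values are those of this constructed data rather than the page's.

```python
# Added example, not part of NTFSTool: parse a GPT header and partition array
# and verify both CRC32 values so a damaged or altered header is noticed.
# The header and entries are constructed for the demo.
import struct
import uuid
import zlib

GPT_HEADER = struct.Struct("<8sIIII4Q16sQIII")   # 92 bytes (UEFI spec layout)
GPT_ENTRY = struct.Struct("<16s16sQQQ72s")       # 128 bytes per partition entry
TYPE_GUIDS = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System partition",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft reserved partition",
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Basic data partition",
}

def guid_str(raw16):
    return str(uuid.UUID(bytes_le=raw16))         # GPT stores GUIDs mixed-endian

def parse_gpt(header_sector, entry_array):
    (sig, rev, hsize, hcrc, _res, cur, backup, first, last, guid,
     entry_lba, n_entries, entry_size, parts_crc) = GPT_HEADER.unpack_from(header_sector, 0)
    if sig != b"EFI PART":
        raise ValueError("GPT signature missing")
    if hsize < GPT_HEADER.size or hsize > len(header_sector):
        raise ValueError("implausible header size")
    # The header CRC covers header_size bytes with the CRC field (offset 16) zeroed.
    zeroed = header_sector[:16] + b"\0\0\0\0" + header_sector[20:hsize]
    header_ok = zlib.crc32(zeroed) == hcrc
    array_ok = zlib.crc32(entry_array[:n_entries * entry_size]) == parts_crc
    partitions = []
    for i in range(n_entries):
        ptype, pguid, pfirst, plast, flags, name = GPT_ENTRY.unpack_from(entry_array, i * entry_size)
        if ptype == b"\0" * 16:
            continue                                  # unused slot
        t = guid_str(ptype)
        partitions.append({"id": i + 1, "type_guid": t, "type": TYPE_GUIDS.get(t, "unknown"),
                           "guid": guid_str(pguid), "first_lba": pfirst, "last_lba": plast,
                           "flags": flags, "name": name.decode("utf-16-le").rstrip("\0")})
    return {"revision": f"{rev >> 16}.{rev & 0xFFFF}", "header_size": hsize,
            "header_crc_ok": header_ok, "current_lba": cur, "backup_lba": backup,
            "first_usable_lba": first, "last_usable_lba": last, "disk_guid": guid_str(guid),
            "entry_lba": entry_lba, "entries": n_entries, "entry_size": entry_size,
            "array_crc_ok": array_ok, "partitions": partitions}

def make_entry(type_guid, part_guid, first, last, name):
    return GPT_ENTRY.pack(uuid.UUID(type_guid).bytes_le, uuid.UUID(part_guid).bytes_le,
                          first, last, 0, name.encode("utf-16-le").ljust(72, b"\0"))

def build_sample():
    """Constructed primary header (LBA 1) and 128-entry array (LBA 2..33)."""
    array = (make_entry("e3c9e316-0b5c-4db8-817d-f92df00215ae",
                        "da0ac4a1-a78c-4053-bab5-36c70a71fe63", 34, 262177,
                        "Microsoft reserved partition")
             + make_entry("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7",
                          "4b4ea4b3-64a1-4c6d-bd4b-1c2b0e4e706f", 264192, 3907028991,
                          "Basic data partition")).ljust(128 * 128, b"\0")
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, 3907029167, 34, 3907029134,
              uuid.UUID("a21d6495-cd58-4b8d-b968-dc337adcf6ac").bytes_le, 2, 128, 128,
              zlib.crc32(array)]
    fields[3] = zlib.crc32(GPT_HEADER.pack(*fields))     # CRC taken with the field zeroed
    return GPT_HEADER.pack(*fields).ljust(512, b"\0"), array

def build_altered():
    """Same header with the backup LBA changed and the CRC left untouched."""
    header, array = build_sample()
    raw = bytearray(header)
    struct.pack_into("<Q", raw, 32, 0)
    return bytes(raw), array

if __name__ == "__main__":
    for key, value in parse_gpt(*build_sample()).items():
        print(f"{key:18}: {value}")
```

When the primary header fails its CRC, the next step is to read the backup header at the LBA the header names (the last sector of the disk) and compare; firmware does the same, which is why a tampered primary header alone does not survive a reboot unnoticed.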

VBR

vbr disk=3 volume=1
Structure :
Jump : eb5890 (jmp 0x7c5a)
OEM id : -FVE-FS-
BytePerSector : 512
SectorPerCluster : 8
Reserved Sectors : 0
Number of FATs : 0
Root Max Entries : 0
Total Sectors : 0
Media Type : f8
SectorPerFat : 8160
SectorPerTrack : 63
Head Count : 255
FS Offset : 1
Total Sectors : 0
FAT Flags : 0000
FAT Version : 0000
Root Cluster : 0
FS Info Sector : 1
Backup BootSector: 6
Reserved : 00000000
Reserved : 00000000
Reserved : 00000000
Drive Number : 80
Reserved : 00
Ext. Boot Sign : 29
Serial Number : 00000000
Volume Name : NO NAME
FileSystem Type : FAT32
Volume GUID : {4967d63b-2e29-4ad8-8399-f6a339e3d001}
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
End marker : 55aa

Strings:
[00] : Remove disks or other media.
[1f] : Disk error
[2c] : Press any key to restart

Disassemble Bootstrap Code [y/N] ? y

7c5a : eb58 : jmp 0x7cb4
7c5c : 90 : nop
7c5d : 2d4656 : sub ax, 0x5646
7c60 : 45 : inc bp
7c61 : 2d4653 : sub ax, 0x5346
7c64 : 2d0002 : sub ax, 0x200
[...]
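The boot sector above carries a FAT32-looking BPB but an OEM id of -FVE-FS-, which is how a Bitlocker volume is recognised before any key material is involved. The added Python example below (not NTFSTool code) classifies a volume boot record by its OEM id and decodes the fields the vbr command prints for NTFS, FAT32, FAT1x and Bitlocker volumes. For the Bitlocker case it reads the volume GUID at offset 0xA0 and the three FVE metadata block offsets at 0xB0, 0xB8 and 0xC0; that layout is the Windows 7 and later format as documented by the libbde project and is an assumption of this example, as is the NTFS sample's MFT location. Both sectors are constructed here, the Bitlocker one from the values on the page.

```python
# Added example, not part of NTFSTool: identify a volume boot record by OEM id
# and decode the BPB and filesystem-specific fields. The Bitlocker offsets
# (GUID at 0xA0, FVE blocks at 0xB0/0xB8/0xC0) are the Windows 7+ layout per
# the libbde format documentation; both sectors are constructed for the demo.
import struct
import uuid

BPB = struct.Struct("<HBHBHHBHHHII")   # offsets 0x0B..0x23, common to FAT and NTFS

def parse_vbr(sector):
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte boot sector with the 0x55AA end marker")
    (bps, spc, reserved, fats, root_entries, total16, media, spf16, spt,
     heads, hidden, total32) = BPB.unpack_from(sector, 0x0B)
    info = {"jump": sector[:3].hex(), "oem_id": sector[3:11].decode("ascii", "replace"),
            "bytes_per_sector": bps, "sectors_per_cluster": spc, "reserved_sectors": reserved,
            "media_type": f"{media:02x}", "sectors_per_track": spt, "head_count": heads,
            "fs_offset": hidden}
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1):
        info["warning"] = "implausible BPB geometry"     # typical of a damaged or fake VBR
    oem = sector[3:11]
    if oem == b"NTFS    ":
        total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
        cpfr = struct.unpack_from("<b", sector, 0x40)[0]
        info.update(filesystem="NTFS", total_sectors=total, mft_lcn=mft_lcn,
                    mftmirr_lcn=mftmirr_lcn,
                    # a negative value n means a file record is 2**(-n) bytes, not n clusters
                    file_record_size=(2 ** -cpfr) if cpfr < 0 else cpfr * spc * bps,
                    serial=struct.unpack_from("<Q", sector, 0x48)[0])
    elif oem == b"-FVE-FS-":
        info.update(filesystem="Bitlocker", number_of_fats=fats,
                    sectors_per_fat=struct.unpack_from("<I", sector, 0x24)[0],
                    volume_guid=str(uuid.UUID(bytes_le=sector[0xA0:0xB0])),
                    fve_blocks=list(struct.unpack_from("<QQQ", sector, 0xB0)))
    elif sector[0x52:0x5A] == b"FAT32   ":
        spf32, _flags, _ver, root_cluster, fsinfo, backup = struct.unpack_from("<IHHIHH", sector, 0x24)
        info.update(filesystem="FAT32", number_of_fats=fats, sectors_per_fat=spf32,
                    root_cluster=root_cluster, fs_info_sector=fsinfo, backup_boot_sector=backup,
                    serial=struct.unpack_from("<I", sector, 0x43)[0],
                    label=sector[0x47:0x52].decode("ascii", "replace").rstrip())
    elif sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   "):
        info.update(filesystem="FAT1x", number_of_fats=fats, root_max_entries=root_entries,
                    sectors_per_fat=spf16, total_sectors=total16 or total32)
    else:
        info["filesystem"] = "unknown"
    return info

def build_bitlocker_vbr():
    """Constructed -FVE-FS- sector with the values shown on the page."""
    s = bytearray(512)
    s[0:3] = bytes.fromhex("eb5890")
    s[3:11] = b"-FVE-FS-"
    BPB.pack_into(s, 0x0B, 512, 8, 0, 0, 0, 0, 0xF8, 0, 63, 255, 1, 0)
    struct.pack_into("<IHHIHH", s, 0x24, 8160, 0, 0, 0, 1, 6)   # FAT32-style fields
    s[0x40], s[0x42] = 0x80, 0x29                              # drive number, ext. boot sign
    s[0x47:0x52] = b"NO NAME    "
    s[0x52:0x5A] = b"FAT32   "
    s[0xA0:0xB0] = uuid.UUID("4967d63b-2e29-4ad8-8399-f6a339e3d001").bytes_le
    struct.pack_into("<QQQ", s, 0xB0, 0x2100000, 0x59E4000, 0x92C8000)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

def build_ntfs_vbr():
    """Constructed NTFS sector: 8 sectors per cluster, $MFT at LCN 786432."""
    s = bytearray(512)
    s[0:3] = bytes.fromhex("eb5290")
    s[3:11] = b"NTFS    "
    BPB.pack_into(s, 0x0B, 512, 8, 0, 0, 0, 0, 0xF8, 0, 63, 255, 2048, 0)
    struct.pack_into("<QQQ", s, 0x28, 1048575, 786432, 2)
    struct.pack_into("<bxxxbxxxQ", s, 0x40, -10, 1, 0x1234567890ABCDEF)
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for sample in (build_bitlocker_vbr(), build_ntfs_vbr()):
        print(parse_vbr(sample))
```

A Bitlocker volume therefore looks like FAT32 to anything that only reads the BPB; tools that classify volumes by the filesystem type string at 0x52 will misreport it, which is why the OEM id is checked first here.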

Extract

extract disk=3 volume=1 from=bob.txt output=d:\bob.txt
Extract file from \\.\PhysicalDrive3 > Volume:1
-----------------------------------------------

[+] Opening \\?\Volume{00023d5d-0000-0000-0002-000000000000}
[-] Source : bob.txt
[-] Destination : d:\bob.txt
[-] Record Num : 47 (0000002fh)
[+] File extracted (42 bytes written)
extract disk=0 volume=4 --system output=d:\system
Extract file from \\.\PhysicalDrive0 > Volume:4
-----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[-] Source : c:\windows\system32\config\system
[-] Destination : d:\system
[-] Record Num : 623636 (00098414h)
[+] File extracted (19398656 bytes written)

Image

image disk=2 volume=2 output=d:\imagevol.raw
Image from \\.\PhysicalDrive2 > Volume:2
----------------------------------------

[+] Opening \\?\Volume{f095dd1d-f302-4d17-bf68-7cc8c1de3965}
[-] Size : 33520128 (31.97 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Completed
image disk=2 output=d:\image.raw
Image from \\.\PhysicalDrive2
-----------------------------

[+] Opening \\.\PhysicalDrive2
[-] Size : 67108864 (64.00 MiBs)
[-] BlockSize: 4096
[+] Copying : [################################] 100% 0s
[+] Completed

MFT

mft disk=2 volume=1 inode=5 (root folder)

Signature : FILE
Update Offset : 48
Update Number : 3
$LogFile LSN : 274035114
Sequence Number : 5
Hardlink Count : 1
Attribute Offset : 56
Flags : In_use | Directory
Real Size : 704
Allocated Size : 1024
Base File Record : 0
Next Attribute ID : 56
MFT Record Index : 5
Update Seq Number : 4461
Update Seq Array : 00000000

Attributes:
-----------

+------------------------------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+------------------------------------------------------------------------------------------------------------------+
| 1 | $STANDARD_INFORMATION | False | 72 | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2020-02-24 19:42:23 |
| | | | | FileRecord Changed Time : 2020-02-24 19:42:23 |
| | | | | Last Access Time : 2020-02-24 19:42:23 |
| | | | | Permissions : |
| | | | | read_only : 0 |
| | | | | hidden : 1 |
| | | | | system : 1 |
| | | | | device : 0 |
| | | | | normal : 0 |
| | | | | temporary : 0 |
| | | | | sparse : 0 |
| | | | | reparse_point : 0 |
| | | | | compressed : 0 |
| | | | | offline : 0 |
| | | | | not_indexed : 1 |
| | | | | encrypted : 0 |
| | | | | Max Number of Versions : 0 |
| | | | | Version Number : 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | $FILE_NAME | False | 68 | Parent Dir Record Index : 5 |
| | | | | Parent Dir Sequence Num : 5 |
| | | | | File Created Time : 2009-12-02 02:03:31 |
| | | | | Last File Write Time : 2011-12-24 03:13:12 |
| | | | | FileRecord Changed Time : 2011-12-24 03:13:12 |
| | | | | Last Access Time : 1970-01-01 00:59:59 |
| | | | | Allocated Size : 0 |
| | | | | Real Size : 0 |
| | | | | ------ |
| | | | | Name : . |
+------------------------------------------------------------------------------------------------------------------+
| 3 | $OBJECT_ID | False | 16 | Object Unique ID : |
+------------------------------------------------------------------------------------------------------------------+
| 4 | $INDEX_ROOT | False | 152 | Attribute Type : 00000030h |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 136 |
| | | | | Index Entries Allocated : 136 |
| | | | | Flags : Large Index |
+------------------------------------------------------------------------------------------------------------------+
| 5 | $INDEX_ALLOCATION | True | 12288 | Index |
| | | | | 0000000000000004 : $AttrDef |
| | | | | 0000000000000008 : $BadClus |
| | | | | 0000000000000006 : $Bitmap |
| | | | | 0000000000000007 : $Boot |
| | | | | 000000000000000b : $Extend |
| | | | | 0000000000000002 : $LogFile |
| | | | | 0000000000000000 : $MFT |
| | | | | 0000000000000001 : $MFTMirr |
| | | | | 000000000000002d : $RECYCLE.BIN |
| | | | | 0000000000000009 : $Secure |
| | | | | 000000000000000a : $UpCase |
| | | | | 0000000000000003 : $Volume |
| | | | | 0000000000000005 : . |
| | | | | 000000000000240c : Dir1 |
| | | | | 0000000000000218 : Dir2 |
| | | | | 000000000000212a : Dir3 |
| | | | | 0000000000000024 : Dir4 |
| | | | | 0000000000000def : RECYCLER |
| | | | | 000000000000001b : System Volume Information |
| | | | | 000000000000001b : SYSTEM~1 |
+------------------------------------------------------------------------------------------------------------------+
| 6 | $BITMAP | False | 8 | Index Node Used : 2 |
+------------------------------------------------------------------------------------------------------------------+
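The FILE record header and resident attributes listed above, parsed from raw bytes. This is an added Python example and not NTFSTool code: it applies the update sequence array (the fixups whose offset and count appear in the header), reads the header fields the mft command prints, walks the resident $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes, and then scans a run of records for ones whose flags say "not in use", which is the search the undelete command in the Features section performs. The two records, their names and contents are constructed here; the record number 47 and the 42-byte file reuse values from the extract example only as sample data.

```python
# Added example, not NTFSTool code: parse an MFT FILE record (header, fixups,
# resident attributes) and list records marked "not in use". Both records
# are constructed below; layouts are the documented NTFS on-disk structures.
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR = 1024, 512
HEADER = struct.Struct("<4sHHQHHHHIIQHHI")     # 48-byte FILE record header
RES_ATTR = struct.Struct("<IIBBHHHIHBB")       # 24-byte resident attribute header
FILE_NAME = struct.Struct("<QQQQQQQIIBB")      # $FILE_NAME fixed part, name follows
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def ft_text(ft):
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")

def apply_fixups(raw):
    """Undo the update sequence array: on disk the last two bytes of each sector
    hold the USN and the real bytes sit in the array. A mismatch means a torn
    write or corruption, so it is reported rather than parsed through."""
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        end = SECTOR * i - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec, int.from_bytes(usn, "little")

def is_intact(raw):
    try:
        apply_fixups(raw)
        return True
    except ValueError:
        return False

def parse_file_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError(f"bad signature {raw[:4]!r} (BAAD or not a file record)")
    rec, usn = apply_fixups(raw)
    (_, _, _, lsn, seq, links, attr_off, flags, used, alloc, base,
     next_id, _, index) = HEADER.unpack_from(rec, 0)
    info = {"index": index, "sequence": seq, "lsn": lsn, "hardlinks": links,
            "in_use": bool(flags & 0x01), "directory": bool(flags & 0x02),
            "real_size": used, "allocated_size": alloc, "base_record": base,
            "next_attribute_id": next_id, "update_seq_number": usn, "attributes": []}
    off = attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break                                   # end-of-attributes marker
        entry = {"type": ATTR_NAMES.get(atype, f"0x{atype:x}"), "length": alen,
                 "non_resident": bool(rec[off + 8])}
        if not entry["non_resident"]:               # content lives inside the record
            csize, coff = struct.unpack_from("<IH", rec, off + 16)
            body = bytes(rec[off + coff:off + coff + csize])
            if atype == 0x10:
                c, m, r, a, dos = struct.unpack_from("<QQQQI", body, 0)
                entry.update(created=ft_text(c), written=ft_text(m),
                             record_changed=ft_text(r), accessed=ft_text(a), dos_flags=dos)
            elif atype == 0x30:
                parent, *_, real_sz, _f, _rp, nlen, _ns = FILE_NAME.unpack_from(body, 0)
                entry.update(parent_record=parent & 0xFFFFFFFFFFFF, real_size=real_sz,
                             name=body[66:66 + 2 * nlen].decode("utf-16-le"))
            elif atype == 0x80:
                entry["data"] = body
        info["attributes"].append(entry)
        off += alen
    return info

def deleted_candidates(mft_bytes):
    """(name, record index) for each record flagged not in use, as undelete does."""
    found = []
    for off in range(0, len(mft_bytes), RECORD_SIZE):
        raw = mft_bytes[off:off + RECORD_SIZE]
        if raw[:4] != b"FILE":
            continue                                # never-written slot
        info = parse_file_record(raw)
        names = [a["name"] for a in info["attributes"] if a["type"] == "$FILE_NAME"]
        if not info["in_use"] and names:
            found.append((names[0], info["index"]))
    return found

def resident(atype, attr_id, body):
    length = (RES_ATTR.size + len(body) + 7) & ~7
    hdr = RES_ATTR.pack(atype, length, 0, 0, RES_ATTR.size, 0, attr_id, len(body), RES_ATTR.size, 0, 0)
    return (hdr + body).ljust(length, b"\0")

def build_record(index, seq, in_use, name, data, created_unix, usn=4461):
    """Constructed record with $STANDARD_INFORMATION, $FILE_NAME and resident
    $DATA, fixups applied the way NTFS writes them (USA at 48, 3 entries)."""
    ft = (created_unix + 11644473600) * 10_000_000
    si = struct.pack("<QQQQIIII", ft, ft, ft, ft, 0x20, 0, 0, 0)
    fn = FILE_NAME.pack((5 << 48) | 5, ft, ft, ft, ft, 0, len(data), 0x20, 0, len(name), 3)
    body = (resident(0x10, 0, si) + resident(0x30, 1, fn + name.encode("utf-16-le"))
            + resident(0x80, 2, data) + b"\xff\xff\xff\xff")
    rec = bytearray(RECORD_SIZE)
    HEADER.pack_into(rec, 0, b"FILE", 48, 3, 274035114, seq, 1, 56, 0x01 if in_use else 0,
                     56 + len(body), RECORD_SIZE, 0, 3, 0, index)
    rec[56:56 + len(body)] = body
    rec[48:50] = usn.to_bytes(2, "little")
    for i in (1, 2):                                 # save sector ends, stamp the USN
        end = SECTOR * i - 2
        rec[48 + 2 * i:50 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = rec[48:50]
    return bytes(rec)

SAMPLE_MFT = (build_record(47, 5, True, "bob.txt", b"constructed 42-byte sample file content!!\n", 1582573343)
              + build_record(48, 2, False, "old-report.txt", b"leftover content of a deleted file\n", 1582573343))
TORN_RECORD = SAMPLE_MFT[:510] + b"\0\0" + SAMPLE_MFT[512:RECORD_SIZE]   # sector 0 end overwritten

if __name__ == "__main__":
    for key, value in parse_file_record(SAMPLE_MFT[:RECORD_SIZE]).items():
        print(f"{key:20}: {value}")
    print("deleted:", deleted_candidates(SAMPLE_MFT))
```

A record that fails the fixup check should be treated as unreliable evidence rather than skipped silently: the same mismatch is what a half-written record looks like after a crash, and also what a partially overwritten record looks like after its slot has been reused, which is the "part of the file already rewritten" case the Features section mentions.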

Btree

btree disk=0 volume=1 inode=5 (root folder)
B-tree index (inode:5) from \\.\PhysicalDrive3 > Volume:1
---------------------------------------------------------

Attributes:
-----------

+-------------------------------------------------------------------------------------------+
| Id | Type | Non-resident | Length | Overview |
+-------------------------------------------------------------------------------------------+
| 1 | $INDEX_ROOT | False | 56 | Attribute Type : Filename |
| | | | | Collation Rule : 1 |
| | | | | Index Alloc Entry Size : 4096 |
| | | | | Cluster/Index Record : 1 |
| | | | | ----- |
| | | | | First Entry Offset : 16 |
| | | | | Index Entries Size : 40 |
| | | | | Index Entries Allocated : 40 |
| | | | | Flags : Large Index |
+-------------------------------------------------------------------------------------------+
| 2 | $INDEX_ALLOCATION | True | 20480 | First VCN : 0x000000000000 |
| | | | | Last VCN : 0x000000000004 |
+-------------------------------------------------------------------------------------------+

$INDEX_ALLOCATION entries:
--------------------------

+--------------------------------------------------------------------------------------------+
| VCN | Raw address | Size | Entries |
+--------------------------------------------------------------------------------------------+
| 000000000000h | 000000024000h | 000000001000h | 000000000004: $AttrDef |
| | | | 000000000008: $BadClus |
| | | | 000000000006: $Bitmap |
....
| | | | 000000000009: $Secure |
| | | | 00000000000a: $UpCase |
| | | | 000000000003: $Volume |
+--------------------------------------------------------------------------------------------+
| 000000000001h | 000000025000h | 000000001000h | 000000000098: randomfile - Copie (5).accdb |
| | | | 000000000097: randomfile - Copie (5).bat |
| | | | 000000000095: randomfile - Copie (5).psd |
| | | | 000000000096: randomfile - Copie (5).txt |
| | | | 00000000009b: randomfile - Copie (6).accdb |
....
| | | | 000000000083: randomfile.accdb |
| | | | 000000000082: randomfile.bat |
| | | | 000000000084: randomfile.psd |
| | | | 000000000081: randomfile.txt |
| | | | 000000000024: System Volume Information |
+--------------------------------------------------------------------------------------------+
| 000000000002h | 0000007d6000h | 000000001000h | |
+--------------------------------------------------------------------------------------------+
| 000000000003h | 0000007d7000h | 000000001000h | 000000000005: . |
| | | | 000000000092: randomfile - Copie (4).txt |
+--------------------------------------------------------------------------------------------+
| 000000000004h | 0000007d8000h | 000000001000h | 000000000027: random folder |
| | | | 00000000008c: randomfile - Copie (2).accdb |
| | | | 00000000008b: randomfile - Copie (2).bat |
| | | | 000000000089: randomfile - Copie (2).psd |
....
| | | | 00000000008e: randomfile - Copie (3).txt |
| | | | 000000000094: randomfile - Copie (4).accdb |
| | | | 000000000093: randomfile - Copie (4).bat |
| | | | 000000000091: randomfile - Copie (4).psd |
+--------------------------------------------------------------------------------------------+

B-tree index:
-------------

Root
|- 000000000000:
|---- VCN: 3
|- 000000000005: .
|---- VCN: 0
|- 000000000004: $AttrDef
|- 000000000008: $BadClus
|- 000000000006: $Bitmap
....
|- 000000000009: $Secure
|- 00000000000a: $UpCase
|- 000000000003: $Volume
|- 000000000092: randomfile - Copie (4).txt
|---- VCN: 4
|- 000000000027: random folder
|- 00000000008c: randomfile - Copie (2).accdb
|- 00000000008b: randomfile - Copie (2).bat
|- 000000000089: randomfile - Copie (2).psd
....
|- 000000000094: randomfile - Copie (4).accdb
|- 000000000093: randomfile - Copie (4).bat
|- 000000000091: randomfile - Copie (4).psd
|- 000000000000 (*)
|---- VCN: 1
|- 000000000098: randomfile - Copie (5).accdb
|- 000000000097: randomfile - Copie (5).bat
|- 000000000095: randomfile - Copie (5).psd
....
|- 000000000084: randomfile.psd
|- 000000000081: randomfile.txt
|- 000000000024: System Volume Information

Bitlocker

bitlocker disk=3 volume=1
FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Volume Master Keys:
-------------------

+--------------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Details |
+--------------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | Nonce : 01d5ecbb00f7155000000003 |
| | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | Encrypted Key : b76281568419ec3bee89d1eddccf3169 |
| | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | 0788bd366bec117b11a9fd6e |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$daea96439babc5d1 |
| | | | e7f20c8860ff1ee9$1048576$12$5015 |
| | | | f700bbecd50103000000$60$175ec23c |
| | | | d799e2bde9d24bf3697919feb7628156 |
| | | | 8419ec3bee89d1eddccf316959c466b6 |
| | | | b392f40f0875e58168d868d70788bd36 |
| | | | 6bec117b11a9fd6e |
+--------------------------------------------------------------------------------------------------------------------+
| 2 | Recovery Password | {19b4a3e2-94b3-452f-a614-6212faeb1b9d} | Nonce : 01d5ecbb00f7155000000006 |
| | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | Encrypted Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | 6124ff46865e805367f7bef1 |
| | | | |
| | | | JtR Hash : $bitlocker$1$16$b9963d29e1bad1f4 |
| | | | 2e60c3bfb6e3bef5$1048576$12$5015 |
| | | | f700bbecd50106000000$60$3a06a06f |
| | | | db044d850ecd6faf5cf2aec997a43d40 |
| | | | c695c6d190eba3956ac7c7b1f5fdbbc7 |
| | | | f9a61a77c914fa347479c7ac6124ff46 |
| | | | 865e805367f7bef1 |
+--------------------------------------------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=badpassword
FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | badpassword | Invalid |
+--------------------------------------------------------------------------------+
bitlocker disk=3 volume=1 password=123456789
FVE Version : 2
State : ENCRYPTED
Size : 536870400 (512.00 MiBs)
Encrypted Size : 536870400 (512.00 MiBs)
Algorithm : AES-XTS-128
Timestamp : 2020-02-26 16:39:17

Tested Password:
----------------

+--------------------------------------------------------------------------------------------------------------+
| Id | Type | GUID | Password | Result |
+--------------------------------------------------------------------------------------------------------------+
| 1 | Password | {2dd368f3-37d7-414f-94e6-3c5b86fadd50} | 123456789 | Valid |
| | | | | |
| | | | | VMK : 751bf363db63ba6f1b36fb2ecd5ff1d8 |
| | | | | f5eab77e8754a848f2743978c7615f9f |
| | | | | FVEK : 35b8197e6d74d8521f49698d5f556589 |
| | | | | 2cf286ae5323c65631965c905a9d7da4 |
+--------------------------------------------------------------------------------------------------------------+

Bitdecrypt

bitdecrypt disk=3 volume=1 output=decrypted.img fvek=35b8197e6d74d8521f49698d5f5565892cf286ae5323c65631965c905a9d7da4
[+] Opening \\?\Volume{09a02598-0000-0000-0002-000000000000}
[+] Reading Bitlocker VBR
[-] Volume State : ENCRYPTED
[-] Size : 536870400 (512.00 MiBs)
[-] Encrypted Size : 536870400 (512.00 MiBs)
[-] Algorithm : AES-XTS-128
[+] Decrypting sectors
[-] Processed data size : 512.00 MiBs (100%)
[+] Duration : 7535ms
[+] Closing Volume

EFS-backup

efs.backup disk=0 volume=4 password=123456
Backup certificates and keys from \\.\PhysicalDrive0 > Volume:4
---------------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories
8 directories found
[+] Searching for certificates
- 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B
[+] Finding corresponding private keys
- 5f2870d8a6f1ef6487be2e1aee746fb5_bbc401c6-854a-4d12-9b65-8d52ca66cb6a
[+] Finding corresponding masterkeys
- 9ac19509-54d3-48bc-8c67-4cfb01d73498
[+] Exporting 1 certificates and keys (pass: backup)
- ef456e5b-43e4-4eda-a80b-e234611306d4 : Ok
Exported to 8BB98DE9ED4DBDD09AA1FF467ED71F0F28ACF61B.pfx

EFS-certificate

efs.certificate disk=0 volume=4
List certificates from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories
8 directories found
[+] Searching for certificates
8 certificate(s) found
[+] Certificates
+-----------------------------------------------------------------------------------------------------------------------------------+
| Id | User | File | Certificate |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 0 | Bobby | Name : 02728B6DF5573C5955A4DFF22319441C889C367B | Friendly Name : APNS certificate Direct |
| | | Record : 00000001d2d5h | |
| | | Size : 850.00 bytes | |
| | | | |
| | | Creation : 2019-05-11 15:59:29 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 1 | Bobby | Name : 14BB7663C51C77FF5CAD89B4DC34495864338C67 | Friendly Name : APNS certificate |
| | | Record : 00000000b5a4h | |
| | | Size : 824.00 bytes | |
| | | | |
| | | Creation : 2021-03-03 18:02:33 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bobby | Name : 564481148D4DBDD09AA1FF467ED71F0F28ACF61B | Container : ef456e5b-36e4-4eda-a80b-e234611306d4 |
| | | Record : 00000000ab23h | Provider : Microsoft Enhanced Cryptographic Provider v1.0 |
| | | Size : 1.15 KiB | Type : PROV_RSA_FULL |
| | | | KeySpec : AT_KEYEXCHANGE |
| | | Creation : 2020-08-17 13:20:03 | |
+-----------------------------------------------------------------------------------------------------------------------------------+
..........
efs.certificate disk=0 volume=4 inode=0xb5a4
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading certificate file record: 46500
[+] Certificate
+----------------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------------------------------------------------------------------------+
| 0 | File | Creation : 2021-03-03 18:02:33 |
| | | Size : 824.00 bytes |
+----------------------------------------------------------------------------------------------------------------------------+
| 1 | CERT_SHA1_HASH_PROP_ID | 14A67663C51C66FF5CAD89B4DC34495864338C67 |
+----------------------------------------------------------------------------------------------------------------------------+
| 2 | CERT_FRIENDLY_NAME_PROP_ID | APNS certificate |
+----------------------------------------------------------------------------------------------------------------------------+
| 3 | CERT_KEY_IDENTIFIER_PROP_ID | 82B87AE4F2251242252A2644D98169F34F909CA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 4 | CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID | DB532C4794A15E5D0392C7C605FCBCA8 |
+----------------------------------------------------------------------------------------------------------------------------+
| 5 | CERT_CERTIFICATE_FILE | Data: |
| | | Version: 3 (0x2) |
| | | Serial Number: |
| | | 01:20:cb:ab:28:8a:97:ee:99:cc |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | Issuer: C=US, O=Apple Inc., OU=Apple iPhone, CN=Apple iPhone Device CA |
| | | Validity |
| | | Not Before: Mar 3 15:57:33 2021 GMT |
| | | Not After : Mar 3 16:02:33 2022 GMT |
| | | Subject: CN=1A6032AA-91A2-4B1D-B6AF-5509FC173686 |
| | | Subject Public Key Info: |
| | | Public Key Algorithm: rsaEncryption |
| | | RSA Public-Key: (1024 bit) |
| | | Modulus: |
| | | 00:a2:75:db:69:8d:c9:b3:fd:96:4d:28:b9:43:94: |
| | | db:7d:73:53:88:c9:79:e9:fa:de:e4:12:14:2c:de: |
...
| | | a7:6b:d0:01:9e:dc:66:27:ef:2e:20:7e:e5:2a:42: |
| | | 9e:6f:85:9c:b6:8f:be:d3:05 |
| | | Exponent: 65537 (0x10001) |
| | | X509v3 extensions: |
| | | X509v3 Authority Key Identifier: |
| | | keyid:B2:FE:21:23:44:86:95:6A:79:D5:81:26:8E:73:10:D |
| | | 8:A7:4C:8E:74 |
| | | X509v3 Subject Key Identifier: |
| | | 82:B8:7A:E4:F2:25:12:42:25:2A:26:44:D9:81:69:F3:4F:9 |
| | | 0:9C:A8 |
| | | X509v3 Basic Constraints: critical |
| | | CA:FALSE |
| | | X509v3 Key Usage: critical |
| | | Digital Signature, Key Encipherment |
| | | X509v3 Extended Key Usage: critical |
| | | TLS Web Server Authentication, TLS Web Client Authen |
| | | tication |
| | | 1.2.840.113635.100.6.10.6: |
| | | .. |
| | | Signature Algorithm: sha1WithRSAEncryption |
| | | 28:54:6c:d9:4e:97:f5:dd:1f:79:4a:6a:74:42:ad:6e:a1:11: |
...
| | | 27:58:3b:d5:1e:c3:71:af:6b:bd:fe:5d:ad:4d:bd:82:fa:53: |
| | | ff:0c |
+----------------------------------------------------------------------------------------------------------------------------+
efs.certificate disk=0 volume=4 inode=0xb5a4 output=mycert format=pem
Display certificate from \\.\PhysicalDrive0 > Volume:4
------------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading certificate file record: 46500
[+] Certificate exported to mycert.pem

EFS-key

efs.key disk=0 volume=4
List keys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories:
8 directories found
[+] Searching for keys
9713 key(s) found
[+] Keys
+------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Name | Creation Date |
+------------------------------------------------------------------------------------------------------------------+
| 0 | User1 | Name : 0004f7ed30db...017ee8d52ca6 | {15676EB3-D258-410F-85CB-9AB29E642CB3} | 2021-05-19 14:10:15 |
| | | Record : 0000000246c5h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 1 | User1 | Name : 0016875547ba...f7a9606b4177 | {BA4B66DC-8C1D-4FDF-A1EF-78B64411D1AD} | 2020-02-03 19:37:39 |
| | | Record : 000000019f19h | | |
| | | Size : 4.00 KiBs | | |
+------------------------------------------------------------------------------------------------------------------+
| 2 | User1 | Name : 002a02ec680e...9a0a8d52ca67 | {3A3E1CF2-5AC2-4717-8006-D7C0F2936435} | 2019-06-26 15:50:50 |
..........
efs.key disk=0 volume=4 inode=742107

Display key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading key file record: 742107
[+] Key
+------------------------------------------------------------------------------------------------------------------+
| Id | Property | Value |
+------------------------------------------------------------------------------------------------------------------+
| 0 | Record | Creation : 2021-09-23 22:16:43 |
| | | Size : 4.00 KiBs |
+------------------------------------------------------------------------------------------------------------------+
| 1 | Version | 0 |
+------------------------------------------------------------------------------------------------------------------+
| 2 | Name | ef456e5b-43e4-4eda-a80b-e234611306d4 |
+------------------------------------------------------------------------------------------------------------------+
| 3 | Flags | 00000000h |
+------------------------------------------------------------------------------------------------------------------+
| 4 | PublicKey | Magic : 31415352h (RSA1) |
| | | Size : 2048 |
| | | Exponent : 65537 |
| | | |
| | | Permissions : CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
...
| | | |
| | | Modulus : 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+------------------------------------------------------------------------------------------------------------------+
| 5 | Encrypted PrivateKey | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Clé privée CryptoAPI |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : ABABD5324CCE0254BC726C3BF5A777D38BC4D75CACC2360EF3276EB4DC42FF6A |
| | | |
| | | HMAC : - |
| | | HMAC2 : D24F0B0AF684AE986F1328EAAFC01DA346D2BADE2B84CBE3C94CCB338D449EA6 |
| | | |
| | | Encrypted Data : D7DAD9229C91DBC9608852A4411527D7 |
| | | 58DB27E19596DD118F2D70F68CC7913C |
...
| | | 7870F6C68DA1B9139BF6E39725F4E72E |
| | | 4EC435C947F127CA3E333CB5E2F43978 |
| | | |
| | | Signature Data : 6077C027E6714A81C2710C5D334758F9AD463117DA4CBA8D0D05B5845A662E8F |
| | | 5E38DCCAB05DA5DD6C8328F5CF925F378F229790D30A2BCC91D5E3370AE50FED |
+------------------------------------------------------------------------------------------------------------------+
| 6 | Hash | 0000000000000000000000000000000000000000 |
+------------------------------------------------------------------------------------------------------------------+
| 7 | ExportFlag | Version : 1 |
| | | Provider GUID : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} |
| | | MasterKey Version : 1 |
| | | MasterKey GUID : {9ac19509-54d3-48bc-8c67-4cfb01d73498} |
| | | |
| | | Description : Export Flag |
| | | Flags : 00000000h |
| | | |
| | | Encryption Alg : CALG_AES_256 |
| | | Hash Alg : CALG_SHA_512 |
| | | |
| | | Salt : 772935C3582F625367716CE87D9626A524F15B9B7FF07166BB2C704B1223CB06 |
| | | |
| | | HMAC : - |
| | | HMAC2 : 3BCA74ED2C83767F06D9FF907817FE85FBA65FDB72A94E9D8F2C7CF1D8E7DCA2 |
| | | |
| | | Encrypted Data : 875A6429226F11DFD3690D43BE633287 |
| | | |
| | | Signature Data : FD97F69A214C37D0DA968B5AA18EE7C80D475F72F650C8DCAE887C97E850DCD6 |
| | | 9FA17D397A2375E362DE6F17193E3D084C06B0DCDB38E6C746150C1056145178 |
+------------------------------------------------------------------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34fac126105ce30…178c5bff4979eb
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Clear key (2048bits):
+----------------------------------------------------------+
| Id | Property | Value |
+----------------------------------------------------------+
| 0 | Magic | RSA2 |
+----------------------------------------------------------+
| 1 | Bitsize | 2048 |
+----------------------------------------------------------+
| 2 | Permissions | CRYPT_ENCRYPT |
| | | CRYPT_DECRYPT |
| | | CRYPT_EXPORT |
| | | CRYPT_READ |
| | | CRYPT_WRITE |
| | | CRYPT_MAC |
| | | CRYPT_EXPORT_KEY |
| | | CRYPT_IMPORT_KEY |
+----------------------------------------------------------+
| 3 | Exponent | 65537 |
+----------------------------------------------------------+
| 4 | Modulus | 96883F07FF78DA8354D037A94F897BD7 |
...
| | | FA77A3D04DD10D044761E65355B335B5 |
+----------------------------------------------------------+
| 5 | Prime1 | C02F585644ED6326FF82368B0AD9ECD4 |
...
| | | 65F7DE6D173FEBEF95BE491FB222E07B |
+----------------------------------------------------------+
| 6 | Prime2 | C884376BBC50C2A14C495894FBF980DE |
...
| | | 6759E812B6385B9151EBED8DCD65238F |
+----------------------------------------------------------+
| 7 | Exponent1 | 0E33B17876918051427271EB667AE238 |
...
| | | 69349EF83ACE9B75D20004D155CDA3FF |
+----------------------------------------------------------+
| 8 | Exponent2 | 5BF265077E1EFA60C47E8DA423B751A4 |
...
| | | E7008F2EA5684A74E4BFEEFAAB48C979 |
+----------------------------------------------------------+
| 9 | Coefficient | 7D68AA3844F096959C23BD59E4BE3147 |
...
| | | 592ABC1BEDEBA6F5B4BDE3D0F9BEF7C5 |
+----------------------------------------------------------+
| 10 | Private Exponent | 2462A061AD85A7C3B0DF7764CC5DDDFA |
| | | 40D83B3FBF0D9D016C419E6B6744AD73 |
...
| | | 47685BDEB0FABDC21AF5CABBA13D138D |
| | | F39FC063F1F20323E3220229E29FA42D |
+----------------------------------------------------------+
efs.key disk=0 volume=4 inode=742107 masterkey=34…eb output=mykey format=pem
Decrypt key from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading key file record: 742107
[-] Key
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Salt : ABABD5324CCE0254BC726C33F5A777D38BC4D75CACC2360EF3276EB4DC42FF6A
[+] Decrypting key
[+] Public key exported to mykey.pub.pem.
[+] Private key exported to mykey.priv.pem.

EFS-masterkey

efs.masterkey disk=0 volume=4
List masterkeys from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Listing user directories
8 directories found
[+] Searching for keys
19 key(s), 2 preferred file(s) found
[+] MasterKeys
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| Id | User | Keyfile | Key(s) | Creation Date |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 0 | DefaultAppPool | Name : e4ed144f-6522-4471-8893-a6e29e175ba6 | MasterKey | 2021-08-17 14:54:41 |
| | | Record : 000000031848h | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : FA737C82899CC3F61A3B332B15FDC241 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
| | | | Version : 2 | |
| | | | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : DF0651C903763132BC3043BF144A7DDD | |
| | | | Rounds : 8000 | |
| | | | CredHist | |
| | | | Version : 3 | |
| | | | GUID : {00000000-0000-0000-0000-000000000000} | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | DefaultAppPool | Name : Preferred | Preferred | 2021-08-17 14:54:41 |
| | | Record : 00000003184ah | GUID : {e4ed144f-6522-4471-8893-a6e29e175ba6} | |
| | | Size : 24.00 bytes | Renew : 2021-11-15 12:54:41 | |
+--------------------------------------------------------------------------------------------------------------------------------------------------+
| 2 | Bob | Name : 26bd8b3d-e87f-4df3-a1af-18f434788090 | MasterKey | 2021-03-05 01:16:42 |
| | | Record : 000000004f4ah | Version : 2 | |
| | | Size : 468.00 bytes | Algo : CALG_SHA_512 - CALG_AES_256 | |
| | | | Salt : 39B575D1816DE8224B9E11C38E35EB34 | |
| | | | Rounds : 8000 | |
| | | | BackupKey | |
..........
efs.masterkey disk=0 volume=4 inode=0x80544
Display masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading masterkey file record: 525636
[+] MasterKey
+--------------------------------------------------------------------+
| Id | Property | Value |
+--------------------------------------------------------------------+
| 0 | Record | Creation : 2020-07-06 05:56:06 |
| | | Size : 468.00 bytes |
+--------------------------------------------------------------------+
| 1 | Version | 2 |
+--------------------------------------------------------------------+
| 2 | GUID | 9ac19509-54d3-48bc-8c67-4cfb01d73498 |
+--------------------------------------------------------------------+
| 3 | Protection | 00000005h |
+--------------------------------------------------------------------+
| 4 | MasterKey | Version : 2 |
| | | Salt : 3ED4CDBCC4073D6724A512061D0597E1 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : 3610946FE1A7B9099D0AFA7658325014 |
| | | 296D1F0E5BA93249858BE3ACCC8FD7A8 |
| | | F62DB6808833FC303095C6588BDE3826 |
| | | 80ABF391222CD77661BCCB637DDAC490 |
| | | B5FC02C854EF45490EE10851EF524DE2 |
| | | 85DD508F905216D528D3DC3336830FF9 |
| | | 690472730A03D64CF892E06B9AA35692 |
| | | AB7679E908D487119030B73CB87E6F9F |
| | | 731F65609CB8ACA972BCC9042B27B9B4 |
+--------------------------------------------------------------------+
| 5 | BackupKey | Version : 2 |
| | | Salt : B60E21F9578D02A97964D7B10151BE69 |
| | | Rounds : 8000 |
| | | Hash Alg : CALG_SHA_512 |
| | | Enc Alg : CALG_AES_256 |
| | | Enc Key : CD5D3684873D6A1D66520FB1642779E1 |
| | | D78A649F02DDFE7C069F9B5F8FF9F005 |
| | | 7DC01E0A6AA9A815C8887BC1BF5B88E6 |
| | | E797DC5F4A3A0535B3217BADC7FAD38E |
| | | 798C1846423C8631DE472D790B308B2D |
| | | F15340B87FCD55A98DAEE92196235CF9 |
| | | B328FAF475C05A911DF19C99D54D5A3C |
+--------------------------------------------------------------------+
| 6 | CredHist | Version : 3 |
| | | GUID : {20e0b482-797f-429e-b4a0-30020731ef0a} |
+--------------------------------------------------------------------+
efs.masterkey disk=0 volume=4 inode=0x80544 sid="S-1-5-21-1521398…3175218-1001" password="ntfst00l"
Decrypt masterkey from \\.\PhysicalDrive0 > Volume:4
----------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading masterkey file record: 525636
[-] Masterkey
Encryption Algorithm : CALG_AES_256
Hash Algorithm : CALG_SHA_512
Rounds : 8000
Salt : 3ED4CDBCC4073D6724A512061D0597E1
[+] Decrypting masterkey
[+] Clear masterkey (256bits):
34FAC126105CE302421A0FC7E3933FEC5639AA6BFF95000E6DA83AE67522EAB6
0AF58A27D834883B65611878B258AAAECD8983E3718E00F276178C5BFF4979EB

FVE

fve disk=3 volume=1 fve_block=2
Signature : -FVE-FS-
Size : 57
Version : 2
Current State : ENCRYPTED (4)
Next State : ENCRYPTED (4)
Encrypted Size : 536870400 (512.00 MiBs)
Convert Size : 0
Backup Sectors : 16
FVE Block 1 : 0000000002100000
FVE Block 2 : 00000000059e4000
FVE Block 3 : 00000000092c8000
Backup Sectors Offset : 0000000002110000

FVE Metadata Header
-------------------

Size : 840
Version : 1
Header Size : 48
Copy Size : 840
Volume GUID : {70a57ea3-9b98-4034-8b6a-645f731e2d1e}
Next Counter : 10
Algorithm : AES-XTS-128 (8004)
Timestamp : 2020-02-26 16:39:17

FVE Metadata Entries (5)
------------------------

+----------------------------------------------------------------------------------------------------------------+
| Id | Version | Size | Entry Type | Value Type | Value |
+----------------------------------------------------------------------------------------------------------------+
| 1 | 1 | 72 | Drive Label | Unicode | String : TWN NTFSDRIVE 26/02/2020 |
+----------------------------------------------------------------------------------------------------------------+
| 2 | 1 | 224 | VMK | VMK | Key ID : add50 |
| | | | | | Last Change : 2020-02-26 16:40:00 |
| | | | | | Protection : Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 108 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : daea96439babc5d1e7f20c8860ff1ee9 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000002 |
| | | | | | MAC : 1dfebdc79a966e72ca806d6a83d8c7ba |
| | | | | | Key : eb51a188df981b54f51698c76d76a8bb |
| | | | | | d22afbbe27603ea6afc34c077726262e |
| | | | | | 5ba07482053d3c36fdecf80f |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000003 |
| | | | | | MAC : 175ec23cd799e2bde9d24bf3697919fe |
| | | | | | Key : b76281568419ec3bee89d1eddccf3169 |
| | | | | | 59c466b6b392f40f0875e58168d868d7 |
| | | | | | 0788bd366bec117b11a9fd6e |
+----------------------------------------------------------------------------------------------------------------+
| 3 | 1 | 316 | VMK | VMK | Key ID : |
| | | | | | Last Change : 2020-02-26 16:40:07 |
| | | | | | Protection : Recovery Password |
| | | | | | |
| | | | | | Property #1 - Stretch Key - 172 |
| | | | | | -------- |
| | | | | | Encryption : STRETCH KEY |
| | | | | | MAC : b9963d29e1bad1f42e60c3bfb6e3bef5 |
| | | | | | |
| | | | | | Property #1.1 - AES-CCM - 64 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000004 |
| | | | | | MAC : 8064d679c7d8d1fa8ae548b0844882c7 |
| | | | | | Key : 18d21021d40e3dc99d38c8dd84faed10 |
| | | | | | 370c32095f4f63261ad8ec40 |
| | | | | | |
| | | | | | Property #1.2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000005 |
| | | | | | MAC : 3d40f2b5fc0091b894b438763fcdf4cd |
| | | | | | Key : a0af0aeda32d977d26ac76f9fc429668 |
| | | | | | 955d2a6a49fe4e2323751924e47e6c39 |
| | | | | | 8c22f7fcd2d4272003cb7a4e |
| | | | | | |
| | | | | | Property #2 - AES-CCM - 80 |
| | | | | | -------- |
| | | | | | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000006 |
| | | | | | MAC : 3a06a06fdb044d850ecd6faf5cf2aec9 |
| | | | | | Key : 97a43d40c695c6d190eba3956ac7c7b1 |
| | | | | | f5fdbbc7f9a61a77c914fa347479c7ac |
| | | | | | 6124ff46865e805367f7bef1 |
| | | | | | |
| | | | | | Property #3 - Unknown (00000015) - 28 |
| | | | | | -------- |
| | | | | | Unknown Value Type (21) |
+----------------------------------------------------------------------------------------------------------------+
| 4 | 1 | 80 | FVEK | AES-CCM | Nonce as Hex : 01d5ecbb00f71550 |
| | | | | | Nonce as Time : 2020-02-26 16:39:59 |
| | | | | | Nonce Counter : 00000008 |
| | | | | | MAC : 2ff7d7f79920e3509fb8d20cb15b62c8 |
| | | | | | Key : 097169b9a5c41420ed2353a4a4210763 |
| | | | | | a8833d1a4a88c6f7c0c45ec7c0959f25 |
| | | | | | 2c8eac3f306e9fd1e693784a |
+----------------------------------------------------------------------------------------------------------------+
| 5 | 1 | 100 | Volume Header Block | Offset and Size | Offset : 0000000002110000 |
| | | | | | Size : 0000000000002000 |
+----------------------------------------------------------------------------------------------------------------+
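The fve listing above is a straight dump of three on-disk structures: the 64-byte FVE metadata block header (signature `-FVE-FS-`, states, the three metadata block offsets), the 48-byte metadata header (volume GUID, nonce counter, encryption method, FILETIME) and a back-to-back list of entries whose 8-byte header carries size, entry type, value type and version. The parser below, added here as an illustration and not NTFSTool's own code, walks a constructed block with those same header values. Layouts follow the public libbde/dislocker documentation of the BDE format; the name tables are a subset of the documented values and the assumption that the metadata `Size` field covers header plus entries is mine. Timestamps are rendered in UTC, so the nonce `01d5ecbb00f71550` decodes to 15:39:59, one hour earlier than the local-time value printed above.

```python
"""Parse a BitLocker FVE metadata block: block header, metadata header, entry list.
Added example (not NTFSTool code). Sample block is constructed, not captured."""
import struct
import uuid
from datetime import datetime, timedelta

_EPOCH = datetime(1601, 1, 1)
BLOCK_HDR = struct.Struct("<8sHHHHQIIQQQQ")   # 64-byte FVE metadata block header (version 2 layout)
META_HDR = struct.Struct("<IIII16sIIQ")       # 48-byte FVE metadata header
ENTRY_HDR = struct.Struct("<HHHH")            # entry size, entry type, value type, version

# Name tables: subset of the values documented by libbde/dislocker (assumption, not NTFSTool's tables).
STATES = {1: "DECRYPTED", 2: "DECRYPTION IN PROGRESS", 3: "ENCRYPTION IN PROGRESS", 4: "ENCRYPTED", 5: "PAUSED"}
ALGORITHMS = {0x8000: "AES-CBC-128 + diffuser", 0x8001: "AES-CBC-256 + diffuser", 0x8002: "AES-CBC-128",
              0x8003: "AES-CBC-256", 0x8004: "AES-XTS-128", 0x8005: "AES-XTS-256"}
ENTRY_TYPES = {0x0000: "Property", 0x0002: "VMK", 0x0003: "FVEK", 0x0004: "Validation",
               0x0006: "Startup Key", 0x0007: "Drive Label", 0x000f: "Volume Header Block"}
VALUE_TYPES = {0x0001: "Key", 0x0002: "Unicode", 0x0003: "Stretch Key", 0x0004: "Use Key",
               0x0005: "AES-CCM", 0x0008: "VMK", 0x0009: "External Key", 0x000f: "Offset and Size"}
PROTECTION = {0x0000: "Clear Key", 0x0100: "TPM", 0x0200: "Startup Key", 0x0500: "TPM + PIN",
              0x0800: "Recovery Password", 0x2000: "Password"}


def filetime_to_str(ft):
    """FILETIME (100 ns ticks since 1601-01-01) to a UTC timestamp string."""
    return (_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def parse_block_header(buf):
    (sig, size, ver, cur, nxt, enc_size, conv, hdr_sectors,
     b1, b2, b3, vh_off) = BLOCK_HDR.unpack_from(buf, 0)
    if sig != b"-FVE-FS-":
        raise ValueError("not an FVE metadata block")
    return {"Size": size, "Version": ver,
            "Current State": STATES.get(cur, f"UNKNOWN ({cur})"),
            "Next State": STATES.get(nxt, f"UNKNOWN ({nxt})"),
            "Encrypted Size": enc_size, "Convert Size": conv, "Backup Sectors": hdr_sectors,
            "FVE Blocks": (b1, b2, b3), "Backup Sectors Offset": vh_off}


def parse_metadata_header(buf, off):
    size, ver, hdr_size, copy_size, guid, counter, algo, ts = META_HDR.unpack_from(buf, off)
    return {"Size": size, "Version": ver, "Header Size": hdr_size, "Copy Size": copy_size,
            "Volume GUID": str(uuid.UUID(bytes_le=guid)), "Next Counter": counter,
            "Algorithm": ALGORITHMS.get(algo, f"UNKNOWN ({algo:04x})"), "Timestamp": filetime_to_str(ts)}


def decode_value(vtype, data):
    if vtype == 0x0002:   # UTF-16LE string, NUL terminated
        return data.decode("utf-16-le").rstrip("\0")
    if vtype == 0x0005:   # AES-CCM: nonce = 8-byte FILETIME + 4-byte counter, then 16-byte MAC, then ciphertext
        ts, counter = struct.unpack_from("<QI", data, 0)
        return {"Nonce as Hex": f"{ts:016x}", "Nonce as Time": filetime_to_str(ts),
                "Nonce Counter": f"{counter:08x}", "MAC": data[12:28].hex(), "Key": data[28:].hex()}
    if vtype == 0x0008:   # VMK: key id GUID, last-change FILETIME, 2 unknown bytes, protection type, nested entries
        key_id, ts, _, prot = struct.unpack_from("<16sQHH", data, 0)
        return {"Key ID": str(uuid.UUID(bytes_le=key_id)), "Last Change": filetime_to_str(ts),
                "Protection": PROTECTION.get(prot, f"Unknown ({prot:04x})"),
                "Properties": parse_entries(data, 28, len(data))}
    if vtype == 0x000f:   # offset and size of the backed-up volume header
        offset, size = struct.unpack_from("<QQ", data, 0)
        return {"Offset": f"{offset:016x}", "Size": f"{size:016x}"}
    return data.hex()


def parse_entries(buf, off, end):
    """Entries are laid out back to back; the size field includes the 8-byte header."""
    entries = []
    while off + ENTRY_HDR.size <= end:
        size, etype, vtype, ver = ENTRY_HDR.unpack_from(buf, off)
        if size < ENTRY_HDR.size or off + size > end:
            raise ValueError(f"bad entry size {size} at offset {off}")
        data = buf[off + ENTRY_HDR.size:off + size]
        entries.append({"Size": size, "Version": ver,
                        "Entry Type": ENTRY_TYPES.get(etype, f"Unknown ({etype:08x})"),
                        "Value Type": VALUE_TYPES.get(vtype, f"Unknown ({vtype})"),
                        "Value": decode_value(vtype, data)})
        off += size
    return entries


def parse_fve_block(buf):
    hdr = parse_block_header(buf)
    meta = parse_metadata_header(buf, BLOCK_HDR.size)
    start = BLOCK_HDR.size + meta["Header Size"]
    return hdr, meta, parse_entries(buf, start, BLOCK_HDR.size + meta["Size"])


def _entry(etype, vtype, data):
    return ENTRY_HDR.pack(ENTRY_HDR.size + len(data), etype, vtype, 1) + data


def build_sample_block():
    """Constructed FVE block (not captured from a real volume): label, password-protected VMK,
    FVEK and volume-header pointer, using the header values from the fve listing above."""
    nonce_ts = 0x01d5ecbb00f71550                        # the FILETIME nonce shown above
    def ccm(counter):                                    # zeroed MAC and ciphertext placeholders
        return struct.pack("<QI", nonce_ts, counter) + bytes(16) + bytes(44)
    vmk = _entry(0x0002, 0x0008, bytes(16) + struct.pack("<QHH", nonce_ts, 0, 0x2000) + _entry(0, 0x0005, ccm(3)))
    entries = (_entry(0x0007, 0x0002, "TEST NTFSDRIVE\0".encode("utf-16-le")) + vmk
               + _entry(0x0003, 0x0005, ccm(8)) + _entry(0x000f, 0x000f, struct.pack("<QQ", 0x2110000, 0x2000)))
    meta_size = META_HDR.size + len(entries)             # assumption: Size covers header + entries
    meta = META_HDR.pack(meta_size, 1, META_HDR.size, meta_size,
                         uuid.UUID("70a57ea3-9b98-4034-8b6a-645f731e2d1e").bytes_le, 10, 0x8004, nonce_ts)
    block = BLOCK_HDR.pack(b"-FVE-FS-", BLOCK_HDR.size, 2, 4, 4, 536870400, 0, 16,
                           0x2100000, 0x59e4000, 0x92c8000, 0x2110000)
    return block + meta + entries


if __name__ == "__main__":
    for part in parse_fve_block(build_sample_block()):
        print(part)
```

The AES-CCM values are left undecrypted on purpose: the FVEK entry is encrypted with the VMK, and the VMK with the stretched password or recovery key, which is the chain the tool walks when you hand it a password or BEK file.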

reparse

reparse disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] Reading $Extend\$Reparse
[+] 104 entries found
+----------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Filename | Type | Target/Data |
+----------------------------------------------------------------------------------------------------------------+
| 0 | 00000eb3 | debian.exe | AppExecLink | TheDebianProject.DebianGNULinux_76v4gfsz19hv4 |
| | | | | |
| | | | | TheDebianProject.DebianGNULinux_76v4gfsz19hv4!debian |
| | | | | |
| | | | | C:\Program Files\WindowsApps\TheDebianProject.DebianGNULinux_1.2.0.0_x64__76v4gfsz19hv4\debian.exe |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 13 | 000007f9 | BaseLayer | Mount Point | \??\Volume 00-010000000000 |
+----------------------------------------------------------------------------------------------------------------+
| 14 | 00013e24 | Watchdog | Mount Point | \??\C:\Program Files\NVIDIA Corporation\NvContainer\Watchdog |
+----------------------------------------------------------------------------------------------------------------+
...
+----------------------------------------------------------------------------------------------------------------+
| 102 | 00035861 | C2R64.dll | Symbolic Link | \??\C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2R64.dll |
+----------------------------------------------------------------------------------------------------------------+
| 103 | 000986b0 | All Users | Symbolic Link | \??\C:\ProgramData |
+----------------------------------------------------------------------------------------------------------------+

logfile

logfile disk=4 volume=1 output=logfile.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}
[+] Reading $LogFile record
[-] $LogFile size : 4.14 MiBs
[+] Parsing $LogFile Restart Pages
[-] Newest Restart Page LSN : 5274485
[-] Volume marked as cleanly unmounted
[-] Client found : [1] NTFS
[+] Parsing $LogFile Record Pages
[-] $LogFile Record Page Count: 86
[+] Parsing $LogFile Records: 601
[+] Closing volume
Content of logfile.csv
LSN,ClientPreviousLSN,UndoNextLSN,ClientID,RecordType,TransactionID,RedoOperation,UndoOperation,MFTClusterIndex,TargetVCN,TargetLCN
5269000,5268967,5268967,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269019,5269000,5269000,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269044,5269019,5269019,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269063,5269044,5269044,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269082,5269063,5269063,0,1,24,UpdateNonresidentValue,Noop,0,0,37594
5269103,5269082,5269082,0,1,24,SetNewAttributeSizes,SetNewAttributeSizes,2,10,43700
5269122,5269103,0,0,1,24,ForgetTransaction,CompensationLogRecord,0,0,18446744073709551615
5269133,0,0,0,1,24,UpdateResidentValue,UpdateResidentValue,2,13,43703

usn

usn disk=4 volume=1 output=usn.csv format=csv
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}
[+] Finding $Extend\$UsnJrnl record
[+] Found in file record : 41
[+] Data stream $J size : 2.66 KiBs
[+] Reading $J
[+] Processing entry : 32
[+] Closing volume
Content of usn.csv
MajorVersion,MinorVersion,FileReferenceNumber,FileReferenceSequenceNumber,ParentFileReferenceNumber,ParentFileReferenceSequenceNumber,Usn,Timestamp,Reason,SourceInfo,SecurityId,FileAttributes,Filename
2,0,53,4,5,5,0,2020-02-26 21:43:36,FILE_CREATE,0,0,DIRECTORY,Nouveau file
2,0,53,4,5,5,96,2020-02-26 21:43:36,FILE_CREATE+CLOSE,0,0,DIRECTORY,Nouveau file
2,0,53,4,5,5,192,2020-02-26 21:43:38,RENAME_OLD_NAME,0,0,DIRECTORY,Nouveau file
2,0,53,4,5,5,288,2020-02-26 21:43:38,RENAME_NEW_NAME,0,0,DIRECTORY,test
2,0,53,4,5,5,360,2020-02-26 21:43:38,RENAME_NEW_NAME+CLOSE,0,0,DIRECTORY,test
2,0,53,4,5,5,432,2020-02-26 21:43:39,OBJECT_ID_CHANGE,0,0,DIRECTORY,test
2,0,53,4,5,5,504,2020-02-26 21:43:39,OBJECT_ID_CHANGE+CLOSE,0,0,DIRECTORY,test
2,0,54,2,53,4,576,2020-02-26 21:43:41,FILE_CREATE,0,0,ARCHIVE,Nouveau file texte.txt
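Each usn.csv row above is one USN_RECORD_V2 from the `$Extend\$UsnJrnl:$J` stream: a 60-byte header (record length, version, 64-bit file and parent references, USN, FILETIME, reason and attribute flags, name length and offset) followed by the UTF-16LE filename, padded to 8 bytes. The `Usn` column is simply the record's byte offset in `$J`, which is why consecutive records step by 96, 96, 96 and 72 (the length of each preceding record), and the two reference columns come from splitting the 64-bit reference into its low 48-bit MFT index and high 16-bit sequence number. The parser below, added here as an illustration rather than NTFSTool's code, rebuilds those columns from raw record bytes; the sample `$J` buffer is constructed with `make_record()` to mirror the directory create/rename sequence above and the reason/attribute tables are a subset of the Microsoft-documented flags.

```python
"""Parse raw USN_RECORD_V2 entries into the usn.csv fields NTFSTool prints.
Added example (not NTFSTool code); SAMPLE_J is constructed, not captured."""
import struct
from datetime import datetime, timedelta

# USN_RECORD_V2 fixed header, 60 bytes little-endian, as documented by Microsoft.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_EPOCH = datetime(1601, 1, 1)

REASONS = {  # USN_REASON_* flags (subset covering the rows above)
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE", 0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x80000000: "CLOSE",
}
ATTRS = {0x01: "READONLY", 0x02: "HIDDEN", 0x04: "SYSTEM", 0x10: "DIRECTORY", 0x20: "ARCHIVE"}


def filetime_to_str(ft):
    """FILETIME (100 ns ticks since 1601-01-01, UTC) to the timestamp format used in usn.csv."""
    return (_EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def datetime_to_filetime(dt):
    return int((dt - _EPOCH).total_seconds()) * 10_000_000


def flags_to_str(value, table):
    """Render set bits as NAME+NAME in ascending bit order, e.g. FILE_CREATE+CLOSE."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return "+".join(names) if names else "0"


def split_file_reference(ref):
    """NTFS file reference: low 48 bits = MFT record index, high 16 bits = sequence number."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48


def parse_usn_records(data):
    """Yield one dict per record; zero-filled gaps (sparse $J regions) are skipped."""
    off = 0
    while off + 8 <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:            # padding between records: advance to the next 8-byte boundary
            off += 8
            continue
        if length < _HDR.size or off + length > len(data):
            raise ValueError(f"bad record length {length} at offset {off}")
        (_, major, minor, fref, pref, usn, ts, reason, src, secid,
         attr, name_len, name_off) = _HDR.unpack_from(data, off)
        if major != 2:
            raise ValueError(f"only USN_RECORD_V2 is handled, got v{major}.{minor}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        idx, seq = split_file_reference(fref)
        pidx, pseq = split_file_reference(pref)
        yield {
            "MajorVersion": major, "MinorVersion": minor,
            "FileReferenceNumber": idx, "FileReferenceSequenceNumber": seq,
            "ParentFileReferenceNumber": pidx, "ParentFileReferenceSequenceNumber": pseq,
            "Usn": usn, "Timestamp": filetime_to_str(ts),
            "Reason": flags_to_str(reason, REASONS), "SourceInfo": src, "SecurityId": secid,
            "FileAttributes": flags_to_str(attr, ATTRS), "Filename": name,
        }
        off += length


def make_record(idx, seq, pidx, pseq, usn, when, reason, attr, name):
    """Build a USN_RECORD_V2 as NTFS lays it out: header, UTF-16LE name, zero padding to 8 bytes."""
    raw = name.encode("utf-16-le")
    length = (_HDR.size + len(raw) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, (seq << 48) | idx, (pseq << 48) | pidx, usn,
                    datetime_to_filetime(when), reason, 0, 0, attr, len(raw), _HDR.size)
    return hdr + raw + b"\0" * (length - _HDR.size - len(raw))


# Constructed sample: directory 53 created under root (5), then renamed. USN = offset in the buffer.
_T0 = datetime(2020, 2, 26, 21, 43, 36)
SAMPLE_J = b"".join([
    make_record(53, 4, 5, 5, 0, _T0, 0x00000100, 0x10, "Nouveau dossier"),
    make_record(53, 4, 5, 5, 96, _T0, 0x80000100, 0x10, "Nouveau dossier"),
    make_record(53, 4, 5, 5, 192, _T0 + timedelta(seconds=2), 0x00001000, 0x10, "Nouveau dossier"),
    make_record(53, 4, 5, 5, 288, _T0 + timedelta(seconds=2), 0x00002000, 0x10, "test"),
])


def to_csv_rows(data):
    return [",".join(str(r[k]) for k in r) for r in parse_usn_records(data)]


if __name__ == "__main__":
    print("\n".join(to_csv_rows(SAMPLE_J)))
```

When carving `$J` from an image rather than reading it through the MFT, the zero-length skip matters: the front of the stream is a sparse run of zeros, and a parser that trusts a zero `RecordLength` loops forever.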

shadow

shadow disk=0 volume=4
[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[+] VSS header found at 0x1e00

+---------------------------------------------------------------------------------------------------------------+
| SetID/ID | Count | Date | Details |
+---------------------------------------------------------------------------------------------------------------+
| {857c9ac4-ee4f-4bc6-b822-59e935a7120f} | 1 | 2020-09-21 00:15:38 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {3d102db1-8de2-4e7d-8ba5-e0dd4f67740d} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+
| {83bc8af4-8802-4466-ae38-717f6474616a} | 1 | 2020-09-22 06:10:00 | Service Machine : WORK-PC10 |
| | | | Originating Machine: WORK-PC10 |
| {e668c329-66a2-4ebd-beef-3c6bca81cbf7} | | | State : Created |
| | | | Flags : 0x0042000d |
| | | | - Persistent |
| | | | - Client Accessible |
| | | | - No Auto Release |
| | | | - Differential |
| | | | - Auto Recover |
+---------------------------------------------------------------------------------------------------------------+

streams

streams disk=0 volume=4 from=c:\test.pdf
List streams from \\.\PhysicalDrive0 > Volume:4
--------------------------------------------------

[+] Opening \\?\Volume{ee732b26-571c-4516-b8fd-32282aa8e66b}
[-] Source : c:\test.pdf
[-] Record Num : 13525 (000034d5h)
[+] Alternate data stream(s):
+-----------------------------+
| Id | Name | Size |
+-----------------------------+
| 0 | Zone.Identifier | 27 |
+-----------------------------+

undelete

undelete disk=4 volume=1
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}
[+] Reading $MFT record
[+] $MFT size : 256.00 KiBs (~256 files)
[+] Reading $BITMAP record
[+] $BITMAP size : 16.00 KiBs
[+] Searching deleted files
[+] Processed data size : 262144 (100%)
[+] Duration : 7ms

Deleted Files Found
-------------------

+---------------------------------------------------------------------------------------------------------------+
| Id | MFT Index | Flag | Filename | Size | Deletion Date | % Recoverable |
+---------------------------------------------------------------------------------------------------------------+
| 0 | 00000029 | | .\$RECYCLE.BIN\[...]\$RAV85W4.jpg | 5.10 KiBs | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
| 1 | 00000035 | | .\$RECYCLE.BIN\[...]\$IAV85W4.jpg | 58.00 bytes | 2020-02-26 21:29:03 | 100.00 |
+---------------------------------------------------------------------------------------------------------------+
undelete disk=4 volume=1 inode=41 output=restored_kitten.jpg
[+] Opening \\?\Volume{00000001-0000-0000-0000-000000000000}
[+] Reading file record : 41
[+] Extracting $RAV85W4.jpg to restored_kitten.jpg
[+] 5219 bytes written
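The `% Recoverable` column above follows from the two things the command reads, `$MFT` and `$Bitmap`: a deleted record still carries its `$DATA` run list, and each cluster in those runs is either still free in `$Bitmap` or has been handed to a newer file. The helper below, added here as an illustration and not NTFSTool's own code, decodes an NTFS run list (header byte: low nibble is the length-field width, high nibble the width of the signed, relative LCN offset; `0x00` ends the list; a zero offset width means a sparse run) and scores the file by the share of its clusters still unallocated. The run list and `$Bitmap` bytes are constructed; the scoring rule is my reading of what such a column must compute, not a statement of NTFSTool's exact formula.

```python
"""Decode NTFS data runs and score a deleted file's recoverability against $Bitmap.
Added example (not NTFSTool code); SAMPLE_RUNS and SAMPLE_BITMAP are constructed."""


def decode_data_runs(runs):
    """Decode a run list into [(start_lcn, length_in_clusters), ...]; sparse runs have start_lcn None.

    Each run starts with a header byte: low nibble = size of the length field,
    high nibble = size of the offset field.  The length is unsigned; the offset is
    signed and relative to the previous run's start LCN.  A 0x00 header terminates.
    """
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        len_size, off_size = hdr & 0x0F, hdr >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runs):
            raise ValueError(f"corrupt run header at offset {pos - 1}")
        length = int.from_bytes(runs[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            out.append((None, length))          # sparse run: no clusters on disk
            continue
        lcn += int.from_bytes(runs[pos:pos + off_size], "little", signed=True)
        pos += off_size
        out.append((lcn, length))
    return out


def cluster_allocated(bitmap, lcn):
    """$Bitmap: cluster n is bit (n % 8) of byte n // 8, least-significant bit first; 1 = in use."""
    return bool((bitmap[lcn >> 3] >> (lcn & 7)) & 1)


def recoverable_percent(runs, bitmap):
    """Percentage of the file's on-disk clusters that $Bitmap still marks free."""
    total = reused = 0
    for lcn, length in decode_data_runs(runs):
        if lcn is None:
            continue
        for c in range(lcn, lcn + length):
            total += 1
            if cluster_allocated(bitmap, c):
                reused += 1
    return 100.0 if total == 0 else 100.0 * (total - reused) / total


# Constructed run list: 0x21 0x04 0x30 0x00 -> 4 clusters at LCN 0x30 (1-byte length, 2-byte offset);
# 0x11 0x04 0x10 -> 4 clusters at LCN 0x30 + 0x10 = 0x40 (1-byte length, 1-byte offset); 0x00 ends.
SAMPLE_RUNS = bytes([0x21, 0x04, 0x30, 0x00, 0x11, 0x04, 0x10, 0x00])
# Constructed $Bitmap (128 clusters) in which clusters 0x40 and 0x41 have been reallocated.
SAMPLE_BITMAP = bytearray(16)
SAMPLE_BITMAP[0x40 >> 3] = 0b00000011

if __name__ == "__main__":
    print(decode_data_runs(SAMPLE_RUNS))
    print(f"{recoverable_percent(SAMPLE_RUNS, SAMPLE_BITMAP):.2f}% recoverable")
```

A file whose score is below 100 can still be extracted, but the clusters already reused will contain the newer file's bytes, which is the "part of the file" case mentioned in the overview above.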

shell

shell disk=4 volume=1
disk4:volume1:> ls

Inode | Type | Name | Size | Creation Date | Attributes
---------------------------------------------------------------------------------------
4 | | $AttrDef | 2560 | 2020-02-26 16:35:29 | Hi Sy
8 | | $BadClus | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Bad | 536866816 | |
6 | | $Bitmap | 16384 | 2020-02-26 16:35:29 | Hi Sy
7 | | $Boot | 8192 | 2020-02-26 16:35:29 | Hi Sy
11 | DIR | $Extend | | 2020-02-26 16:35:29 | Hi Sy
2 | | $LogFile | 4341760 | 2020-02-26 16:35:29 | Hi Sy
0 | | $MFT | 262144 | 2020-02-26 16:35:29 | Hi Sy
1 | | $MFTMirr | 4096 | 2020-02-26 16:35:29 | Hi Sy
50 | DIR | $RECYCLE.BIN | | 2020-02-26 16:40:34 | Hi Sy
9 | | $Secure | 0 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $SDS | 264200 | |
10 | | $UpCase | 131072 | 2020-02-26 16:35:29 | Hi Sy
| ADS | $Info | 32 | |
3 | | $Volume | 0 | 2020-02-26 16:35:29 | Hi Sy
5 | DIR | . | | 2020-02-26 16:35:29 | Hi Sy
85010 | | 7z1900-x64.exe | 1447178 | 2020-07-29 17:19:49 | Ar
| ADS | Zone.Identifier | 123 | |
42 | | hello.txt | 5 | 2020-02-26 21:27:33 | Ar
39 | | kitten1.jpg | 23486 | 2020-02-26 16:37:23 | Ar
| ADS | Zone.Identifier | 154 | |
40 | | kitten2.jpg | 79678 | 2020-02-26 16:37:55 | Ar
| ADS | Zone.Identifier | 303 | |
41 | | kitten3.jpg | 5219 | 2020-02-26 16:38:16 | Ar
| ADS | Zone.Identifier | 262 | |
36 | DIR | System Volume Information | | 2020-02-26 16:35:29 | Hi Sy

disk4:volume1:> pwd

disk4:volume1:> cat hello.txt
Hello !
disk4:volume1:> cat 7z1900-x64.exe:Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.7-zip.org/download.html
HostUrl=https://www.7-zip.org/a/7z1900-x64.exe

disk4:volume1:> exit

smart

smart disk=1
Version : 1 revision 1
Type : SATA/IDE Master on primary channel
Capabilities : ATA, ATAPI, S.M.A.R.T

Status : Passed

-- Device ID
+---------------------------------------------------------------------------------------------------+
| Property | Value |
+---------------------------------------------------------------------------------------------------+
| General Configuration | 0040h |
| Number of Cylinders | 16383 |
| Reserved | c837h |
| Number Of Heads | 16 |
| Bytes Per Track | 0 |
| Bytes Per Sector | 0 |
| Sectors Per Track | 63 |
| Vendor Unique | |
| Serial Number | S2RBNX0H606448W |
| Buffer Type | 0 |
| Buffer Size | 0 |
| ECC Size | 0 |
| Firmware Revision | EMT02B6Q |
| Model Number | Samsung SSD 850 EVO 500GB |
| Maximum Number of Sectors On R/W | 32769 |
| Double Word IO | 16385 |
| Capabilities | Reserved : 0000h |
| | DMA Support : True |
| | LBA Support : True |
| | DisIORDY : True |
| | IORDY : True |
| | Requires ATA soft start : False |
| | Overlap Operation Support : True |
| | Command Queue Support : False |
| | Interleaved DMA Support : False |
| Reserved1 | 4000h |
| PIO Timing | 512 |
| DMA Timing | 512 |
| Field Validity | CHS Number : True |
| | Cycle Number : True |
| | Ultra DMA : True |
| Current numbers of cylinders | 16383 |
| Current numbers of heads | 16 |
| Current numbers of sectors per track | 63 |
| Multiple Sector Setting | 16514064 |
| Total Number of Sectors Addressable (LBA) | 268435455 |
| Singleword DMA Transfer Support | 0 |
| Multiword DMA Transfer Support | Mode 0 (4.17Mb/s) |
| | Mode 1 (13.3Mb/s) |
| | Mode 2 (16.7Mb/s) |
| Advanced PIO Modes | 0003h |
| Minimum Multiword DMA Transfer Cycle Time per Word | 120 |
| Recommended Multiword DMA Transfer Cycle Time per Word | 120 |
| Minimum PIO Transfer Cycle Time (No Flow Control) | 120 |
| Minimum PIO Transfer Cycle Time (Flow Control) | 120 |
| ATA Support | ATA-2 |
| | ATA-3 |
| | ATA-4 |
| | ATA/ATAPI-5 |
| | ATA/ATAPI-6 |
| | ATA/ATAPI-7 |
| | ATA/ATAPI-8 |
| | ATA/ATAPI-9 |
| Ultra DMA Transfer Support | Mode 0 (16.7MB/s) |
| | Mode 1 (25.0MB/s) |
| | Mode 2 (33.3MB/s) |
| | Mode 3 (44.4MB/s) |
| | Mode 4 (66.7MB/s) |
| | Mode 5 (100.0MB/s) (selected) |
| | Mode 6 (133.0MB/s) |
+---------------------------------------------------------------------------------------------------+

-- Attributes
+-------------------------------------------------------------------------------------------------------------------+
| Index | Name | Flags | Raw | Value | Worst | Threshold | Status |
+-------------------------------------------------------------------------------------------------------------------+
| 05h | Reallocated Sector Count | 0033h | 000000000000h | 100 | 100 | 10 | OK |
| 09h | Power-On Hours Count | 0032h | 000000008d54h | 92 | 92 | 0 | OK |
| 0ch | Power Cycle Count | 0032h | 0000000000f5h | 99 | 99 | 0 | OK |
| b1h | Wear Range Delta | 0013h | 00000000005eh | 95 | 95 | 0 | OK |
| b3h | Used Reserved Block Count (Total) | 0013h | 000000000000h | 100 | 100 | 10 | OK |
| b5h | Program Fail Count Total | 0032h | 000000000000h | 100 | 100 | 10 | OK |
| b6h | Erase Fail Count | 0032h | 000000000000h | 100 | 100 | 10 | OK |
| b7h | Sata Down Shift Error Count | 0013h | 000000000000h | 100 | 100 | 10 | OK |
| bbh | Reported Uncorrectable Errors | 0032h | 000000000000h | 100 | 100 | 0 | OK |
| beh | Temperature Difference From 100 | 0032h | 000000000020h | 68 | 50 | 0 | OK |
| c3h | Hardware Ecc Recovered | 001ah | 000000000000h | 200 | 200 | 0 | OK |
| c7h | Udma Crc Error Count | 003eh | 000000000000h | 100 | 100 | 0 | OK |
| ebh | Good Block Count And System Free Block Count | 0012h | 000000000071h | 99 | 99 | 0 | OK |
| f1h | Lifetime Writes From Host Gib | 0032h | 00154bf298c9h | 99 | 99 | 0 | OK |
+-------------------------------------------------------------------------------------------------------------------+

