// evidence type
mft / usn journal / ntfs metadata
$MFT export · USN journal csv · NTFS logfile. file creation, rename bursts, timestomp conflicts, and slack-space residue without mounting the image.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- mft parser: drop a raw $MFT file · parse every file record · timestamps · attributes · flags · resident vs non-resident data · export CSV · runs locally
- ntfs journal reader: drop an NTFS image or raw $UsnJrnl · parse the update sequence number journal · list file create · modify · delete · rename events · export CSV · runs locally
- NTFS USN journal wrap and evidence loss detector: drop usn journal csv · detect journal wrap events where oldest records were overwritten · estimate how much file activity history was lost · identify intentionally triggered journal wraps destroying evidence · runs locally
- USN journal vs MFT timestamp conflict detector: drop usn journal csv and mft csv · detect timestamp values in usn journal that contradict current mft timestamps · surface files whose timestamps were modified after they were last journaled · runs locally
- mft sequence vs timestamp conflict analyzer: drop mft csv · detect conflicts between mft entry sequence and file timestamps · impossible ordering · reused entries · runs locally
- MFT record slack residue deep extractor: drop mft binary or mft slack csv · extract and analyze residual data from mft record slack fields · recover previous attribute fragments from unused record space · surface historical file metadata hidden in mft slack · runs locally
- mft entry reuse anomaly detector: drop mft csv · detect abnormally high mft entry reuse rates · identify evidence of mass file deletion and creation in entry slots · surface patterns indicating attacker file staging and cleanup · runs locally
- ntfs file born-time consensus engine: drop mft csv · usn journal csv · logfile operation export · indx csv · correlate all four timestamp sources for every file · produce consensus born-time with confidence score · expose disagreements that prove tampering · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- ntfs journal gap analyzer: drop usn journal csv or ntfs logfile csv · detect gaps in journal sequence numbers · identify windows where filesystem activity was not recorded · surface journal clearing or rollover events · runs locally
- MFT slack space artifact detector: drop mft binary or slack extraction csv · detect artifacts hidden in mft record slack · identify residual data from previous file occupants · surface hidden data and historical file metadata in unused mft space · runs locally
- recycle bin restoration and bypass artifact detector: drop mft csv and usn journal csv · detect files restored from the recycle bin · identify files sent to recycle bin then immediately restored (suspicious cycling) · surface recycle bin bypass using shift-delete · runs locally
- mass rename detector: drop a file listing or dir output · detect bulk renames within short time windows · flag ransomware extension patterns · visualize rename timeline · export CSV · runs locally
- secure deletion detector: drop disk image · wipe patterns · zero ff aa55 fills · high entropy · sdelete eraser hints · heat map · chunked worker scan · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally