analyzing-slack-space-and-file-system-artifacts


Examine file system slack space, MFT entries, USN journal, and alternate data streams to recover hidden data and reconstruct file activity on NTFS volumes.

Category: AI & Automation
License: Apache-2.0

Skill Content

# Analyzing Slack Space and File System Artifacts

## When to Use

- When searching for hidden or residual data in file system slack space
- For analyzing NTFS Master File Table (MFT) entries for deleted file metadata
- When reconstructing file operations from the USN Change Journal
- For detecting Alternate Data Streams (ADS) used to hide data or malware
- During deep forensic analysis requiring examination beyond standard file recovery

## Prerequisites

- Forensic disk image with an NTFS file system
- The Sleuth Kit (TSK) tools: istat, icat, fls, blkls, blkstat
- MFTECmd (Eric Zimmerman) for MFT parsing
- MFTExplorer for interactive MFT analysis
- Understanding of NTFS structures (MFT, $UsnJrnl, $LogFile, ADS)
- Python with the analyzeMFT or mft library for automated parsing

## Workflow

### Step 1: Identify and Extract NTFS File System Artifacts

```bash
# Determine partition layout (the NTFS volume here starts at sector 2048)
mmls /cases/case-2024-001/images/evidence.dd

# Extract key NTFS system files by MFT entry number
# $MFT - Master File Table (always MFT entry 0)
icat -o 2048 /cases/case-2024-001/images/evidence.dd 0 > /cases/case-2024-001/ntfs/MFT

# $UsnJrnl:$J - USN Change Journal ($DATA attribute, type 128, of the $UsnJrnl entry)
icat -o 2048 /cases/case-2024-001/images/evidence.dd 62-128 > /cases/case-2024-001/ntfs/UsnJrnl_J

# $LogFile - Transaction log (always MFT entry 2)
icat -o 2048 /cases/case-2024-001/images/evidence.dd 2 > /cases/case-2024-001/ntfs/LogFile

# Extract all slack space from the volume (-s selects slack rather than unallocated blocks)
blkls -s -o 2048 /cases/case-2024-001/images/evidence.dd > /cases/case-2024-001/ntfs/slack_space.raw

# Get file syste...
```

Unlike $MFT and $LogFile, the $UsnJrnl entry (62 in the commands above) has no fixed MFT entry number; it lives under the $Extend directory and its number is volume-specific, so confirm it from the directory listing before extracting $J. The $J stream is also sparse: the oldest region of the extracted file reads back as zeros, which any parser fed the raw extract must skip.
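The UsnJrnl_J extract produced above is what "reconstructing file operations from the USN Change Journal" is parsed from. The following is an added example (not code from the skill or from the mukul975 repository): a minimal parser for the documented USN_RECORD_V2 layout that skips the sparse zero run at the start of a $J extract, decodes the reason bitmask, and groups records per MFT entry and sequence number so one file can be followed from creation through rename to deletion. The journal bytes are constructed inline, and the MFT entry and file names in them are invented for the demonstration.

```python
"""Reconstruct file activity from an extracted $UsnJrnl:$J stream (added example)."""
import struct
from datetime import datetime, timedelta, timezone

# Subset of the documented USN_REASON_* flags
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# USN_RECORD_V2 fixed header, little-endian, 60 bytes: RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset. The UTF-16LE file name follows at FileNameOffset.
_HDR = struct.Struct("<IHHQQQqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_reason(mask):
    """Expand a reason bitmask into flag names; undocumented bits are kept as hex."""
    names = [name for bit, name in sorted(REASON_FLAGS.items()) if mask & bit]
    leftover = mask & ~sum(REASON_FLAGS)
    if leftover:
        names.append(f"0x{leftover:08x}")
    return names


def parse_usn_journal(data):
    """Walk a raw $J extract and return one dict per USN_RECORD_V2."""
    records, off, end = [], 0, len(data)
    while off + _HDR.size <= end:
        (rec_len,) = struct.unpack_from("<I", data, off)
        if rec_len == 0:          # sparse padding: step to the next 8-byte boundary
            off += 8
            continue
        if rec_len < _HDR.size or off + rec_len > end:
            raise ValueError(f"corrupt RecordLength {rec_len} at offset {off}")
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _HDR.unpack_from(data, off)
        if major != 2:
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "offset": off,
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "mft_entry": file_ref & 0xFFFFFFFFFFFF,      # low 48 bits: entry number
            "mft_sequence": file_ref >> 48,              # high 16 bits: sequence
            "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
            "reason": decode_reason(reason),
            "attributes": attrs,
            "name": name,
        })
        off += rec_len
    return records


def summarize_files(records):
    """Per (MFT entry, sequence): names in order seen, create/delete flags, time span.
    Keying on the sequence number keeps a reused MFT entry from merging two files."""
    summary = {}
    for rec in sorted(records, key=lambda r: r["usn"]):
        key = (rec["mft_entry"], rec["mft_sequence"])
        entry = summary.setdefault(key, {"names": [], "created": False, "deleted": False,
                                         "first": rec["timestamp"], "last": rec["timestamp"]})
        if rec["name"] not in entry["names"]:
            entry["names"].append(rec["name"])
        entry["created"] |= "FILE_CREATE" in rec["reason"]
        entry["deleted"] |= "FILE_DELETE" in rec["reason"]
        entry["last"] = rec["timestamp"]
    return summary


def build_usn_record(usn, file_ref, parent_ref, filetime, reason, name):
    """Build one USN_RECORD_V2; used only to construct sample input below."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7       # records are 8-byte aligned
    header = _HDR.pack(length, 2, 0, file_ref, parent_ref, usn, filetime,
                       reason, 0, 0, 0x20, len(name_bytes), _HDR.size)
    return header + name_bytes + b"\x00" * (length - _HDR.size - len(name_bytes))


def build_sample_journal():
    """Constructed $J extract (not from any real volume): a 16-byte sparse zero run,
    then six records tracing MFT entry 70 (sequence 3) from creation as report.docx,
    through a rename to invoice.pdf, to deletion. Reasons accumulate until CLOSE."""
    file_ref, parent_ref = (3 << 48) | 70, (5 << 48) | 5    # parent: root directory (entry 5)
    t0 = datetime_to_filetime(datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc))
    events = [(0x100, "report.docx"), (0x100 | 0x2 | 0x80000000, "report.docx"),
              (0x1000, "report.docx"), (0x2000, "invoice.pdf"),
              (0x1000 | 0x2000 | 0x80000000, "invoice.pdf"), (0x200 | 0x80000000, "invoice.pdf")]
    data = bytearray(16)
    for i, (reason, name) in enumerate(events):   # in a real $J the USN is the byte offset
        data += build_usn_record(len(data), file_ref, parent_ref, t0 + i * 10_000_000, reason, name)
    return bytes(data)


if __name__ == "__main__":
    recs = parse_usn_journal(build_sample_journal())
    for r in recs:
        print(r["timestamp"].isoformat(), r["mft_entry"], r["name"], "|".join(r["reason"]))
    for key, info in summarize_files(recs).items():
        print(key, info["names"], "created" if info["created"] else "", "deleted" if info["deleted"] else "")
```

To run it against a real extract, replace `build_sample_journal()` with the bytes of the UsnJrnl_J file; the sequence-number keying matters there because deleted MFT entries are reused, and without it a later unrelated file would be merged into the same timeline.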

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0

Similar Skills

- analyzing-mft-for-deleted-file-recovery (mukul975): Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
- analyzing-mft-for-deleted-file-recovery (26zl): Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record entries, $LogFile, $UsnJrnl, and MFT slack space using MFTECmd, analyzeMFT, and X-Ways Forensics.
- hunting-for-defense-evasion-via-timestomping (mukul975): Detect NTFS timestamp manipulation (MITRE T1070.006) by comparing $STANDARD_INFORMATION vs $FILE_NAME timestamps in the MFT. Uses analyzeMFT and Python to identify files with anomalous temporal patterns indicating anti-forensic timestomping activity.
- analyzing-linux-system-artifacts (mukul975): Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover evidence of compromise or unauthorized activity.
- performing-disk-forensics-investigation (mukul975): Conducts disk forensics investigations using forensic imaging, file system analysis, artifact recovery, and timeline reconstruction to support incident response cases. Utilizes tools such as FTK Imager, Autopsy, and The Sleuth Kit for evidence acquisition, deleted file recovery, and artifact examination. Activates for requests involving disk forensics, hard drive analysis, forensic imaging, file recovery, evidence acquisition, or digital forensic investigation.