Grok-NTFS

Grok-NTFS is an NTFS file system analysis tool with powerful data recovery and visualization features.
Grok-NTFS will accept all types of "forensic" images (Expert Witness / EnCase E01, FTK Imager, SMART, SAW, etc.) as well as dd images and VMware disk images. Of course, Grok-NTFS can look directly at physical disks and RAID arrays too. When used in conjunction with our Remote Forensic Client software, Grok-NTFS may be used to securely examine and document NTFS file systems over the network.

Grok-NTFS provides a familiar tabbed interface, able to display a large amount of information without clutter. The tabs are connected, so when you switch from one view to another, you don't "lose focus". Above is a screenshot of the Volume information. Next, we see a screenshot of top-level file system information, which allows us to navigate to any location in the file system. Notice that when an item is selected, the highlighted item's File Record and $MFT sequence number are displayed and linked.
The "FILE Records" tab shows us all the metadata related to the selected object, whether it is a file, deleted file, directory, deleted directory or orphaned item. Notice that all parent objects are linked for quick review.
Grok-NTFS provides exceptional data visualization features. A picture really is worth a thousand words and can help clarify and illustrate technical issues in reports and trial exhibits.
In the Cluster Visualization mode, we can see that cluster 1,041,618 is referenced in two $MFT entries. We are presented with information and links to each $MFT record that references this cluster. This is a powerful feature that enables an analyst to rapidly identify not only deleted file system objects, but their relationships with other file system objects. Grok-NTFS provides both FILE and Cluster visualization modes.
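The cross-reference that the Cluster Visualization mode shows for cluster 1,041,618 (one cluster claimed by two $MFT records) can be reproduced with a short script. The following Python is an added example, not Grok-NTFS code: it decodes standard NTFS data runs from a few constructed $MFT records (the record numbers, file names and run bytes are made up for illustration) and reports every cluster referenced by more than one record, noting which records are deleted.

```python
from collections import defaultdict

# Constructed sample $MFT records: {record_number: (name, in_use, data_run_bytes)}.
# Record 87 is a deleted file whose first run still covers cluster 1,041,618,
# which the live file in record 40 also claims. The run bytes are hand-built.
SAMPLE_RECORDS = {
    40: ("report.docx", True,  b"\x31\x04\xd2\xe4\x0f\x00"),             # 4 clusters from LCN 0xFE4D2
    87: ("old.tmp",     False, b"\x31\x03\xd0\xe4\x0f\x11\x01\xf0\x00"),  # 3 from 0xFE4D0, then 1 at delta -16
}

def decode_data_runs(runs: bytes):
    """Decode an NTFS data-run list into [(starting LCN, cluster count), ...].
    Header byte: low nibble = size of the length field, high nibble = size of the
    signed LCN delta (relative to the previous run). 0x00 ends the list; a delta
    size of 0 marks a sparse run that owns no clusters on disk."""
    extents, lcn, i = [], 0, 0
    while i < len(runs) and runs[i] != 0:
        len_size, off_size = runs[i] & 0x0F, runs[i] >> 4
        i += 1
        length = int.from_bytes(runs[i:i + len_size], "little")
        i += len_size
        if off_size == 0:          # sparse run: nothing on disk to cross-reference
            continue
        lcn += int.from_bytes(runs[i:i + off_size], "little", signed=True)
        i += off_size
        extents.append((lcn, length))
    return extents

def cluster_references(records):
    """Map every referenced cluster to the list of $MFT record numbers claiming it."""
    refs = defaultdict(list)
    for rec_no, (_name, _in_use, runs) in records.items():
        for lcn, count in decode_data_runs(runs):
            for cluster in range(lcn, lcn + count):
                refs[cluster].append(rec_no)
    return dict(refs)

def shared_clusters(records):
    """Clusters referenced by more than one record: the cross-reference the text describes."""
    return {c: recs for c, recs in cluster_references(records).items() if len(recs) > 1}

def describe_shared(records):
    """One human-readable line per shared cluster, flagging deleted records."""
    lines = []
    for cluster, recs in sorted(shared_clusters(records).items()):
        owners = ", ".join(f"MFT {r} ({records[r][0]}, {'in use' if records[r][1] else 'deleted'})" for r in recs)
        lines.append(f"cluster {cluster:,} -> {owners}")
    return lines
```

On a real volume the run bytes come from each record's non-resident $DATA attribute, and the same map also exposes clusters that a deleted record shares with a directory index or another deleted file.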