Grok-NTFS

Grok-NTFS is an NTFS file system analysis tool with powerful data recovery and visualization features.

Grok-NTFS runs on Windows, linux and Macintosh.

 

Grok-NTFS will accept all types of “forensic” images (Expert Witness / EnCase E01, FTK Imager, SMART, SAW, etc.) as well as dd images and VMWare disk images. Of course, Grok-NTFS can look directly at physical disks and RAID arrays too.

When used in conjunction with our Remote Forensic Client software, Grok-NTFS may be used to securely examine and document NTFS file systems over the network.

Grok-NTFS provides a familiar tabbed interface, able to display lots of information without clutter. The tabs are connected, so when you switch from one view to another, you don’t “lose focus”.

Above is a screenshot of the Volume information. Next, we see a screenshot of top-level file system information. This allows us to navigate to any location in the file system. Notice that the highlighted item’s File Record and $MFT sequence number is displayed and linked when an item is selected.

The “FILE Records” tab shows us all the metadata related to the selected object, whether it is a file, deleted file, directory, deleted directory or orphaned item. Notice that all parent objects are linked for quick review.

Grok-NTFS provides exceptional data visualization features. A picture really is worth a thousand words and can help clarify and illustrate technical issues in reports and trial exhibits.

In the Cluster Visualization mode, we can see that cluster 1,041,618 is referenced in two $MFT entries. We are presented with information and links to each $MFT record that references this cluster. This is a powerful feature that enables an analyst to rapidly identify not only deleted file system objects, but their relationships with other file system objects. Grok-NTFS provides both FILE and Cluster visualization modes.