File Systems - AboutDFIR - The Definitive Compendium Project

File Systems Tools

Tool	Description
Active Disk Editor	BtrFS SuperBlock, exFAT, Ext2/Ext3 Superblock, NTFS, ReFS, XFS
Indx2Csv	An advanced parser for INDX records.
INDXParse	Tool suite for inspecting NTFS artifacts.
INDXRipper	Carve file metadata from NTFS index ($I30) attributes.
ISO Buster	CD, DVD, Blu Ray, UDF, ISO9660, Joilet, IFO, BUP, VOB file systems
KAPE	Kroll Artifact Parser And Extractor (KAPE)
MFTECmd	Eric Zimmeran Tool - $MFT, $Boot, $J, $SDS, $I30, and $LogFile (coming soon) parser. Handles locked files.
X-Ways

File Systems Artifacts

File System	Artifact	Resource
FAT32	File Carving	FAT32 File Carving
HFS+		MacOS File Movements
HFS+		HFS+ Overview
NTFS	$Deleted	The “\$Extend\$Deleted” directory
NTFS	$I30 Files	13Cubed - Windows NTFS Index Attributes ($I30 Files)
NTFS	$I30 Files	$I30 Parsers Output False Entries. Here's Why - RAT in Mi Kitchen
NTFS	$J	USN Journal: Where have you been all my life
NTFS	$J	The Windows USN Journal
NTFS	$J	Carving $USN journal entries
NTFS	$J	13Cubed - NTFS Journal Forensics
NTFS	$J	Investigating USN Journal - Forensafe
NTFS	$MFT	Parsing the $MFT NTFS metadata file
NTFS	$MFT	Resolving File Paths Using The MFT - RAT in Mi Kitchen
NTFS	$MFT	Bring Out The Body File - TrustedSec
NTFS	$Security	Exploring Windows Artifacts : $Security Artifact
NTFS	Alternate Data Streams	[CQURElabs] Alternate Data Streams
NTFS	Alternate Data Streams	Alternate Data Streams (ADS)
NTFS	MACB Timestamps	13Cubed - Windows MACB Timestamps (NTFS Forensics)
NTFS	NTFS Attributes	$STANDARD_INFORMATION vs. $FILE_NAME
NTFS	NTFS Attributes	What I wish someone had told me when I started learning about File System Forensics
NTFS	NTFS Artifacts	NTFS Artifacts Analysis
NTFS	Short File Names	Deceptive NTFS short file names
NTFS/FAT32/exFAT	Timestamps	Filesystem Timestamps: What Makes Them Tick?
Various	Master Boot Record	Beginning File System Forensics - learning about the disk and the Master Boot Record (MBR)