Restore file system structure from DFIR ORC triage
maxspl/Restore_FS
Restore_FS

Restore file system structure from DFIR ORC triage. This tool is designed to process NTFSInfo CSV files generated by DFIR ORC and restore the filesystem structure.

WARNING: This tool only works on Linux.

Workflow

  • Scans the input directory to find NTFSInfo CSV files.
  • Allows customization of the NTFSInfo file pattern through a script argument.
  • Processes each NTFSInfo file found:
    • Constructs a dataframe from each NTFSInfo file.
    • Scans the parent directory recursively (default is two levels up) for files with a specific naming pattern.
    • Constructs a dataframe with all the files found, extracting file paths, FRN, and ParentFRN.
    • Joins the NTFSInfo dataframe with the volstats dataframe to map volume IDs to mount points.
    • Joins the NTFSInfo dataframe with the scanned files dataframe on VolumeID, ParentFRN, and FRN.
    • Restores the filesystem structure using the joined dataframes.
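Added example, not the project's own code: a minimal Rust sketch of the join-and-restore step above. It assumes a simplified four-column NTFSInfo layout (VolumeID, FRN, ParentFRN, File), a two-column volstats layout (VolumeID, MountPoint), and the NTFS convention that the root directory's ParentFRN equals its own FRN; it walks ParentFRN links to rebuild each file's restore path and rejects orphaned or cyclic chains.

```rust
use std::collections::HashMap;
// Constructed sample NTFSInfo rows; the column layout is an assumption, not ORC's real header.
const NTFSINFO: &str = "VolumeID,FRN,ParentFRN,File\n\
                        vol1,5,5,.\n\
                        vol1,100,5,Windows\n\
                        vol1,101,100,System32\n\
                        vol1,102,101,cmd.exe\n";
// Constructed volstats rows mapping VolumeID to its mount point.
const VOLSTATS: &str = "VolumeID,MountPoint\n\
                        vol1,C:\\\n";
/// Index keyed by (VolumeID, FRN) holding (ParentFRN, file name).
pub type Index = HashMap<(String, String), (String, String)>;

/// Parse NTFSInfo rows into the (VolumeID, FRN) index; malformed rows are skipped.
pub fn parse_ntfsinfo(csv: &str) -> Index {
    csv.lines().skip(1).filter_map(|line| {
        let f: Vec<String> = line.split(',').map(|s| s.trim().to_string()).collect();
        (f.len() == 4).then(|| ((f[0].clone(), f[1].clone()), (f[2].clone(), f[3].clone())))
    }).collect()
}
/// Parse volstats rows into VolumeID -> mount point.
pub fn parse_volstats(csv: &str) -> HashMap<String, String> {
    csv.lines().skip(1).filter_map(|line| {
        let (vol, mount) = line.split_once(',')?;
        Some((vol.trim().to_string(), mount.trim().to_string()))
    }).collect()
}

/// Walk ParentFRN links up to the volume root and return the restore path, e.g.
/// "C/Windows/System32/cmd.exe". None for an orphaned FRN or a cyclic chain.
pub fn restore_path(index: &Index, mounts: &HashMap<String, String>, volume: &str, frn: &str) -> Option<String> {
    let mut parts = Vec::new();
    let mut cur = frn.to_string();
    for _hop in 0..256 {
        let (parent, name) = index.get(&(volume.to_string(), cur.clone()))?;
        if *parent == cur { // NTFS root: ParentFRN equals its own FRN, chain complete
            parts.reverse();
            let mount = mounts.get(volume)?.trim_end_matches('\\').replace(':', "");
            return Some(format!("{}/{}", mount, parts.join("/")));
        }
        parts.push(name.clone());
        cur = parent.clone();
    }
    None // more than 256 hops: damaged index with a ParentFRN cycle
}

fn main() {
    let (index, mounts) = (parse_ntfsinfo(NTFSINFO), parse_volstats(VOLSTATS));
    println!("{:?}", restore_path(&index, &mounts, "vol1", "102"));
}
```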

Usage

Input

The input supplied should be a directory containing fully decompressed DFIR ORC archives. The input directory can contain DFIR ORC archives from multiple endpoints.

Depth

This argument (default value is 2) specifies how many directory levels above each NTFSInfo file's directory the parent directory containing all the DFIR ORC files is located.

For example, the default depth of 2 allows this kind of input to be submitted (here the input directory is input_sample). It means the tool will scan ../.. from each directory containing NTFSInfo CSV files (extracted_files in this example):

├── input_sample
│   └── extract_orc
│       ├── Endpoint_SRV-A
│       │   └── extracted_files
│       │       ├── Browsers
│       │       │   ├── Browsers_artefacts
│       │       │   │   ├── Chrome_50_Artefacts
│       │       ├── General
│       │       │   ├── ADS
│       │       │   │   ├── ads
│       │       │   │   ├── GetThis.csv
│       │       │   ├── Listdlls.txt
│       │       │   ├── netstat.txt
│       │       │   ├── NTFSInfoFull_detail
│       │       │   │   ├── NTFSInfo_00000000_DiskInterface_0x625ad6bc5ad68c63_.csv
│       │       │   │   ├── NTFSInfo_00000001_PhysicalDrive_1_Offset_122683392_.csv
│       │       │   │   ├── NTFSInfo_00000002_PhysicalDrive_1_Offset_499569917952_.csv
│       ├── Endpoint_SRV-B
│       │   └── extracted_files
│       │       ├── Browsers
│       │       │   ├── Browsers_artefacts
│       │       │   │   ├── Chrome_50_Artefacts
│       │       ├── General
│       │       │   ├── ADS
│       │       │   │   ├── ads
│       │       │   │   ├── GetThis.csv
│       │       │   ├── Listdlls.txt
│       │       │   ├── netstat.txt
│       │       │   ├── NTFSInfoFull_detail
│       │       │   │   ├── NTFSInfo_00000000_DiskInterface_0x625ad6bc5ad68c63_.csv
│       │       │   │   ├── NTFSInfo_00000001_PhysicalDrive_1_Offset_122683392_.csv
│       │       │   │   ├── NTFSInfo_00000002_PhysicalDrive_1_Offset_499569917952_.csv

Command-Line Arguments

  • -i, --input: Input directory path (required)
  • -o, --output: Output directory path (required)
  • -d, --depth: Optional scan depth for the parent directory (default is 2)
  • --ntfs-info-pattern: Optional pattern for NTFSInfo files (default is ^NTFSInfo.*csv$)
  • -e, --endpoint_name: Optional endpoint name. Useful for offline ORC collections; it replaces the hostname in volstats.csv. Works only for a single triage.

Example Command

./Restore_FS -i /path/to/input -o /path/to/output
RUST_LOG=debug ./Restore_FS -i /path/to/input -o /path/to/output
