Alternatives and similar repositories for ntfstool

Users that are interested in ntfstool are comparing it to the libraries listed below

• libyal / libfsntfs

  View on GitHub
  Library and tools to access the Windows New Technology File System (NTFS)
  ☆226Feb 8, 2026Updated last week
• harelsegev / INDXRipper

  View on GitHub
  Carve file metadata from NTFS index ($I30) attributes
  ☆70Feb 3, 2024Updated 2 years ago
• kacos2000 / MFT_Browser

  View on GitHub
  $MFT directory tree reconstruction & FILE record info
  ☆325Oct 7, 2024Updated last year
• dwmetz / CyberPipe

  View on GitHub
  An easy to use PowerShell script to collect memory and disk forensics for DFIR investigations.
  ☆342Dec 3, 2025Updated 2 months ago
• msuhanov / dfir_ntfs

  View on GitHub
  An NTFS/FAT parser for digital forensics & incident response
  ☆217Oct 31, 2025Updated 3 months ago
• omerbenamram / mft

  View on GitHub
  A parser for the MFT (Master File Table) format
  ☆155Jan 3, 2026Updated last month
• ufrisk / MemProcFS

  View on GitHub
  MemProcFS
  ☆4,000Feb 7, 2026Updated last week
• kacos2000 / Prefetch-Browser

  View on GitHub
  Browse Windows Prefetch versions: 17,23,26,30v1/2,31 & some of SuperFetch .7db/.db's
  ☆64Dec 18, 2024Updated last year
• northloopforensics / Bitlocker_Key_Finder

  View on GitHub
  Search datasets for Bitlocker recovery files and triage live systems for Bitlocker keys.
  ☆51Jan 26, 2025Updated last year
• moaistory / WinSearchDBAnalyzer

  View on GitHub
  http://moaistory.blogspot.com/2018/10/winsearchdbanalyzer.html
  ☆127Jul 20, 2024Updated last year
• kacos2000 / MFT_Record_Viewer

  View on GitHub
  $MFT Record Viewer
  ☆23Nov 9, 2022Updated 3 years ago
• sumeshi / ntfsfind

  View on GitHub
  An efficient tool for search files, directories, and alternate data streams directly from NTFS image files.
  ☆28Feb 21, 2024Updated last year
• LETHAL-FORENSICS / MemProcFS-Analyzer

  View on GitHub
  MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR
  ☆694Oct 22, 2025Updated 3 months ago
• ydkhatri / jarp

  View on GitHub
  Just Another broken Registry Parser (JARP)
  ☆16May 23, 2024Updated last year
• zodiacon / TotalRegistry

  View on GitHub
  Total Registry - enhanced Registry editor/viewer
  ☆1,579Jan 2, 2026Updated last month
• rowingdude / analyzeMFT

  View on GitHub
  analyzeMFT.py is designed to fully parse the MFT file from an NTFS filesystem and present the results as accurately as possible in multip…
  ☆520Aug 13, 2025Updated 6 months ago
• kacos2000 / Win10LiveInfo

  View on GitHub
  Windows 10 Live Information viewer
  ☆37Jan 27, 2022Updated 4 years ago
• DamonMohammadbagher / ETWProcessMon2

  View on GitHub
  ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detecti…
  ☆319Mar 20, 2024Updated last year
• Yamato-Security / hayabusa

  View on GitHub
  Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
  ☆3,014Feb 4, 2026Updated last week
• AndrewRathbun / DFIRArtifactMuseum

  View on GitHub
  The goal of this repo is to archive artifacts from all versions of various OS's and categorizing them by type. This will help with artifa…
  ☆645Nov 7, 2025Updated 3 months ago
• sumeshi / mft2es

  View on GitHub
  A library for fast parse & import of Windows Master File Table($MFT) into Elasticsearch.
  ☆12Jun 23, 2025Updated 7 months ago
• Paul-Tew / lifer

  View on GitHub
  Windows link file (shortcuts) examiner
  ☆68Jun 9, 2024Updated last year
• dfir-dd / dfir-toolkit

  View on GitHub
  CLI tools for forensic investigation of Windows artifacts
  ☆349Jul 21, 2025Updated 6 months ago
• stuhli / awesome-event-ids

  View on GitHub
  Collection of Event ID ressources useful for Digital Forensics and Incident Response
  ☆643Jun 19, 2024Updated last year
• CrowdStrike / SuperMem

  View on GitHub
  A python script developed to process Windows memory images based on triage type.
  ☆264Nov 25, 2023Updated 2 years ago
• Yamato-Security / WELA-deprecated

  View on GitHub
  WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅（ウェラ）
  ☆780Feb 3, 2023Updated 3 years ago
• pathtofile / Sealighter

  View on GitHub
  Sysmon-Like research tool for ETW
  ☆384Nov 15, 2022Updated 3 years ago
• ufrisk / MemProcFS-plugins

  View on GitHub
  ☆62Oct 12, 2024Updated last year
• Yamato-Security / EnableWindowsLogSettings

  View on GitHub
  Documentation and scripts to properly enable Windows event logs.
  ☆671Oct 3, 2025Updated 4 months ago
• andreafortuna / autotimeliner

  View on GitHub
  Automagically extract forensic timeline from volatile memory dump
  ☆132May 7, 2024Updated last year
• kacos2000 / WinEDB

  View on GitHub
  Windows.EDB Browser
  ☆60Mar 6, 2023Updated 2 years ago
• zodiacon / ProcMonXv2

  View on GitHub
  Process Monitor X v2
  ☆648Jan 22, 2024Updated 2 years ago
• DFIR-ORC / dfir-orc

  View on GitHub
  Forensics artefact collection tool for systems running Microsoft Windows
  ☆431Mar 26, 2025Updated 10 months ago
• XaFF-XaFF / Cronos-Rootkit

  View on GitHub
  Cronos is Windows 10/11 x64 ring 0 rootkit. Cronos is able to hide processes, protect and elevate them with token manipulation.
  ☆933Mar 29, 2022Updated 3 years ago
• airbus-cert / Winshark

  View on GitHub
  A wireshark plugin to instrument ETW
  ☆579Jan 28, 2022Updated 4 years ago
• rsa9000 / ntfsheurecovery

  View on GitHub
  NT File System (NTFS) recovery tool
  ☆22Jul 30, 2020Updated 5 years ago
• hasherezade / pe-sieve

  View on GitHub
  Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-mem…
  ☆3,553Oct 31, 2025Updated 3 months ago
• Velocidex / velociraptor

  View on GitHub
  Digging Deeper....
  ☆3,747Feb 5, 2026Updated last week
• WithSecureLabs / chainsaw

  View on GitHub
  Rapidly Search and Hunt through Windows Forensic Artefacts
  ☆3,440Oct 12, 2025Updated 4 months ago