Scrounge NTFS
Overview
Scrounge NTFS is a specialized data recovery and forensic analysis tool for NTFS file systems. It recovers deleted files, reconstructs file systems, and extracts data from unallocated clusters without requiring a working Windows system, which makes it useful for digital forensics, incident response, and authorized data recovery on NTFS drives.
Key Capabilities:
- Recover deleted files from NTFS partitions
- Reconstruct file systems from damaged partitions
- Extract data from unallocated space
- Parse NTFS metadata and file records
- Support for various NTFS versions and configurations
- Non-destructive read-only analysis
- Batch file recovery operations
Installation
From Source on Linux
```bash
# Clone or download source
git clone https://github.com/gnuthor/scrounge-ntfs.git
cd scrounge-ntfs
# Compile from source
gcc -o scrounge-ntfs scrounge-ntfs.c
# Or with optimization and warnings enabled
gcc -O2 -Wall -o scrounge-ntfs scrounge-ntfs.c
```
Via Package Manager
```bash
# Kali Linux (pre-installed)
scrounge-ntfs -h
# Debian/Ubuntu
apt-get update
apt-get install scrounge-ntfs
# Arch Linux
pacman -S scrounge-ntfs
```
Build from Source with Make
```bash
git clone https://github.com/gnuthor/scrounge-ntfs.git
cd scrounge-ntfs
make
sudo make install
```
Verify Installation
```bash
scrounge-ntfs
scrounge-ntfs -h
which scrounge-ntfs
```
Basic Usage
Analyze NTFS Partition
```bash
# Analyze an NTFS partition (read-only)
scrounge-ntfs /dev/sda1
# Analyze a disk image file
scrounge-ntfs ntfs_image.dd
# Specify an output directory
scrounge-ntfs -o /tmp/recovered /dev/sda1
```
List Recoverable Files
```bash
# List all recoverable files from the partition
scrounge-ntfs /dev/sda1 | head -50
# Count total recoverable files
scrounge-ntfs /dev/sda1 | wc -l
```
Recover Specific File
```bash
# Recover a file by inode number
scrounge-ntfs -r 42 /dev/sda1 > recovered_file.bin
# Recover multiple files
for inode in 42 43 44; do
  scrounge-ntfs -r "$inode" /dev/sda1 > "file_$inode.bin"
done
```
Common scrounge-ntfs Commands
| Command | Purpose |
|---|---|
| DEVICE | NTFS device or image file (required) |
| -h | Display help message |
| -o DIR | Output directory for recovered files |
| -r INODE | Recover specific file by inode number |
| -i | List inodes (file records) |
| -a | Recover all files (batch mode) |
| -e | Extract unallocated space |
| -s | Safe mode (slower, more thorough) |
| -v | Verbose output |
| -d | Enable debug messages |
Understanding NTFS Structure
NTFS File System Layout
```text
Boot Sector
├── MBR / Partition Table
├── Volume Boot Record
├── MFT (Master File Table)
│   ├── File Records
│   ├── Directory Entries
│   └── Attribute Lists
├── Data Runs
├── Unallocated Space
└── File Data
```
MFT File Records
```bash
# NTFS stores file metadata in the MFT
# Each file has a file record number (inode equivalent)
# Deleted files may still have recoverable MFT entries
# List MFT entries
scrounge-ntfs -i /dev/sda1
# Parse MFT structure
scrounge-ntfs -v /dev/sda1
```
Forensic Analysis Workflow
Step 1: Identify NTFS Partition
```bash
# List partitions on the system
fdisk -l /dev/sda
# Or using parted
parted /dev/sda print
# Identify NTFS partitions
lsblk -f | grep -i ntfs
```
Step 2: Mount as Read-Only (Optional)
```bash
# Create mount point
mkdir /mnt/ntfs_evidence
# Mount read-only for analysis (if not using the raw device)
mount -o ro /dev/sda1 /mnt/ntfs_evidence
# Or analyze the raw device directly
scrounge-ntfs /dev/sda1
```
Step 3: Create Disk Image
```bash
# Create forensic image (preserves evidence)
dd if=/dev/sda1 of=ntfs_image.dd bs=4096
# Or with a progress indicator
dd if=/dev/sda1 of=ntfs_image.dd bs=4096 status=progress
# For media with read errors, prefer ddrescue (see Troubleshooting), since dd aborts on the first bad sector
# Record image hash for integrity verification
md5sum ntfs_image.dd > ntfs_image.dd.md5
# Analyze from the image instead of the live device
scrounge-ntfs ntfs_image.dd
```
Step 4: Analyze File System
```bash
# List all files and file records
scrounge-ntfs -v ntfs_image.dd > file_listing.txt
# Count recoverable files
scrounge-ntfs -v ntfs_image.dd | grep "^[0-9]" | wc -l
# Extract specific file details
grep "deleted\|unallocated" file_listing.txt
```
Step 5: Recover Files of Interest
```bash
# Create recovery directory
mkdir -p /tmp/recovered_files
# Recover all files into the directory, with verbose output
scrounge-ntfs -o /tmp/recovered_files -v ntfs_image.dd
# Examine recovered files
ls -la /tmp/recovered_files/
file /tmp/recovered_files/*
```
Practical Examples
Basic File Recovery
```bash
# Recover all files from the NTFS partition
scrounge-ntfs -o /tmp/recovery /dev/sda1
# Check recovered files
ls /tmp/recovery/
du -sh /tmp/recovery/
```
Recover Deleted Documents
```bash
# Search for deleted office documents
scrounge-ntfs /dev/sda1 | grep -E "\.doc|\.xlsx|\.pptx|\.pdf"
# Recover, then select specific document types
scrounge-ntfs -o /tmp/docs /dev/sda1
find /tmp/docs -name "*.pdf" -o -name "*.doc*"
```
Unallocated Space Analysis
```bash
# Extract unallocated space (may contain deleted file data)
scrounge-ntfs -e /dev/sda1 > unallocated.bin
# Look for printable content
strings unallocated.bin | head -100
# Search for keywords
strings unallocated.bin | grep -i "password\|secret\|admin"
```
Carving for File Types
```bash
# Use foremost to carve specific file types from the extracted data
foremost -i unallocated.bin -o /tmp/carved
# Or use scalpel (needs a config file with the wanted types uncommented)
scalpel -c scalpel.conf unallocated.bin -o /tmp/carved
# Find specific file types
find /tmp/carved -type f \( -name "*.jpg" -o -name "*.png" \)
```
Detailed File Recovery
Recover by Inode Number
```bash
# First, get a list of inodes with details
scrounge-ntfs -i /dev/sda1 > inode_list.txt
# View the inode list
head -20 inode_list.txt
# Extract a specific inode
scrounge-ntfs -r 5 /dev/sda1 > recovered_file_5.bin
# Identify the file type
file recovered_file_5.bin
```
Batch Recovery with Script
```bash
# Create recovery script
cat > bulk_recover.sh << 'EOF'
#!/bin/bash
DEVICE=$1
OUTPUT_DIR=$2
mkdir -p "$OUTPUT_DIR"
# Get list of inodes; first field of each line is the inode number
scrounge-ntfs -i "$DEVICE" | while read -r line; do
  INODE=$(echo "$line" | awk '{print $1}')
  if [ -n "$INODE" ]; then
    scrounge-ntfs -r "$INODE" "$DEVICE" > "$OUTPUT_DIR/file_$INODE.bin"
    echo "Recovered inode $INODE"
  fi
done
EOF
chmod +x bulk_recover.sh
./bulk_recover.sh /dev/sda1 /tmp/recovered/
```
Verify File Integrity
```bash
# Calculate checksums for recovered files
cd /tmp/recovered_files
md5sum * > recovered.md5
# Verify integrity later
md5sum -c recovered.md5
# Check for file consistency
file * | sort | uniq -c
```
NTFS-Specific Techniques
Analyze Master File Table (MFT)
```bash
# The MFT contains metadata for all files
# The first file record (0) is the MFT itself
scrounge-ntfs -r 0 /dev/sda1 > MFT.bin
# Analyze MFT structure
hexdump -C MFT.bin | head -50
```
Extract File Names from MFT
```bash
# Deleted file names may remain in unallocated space and in the MFT
strings unallocated.bin | grep -E "\.[a-z]{2,4}$"
# Extract from the recovered MFT; NTFS names are UTF-16LE, so also scan 16-bit strings (-e l)
strings -e l MFT.bin | grep -v "^[[:space:]]*$" | sort -u
```
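The two sections above (reading the MFT and pulling file names out of it) rely on `strings`, which cannot tell a live record from a deleted one. The following added example, written for this page and not part of scrounge-ntfs, parses one 1024-byte MFT FILE record as found in `MFT.bin`: it applies the update-sequence fixup, reads the in-use flag that separates live from deleted records, and decodes the UTF-16LE `$FILE_NAME` plus any resident `$DATA`. It assumes the NTFS defaults of 1024-byte records and 512-byte sectors; the sample record is constructed inside the block.

```python
import struct
MFT_RECORD_SIZE, SECTOR = 1024, 512  # NTFS defaults; adjust if the volume differs
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(raw):
    """Undo the update-sequence fixup: on disk each sector's last word holds the USN."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):  # displaced words are saved in the update sequence array
        if rec[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % i)
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(raw):
    """Return record number, in-use/deleted state, $FILE_NAME and any resident $DATA."""
    if raw[:4] != b"FILE":
        return None  # empty, BAAD or slack: not a file record
    rec = apply_fixups(raw)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "directory": bool(flags & 2), "name": None, "resident_data": None}
    while off + 0x18 <= len(rec):
        atype, alen, nonresident, name_len = struct.unpack_from("<IIBB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonresident:  # resident attribute: content is stored inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_FILE_NAME:  # UTF-16LE name, length in chars at 0x40
                info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
            elif atype == ATTR_DATA and name_len == 0:  # unnamed stream = file content
                info["resident_data"] = content
        off += alen
    return info

def build_record(name, data, in_use, record_no=42):  # constructed test record, not from a real disk
    def attr(atype, content):  # resident attribute header (0x18 bytes) + 8-byte-aligned body
        body = content + b"\0" * (-len(content) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body), 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + body
    fn = b"\0" * 0x40 + bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = attr(ATTR_FILE_NAME, fn) + attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use), 0x38 + len(attrs), MFT_RECORD_SIZE, 0, 0, 0, record_no)
    rec = bytearray(hdr + b"\x07\x00" + b"\0" * 6 + attrs).ljust(MFT_RECORD_SIZE, b"\0")
    for i in (1, 2):  # stamp USN 0x0007 at each sector end, saving the displaced words in the USA
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[i * SECTOR - 2:i * SECTOR] = rec[i * SECTOR - 2:i * SECTOR], b"\x07\x00"
    return bytes(rec)

SAMPLE_DATA = b"%PDF-1.7\n" + b"A" * 400  # constructed sample; 409 bytes so $DATA crosses the sector boundary
SAMPLE_RECORD = build_record("report.pdf", SAMPLE_DATA, in_use=False)  # deleted: in-use flag clear
```

To scan a real `MFT.bin`, read it in 1024-byte chunks and call `parse_mft_record` on each; records with `in_use` False are deletion candidates whose name survives even if the non-resident data has already been overwritten.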
Recover Files by Extension
```bash
# Create script to recover specific file types
cat > recover_by_type.sh << 'EOF'
#!/bin/bash
DEVICE=$1
EXT=$2
scrounge-ntfs -v "$DEVICE" | grep -i "\.$EXT" | while read -r line; do
  INODE=$(echo "$line" | awk '{print $1}')
  if [ -n "$INODE" ]; then
    scrounge-ntfs -r "$INODE" "$DEVICE" > "recovered_$INODE.$EXT"
  fi
done
EOF
chmod +x recover_by_type.sh
./recover_by_type.sh /dev/sda1 pdf
```
Integration with Other Forensic Tools
Use with Sleuth Kit
```bash
# List files, including deleted entries, with Sleuth Kit's fls
fls -r /dev/sda1 | head -50
# Combine with scrounge-ntfs for comprehensive recovery
scrounge-ntfs /dev/sda1 > scrounge_results.txt
fls -r /dev/sda1 > fls_results.txt
```
Use with Autopsy
```bash
# Import the NTFS image into Autopsy
autopsy
# Configure the data source as an NTFS image
# Set input image: ntfs_image.dd
# Use Autopsy's file recovery alongside scrounge-ntfs results
```
Use with PhotoRec
```bash
# PhotoRec is powerful for carving deleted files
photorec /d /tmp/recovery ntfs_image.dd
# Or automated mode
photorec /b /tmp/recovery ntfs_image.dd
```
Creating Forensic Reports
Document Recovery Results
```bash
# Create forensic report (the EOF delimiter is unquoted so that $(...) expands)
cat > forensic_report.txt << EOF
FORENSIC ANALYSIS REPORT
========================
Evidence: /dev/sda1
Date: $(date)
Analyst: [Your Name]
Chain of Custody: [Details]
PARTITION ANALYSIS
- File System: NTFS
- Size (bytes): $(blockdev --getsize64 /dev/sda1)
- Sectors (512-byte): $(blockdev --getsz /dev/sda1)
RECOVERY SUMMARY
- Total Files Located: $(scrounge-ntfs /dev/sda1 | wc -l)
- Files Recovered: [Count]
- Data Recovered: $(du -sh /tmp/recovered/ | cut -f1)
FILES OF INTEREST
$(find /tmp/recovered -name "*.pdf" -o -name "*.doc*" | head -20)
FINDINGS
[Analysis of recovered files]
RECOMMENDATIONS
[Security improvements and next steps]
EOF
```
Hash All Recovered Files
```bash
# Create hash manifest for chain of custody
cd /tmp/recovered_files
find . -type f -exec md5sum {} \; > recovery_manifest.md5
# Create a SHA-256 hash list for integrity verification
sha256sum * > recovery_manifest.sha256
# Store with the forensic report
mkdir -p /tmp/forensic_report
cp recovery_manifest.* /tmp/forensic_report/
```
Troubleshooting
Device Not Found
```bash
# Verify the device exists
ls -la /dev/sda1
# Check if already mounted
mount | grep /dev/sda1
# Unmount if necessary
umount /dev/sda1
# Run as root if permission denied
sudo scrounge-ntfs /dev/sda1
```
Partition Not Recognized
```bash
# Verify NTFS filesystem
file -s /dev/sda1
# Should show "NTFS" in the output
# If not NTFS, check the partition type
fdisk -l /dev/sda | grep sda1
# Verify sector size
blockdev --getss /dev/sda1
```
Read Errors
```bash
# Enable verbose/debug output
scrounge-ntfs -v /dev/sda1
# Try safe mode (slower)
scrounge-ntfs -s /dev/sda1
# If the media or image is damaged, try different tools
testdisk /dev/sda1                            # Partition recovery
ddrescue /dev/sda1 recovery.img recovery.map  # Bad sector handling; the mapfile allows resuming
```
Low Disk Space
```bash
# Check available space for recovery
df -h /tmp/
# Recover to an external drive
scrounge-ntfs -o /mnt/external_drive /dev/sda1
# Stream the compressed listing to USB or network storage
scrounge-ntfs /dev/sda1 | gzip > /mnt/usb/scrounge_listing.txt.gz
```
Performance Optimization
Speed Up Recovery
```bash
# Use a larger block size for faster I/O
# (depends on scrounge-ntfs version)
# Parallelize recovery: feed inode numbers to GNU parallel, one output file per inode
scrounge-ntfs -i /dev/sda1 | awk '{print $1}' | parallel -j4 'scrounge-ntfs -r {} /dev/sda1 > file_{}.bin'
# Measure raw read throughput of the device (pv does not hook into scrounge-ntfs itself)
pv -N "Recovery" < /dev/sda1 > /dev/null
```
Handle Large Partitions
```bash
# For very large partitions, split the recovery
# Recover metadata first
scrounge-ntfs -i /dev/sda1 > metadata.txt
# Then recover files in batches
head -100 metadata.txt | awk '{print $1}' | while read -r inode; do
  scrounge-ntfs -r "$inode" /dev/sda1 > "file_$inode.bin"
done
```
Best Practices
Chain of Custody
```bash
# Document everything
cat > chain_of_custody.txt << 'EOF'
Evidence ID: NTFS_001
Description: Dell XPS Laptop Hard Drive - /dev/sda1
Date Acquired: 2026-05-02
Examiner: [Name]
Hash (MD5): [Calculate before analysis]
Hash (SHA-256): [Calculate before analysis]
Seal: [Document]
EOF
```
Non-Destructive Analysis
- Always analyze forensic copies, not original evidence
- Use read-only mounts and devices
- Document all tools and parameters used
- Maintain copies of all results
Comprehensive Documentation
```bash
# Log all commands executed
script forensic_session.log
# ... run all recovery commands ...
exit
# Review the session log
cat forensic_session.log
```
Legal Considerations
- Only perform recovery on systems you own or have authorization to analyze
- Follow proper chain of custody procedures
- Maintain confidentiality of recovered sensitive data
- Document all findings and methodologies
- Comply with local laws regarding data handling and privacy
Additional Resources
- NTFS File System Structure Documentation
- Digital Forensics Standards (NIST, SWGIT)
- Evidence Handling and Chain of Custody Procedures
- File Carving and Recovery Tools