Updated on Feb 17, 2025
Introduction:
In the intricate world of digital forensics, every byte of data tells a story. Within the NTFS file system, "$I30" files stand as silent witnesses, holding valuable insights into file and directory indexing.
Understanding "$I30" Files:
$I30 files function as indexes within NTFS directories, providing a structured layout of the files and subdirectories each directory contains. Each index entry carries a duplicate copy of the file's $FILE_NAME attribute, timestamps included, alongside the copy stored in the Master File Table (MFT), so they offer a second, independent view of that file metadata.
Utilizing "$I30" Files as Forensic Resources:
$I30 files provide an additional forensic avenue for accessing MACB timestamp data. Entries for deleted files often linger in the index's slack space, so their names and timestamps can frequently be recovered from these index files even after the files themselves are gone.
-------------------------------------------------------------------------------------------------------------
If you're into digital forensics, you've probably come across Joakim Schicht’s tools. They’re free, powerful, and packed with features for analyzing different forensic artifacts.
One such tool, Indx2Csv, is a lifesaver when it comes to parsing INDX records like $I30 (directory indexes), $O (object IDs), and $R (reparse points).
The cool thing about Indx2Csv is that it doesn’t just look at active records; it also digs up deleted entries that are still hanging around due to file system operations. Plus, it can even scan for partial entries, which means you might be able to recover metadata for deleted files or folders, even if their complete records are gone.

How Does Indx2Csv Work?
Indx2Csv processes INDX records that have been exported from forensic tools like FTK Imager or The Sleuth Kit’s icat. If you've used FTK Imager before, you might have seen files labeled as $I30 in directories. These aren’t actual files but representations of the $INDEX_ALLOCATION attribute for that directory. You can export them and analyze them with Indx2Csv.

Output (GUI mode of Indx2Csv): [screenshot not included]

If you're using The Sleuth Kit, you can extract the $INDEX_ALLOCATION attribute with this command:
icat DiskImage MFT#-160-AttributeID > $I30
(Just remember, the attribute type for $INDEX_ALLOCATION is always 160 in decimal.)
Once you’ve got the file, running Indx2Csv is straightforward:
Indx2Csv.exe -i exported_I30_file -o output.csv
Indx2Csv has several command-line options for tweaking how it scans and outputs data. You can check out the tool’s GitHub page for a complete list of commands.
-------------------------------------------------------------------------------------------------------------
Alternative Tools: Velociraptor & INDXparse.py
While Indx2Csv is great, it’s not the only tool in the game. Here are two other options worth mentioning:
Velociraptor
Velociraptor is an advanced threat-hunting and incident response tool that can also be used for forensic analysis. Unlike Indx2Csv, which works with exported INDX files, Velociraptor can analyze live file systems and mounted volumes. That means you don’t have to manually locate and export the $I30 file—just point Velociraptor to a directory, and it’ll handle the rest.
For example, if you've mounted a disk image and want to analyze the directory, you can run:
velociraptor.exe artifacts collect Windows.NTFS.I30 --args \
DirectoryGlobs="<Directory Name> <\\Windows\\Dean\\>" --format=csv --nobanner > C:\output\I30-Dean.csv
This will save both active and deleted entries in a CSV file, which you can then analyze with Timeline Explorer or any spreadsheet app.
INDXparse.py
Another great option is INDXparse.py, a Python-based tool created by Willi Ballenthin. Like Indx2Csv, it focuses on $I30 index files, but since it's written in Python, it works on multiple operating systems, not just Windows.
Collection:
You can use FTK Imager to collect artifacts like $I30.
Parsing:
INDXParse-master can be used for parsing:
The screenshot below is an example of INDXParse-master: [screenshot not included]
You can use the -c or -d parameter depending on your needs.
Note: To use INDXParse-master you need to have Python installed on Windows, as I have done, so it's easy for me.
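To make concrete what these parsers are doing under the hood, here is an added example of my own (not code from Indx2Csv or INDXparse.py). It builds a constructed $I30 record with a valid fixup array, undoes the fixups, walks the active entries, then simulates an NTFS deletion of the last entry and carves the orphaned $FILE_NAME record back out of index slack. The file names, MFT record numbers and the FILETIME value are all made up; the structure offsets follow the on-disk INDX layout.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime(ft): return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)  # 100 ns ticks
def read_filename(b, p):  # decode a $FILE_NAME attribute at offset p, or None if the bytes don't look like one
    name_len, ns = b[p + 64], b[p + 65]
    if not name_len or ns > 3 or p + 66 + 2 * name_len > len(b): return None
    parent, *ts = struct.unpack_from("<QQQQQ", b, p)            # parent ref, then created, modified, MFT-modified, accessed
    if not all(t < 1 << 61 and 1980 <= filetime(t).year <= 2100 for t in ts): return None  # carving sanity check
    name = b[p + 66:p + 66 + 2 * name_len].decode("utf-16-le", "replace")
    if not name.isprintable(): return None
    return dict(name=name, parent_mft=parent & 0xFFFFFFFFFFFF, crtime=filetime(ts[0]),
                mtime=filetime(ts[1]), mft_mtime=filetime(ts[2]), atime=filetime(ts[3]))
def parse_indx(buf):  # undo fixups, walk the active entries, then carve $FILE_NAME records out of index slack
    b, (fixup_off, count) = bytearray(buf), struct.unpack_from("<HH", buf, 4)
    for s in range(1, count):                                   # each sector ends with the USN; restore the originals
        if b[s * 512 - 2:s * 512] != b[fixup_off:fixup_off + 2]: raise ValueError("fixup mismatch (torn write?)")
        b[s * 512 - 2:s * 512] = b[fixup_off + 2 * s:fixup_off + 2 * s + 2]
    first, used, alloc = struct.unpack_from("<III", b, 0x18)    # index node header: entry offset, used, allocated
    active, pos = [], 0x18 + first
    while pos < 0x18 + used:
        ref, length, _, flags = struct.unpack_from("<QHHI", b, pos)
        if flags & 2: break                                     # terminating 'last entry' marker
        active.append(dict(read_filename(b, pos + 16) or {}, mft=ref & 0xFFFFFFFFFFFF))
        pos += length
    slack = [e for p in range(0x18 + used, 0x18 + alloc - 66, 8) if (e := read_filename(b, p))]
    return active, slack

def build_entry(name, mft_ref, ft):  # constructed entry: 16-byte header + $FILE_NAME whose parent is the root (MFT 5)
    fn = struct.pack("<QQQQQQQIIBB", 5, ft, ft, ft, ft, 0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    length = (16 + len(fn) + 7) & ~7                            # entries are 8-byte aligned
    return struct.pack("<QHHI", mft_ref, length, len(fn), 0) + fn.ljust(length - 16, b"\0")
LAST = struct.pack("<QHHI", 0, 16, 0, 2)                        # empty terminating entry
def build_indx(entries, size=1024):  # constructed INDX record with a valid fixup array (not data from a real disk)
    sectors, body = size // 512, b"".join(entries)
    first = (0x28 + 2 * (sectors + 1) + 7) & ~7                 # entries start after the fixup array, 8-byte aligned
    hdr = b"INDX" + struct.pack("<HHQQIIII", 0x28, sectors + 1, 0, 0, first - 0x18, first - 0x18 + len(body), size - 0x18, 0)
    buf = bytearray((hdr.ljust(first, b"\0") + body).ljust(size, b"\0"))
    buf[0x28:0x28 + 2 * (sectors + 1)] = b"\1\0" + b"".join(bytes(buf[s * 512 - 2:s * 512]) for s in range(1, sectors + 1))
    for s in range(1, sectors + 1): buf[s * 512 - 2:s * 512] = b"\1\0"   # stamp USN 1 onto every sector end
    return bytes(buf)
def demo():  # two files, then delete the second as NTFS does: LAST slides over its header and 'used' shrinks
    t = 133_000_000_000_000_000                                 # constructed FILETIME = 2022-06-18T04:26:40Z
    a = build_entry("quarterly-report.docx", (1 << 48) | 0x5A, t)
    buf = bytearray(build_indx([a, build_entry("notes.txt", (1 << 48) | 0x5B, t), LAST]))
    pos_b = 0x18 + struct.unpack_from("<I", buf, 0x18)[0] + len(a)
    buf[pos_b:pos_b + 16] = LAST
    struct.pack_into("<I", buf, 0x1C, pos_b + 16 - 0x18)
    return parse_indx(bytes(buf))                               # active: quarterly-report.docx; slack: notes.txt
```

The carved entry has lost its 16-byte header (and with it the MFT record number), which is exactly why tools like INDXparse.py report deleted entries with fewer fields than active ones.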
Wrapping Up
Indx2Csv is a powerful, easy-to-use tool for forensic investigators who need to dig into INDX records. Whether you’re analyzing active files, recovering deleted entries, or scanning for hidden metadata, it gets the job done. And if you need alternatives, Velociraptor and INDXparse.py offer additional flexibility for different situations.
So, if you haven’t tried Indx2Csv yet, give it a shot—you might be surprised at what you uncover!
--------------------------------------------Dean--------------------------------------------