ToolsHive/CCFA

🕵️‍♂️ Certified Computer Forensic Analyst (CCFA)


Welcome to the Certified Computer Forensic Analyst (CCFA) repository — a curated collection of notes, methodologies, procedures, and resources for mastering digital forensics and preparing for professional forensic analysis in real-world environments.

This repository serves as both a personal knowledge base and a practical toolkit, designed to support learning, research, and reference in the field of computer forensics and cybersecurity investigations.

🛠️ Tools and Usage

This repository contains various PowerShell scripts and resources to assist with forensic analysis and digital investigations.
Each script is self-contained with its own purpose, workflow, and usage details.

📂 Scripts

🔍 NTFS $MFT & $MFTMirr Analysis (MFT.ps1)

This script automates the process of analyzing NTFS Master File Table ($MFT) and $MFTMirr files using Eric Zimmerman's MFTECmd.

Features:

  • Automatically downloads and installs MFTECmd if not already present
  • Ensures the tool’s directory is added to the system PATH
  • Prompts the user to choose between analyzing $MFT or $MFTMirr
  • Accepts user-provided file paths
  • Generates structured CSV output for further analysis
  • Runs with administrative privileges when required

Workflow:

  1. Extract $MFT or $MFTMirr
    Use a forensic imaging tool such as FTK Imager to extract the $MFT or $MFTMirr file from the disk image.

  2. Download the Script
    Download MFT.ps1 from GitHub.

  3. Set Execution Policy
    Open PowerShell (Run as Administrator) and allow script execution:

    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

  4. Unblock the File
    If you downloaded the script, unblock it to avoid security restrictions:

    Unblock-File .\MFT.ps1

  5. Run the Script

    ./MFT.ps1

  6. Quick One-Liner Execution
    Run the script directly from GitHub without downloading:

    iex (iwr "https://raw.githubusercontent.com/ToolsHive/CCFA/refs/heads/main/MFT.ps1")
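
A variant of the one-liner that leaves a copy of the script on disk and checks it before running, added here as an example and not part of the CCFA repository. It downloads MFT.ps1, compares its SHA-256 against a value recorded after the script was reviewed, and only executes on a match. The `$ExpectedSha256` value is a placeholder and the `$Dest` path and the function name `Get-VerifiedScript` are assumptions.

```powershell
# Added example (not from the CCFA repository): fetch MFT.ps1 to disk,
# verify it against a hash recorded after manual review, then run it.
$ErrorActionPreference = 'Stop'

$Url  = 'https://raw.githubusercontent.com/ToolsHive/CCFA/refs/heads/main/MFT.ps1'
$Dest = Join-Path $env:TEMP 'MFT.ps1'   # assumed download location
# Placeholder: replace with the SHA-256 recorded when the script was reviewed.
$ExpectedSha256 = '<SHA256-OF-REVIEWED-MFT.ps1>'

function Get-VerifiedScript {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$Sha256
    )
    # Fail closed if the expected value was never filled in or is malformed.
    if ($Sha256 -notmatch '^[0-9A-Fa-f]{64}$') {
        throw 'Expected hash is not a 64-character hex SHA-256 value.'
    }
    # -UseBasicParsing avoids the Internet Explorer engine on Windows PowerShell 5.1.
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {          # -ne compares strings case-insensitively
        Remove-Item -Path $OutFile -Force
        throw "Hash mismatch: got $actual, expected $Sha256. File deleted."
    }
    return (Get-Item -Path $OutFile)
}

$script = Get-VerifiedScript -Uri $Url -OutFile $Dest -Sha256 $ExpectedSha256
# Record exactly what was executed, for the case notes.
Write-Host "Verified $($script.FullName) SHA256=$ExpectedSha256"
& $script.FullName
```

Because the URL points at `refs/heads/main`, the downloaded content changes whenever the branch does; a mismatch means the script needs to be reviewed again before the recorded hash is updated.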

🤝 Contributing

This is primarily a personal learning repository, but contributions are always welcome! Feel free to fork, adapt, or expand the material for your own studies or to help others.

If you’d like to contribute:

  1. Fork the repo
  2. Create a feature branch: git checkout -b <feature-name>
  3. Commit your changes
  4. Open a Pull Request

⚖️ License

This project is licensed under the MIT LICENSE.
