BusKill Tutorial: Self Destructing Laptop Storage
#buskill #encryption #crypto #storage #forensics #antiforensics #HDD #infosec #cybersecurity #datarecovery #luks #encrypted #harddrive #privacy #security #educational
Watch On #Peertube:
🔥🪄 Obliviate Shredder 💀 is a secure anti-forensics tool that obliterates files and folders beyond recovery. Inspired by the "Obliviate" spell from Harry Potter, this tool ensures that no digital trace remains after shredding.
Check it out: https://github.com/tsumarios/Obliviate-Shredder
#cybersecurity #privacy #antiforensics #shred #digitaltraces #python #script
LummaC2: Obfuscation Through Indirect Control Flow:
#reverseengineering #informationsecurity #cybersecurity #assembly #antiforensics #blueteam
Check out my latest blog post!
(Gen)AI4CySeC
#cybersecurity #security #infosec #DFIR #malwareanalysis #resource #research #antiforensics #AI #GenAI #LLM #ML #ChatGPT
I have heard reports that more electronic devices belonging to sensitive individuals are being confiscated by the police; this looks like some new mode of handling cases.
📌 A reminder to new members of the dissident community: seek security assistance from the most trusted sources around you, regardless of whether you have already been targeted by the police, because many security measures must be prepared in advance.
The mind map above is a basic framework that everyone needs to understand.
If you are a security technology enthusiast, or would like to become a trainer, you may want to dig deeper into forensic techniques.
Here are some forensic and anti-forensic tools and resources that were published previously:
1. https://t.me/iyouport/12796
2. https://t.me/iyouport/12797
3. https://t.me/iyouport/12798
4. https://t.me/iyouport/12799
5. https://t.me/iyouport/12800
6. https://t.me/iyouport/12801
The security training materials we are preparing for the frontline community are in production.
#AntiForensics #tools #tips #数字安全 #前线 #DigitalSecurity #Frontline
📌 Forensic and anti-forensic tools and resources: below is a summary of some anti-forensic tools and knowledge resources. "Anti-forensics" means: first, make sure they cannot find you; and even if they do find you, they cannot prove that you are the person they are looking for. The content compiled below is mainly for PC anti-forensics; the resource entries include tools and technical principles for mobile devices.
📌 In case you missed it:
- "If your phone is stolen or seized by the police..." https://iyouport.substack.com/p/a5e
- "How to use a few settings to limit the damage from an iPhone being stolen or seized by the police" https://iyouport.substack.com/p/iphone-d80
- "How to make your iPhone thief-resistant" https://iyouport.substack.com/p/-iphone--a57
- "How to keep your Android device safe from the police" https://iyouport.substack.com/p/-android-
And:
- "Digital forensics is proliferating: what data can the government extract from your phone?" https://iyouport.substack.com/p/26c?s=w
- "What does it look like when the police search a phone? Mobile device forensics from a technical perspective" https://iyouport.substack.com/p/--4f1?s=w
- "The secret technique that lets government agencies extract huge amounts of data from the apps you use: cloud forensics" https://iyouport.substack.com/p/lr--155
- "How the police might recover your deleted internet browsing history" https://iyouport.substack.com/p/694?s=w
#AntiForensics #tools #tips
A small collection of anti-forensics tools
https://github.com/DrayNeur/f-forensic
https://github.com/franckferman/SATAN2_Cleaner
https://github.com/BusKill/awesome-buskill-triggers
https://github.com/gandalfb/openmediavault-full-disk-encryption
https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook
And a very short article
Use the following commands to perform the previously described actions.
⚙️ Recovery of deleted files (--recover) from volume D (--drive d, indicating the output path where the timestamped directory is saved), --outfile path (if we want to save it there, nothing needs to be written after the --outfile argument):
ANTfs.exe --drive d --recover --outfile X:\ZeroForensics
⚙️ To erase the record from the system, use the following command (the --wipe argument clears the file's record):
ANTfs.exe --drive c --wipe file_to_delete
Summing up, I would like to say that although the project is no longer supported, it works quite well despite the use of the driver (which, in principle, is not bad); for those who are really interested in using the project, I advise you to look at the artifacts generated while it runs (not a big homework assignment).
It works as follows:
💾 a volume descriptor is created
💾 next comes the reading of the MFT (https://learn.microsoft.com/en-us/windows/win32/medfound/basic-mft-processing-model) (examples of MFT parsers: MFTECmd (https://github.com/EricZimmerman/MFTECmd), MFT_Browser (https://github.com/kacos2000/MFT_Browser) and Analyze MFT (https://github.com/dkovar/analyzeMFT))
💾 each file entry in the MFT(s) is iterated over, checking the allocation bit
💾 if the record is not allocated, it is processed.
The user can recover data from the system without it, but in order to erase data, you will need the driver described earlier.
⚠️ The contents of the Recycle Bin are ignored!
To erase a record from the system, you first need to install the driver:
sc create antfs binPath= <path/to/driver>/antfs_driver.sys type= kernel
sc start antfs
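The MFT walk described above (iterate over each FILE record, check the allocation bit, process the unallocated ones) as an added Python example; it is not part of the original post or the ANTfs project. It builds constructed $MFT records with the update-sequence (fixup) array left empty, so a real $MFT image needs the fixups applied before parsing.

```python
import struct

MFT_RECORD_SIZE = 1024
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001      # bit 0 of the FILE record flags: record is allocated
FLAG_DIRECTORY = 0x0002   # bit 1: record describes a directory

def build_record(name, in_use, directory=False):
    """Construct a minimal NTFS FILE record with one resident $FILE_NAME attribute.
    Constructed sample data: no fixup array (usa_count = 0), timestamps left zero."""
    value = b"\x00" * 0x40 + bytes([len(name), 3]) + name.encode("utf-16-le")
    attr_len = (0x18 + len(value) + 7) & ~7                    # resident header is 0x18 bytes, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0, 0, 0, len(value), 0x18, 0, 0)
    attr = (attr + value).ljust(attr_len, b"\x00")
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    used = 0x38 + attr_len + 8
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 0, 0, 1, 1, 0x38, flags,
                      used, MFT_RECORD_SIZE, 0, 0, 0, 0)
    return (hdr.ljust(0x38, b"\x00") + attr + struct.pack("<I", ATTR_END)).ljust(MFT_RECORD_SIZE, b"\x00")

def parse_record(rec):
    """Read the allocation flags and the $FILE_NAME name from one FILE record; None if the slot is unused."""
    if rec[:4] != b"FILE":
        return None                                            # zeroed slot or a BAAD (damaged) record
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY), "name": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:     # resident $FILE_NAME
            vlen, voff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + voff: off + voff + vlen]
            info["name"] = body[0x42: 0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info

def find_unallocated(mft):
    """Return (record number, name) for every record whose in-use bit is clear:
    these deleted-file slots are what a recovery tool processes."""
    hits = []
    for n in range(len(mft) // MFT_RECORD_SIZE):
        info = parse_record(mft[n * MFT_RECORD_SIZE:(n + 1) * MFT_RECORD_SIZE])
        if info and not info["in_use"]:
            hits.append((n, info["name"]))
    return hits

# Constructed four-record $MFT: two live entries, two deleted ones.
SAMPLE_MFT = b"".join([build_record("notes.txt", True), build_record("report.docx", False),
                       build_record("Photos", True, directory=True), build_record("old.log", False)])
```

Walking a real $MFT the same way, but in a defensive context, shows which deleted names remain visible until their slots are reused, which is exactly what a wiping tool must overwrite to leave no trace.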