One item we hear repeatedly is a request to provide a GUI (Graphical User Interface) front end to some of the TZWorks command line tools. While we internally prefer command line tools for automated processing, we do have a handful of GUI based tools that we develop for internal use only, primarily for reversing and analyzing new artifacts. So we decided to take one of our internal tools, take out some of the more arcane options, and merge the backend processing with ntfswalk and some other tools to come up with gena.
The name gena is short for Graphical Engine for NTFS Analysis.
Along the way, we made some significant additions to ntfswalk as well, to allow gena to be used as a flexible tool for data extraction. (Note: gena only works with ntfswalk version 0.45 or above.) We also incorporated some capabilities from ntfscopy, ntfsdir, and wisp into gena. So while this write-up is about gena, there are references to some of these other tools throughout.
Similar to the other TZWorks tools that were mentioned, gena is designed to work with live (mounted) NTFS volumes. There is also functionality for traversing NTFS images, either (a) created with the dd utility or (b) contained in a monolithic volume made up of VMware VMDK files. Whether gena is being used for live incident response collection or to process an image in an off-line manner, there are options to filter on: (a) file extensions, (b) a timestamp range, (c) various binary signatures, (d) partial filenames and (e) directory contents. For the targeted files found, one can list the summary metadata, extract the header bytes of the file data, or extract the entire file contents into a designated directory.