ntfs-mft
Retrieve file path and name, file size, allocated size, creation/modification/access times, and directory flags from an NTFS master file table (MFT) file. Using the retrieved data, you can analyze the entire file and folder structure, extract deleted files or folders, and browse hidden information in alternate data streams (ADS).
Syntax
ntfs-mft [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
- Path to the NTFS MFT file. Using a wildcard (*) in the file name, you can retrieve all files whose names contain a specific string pattern (e.g. D:\data\NTFS\*). If you provide the zippath option, give the path of the NTFS MFT file inside the ZIP file.
Optional Parameter
zipcharset=CHARSET
- Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use a preferred MIME name or alias registered in the following document: http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
- Path to the ZIP file
Description
The output fields are as follows:
Field | Type | Description |
---|---|---|
no | Integer | File number |
file_name | String | File name |
file_path | String | File path |
file_size | Integer | File size |
alloc_size | Integer | Allocated size |
in_use | Boolean | In-use flag |
is_dir | Boolean | Directory flag |
link_count | Integer | Number of hard links referencing the file |
created_at | Date | Creation time of the $FILE_NAME attribute |
modified_at | Date | Last modification time of the $FILE_NAME attribute |
access_at | Date | Last access time of the $FILE_NAME attribute |
mft_modified_at | Date | Last MFT modification time of the $FILE_NAME attribute |
std_created_at | Date | Creation time of the $STANDARD_INFORMATION attribute |
std_modified_at | Date | Last modification time of the $STANDARD_INFORMATION attribute |
std_access_at | Date | Last access time of the $STANDARD_INFORMATION attribute |
std_mft_modified_at | Date | Last MFT modification time of the $STANDARD_INFORMATION attribute |
is_readonly | Boolean | Read-only flag |
is_hidden | Boolean | Hidden flag |
is_system | Boolean | System flag |
is_archive | Boolean | Archive flag |
is_device | Boolean | Device flag |
is_normal | Boolean | Normal flag |
is_temp | Boolean | Temporary flag |
is_sparse | Boolean | Sparse file flag |
is_reparse | Boolean | Reparse point flag |
is_compressed | Boolean | Compression flag |
is_offline | Boolean | Offline flag |
is_indexed | Boolean | Index flag |
is_encrypted | Boolean | Encryption flag |
lsn | Integer | Log sequence number |
seq | Integer | Sequence number |
file_ref | Integer | File reference |
parent_file_ref | Integer | Parent file reference |
parent_no | Integer | Parent file number |
Usage
- Retrieve information by providing the file path.
  ntfs-mft D:\data\NTFS\test_MFT
- Retrieve information when the zippath option is provided.
  ntfs-mft zippath=D:\data\NTFS.zip NTFS\test_MFT
- Load the list of deleted hidden files.
  ntfs-mft D:\data\NTFS\test_MFT | search not(in_use) and not(is_dir) and is_hidden
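The following Python script is an added example, not part of the ntfs-mft command or its documentation. It shows what an analyst typically does with rows shaped like the output table above once they have been exported: rebuild full paths by walking the parent_no links (to cross-check file_path and spot orphaned entries whose parent directory record is gone), apply the same "deleted hidden files" filter as the last usage example, and flag records whose $STANDARD_INFORMATION creation time precedes the $FILE_NAME creation time, a common timestomping indicator because $STANDARD_INFORMATION times can be set from user mode while $FILE_NAME times are written by the kernel. The rows are constructed sample data; the assumption that the root directory is MFT entry 5 with parent_no pointing to itself is the reviewer's, not something the page states.

```python
"""Post-process ntfs-mft style rows: rebuild paths, list deleted hidden
files, and flag $SI/$FN timestamp inconsistencies.
Added example; rows below are constructed, not real ntfs-mft output."""
from datetime import datetime, timezone

ROOT_NO = 5  # assumption: MFT entry 5 is the volume root directory


def ts(s):
    """Parse an ISO-8601 string into a UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def rec(no, name, parent_no, *, is_dir=False, in_use=True, is_hidden=False,
        fn="2023-01-10T09:00:00", si=None):
    """Build one constructed row using the ntfs-mft field names.
    fn = $FILE_NAME creation time, si = $STANDARD_INFORMATION creation
    time (defaults to fn, i.e. consistent timestamps)."""
    return {"no": no, "file_name": name, "parent_no": parent_no,
            "is_dir": is_dir, "in_use": in_use, "is_hidden": is_hidden,
            "created_at": ts(fn), "std_created_at": ts(si or fn)}


# Constructed sample rows (not from a real MFT).
ROWS = [
    rec(5, ".", 5, is_dir=True),                                # root, parent is itself
    rec(64, "Windows", 5, is_dir=True),
    rec(65, "Temp", 64, is_dir=True),
    rec(300, "service.exe", 65, si="2015-07-10T12:00:00"),      # $SI predates $FN
    rec(301, "update.bin", 65, in_use=False, is_hidden=True),   # deleted + hidden
    rec(302, "readme.txt", 65),
]


def build_paths(rows):
    """Map each record number to a full path rebuilt from parent_no links."""
    by_no = {r["no"]: r for r in rows}
    paths = {}
    for r in rows:
        parts, cur, seen = [], r, set()
        while cur["no"] != ROOT_NO and cur["parent_no"] != cur["no"]:
            if cur["no"] in seen:              # corrupt or cyclic parent chain
                parts.append("<cycle>")
                break
            seen.add(cur["no"])
            parts.append(cur["file_name"])
            parent = by_no.get(cur["parent_no"])
            if parent is None:                 # parent record missing: orphan
                parts.append("<orphan:%d>" % cur["parent_no"])
                break
            cur = parent
        paths[r["no"]] = "\\" + "\\".join(reversed(parts))
    return paths


def deleted_hidden_files(rows):
    """Same filter as: search not(in_use) and not(is_dir) and is_hidden."""
    paths = build_paths(rows)
    return [paths[r["no"]] for r in rows
            if not r["in_use"] and not r["is_dir"] and r["is_hidden"]]


def timestomp_candidates(rows):
    """Records whose $STANDARD_INFORMATION creation time is earlier than the
    $FILE_NAME creation time. Returns (path, std_created_at, created_at)."""
    paths = build_paths(rows)
    return [(paths[r["no"]], r["std_created_at"], r["created_at"])
            for r in rows if r["std_created_at"] < r["created_at"]]


if __name__ == "__main__":
    for no, path in sorted(build_paths(ROWS).items()):
        print(no, path)
    print("deleted hidden:", deleted_hidden_files(ROWS))
    for path, si, fn in timestomp_candidates(ROWS):
        print("SI < FN created:", path, si.isoformat(), "<", fn.isoformat())
```

The $SI-before-$FN check is a heuristic, not proof: legitimate operations such as restoring from backup or copying with timestamp preservation can also produce it, so treat hits as leads to correlate with std_modified_at, the USN journal and process activity rather than as verdicts. Orphaned paths are worth keeping in the output because a deleted file whose parent directory record has been reused is exactly the case where the file_path field alone becomes unreliable.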