ntfs-mft

Retrieves information such as file path and name, file size, allocated size, file creation/modification/access times, and whether an entry is a directory from an NTFS master file table ($MFT). With the retrieved data you can analyze the entire file and folder structure, extract deleted files or folders, and browse information hidden in alternate data streams (ADS).

Syntax

ntfs-mft [zipcharset=CHARSET] [zippath=ZIPFILE_PATH] FILE_PATH
Required Parameter
FILE_PATH
Path to the NTFS MFT file. Using a wildcard (*) in the file name, you can retrieve all files whose name matches a specific string pattern (e.g. D:\data\NTFS\*). If the zippath option is given, FILE_PATH is the path of the NTFS MFT file inside the ZIP file.
Optional Parameter
zipcharset=CHARSET
Character set used to decode ZIP entry names and comments that are not UTF-8 encoded. Use the preferred MIME name or an alias registered in the following document: http://www.iana.org/assignments/character-sets/character-sets.xhtml
zippath=ZIPFILE_PATH
Path to the ZIP file

Description

The output fields are as follows:

Field                 Type     Description
no                    Integer  File number
file_name             String   File name
file_path             String   File path
file_size             Integer  File size
alloc_size            Integer  Allocated size
in_use                Boolean  In-use flag
is_dir                Boolean  Directory flag
link_count            Integer  Number of hard links referencing the file
created_at            Date     Creation time of the $FILE_NAME attribute
modified_at           Date     Last modification time of the $FILE_NAME attribute
access_at             Date     Last access time of the $FILE_NAME attribute
mft_modified_at       Date     Last MFT modification time of the $FILE_NAME attribute
std_created_at        Date     Creation time of the $STANDARD_INFORMATION attribute
std_modified_at       Date     Last modification time of the $STANDARD_INFORMATION attribute
std_access_at         Date     Last access time of the $STANDARD_INFORMATION attribute
std_mft_modified_at   Date     Last MFT modification time of the $STANDARD_INFORMATION attribute
is_readonly           Boolean  Read-only flag
is_hidden             Boolean  Hidden flag
is_system             Boolean  System flag
is_archive            Boolean  Archive flag
is_device             Boolean  Device flag
is_normal             Boolean  Normal flag
is_temp               Boolean  Temporary flag
is_sparse             Boolean  Sparse file flag
is_reparse            Boolean  Reparse point flag
is_compressed         Boolean  Compression flag
is_offline            Boolean  Offline flag
is_indexed            Boolean  Index flag
is_encrypted          Boolean  Encryption flag
lsn                   Integer  Log sequence number
seq                   Integer  Sequence number
file_ref              Integer  File reference
parent_file_ref       Integer  Parent file reference
parent_no             Integer  Parent file number

Usage

  1. Retrieve information by providing the file path.

    ntfs-mft D:\data\NTFS\test_MFT
    
  2. Retrieve information when the zippath option is provided.

    ntfs-mft zippath=D:\data\NTFS.zip NTFS\test_MFT
    
  3. Load the list of deleted hidden files.

    ntfs-mft D:\data\NTFS\test_MFT
    | search not(in_use) and not(is_dir) and is_hidden
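To show where the output fields above come from and what usage example 3 filters on, here is an added, self-contained Python example (not ntfs-mft's own code). It builds two constructed, fixup-encoded 1024-byte MFT records, undoes the update sequence array, decodes the resident $STANDARD_INFORMATION and $FILE_NAME attributes into dicts keyed like the ntfs-mft fields, and then applies the same condition as `search not(in_use) and not(is_dir) and is_hidden`. The record layout follows the documented NTFS on-disk format; the mapping of is_indexed to the NOT_CONTENT_INDEXED bit, the file_ref composition, the sample names, timestamps and LSNs, and the function names are this example's own assumptions.

```python
"""Minimal NTFS MFT record parser (added example, not ntfs-mft's own code)."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# File attribute bits stored at $STANDARD_INFORMATION+32; names follow the ntfs-mft fields.
# Mapping is_indexed to FILE_ATTRIBUTE_NOT_CONTENT_INDEXED (0x2000) is an assumption here.
FLAG_FIELDS = {"is_readonly": 0x1, "is_hidden": 0x2, "is_system": 0x4, "is_archive": 0x20,
               "is_device": 0x40, "is_normal": 0x80, "is_temp": 0x100, "is_sparse": 0x200,
               "is_reparse": 0x400, "is_compressed": 0x800, "is_offline": 0x1000,
               "is_indexed": 0x2000, "is_encrypted": 0x4000}


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixup(record: bytes) -> bytes:
    """Undo the update sequence array: NTFS replaces the last 2 bytes of each sector
    with the update sequence number (USN) and keeps the originals in the USA."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1} (torn write?)")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(record: bytes, no: int) -> Optional[dict]:
    """Parse one MFT record into ntfs-mft style fields; None if it was never used."""
    if record[:4] != b"FILE":
        return None
    record = apply_fixup(record)
    lsn, seq, link_count, off, flags = struct.unpack_from("<QHHHH", record, 8)
    out = {"no": no, "lsn": lsn, "seq": seq, "link_count": link_count,
           "file_ref": (seq << 48) | no, "in_use": bool(flags & 0x1),
           "is_dir": bool(flags & 0x2), "file_name": None}
    while off + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == ATTR_END or alen == 0:
            break
        if record[off + 8] == 0:                         # resident attributes only
            csize, coff = struct.unpack_from("<IH", record, off + 16)
            body = record[off + coff:off + coff + csize]
            if atype == ATTR_STANDARD_INFORMATION:
                c, m, mm, a, fattr = struct.unpack_from("<QQQQI", body, 0)
                out.update(std_created_at=filetime_to_datetime(c), std_modified_at=filetime_to_datetime(m),
                           std_mft_modified_at=filetime_to_datetime(mm), std_access_at=filetime_to_datetime(a),
                           **{k: bool(fattr & bit) for k, bit in FLAG_FIELDS.items()})
            elif atype == ATTR_FILE_NAME:
                pref, c, m, mm, a, alloc, real, _f, _r, nlen, ns = struct.unpack_from("<QQQQQQQIIBB", body, 0)
                if out["file_name"] is None or ns != 2:  # prefer a non-DOS (8.3) name
                    out.update(parent_file_ref=pref, parent_no=pref & 0xFFFFFFFFFFFF,
                               created_at=filetime_to_datetime(c), modified_at=filetime_to_datetime(m),
                               mft_modified_at=filetime_to_datetime(mm), access_at=filetime_to_datetime(a),
                               alloc_size=alloc, file_size=real,
                               file_name=body[66:66 + 2 * nlen].decode("utf-16-le"))
        off += alen
    return out


def parse_mft(data: bytes) -> list:
    """Walk a raw $MFT image record by record, numbering entries by position."""
    return [parse_record(data[i:i + RECORD_SIZE], i // RECORD_SIZE)
            for i in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE)]


def deleted_hidden_files(records) -> list:
    """Python equivalent of: search not(in_use) and not(is_dir) and is_hidden"""
    return [r for r in records if r and not r["in_use"] and not r["is_dir"] and r.get("is_hidden")]


def _resident(atype: int, body: bytes) -> bytes:
    """Resident attribute: 24-byte header, content at offset 24, padded to 8 bytes."""
    alen = (24 + len(body) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body + bytes(alen - 24 - len(body))


def build_record(name: str, *, in_use: bool, is_dir: bool, fattr: int, lsn: int, size: int = 0) -> bytes:
    """Constructed, fixup-encoded MFT record (sample data for this example only)."""
    t = 132_000_000_000_000_000                              # constructed FILETIME
    std = struct.pack("<QQQQI", t, t, t, t, fattr) + bytes(12)
    fn = struct.pack("<QQQQQQQIIBB", (1 << 48) | 5, t, t, t, t, size, size, fattr, 0, len(name), 3)
    attrs = (_resident(ATTR_STANDARD_INFORMATION, std) + _resident(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
             + struct.pack("<II", ATTR_END, 0))
    flags = (0x1 if in_use else 0) | (0x2 if is_dir else 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, lsn, 2, 1, 56, flags, 56 + len(attrs), RECORD_SIZE, 0, 0, 0, 0)
    rec = bytearray(hdr + bytes(8) + attrs)                  # USA (3 entries) sits at 48..54
    rec += bytes(RECORD_SIZE - len(rec))
    rec[48:50] = usn = b"\x01\x00"
    for i in (1, 2):                                         # stash sector tails, stamp the USN
        end = i * SECTOR_SIZE
        rec[48 + 2 * i:50 + 2 * i], rec[end - 2:end] = rec[end - 2:end], usn
    return bytes(rec)


def demo() -> list:
    """Two constructed records: an in-use directory and a deleted hidden+archive file."""
    image = (build_record("Reports", in_use=True, is_dir=True, fattr=0x0, lsn=1000)
             + build_record("secret.txt", in_use=False, is_dir=False, fattr=0x22, lsn=1001, size=1234))
    return parse_mft(image)


if __name__ == "__main__":
    for r in deleted_hidden_files(demo()):
        print(r["no"], r["file_name"], r["file_size"], r["std_created_at"])
```

The fixup step matters for forensic use: a record whose sector tails do not carry the expected USN was torn mid-write, and the parser refuses it rather than silently reading stale attribute bytes. Only resident attributes are decoded here; non-resident data runs and $DATA (including ADS) are out of scope for this example.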