ntfs-mft

Retrieves the records of an NTFS master file table ($MFT) and returns, for every entry, the file name and path, the logical and allocated size, the creation/modification/access/MFT-change times from both the $STANDARD_INFORMATION and the $FILE_NAME attribute, the in-use and directory flags, and the DOS attribute flags. Because every file and directory on the volume has an $MFT entry, the output can be used to reconstruct the complete file and folder tree, to find deleted files and folders (entries whose in_use flag is cleared but whose attributes are still present), and to look for alternate data streams (ADS), which are a common place to hide data.

Syntax

ntfs-mft [zippath=ZIPFILE_PATH] FILE_PATH

Required Parameters

FILE_PATH
Path to the extracted $MFT file. If the zippath option is given, this is instead the path of the $MFT entry inside the ZIP archive.

Optional Parameters

zippath=ZIPFILE_PATH
Path to a ZIP archive that contains the $MFT file.

Description

After running the ntfs-mft command, the output fields are as follows:

Field | Type | Description
no | Integer | MFT entry (record) number
file_name | String | File name
file_path | String | Full path, reconstructed by following parent_no up to the root
file_size | Integer | Logical file size in bytes
alloc_size | Integer | Allocated size on disk in bytes
in_use | Boolean | In-use flag; false means the entry has been deleted and may be reused
is_dir | Boolean | Directory flag
link_count | Integer | Number of hard links referencing the file
created_at | Date | Creation time from the $FILE_NAME attribute
modified_at | Date | Last modification time from the $FILE_NAME attribute
access_at | Date | Last access time from the $FILE_NAME attribute
mft_modified_at | Date | Last MFT entry change time from the $FILE_NAME attribute
std_created_at | Date | Creation time from the $STANDARD_INFORMATION attribute
std_modified_at | Date | Last modification time from the $STANDARD_INFORMATION attribute
std_access_at | Date | Last access time from the $STANDARD_INFORMATION attribute
std_mft_modified_at | Date | Last MFT entry change time from the $STANDARD_INFORMATION attribute
is_readonly | Boolean | Read-only attribute flag
is_hidden | Boolean | Hidden attribute flag
is_system | Boolean | System attribute flag
is_archive | Boolean | Archive attribute flag
is_device | Boolean | Device attribute flag
is_normal | Boolean | Normal attribute flag
is_temp | Boolean | Temporary attribute flag
is_sparse | Boolean | Sparse file attribute flag
is_reparse | Boolean | Reparse point attribute flag (symbolic links, junctions, mount points)
is_compressed | Boolean | Compressed attribute flag
is_offline | Boolean | Offline attribute flag
is_indexed | Boolean | Content indexing attribute flag
is_encrypted | Boolean | Encrypted (EFS) attribute flag
lsn | Integer | $LogFile sequence number of the last change to the entry
seq | Integer | Sequence number of the entry, incremented each time the entry is reused
file_ref | Integer | File reference number (entry number combined with the sequence number)
parent_file_ref | Integer | File reference number of the parent directory
parent_no | Integer | MFT entry number of the parent directory

The two sets of timestamps are not equivalent for forensic purposes. The $STANDARD_INFORMATION times (std_*) are what Explorer and most tools display and can be set from user mode, for example with SetFileTime, so they are the ones an attacker changes when timestomping. The $FILE_NAME times (created_at and the others without the std_ prefix) are maintained by the kernel and are not directly settable by ordinary API calls, so a std_created_at that is earlier than created_at, or std_* values with a zeroed sub-second part next to $FILE_NAME values with full precision, is a strong indicator that the timestamps were tampered with.

Usage

  1. Retrieve by providing the path of an extracted $MFT file.

    ntfs-mft /opt/logpresso/testdata/ntfs/test_MFT
    
  2. Retrieve an $MFT file stored inside a ZIP archive by providing the zippath option; FILE_PATH is then the entry path inside the archive.

    ntfs-mft zippath=/opt/logpresso/testdata/NTFS.zip NTFS/test_MFT
    
  3. List deleted files that carried the hidden attribute (entries that are no longer in use, are not directories, and have is_hidden set).

    ntfs-mft /opt/logpresso/testdata/ntfs/test_MFT
    | search not(in_use) and not(is_dir) and is_hidden
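
To make the field table above concrete, the following is an added example, written for this page and not part of Logpresso or its ntfs-mft implementation. It parses a single 1024-byte $MFT FILE record into a dictionary keyed like the output fields (no, seq, lsn, link_count, in_use, is_dir, the $STANDARD_INFORMATION and $FILE_NAME timestamps, file_name, parent_no), applying the update-sequence fixup first, which parsers that skip it get wrong at the end of every sector. It then compares the two timestamp sets to flag timestomping, the check described after the table. Because no real $MFT can be embedded here, the records are constructed by a helper (build_record) with an assumed layout that follows the on-disk NTFS format; the file names, entry numbers and times are made up.

```python
# Added example, not Logpresso's ntfs-mft code: parse one NTFS MFT FILE record
# into fields named like the ntfs-mft output and check for timestomping.
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixup(rec):
    """Restore the last two bytes of every sector from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR - 2
        if buf[end:end + 2] != usn:          # mismatch means a torn/partial write
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        buf[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(rec):
    """Return a dict keyed like the ntfs-mft output fields (subset)."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixup(rec)
    lsn, seq, link_count, attr_off, flags = struct.unpack_from("<QHHHH", rec, 8)
    e = {"no": struct.unpack_from("<I", rec, 0x2C)[0], "lsn": lsn, "seq": seq,
         "link_count": link_count, "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    off = attr_off
    while off + 0x18 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonres:   # $STANDARD_INFORMATION and $FILE_NAME are always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STD_INFO:
                c, m, mm, a, attr_flags = struct.unpack_from("<4QI", body)
                e.update(std_created_at=filetime_to_dt(c), std_modified_at=filetime_to_dt(m),
                         std_mft_modified_at=filetime_to_dt(mm), std_access_at=filetime_to_dt(a),
                         is_hidden=bool(attr_flags & 0x2), is_system=bool(attr_flags & 0x4))
            elif atype == ATTR_FILE_NAME:
                parent_ref, c, m, mm, a = struct.unpack_from("<5Q", body)
                name_len, ns = struct.unpack_from("<BB", body, 0x40)
                if ns != 2 or "file_name" not in e:   # prefer Win32/POSIX name over DOS 8.3
                    e.update(file_name=body[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                             parent_file_ref=parent_ref, parent_no=parent_ref & 0xFFFFFFFFFFFF,
                             created_at=filetime_to_dt(c), modified_at=filetime_to_dt(m),
                             mft_modified_at=filetime_to_dt(mm), access_at=filetime_to_dt(a))
        off += alen
    return e


def timestomp_indicators(e):
    """$SI is settable from user mode (SetFileTime); $FN is kernel-maintained."""
    out = []
    if e["std_created_at"] < e["created_at"]:
        out.append("$SI creation time predates $FN creation time")
    if any(e[k].microsecond == 0 for k in ("std_created_at", "std_modified_at")) \
            and e["created_at"].microsecond != 0:
        out.append("$SI timestamps have a zeroed sub-second part")
    return out


def _resident_attr(atype, body, attr_id):
    total = (0x18 + len(body) + 7) & ~7          # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(body), 0x18, 0, 0)
    return hdr + body + bytes(total - 0x18 - len(body))


def build_record(recno, seq, name, parent_no, std_times, fn_times, attr_flags=0x20, in_use=True):
    """Construct a sample 1024-byte FILE record with a valid fixup array (test data only)."""
    std = struct.pack("<4Q4I", *map(dt_to_filetime, std_times), attr_flags, 0, 0, 0)
    fn = struct.pack("<5QQQIIBB", parent_no | (5 << 48), *map(dt_to_filetime, fn_times),
                     0, 0, attr_flags, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (_resident_attr(ATTR_STD_INFO, std, 0) + _resident_attr(ATTR_FILE_NAME, fn, 1)
             + struct.pack("<I", ATTR_END) + bytes(4))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0x1234, seq, 1, 0x38,
                      1 if in_use else 0, 0x38 + len(attrs), 1024, 0, 2, 0, recno)
    buf = bytearray((hdr + b"\x01\x00" + bytes(6) + attrs).ljust(1024, b"\0"))
    for i in (1, 2):                              # stash sector tails, write the USN over them
        end = i * SECTOR - 2
        buf[0x30 + 2 * i:0x30 + 2 * i + 2] = buf[end:end + 2]
        buf[end:end + 2] = b"\x01\x00"
    return bytes(buf)


T = lambda *a: datetime(*a, tzinfo=timezone.utc)
FN_TIMES = (T(2024, 3, 5, 10, 15, 30, 123456),) * 4      # constructed sample times
STOMPED = build_record(4242, 7, "payload.exe", 5, (T(2019, 1, 1),) * 4, FN_TIMES, attr_flags=0x22)
CLEAN = build_record(4243, 1, "report.docx", 5, FN_TIMES, FN_TIMES)

if __name__ == "__main__":
    for raw in (STOMPED, CLEAN):
        e = parse_record(raw)
        print(e["no"], e["file_name"], e["std_created_at"], e["created_at"], timestomp_indicators(e))
```

On a real $MFT, read the file in 1024-byte chunks and call parse_record on each chunk that starts with "FILE"; the "no" field in a valid record equals its index in the file, and a record whose in_use flag is clear but that still carries a $FILE_NAME attribute is the deleted entry that usage example 3 filters for.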