Archive for March, 2011

Introducing MFTDump Forensic Tool

I have been looking for a forensic tool that dumps the contents of an NTFS volume's $MFT file for some time. Unable to find one that suits my needs, I decided to dig into the internal structures of NTFS and write one. Today, I am releasing MFTDump to the forensic community.

The tool is designed for forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts NTFS file metadata from an $MFT file.
  • Dumps filenames to stdout for fast searches.
  • Dumps alternate data streams to stdout.
  • Has three output report formats: short, standard, and long.
  • Zip feature reduces size of output report on disk.
  • Self-contained binary – no other dependencies.
  • Runs on Windows 2000, XP, Vista, 7, Server 2003 and 2008.
  • FAQ and Quick-Start Guide documentation.

Common uses include:

  • Searching an NTFS volume for specific file name(s).
  • Identifying alternate data streams (ADS).
  • Identifying file attributes such as deleted, hidden, system, etc.
  • Searching and sorting files based on MAC times (Modified, Accessed, and Created).
  • Creating a timeline of activity on a filesystem.
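To show what "extracting file metadata from an $MFT file" involves in practice, here is an added Python example that is not MFTDump's code and does not reproduce its output formats. It parses one NTFS FILE record: it undoes the update-sequence fixups, walks the attribute list, decodes $STANDARD_INFORMATION (MAC times and attribute flags), $FILE_NAME (the file name) and $DATA (the default stream plus any alternate data streams), and sorts the timestamps into a small timeline. The 1 KiB record it parses is constructed inline (file name, record number 42, the Zone.Identifier stream and all timestamps are made up for the demonstration); the field offsets follow the NTFS 3.x on-disk layout.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS stores timestamps as 100 ns ticks since 1601-01-01 UTC (Windows FILETIME).
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
SI_FLAGS = {0x01: "read-only", 0x02: "hidden", 0x04: "system", 0x20: "archive"}
SECTOR = 512


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(raw):
    """Undo update-sequence fixups: on disk the last two bytes of each sector hold
    the USN and the real bytes sit in the update sequence array (USA)."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn = raw[usa_off:usa_off + 2]
    rec = bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt MFT record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_attributes(rec):
    """Walk the attribute list; yields (type, name, non_resident, resident_content)."""
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_res, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        content = b""
        if not non_res:                                   # resident: content is inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        yield atype, name, bool(non_res), content
        off += alen


def parse_mft_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    flags = struct.unpack_from("<H", rec, 0x16)[0]        # 0x1 in use, 0x2 directory
    entry = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
             "is_dir": bool(flags & 2), "si": None, "names": [], "streams": []}
    for atype, name, non_res, content in iter_attributes(rec):
        if atype == ATTR_STANDARD_INFORMATION:
            c, m, mft_m, a, si_flags = struct.unpack_from("<QQQQI", content, 0)
            entry["si"] = {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
                           "mft_modified": filetime_to_datetime(mft_m), "accessed": filetime_to_datetime(a),
                           "flags": [n for b, n in SI_FLAGS.items() if si_flags & b]}
        elif atype == ATTR_FILE_NAME:
            nlen, namespace = struct.unpack_from("<BB", content, 0x40)
            entry["names"].append((content[0x42:0x42 + 2 * nlen].decode("utf-16-le"), namespace))
        elif atype == ATTR_DATA:
            entry["streams"].append({"name": name, "resident": not non_res,
                                     "size": None if non_res else len(content)})
    return entry


def alternate_streams(entry):
    # A named $DATA attribute is an ADS; the default stream has no name.
    return [s["name"] for s in entry["streams"] if s["name"]]


def timeline(entry):
    si, fname = entry["si"], (entry["names"][0][0] if entry["names"] else "<unnamed>")
    return sorted((si[k], k, fname) for k in ("created", "modified", "accessed"))


def _attr(atype, content, name=""):
    """Build one resident attribute (constructed test data, not bytes from a real volume)."""
    nb = name.encode("utf-16-le")
    coff = (0x18 + len(nb) + 7) & ~7
    total = (coff + len(content) + 7) & ~7
    buf = bytearray(total)
    buf[:0x18] = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(content), coff, 0, 0)
    buf[0x18:0x18 + len(nb)] = nb
    buf[coff:coff + len(content)] = content
    return bytes(buf)


def build_sample_record():
    """Constructed 1 KiB record for 'invoice.pdf' (record 42) carrying a Zone.Identifier ADS."""
    ts = lambda *a: datetime_to_filetime(datetime(*a, tzinfo=timezone.utc))
    created, modified, accessed = ts(2011, 3, 1, 9, 0), ts(2011, 3, 2, 10, 30), ts(2011, 3, 3, 11, 45)
    si = struct.pack("<QQQQI", created, modified, modified, accessed, 0x02 | 0x20).ljust(0x48, b"\0")
    name = "invoice.pdf".encode("utf-16-le")
    fn = struct.pack("<QQQQQQQII", 5 | (5 << 48), created, modified, modified, accessed,
                     4096, 2240, 0x20, 0) + struct.pack("<BB", len(name) // 2, 1) + name
    attrs = (_attr(ATTR_STANDARD_INFORMATION, si) + _attr(ATTR_FILE_NAME, fn)
             + _attr(ATTR_DATA, b"%PDF-1.4 (constructed)")
             + _attr(ATTR_DATA, b"[ZoneTransfer]\r\nZoneId=3\r\n", name="Zone.Identifier")
             + struct.pack("<II", ATTR_END, 0))
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    struct.pack_into("<HHQHHHHII", rec, 4, usa_off, usa_count, 0, 1, 1, first_attr, 0x01,
                     first_attr + len(attrs), 1024)
    struct.pack_into("<I", rec, 0x2C, 42)
    rec[first_attr:first_attr + len(attrs)] = attrs
    usn = b"\x07\x00"   # write-side fixup: stash each sector tail in the USA, stamp the USN over it
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    e = parse_mft_record(build_sample_record())
    print(e["record"], e["names"], alternate_streams(e), e["si"]["flags"])
    for when, event, fname in timeline(e):
        print(when.isoformat(), event, fname)
```

The fixup check is the part worth keeping in any MFT parser: a record whose sector tails do not match the USN was torn mid-write or has been tampered with, and silently parsing it yields wrong names and timestamps. Note also that $FILE_NAME carries its own set of four timestamps (decoded here only for $STANDARD_INFORMATION), and comparing the two sets is a common check for timestamp manipulation.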

Download the tool and let me know how it works for you.