I have been looking for a forensic tool that dumps the contents of an NTFS Volume $MFT file for some time. Unable to find one that suits my needs, I decided to dig into the internal structures of NTFS and write one. Today, I am releasing MFTDumpto the forensic community.
The tool is designed for forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume.
The tool has the following features:
- Lightweight, fast, and flexible command line tool.
- Extracts NTFS file metadata from an $MFT file.
- Dumps filenames to stdout for fast searches.
- Dumps alternate data streams to stdout.
- Has three output report formats: short, standard, and long.
- Zip feature reduces size of output report on disk.
- Self-contained binary – no other dependencies.
- Runs on Windows 2000, XP, Vista, 7, Server 2003 and 2008.
- FAQ and Quick-Start Guide documentation
Common uses include:
- Searching an NTFS volume for specific file name(s).
- Identifying alternate data streams (ADS).
- Identifying file attributes such as deleted, hidden, system, etc.
- Searching and sorting files based on MAC times (Modified, Accessed, and Created).
- Creating a timeline of activity on a filesystem.
Download the tool and let me know how it works for you.