Introducing MFTDump Forensic Tool

I have been looking for a forensic tool that dumps the contents of an NTFS volume $MFT file for some time. Unable to find one that suits my needs, I decided to dig into the internal structures of NTFS and write one. Today, I am releasing MFTDump to the forensic community.

The tool is designed for forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume.

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts NTFS file metadata from an $MFT file.
  • Dumps filenames to stdout for fast searches.
  • Dumps alternate data streams to stdout.
  • Has three output report formats: short, standard, and long.
  • Zip feature reduces size of output report on disk.
  • Self-contained binary – no other dependencies.
  • Runs on Windows 2000, XP, Vista, 7, Server 2003 and 2008.
  • FAQ and Quick-Start Guide documentation.

Common uses include:

  • Searching an NTFS volume for specific file name(s).
  • Identifying alternate data streams (ADS).
  • Identifying file attributes such as deleted, hidden, system, etc.
  • Searching and sorting files based on MAC times (Modified, Accessed, and Created).
  • Creating a timeline of activity on a filesystem.

Download the tool and let me know how it works for you.

MGS

2 Responses to “Introducing MFTDump Forensic Tool”

  • dw says:

    I have been using this tool for some diagnostics, but I find that it doesn’t always work. Files that I know are in the MFT are not listed in the output. Using verbose output, I see hundreds of lines saying

    $MFT file record has an invalid MAGIC number.

    At a guess, this may relate to the size of the drive, since it works correctly against my 32g and 320g drives, and fails on my 2tb.

    Are you still working on this tool? If not, is source code a possibility?

    • mspohn says:

      Hi David,

      Yes – I am actively maintaining this tool. It sounds like you have identified an issue with very large file systems. When the tool reads an $MFT record, it verifies the MAGIC value FILE0 is present. If the value is not found, the record is ignored. It is not unusual to find space at the end of the $MFT where this signature is not present. I will attempt to recreate this issue and report back.

      Thanks for bringing this to my attention.

      MGS
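The MAGIC check described in the reply above, as an added example that is not MFTDump's own code: it decodes the fixed header of each 1024-byte $MFT record, skips any record whose first four bytes are not the ASCII signature FILE (the trailing 0 seen in a hex dump is the update sequence array offset byte 0x30, not part of the signature), and counts how many records were skipped so an examiner can see when whole regions of the file are being ignored. It assumes 1024-byte records, does not apply the update sequence fix-up, and the sample records are constructed.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple
RECORD_SIZE = 1024          # default $MFT file record size in bytes
MAGIC = b"FILE"             # 4-byte ASCII signature that opens every valid record
FLAG_IN_USE = 0x0001        # cleared in the header flags once a file is deleted
FLAG_DIRECTORY = 0x0002

@dataclass
class MftRecordHeader:
    index: int              # position of the record within $MFT
    sequence: int           # incremented each time the record slot is reused
    in_use: bool
    is_directory: bool
    base_record: int        # 0 for a base record, else the owning record number

def parse_record_header(index: int, raw: bytes) -> Optional[MftRecordHeader]:
    """Decode the fixed header of one record; None when the MAGIC check fails."""
    if len(raw) < 0x30 or raw[:4] != MAGIC:
        return None
    sequence, = struct.unpack_from("<H", raw, 0x10)
    flags, = struct.unpack_from("<H", raw, 0x16)
    base_ref, = struct.unpack_from("<Q", raw, 0x20)  # low 48 bits = record number
    return MftRecordHeader(index, sequence, bool(flags & FLAG_IN_USE),
                           bool(flags & FLAG_DIRECTORY), base_ref & 0xFFFFFFFFFFFF)

def walk_mft(data: bytes, record_size: int = RECORD_SIZE) -> Tuple[List[MftRecordHeader], int]:
    """Return (valid headers, count of records skipped for an invalid MAGIC)."""
    headers, skipped = [], 0
    for index in range(len(data) // record_size):
        hdr = parse_record_header(index, data[index * record_size:(index + 1) * record_size])
        if hdr is None:
            skipped += 1    # e.g. zero-filled slack at the end of $MFT
        else:
            headers.append(hdr)
    return headers, skipped

def make_record(sequence: int, flags: int) -> bytes:
    """Constructed test record: only the header fields read above are populated."""
    raw = bytearray(RECORD_SIZE)
    raw[:4] = MAGIC
    struct.pack_into("<H", raw, 0x04, 0x30)          # update sequence array offset
    struct.pack_into("<H", raw, 0x10, sequence)
    struct.pack_into("<H", raw, 0x16, flags)
    struct.pack_into("<I", raw, 0x1C, RECORD_SIZE)   # allocated record size
    return bytes(raw)

# Constructed sample $MFT: in-use file, in-use directory, deleted file, two zero-filled records.
SAMPLE_MFT = (make_record(1, FLAG_IN_USE) + make_record(3, FLAG_IN_USE | FLAG_DIRECTORY)
              + make_record(7, 0) + bytes(RECORD_SIZE) * 2)
```

A skipped count that is a small fraction of the total is the normal unused tail of $MFT; a count approaching the total means the records are not being read at the offsets the parser expects.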
