MFTDump – Tool to Parse MFT Files

The MFT Master File Table files on NTFS file system are table that will store and provide information about file changes on the hard disk. information may include file size, file name, date and time stamps and more. If you are looking to analyze MFT files you can check MFTDump.

MFTDump is a tool provides a quick and easy way to extract forensic metadata from an NTFS volume $MFT file. It is designed to supplement some forensic tools such as EnCase, FTK, Hex-Ways Forensic, etc.

MFTDump NTFS Volume Metadata Forensic Tool

The tool has the following features:

  • Lightweight, fast, and flexible command line tool.
  • Extracts NTFS file metadata from an $MFT file.
  • Dumps filenames to stdout for fast searches.
  • Dumps alternate data streams to stdout.
  • Has three output report formats: short, standard, and long.
  • Zip feature reduces size of output report on disk.
  • Self-contained binary – no other dependencies.

The tool is used by forensic examiners and incident responders who need a quick method to extract and examine file metadata from an NTFS volume. Common uses include:

  • Searching an NTFS volume for specific file name(s).
  • Identifying alternate data streams (ADS).
  • Identifying file attributes such as deleted, hidden, system, etc.
  • Searching and sorting files based on MAC times (Modified, Accessed, and Created).
  • Creating a timeline of activity on a filesystem.

You can read more and download the tool over here: http://malware-hunters.net/freetools/

Share