MFTECMD

This utility parses the Master File Table (MFT) from NTFS file systems. It extracts detailed information stored in the MFT entries, converts them into a CSV presenting them in a more digestible and analyzable format. This is the preferred method prior to conducting file system analysis. The converted file can then be imported into TimeLine Explorer.

GitHub - EricZimmerman/MFTECmd: Parses $MFT from NTFS file systemsGitHub

INSTALLATION

PS C:\> git clone https://github.com/EricZimmerman/MFTECmd.git
PS C:\> cd c:\Temp\MFTECmd\
PS C:\> dotnet publish -f net9.0 -r win-x64 -p:PublishSingleFile=true --self-contained true -p:IncludeNativeLibrariesForSelfExtract=true
PS C:\> C:\Temp\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\publish
 MFTECmd.exe
 MFTECmd.pdb

USAGE

PS C:\> MFTECMD.exe -f "C:\Your\Directory\$MFT" --csv "C:\Your\Output\Directory\" ---csvf mft.csv

PreviousFILE SYSTEM NextTIMELINE EXPLORER

Last updated 1 month ago