
AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


MFT Explorer – GUI

How to Use MFT Explorer

MFT Explorer is a very powerful and easy to use tool for visualizing the $MFT.

First, you’re going to want to get a $MFT. If your system is NTFS, you can use your own! Extract it out using KAPE and examine with MFTECmd via the KAPE Module or via MFTECmd on its own. Alternatively, mount the Lone Wolf 2018 image and extract out the MFT with KAPE.

There’s honestly not much to the GUI that needs explanation once you get a $MFT loaded. It’s very similar to traversing a file system in Windows File Explorer (or an alternative like Directory Opus). All the information stored by the $MFT for each entry will be in the Overview tab on the right side.

This same output will be divided into columns in MFTECmd CSV output. You can see a preview of this when you scroll to the right, as seen below.

Be mindful, I am only showing it this size for the purpose of fitting these GIFs on this page. If I’m actually using MFT Explorer/MFTECmd in an everyday examination, I am making it full screen on a 34″ 1440p monitor. Your monitor doesn’t need to be that big or that resolution, or it can be bigger! I just want to stress that normally the scrolling wouldn’t be necessary, as all this data would be visible when maximized on a larger screen.

As with all of Eric’s tools, you can group by columns so you can slice the data in a way that helps you find answers more quickly. Here is a demonstration of that feature alone, not of an actual use case in a forensic examination.
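The same column grouping can be done outside the GUI on the MFTECmd CSV output, which is handy when you want a repeatable count across many $MFT files. The block below is an added example written for this page, not code from MFT Explorer or MFTECmd. It assumes the column names (EntryNumber, InUse, ParentPath, FileName, Extension, FileSize, IsDirectory, and the 0x10 timestamps) match a subset of MFTECmd's CSV header; the rows themselves are constructed and do not come from any real image.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of MFTECmd's $MFT CSV output. The header is
# assumed to match a subset of MFTECmd's real column names; the rows are made
# up for this example and are not from any real $MFT. Entry 42 has InUse=False,
# i.e. the record is still in the $MFT but the file was deleted.
SAMPLE_CSV = r"""EntryNumber,SequenceNumber,InUse,ParentPath,FileName,Extension,FileSize,IsDirectory,Created0x10,LastModified0x10
5,5,True,.,.,,0,True,2018-04-01 12:00:00.0000000,2018-04-01 12:00:00.0000000
40,1,True,.\Users\jcloudy\Documents,report.docx,.docx,24576,False,2018-04-02 09:15:00.0000000,2018-04-02 09:20:00.0000000
41,1,True,.\Users\jcloudy\Documents,notes.txt,.txt,512,False,2018-04-02 09:30:00.0000000,2018-04-02 09:31:00.0000000
42,3,False,.\Users\jcloudy\Downloads,installer.exe,.exe,1048576,False,2018-04-03 18:00:00.0000000,2018-04-03 18:01:00.0000000
43,1,True,.\Users\jcloudy\Downloads,photo.jpg,.jpg,204800,False,2018-04-03 18:05:00.0000000,2018-04-03 18:05:00.0000000
44,1,True,.\Users\jcloudy\Downloads,photo2.jpg,.jpg,198000,False,2018-04-03 18:06:00.0000000,2018-04-03 18:06:00.0000000
"""


def load_entries(csv_text):
    """Parse MFTECmd-style CSV text into a list of dicts with typed fields.

    Boolean columns arrive as the strings "True"/"False" and FileSize as a
    decimal string, so convert them once here instead of in every consumer.
    """
    entries = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["InUse"] = row["InUse"] == "True"
        row["IsDirectory"] = row["IsDirectory"] == "True"
        row["FileSize"] = int(row["FileSize"])
        row["EntryNumber"] = int(row["EntryNumber"])
        entries.append(row)
    return entries


def group_by(entries, column, *, in_use_only=True):
    """Count entries per distinct value of `column`, like Group By in the GUI.

    By default deleted (InUse=False) records are left out so the counts reflect
    what the live file system looked like; pass in_use_only=False to include
    them, which is often the more interesting view in an examination.
    """
    counts = Counter()
    for entry in entries:
        if in_use_only and not entry["InUse"]:
            continue
        counts[entry[column]] += 1
    return dict(counts)


def bytes_per_parent(entries):
    """Sum FileSize of non-directory entries under each ParentPath."""
    totals = defaultdict(int)
    for entry in entries:
        if entry["IsDirectory"]:
            continue
        totals[entry["ParentPath"]] += entry["FileSize"]
    return dict(totals)


def deleted_entries(entries):
    """Names of records whose InUse flag is false (unallocated $MFT records)."""
    return [entry["FileName"] for entry in entries if not entry["InUse"]]


if __name__ == "__main__":
    rows = load_entries(SAMPLE_CSV)
    print("Entries parsed:", len(rows))
    print("By extension (live files):", group_by(rows, "Extension"))
    print("By extension (incl. deleted):", group_by(rows, "Extension", in_use_only=False))
    print("Bytes per parent folder:", bytes_per_parent(rows))
    print("Deleted records:", deleted_entries(rows))
```

To run this against real output, replace SAMPLE_CSV with the contents of the CSV MFTECmd wrote (read the file with `encoding="utf-8-sig"`, since the output may start with a byte-order mark) and group by whichever column answers your question, such as ParentPath or Extension.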

It cannot be overstated how useful MFT Explorer is to help visualize what a suspect’s file system looked like and peruse their file system as if you were on the computer itself. The parsing takes longer than simply parsing an MFT with MFTECmd, but that’s because there’s other magic going on to display the file system in a graphical manner. Well worth the wait and definitely worth playing around with for educational purposes. I see MFT Explorer as a great tool for students and those wanting to learn about the MFT and how it works, while also getting the benefit of seeing how all those bits and bytes are translated into something navigable within the GUI.