Our website may use cookies to improve and personalize your experience and to display advertisements (if any). Our website may also include cookies from third parties like Google Adsense or Google Analytics. By using the website, you consent to the use of cookies. We’ve updated our Privacy Policy. Please click on the button to check our Privacy Policy.

AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Table of Contents

Conclusion

MFT Explorer/MFTECmd are essential tools for any digital forensic examiners toolkit. Most Windows systems are formatted in NTFS so there’s a high probability this tool will be useful on your next case. The $MFT is a treasure trove of artifacts that can help provide pivot points in your investigation. I use MFTECmd everyday in conjunction with Timeline Explorer to help identify evil that exists within the file system of a given workstation, server, etc. KAPE helps automate this by running the !EZParser module which will automatically run MFTECmd against an $MFT that is pulled using a variety of KAPE Targets. More on that in the KAPE Guide!

If you’re examining a system formatted in NTFS, the MFT is a treasure trove of metadata about files you find that are relevant to your investigation, be it criminal, IR, or just for practice. Combined with Timeline Explorer, you just can’t beat the functionality for the price.

MFT Explorer/MFTECmd-Related Blog Posts/Videos

MFTECmd 0.3.6.0 released

KAPE + EZ Tools and Beyond – OSDFCon 2019 – Eric Zimmerman

Fast, Scalable Results with EZ Tools and the New Command line poster

13Cubed – NTFS Journal Forensics

Hands on USN Journal Analysis

Change Log

  • 12/17/2020 – Initial version published.