Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – MFT Explorer – GUI
- Page 3 – MFTECmd – Command Line, Examining MFTECmd Output (CSV)
- Page 4 – Conclusion, Related Blog Posts/Videos, Change Log
MFT Explorer/MFTECmd are essential tools for any digital forensic examiner's toolkit. Most Windows systems are formatted with NTFS, so there is a high probability this tool will be useful on your next case. The $MFT is a treasure trove of artifacts that can provide pivot points in your investigation. I use MFTECmd every day in conjunction with Timeline Explorer to help identify evil that exists within the file system of a given workstation, server, etc. KAPE helps automate this by running the !EZParser module, which automatically runs MFTECmd against an $MFT pulled using a variety of KAPE Targets. More on that in the KAPE Guide!
If you're examining a system formatted with NTFS, the $MFT is a treasure trove of metadata about the files relevant to your investigation, be it criminal, IR, or just for practice. Combined with Timeline Explorer, you just can't beat the functionality for the price.
MFT Explorer/MFTECmd-Related Blog Posts/Videos
Change Log
- 12/17/2020 – Initial version published.