Table of Contents
- Page 1 – Introduction, Screenshots, Usage Scenarios
- Page 2 – MFT Explorer – GUI
- Page 3 – MFTECmd – Command Line, Examining MFTECmd Output (CSV)
- Page 4 – Conclusion, Related Blog Posts/Videos, Change Log
Conclusion
MFT Explorer/MFTECmd are essential tools for any digital forensic examiner’s toolkit. Most Windows systems are formatted in NTFS, so there’s a high probability this tool will be useful on your next case. The $MFT is a treasure trove of artifacts that can help provide pivot points in your investigation. I use MFTECmd every day in conjunction with Timeline Explorer to help identify evil that exists within the file system of a given workstation, server, etc. KAPE helps automate this by running the !EZParser module, which will automatically run MFTECmd against an $MFT that is pulled using a variety of KAPE Targets. More on that in the KAPE Guide!
If you’re examining a system formatted in NTFS, the MFT is a treasure trove of metadata about the files that are relevant to your investigation, be it criminal, IR, or just for practice. Combined with Timeline Explorer, you just can’t beat the functionality for the price.
MFT Explorer/MFTECmd-Related Blog Posts/Videos
KAPE + EZ Tools and Beyond – OSDFCon 2019 – Eric Zimmerman
Fast, Scalable Results with EZ Tools and the New Command line poster
13Cubed – NTFS Journal Forensics
Change Log
- 12/17/2020 – Initial version published
- 8/27/2022 – Updated dead links