AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Table of Contents


MFT Explorer/MFTECmd are essential tools for any digital forensic examiners toolkit. Most Windows systems are formatted in NTFS so there’s a high probability this tool will be useful on your next case. The $MFT is a treasure trove of artifacts that can help provide pivot points in your investigation. I use MFTECmd everyday in conjunction with Timeline Explorer to help identify evil that exists within the file system of a given workstation, server, etc. KAPE helps automate this by running the !EZParser module which will automatically run MFTECmd against an $MFT that is pulled using a variety of KAPE Targets. More on that in the KAPE Guide!

If you’re examining a system formatted in NTFS, the MFT is a treasure trove of metadata about files you find that are relevant to your investigation, be it criminal, IR, or just for practice. Combined with Timeline Explorer, you just can’t beat the functionality for the price.

MFT Explorer/MFTECmd-Related Blog Posts/Videos

MFTECmd released

KAPE + EZ Tools and Beyond – OSDFCon 2019 – Eric Zimmerman

Fast, Scalable Results with EZ Tools and the New Command line poster

13Cubed – NTFS Journal Forensics

Hands on USN Journal Analysis

Change Log

  • 12/17/2020 – Initial version published
  • 8/27/2022 – Updated dead links