MFT_Browser
- Recreates the File/Directory tree structure from an (extracted) $MFT file.
- Able to carve FILE records & recreate a Directory tree from a Raw Image (v.60+)
- Able to extract the $MFT & recreate the Directory tree from a mounted NTFS volume (Volume must have a drive letter) (v.60+)
- Supports both 1024 & 4096 byte long records
==> Latest Version <==
[Dependencies]
- 'Node Properties' right click option or Double clicking on any file/directory entry gets the full MFT details for that record
- Clicking on any detail of the record, shows the source of the detail in the Hex view grid.
- All timestamps are in UTC
Note:
Recreating the directory tree from large MFT files might take a lot of time, (possibly hour(s)), as it needs to map each child record to it's parent node, and as the structure grows, the time needed grows exponentially.
- $MFT Structures (pdf)
- Using MFTbrowser (pdf)
- How to view a single record from a large MFT file (pdf)
- Reparse point examples (pdf)
- Small test $MFT files to play with, can be found here and here