
MFTECmd-MFTexplorer: A Forensic Analyst's Guide

When it comes to forensic tools, MFTECmd.exe is one of my go-to choices. It’s part of the KAPE suite and an incredibly efficient tool for parsing NTFS artifacts like $MFT, $J, $Boot, $SDS, and $I30. While I’ve always relied on it, many have requested a detailed guide, so here we are.


---------------------------------------------------------------------------------------------------------

Before we dive into the details of this tool, I want to let you know that there are already articles available on parsing $J and $MFT. You can check them out here:

-------------------------------------------------------------------------------------------------------


MFTECmd: Parsing the Master File Table (MFT)

As the name suggests, MFTECmd is designed to parse the NTFS Master File Table (MFT). Developed by Eric Zimmerman, the tool converts MFT records into human-readable formats, making it easier to analyze files, including deleted ones, alternate data streams, copied files, and more.

Here’s what makes MFTECmd stand out:

  1. Fast Processing: It generates CSV or JSON output in under 40 seconds, even for large MFT files.

  2. Support for Volume Shadow Copies: With the --vss option, you can parse older versions of the MFT from Volume Shadow Copies.

  3. Deduplication: The --dedupe option helps eliminate duplicate entries, simplifying analysis.

  4. Command-Line Interface: While it may seem intimidating at first, its straightforward commands provide unparalleled flexibility.


Command: MFTECmd.exe -f F:\C\$MFT --csv C:\Users\User\Downloads --csvf mft.csv


Once you have executed MFTECmd, the output will look like the one below.



An Alternative: MFT Explorer

If you prefer a graphical user interface (GUI), MFT Explorer, also by Eric Zimmerman, is an alternative to MFTECmd.

  • Tree View: MFT Explorer presents parsed MFT data in a Windows Explorer-like structure, making it easier to visualize files and folders.

  • Rich Metadata: It provides detailed information for each MFT record, including raw hex contents.

  • Slower Performance: Due to its GUI and the sheer size of modern MFT files, loading can take up to an hour. While slower, it’s an excellent tool for learning about the MFT.


It took me almost 10 minutes to get $MFT opened in MFT Explorer.

But once loaded, it created a complete Windows-like structure for us.

This is expected because the $MFT (Master File Table) organizes the file system. See the screenshot above for a clear view.


-------------------------------------------------------------------------------------------------------

What Did We Find?

In this instance, I wanted to show you how to identify a file downloaded from the internet and retrieve the link it was downloaded from. This is possible through NTFS Alternate Data Streams (ADS), specifically the Zone.Identifier stream that Windows attaches to downloaded files.
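To show what the Zone.Identifier lookup looks like against MFTECmd's CSV output, here is an added example (not part of MFTECmd or this article) that pulls every record carrying a Zone.Identifier stream and reports the zone, HostUrl and ReferrerUrl. It assumes the CSV exposes MFTECmd's ParentPath, FileName, InUse and ZoneIdContents columns, and the sample rows are constructed.

```python
"""Extract mark-of-the-web (Zone.Identifier) data from an MFTECmd CSV export."""
import csv
import io
import re

# Constructed sample of MFTECmd-style CSV output, trimmed to the columns used here
# (column names are an assumption about MFTECmd's export format).
SAMPLE_CSV = """EntryNumber,ParentPath,FileName,InUse,ZoneIdContents
101,.\\Users\\User\\Downloads,tool.zip,True,"[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.test/downloads/
HostUrl=https://cdn.example.test/files/tool.zip"
102,.\\Users\\User\\Downloads,notes.txt,True,
103,.\\Users\\User\\Desktop,old.exe,False,"[ZoneTransfer]
ZoneId=3"
"""

# URL security zones as written into the ZoneId field by Windows.
ZONE_NAMES = {"0": "LocalMachine", "1": "LocalIntranet", "2": "TrustedSites",
              "3": "Internet", "4": "RestrictedSites"}


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] block into a dict of key -> value."""
    fields = {}
    for line in re.split(r"[\r\n|]+", text):  # tolerate CRLF or '|'-joined lines
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def downloaded_files(csv_text):
    """Return one record per MFT entry that carries a Zone.Identifier ADS."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("ZoneIdContents") or "").strip()
        if not raw:
            continue  # no Zone.Identifier stream: not a browser/download-marked file
        z = parse_zone_identifier(raw)
        results.append({
            "path": row["ParentPath"] + "\\" + row["FileName"],
            "in_use": row["InUse"] == "True",  # False means the record is deleted
            "zone": ZONE_NAMES.get(z.get("ZoneId", ""), "Unknown"),
            "host_url": z.get("HostUrl"),          # absent on older Windows builds
            "referrer_url": z.get("ReferrerUrl"),
        })
    return results


if __name__ == "__main__":
    for rec in downloaded_files(SAMPLE_CSV):
        print(rec)
```

Point it at a real export by reading the CSV file into a string and passing it to downloaded_files; deleted records (InUse False) still keep their Zone.Identifier data as long as the MFT entry has not been reused.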

-------------------------------------------------------------------------------------------------------------


Choosing the Right Tool

I suggest trying both tools and deciding what works best for you. Personally, I find MFTECmd.exe to be the best tool—it’s quick, easy to use, and highly efficient. But who knows, you might prefer MFT Explorer for its graphical interface. The choice is yours!



Final Thoughts

MFTECmd is a powerful, fast, and efficient tool that simplifies NTFS artifact parsing, helping forensic analysts uncover critical insights in record time. While MFT Explorer offers a more visual approach, MFTECmd remains my top choice for its speed and flexibility. Experiment with both to find what works best for you. Remember, the ultimate goal is to keep learning and refining your forensic skills.



Keep learning, exploring, and experimenting with different tools. They all offer unique benefits and can deepen your forensic capabilities. See you in the next article!

--------------------------------------------------Dean------------------------------------------

