$MFT can be dumped as csv or json with Zone.Identifier parsing to quickly identify downloaded files. It is also possible to dump any file (even $MFT or SAM) or parse and analyze USN journal, LogFile including streams from Alternate Data Stream ( ADS). NTFSTool displays the complete structure of master boot record, volume boot record, partition table and $MFT file record.
See below for some examples of the features! Features Forensics
It supports reading partition info (MBR, partition table, VBR) but also information on Master File Table, Bitlocker encrypted volume, EFS encrypted files, USN journal and more.Äownload the latest binaries on AppVeyor. NTFSTool is a forensic tool focused on NTFS volumes.