Install Now
ntfscat - print NTFS files and streams on the standard output
Contents
Availability
ntfscat is part of the ntfs-3g package and is available from:
https://github.com/tuxera/ntfs-3g/wiki/
Bugs
There are no known problems with ntfscat. If you find a bug please send an email describing the problem
to the development team:
ntfs-3g-devel@lists.sf.netDescription
ntfscat will read a file or stream from an NTFS volume and display the contents on the standard output.
The case of the filename passed to ntfscat is ignored.
Examples
Display the contents of a file in the root of an NTFS volume.
ntfscat/dev/hda1boot.ini
Display the contents of a file in a subdirectory of an NTFS volume.
ntfscat/dev/hda1/winnt/system32/drivers/etc/hosts
Display the contents of the $INDEX_ROOT attribute of the root directory (inode 5).
ntfscat/dev/hda1-aINDEX_ROOT-i5|hexdump-CName
ntfscat - print NTFS files and streams on the standard output
Options
Below is a summary of all the options that ntfscat accepts. Nearly all options have two equivalent
names. The short name is preceded by - and the long name is preceded by --. Any single letter options,
that don't take an argument, can be combined into a single command, e.g. -fv is equivalent to -f-v.
Long named options can be abbreviated to any unique prefix of their name.
-a, --attribute TYPE
Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will
be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.
┌────────────────────────────────────────────┐
│ HexDecimalName │
│ 0x10 16 "$STANDARD_INFORMATION" │
│ 0x20 32 "$ATTRIBUTE_LIST" │
│ 0x30 48 "$FILE_NAME" │
│ 0x40 64 "$OBJECT_ID" │
│ 0x50 80 "$SECURITY_DESCRIPTOR" │
│ 0x60 96 "$VOLUME_NAME" │
│ 0x70 112 "$VOLUME_INFORMATION" │
│ 0x80 128 "$DATA" │
│ 0x90 144 "$INDEX_ROOT" │
│ 0xA0 160 "$INDEX_ALLOCATION" │
│ 0xB0 176 "$BITMAP" │
│ 0xC0 192 "$REPARSE_POINT" │
│ 0xD0 208 "$EA_INFORMATION" │
│ 0xE0 224 "$EA" │
│ 0xF0 240 "$PROPERTY_SET" │
│ 0x100 256 "$LOGGED_UTILITY_STREAM" │
└────────────────────────────────────────────┘
Notes The attribute names may be given without the leading $ symbol.
If you use the $ symbol, you must quote the name to prevent the shell interpreting the name.
-n, --attribute-name NAME
Display this named attribute, stream.
-i, --inode NUM
Specify a file by its inode number instead of its name.
-f, --force
This will override some sensible defaults, such as not using a mounted volume. Use this option
with caution.
-h, --help
Show a list of options with a brief description of each one.
-q, --quiet
Suppress some debug/warning/error messages.
-V, --version
Show the version number, copyright and license ntfscat.
-v, --verbose
Display more debug/warning/error messages.
See Also
Read libntfs(8) for details how to access encrypted files.
libntfs(8), ntfsls(8), ntfsprogs(8)
ntfs-3g 2022.10.3 September 2007 NTFSCAT(8)
Synopsis
[options] device [file]
PNG Icons