ntfscat
Display NTFS file content to standard output
SYNOPSIS
ntfscat [OPTIONS] DEVICE FILE
PARAMETERS
DEVICE
The block device containing the NTFS filesystem (e.g., /dev/sda1).
FILE
The path to the file on the NTFS filesystem, or its inode number when used with -i.
-a, --attribute ATTR
Dump the specified attribute type (e.g., $DATA, $FILE_NAME). Uses $DATA by default. See also -t.
-b, --byte-range RANGE
Only dump the specified byte range of the file. RANGE can be OFFSET-LENGTH or OFFSET..END.
-F, --force
Forcefully access the filesystem, even if it's marked dirty or has inconsistencies.
-H, --no-action
Do not perform any action. Just print information about the command's intended operation and the file.
-h, --help
Show a summary of command options and exit.
-i, --inode
Interpret FILE as an inode number instead of a path.
-l, --log-level LEVEL
Set the logging level. Common levels include none, error, warning, info, debug, all.
-n, --named-attribute NAME
Dump the contents of the named attribute NAME instead of the default unnamed data attribute. Useful for accessing Alternate Data Streams.
-o, --output FILE
Output the file contents to FILE instead of standard output.
-q, --quiet
Suppress verbose messages and warnings, printing only critical errors.
-s, --sector-size SIZE
Specify the size of sectors on the device in bytes. This is usually detected automatically.
-S, --start-sector SECTOR
Specify the start sector on the device where the NTFS partition begins. Useful for embedded NTFS volumes.
-t, --type TYPE
Dump the specified attribute type by its numeric type ID or name (e.g., 0x80 or $DATA). See also -a.
-V, --version
Show version information and exit.
DESCRIPTION
The ntfscat command is a utility designed to read and dump the contents of a specified file from an NTFS filesystem directly to standard output. Unlike typical file utilities that operate on mounted filesystems, ntfscat works on the raw block device (e.g., /dev/sda1) containing the NTFS volume. This makes it particularly useful for scenarios where the NTFS filesystem is unmountable, corrupted, or when you need to access files without mounting the partition.
It can retrieve data from both the default unnamed data stream and named data streams (Alternate Data Streams) associated with a file. Its primary use cases include data recovery from damaged volumes, forensic analysis, or simply accessing files on an NTFS partition from a Linux environment without mounting it, for example when full mount permissions are unavailable or mounting raises stability concerns. It can also output directly to a file instead of stdout.
CAVEATS
ntfscat has several known limitations. It may not correctly handle:
Files with non-resident attribute lists (complex file structures).
Compressed files (data will likely be dumped in its compressed form).
Encrypted files (dumped as raw encrypted data).
Sparse files (may dump full allocated space, not just actual data).
Files with reparse points (symbolic links, junction points, mount points).
For complex or unusual NTFS structures, results may be unreliable or incomplete.
DEVICE ARGUMENT
The DEVICE argument must refer to the raw block device (e.g., /dev/sda1, /dev/nvme0n1p3) where the NTFS filesystem resides, not a mounted directory. Running ntfscat on a mounted partition is generally safe for read operations, but it's best practice to unmount the filesystem before using block-level tools to avoid potential inconsistencies, especially if the filesystem is actively being written to by another process.
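The mount-state advice above, combined with the -n option for Alternate Data Streams, as an added shell example (not part of ntfscat or ntfsprogs). The function names, the MOUNTS_FILE variable and the policy of refusing a read-write mounted device are assumptions of this example.

```shell
#!/bin/sh
# Added example: helper names and MOUNTS_FILE are hypothetical, not ntfsprogs features.

# mount_state DEVICE [MOUNTS]
# Print "unmounted", "ro" or "rw" for DEVICE from a /proc/mounts-format file.
# Limitation: the device name is matched literally, so a volume mounted under
# another name (e.g. a /dev/disk/by-uuid link) is not recognised.
mount_state() {
    awk -v d="$1" '
        $1 == d { state = ($4 ~ /(^|,)rw(,|$)/) ? "rw" : "ro"
                  if (state == "rw") exit }
        END     { print (state == "" ? "unmounted" : state) }
    ' "${2:-/proc/mounts}"
}

# extract_stream DEVICE FILE STREAM OUT
# Dump one stream of FILE to OUT and print the SHA-256 of the dumped bytes.
# STREAM is an Alternate Data Stream name; pass "" for the unnamed $DATA stream.
# Returns 2 if DEVICE is mounted read-write, 1 if ntfscat fails.
extract_stream() {
    xs_dev=$1 xs_file=$2 xs_stream=$3 xs_out=$4
    xs_state=$(mount_state "$xs_dev" "${MOUNTS_FILE:-/proc/mounts}")
    if [ "$xs_state" = "rw" ]; then
        # Another process may be changing the volume under us: do not read it.
        echo "refusing: $xs_dev is mounted read-write" >&2
        return 2
    fi
    if [ -n "$xs_stream" ]; then
        ntfscat -n "$xs_stream" "$xs_dev" "$xs_file" > "$xs_out" || return 1
    else
        ntfscat "$xs_dev" "$xs_file" > "$xs_out" || return 1
    fi
    sha256sum "$xs_out" | cut -d' ' -f1
}

# Usage (constructed device and path):
#   extract_stream /dev/sdb1 /Users/alice/Downloads/setup.exe Zone.Identifier zone.txt
```

Compressed or encrypted files are dumped in their raw form (see CAVEATS), so the printed hash describes the on-disk bytes rather than the plaintext.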
FILE PATH AND INODE
The FILE argument specifies the path to the file within the NTFS filesystem (e.g., /path/to/document.docx). Alternatively, if you know the file's inode number, you can use the -i option to specify the inode directly. This is particularly useful in recovery scenarios where the file's path might be corrupted or unknown.
HISTORY
The ntfscat utility is part of the ntfsprogs suite, a collection of command-line tools for managing and accessing NTFS filesystems from Linux and other Unix-like operating systems. Originally developed by Anton Altaparmakov and a team of contributors, ntfsprogs aimed to provide robust support for read-write operations on NTFS before the widespread adoption of the more comprehensive ntfs-3g driver. While ntfs-3g provides full filesystem mounting capabilities, tools like ntfscat remain valuable for direct disk access and forensic purposes.