ntfscat

reads a file from an NTFS volume and outputs it to stdout

TLDR

Extract file from NTFS

$ ntfscat /dev/[sda1] [path/to/file] > [output]

Extract by inode number

$ ntfscat /dev/[sda1] -i [12345] > [output]

Extract named data stream

$ ntfscat /dev/[sda1] [file]:stream > [output]

Force extraction

$ ntfscat -f /dev/[sda1] [file] > [output]

ntfscat reads a file from an NTFS volume and outputs its contents to standard output. Files can be referenced by their path within the volume or by MFT inode number, and named alternate data streams can be accessed using the `filename:stream` syntax.Useful for forensics and data recovery from NTFS partitions without mounting the volume.

PARAMETERS

-i, --inode num

Use inode number.

-a, --attribute type

Attribute type.

-n, --attr-name name

Attribute name.

-f, --force

Force operation.

-q, --quiet

Quiet mode.

CAVEATS

Requires ntfs-3g package. Device should be unmounted or mounted read-only. Windows paths use backslash.

HISTORY

ntfscat is part of ntfs-3g, the open-source NTFS driver and utilities, providing read access to NTFS filesystems.

ntfscat

reads a file from an NTFS volume and outputs it to stdout

TLDR

SYNOPSIS

DESCRIPTION

PARAMETERS

CAVEATS

HISTORY

SEE ALSO