ntfscat

ntfscat [options] volume path

-f, --logfile filename
    Write messages to filename instead of stderr.

-h, --help
    Display help information and exit.

-n, --no-sparse
    Do not make the output sparse.

-o, --offset offset
    Start at byte offset into file.

-s, --size size
    Read size bytes only.

-V, --version
    Display version information and exit.

volume
    The device file (e.g., /dev/sda1) or mount point representing the NTFS volume.

path
    The path to the file on the NTFS volume (e.g., /path/to/file.txt).

ntfscat is a command-line utility that allows users to display the contents of files residing on NTFS (New Technology File System) partitions. Unlike simple cat, ntfscat is designed to access files on NTFS volumes directly, even if the system is not booted into Windows or if the NTFS partition is not mounted. It's part of the ntfs-3g package, a collection of tools for working with NTFS volumes on Linux and other operating systems.

This tool is particularly useful for recovering data from corrupted or inaccessible NTFS partitions, or for examining files without the need to mount the partition read-write, thereby avoiding potential data corruption. ntfscat can also be used to view files that might be inaccessible through the standard file system interface due to permission issues or other restrictions. The main advantage is direct access to file data.

ntfscat provides read-only access to the file content. It does not allow for modification of the file. It requires the user to have appropriate permissions to access the device file representing the NTFS volume.

Display the content of file.txt on /dev/sda1:
ntfscat /dev/sda1 /path/to/file.txt

Display 1024 bytes from offset 512 of file.txt:
ntfscat -o 512 -s 1024 /dev/sda1 /path/to/file.txt

ntfscat is part of the ntfs-3g project, an open-source implementation of an NTFS driver. The project was developed to provide reliable read/write support for NTFS file systems on non-Windows platforms. ntfscat's development is tightly coupled with the advancements in reverse engineering of the NTFS file system structure. It is widely used in forensic investigations and data recovery scenarios.

ntfs-3g(8), ntfsck(8), ntfsclone(8)