ntfscluster

ntfscluster [OPTIONS] device cluster_number [cluster_number...]

-q, --quiet
    Suppress verbose output during the scan, showing only essential information.

-f, --force
    Force ntfscluster to run even if the volume is marked dirty, has a reparse point, or is hibernated. Use this option with extreme caution as it may lead to data inconsistencies or incorrect results if the volume is not in a consistent state.

-h, --help
    Display a help message and exit, showing available options and their brief descriptions.

-V, --version
    Output version information, copyright, and license details, then exit.

ntfscluster is a utility from the ntfsprogs suite designed to identify which files on an NTFS volume occupy one or more specified cluster numbers. This command is particularly useful for debugging and forensic purposes when filesystem errors are reported by tools like ntfsfix or chkdsk, pinpointing corruption to specific clusters. By providing the device path of the NTFS volume and the cluster numbers, ntfscluster scans the Master File Table (MFT) to map these clusters back to the files that own them.

It helps administrators and data recovery specialists understand the extent of data corruption or to trace specific data blocks to their associated files, aiding in recovery or detailed analysis of the filesystem state. Its primary function is to resolve cluster numbers to filenames, providing crucial information for diagnosing NTFS volume issues.

Accessing raw disk devices typically requires root privileges. Using the --force option on a dirty or hibernated NTFS volume can potentially lead to inconsistencies or incorrect results if the volume is not in a stable state. Always ensure the volume is unmounted or in a consistent state before performing operations unless absolutely necessary with --force.

In addition to the options, ntfscluster requires the following arguments for its operation:

• device: The path to the NTFS volume (e.g., /dev/sda1). This specifies which disk partition to analyze.
• cluster_number: One or more cluster numbers to search for. These are typically block addresses reported by other filesystem utilities or error messages, indicating specific data locations on the volume.

The command can return the following exit codes to indicate the result of its execution:

• 0: Success. The command completed its operation without errors.
• 1: Failure (e.g., syntax or usage error, an invalid device was specified, or a filesystem error prevented proper operation).
• 2: An internal error occurred within the program itself, indicating an unexpected condition.

To identify files using cluster 12345 on the NTFS partition /dev/sda1:
ntfscluster /dev/sda1 12345

To check multiple clusters at once, simply list them after the device path:
ntfscluster /dev/sda1 12345 12346 12347

ntfscluster is a utility developed by Anton Altaparmakov and is part of the ntfsprogs (now often distributed as part of ntfs-3g) suite. This suite provides a collection of robust tools for interacting with NTFS filesystems on Linux, including read, write, and repair functionalities. Its development has been crucial for robust NTFS support in the Linux ecosystem, allowing for detailed analysis and manipulation of Microsoft's proprietary filesystem.

ntfsprogs(8), ntfsinfo(8), ntfsfix(8), mkntfs(8), ntfsresize(8)