ntfscmp

ntfscmp [OPTIONS] DEVICE1 DEVICE2

-q, --quiet
    Suppress all output; only set the exit status.

-a, --all
    Compare all MFT records, including currently unused ones. Default is only used records.

-A, --attribute-all
    Compare all attribute records, including unused ones. Default is only used records.

-b, --bad-sectors
    Compare bad sector data structures.

-B, --boot
    Compare boot sectors.

-d, --data
    Compare data streams of files. This implies -m and -D.

-D, --directory
    Compare directory structures. This implies -m.

-f, --file
    Compare file content, which implies -d.

-i, --info
    Compare filesystem information like volume serial, version, etc.

-I, --index
    Compare index buffers.

-J, --logjournal
    Compare logjournal (USN Journal).

-m, --mft
    Compare MFT records.

-M, --mft-mirror
    Compare MFT mirror.

-s, --security
    Compare security descriptors.

-S, --sector
    Compare raw sectors directly. This can be very slow for large disks.

-u, --unused
    Also show differences in unused MFT records.

-U, --unused-clusters
    Show differences in unused clusters.

-v, --verbose
    Print more detailed information about differences found.

-h, --help
    Show a help message and exit.

-V, --version
    Show version information and exit.

ntfscmp is a utility from the ntfs-3g project designed to compare two NTFS filesystems residing on different block devices or image files. It examines various aspects of the filesystems to detect discrepancies, including boot records, MFT (Master File Table) entries, file attributes, directory structures, and even raw sector data.

This command is invaluable for verifying the integrity of cloned drives, validating backups against live systems, or identifying silent data corruption. It operates in a read-only manner, ensuring no modifications are made to the filesystems being compared. Users can specify which components to compare using various options, allowing for granular control over the comparison process, from high-level filesystem information to detailed file content and unused clusters.

ntfscmp requires direct access to the block devices or image files. It does not modify the filesystems being compared, operating in a purely read-only mode. When comparing file content (-f or -d) on large filesystems, the operation can be time-consuming and resource-intensive. It is designed for comparing entire filesystems, not individual files within them.

Ensure that the filesystems are unmounted or not in use by other processes to get a consistent comparison, especially when comparing live systems.

The command returns 0 if the two filesystems are identical. It returns 1 if differences are found between the filesystems. An exit status of 2 indicates an error occurred during execution.

This tool is most often used after cloning an NTFS drive to verify the integrity of the clone, or to periodically check a backup volume against a primary volume for any unexpected changes or data degradation. It's also useful for forensic analysis or debugging filesystem issues by comparing a suspect volume with a known good image.

ntfscmp is part of the ntfs-3g project, an open-source initiative that provides a robust and full-featured read-write NTFS driver for Linux, macOS, FreeBSD, NetBSD, Solaris, and other operating systems. The utilities bundled with ntfs-3g, including ntfscmp, are designed to extend the functionality and management capabilities for NTFS volumes beyond basic mounting, focusing on data integrity and advanced operations.

ntfsinfo(8), ntfsfix(8), ntfsclone(8), ntfslabel(8), fdisk(8), mount(8)