LinuxCommandLibrary

ntfsinfo

Display NTFS volume information

SYNOPSIS

ntfsinfo [options] device
ntfsinfo [options] device path

PARAMETERS

-m, --mft-record MFT_RECORD_NUMBER
    Display the contents of a specific MFT record by its number. Useful for examining file system metadata directly.

-i, --inode INODE
    Show information about a specific file or directory identified by its inode number. This provides details like file size, attributes, and security IDs.

-s, --security-id SID
    Display a security descriptor by its security ID. This allows inspection of access control lists associated with security objects.

-a, --attribute MFT_RECORD_NUMBER:ATTR_TYPE:ATTR_NAME:ATTR_ID
    Inspect a specific attribute of an MFT record. Requires detailed knowledge of NTFS attribute types for precise use.

-q, --quiet
    Suppress verbose output, showing only essential information.

-v, --verbose
    Produce more detailed output, showing additional file system and debugging information.

-h, --help
    Display a help message and exit.

-V, --version
    Show version information and exit.

DESCRIPTION

The ntfsinfo command is a utility from the ntfs-3g project, designed to display comprehensive information about an NTFS file system or specific files and directories residing on an NTFS volume. It allows users to inspect low-level details such as the volume's boot sector, file system version, cluster size, Master File Table (MFT) record size, and total MFT records. For individual files or directories, ntfsinfo can provide details like their inode number, size, attributes, security IDs, and data streams. This tool is invaluable for forensic analysis, troubleshooting NTFS volumes, or simply understanding the underlying structure of an NTFS partition on a Linux system. It operates in a read-only manner, ensuring data integrity during inspection.

CAVEATS

ntfsinfo typically requires root privileges to access block devices directly (e.g., /dev/sda1). It is a read-only tool and safe for inspection, but its low-level output is easy to misinterpret without a working understanding of the NTFS file system. It is strictly for NTFS volumes; it will not work with other file systems like ext4 or XFS.
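As an added example (not from the original page or the ntfs-3g project), the shell functions below confirm that a device or image starts with an NTFS boot sector and derive the cluster size and MFT record size from it, so the values ntfsinfo reports can be cross-checked independently. The function names and the sample sector are constructed for illustration; the sector-per-cluster field is assumed to use the classic plain-count encoding.

```shell
#!/bin/sh
# Added example: read-only cross-check of NTFS boot-sector fields.

# Unsigned little-endian readers: read_u8 FILE OFFSET, read_u16 FILE OFFSET.
read_u8() { od -An -tu1 -j "$2" -N1 "$1" | tr -d ' \n'; }
read_u16() {
  lo=$(read_u8 "$1" "$2"); hi=$(read_u8 "$1" $(( $2 + 1 )))
  echo $(( lo + hi * 256 ))
}

# True only if bytes 3..10 are the OEM ID "NTFS    " (hex compared, NUL-safe).
is_ntfs() {
  [ "$(od -An -tx1 -j3 -N8 "$1" | tr -d ' \n')" = "4e54465320202020" ]
}

# Bytes per sector (offset 0x0B) times sectors per cluster (offset 0x0D).
# Assumes the classic encoding where 0x0D is a plain count (1..128).
ntfs_cluster_size() {
  echo $(( $(read_u16 "$1" 11) * $(read_u8 "$1" 13) ))
}

# Offset 0x40 is a signed byte: positive means clusters per MFT record,
# negative means the record is 2^|n| bytes (0xF6 = -10 gives 1024).
ntfs_mft_record_size() {
  n=$(read_u8 "$1" 64)
  if [ "$n" -ge 128 ]; then
    echo $(( 1 << (256 - n) ))
  else
    echo $(( n * $(ntfs_cluster_size "$1") ))
  fi
}

# Hypothetical helper: one-line summary, or an error for non-NTFS targets.
boot_summary() {
  is_ntfs "$1" || { echo "not an NTFS boot sector: $1" >&2; return 1; }
  echo "cluster_size=$(ntfs_cluster_size "$1") mft_record_size=$(ntfs_mft_record_size "$1")"
}

# Constructed sample: a zeroed 512-byte sector with only those fields set.
make_sample_boot_sector() {
  dd if=/dev/zero of="$1" bs=512 count=1 2>/dev/null
  printf 'NTFS    ' | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
  printf '\000\002\010' | dd of="$1" bs=1 seek=11 conv=notrunc 2>/dev/null
  printf '\366' | dd of="$1" bs=1 seek=64 conv=notrunc 2>/dev/null
}

# Usage: sh thisfile.sh IMAGE_OR_DEVICE
if [ $# -gt 0 ]; then boot_summary "$1"; fi
```

Run it against a forensic image copy rather than the live device where possible; it only reads the first sector.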

COMMON USAGE PATTERNS

To inspect the boot sector and general volume information of an NTFS partition, you would typically run ntfsinfo /dev/sdXN, where /dev/sdXN is your NTFS partition.

To get information about a specific file or directory on a mounted NTFS volume, you would use ntfsinfo /dev/sdXN /path/to/file. Remember that the path must be relative to the root of the NTFS partition if the partition is not mounted, or the full path if mounted.

LOW-LEVEL ANALYSIS

One of the key strengths of ntfsinfo is its ability to delve into low-level NTFS structures. Options like --mft-record and --attribute are particularly useful for forensic investigators or developers who need to understand the precise layout and contents of the Master File Table (MFT) and its associated attributes, which define files, directories, and their metadata.

HISTORY

ntfsinfo is an integral part of the ntfs-3g project, which began development in the early 2000s to provide robust and reliable read/write support for NTFS file systems on Linux and other Unix-like operating systems. Prior to ntfs-3g, NTFS support on Linux was often limited to read-only capabilities or unstable write support. ntfsinfo, along with other utilities like ntfsfix and ntfsundelete, was developed to give users comprehensive tools for managing and diagnosing NTFS volumes, filling a critical gap in Linux's file system utility suite.

SEE ALSO

ntfs-3g(8), mkntfs(8), ntfsfix(8), fdisk(8), parted(8), lsblk(8)
