Print ntfs files and streams on the standard output
[options] device [file]
ntfscat will read a file or stream from an NTFS volume and display the contents on the standard output.
The case of the filename passed to ntfscat is ignored.
Below is a summary of all the options that ntfscat accepts. Nearly all options have two equivalent names. The short name is preceded by - and the long name is preceded by --. Any single letter options, that don't take an argument, can be combined into a single command, e.g. -fv is equivalent to -f -v. Long named options can be abbreviated to any unique prefix of their name.
-a, --attribute TYPE
Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.
Hex | Decimal | Name |
---|---|---|
0x10 | 16 | "$STANDARD_INFORMATION" |
0x20 | 32 | "$ATTRIBUTE_LIST" |
0x30 | 48 | "$FILE_NAME" |
0x40 | 64 | "$OBJECT_ID" |
0x50 | 80 | "$SECURITY_DESCRIPTOR" |
0x60 | 96 | "$VOLUME_NAME" |
0x70 | 112 | "$VOLUME_INFORMATION" |
0x80 | 128 | "$DATA" |
0x90 | 144 | "$INDEX_ROOT" |
0xA0 | 160 | "$INDEX_ALLOCATION" |
0xB0 | 176 | "$BITMAP" |
0xC0 | 192 | "$REPARSE_POINT" |
0xD0 | 208 | "$EA_INFORMATION" |
0xE0 | 224 | "$EA" |
0xF0 | 240 | "$PROPERTY_SET" |
0x100 | 256 | "$LOGGED_UTILITY_STREAM" |
Notes The attribute names may be given without the leading $ symbol.
If you use the $ symbol, you must quote the name to prevent the shell interpreting the name.
-n, --attribute-name NAME
Display this named attribute, stream.
-i, --inode NUM
Specify a file by its inode number instead of its name.
-f, --force
This will override some sensible defaults, such as not using a mounted volume. Use this option with caution.
-h, --help
Show a list of options with a brief description of each one.
-q, --quiet
Suppress some debug/warning/error messages.
-V, --version
Show the version number, copyright and license ntfscat.
-v, --verbose
Display more debug/warning/error messages.
Display the contents of a file in the root of an NTFS volume.
ntfscat /dev/hda1 boot.ini
Display the contents of a file in a subdirectory of an NTFS volume.
ntfscat /dev/hda1 /winnt/system32/drivers/etc/hosts
Display the contents of the $INDEX_ROOT attribute of the root directory (inode 5).
ntfscat /dev/hda1 -a INDEX_ROOT -i 5 | hexdump -C
There are no known problems with ntfscat. If you find a bug please send an email describing the problem to the development team:
ntfscat was written by Richard Russon, Anton Altaparmakov and Szabolcs Szakacsits. It was ported to ntfs-3g by Erik Larsson.
ntfscat is part of the ntfs-3g package and is available from:
http://www.tuxera.com/community/
Read libntfs(8) for details how to access encrypted files.
libntfs(8), ntfsls(8), ntfsprogs(8)