mft.body

$ target-query <path/to/target> -f mft.body

Details

Module	dissect.target.plugins.filesystem.ntfs.mft.MftPlugin
Output	lines

Module documentation

NTFS MFT plugin.

Function documentation

Return the MFT records of all NTFS filesystems in bodyfile format.

The file mode is not accurate. This value was only added to indicate if a record is a file or directory.

The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.

If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when available. When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.

References:

• https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table

• https://wiki.sleuthkit.org/index.php?title=Body_file