mft_timeline#
$ target-query <path/to/target> -f mft_timeline
Module |
|
Output |
|
Module documentation
No documentation
Function documentation
Return the MFT records of all NTFS filesystems in a human readable format (unsorted).
The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.
If the filesystem is part of a virtual NTFS filesystem (a VirtualFilesystem with the MFT properties
added to it through a “fake” NtfsFilesystem), the paths returned in the MFT records are based on the
mount point of the VirtualFilesystem. This ensures that the proper original drive letter is used when
available.
When no drive letter can be determined, the path will show as e.g. \$fs$\fs0.