
Paul's blogs/ramblings

MFTView

A small application I knocked up a while ago to look at the additional dates recorded in an MFT entry: besides the $STANDARD_INFORMATION timestamps that most tools display, every entry carries a second set of created/modified/MFT-modified/accessed timestamps in each of its $FILE_NAME attributes, and those are what MFTView surfaces.

You need to extract the $MFT from an image and then point MFTView at it. It then loads the complete MFT into a database (this can take a few minutes) and lets you navigate it as you would any file system.

www.sandersonforensics.com/Files/MFTView.zip
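The loading step above is the whole of what MFTView does for you. As an added example (my code, not MFTView's and not the author's), here is a minimal Python parser for one 1024-byte FILE record that applies the update-sequence fixups, walks the attribute list, pulls the $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) timestamps that the post calls the "additional dates", reports whether $DATA is resident, and flags the two classic timestomping indicators. The record bytes, the file names and the timestamps are all constructed inside the block (build_record) rather than read from a real volume; the offsets follow the NTFS on-disk layout for a post-XP record.

```python
"""Parse one NTFS MFT FILE record, pull its $STANDARD_INFORMATION (SI) and
$FILE_NAME (FN) timestamps and flag SI/FN inconsistencies.  Added example for
this post, not MFTView's code; the record bytes are constructed, not from a volume."""
import struct
from datetime import datetime, timedelta, timezone

SI, FN, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF           # attribute type codes
SECTOR = 512
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TS = ("created", "modified", "mft_modified", "accessed")   # FILETIME order in SI and FN


def to_filetime(dt):
    """datetime -> FILETIME (100ns ticks since 1601-01-01 UTC), integer math only."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(raw):
    """Undo the update sequence: the last 2 bytes of each sector hold the USN;
    the bytes they replaced sit in the update sequence array (USA) in the header."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def iter_attributes(rec):
    """Yield (type, resident, content-or-None) for each attribute in the record."""
    off = struct.unpack_from("<H", rec, 0x14)[0]             # first attribute offset
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen < 0x18:
            return
        resident = not rec[off + 8]                          # non-resident content is in data runs on disk
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10) if resident else (0, 0)
        yield atype, resident, rec[off + coff:off + coff + clen] if resident else None
        off += alen


def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    out = {"recno": struct.unpack_from("<I", rec, 0x2C)[0], "si": None, "fn": [], "data_resident": None}
    for atype, resident, content in iter_attributes(rec):
        if atype == SI:
            out["si"] = dict(zip(TS, struct.unpack_from("<4Q", content, 0)))
        elif atype == FN:                                    # one per name (Win32, DOS, ...)
            fn = dict(zip(TS, struct.unpack_from("<4Q", content, 8)))
            nlen, fn["namespace"] = content[64], content[65]
            fn["name"] = content[66:66 + 2 * nlen].decode("utf-16-le")
            out["fn"].append(fn)
        elif atype == DATA:
            out["data_resident"] = resident
    return out


def timestomp_indicators(parsed):
    """Heuristics only: a move between volumes also leaves SI created < FN created."""
    si, flags = parsed["si"], []
    for fn in parsed["fn"] if si else []:
        if si["created"] < fn["created"]:    # FN times are kernel-set; user-mode tools touch SI
            flags.append("SI created precedes FN created for %r" % fn["name"])
    if si and all(t % 10_000_000 == 0 for t in si.values()):
        flags.append("all SI timestamps have a zero sub-second part")
    return flags


def _attr(atype, content, aid):
    """Resident attribute: 0x18-byte header + content, length padded to 8 bytes."""
    body = bytearray(struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0, 0, aid, len(content), 0x18, 0, 0))
    body += content + b"\0" * (-(0x18 + len(content)) % 8)
    struct.pack_into("<I", body, 4, len(body))
    return bytes(body)


def build_record(recno, name, si_times, fn_times):
    """Constructed 1024-byte in-use FILE record with resident SI, FN and $DATA."""
    si = struct.pack("<4Q4I2I2Q", *si_times, 0x20, 0, 0, 0, 0, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 0, 0, 0x20, 0, len(name), 3)
    fn += name.encode("utf-16-le")                           # parent ref = root dir (record 5)
    attrs = _attr(SI, si, 0) + _attr(FN, fn, 1) + _attr(DATA, b"constructed", 2) + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attrs), 1024, 0, 3, 0, recno)
    usn = b"\x42\x00"
    rec = bytearray(hdr + usn + b"\0" * 6 + attrs)           # 4 USA bytes (filled below) + 2 pad
    rec += b"\0" * (1024 - len(rec))
    for i in (1, 2):                                         # stash sector-end bytes, stamp the USN
        end = i * SECTOR
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


REAL = to_filetime(datetime(2023, 3, 14, 9, 26, 53, 589793, tzinfo=timezone.utc))
FAKE = to_filetime(datetime(2009, 7, 14, 0, 0, 0, tzinfo=timezone.utc))  # older, whole second
CLEAN = build_record(41, "notes.txt", (REAL,) * 4, (REAL,) * 4)
STOMPED = build_record(42, "evil.exe", (FAKE,) * 4, (REAL,) * 4)        # SI backdated, FN untouched
```

Calling parse_record(STOMPED) followed by timestomp_indicators(...) returns both flags, while the CLEAN record returns none. To run this over an extracted $MFT, slice the file into 1024-byte chunks (4096 on volumes formatted with the larger record size) and skip chunks whose first four bytes are not FILE. Treat the indicators as leads, not proof: a move between volumes legitimately leaves SI created earlier than FN created, and files extracted from ZIP archives or copied from FAT media carry whole-second timestamps too. Non-resident $DATA is only reported as such; decoding its data runs is a separate exercise.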


Categories
Software

Comments

  1. Paul
    I am actively working on this at the moment and I am incorporating a LinkAlyzer/PmExplorer type hex view that will allow you to step through every single byte of an MFT entry and see where in the raw hex the data is stored.

    Watch this space.

  2. jpascoe
    Looks great! Will it also show if the data is resident or non-resident? Will it identify the clusters/data runs for each file?
  3. Paul
    Thanks for the feedback - not yet, but this sort of feedback is exactly what I want to see for all of my software.

    MFTView is a freebie though and so development is as and when I can afford the time. But your observations are important and these features should be included soon.
  4. Magis
    Hello Paul. MFTView was referenced in SANS FOR508 as a good tool for parsing $FILE_NAME timestamps. I can't access the download. Is the tool still available and supported through ongoing development? I can see the posts are quite a few years old so I'm thinking probably not?

    Thank you for your ongoing support of the forensics community.
  5. Paul
    Hi Magis

    I removed access to the download because the program has not been updated since 2010. I was not aware that SANS referred to it on any of their courses.