mft-parse

Primary language: Pascal

The following command-line options are valid:

--drive= selected drive/partition to dump the MFT for (default: c:)
--filter= optional, pattern to filter files
--filename= optional, will use an offline MFT dump
--first_record= optional, first MFT record to start enumerating (default: 16)
--db3 optional, will dump records to the mft.db3 SQLite DB
--dr optional, will display dataruns, i.e. the clusters used by a file - needs the filter flag
--dr_backup optional, will dump dataruns, i.e. the clusters used by a file - needs the dr flag
--dt optional, will display deleted files only
--mft_backup optional, will back up the MFT to mft.dmp - not supported in offline mode or if the MFT is fragmented

select.ps1 is a PowerShell example that queries mft.db3.
select-BIG25.ps1 will output the top 25 biggest files.
select-OLD25.ps1 will output the top 25 oldest files.
select-SIZEBEFORE2020.ps1 will output the sum of file sizes changed prior to 2020.
select-SIZEPERYEAR.ps1 will output the sum of file sizes per year.
select-COMPRESSED.ps1 will display files with flag=compressed.
You can download System.Data.SQLite for PowerShell from here (recommended: .NET 4.6): https://system.data.sqlite.org/index.html/doc/trunk/www/downloads-unsup.wiki

Some notes/thoughts:

If the MFT is fragmented, you will need to back it up with extents-win64, like this: extents-win64.exe c:$mft mft.dmp
Then use the --mft_filename parameter to dump the MFT.
You can also back up a fragmented MFT the following way: mft-win32.exe --drive=c: --filter=$mft --first_record=0 --last_record=15 --dr --dr_backup

Both MBR and GPT partitions are supported.

FileCreationTime is the time that the file was created on a disk partition.
It will be updated if you move a file to a different partition/disk on your computer, but because the content hasn't changed, the LastWriteTime won't be.
So you can end up in a situation where your FileCreationTime is later than your FileChangeTime.

FileChangeTime is the time that the file content was updated.

LastWriteTime is the same as FileChangeTime, except that it is also updated when metadata is changed (r/w, ACL, etc.).
This date and time refers to when the MFT record itself was last changed. It is not displayed to the user.

LastAccessTime cannot be trusted, as last-access updates can be disabled and not all Windows versions use the same setting here.
Simply cannot be trusted...

FileAttributes is also stored; the possible values are listed below.

Value Description
0x0001 Read only
0x0002 Hidden
0x0004 System
0x0020 Archive
0x0040 Device
0x0080 Normal
0x0100 Temporary
0x0200 Sparse file
0x0400 Reparse point
0x0800 Compressed
0x1000 Offline
0x2000 Content not indexed
0x4000 Encrypted
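Putting the timestamp note and the attribute table above to use, as an added example in Python (not part of mft-parse and not one of the PowerShell scripts listed above): it decodes a FileAttributes bitmask with the values from the table, selects compressed files from an SQLite table by testing the 0x0800 bit rather than comparing for equality, and flags records whose FileCreationTime is later than FileChangeTime, the cross-partition move case described earlier. The mft table columns and the sample rows are assumptions constructed for the example; mft-parse's actual mft.db3 layout may differ.

```python
import sqlite3

# FileAttributes bit values, taken from the table in this README.
FILE_ATTRIBUTES = {
    0x0001: "Read only", 0x0002: "Hidden", 0x0004: "System", 0x0020: "Archive",
    0x0040: "Device", 0x0080: "Normal", 0x0100: "Temporary", 0x0200: "Sparse file",
    0x0400: "Reparse point", 0x0800: "Compressed", 0x1000: "Offline",
    0x2000: "Content not indexed", 0x4000: "Encrypted",
}
KNOWN_MASK = sum(FILE_ATTRIBUTES)  # every bit the table documents

def decode_attributes(value: int) -> list[str]:
    """Expand a FileAttributes bitmask into the table's names, lowest bit first."""
    names = [name for bit, name in sorted(FILE_ATTRIBUTES.items()) if value & bit]
    if value & ~KNOWN_MASK:  # undocumented bits are reported, not silently dropped
        names.append(f"Unknown(0x{value & ~KNOWN_MASK:04x})")
    return names

# Hypothetical column layout: an assumption for this example, not mft-parse's real mft.db3 schema.
SCHEMA = """CREATE TABLE mft (filename TEXT, filesize INTEGER, fileattributes INTEGER,
    filecreationtime TEXT, filechangetime TEXT, lastwritetime TEXT)"""

# Constructed sample records; ISO-8601 text timestamps compare correctly as strings.
SAMPLE_ROWS = [
    ("C:\\Users\\a\\report.docx", 20480, 0x0020,
     "2021-03-01T10:00:00", "2021-03-05T12:00:00", "2021-03-05T12:00:00"),
    # copied from another partition in 2022: creation is now later than the content change
    ("C:\\Users\\a\\moved.pdf", 1048576, 0x0020,
     "2022-06-01T09:00:00", "2019-11-20T08:30:00", "2019-11-20T08:30:00"),
    ("C:\\Users\\a\\archive.bin", 4096, 0x0820,
     "2020-01-10T08:00:00", "2020-01-12T08:00:00", "2020-02-01T08:00:00"),
]

def load_sample_db() -> sqlite3.Connection:
    """In-memory DB with the assumed schema, filled with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("INSERT INTO mft VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con

def compressed_files(con: sqlite3.Connection) -> list[str]:
    """Same idea as select-COMPRESSED.ps1: test the Compressed bit, not equality with 0x0800."""
    rows = con.execute("SELECT filename FROM mft WHERE (fileattributes & ?) != 0", (0x0800,))
    return [r[0] for r in rows]

def created_after_change(con: sqlite3.Connection) -> list[str]:
    """Files whose FileCreationTime is later than FileChangeTime (the cross-partition move case)."""
    rows = con.execute("SELECT filename FROM mft WHERE filecreationtime > filechangetime")
    return [r[0] for r in rows]
```

The bit test matters because a compressed file usually carries other bits too (0x0820 here, Archive plus Compressed), so a query for fileattributes = 0x0800 would miss it.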