- Recreates the File/Directory tree structure based on an offline (extracted) $MFT file.
- The 'Node Properties' right-click option, or double-clicking any file/directory entry, shows the full MFT details for that record.
- Clicking on any detail of the record shows the source of that detail in the Hex view grid.
- All timestamps are in UTC
You'll need a $MFT or $MFTMirr file previously extracted by another tool (e.g. FTK Imager or Export-MFT.ps1).
Recreating the directory tree from large MFT files might take a lot of time (possibly hours), as it needs to map each child record to its parent node, and as the structure grows, the time needed grows exponentially.
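The child-to-parent mapping described above, as an added example rather than MFTbrowser's own code: each in-use FILE record's $FILE_NAME attribute holds a parent directory reference, and following it up to record 5 (the root) gives the full path. The function names, the 1024-byte record size and the sample records are assumptions constructed for illustration; update-sequence fixups and extension records are not handled.

```python
import struct

RECORD_SIZE, ROOT = 1024, 5  # assumed record size; record 5 is the NTFS root directory

def parse_record(rec):
    """Return (parent_record, name) from an in-use FILE record, else None."""
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    if rec[:4] != b"FILE" or not flags & 0x01:         # 0x01 = record in use
        return None
    best = None
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18:         # end marker or corrupt length
            break
        if atype == 0x30 and rec[off + 8] == 0:        # resident $FILE_NAME
            c = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            parent = int.from_bytes(rec[c:c + 6], "little")  # low 48 bits; top 16 = sequence
            name = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]].decode("utf-16-le", "replace")
            if best is None or rec[c + 0x41] != 2:     # prefer long name over DOS 8.3
                best = (parent, name)
        off += alen
    return best

def build_paths(mft):
    """Map record number -> path by following parent references up to the root."""
    recs = (parse_record(mft[i:i + RECORD_SIZE])
            for i in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE))
    nodes = {n: r for n, r in enumerate(recs) if r}
    paths = {}
    for n in nodes:
        parts, cur, seen = [], n, set()
        while cur != ROOT and cur in nodes and cur not in seen:  # stop at root, orphan, loop
            seen.add(cur)
            parts.append(nodes[cur][1])
            cur = nodes[cur][0]
        paths[n] = ("\\" if cur == ROOT else "\\<orphan>\\") + "\\".join(reversed(parts))
    return paths

def make_record(parent, name, flags):
    """Constructed (not real) FILE record; flags 1 = in use, 3 = in-use directory."""
    body = struct.pack("<Q56xBB", parent | 1 << 48, len(name), 1) + name.encode("utf-16-le")
    alen = (0x18 + len(body) + 7) & ~7
    attr = struct.pack("<II8xIH2x", 0x30, alen, len(body), 0x18) + body
    head = b"FILE" + bytes(0x10) + struct.pack("<HH", 0x38, flags) + bytes(0x20)
    return (head + attr.ljust(alen, b"\0") + b"\xff" * 4).ljust(RECORD_SIZE, b"\0")

# Constructed sample: records 0-4 empty, 5 = root, 6 = directory, 7 = file in 6, 8 = orphan
SAMPLE = bytes(5 * RECORD_SIZE) + b"".join(make_record(*a) for a in [
    (5, ".", 3), (5, "Users", 3), (6, "notes.txt", 1), (9, "lost.dat", 1)])
print(build_paths(SAMPLE))
```

On a real extract, pass the file's bytes to `build_paths`; records whose parent chain never reaches the root are listed under `\<orphan>`.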
- Using MFTbrowser
- How to view a single record from a large MFT file
- Reparse point examples (pdf)
- Small test $MFT files to play with can be found here and here
Based on $MFT Record Viewer
Note: WinHex/XWF templates were moved here