Name
ntfscat - print NTFS files and streams on the standard outputSynopsis
[options] device [file]Description
ntfscat will read a file or stream from an NTFS volume and display the contents on the standard output.The case of the filename passed to ntfscat is ignored.
Options
Below is a summary of all the options that ntfscat accepts. Nearly all options have two equivalent names. The short name is preceded by - and the long name is preceded by -- .Any single letter options, that don't take an argument, can be combined into a single command, e.g. -fv is equivalent to "-f -v" .Long named options can be abbreviated to any unique prefix of their name.-a, --attribute TYPE Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.
Hex | Decimal | Name |
0x10 | 16 | "$STANDARD_INFORMATION" |
0x20 | 32 | "$ATTRIBUTE_LIST" |
0x30 | 48 | "$FILE_NAME" |
0x40 | 64 | "$OBJECT_ID" |
0x50 | 80 | "$SECURITY_DESCRIPTOR" |
0x60 | 96 | "$VOLUME_NAME" |
0x70 | 112 | "$VOLUME_INFORMATION" |
0x80 | 128 | "$DATA" |
0x90 | 144 | "$INDEX_ROOT" |
0xA0 | 160 | "$INDEX_ALLOCATION" |
0xB0 | 176 | "$BITMAP" |
0xC0 | 192 | "$REPARSE_POINT" |
0xD0 | 208 | "$EA_INFORMATION" |
0xE0 | 224 | "$EA" |
0xF0 | 240 | "$PROPERTY_SET" |
0x100 | 256 | "$LOGGED_UTILITY_STREAM" |
-n, --attribute-name NAME Display this named attribute, stream.
-i, --inode NUM Specify a file by its inode number instead of its name.
-f, --force This will override some sensible defaults, such as not using a mounted volume. Use this option with caution.
-h, --help Show a list of options with a brief description of each one.
-q, --quiet Suppress some debug/warning/error messages.
-V, --version Show the version number, copyright and license ntfscat .
-v, --verbose Display more debug/warning/error messages.