ntfscat - display NTFS files and streams on the standard output


ntfscat [options] device [file]


The ntfscat command reads a file or stream from an NTFS volume and display the contents on the standard output.

The case of the filename passed to ntfscat is ignored.


Supported options are listed below. Most options have both single-letter and full-name forms. Multiple single-letter options that do not take an argument can be combined. For example, –fv is the equivalent of –f –v. A full-name option can be abbreviated to a unique prefix of its name.

–a, –-attribute type

Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.

Hex     Decimal Name
0x10    16      "$STANDARD_INFORMATION"
0x20    32      "$ATTRIBUTE_LIST"
0x30    48      "$FILE_NAME"
0x40    64      "$OBJECT_ID"
0x50    80      "$SECURITY_DESCRIPTOR"
0x60    96      "$VOLUME_NAME"
0x70    112     "$VOLUME_INFORMATION"
0x80    128     "$DATA"
0x90    144     "$INDEX_ROOT"
0xA0    160     "$INDEX_ALLOCATION"
0xB0    176     "$BITMAP"
0xC0    192     "$REPARSE_POINT"
0xD0    208     "$EA_INFORMATION"
0xE0    224     "$EA"
0xF0    240     "$PROPERTY_SET"
0x100   256     "$LOGGED_UTILITY_STREAM"

The attribute names can be specified without the leading dollar sign ($) symbol. If you use the $ symbol, you must quote the name to prevent the shell from interpreting the name.

–f, –-force

Overrides some sensible defaults, such as not using a mounted volume. Use this option with caution.

–h, –-help

Show a list of options with a brief description of each.

–i, –-inode num

Specify a file by its inode number instead of its name.

–n, –-attribute-name name

Display the attribute identified by name.

–q, –-quiet

Suppress some debug, warning, and error messages.

–V, –-version

Show the version number, copyright, and license information.

–v, –-verbose

Display more debug, warning, and error messages.


Example 1 Displaying Contents of File in Root

The following command displays the contents of a file in the root of an NTFS volume.

# ntfscat /dev/dsk/c0d0p1 boot.ini
Example 2 Displaying Contents of File in Subdirectory

The following command displays the contents of a file in a subdirectory of an NTFS volume.

# ntfscat /dev/dsk/c0d0p1 /winnt/system32/drivers/etc/hosts
Example 3 Display Contents of an Attribute

The following command displays the contents of the $INDEX_ROOT attribute of the root directory (inode 5).

# ntfscat /dev/dsk/c0d0p1 -a INDEX_ROOT -i 5


See attributes(5) for descriptions of the following attributes:

Interface Stability

See also

ntfsls(1M), ntfsprogs(1M), parted(1M), attributes(5)



ntfscat was written by Richard Russon, Anton Altaparmakov and Szabolcs Szakacsits.