ntfscat - display NTFS files and streams on the standard output
ntfscat [options] device [file]
The ntfscat command reads a file or stream from an NTFS volume and display the contents on the standard output.
The case of the filename passed to ntfscat is ignored.
Supported options are listed below. Most options have both single-letter and full-name forms. Multiple single-letter options that do not take an argument can be combined. For example, –fv is the equivalent of –f –v. A full-name option can be abbreviated to a unique prefix of its name.
Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.
Hex Decimal Name 0x10 16 "$STANDARD_INFORMATION" 0x20 32 "$ATTRIBUTE_LIST" 0x30 48 "$FILE_NAME" 0x40 64 "$OBJECT_ID" 0x50 80 "$SECURITY_DESCRIPTOR" 0x60 96 "$VOLUME_NAME" 0x70 112 "$VOLUME_INFORMATION" 0x80 128 "$DATA" 0x90 144 "$INDEX_ROOT" 0xA0 160 "$INDEX_ALLOCATION" 0xB0 176 "$BITMAP" 0xC0 192 "$REPARSE_POINT" 0xD0 208 "$EA_INFORMATION" 0xE0 224 "$EA" 0xF0 240 "$PROPERTY_SET" 0x100 256 "$LOGGED_UTILITY_STREAM"
The attribute names can be specified without the leading dollar sign ($) symbol. If you use the $ symbol, you must quote the name to prevent the shell from interpreting the name.
Overrides some sensible defaults, such as not using a mounted volume. Use this option with caution.
Show a list of options with a brief description of each.
Specify a file by its inode number instead of its name.
Display the attribute identified by name.
Suppress some debug, warning, and error messages.
Show the version number, copyright, and license information.
Display more debug, warning, and error messages.
The following command displays the contents of a file in the root of an NTFS volume.
# ntfscat /dev/dsk/c0d0p1 boot.iniExample 2 Displaying Contents of File in Subdirectory
The following command displays the contents of a file in a subdirectory of an NTFS volume.
# ntfscat /dev/dsk/c0d0p1 /winnt/system32/drivers/etc/hostsExample 3 Display Contents of an Attribute
The following command displays the contents of the $INDEX_ROOT attribute of the root directory (inode 5).
# ntfscat /dev/dsk/c0d0p1 -a INDEX_ROOT -i 5
See attributes(7) for descriptions of the following attributes:
ntfscat was written by Richard Russon, Anton Altaparmakov and Szabolcs Szakacsits.