Codex

NTFSCAT

Section: Maintenance Commands (8)

Updated: September 2007

Index?action=index Return to Main Contents


NAME

ntfscat - print NTFS files and streams on the standard output

SYNOPSIS

[options] device [file]

DESCRIPTION

ntfscat will read a file or stream from an NTFS volume and display the contents on the standard output.

The case of the filename passed to ntfscat is ignored.

OPTIONS

Below is a summary of all the options that ntfscat accepts. Nearly all options have two equivalent names. The short name is preceded by and the long name is preceded by -. Any single letter options, that don't take an argument, can be combined into a single command, e.g. -fv is equivalent to -f -v. Long named options can be abbreviated to any unique prefix of their name.

-a, --attribute TYPE
Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name.

<TABLE BORDER> <TR> <TD> <TABLE> <TR VALIGN="top| <TD CLASS="c1|Hex</TD> <TD CLASS="c1|Decimal</TD> <TD>Name

</TD> </TR> <TR VALIGN="top| <TD>0x10</TD> <TD>16</TD> <TD>"$STANDARD_INFORMATION"

</TD> </TR> <TR VALIGN="top| <TD>0x20</TD> <TD>32</TD> <TD>"$ATTRIBUTE_LIST"

</TD> </TR> <TR VALIGN="top| <TD>0x30</TD> <TD>48</TD> <TD>"$FILE_NAME"

</TD> </TR> <TR VALIGN="top| <TD>0x40</TD> <TD>64</TD> <TD>"$OBJECT_ID"

</TD> </TR> <TR VALIGN="top| <TD>0x50</TD> <TD>80</TD> <TD>"$SECURITY_DESCRIPTOR"

</TD> </TR> <TR VALIGN="top| <TD>0x60</TD> <TD>96</TD> <TD>"$VOLUME_NAME"

</TD> </TR> <TR VALIGN="top| <TD>0x70</TD> <TD>112</TD> <TD>"$VOLUME_INFORMATION"

</TD> </TR> <TR VALIGN="top| <TD>0x80</TD> <TD>128</TD> <TD>"$DATA"

</TD> </TR> <TR VALIGN="top| <TD>0x90</TD> <TD>144</TD> <TD>"$INDEX_ROOT"

</TD> </TR> <TR VALIGN="top| <TD>0xA0</TD> <TD>160</TD> <TD>"$INDEX_ALLOCATION"

</TD> </TR> <TR VALIGN="top| <TD>0xB0</TD> <TD>176</TD> <TD>"$BITMAP"

</TD> </TR> <TR VALIGN="top| <TD>0xC0</TD> <TD>192</TD> <TD>"$REPARSE_POINT"

</TD> </TR> <TR VALIGN="top| <TD>0xD0</TD> <TD>208</TD> <TD>"$EA_INFORMATION"

</TD> </TR> <TR VALIGN="top| <TD>0xE0</TD> <TD>224</TD> <TD>"$EA"

</TD> </TR> <TR VALIGN="top| <TD>0xF0</TD> <TD>240</TD> <TD>"$PROPERTY_SET"

</TD> </TR> <TR VALIGN="top| <TD>0x100</TD> <TD>256</TD> <TD>"$LOGGED_UTILITY_STREAM"

</TD> </TR> </TABLE> </TD> </TR> </TABLE>

Notes The attribute names may be given without the leading $ symbol.

If you use the $ symbol, you must quote the name to prevent the shell interpreting the name.

:

-n, --attribute-name NAME
Display this named attribute, stream.:
-i, --inode NUM
Specify a file by its inode number instead of its name.:
-f, --force
This will override some sensible defaults, such as not using a mounted volume. Use this option with caution.:
-h, --help
Show a list of options with a brief description of each one.:
-q, --quiet
Suppress some debug/warning/error messages.:
-V, --version
Show the version number, copyright and license ntfscat.:
-v, --verbose
Display more debug/warning/error messages.:

EXAMPLES

Display the contents of a file in the root of an NTFS volume.

:

ntfscat /dev/hda1 boot.ini

:

Display the contents of a file in a subdirectory of an NTFS volume.

:

ntfscat /dev/hda1 /winnt/system32/drivers/etc/hosts

:

Display the contents of the $INDEX_ROOT attribute of the root directory (inode 5).

:

ntfscat /dev/hda1 -a INDEX_ROOT -i 5 | hexdump -C

:

BUGS

There are no known problems with ntfscat. If you find a bug please send an email describing the problem to the development team:

[email protected]

AUTHORS

ntfscat was written by Richard Russon, Anton Altaparmakov and Szabolcs Szakacsits. It was ported to ntfs-3g by Erik Larsson.

AVAILABILITY

ntfscat is part of the ntfs-3g package and is available from:

http://www.tuxera.com/community/

SEE ALSO

Read libntfs?(8) for details how to access encrypted files.

libntfs?(8), ntfsls?(8), ntfsprogs?(8)


Index

NAME

SYNOPSIS

DESCRIPTION

OPTIONS

EXAMPLES

BUGS

AUTHORS

AVAILABILITY

SEE ALSO