Linux command
ntfscat 命令
文件
涉及管道、覆盖或删除,执行前请先确认路径和参数。
常用示例
Extract file from NTFS
ntfscat /dev/[sda1] [path/to/file] > [output]
Extract by inode number
ntfscat /dev/[sda1] -i [12345] > [output]
Extract named data stream
ntfscat /dev/[sda1] [file]:stream > [output]
Force extraction
ntfscat -f /dev/[sda1] [file] > [output]
说明
ntfscat reads a file from an NTFS volume and outputs its contents to standard output. Files can be referenced by their path within the volume or by MFT inode number, and named alternate data streams can be accessed using the `filename:stream` syntax. Useful for forensics and data recovery from NTFS partitions without mounting the volume.
参数
- -i, --inode _num_
- Use inode number.
- -a, --attribute _type_
- Attribute type.
- -n, --attr-name _name_
- Attribute name.
- -f, --force
- Force operation.
- -q, --quiet
- Quiet mode.
FAQ
What is the ntfscat command used for?
ntfscat reads a file from an NTFS volume and outputs its contents to standard output. Files can be referenced by their path within the volume or by MFT inode number, and named alternate data streams can be accessed using the `filename:stream` syntax. Useful for forensics and data recovery from NTFS partitions without mounting the volume.
How do I run a basic ntfscat example?
Run `ntfscat /dev/[sda1] [path/to/file] > [output]` in a terminal, then adjust file names, paths, flags, or remote targets for your system.
What does -i, --inode _num_ do in ntfscat?
Use inode number.