Getting Started

Learn the basic principles of exhuming an NTFS filesystem from a disk image.

The exhume NTFS module is helping the investigator to analyse the NT File System and extract specific artefacts and metadata. Unlike the FileSystem module, exhume ntfs can propose some advanced capabilities.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is built with Rust and requires it for development or compilation.

Linux and MacOs
Windows

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Visit https://www.rust-lang.org/tools/install to install rustup You can also use winget to install rustup using the following command in PowerShell:

winget install --id Rustlang.Rustup

important

Be sure to restart your Terminal (and in some cases your system) for the changes to take affect.

Installing Exhume NTFS

The following will install Exhume NTFS globally.

cargo install exhume_ntfs@0.1.1

🚀 Basic Usage

Options

Option	Description
`-b`, `--body <body>`	The path to the body to exhume.
`-f`, `--format <format>`	The format of the file, either `'raw'` or `'ewf'`.
`-o`, `--offset <offset>`	The NTFS partition start address (decimal or hex).
`-s`, `--size <size>`	The size of the NTFS partition in sectors (decimal or hex).
`--pbs`	Display the partition boot sector information.
`--file <file_id>`	Display the metadata about a specific file identifier.
`-d`, `--dir_entry`	If `--file` is specified and it is a directory, list its directory entries.
`--mft`	Display the high-level Master File Table (MFT) information.
`--dump`	Dump the file content to `file_<ID>.bin` (requires `--file`).
`-j`, `--json`	Output certain structures (`pbs`, `file`, `mft`) in JSON format.
`-l`, `--log-level <log_level>`	Set the log verbosity level. Default: `info`. Possible values: `error`, `warn`, `info`, `debug`, `trace`.
`-h`, `--help`	Print help.
`-V`, `--version`	Print version.

Usage:

exhume_ntfs [OPTIONS] --body <body> --offset <offset> --size <size>

📘 Example

cargo run -- -b 4orensics.001 --offset 0x0 --size 0x448DC9400 --file 110349

This will:

Open 4orensics.001 as a autodetected format file
Start reading at offset 0x0 of size 0x448DC9400
Display the metadata for file identifier 110349

Example output:

[2025-05-02T17:48:51Z INFO  exhume_body] Detected RAW Data
[2025-05-02T17:48:51Z INFO  exhume_ntfs] MFT entry 110349 read from LBA 0x448DC9400
+--------------------------+-----------+
| MFT Entry Header Values  |           |
+--------------------------+-----------+
| Sequence                 | 2         |
+--------------------------+-----------+
| $LogFile Sequence Number | 286210285 |
+--------------------------+-----------+
| Flags                    | None      |
+--------------------------+-----------+
| Links                    | 2         |
+--------------------------+-----------+


+-------------------------------+------+----------+------+
| Attributes                    | Name | Status   | Size |
+-------------------------------+------+----------+------+
| StandardInformation (0x10‑#0) | N/A  | Resident | 72   |
+-------------------------------+------+----------+------+
| FileName (0x30‑#5)            | N/A  | Resident | 90   |
+-------------------------------+------+----------+------+
| FileName (0x30‑#4)            | N/A  | Resident | 120  |
+-------------------------------+------+----------+------+
| Data (0x80‑#1)                | N/A  | Resident | 384  |
+-------------------------------+------+----------+------+

+-----------------------+----------------------------------+
| $STANDARD_INFORMATION |                                  |
+-----------------------+----------------------------------+
| Created               | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| File Modified         | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| MFT Modified          | 2016-06-21T11:20:16.703729+00:00 |
+-----------------------+----------------------------------+
| Accessed              | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| Flags                 | ARCHIVE                          |
+-----------------------+----------------------------------+
| Owner ID              | 0                                |
+-----------------------+----------------------------------+
| Security ID           | 971                              |
+-----------------------+----------------------------------+
| Quota Charged         | 0                                |
+-----------------------+----------------------------------+
| Last USN              | 30882792                         |
+-----------------------+----------------------------------+

+-----------------------+----------------------------------+
| $FILE_NAME Attributes |                                  |
+-----------------------+----------------------------------+
| Name                  | STATUS~1.PYC                     |
+-----------------------+----------------------------------+
| Parent MFT            | 110110 (seq 2)                   |
+-----------------------+----------------------------------+
| Allocated             | 384                              |
+-----------------------+----------------------------------+
| Actual                | 384                              |
+-----------------------+----------------------------------+
| Flags                 | None                             |
+-----------------------+----------------------------------+
| Timestamps            |                                  |
+-----------------------+----------------------------------+
| ‑ Created             | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| ‑ Modified            | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ MFT Mod             | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ Accessed            | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
|                       |                                  |
+-----------------------+----------------------------------+
| Name                  | status_codes.cpython-35.pyc      |
+-----------------------+----------------------------------+
| Parent MFT            | 110110 (seq 2)                   |
+-----------------------+----------------------------------+
| Allocated             | 384                              |
+-----------------------+----------------------------------+
| Actual                | 384                              |
+-----------------------+----------------------------------+
| Flags                 | None                             |
+-----------------------+----------------------------------+
| Timestamps            |                                  |
+-----------------------+----------------------------------+
| ‑ Created             | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| ‑ Modified            | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ MFT Mod             | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ Accessed            | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
|                       |                                  |
+-----------------------+----------------------------------+

🛠️ Prerequisites​

Installing Rust​

Installing Exhume NTFS​

🚀 Basic Usage​

Options​

📘 Example​