
Getting Started

Learn the basic principles of exhuming an NTFS filesystem from a disk image.

The exhume NTFS module helps the investigator analyse the NT File System and extract specific artefacts and metadata. Unlike the FileSystem module, exhume ntfs offers some advanced capabilities.

🛠️ Prerequisites

Installing Rust

The Exhume Toolkit is built with Rust and requires it for development or compilation.

curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh

Installing Exhume NTFS

The following will install Exhume NTFS globally.

cargo install exhume_ntfs

🚀 Basic Usage

Options

Options:
-b, --body <body> The path to the body to exhume.
-f, --format <format> The format of the file, either 'raw' or 'ewf'.
-o, --offset <offset> The NTFS partition starts at address (decimal or hex).
-s, --size <size> The size of the NTFS partition in sectors (decimal or hex).
--usnjrnl Parse and display entries from $UsnJrnl:$J.
--mode <mode> Reuse detection: off | journal (USN only) | full (USN + current MFT) [default: journal] [possible values: off, journal, full]
--filter <filter> Filter USN records to those whose file_ref index matches this FRN index (decimal or hex).
--match_parent When filtering, also keep records whose parent_ref index matches.
--pbs Display the partition boot sector information.
--file <file_id> Display the metadata about a specific file identifier.
-d, --dir_entry If --file is specified and it is a directory, list its directory entries.
--bootstrap Display the disassembled bootstrap code from the pbs.
--dump Dump the file content to file_<ID>.bin (requires --file)
-j, --json Output certain structures (pbs, file, mft) in JSON format.
-l, --log-level <log_level> Set the log verbosity level [default: info] [possible values: error, warn, info, debug, trace]
-h, --help Print help
-V, --version Print version

Usage:

exhume_ntfs [OPTIONS] --body <body> --offset <offset> --size <size>

📘 Examples

Exhume an MFT record

cargo run -- -b 4orensics.001 --offset 0x0 --size 0x448DC9400 --file 110349

This will:

  • Open 4orensics.001 as an auto-detected format file
  • Start reading at offset 0x0 of size 0x448DC9400
  • Display the metadata for file identifier 110349

Example output:

[2025-05-02T17:48:51Z INFO  exhume_body] Detected RAW Data
[2025-05-02T17:48:51Z INFO exhume_ntfs] MFT entry 110349 read from LBA 0x448DC9400
+--------------------------+-----------+
| MFT Entry Header Values | |
+--------------------------+-----------+
| Sequence | 2 |
+--------------------------+-----------+
| $LogFile Sequence Number | 286210285 |
+--------------------------+-----------+
| Flags | None |
+--------------------------+-----------+
| Links | 2 |
+--------------------------+-----------+


+-------------------------------+------+----------+------+
| Attributes | Name | Status | Size |
+-------------------------------+------+----------+------+
| StandardInformation (0x10‑#0) | N/A | Resident | 72 |
+-------------------------------+------+----------+------+
| FileName (0x30‑#5) | N/A | Resident | 90 |
+-------------------------------+------+----------+------+
| FileName (0x30‑#4) | N/A | Resident | 120 |
+-------------------------------+------+----------+------+
| Data (0x80‑#1) | N/A | Resident | 384 |
+-------------------------------+------+----------+------+

+-----------------------+----------------------------------+
| $STANDARD_INFORMATION | |
+-----------------------+----------------------------------+
| Created | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| File Modified | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| MFT Modified | 2016-06-21T11:20:16.703729+00:00 |
+-----------------------+----------------------------------+
| Accessed | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| Flags | ARCHIVE |
+-----------------------+----------------------------------+
| Owner ID | 0 |
+-----------------------+----------------------------------+
| Security ID | 971 |
+-----------------------+----------------------------------+
| Quota Charged | 0 |
+-----------------------+----------------------------------+
| Last USN | 30882792 |
+-----------------------+----------------------------------+

+-----------------------+----------------------------------+
| $FILE_NAME Attributes | |
+-----------------------+----------------------------------+
| Name | STATUS~1.PYC |
+-----------------------+----------------------------------+
| Parent MFT | 110110 (seq 2) |
+-----------------------+----------------------------------+
| Allocated | 384 |
+-----------------------+----------------------------------+
| Actual | 384 |
+-----------------------+----------------------------------+
| Flags | None |
+-----------------------+----------------------------------+
| Timestamps | |
+-----------------------+----------------------------------+
| ‑ Created | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| ‑ Modified | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ MFT Mod | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ Accessed | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| | |
+-----------------------+----------------------------------+
| Name | status_codes.cpython-35.pyc |
+-----------------------+----------------------------------+
| Parent MFT | 110110 (seq 2) |
+-----------------------+----------------------------------+
| Allocated | 384 |
+-----------------------+----------------------------------+
| Actual | 384 |
+-----------------------+----------------------------------+
| Flags | None |
+-----------------------+----------------------------------+
| Timestamps | |
+-----------------------+----------------------------------+
| ‑ Created | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| ‑ Modified | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ MFT Mod | 2016-06-21T11:20:16.702824+00:00 |
+-----------------------+----------------------------------+
| ‑ Accessed | 2016-06-21T11:20:16.701926+00:00 |
+-----------------------+----------------------------------+
| | |
+-----------------------+----------------------------------+

Exhume UsnJrnl records

In this example we first locate the $UsnJrnl file record, which normally lives under the "$Extend" directory, by listing directory entries (root directory first, then $Extend):

exhume_ntfs -b image.logical --offset 0x00000 --size 26474446848 --file 5 --dir_entry
[2025-09-21T07:49:25Z INFO exhume_body] Detected RAW Data
4 $AttrDef
8 $BadClus
8-1 $BadClus:$Bad
6 $Bitmap
7 $Boot
11 $Extend
2 $LogFile
0 $MFT
1 $MFTMirr
57 $Recycle.Bin
9 $Secure
10 $UpCase
10-4 $UpCase:$Info
3 $Volume
17687 bootmgr
17682 BOOTNXT
17684 Documents and Settings
[...]
exhume_ntfs -b image.logical --offset 0x00000 --size 26474446848 --file 11 --dir_entry
[2025-09-21T07:49:28Z INFO exhume_body] Detected RAW Data
25 $ObjId
24 $Quota
26 $Reparse
27 $RmMetadata
80976 $UsnJrnl
80976-3 $UsnJrnl:$J
80976-4 $UsnJrnl:$Max

The following example displays the UsnJrnl records linked to file identifier 24138, with the full reuse cross-check enabled (journal + current MFT):

exhume_ntfs -b image.logical --offset 0x00000 --size 26474446848 --file 80976 --usnjrnl --mode full --filter 24138
+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN | 5259504 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:25.771913+00:00 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason | 0x00000800 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason (decoded) | SECURITY_CHANGE |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Ref | 0x1000000005949 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | CurrentSeqDiffersFromUsn | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
+---------------------+------------------------------------------------------------------------------------------------------------------+


+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN | 5259600 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:25.771913+00:00 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason | 0x80000800 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason (decoded) | SECURITY_CHANGE | CLOSE |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Ref | 0x1000000005949 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | CurrentSeqDiffersFromUsn | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
+---------------------+------------------------------------------------------------------------------------------------------------------+


+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| USN | 5271232 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.927805+00:00 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason | 0x80000200 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reason (decoded) | FILE_DELETE | CLOSE |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File Ref | 0x1000000005949 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+------------------------------------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | CurrentSeqDiffersFromUsn | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+-------------------------------------------------------+--------------------+ |
+---------------------+------------------------------------------------------------------------------------------------------------------+


+---------------------+---------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+---------------------------------------------------------------------------------------+
| USN | 5271328 |
+---------------------+---------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.927805+00:00 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason | 0x00000100 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason (decoded) | FILE_CREATE |
+---------------------+---------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+---------------------------------------------------------------------------------------+
| File Ref | 0x2000000005949 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+---------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+---------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+---------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
+---------------------+---------------------------------------------------------------------------------------+


+---------------------+---------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+---------------------------------------------------------------------------------------+
| USN | 5271424 |
+---------------------+---------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.927805+00:00 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason | 0x00000102 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason (decoded) | DATA_EXTEND | FILE_CREATE |
+---------------------+---------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+---------------------------------------------------------------------------------------+
| File Ref | 0x2000000005949 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+---------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+---------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+---------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
+---------------------+---------------------------------------------------------------------------------------+


+---------------------+---------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+---------------------------------------------------------------------------------------+
| USN | 5271552 |
+---------------------+---------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.927805+00:00 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason | 0x00000103 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason (decoded) | DATA_OVERWRITE | DATA_EXTEND | FILE_CREATE |
+---------------------+---------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+---------------------------------------------------------------------------------------+
| File Ref | 0x2000000005949 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+---------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+---------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+---------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
+---------------------+---------------------------------------------------------------------------------------+


+---------------------+---------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+---------------------------------------------------------------------------------------+
| USN | 5271888 |
+---------------------+---------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.959380+00:00 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason | 0x80000103 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason (decoded) | DATA_OVERWRITE | DATA_EXTEND | FILE_CREATE | CLOSE |
+---------------------+---------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+---------------------------------------------------------------------------------------+
| File Ref | 0x2000000005949 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+---------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+---------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+---------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
+---------------------+---------------------------------------------------------------------------------------+


+---------------------+---------------------------------------------------------------------------------------+
| USN Record Version | 2.0 |
+---------------------+---------------------------------------------------------------------------------------+
| USN | 5271984 |
+---------------------+---------------------------------------------------------------------------------------+
| Timestamp | 2015-12-12T03:03:26.959380+00:00 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason | 0x80000000 |
+---------------------+---------------------------------------------------------------------------------------+
| Reason (decoded) | CLOSE |
+---------------------+---------------------------------------------------------------------------------------+
| File Attrs | 0x00002024 |
+---------------------+---------------------------------------------------------------------------------------+
| File Ref | 0x2000000005949 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Ref | 0x1000000000ad2 |
+---------------------+---------------------------------------------------------------------------------------+
| File MFT record # | 22857 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent MFT record # | 2770 |
+---------------------+---------------------------------------------------------------------------------------+
| Name | JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Parent Path | \Windows\Camera\MICROS~1.MET\Autogen |
+---------------------+---------------------------------------------------------------------------------------+
| Full Path | \Windows\Camera\MICROS~1.MET\Autogen\JSByteCodeCache_64 |
+---------------------+---------------------------------------------------------------------------------------+
| Reused records | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | Index | Current Seq | Seen Seqs | Reasons | Name | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
| | | 22857 | 2 | 1,2 | MultipleSequencesInJournal | JSByteCodeCache_64 | |
| | +-------+-------------+-----------+----------------------------+--------------------+ |
+---------------------+---------------------------------------------------------------------------------------+
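The records above depend on three decoding steps that the tool performs for you: splitting a 64-bit file reference into an MFT record index and a sequence number (the same form as "Parent MFT 110110 (seq 2)" in the MFT record example), expanding the reason bitmask into names, and the reuse cross-check that fills the "Reused records" table. The Rust program below is an added example, not exhume_ntfs code; it reproduces those steps on records constructed from the eight USN entries shown above. The reason values are the USN_REASON_* constants from the Windows SDK (winioctl.h); the struct, function and variant names are my own, and the current MFT sequence of 2 is taken from the "Current Seq" column above.

```rust
// Added example, not exhume_ntfs code: decode USN record fields and run the
// "full" reuse cross-check on records constructed from the output above.

/// USN_REASON_* flags from winioctl.h (the ones seen above plus a few common ones).
const REASONS: &[(u32, &str)] = &[
    (0x0000_0001, "DATA_OVERWRITE"),
    (0x0000_0002, "DATA_EXTEND"),
    (0x0000_0004, "DATA_TRUNCATION"),
    (0x0000_0100, "FILE_CREATE"),
    (0x0000_0200, "FILE_DELETE"),
    (0x0000_0800, "SECURITY_CHANGE"),
    (0x0000_1000, "RENAME_OLD_NAME"),
    (0x0000_2000, "RENAME_NEW_NAME"),
    (0x0000_8000, "BASIC_INFO_CHANGE"),
    (0x8000_0000, "CLOSE"),
];

/// Split a 64-bit NTFS file reference into (MFT record index, sequence number).
/// The low 48 bits are the record index, the high 16 bits the sequence.
pub fn split_file_ref(file_ref: u64) -> (u64, u16) {
    (file_ref & 0x0000_FFFF_FFFF_FFFF, (file_ref >> 48) as u16)
}

/// Render a reason bitmask the way the "Reason (decoded)" row does (ascending bit order).
pub fn decode_reason(reason: u32) -> String {
    let mut names: Vec<&str> = REASONS
        .iter()
        .filter(|&&(bit, _)| reason & bit != 0)
        .map(|&(_, name)| name)
        .collect();
    let known = REASONS.iter().fold(0u32, |acc, &(bit, _)| acc | bit);
    if reason & !known != 0 {
        names.push("UNKNOWN"); // bits outside the table above
    }
    names.join(" | ")
}

/// The USN_RECORD_V2 fields used here (hypothetical struct, not the tool's own).
#[derive(Debug, Clone)]
pub struct UsnRecord {
    pub usn: u64,
    pub reason: u32,
    pub file_ref: u64,
    pub name: &'static str,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ReuseReason {
    CurrentSeqDiffersFromUsn,
    MultipleSequencesInJournal,
}

/// Reuse cross-check for one record. `current_seq` is the sequence number the MFT
/// entry holds right now (Some = "full" mode, None = journal-only mode).
pub fn reuse_check(rec: &UsnRecord, journal: &[UsnRecord], current_seq: Option<u16>) -> Vec<ReuseReason> {
    let (idx, seq) = split_file_ref(rec.file_ref);
    // Every sequence number the journal has recorded for this MFT index.
    let mut seen: Vec<u16> = journal
        .iter()
        .map(|r| split_file_ref(r.file_ref))
        .filter(|&(i, _)| i == idx)
        .map(|(_, s)| s)
        .collect();
    seen.sort_unstable();
    seen.dedup();
    let mut out = Vec::new();
    if let Some(cur) = current_seq {
        if cur != seq {
            // The MFT entry was re-allocated after this record was written.
            out.push(ReuseReason::CurrentSeqDiffersFromUsn);
        }
    }
    if seen.len() > 1 {
        // The journal itself shows this index under more than one sequence.
        out.push(ReuseReason::MultipleSequencesInJournal);
    }
    out
}

/// Constructed from the eight records in the output above: (USN, reason, file reference).
pub fn sample_journal() -> Vec<UsnRecord> {
    let name = "JSByteCodeCache_64";
    let rows: [(u64, u32, u64); 8] = [
        (5259504, 0x0000_0800, 0x0001_0000_0000_5949),
        (5259600, 0x8000_0800, 0x0001_0000_0000_5949),
        (5271232, 0x8000_0200, 0x0001_0000_0000_5949),
        (5271328, 0x0000_0100, 0x0002_0000_0000_5949),
        (5271424, 0x0000_0102, 0x0002_0000_0000_5949),
        (5271552, 0x0000_0103, 0x0002_0000_0000_5949),
        (5271888, 0x8000_0103, 0x0002_0000_0000_5949),
        (5271984, 0x8000_0000, 0x0002_0000_0000_5949),
    ];
    rows.iter()
        .map(|&(usn, reason, file_ref)| UsnRecord { usn, reason, file_ref, name })
        .collect()
}

fn main() {
    let journal = sample_journal();
    // 2 is the "Current Seq" of MFT entry 22857 in the output above.
    let current_seq = Some(2u16);
    for rec in &journal {
        let (idx, seq) = split_file_ref(rec.file_ref);
        println!(
            "USN {:>8}  rec {} seq {}  {:<44}  reuse: {:?}",
            rec.usn, idx, seq, decode_reason(rec.reason), reuse_check(rec, &journal, current_seq)
        );
    }
}
```

Running it shows why the first three records carry both reasons and the last five only one: their file reference says sequence 1 while the MFT entry is now at sequence 2, so the FILE_DELETE at USN 5271232 closed one life of record 22857 and the FILE_CREATE at 5271328 started another under the same index. That is the distinction the `--mode full` cross-check makes explicit; with `--mode journal` (current_seq = None) only the MultipleSequencesInJournal signal remains.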