Linux NTFS - NTFSCAT (8)

NAME

ntfscat - print NTFS files and streams on the standard output

SYNOPSIS

ntfscat [ options ] device file

DESCRIPTION

ntfscat will read a file or stream from an NTFS volume and display the contents on the standard output.

The case of the filename passed to ntfscat is ignored.

OPTIONS

Below is a summary of all the options that ntfscat accepts. All options have two equivalent names. The short name is preceded by - and the long name is preceded by --. Any single letter options, that don’t take an argument, can be combined into a single command, e.g. -fv is equivalent to -f -v. Long named options can be abbreviated to any unique prefix of their name.

-a type
--attribute type
	Display the contents of a particular attribute type. By default, the unnamed $DATA attribute will be shown. The attribute can be specified by a number in decimal or hexadecimal, or by name. Hex Decimal Name 0x10 16 "$STANDARD_INFORMATION", 0x20 32 "$ATTRIBUTE_LIST", 0x30 48 "$FILE_NAME", 0x40 64 "$OBJECT_ID", 0x50 80 "$SECURITY_DESCRIPTOR", 0x60 96 "$VOLUME_NAME", 0x70 112 "$VOLUME_INFORMATION", 0x80 128 "$DATA", 0x90 144 "$INDEX_ROOT", 0xA0 160 "$INDEX_ALLOCATION", 0xB0 176 "$BITMAP", 0xC0 192 "$REPARSE_POINT", 0xD0 208 "$EA_INFORMATION", 0xE0 224 "$EA", 0xF0 240 "$PROPERTY_SET", 0x100 256 "$LOGGED_UTILITY_STREAM", Notes The attribute names may be given without the leading $ symbol. If you use the $ symbol, you must escape it from the shell.
-n name
--attribute-name name
	Display this named attribute, stream.
-i num
--inode num
	Specify a file by its inode number instead of its name.
-h
--help	Show a list of options with a brief description of each one.
-q
--quiet	Suppress some debug/warning/error messages.
-V
--version
	Show the version number, copyright and license ntfscat.
-v
--verbose
	Display more debug/warning/error messages.

EXAMPLES

Display the contents of a file in the root of an NTFS volume.

ntfscat /dev/hda1 boot.ini

Display the contents of a file in a subdirectory of an NTFS volume.

ntfscat /dev/hda1 /winnt/system32/drivers/etc/hosts

Display the contents of the $INDEX_ROOT attribute of the root directory (inode 5).

ntfscat /dev/hda1 -a INDEX_ROOT -i 5 | hexdump -C

KNOWN ISSUES

There are no known problems. If you think you had found any then please report it to linux-ntfs-dev@lists.sourceforge.net

AUTHOR

ntfscat was written by Richard Russon (FlatCap)

AVAILABILITY

ntfscat is part of the ntfsprogs package and is available from
http://linux-ntfs.sourceforge.net

SEE ALSO

ntfsls(8), ntfsprogs(8)