TZWorks LLC
System Analysis and Programming
www.tzworks.com
(Version 1.46)
TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for the terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.
The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.
The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.
ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.
The Software are the original works of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.
ntfsdir is a command line version of a tool that traverses files and directories of live NTFS partitions. This tool will list additional directory items that the built-in Windows directory command 'dir' will not.
The motivation to build this tool came from one of the graduate forensics classes taken in the fall semester of 2010 at GMU.
The objective for this project was to have a tool that could show 'all' the directories and files on a live NTFS system. While there are currently other tools that do this sort of thing for the unmounted NTFS volume, there were not any free tools that could do this on a live system.
The engine of this tool is Windows API agnostic, and therefore, was recompiled to run on Windows, Linux and Mac OSX. To do this, the internals of ntfsdir traverse the volume of the logical drive specified reading the raw sectors to enumerate the desired path. While the drive is only opened in 'read' mode (versus read/write), Windows requires ntfsdir to run with 'administrator' privileges to examine a live NTFS partition.
To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.
One can display the menu options by typing in the executable name without parameters. Below is the menu with the various options. Details of each option are given in the option table later in this document.
Usage:
  ntfsdir <directory>                                          = enumerate a live volume
  ntfsdir <directory> -drivenum <num> -offset <volume offset>
  ntfsdir <directory> -image <disk image> [-offset <volume offset>]
  ntfsdir <volume> -mft <entry>
  ntfsdir -image <disk image> [-offset <volume offset>] -mft <entry>
  ntfsdir <directory> -vmdk "<file1> | <file2> | ..."
  ntfsdir <directory> -vss <#>
  ntfsdir -?                                                   = this help msg

Basic options
  -csv                        = output data in csv format
  -xml <xml file>             = output data in xml format
  -alldates                   = output all the date/timestamps

Additional options
  -recurse <levels>           = recurse down to the specified levels
  -base10                     = output in base10 vice hex for csv or xml
  -indx                       = show INDX type records
  -objid                      = show object ID, if it exists
  -filepath_only              = show just the path/file [only w/ -recurse]
  -dateformat mm/dd/yyyy      = "yyyy-mm-dd" is the default
  -timeformat hh:mm:ss        = "hh:mm:ss.xxx" is the default
  -pair_datetime              = combine date/time into 1 field for csv
  -no_whitespace              = remove whitespace between csv delimiter
  -csv_separator "|"          = use a pipe char for csv separator
1. To view a directory within a live (mounted) partition:
ntfsdir c:\
2. To view a directory within an unmounted partition that is in the form of a file that was obtained by 'dd', use:
ntfsdir \ -image "dd_file_of_partition_c"
Note: the backslash '\' denotes that one wants to enumerate the root directory of the file that contains a 'dd' image of the C: partition.
3. To dump all the dates associated with files and directories to an xml or csv file, use the '-alldates' option, eg:
ntfsdir c:\ -alldates -xml results.xml
ntfsdir c:\ -alldates -csv > results.csv
This latter option (-alldates) will output 4 timestamps for the standard information, 4 timestamps for the filename, and if the file or directory name is greater than 8 characters, it will have two attributes for the name (one will be for the short name and one will be for the long name). If both short and long name attributes exist, another 4 timestamps will be outputted for a total of 12 timestamps.
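The 12 timestamps are worth having side by side: the $STANDARD_INFORMATION times can be set by user-mode software through the normal file APIs, while the $FILE_NAME times are maintained by the NTFS driver itself, so disagreement between the two sets is the usual starting point for spotting altered timestamps. The following Python is an added example, not code from TZWorks or ntfsdir. It reads a constructed CSV whose column names (si_create, si_modify, fn_create, fn_modify) are assumptions made for this example and must be mapped onto the real header of your -alldates -csv output; the date/time layout follows the tool's defaults ("yyyy-mm-dd" and "hh:mm:ss.xxx").

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of an ntfsdir -alldates -csv run. The header
# names are assumptions made for this example, not ntfsdir's real column names;
# the timestamp layout follows the documented defaults.
SAMPLE_CSV = """\
path,si_create,si_modify,fn_create,fn_modify
\\Windows\\notepad.exe,2023-05-01 10:00:00.123,2023-05-01 10:00:00.123,2023-05-01 10:00:00.123,2023-05-01 10:00:00.123
\\Users\\bob\\drop.exe,2010-01-01 00:00:00.000,2010-01-01 00:00:00.000,2024-03-03 12:34:56.789,2024-03-03 12:34:56.789
\\Temp\\report.docx,2024-03-03 12:34:56.789,2024-03-04 08:15:00.250,2024-03-03 12:34:56.789,2024-03-03 12:34:56.789
"""

# "yyyy-mm-dd" plus "hh:mm:ss.xxx"; %f accepts one to six fractional digits.
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_timestamp(value: str) -> datetime:
    """Parse one timestamp field written in the tool's default layout."""
    return datetime.strptime(value.strip(), TIMESTAMP_FORMAT)


def find_suspect_timestamps(csv_text: str) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for rows whose $STANDARD_INFORMATION
    timestamps look inconsistent with the driver-maintained $FILE_NAME ones."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_create = parse_timestamp(row["si_create"])
        si_modify = parse_timestamp(row["si_modify"])
        fn_create = parse_timestamp(row["fn_create"])

        # $FILE_NAME creation is written by NTFS when the entry is created or
        # moved; a $STANDARD_INFORMATION creation time that predates it was
        # most likely rewritten after the fact.
        if si_create < fn_create:
            findings.append((row["path"], "si_create earlier than fn_create"))

        # Heuristic: timestamps set through the file APIs are frequently
        # whole seconds, while NTFS normally records 100 ns resolution.
        if si_create.microsecond == 0 and si_modify.microsecond == 0:
            findings.append((row["path"], "si timestamps have no fractional seconds"))
    return findings


if __name__ == "__main__":
    for path, reason in find_suspect_timestamps(SAMPLE_CSV):
        print(f"{path}: {reason}")
```

Both checks are indicators rather than proof; files copied from a FAT volume, for instance, legitimately carry whole-second times, so the output is a triage list to review against the rest of the 12 timestamps rather than a verdict.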
4. To dump only selected records, pipe the output of ntfsdir into the built-in 'find' command. Below are some Windows examples:
ntfsdir c:\ -indx | find "dir"   = extract the directories from the root volume
ntfsdir c:\ -indx | find "indx"  = extract the indx type files from the root
5. Accessing Volume Shadow Copies. To dump directories from within a volume shadow copy, one uses the -vss <index of Volume Shadow> option and then specifies the directory to enumerate. For example, if we wanted to look at the Users directory recursively 2 levels deep at Volume Shadow Copy specified by index one, one would use the following:
ntfsdir -vss 1 \Users -recurse 2 > out.txt
To determine which indexes are available from the various Volume Shadows, one can use the Windows built-in utility vssadmin, as follows:
vssadmin list shadows
-- or, to filter out extraneous detail --
vssadmin list shadows | find /i "volume"
While the amount of data from the above command can be voluminous, the keywords one needs to look for are names that look like this:
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
...
From the example above, notice the number after the word HarddiskVolumeShadowCopy. This is the number that is passed as the argument to the -vss option.
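Picking the index out of the vssadmin listing by eye is error-prone when a host has many shadow copies. The following Python is an added example, not part of ntfsdir or of any TZWorks tool: it parses a constructed excerpt of `vssadmin list shadows` output, extracts every HarddiskVolumeShadowCopy number, and builds one ntfsdir command line per shadow copy in the form the -vss example above uses. The sample text and the command template are assumptions made for the example.

```python
import re

# Constructed excerpt of `vssadmin list shadows` output (not captured from a
# real host); only the "Shadow Copy Volume" lines matter for choosing -vss <#>.
# The GUID fields are placeholders.
SAMPLE_VSSADMIN_OUTPUT = r"""
Contents of shadow copy set ID: {set-id-placeholder}
   Contained 1 shadow copies at creation time: 2024-01-02 03:04:05
      Shadow Copy ID: {shadow-id-placeholder-1}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {set-id-placeholder}
      Shadow Copy ID: {shadow-id-placeholder-2}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Contents of shadow copy set ID: {set-id-placeholder}
      Shadow Copy ID: {shadow-id-placeholder-5}
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
"""

# Match the documented device name and capture the trailing index. Case is
# ignored because the listing is sometimes transcribed with mixed case.
SHADOW_VOLUME_RE = re.compile(
    r"Shadow Copy Volume:\s*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(\d+)",
    re.IGNORECASE,
)


def shadow_copy_indexes(vssadmin_output: str) -> list[int]:
    """Return the sorted, de-duplicated shadow copy numbers found in the text."""
    return sorted({int(m.group(1)) for m in SHADOW_VOLUME_RE.finditer(vssadmin_output)})


def ntfsdir_vss_commands(vssadmin_output: str, directory: str = r"\Users", levels: int = 2) -> list[str]:
    """Build one ntfsdir command line per shadow copy, following the form
    'ntfsdir -vss <#> <directory> -recurse <levels>' shown in the document."""
    return [
        f"ntfsdir -vss {index} {directory} -recurse {levels}"
        for index in shadow_copy_indexes(vssadmin_output)
    ]


if __name__ == "__main__":
    # On a live Windows host the text would come from:
    #   vssadmin list shadows
    for command in ntfsdir_vss_commands(SAMPLE_VSSADMIN_OUTPUT):
        print(command)
```

Feeding the real listing in (for example via `subprocess.run(["vssadmin", "list", "shadows"], capture_output=True, text=True).stdout`) gives a complete set of commands, which is useful when the same directory has to be compared across every available shadow copy.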
When specifying directories to enumerate, use the forward slash to separate subdirectories rather than the backslash used in Windows. For example, when running in Linux [or OSX], to list the contents of the drivers directory:
<location of app>/ntfsdir /Windows/system32/drivers -image <some_partition_image>
When specifying directories that start with a dollar sign '$', the dollar sign needs to be escaped with a backslash. For example, $Extend is a directory in the root directory of an NTFS partition. To list the contents of this directory, one needs to use the following notation:
<location of app>/ntfsdir /\$Extend -image <some_partition_image>
The first slash in '/\$Extend' specifies the root directory. The next character is a backslash, which escapes the '$' that follows it, and the rest of the characters are taken literally.
Use of backslashes and quotes. When passing in a directory and using quotes around the directory path, ensure you don't use a backslash at the end of the directory, since it will be interpreted as an escape sequence for the quote that follows:
For example:
ntfsdir "c:\windows"    <== correct
ntfsdir "c:\windows\"   <== incorrect, since the ending \" will be interpreted incorrectly.
Option | Description |
---|---|
-drivenum | Extract artifacts from a mounted disk specified by a drive number and volume offset. The syntax is -drivenum <#> -offset <volume offset>. |
-image | Extract artifacts from a volume specified by an image and volume offset. The syntax is -image <filename> -offset <volume offset>. |
-vmdk | Extract artifacts from a VMWare monolithic NTFS formatted volume. The syntax is -vmdk <disk name>. For a collection of VMWare disks that include snapshots, one can use the following syntax: -vmdk "disk1 | disk2 | ..." |
-mft | Process the MFT entry specified. The syntax is -mft <entry>. |
-vss | Experimental. Extract artifacts from a Volume shadow. The syntax is -vss <index of volume shadow>. Only applies to Windows Vista, Win7, Win8 and beyond. Does not apply to Windows XP. |
-csv | Outputs the data fields delimited by commas. Since filenames can have commas, to ensure the fields are uniquely separated, any commas in the filenames get converted to spaces. |
-xml | Output the data in XML format. The syntax is -xml <filename>. |
-alldates | Include all the dates/timestamps in the output. |
-level | [or -recurse] recurse down to the specified levels. The syntax is -recurse <# levels>. |
-base10 | Ensure all size/address outputs are displayed in base-10 format versus hexadecimal format. Default is hexadecimal format. |
-indx | Include INDX type records in the output. |
-objid | Include the object ID (if it exists) in the output. |
-filepath_only | Show just the path/file as the output. This option is only available with the -recurse option. |
-no_whitespace | Used in conjunction with -csv option to remove any whitespace between the field value and the CSV separator. |
-csv_separator | Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. |
-dateformat | Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form. |
-timeformat | Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx". One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx", or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option are that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent the number of fractional-second digits. (Note: the fractional seconds apply only to those time formats that have the appropriate precision available. The Windows internal filetime has, for example, 100 nsec unit precision available. The DOS time format and the UNIX 'time_t' format, however, have no fractional seconds). Some of the times represented by this tool may use a time format without fractional seconds and therefore will not show a greater precision beyond seconds when using this option. |
-pair_datetime | combine date/time into 1 field for csv |
-split_pathfile | Put path and filename into separate fields with csv |
This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).
The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.
The tools from TZWorks will output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to what version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be outputted in the parsed results, and (c) the license has a finite lifetime before expiring.