MFT Parser — browser-side NTFS $MFT analyzer

An MFT parser that runs entirely in your browser. Drop an NTFS $MFT file and inspect every record — deleted entries, $STANDARD_INFORMATION and $FILE_NAME timestamps, alternate data streams, resident data — without uploading a byte. WebAssembly under the hood, the omerbenamram/mft Rust crate doing the parsing.

About this MFT parser

An MFT parser reads the NTFS Master File Table — the $MFT file at the start of every NTFS volume — and turns its 1,024-byte records into something a forensic analyst can act on: filenames, timestamps, parent directories, alternate data streams, deleted entries, and resident data. This site is one of those parsers. It runs in your browser.

Drop a $MFT file onto the area above. The file is read into the browser's memory, parsed by the omerbenamram/mft Rust crate compiled to WebAssembly, and rendered as a paginated, searchable table. Nothing is uploaded — you can verify by disconnecting your network before dropping the file. CSV export and a triage report are available for downstream analysis.

What it shows you

  • Every MFT record, allocated or deleted, with the in-use flag exposed.
  • Both timestamp sets — $STANDARD_INFORMATION and $FILE_NAME — so you can spot timestomping at a glance.
  • Alternate data streams attached to each record, including Zone.Identifier.
  • Resident $DATA bytes for small files — often the only recoverable version after deletion.
  • Full path reconstruction by walking parent references through the table.
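
The in-use flag and the two creation timestamps from the list above, read directly from one record's bytes. This is an added example, not this site's code and not the omerbenamram/mft crate's API. The names summarize, si_predates_fn and sample_record are hypothetical, the sample record is constructed, and update-sequence fixups are not applied, so it only reads fields that sit away from sector boundaries.

```rust
#[derive(Debug, PartialEq)]
struct Summary { in_use: bool, si_created: Option<u64>, fn_created: Option<u64> }

/// Bounds-checked little-endian read of `n` bytes (n <= 8) at `off`.
fn le(b: &[u8], off: usize, n: usize) -> Option<u64> {
    let s = b.get(off..off.checked_add(n)?)?;
    Some(s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}

/// One FILE record: flags bit 0 at 0x16 = in use. None on bad signature or offset.
fn summarize(rec: &[u8]) -> Option<Summary> {
    if rec.get(0..4)? != b"FILE" { return None; }
    let mut s = Summary { in_use: (le(rec, 0x16, 2)? & 1) != 0, si_created: None, fn_created: None };
    let mut off = le(rec, 0x14, 2)? as usize;          // offset of first attribute
    loop {
        let ty = le(rec, off, 4)?;
        if ty == 0xFFFF_FFFF { return Some(s); }       // end-of-attributes marker
        let len = le(rec, off + 4, 4)? as usize;
        if len < 0x18 { return None; }                 // malformed length would never advance
        if le(rec, off + 8, 1)? == 0 {                 // resident attribute
            let body = off + le(rec, off + 0x14, 2)? as usize;
            if ty == 0x10 { s.si_created = le(rec, body, 8); }   // $STANDARD_INFORMATION
            if ty == 0x30 && s.fn_created.is_none() { s.fn_created = le(rec, body + 8, 8); } // $FILE_NAME
        }
        off += len;
    }
}

/// $SI created earlier than $FN created is a common timestomping indicator.
fn si_predates_fn(s: &Summary) -> bool {
    matches!((s.si_created, s.fn_created), (Some(si), Some(fnc)) if si < fnc)
}

/// Constructed sample record (not real evidence): resident $SI, then $FN.
fn sample_record(in_use: bool, si_created: u64, fn_created: u64) -> Vec<u8> {
    let mut r = vec![0u8; 1024];
    r[..4].copy_from_slice(b"FILE");
    r[0x14] = 0x38; r[0x16] = in_use as u8;            // first-attribute offset; flags
    for &(off, ty, len, ts_off, ts) in
        &[(0x38usize, 0x10u8, 0x60u8, 0x18usize, si_created), (0x98, 0x30, 0x68, 0x20, fn_created)] {
        r[off] = ty; r[off + 4] = len; r[off + 0x14] = 0x18; // type, length, content offset
        r[off + ts_off..off + ts_off + 8].copy_from_slice(&ts.to_le_bytes());
    }
    r[0x100..0x104].copy_from_slice(&[0xFF; 4]);       // end marker after $FN
    r
}

fn main() { // constructed FILETIME ticks: a deleted record whose $SI predates its $FN
    println!("{:?}", summarize(&sample_record(false, 100, 200)).map(|s| (si_predates_fn(&s), s)));
}
```

A record flagged this way is a lead to corroborate against other artifacts, not proof of tampering on its own.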

How it compares to other MFT parsers

On a Windows analyst workstation, MFTECmd is the standard CLI and produces the CSV that Timeline Explorer and KAPE expect. For scripting on Linux, the omerbenamram/mft CLI and Rust crate emit JSON Lines. This browser parser fills the third slot: zero install, runs anywhere a browser does, suitable for quick triage and for situations where evidence cannot be sent to a cloud service. A full comparison is in the post MFT parser tools compared.

Getting an $MFT to parse

$MFT is locked while Windows is running. To extract a copy, use fsutil on a live system, FTK Imager against a physical drive, or KAPE's MFT target for a full triage collection. Step-by-step instructions are in how to extract $MFT from a live Windows system.

Forensics FAQ

What is the Master File Table?
The Master File Table ($MFT) is NTFS's metadata index. Every file and directory on the volume has at least one 1,024-byte record in $MFT describing its name, attributes, timestamps, and where its data lives on disk.
What does MFT stand for?
MFT stands for Master File Table. On disk it is written $MFT — the dollar sign is the NTFS convention for metadata files.
What file attributes are stored in the Master File Table?
Every record carries $STANDARD_INFORMATION (timestamps, DOS flags), $FILE_NAME (name and a second timestamp set), and $DATA (the file's contents or its cluster runs). Records can also carry $ATTRIBUTE_LIST, $OBJECT_ID, $SECURITY_DESCRIPTOR, $INDEX_ROOT, $INDEX_ALLOCATION, $BITMAP, $REPARSE_POINT, $EA, and $LOGGED_UTILITY_STREAM.
How do I extract $MFT from a Windows system?
$MFT is the first file on every NTFS volume and is normally locked while Windows runs. Use a forensics tool like FTK Imager, KAPE, or the Windows command 'fsutil' to export a copy from a live system, or read it directly from a disk image.
How do I fix a corrupt Master File Table?
Image the disk before doing anything else. Then run chkdsk /f against the image (fast, may discard unreadable records) or use a recovery tool that scans the raw volume for 'FILE' signatures and reassembles records (slow, preserves more evidence). Never run chkdsk against the original before imaging.
Does this tool upload my $MFT anywhere?
No. Parsing happens in a Web Worker using WebAssembly. The file is read into your browser's memory and never transmitted. Disconnect your network if you want to verify.
Why are some entries marked deleted?
Each MFT record has an in-use flag. When a file is deleted, the flag is cleared but the record stays in $MFT until reused. These deleted records often retain recoverable filenames, timestamps, and even resident data.
Can it parse very large $MFT files?
Parsing runs in a Web Worker thread. Memory scales linearly with file size. Multi-gigabyte $MFT files work in modern browsers, though the initial read into memory takes a moment.