
How to extract $MFT from a live Windows system


$MFT lives at the start of every NTFS volume, but Windows holds an exclusive lock on it for as long as the volume is mounted. You cannot just copy it with xcopy. You need a tool that reads the raw volume, bypassing the file-system lock. Here are three reliable options.

fsutil (built-in)

Windows ships a command that can locate $MFT on disk:

fsutil file queryextents C:\$Mft > mft-extents.txt

This gives you the cluster runs occupied by $MFT. A raw read of those clusters reproduces the file. It works on every modern Windows install, requires admin, and produces zero side effects on the target.

The downside is that you still have to assemble the cluster runs yourself. For most investigators it is a building block, not a final answer.

FTK Imager

FTK Imager is the standard free tool for forensic acquisition. To grab $MFT:

  1. File → Add Evidence Item → Physical Drive
  2. Pick the disk
  3. Navigate the tree to the NTFS volume's root and find $MFT
  4. Right-click → Export Files

That produces a copy of $MFT as a regular file you can take with you. FTK Imager also reads disk images (.dd, .E01), so the same workflow works on offline evidence.

KAPE

For broader collections, KAPE (Kroll Artifact Parser and Extractor) automates the entire artifact list. The KAPETargets library includes an MFT target that pulls $MFT, $LogFile, $UsnJrnl, and other supporting artifacts in one pass:

kape.exe --tsource C: --target MFT --tdest C:\triage

KAPE handles the locked-file problem under the hood, preserves timestamps on the collected files, and writes a tidy directory you can carry to analysis. It is the recommended path for any incident response collection.

Reading from a disk image

If you already have a disk image, you skip the locking problem entirely. Mount the image read-only or use a parser that consumes raw images directly. $MFT lives near the start of every NTFS volume — the boot sector at offset 0 points to it.
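The fsutil section above leaves the assembly of the cluster runs to you, and this section notes that the boot sector at offset 0 describes the volume. The script below, an added example that is not part of the original post, parses `fsutil file queryextents` output, reads the cluster size from the boot sector, reassembles $MFT run by run in VCN order (refusing gaps and short reads), and hashes the result. It assumes fsutil prints one run per line as "VCN: 0x.. Clusters: 0x.. LCN: 0x.." and is exercised against a small constructed image rather than a real volume.

```python
import hashlib
import io
import re
import struct

# Assumed layout of one `fsutil file queryextents` line: "VCN: 0x0  Clusters: 0x8  LCN: 0xc0000"
EXTENT_RE = re.compile(r"VCN:\s*0x([0-9a-f]+)\s+Clusters:\s*0x([0-9a-f]+)\s+LCN:\s*0x([0-9a-f]+)", re.I)

def parse_extents(fsutil_output):
    """Return [(vcn, clusters, lcn), ...] sorted by VCN."""
    return sorted(tuple(int(v, 16) for v in m.groups()) for m in EXTENT_RE.finditer(fsutil_output))

def cluster_size(volume):
    """Bytes per cluster, read from the NTFS boot sector at offset 0 of the volume."""
    volume.seek(0)
    boot = volume.read(512)
    if boot[3:11] != b"NTFS    ":
        raise ValueError("offset 0 is not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    return bytes_per_sector * sectors_per_cluster

def assemble_mft(volume, extents):
    """Concatenate the runs in VCN order; refuse gaps and short reads."""
    csize, out, next_vcn = cluster_size(volume), bytearray(), 0
    for vcn, count, lcn in extents:
        if vcn != next_vcn:
            raise ValueError(f"runlist gap: expected VCN {next_vcn}, got {vcn}")
        volume.seek(lcn * csize)  # cluster-aligned, so also sector-aligned for raw devices
        chunk = volume.read(count * csize)
        if len(chunk) != count * csize:
            raise ValueError(f"short read at LCN {lcn}")
        out += chunk
        next_vcn = vcn + count
    return bytes(out)

def extract_and_hash(volume, fsutil_output):
    """Assemble $MFT and return (data, sha256 hex) to record at acquisition time."""
    data = assemble_mft(volume, parse_extents(fsutil_output))
    return data, hashlib.sha256(data).hexdigest()

def constructed_volume():
    """Constructed 12-cluster image (512-byte clusters) with $MFT split over two runs."""
    img = bytearray(12 * 512)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 1)  # bytes/sector, sectors/cluster
    img[4 * 512:6 * 512] = b"A" * 1024  # VCN 0-1 stored at LCN 4
    img[10 * 512:11 * 512] = b"B" * 512  # VCN 2 stored at LCN 10
    fsutil_output = "VCN: 0x2  Clusters: 0x1  LCN: 0xa\nVCN: 0x0  Clusters: 0x2  LCN: 0x4\n"
    return io.BytesIO(bytes(img)), fsutil_output
```

On a live system the same functions take an administrator-opened raw volume handle (for example `open(r"\\.\C:", "rb", buffering=0)`) in place of the constructed BytesIO image; a saved .dd image opened the same way works for the offline case.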

A note on integrity

Whichever path you choose, hash $MFT (SHA-256) immediately after acquisition and again before analysis. The file is large and analysis tools occasionally truncate it. A pre-flight hash compare prevents hours of debugging the wrong evidence.
