MFT Explorer
A forensic analysis tool for parsing the NTFS Master File Table to reconstruct file system activity and artifact timelines.
MFT Explorer is a Windows forensics utility developed by Eric Zimmerman for analyzing the NTFS Master File Table (MFT). The MFT is the core metadata structure of NTFS file systems and records detailed information about every file and directory, including those that have been deleted.
MFT Explorer is widely used in DFIR investigations, malware analysis, ransomware response, and legal forensics to reconstruct file activity with high accuracy.
What MFT Explorer Does
MFT Explorer parses raw MFT files to extract file system metadata such as file names, sizes, timestamps, attributes, and record states. It enables investigators to identify file creation, modification, execution, movement, and deletion activity, even when the actual file content is no longer present.
Because the MFT persists independently of file deletion, it provides one of the most reliable sources of evidence for file system activity on Windows systems.
Key Features of MFT Explorer
NTFS Master File Table Parsing
Extracts metadata from raw MFT files on NTFS volumes.
Deleted File Visibility
Identifies files and directories that have been deleted from the file system.
Comprehensive Timestamp Analysis
Parses standard and alternate timestamps used by NTFS.
Attribute-Level Inspection
Displays detailed NTFS attributes including filenames, data streams, and flags.
File and Directory Correlation
Reconstructs parent-child relationships within the file system.
Advanced Search and Filtering
Locate artifacts by filename, extension, record status, or timestamp.
CSV Export Support
Outputs structured data for reporting and timeline correlation.
Integration with DFIR Tooling
Works seamlessly with Timeline Explorer, KAPE, and related forensic tools.
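The fields behind these features (the in-use flag, the $STANDARD_INFORMATION and $FILE_NAME creation timestamps, and the parent reference) can be read from a single FILE record as shown below. This is an added Python example, not MFT Explorer's code; the sample record, its file name, entry numbers, timestamps, and all helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
T_SI, T_FN = 130645440000000000, 133537680000000000  # constructed: 2015-01-01, 2024-03-01 12:00 UTC

def filetime(ticks):  # 100 ns ticks since 1601-01-01 UTC -> datetime
    return EPOCH + timedelta(microseconds=ticks // 10)

def parse_record(raw):
    """Parse one FILE record; reads only the resident $SI and $FN attributes."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):  # fixups: restore the last 2 bytes of each sector
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 20)
    out = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 24 <= len(rec):
        a_type, a_len = struct.unpack_from("<II", rec, off)
        if a_type == 0xFFFFFFFF or a_len == 0:  # end marker or corrupt length
            break
        c = off + struct.unpack_from("<H", rec, off + 20)[0]  # resident content
        if a_type == 0x10:  # $STANDARD_INFORMATION
            out["si_created"] = filetime(struct.unpack_from("<Q", rec, c)[0])
        elif a_type == 0x30:  # $FILE_NAME
            parent, created = struct.unpack_from("<QQ", rec, c)
            out["parent_entry"] = parent & 0xFFFFFFFFFFFF  # low 48 bits = entry number
            out["fn_created"] = filetime(created)
            n = rec[c + 64]  # name length in UTF-16 code units
            out["name"] = rec[c + 66:c + 66 + 2 * n].decode("utf-16-le")
        off += a_len
    return out

def _attr(a_type, content):  # constructed resident attribute with a 24-byte header
    content += b"\0" * (-len(content) % 8)
    return struct.pack("<IIB7xIH2x", a_type, 24 + len(content), 0, len(content), 24) + content

def build_sample():
    """Constructed record: deleted 'update.exe' under entry 5, $SI backdated."""
    si = struct.pack("<4Q16x", T_SI, T_SI, T_SI, T_SI)
    fn = struct.pack("<7QIIBB", 5 | (5 << 48), T_FN, T_FN, T_FN, T_FN, 0, 0,
                     0x20, 0, 10, 1) + "update.exe".encode("utf-16-le")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 2, 0, 56, 0, 0, 1024, 0, 2, 0, 1337)
    body = hdr + b"\x01\x00" + b"\0" * 6 + _attr(0x10, si) + _attr(0x30, fn) + b"\xff" * 4
    rec = bytearray(body.ljust(1024, b"\0"))
    rec[510:512] = rec[1022:1024] = b"\x01\x00"  # on-disk sector ends hold the USN
    return bytes(rec)
```

Calling `parse_record(build_sample())` returns a record that is not in use, named `update.exe`, whose $STANDARD_INFORMATION creation time is years earlier than its $FILE_NAME creation time. That kind of mismatch is a common consistency check during timeline review, because $STANDARD_INFORMATION timestamps can be set from user mode.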
Advanced Use Cases
Timeline Reconstruction
Rebuild detailed file system timelines to understand user or attacker activity.
Malware and Ransomware Investigations
Identify dropped payloads, encryption activity, and deleted artifacts.
Insider Threat Analysis
Detect unauthorized file access, copying, or deletion.
Incident Response
Confirm attacker actions related to staging, execution, or data exfiltration.
Legal and Compliance Investigations
Provide defensible evidence of file system activity and historical file presence.
Latest Updates (as of 2026)
Recent updates and ongoing maintenance include:
Continued compatibility with modern Windows versions
Improved parsing accuracy for complex NTFS attributes
Performance optimizations for large MFT datasets
Regular updates aligned with NTFS research
Ongoing maintenance within the Zimmerman forensic tool ecosystem
MFT Explorer remains actively maintained and trusted across professional forensic workflows.
Why It Matters
The NTFS Master File Table is one of the most authoritative sources of file system truth on Windows systems. MFT Explorer allows investigators to uncover file activity that survives deletion, wiping, and cleanup attempts.
For defenders and forensic analysts, it is essential for understanding what existed on a system, when it existed, and how it was used.
Requirements and Platform Support
MFT Explorer runs on:
Windows
It requires:
Raw MFT file extracted from an NTFS volume
Official site and documentation:
https://ericzimmerman.github.io/
https://github.com/EricZimmerman/MFTExplorer








