Vortex MFT Plus UI - NTFS Artifact Parsing and Anomaly Detection
SHA256 Hash: 92c768429f5f5b03d0f13672424cceeff0f7abb198fc3e49ecfc17de2f1286df

MFTPlus - NTFS Parser for $MFT, USN Journal, $LogFile, $ObjectID, $I30 and $Secure

Advanced Master File Table (MFT) & Filesystem Journal Utility

Deep-Level NTFS Meta-Data Interrogation

Advanced NTFS Master File Table (MFT) and filesystem journal parser. Correlate $MFT records with $UsnJrnl entries to detect time-stomping and reconstruct file activity — with raw physical disk access and 27 built-in anomaly rules. A free MFT Viewer and MFT Tool for DFIR professionals on Windows 10 and 11.

  • Raw Physical Access to NTFS structures
  • Automated Triage: 27 unique anomaly rules
  • Full USN Journal and Transaction decoding

The Forensic Power of the Master File Table (MFT)

In the NTFS file system, the Master File Table ($MFT) is the most critical database. It contains a record for every file and directory on a volume, serving as the "map" that the operating system uses to manage data. For a digital forensic investigator, the $MFT is the ultimate source of truth. Vortex MFTPlus is a professional MFT Tool designed to extract and interpret these records, providing a granular view of file activity that is often invisible to standard system utilities.

By parsing the $MFT, Vortex reveals detailed metadata such as the "Standard Information" ($SI) and "File Name" ($FN) attributes, each of which carries its own set of timestamps. This dual-timestamp system is vital for detecting "timestomping"—a technique used by attackers to forge file creation dates. A professional MFT parser like Vortex can compare these attributes to identify discrepancies that prove a file's history has been tampered with.
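As an added example (not code from Vortex MFTPlus or from this page), the following Python performs the $SI versus $FN comparison described above on constructed attribute bodies, using two commonly applied heuristics: a $SI creation time earlier than the $FN creation time, and $SI timestamps whose sub-second component is exactly zero. The sample timestamps, file name and sizes are invented for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-ns ticks since 1601-01-01 UTC; 10,000,000 ticks per second.
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")

def dt_to_filetime(dt):
    # timedelta // timedelta is exact integer division, so large tick counts are not rounded
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def parse_si_times(si_body):
    # $STANDARD_INFORMATION (type 0x10) body begins with the four FILETIMEs
    return dict(zip(FIELDS, struct.unpack_from("<4Q", si_body, 0)))

def parse_fn_times(fn_body):
    # $FILE_NAME (type 0x30) body: 8-byte parent directory reference, then the same four FILETIMEs
    return dict(zip(FIELDS, struct.unpack_from("<4Q", fn_body, 8)))

def timestomp_indicators(si_body, fn_body):
    """Compare $SI with $FN and return a list of anomaly descriptions (empty when consistent)."""
    si, fn = parse_si_times(si_body), parse_fn_times(fn_body)
    findings = []
    # SetFileTime only rewrites $SI, so a $SI creation time older than the $FN creation time
    # means $SI was changed after the file name (and its timestamps) already existed.
    if si["created"] < fn["created"]:
        findings.append("created: $SI predates $FN")
    # Many stomping tools write whole-second values; genuine NTFS timestamps almost always
    # carry a non-zero 100-ns remainder.
    for name in FIELDS:
        if si[name] % TICKS_PER_SECOND == 0:
            findings.append(f"{name}: $SI has zero sub-second component")
    return findings

# Constructed sample attribute bodies (not taken from a real volume).
REAL = dt_to_filetime(datetime(2024, 3, 10, 14, 22, 31, 123456, tzinfo=timezone.utc)) + 7
STOMPED = dt_to_filetime(datetime(2019, 6, 1, 9, 0, 0, tzinfo=timezone.utc))
# $SI back-dated to a round second; mft_modified left untouched in this sample.
SAMPLE_SI = struct.pack("<4Q", STOMPED, STOMPED, REAL, STOMPED) + bytes(40)
CLEAN_SI = struct.pack("<4Q", REAL, REAL, REAL, REAL) + bytes(40)
NAME = "report.docx".encode("utf-16-le")
SAMPLE_FN = (struct.pack("<Q", 5 | (5 << 48))            # parent ref: MFT record 5 (root), sequence 5
             + struct.pack("<4Q", REAL, REAL, REAL, REAL)
             + struct.pack("<QQIIBB", 4096, 1337, 0x20, 0, len(NAME) // 2, 1)  # sizes, flags, reparse, name length, namespace
             + NAME)

if __name__ == "__main__":
    print("\n".join(timestomp_indicators(SAMPLE_SI, SAMPLE_FN)))
```

Running the block against the stomped sample reports four findings, while the clean $SI body produces none; in a real investigation the same comparison is applied to every record's resident $SI and $FN attributes.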

$LogFile, $SDS, $ObjID & $I30 Analysis

Vortex MFTPlus recovers raw filesystem sequences and transaction undo-redo operations directly from the $LogFile, providing a forensic bridge between MFT snapshots. This enables investigators to reconstruct the "missing links" in file creation and deletion events.

  • $LogFile Analysis: Interrogate raw transaction logs to identify file operations that occurred between MFT updates.
  • $I30 Index Root Tool: Parse directory index buffers with the $I30 Index Analyzer to find evidence of deleted files.
  • $SDS & $Secure Parser: Dedicated sub-header parsing for Security Descriptors and Access Control Lists (ACLs).
  • $ObjID & $Reparse Utility: Track file movement via Object IDs and identify symbolic links or mount points.

Supported NTFS Forensic Artifacts

Artifact          Forensic Value                        Vortex Support
$MFT Records      Primary file metadata & timestamps    Full Attribute Parsing
$LogFile          Transaction logs / Undo-Redo ops      Raw Sequence Recovery
$UsnJrnl          Change journal / File history         Real-time Triage
$I30 Indices      Directory listing / Deleted names     Index Root Carving
$SDS / $Secure    Security & Permission data            ACL Resolution

Note: For a technical breakdown of NTFS attributes and MFT record structures, visit our MFT Forensic Repository Article.

UTILITY

Vortex MFTPlus is a deep-level NTFS metadata parser. It enables investigators to interrogate the Master File Table and filesystem journals to uncover hidden file activity and detect timestamp manipulation.

CAPABILITIES

Performs comprehensive attribute analysis, journal correlation, and resident data extraction. Essential for reconstructing complex filesystem events and validating file integrity during forensic audits.
