Is there a way to get the filename/location information from the MFT of an NTFS volume?

Question

I need to get the list of all the files on a drive. I am using a recursive solution. But it is taking a lot of time. I was wondering that, is it possible to get the names and location of all the files on a NTFS drive from it's Master File Table? I think it will be very fast. Any suggestions?

Answer 1

When you get a list of all the files on an NTFS-formatted drive using a recursive solution, you are getting them from the MFT. There should be little disk IO outside of the MFT when simply retrieving a list of filenames and directories.

Before going down the path of determining the format of the MFT (which is available from a variety of places on the Internet) and writing code to read it directly, you should probably profile your code and determine that you aren't already CPU or IO bound.

Answer 2

There is a tool that will search the mft directly, it's called ndff. I have used it before and it is very fast.

Presumably it is possible to do what you want - there is another tool called "Everything" which I guess does the same thing - it also uses the USN change journal to update it's index.

Answer 3

I have the impression you're imagining some kind of list-like structure in the MFT which you can read in one go with no or minimal seeking.

This is not the case. The MFT uses a type of b-tree to store pathnames. When you scan the directory structure on your disk, you are in fact walking the MFT b-tree; you are doing what you would have to do if you accessed the MFT directly.

Answer 4

Yes there is, and the program I just open-sourced does exactly this.

You can read the source to find out how it works, but basically, it just looks for FILE_NAME attributes inside the $MFT and then uses the ParentDirectory field to get the parent of every file.

That way it can completely avoid reading the contents of any directory.