Uncover hidden PC activity with Mft2Csv

Mft2Csv

Wondering what other users might be doing on your PC? Checking browser or application histories might give you some clues, and monitoring software can also help.

But the simplest route is probably to build a file timeline, something which shows you when files were created or modified on your PC.

You could do this in a basic form with Explorer. Just browse to a user folder, or some other key area, click the "Date modified" column, and run a search.

Browsing the list will show you documents, logs, temporary files and plenty of other clues about how -- and when -- your system was being used.

A smart user might clear their tracks, of course, deleting key files to hide exactly what they’re doing.

But if you really want to dig deep, the open source Mft2Csv can produce a timeline which also includes deleted files, to uncover activity going back weeks, months, maybe even years.

The program works by parsing the Master File Table (MFT), the NTFS index used to store every detail of your files: name, location, size, attributes, dates and much, much more.

Mft2Csv has a vast number of options, but if you simply want to scan your main system drive then fortunately they can all be ignored. Launch it, make sure your volume is displayed, and hit Start Processing (or use Mft2Csv /volume:c:  from the command line).

The scan and export process can take a very long time, maybe an hour or more, but that’s just because there’s so much to do (our test PC’s CSV was 615MB).

When it’s finished, the completed CSV displays an entry for every file, along with all the related NTFS information.

Most of this is too low-level and technical for even expert users to care about, but there’s the file name, size, attributes, creation, access and modified times, and more (there’s an explanation of some fields here).

Now all you have to do is sort your CSV by the CTime field (Creation Time) and the list becomes a timeline, showing which files were created, and when. As this includes deleted files you may find you’ve got activity records stretching back years.

You could also use your CSV viewer’s Search function to locate files by name, again even if they’ve been deleted.

Mft2Csv isn’t a program you’ll use every day -- the parsing process just takes too long -- but if you ever need some real low-level forensics it’s hard to beat.

2 Responses to Uncover hidden PC activity with Mft2Csv

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.