NTFS forensic parser for raw physical disk analysis. Extracts $MFT records, $UsnJrnl, $LogFile, $ObjID, $I30 and (partially) $Secure, with built-in anomaly detection.
⭐ Star this project if you found it useful.
VortexMFT Plus is a standalone forensic utility built to parse core NTFS structures directly from a raw disk. By correlating the Master File Table with the $UsnJrnl and $LogFile, it provides a complete timeline of file system activity. During every parse, the engine simultaneously evaluates the data against 27 forensic anomaly rules to identify hidden threats.
Fully decodes the USN Journal ($UsnJrnl:$J), including all 19 reason flags, to derive primary user actions. It further extends visibility by parsing the NTFS LogFile ($LogFile), exposing LSNs, transaction IDs, and redo/undo operation codes for low-level disk state analysis.
- Standalone EXE: Fully portable with all forensic dependencies embedded.
- Raw Physical Access: Read $MFT, $UsnJrnl, $LogFile, $ObjID and $I30 directly from the disk.
- Multidimensional Correlation: Links USN reasons to MFT records and Transaction Log sequences.
- Automated Triage: Scans for 27 unique anomaly types (timestomping, script & malware behaviors, wiping, etc.) during the parsing process.
Requirements:
- .NET Framework 4.6.2
- Windows 10 or Windows 11
- Administrator privileges (required for raw disk access)
