gitmyhub

ntfsdump

Rust ★ 28 updated 14d ago

A Windows command-line tool written in Rust that copies locked system files like registry hives by reading directly from the raw NTFS disk volume, bypassing normal OS file-access restrictions.

Rust · MinGW · setup: moderate · complexity 3/5

ntfsdump is a command-line tool written in Rust for Windows that copies protected system files by reading directly from the raw disk volume instead of going through the normal Windows file system. Windows locks certain files, such as registry hives, while the operating system is running, so they cannot be copied with ordinary file commands. This tool bypasses that restriction by opening the raw NTFS volume, parsing the file system metadata to locate a target file, and reading its bytes straight from disk. Administrator privileges are required.

The tool has four commands. The default dump command extracts the SAM and SYSTEM registry hives, which store local user account data and system configuration. An optional flag also pulls the SECURITY hive. The copy command lets you specify any absolute path on the file system to extract. The read command retrieves one file and either prints it as Base64 text or writes the raw bytes to an output path. The sam command parses a previously copied SAM hive and lists local user accounts with their password hash fields shown in a redacted form.

This is primarily a forensic acquisition tool. Security professionals working on Windows endpoint investigations or lab exercises use raw hive acquisition when they need to analyze credential or configuration data from a live system without being blocked by the file locks the running operating system holds on those hives. The README links to a lab write-up with screenshots showing the tool in use.

The project is built with Rust and cross-compiled for Windows using the MinGW toolchain. The README gives the single build command and several PowerShell usage examples. No pre-built binary is included; you compile it from source.

Where it fits