RawCopy is a file copier for NTFS that uses low-level disk reading and resolves data clusters by parsing the $MFT.
It should be able to copy any file off the volume, even those locked by the system, like the registry hives, or the NTFS system files like $MFT and $LogFile. It effectively bypasses all filesystem security. The source file can be given by file path and filename, or it can be referenced by its IndexNumber (MFT reference number/inode). The output directory must exist. There is also an option to extract all attributes, not just $DATA. This is nice if you want to look at non-resident $Bitmap, $EA, $INDEX_ALLOCATION etc., which may also be fragmented, meaning not many tools will let you extract these.

Here are the available commands:

Example copying C:\file.ext to E:\out:
RawCopy C:\file.ext E:\out

Example copying C:\WINDOWS\system32\config\SAM to F:\reg with all attributes including $DATA:
RawCopy C:\WINDOWS\system32\config\SAM F:\reg -AllAttr

Example copying IndexNumber 20112 from C: volume to D:\bak, only the $DATA attribute:
RawCopy C:20112 D:\bak
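
Resolving the data clusters of a fragmented, non-resident attribute means decoding the runlist stored in its $MFT record. The sketch below is an added example, not RawCopy's own code: the function names, the sample runlist bytes and the 4096-byte cluster size are constructed for illustration.

```python
# Added example: decode an NTFS runlist (mapping pairs) into cluster extents.

def decode_runlist(runlist: bytes):
    """Return [(start_lcn or None for sparse, cluster_count), ...]."""
    extents, pos, lcn = [], 0, 0
    while pos < len(runlist) and runlist[pos] != 0x00:   # 0x00 ends the list
        len_size = runlist[pos] & 0x0F    # low nibble: bytes in the length field
        off_size = runlist[pos] >> 4      # high nibble: bytes in the offset field
        pos += 1
        if not 1 <= len_size <= 8 or off_size > 8:
            raise ValueError("corrupt run header")
        if pos + len_size + off_size > len(runlist):
            raise ValueError("runlist truncated")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            extents.append((None, count))   # sparse run: no clusters on disk
            continue
        # The offset is signed and relative to the previous run's start LCN,
        # so a fragment may sit before the one that precedes it in the file.
        lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        if lcn < 0:
            raise ValueError("run points before start of volume")
        extents.append((lcn, count))
    return extents


def volume_byte_ranges(extents, cluster_size):
    """Translate extents to (volume_byte_offset or None, byte_length)."""
    return [(None if lcn is None else lcn * cluster_size, n * cluster_size)
            for lcn, n in extents]


# Constructed sample: four runs, one backwards jump, one sparse run.
SAMPLE_RUNLIST = bytes.fromhex("21100001" "1108f0" "0104" "21200002" "00")
CLUSTER_SIZE = 4096   # assumed; the real value comes from the volume boot sector

if __name__ == "__main__":
    ranges = volume_byte_ranges(decode_runlist(SAMPLE_RUNLIST), CLUSTER_SIZE)
    for off, length in ranges:
        print("sparse" if off is None else f"offset {off}", f"length {length}")
```

Reading each returned byte range from the raw volume in order, and writing zeros for sparse ranges, reproduces the attribute's content.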