RawCopy is a file copier for NTFS that uses low-level disk reading and resolves data clusters by parsing the $MFT.

It should be able to copy any file off the volume. Even those locked by the system like the registry hives, or the NTFS system files like $MFT and $LogFile etc. It effectively bypasses all filesystem security.

Source file can be given file path and filename. Or it can be reference by the IndexNumber (MFT reference number/inode).

Output directory must exist.

Also there is an option to also extract all attributes, not just $DATA. This is nice if you want to look at non-resident $Bitmap, $EA, $INDEX_ALLOCATION etc, that may also be fragmented, meaning not many tools will let you extract these.

Here are the available commands:

Example copying C:file.ext to E ut:

RawCopy C:file.ext E utExample copying C:WINDOWSsystem32configSAM to F:reg with all attributes including $DATA

RawCopy C:WINDOWSsystem32configSAM F:reg -AllAttrExample copying IndexNumber 20112 from C: volume to D:bak only $DATA attribute

RawCopy C:20112 D:bak