Master File Table
The Master File Table (MFT) is the heart of the New Technology File System (NTFS). It is a special system file that functions as the central database or index for an entire volume. The MFT contains at least one record, known as a file record segment (FRS), for every single file and directory on that volume. This includes the MFT itself, which has its own entry.
From a DFIR perspective, the MFT is the ultimate source of truth for file system metadata. It provides a detailed and structured catalog of nearly everything that exists—or recently existed—on a disk. Analyzing the MFT is a foundational step in any file system forensic investigation.
Location and Structure
The MFT is a file itself, typically named $MFT, located at the root of the NTFS volume. It is usually hidden and inaccessible through standard user interfaces like File Explorer.
Structure: The MFT is composed of a series of fixed-size records (commonly 1024 bytes). The first records are reserved for NTFS metadata files (e.g., $MFT, $LogFile, $Volume, $AttrDef). Each subsequent record is allocated to a file or directory as it is created.
When a file is deleted, its MFT record is marked as inactive but is not immediately overwritten. The record's space becomes available for reuse by a new file. This "latency" in overwriting provides a critical window for forensic analysts to recover metadata about deleted files.
Stored Metadata and Attributes
Each MFT record acts as a detailed index card, storing crucial metadata about its corresponding file or directory in the form of attributes. Key attributes include:
$STANDARD_INFORMATION ($SI): This attribute contains a set of MACB timestamps (Modified, Accessed, Changed, Birth), file attributes (e.g., Read-Only, Hidden, System), and ownership information. These are the timestamps most commonly displayed by the operating system.
$FILE_NAME ($FN): This attribute stores the file's name (in Unicode), its parent directory's MFT reference, and, critically, a separate, independent set of MACB timestamps. These timestamps are often less susceptible to simple tampering than the $SI timestamps.
$DATA: This attribute contains the actual content of the file. For very small files ("resident" files), the data is stored directly within the MFT record itself. For larger files, this attribute contains pointers to the physical locations (clusters) on the disk where the data is stored.
Other Attributes: The MFT also stores information about security permissions ($SECURITY_DESCRIPTOR), Alternate Data Streams ($ATTRIBUTE_LIST), and more.
Forensic Value
The MFT is an indispensable artifact for reconstructing file system activity and detecting tampering.
Comprehensive File Catalog: Parsing the MFT provides a complete list of all active files and directories, along with their detailed metadata.
Recovery of Deleted Files: By analyzing inactive MFT records that have not yet been overwritten, analysts can recover critical metadata about deleted files, including their original names, sizes, and timestamps, proving their prior existence.
Detection of Timestomping: This is a key use case. Because the MFT stores two separate sets of timestamps ($SI and $FN), a discrepancy between them is a classic and strong indicator of timestomping. Many anti-forensic tools only modify the more accessible $SI timestamps, leaving the $FN timestamps untouched as evidence of the manipulation.
Tracking File Movement: The parent directory reference within the $FN attribute helps establish the file's location and can be used to track file movement within the same volume.
Specialized forensic tools like Eric Zimmerman's MFTECmd or forensic suites like FTK Imager are required to parse the raw MFT file and present its contents in a human-readable format.
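As an added example (not code from the original page, MFTECmd or FTK Imager), the following Python parses a single raw MFT record the way the sections above describe: it checks the FILE signature, applies the update-sequence fixups, reads the resident $STANDARD_INFORMATION and $FILE_NAME attributes (both timestamp sets, the name and the parent reference) and flags the $SI-older-than-$FN discrepancy. The record it parses is a constructed test fixture built by build_record from the standard on-disk layouts, not data from a real volume; all function names and the sample file name are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; values are 100 ns ticks
TS_KEYS = ("created", "modified", "mft_changed", "accessed")  # on-disk order in both $SI and $FN
SI_TIME = datetime(2019, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed: what a tampered $SI claims
FN_TIME = datetime(2024, 6, 10, 9, 30, 15, 123456, tzinfo=timezone.utc)  # constructed: real creation

def ft_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)
def dt_to_ft(dt):  # timedelta // timedelta is an exact integer division
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_record(raw):  # one 1024-byte FILE record -> header flags, $SI/$FN timestamps, name, parent
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):  # undo update-sequence fixups at the end of each 512-byte sector
        pos = i * 512 - 2
        if rec[pos:pos + 2] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1)}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:  # end-of-attributes marker
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)  # resident header: length, offset
        body = rec[off + coff:off + coff + clen]
        if atype == 0x10 and not nonres:  # $STANDARD_INFORMATION starts with its 4 FILETIMEs
            info["si"] = dict(zip(TS_KEYS, map(ft_to_dt, struct.unpack_from("<4Q", body))))
        elif atype == 0x30 and not nonres:  # $FILE_NAME: parent ref, 4 FILETIMEs, sizes, flags, name
            info["parent"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF  # low 48 bits: record no.
            info["fn"] = dict(zip(TS_KEYS, map(ft_to_dt, struct.unpack_from("<4Q", body, 8))))
            info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info

def timestomp_indicators(info):  # $FN is written by the kernel at creation; an older $SI birth is the classic sign
    si, fn = info["si"]["created"], info["fn"]["created"]
    return ["$SI created %s predates $FN created %s" % (si, fn)] if si < fn else []

def build_record(name, si_time, fn_time, record_no=40):  # constructed fixture, not a real volume's record
    def attr(atype, body):  # 0x18-byte resident attribute header; total length padded to 8 bytes
        total = (0x18 + len(body) + 7) & ~7
        return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0) + body.ljust(total - 0x18, b"\0")
    si = struct.pack("<4QIIII", *[dt_to_ft(si_time)] * 4, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | 5 << 48, *[dt_to_ft(fn_time)] * 4, 0, 0, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    body = attr(0x10, si) + attr(0x30, fn) + b"\xff" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI8s", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 3, 0, record_no, b"\0" * 8)
    return (hdr + body).ljust(1024, b"\0")  # zero padding also supplies the zero USN at each sector end
```

On a real $MFT, feed parse_record each 1024-byte slice in turn; records with in_use False are the inactive entries whose names and timestamps can still be recovered.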
Reflection points (SS Contest)
For a ScreenSharer, the MFT is the reference book for all files on the system and a primary tool for exposing advanced bypasses.
The Ground Truth: The MFT tells you what is truly on the disk. It can reveal hidden files or directories that are not visible in File Explorer.
Exposing Timestomping: The ability to compare $SI and $FN timestamps is one of the most powerful techniques in a ScreenSharer's arsenal. If a player claims a cheat file is old, but a check of the MFT reveals that the file's $SI timestamp (e.g., 2019) is completely different from its $FN timestamp (e.g., today's date), you have conclusive proof of tampering.
Recovering Deleted File Info: Even if a player shift-deletes a cheat, a quick parse of the MFT for inactive records might recover the cheat's filename and timestamps, proving it existed just moments before the screenshare.
Identifying Resident Files: Cheaters sometimes use very small tools or scripts. If these are "resident" within the MFT, they might not occupy a separate cluster on the disk, making them slightly harder to find with standard file carving tools. A full MFT parse will always find them.