Master File Table ($MFT) - The File Catalog

The Master File Table ($MFT) is the absolute heart and central database of an NTFS volume. It is itself a special file that contains at least one entry, known as an MFT record (or segment), for every single file and directory residing on that volume. Each MFT record acts like a detailed index card, storing crucial metadata about the corresponding file or directory. This metadata includes:

• Filename(s) (NTFS supports multiple names, e.g., short 8.3 names and long filenames)

• File size (logical and physical)

• File attributes (e.g., Read-Only, Hidden, System, Archive, Compressed, Encrypted)

• Security permissions (ACLs)

• The fundamental MACB timestamps (within specific attributes like $STANDARD_INFORMATION and $FILE_NAME)

• Pointers ($DATA attribute runs) indicating the physical location(s) (clusters) on the disk where the actual file content is stored. For very small files, the data might even be stored directly within the MFT record itself (known as a "resident" file).

Analyzing ("parsing") the $MFT provides a comprehensive catalog of nearly everything present (and often, recently deleted items whose records haven't been overwritten yet) on the volume. It's a cornerstone artifact for establishing file existence, timelines, and attributes. Any modification to a file's metadata recorded in its MFT entry updates the file's '(C) Changed' timestamp.