MFT Forensics Investigator

Raw MFT Record View

Offset: 1024 (Record 12)

Hover buttons to highlight bytes

0001020304050607 08090A0B0C0D0E0F

Select an Attribute

Click on the buttons in the left panel to inspect specific parts of the MFT record and reveal their forensic significance.

MFT Record Header

The first 48 bytes of the entry.

Signature: "FILE" (0x46494C45)
Offset to Update Sequence
Flags: 0x01 (In Use) or 0x00 (Deleted)

Forensic Significance

Deleted Files

If the flags byte is 0x00 (or 0x02 for deleted directory), the file is deleted but the MFT record still exists until overwritten.

Sequence Number

Incremented every time the MFT slot is reused. A mismatch between $LogFile and MFT sequence numbers can indicate wiping.

$STANDARD_INFORMATION (0x10)

Contains the primary timestamps (MACB) and file flags (Read-only, Hidden, Archive).

Created (M)
Modified (A)
MFT Modified (C)
Accessed (B)

Forensic Significance

Timestomping!

This attribute is easily modified by user-level tools (like SetFileTime API). Attackers modify these times to hide their tracks.

Anomaly Detection

Compare these times with $FILE_NAME times. If $SI times are before $FN times, or perfectly rounded, suspect manipulation.

$FILE_NAME (0x30)

Stores the file name (Unicode), size, parent directory reference, and another set of timestamps.

Note: A file can have multiple $FN attributes (e.g., DOS 8.3 short name).

Forensic Significance

The "Truth" Attribute

Timestamps here are updated by the OS kernel, not user APIs. They are updated only when the file is renamed, moved, or copied. They often retain the original creation time even if $SI is timestomped.

Parent Directory Index

Contains the MFT Reference to the parent folder. Crucial for reconstructing file paths of deleted files.

$DATA (0x80)

The actual content of the file.

Resident

Small files (< ~700 bytes). Data is stored directly inside the MFT record.

Non-Resident

Larger files. This attribute stores "Runlists" (pointers to clusters on disk).

Forensic Significance

Resident Data

Forensic Goldmine! Even if the clusters on disk are wiped, if the file was small enough to be Resident, the content might still exist in the MFT Entry slack.

Alternate Data Streams (ADS)

A file can have multiple $DATA attributes. Malware often hides in an ADS (e.g., file.txt:malicious.exe).

MFT System Files

The first 16 records (0-15) are reserved. These are the "VIP" files that manage the filesystem.

Key Distinction: These are FILES. They contain Attributes (like $DATA).

Select a System File

Explore the critical files that make NTFS work and learn why forensic analysts check them first.

$MFT (Master File Table)

The heart of NTFS. It is a database that contains a record for every single file and directory on the volume.

Forensic Use Case

We parse this file to list all files on the drive, including deleted ones (marked with 0x00 flags). Tools like "MFT2CSV" parse this specific file.

$MFTMirr (Mirror)

A backup of the first 4 records of the MFT. Located in the middle of the disk for safety.

Forensic Use Case

If the main $MFT is corrupt or wiped by an attacker, we can carve $MFTMirr to at least recover the system file structure information.

$LogFile

The transaction journal. NTFS writes changes here before committing them to the disk to prevent corruption during crashes.

Forensic Use Case

Essential for proving "Intent". It records file operations (rename, create, delete). Even if a file is wiped, the transaction log might still show the user creating and then deleting it.

$Bitmap

A map of every cluster on the volume. Each bit represents a cluster:
1 = Allocated 0 = Free.

Forensic Use Case

Used to verify "Hidden" data. If a cluster is marked as "Allocated" (1) in $Bitmap but no file in the MFT claims it, someone might be hiding data there (Volume Shadow Copy or malicious hiding).

$BadClus

Tracks physical sectors on the hard drive that are damaged and should not be used.

Forensic Use Case

Attackers sometimes manually mark good clusters as "Bad" in this file to hide malware, because the OS will refuse to read/write to them.

The Classifier Challenge

Distinguish between Attributes (internal data) and System Files (MFT Records).

System File
(Record 0-15)

Header / Meta
(Internal)

$STANDARD_INFO
(Attribute)

$FILE_NAME
(Attribute)

$DATA
(Attribute)

All evidence correctly sorted! Great work, Investigator.

Raw MFT Record View

Select an Attribute

MFT Record Header

Forensic Significance

Deleted Files

Sequence Number

$STANDARD_INFORMATION (0x10)

Forensic Significance

Timestomping!

Anomaly Detection

$FILE_NAME (0x30)

Forensic Significance

The "Truth" Attribute

Parent Directory Index

$DATA (0x80)

Resident

Non-Resident

Forensic Significance

Resident Data

Alternate Data Streams (ADS)

MFT System Files

Select a System File

$MFT (Master File Table)

Forensic Use Case

$MFTMirr (Mirror)

Forensic Use Case

$LogFile

Forensic Use Case

$Bitmap

Forensic Use Case

$BadClus

Forensic Use Case

The Classifier Challenge

System File(Record 0-15)

Header / Meta(Internal)

$STANDARD_INFO(Attribute)

$FILE_NAME(Attribute)

$DATA(Attribute)

System File
(Record 0-15)

Header / Meta
(Internal)

$STANDARD_INFO
(Attribute)

$FILE_NAME
(Attribute)

$DATA
(Attribute)