Forensicswiki.org has moved to this site, forensicswiki.xyz. For information, please join the Google Group forensicswiki-reborn

$MFT

From Forensics Wiki
Revision as of 14:04, 20 October 2021 by Fuseki (talk | contribs) (→‎Tools)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

In an NTFS volume the $MFT metadata file keeps records of all file entries in the volume.

Note that analysis of a stand-alone $MFT (versus a full file system analysis) has limitations.

$MFT

The NTFS file system contains a file called the master file table, or MFT. There is at least one entry in the MFT for every file on an NTFS file system volume, including the MFT itself. All information about a file, including its size, time and date values, permissions, and data content, is stored either in MFT entries, or in space outside the MFT that is described by MFT entries.

The NTFS file system reserves space for the MFT to keep the MFT as contiguous as possible as it grows. The space reserved by the NTFS file system for the MFT in each volume is called the MFT zone. Space for files and directories are also allocated from this space, but only after all of the volume space outside of the MFT zone has been allocated.

The first record of this table describes the master file table itself, followed by an MFT mirror record.

If the first MFT record is corrupted, NTFS reads the second record to find the MFT mirror file, whose first record is identical to the first record of the MFT. The locations of the data segments for both the MFT and MFT mirror files are recorded in the boot sector.

Structure

The master file table allocates a certain amount of space for each file record. The attributes of a file are written to the allocated space in the MFT. Small files and directories (typically 512 bytes or smaller), can entirely be contained within the master file table record. Mftentries.png

MFT Record for a Small File or Directory

This design makes file access very fast. Consider, for example, the FAT file system, which uses a file allocation table to list the names and addresses of each file. FAT directory entries contain an index in the file allocation table.

When you want to view a file, FAT first reads the file allocation table and assures that it exists. Then FAT retrieves the file by searching the chain of allocation units assigned to the file. As soon as you look up the file with NTFS, it's there for you to use.

Directory records are housed within the master file table just like file records. Instead of data, directories contain index information.

Small directory records reside entirely within the MFT structure. Large directories are organized into B-trees, have records with pointers to external clusters containing directory entries that could not be contained within the MFT structure.

Location

The $MFT file is located under the root of each volume and can be extracted using FTKImager.

FTKMFT.png

Also see

External Links

Tools