File System: MFT (technical)

MFT – the Master File Table – is the first and key file in an NTFS file system. For a very basic understanding of the MFT, please read this post.

All files are referenced through the MFT, including itself.

Within the MFT, the MFT itself is given position “0” and the name $MFT. It sits just above $MFTMirr (the MFT mirror) at position “1”. The MFT mirror is a copy of the first 16 entries of the MFT, which is there to help the file system deal with errors/corruption.

Each MFT entry is, by default, 1024 bytes long (2 sectors) and contains information about the file it references.

This includes:

  • The file name
  • Directory the file belongs to
  • Dates: Created, Modified, Accessed, Entry Modified – the last time the MFT entry itself was modified for that file
  • File Size
  • File permissions
  • Physical location of the file. This gives the location, or locations, of the file within the NTFS file system on the hard drive. Remember that a file within an NTFS file system does not need to be contiguous; it can be split into different sections around the hard drive. All of those sections are referenced within the MFT entry, in a section called “Index” or “Data”.

If a file is very small, just a few bytes, e.g. a cookie, there is no need for the MFT entry to hold an index directing the computer to the location of the cookie (the directions could be longer than the file itself). Instead the small file can be fitted into the MFT entry, where the index or directions would normally be. This type of data is called “resident” data; other entries, where the data is stored elsewhere in the NTFS file system, are called “non-resident”.

Resident data can be very interesting, because it can allow for “slack” within an MFT entry. Here is how.

Example

A small text file is created on a Windows XP computer with an NTFS file system. This means that an MFT entry is written, with resident data. Due to the size of the file, in this case, this takes up the whole of the 1024 bytes.

A few weeks later the text file is deleted, and a new file is created. In this case the MFT entry is overwritten, therefore deleting all information about the original file (e.g. date, location, size, etc.). Other artifacts (link files, registry entries, etc.) may tell you about the file, but the MFT entry itself has now been overwritten. However, the new file is a non-resident, contiguous file. This means that the entry is relatively short and does not take up much space; in this case the entire MFT entry is now only 600 bytes long. That leaves 424 bytes remaining of the “old” entry – this is slack, or more specifically MFT slack. As the remaining area is at the end of the MFT entry, it holds the data of the original text file. This data could last there for a very long time, as nothing will write into that location until the new file is deleted or becomes very large.

In the example given, an investigator could only find that information with a keyword search, and if he did find it he would not be able to say what the name of the document was, or when it was created or deleted (unless there was other supporting information). However, if you're lucky, it may be the perfect evidence.
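The scenario above, worked through in code as an added example (this is not code from the post or its author): it builds two constructed 1024-byte MFT records using the FILE-record and attribute header layouts, first a resident $DATA attribute holding a memo that fills the record, then a non-resident $DATA attribute (one data run) for the file that replaces it. It applies and removes the update-sequence fixups that any MFT parser has to handle, and carves the slack that lies past the new record's used-size field. The record number, file names, text, dates and cluster numbers are all constructed for the demo.

```python
"""Added example (not from the post): build two constructed NTFS MFT records and
recover the MFT slack the post describes. Offsets follow the FILE record layout."""
import struct
from datetime import datetime, timedelta, timezone

ENTRY, SECTOR, END = 1024, 512, 0xFFFFFFFF
NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns ticks

def ft(dt): return int((dt - EPOCH).total_seconds()) * 10_000_000
def unft(ticks): return EPOCH + timedelta(microseconds=ticks // 10)

def attr_hdr(atype, length, nonres, aid):           # 16-byte common attribute header
    return struct.pack("<IIBBHHH", atype, length, nonres, 0, 0x18, 0, aid)

def resident(atype, content, aid):                  # header (24) + content, 8-byte aligned
    length = (24 + len(content) + 7) & ~7
    return (attr_hdr(atype, length, 0, aid) + struct.pack("<IHH", len(content), 24, 0)
            + content).ljust(length, b"\0")

def nonresident(atype, lcn, clusters, size, aid, cluster=4096):   # header (64) + one data run
    runs = bytes([0x31, clusters]) + struct.pack("<I", lcn)[:3] + b"\0"
    length = (64 + len(runs) + 7) & ~7
    return (attr_hdr(atype, length, 1, aid) + struct.pack("<QQHHIQQQ", 0, clusters - 1, 64,
            0, 0, clusters * cluster, size, size) + runs).ljust(length, b"\0")

def std_info(*times):                               # $STANDARD_INFORMATION: C, M, entry-M, A
    return struct.pack("<4Q4I", *map(ft, times), 0x20, 0, 0, 0)

def file_name(parent, name, when, size):            # $FILE_NAME: parent ref, 4 times, sizes, name
    return (struct.pack("<5QQQIIBB", parent, *([ft(when)] * 4), size, size, 0, 0, len(name), 3)
            + name.encode("utf-16-le"))

def unfix(disk):
    """Undo fixups: each sector's last word was swapped for the update sequence number,
    the real word being parked in the array whose offset sits at header +0x04."""
    raw = bytearray(disk)
    assert raw[:4] == b"FILE", "not an MFT record"
    off, n = struct.unpack_from("<HH", raw, 4)
    for i, end in enumerate(range(SECTOR, SECTOR * n, SECTOR)):
        if raw[end - 2:end] != raw[off:off + 2]:
            raise ValueError("fixup mismatch: torn write or wrong record size")
        raw[end - 2:end] = raw[off + 2 + 2 * i:off + 4 + 2 * i]
    return raw

def build_entry(recno, attrs, usn, prior=None):
    """Write header + attributes + end marker over `prior` (the record's previous bytes);
    the rest of the 1024 bytes is left as it was (future slack), then fixups are applied."""
    body = b"".join(attrs) + struct.pack("<I", END)
    body = body.ljust((len(body) + 7) & ~7, b"\0")
    used = 0x38 + len(body)
    assert used <= ENTRY, "attributes do not fit in one record"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      used, ENTRY, 0, len(attrs), 0, recno)
    raw = unfix(prior) if prior else bytearray(ENTRY)
    raw[:used] = hdr + bytes(8) + body
    usa = struct.pack("<H", usn)
    for end in range(SECTOR, ENTRY + 1, SECTOR):
        usa += bytes(raw[end - 2:end])
        raw[end - 2:end] = usa[:2]
    raw[0x30:0x36] = usa
    return bytes(raw)

def decode_runs(buf):                               # -> [(lcn, clusters)]; offsets are signed deltas
    runs, pos, lcn = [], 0, 0
    while buf[pos]:
        lsz, osz = buf[pos] & 0xF, buf[pos] >> 4
        n = int.from_bytes(buf[pos + 1:pos + 1 + lsz], "little")
        lcn += int.from_bytes(buf[pos + 1 + lsz:pos + 1 + lsz + osz], "little", signed=True)
        runs.append((lcn, n)); pos += 1 + lsz + osz
    return runs

def parse_entry(disk):
    """Header fields, every attribute, and the slack that lies past the used size."""
    raw = unfix(disk)
    first, flags, used = struct.unpack_from("<HHI", raw, 0x14)
    entry = {"record": struct.unpack_from("<I", raw, 0x2C)[0], "in_use": bool(flags & 1),
             "used": used, "attrs": [], "slack": bytes(raw[used:])}
    off = first
    while struct.unpack_from("<I", raw, off)[0] != END:
        atype, length, nonres = struct.unpack_from("<IIB", raw, off)
        a = {"type": NAMES.get(atype, hex(atype)), "resident": not nonres}
        if nonres:
            a["size"] = struct.unpack_from("<Q", raw, off + 0x30)[0]
            runoff = struct.unpack_from("<H", raw, off + 0x20)[0]
            a["runs"] = decode_runs(bytes(raw[off + runoff:off + length]))
        else:
            size, coff = struct.unpack_from("<IH", raw, off + 0x10)
            c = bytes(raw[off + coff:off + coff + size])
            if atype == 0x10: a["created"] = unft(struct.unpack_from("<Q", c)[0])
            elif atype == 0x30: a["name"] = c[66:66 + 2 * c[64]].decode("utf-16-le")
            else: a["content"] = c
        entry["attrs"].append(a); off += length
    return entry

def demo():
    """Record 27 (constructed): resident 'memo.txt' fills the record; three weeks later
    non-resident 'report.xlsx' (10 clusters at LCN 0x4321) is written over it."""
    t1 = datetime(2009, 3, 1, 9, 0, tzinfo=timezone.utc)
    memo = b"".join(b"line %02d: draft merger figures, do not forward\n" % i for i in range(1, 40))[:752]
    old = build_entry(27, [resident(0x10, std_info(t1, t1, t1, t1), 0),
                           resident(0x30, file_name(5, "memo.txt", t1, len(memo)), 1),
                           resident(0x80, memo, 2)], usn=1)
    t2 = t1 + timedelta(weeks=3)
    new = build_entry(27, [resident(0x10, std_info(t2, t2, t2, t2), 0),
                           resident(0x30, file_name(5, "report.xlsx", t2, 40960), 1),
                           nonresident(0x80, 0x4321, 10, 40960, 2)], usn=2, prior=old)
    return old, new

if __name__ == "__main__":
    for e in map(parse_entry, demo()):
        print(e["used"], [a.get("name", a["type"]) for a in e["attrs"]], e["slack"][:48])
```

Running it prints the old record as fully used (1024 bytes, no slack) and the new one as 320 bytes used with 704 bytes of slack that still begin mid-sentence in the memo text, while the old $FILE_NAME attribute, and with it the name and dates, has been overwritten, which is exactly why a keyword search is the only way to find it. Two details matter for anyone carving real records: slack starts at the used-size field (header offset 0x18), not at the end of the last attribute you happen to parse, and the fixup words at the end of each sector have to be restored from the update sequence array first, or the two bytes at offsets 510 and 1022 of every record will be the sequence number rather than the data that was actually there.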

Note:

The dates for the MFT do not change, i.e. the creation, access, and modification dates for $MFT are always the same – the date it was created/formatted.

A good resource on the MFT, and on NTFS in general, is the book File System Forensic Analysis.


7 Responses to “File System: MFT (technical)”

  1. File System: MFT (basics) « Data - Where is it? Says:

    [...] data? Who collects, controls, and searches it? « New Home for Where is My Data File System: MFT (technical) [...]

  2. Forensics: Deleting and Wiping Data « Data - Where is it? Says:

    [...] where the file exists, etc.  However, in the most common file system on PCs (the Windows based NTFS), deletion does not destroy a file but merely prevents the user from accessing the file. Then using [...]

  3. MFT Slack « Data - Where is it? Says:

    [...] Posted on March 29, 2009 by Rob The MFT can have slack, though it is slightly different to file slack. As the slack is within the MFT, [...]

  4. Dates: NTFS Created, Modified, Accessed, Written « Data - Where is it? Says:

    [...] Entry Modified: A basic understanding of NTFS and the MFT is required for this section. This is date not shown by Windows Explorer or the average windows [...]

  5. Forensics: What does “Entry Modified” mean in EnCase? « Data - Where is it? Says:

    [...] Modified, in EnCase, refers to when the MFT entry for that file was last change. As the MFT entry contains a lot of information about the file, [...]

  6. Forensics: NTFS Deleted Entry « Data - Where is it? Says:

    [...] on April 28, 2009 by Rob When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that [...]

  7. Death of a Podplayer - Geekazine 2010 Says:

    [...] plus was that I can mount it in my Linux systems without having to change the file system from MFT (compatible with Windows Media Syncing) to MSC(UMS) (acts like a USB stick). MSC(UMS) is now the [...]
