MFT – The Master File Table. This is the first, and the key, file in an NTFS file system. For a very basic understanding of the MFT please read this post.
All files are referenced through the MFT, including itself.
Within the MFT, the MFT itself occupies position “0” and has the name $MFT. It sits just above $MFTMirr, at position “1”. The MFT Mirror is a copy of the first 16 entries of the MFT, kept so the file system can recover from errors or corruption.
Each MFT entry is, as standard, 1024 bytes (2 sectors) long and contains information about the file it references:
- The file name
- Directory the file belongs to
- Dates: Created, Modified, Accessed, and Entry Modified (the last time the MFT entry for that file was changed)
- File Size
- File permissions
- Physical location of the file. This gives the location, or locations, of the file within the NTFS file system on the hard drive. Remember that a file in NTFS does not need to be contiguous; it can be split into several pieces scattered around the disk. All of those pieces are referenced within the MFT entry, in a section called “Index” or “Data”.
If a file is very small, just a few bytes (e.g. a cookie), there is no need for the MFT entry to hold an index directing the computer to the location of the cookie (the directions could be longer than the file itself); instead the small file fits inside the MFT entry, where the index or directions would normally be. This type of data is called “resident” data; entries whose data is stored elsewhere in the NTFS volume are called “non-resident”.
Resident data can be very interesting, because it allows for “slack” within an MFT entry. Here is how.
A small text file is created on a Windows XP computer with an NTFS file system. This means an MFT entry is written with resident data, and because of the file's size it takes up, in this case, the whole of the 1024 bytes.
A few weeks later the text file is deleted and a new file is created. In this case the MFT entry is overwritten, deleting all information about the original file (date, location, size, etc.). Other artifacts (link files, registry entries, etc.) may tell you about the file, but the MFT entry itself has been overwritten. However, the new file is a non-resident, contiguous file. This means its entry is relatively short and does not take up much space; the MFT entry is now only 600 bytes long, leaving 424 bytes of the “old” entry behind. This is slack, or more specifically MFT slack. As the remaining area is at the end of the MFT entry, it holds the data of the original text file. That data could persist for a very long time, as nothing will write into that location until the new file is deleted or grows very large.
In the example given, an investigator could only find that information with a keyword search, and if he did find it he would not be able to say what the document was called or when it was created or deleted (unless there was other supporting information). However, if you're lucky, it may be the perfect evidence.
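As an added example (not code from the original post), here is a Python script that reads the used and allocated sizes from a FILE record header and returns the slack region behind the live entry. The two sample records it builds are constructed to replay the 1024/600/424-byte scenario above; the new entry's attributes are stood in for by zero bytes, and the header fields other than the signature and sizes are filled with plausible placeholder values.

```python
import re
import struct

RECORD_SIZE = 1024  # standard MFT entry size, as the post states

def mft_slack(record: bytes) -> bytes:
    """Return the bytes of an MFT entry that lie past its 'used size'.

    A FILE record header stores the bytes the current entry actually uses at
    offset 0x18 and the entry's allocated size at offset 0x1C; whatever sits
    between the two is MFT slack left over from an earlier occupant.
    """
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (signature mismatch)")
    used, allocated = struct.unpack_from("<II", record, 0x18)
    if not 0 < used <= allocated <= len(record):
        raise ValueError(f"implausible sizes: used={used} allocated={allocated}")
    return record[used:allocated]

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs in the slack, i.e. what a keyword search would hit."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed sample: content of a resident text file that once filled the entry.
OLD_TEXT = b"draft memo: move the archive to the external drive on friday. "

def _header(used: int) -> bytes:
    """Constructed 48-byte FILE record header (only the fields used here are set)."""
    hdr = bytearray(48)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x04, 0x30, 3)            # update sequence offset/count
    struct.pack_into("<H", hdr, 0x14, 0x38)                # offset to first attribute
    struct.pack_into("<H", hdr, 0x16, 0x0001)              # flags: entry in use
    struct.pack_into("<II", hdr, 0x18, used, RECORD_SIZE)  # used size / allocated size
    return bytes(hdr)

def build_demo_records() -> tuple:
    """Replay the post's scenario: a resident text file fills all 1024 bytes, then
    the entry is reused by a 600-byte non-resident entry (attributes zeroed here)."""
    old = bytearray(_header(RECORD_SIZE))
    old += (OLD_TEXT * (RECORD_SIZE // len(OLD_TEXT) + 1))[: RECORD_SIZE - len(old)]
    new = _header(600) + b"\x00" * (600 - 48) + bytes(old[600:])
    return bytes(old), new

if __name__ == "__main__":
    old, new = build_demo_records()
    slack = mft_slack(new)
    print(f"old entry slack: {len(mft_slack(old))} bytes, new entry slack: {len(slack)} bytes")
    for s in ascii_strings(slack):
        print("recovered:", s)
```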
The dates for the MFT itself do not change, i.e. the creation, access and modification dates for $MFT are always the same: the date the volume was created/formatted.
A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis (Brian Carrier).