The MFT (Master File Table), as previously stated, is the primary file in the NTFS file system. This file points to the locations of the other files on the computer.
Within the MFT are “entries”. Each entry provides a variety of information about the file it points to, including:
File Name, File Size, dates about the file (Created, Modified, Written and Accessed) and the location of the data of the file. Typically an MFT entry is 1024 bytes in size, or two sectors, and starts with “FILE0” or “FILE*”, with the information following that.
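The entry layout described above can be checked with a short parser. This is an added example, not code from the original article. On disk the signature is the ASCII bytes FILE, and the fifth byte is the low byte of the update sequence offset, which is why it displays as “0” or “*”. The sample entry, the name test.txt and all values in it are constructed, and only the header and a resident $FILE_NAME attribute are read.

```python
import struct
from datetime import datetime, timedelta, timezone

ENTRY_SIZE = 1024  # typical entry size given above (two 512-byte sectors)

def filetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_entry(buf):
    """Parse the entry header and its resident $FILE_NAME attribute.
    Simplification: update-sequence fixups (last 2 bytes of each sector) are not applied."""
    if len(buf) < 0x38 or buf[:4] != b"FILE":
        raise ValueError("not a valid MFT entry")
    _sig, _usa_off, _usa_n, _lsn, _seq, _links, attr_off, flags, used, alloc = \
        struct.unpack_from("<4sHHQHHHHII", buf, 0)
    # Byte 4 is the low byte of the update sequence offset: 0x30 shows as "0", 0x2A as "*"
    info = {"magic": buf[:5].decode("latin-1"), "in_use": bool(flags & 1),
            "directory": bool(flags & 2), "used": used, "allocated": alloc}
    off = attr_off
    while off + 8 <= min(used, len(buf)):          # walk attributes, bounded by used size
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF or alen == 0:       # end marker or corrupt length
            break
        if atype == 0x30 and buf[off + 8] == 0:    # resident $FILE_NAME
            c = off + struct.unpack_from("<H", buf, off + 0x14)[0]
            created, _written, _entry_mod, accessed, _alloc, size = \
                struct.unpack_from("<6Q", buf, c + 8)
            nlen = buf[c + 0x40]                   # name length in UTF-16 characters
            info.update(name=buf[c + 0x42:c + 0x42 + 2 * nlen].decode("utf-16-le"),
                        size=size, created=filetime(created), accessed=filetime(accessed))
        off += alen
    return info

def build_sample():
    """Constructed sample entry for 'test.txt' (not data from a real volume)."""
    name = "test.txt".encode("utf-16-le")
    ft = 132223104000000000                        # constructed: 2020-01-01 00:00:00 UTC
    body = struct.pack("<Q6QIIBB", 5, ft, ft, ft, ft, 4096, 1234, 0x20, 0, 8, 1) + name
    alen = (0x18 + len(body) + 7) & ~7             # attribute length, 8-byte aligned
    attr = struct.pack("<IIBBHHHIHBB", 0x30, alen, 0, 0, 0x18, 0, 0, len(body), 0x18, 1, 0)
    attr = (attr + body).ljust(alen, b"\0") + struct.pack("<II", 0xFFFFFFFF, 0)
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0x38 + len(attr), ENTRY_SIZE)
    return (hdr.ljust(0x38, b"\0") + attr).ljust(ENTRY_SIZE, b"\0")

if __name__ == "__main__":
    for key, value in parse_entry(build_sample()).items():
        print(f"{key}: {value}")
```

On an entry carved from a real volume, apply the update sequence fixups before trusting any bytes at the end of each sector.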
The first 16 entries within the MFT are reserved, as they point to key NTFS artefacts; these include $BitMap and $Log. The first two entries of the MFT are $MFT and $Mirror. $MFT describes the MFT itself. This may seem odd, but it needs to be done. Everything within NTFS is a “file”, so the MFT, which contains all the information about files (e.g. Word documents and emails), is also a file. Therefore the MFT has an entry within itself that describes its size, location, etc.
The second entry within the MFT is the $Mirror. The MFT Mirror is a backup of the first 16 MFT entries, stored in case there is a problem with the primary MFT entries.
A more detailed article on the MFT entries will follow.
A good resource on the MFT, and NTFS in general, is the book File System Forensic Analysis.