Forensics: What is the MFT Mirror?

June 5, 2009 — 585

What is the MFT Mirror?

The MFT Mirror, seen as $MFTMirror in computer forensics tools, is a partial backup of the MFT. It is not, as is sometimes reported a complete backup of the MFT.

The MFT Mirror contains a backup of the first 4 NTFS system files:

$MFT
$MFT Mirror
$Log
$Volume

The MFT Mirro is designed to allow for as error handling, and can allow for recovery of deleted/wiped partitions.

If the MFT is partially wiped, i.e the first few entries (which somes viruses have done in the past) then the MFT Mirror can be used to rebuild the MFT. EnCase, which is a forensic tool, rather than a data recovery tool, even has a function to allow for the rebuilding of a partition, using the MFT Mirror (as do other data recovery tools).

The MFT Mirror can be viewed, like the MFT in EnCase, using the correct text styles.

It should be noted, and this is where there is often confusion, the MFT Entry for the MFT Mirror is, as are all files, in the MFT. But the MFT Mirror itself, the actual file, like all other normal files, is out on the hard drive space and not in the MFT.

Posted in 0 - Forensics, File Systems. Tags: 0 - Forensics, computer forensics, Data Recovery, EnCase, MFT, MFT Mirror, NTFS. 3 Comments »

Forensics: What is $Boot? « Data – Where is it? Says:
June 6, 2009 at 9:48 am

[…] of the MFT mirror for the […]

shareingboothlunar Says:
October 26, 2011 at 4:28 am

if i have backup of $MFT Mirrorand how i can restor it ?

585 Says:
November 11, 2011 at 2:36 pm
Not really the MFT mirror is just the first few entries of the MFT. It may be useful in reparing the MFT itself

Where is Your Data?

Articles Categories