Master File Table Basics

This is the final blog post in our Windows Essential Forensic blog series!

Arguably the most essential file in the NTFS file system is the Master File Table.  This database contains a comprehensive listing of all files and folders on the NTFS volume. For examiners, knowledge of how the Master File Table (MFT) works is essential to properly understand how their forensic tools display and recover data.

Master File Table Facts

The MFT tracks all the information about a file including its size, file name, date and time stamps, any permissions, and in some cases the data of the file.

When files are added to the file system the MFT grows in size, however as files are deleted from the system their entries within the MFT are marked as available for reuse; but the size of the MFT does not shrink.

The MFT resides at the root of the Windows volume.

Master File Table Structure

Each file on the volume has an entry contained within the MFT.  Each MFT entry is made up of a header and several attributes. Here is the complete list of all the attributes found in MFT entries as described by Microsoft’s MSDN site.

List of attributes from Microsoft MSDN site Figure 1: List of attributes from Microsoft MSDN site

Using BlackLight we are going to look at the MFT Record for an Excel Spreadsheet.  To view the MFT record for a file in BlackLight select the file, select the Record tab, then change the drop down under the Data Interpreter window to Data Structure.  From here you will be able to see BlackLight’s MFT templating feature.

BlackLight’s MFT template view

Figure 2:  BlackLight’s MFT template view, note drop down choosing Data Structure

MFT Header Attribute

It should be known that not all MFT entities contain all the attributes.  In fact some attributes are rarely found. The MFT Record Header contains several pieces of important information.

Records contained in the MFT Record Header

Figure 3: Showing some records contained in the MFT Record Header

View of MFT Record Header in BlackLight

Figure 4: View of MFT Record Header in BlackLight

The Standard Information Attribute

As seen in Figure 1 from above, this attribute is numbered with the MFT record 10 00 00 00.  It contains the dates and time attributes for the file along with DOS attributes that describe the file.

Standard Information Attribute shown in BlackLight

Figure 5: Standard Information Attribute shown in BlackLight

DOS Permissions describe the type of file.

DOS Permissions describing the file

Figure 6: DOS Permissions describing the file

The above listed DOS Permissions can be combined, and example of this would be 22 40 00 00 representing a file that is archived, hidden and encrypted.

The FileName Attribute

This attribute is identified as 30 00 00 00, and contains the name of the file, the date and time the file was named, and the physical and allocated size of the file.

FileName Attribute shown in BlackLight

Figure 7: FileName Attribute shown in BlackLight

Data Attribute

This MFT attribute contains information about where the data for the actual file exists on the volume.  As you may know, sometimes if the data is small enough the entire data of the file can be stored within the Master File Table.  However, in most cases the file’s data is too large to fit within the MFT.

Figure 8: Data Attribute shown in BlackLight

The non-resident flag indicates that the file’s data is not contained within the MFT, small files of less than 512 bytes can store data within the MFT.  Toward the end of the data attribute we find the total number of clusters that the data for this file occupies, and the starting cluster for the data.

This is just an introduction into the MFT.  These basic concepts are something every forensic examiner should know. Learn more on forensics by taking our Essential Forensic Techniques.

Leave a Reply

Sorry, you must be logged in to post a comment.