A Journey into NTFS: Part 6

For today’s post, I’m finally going to get to the head honcho of NTFS files: the MFT. This is without a doubt the most important NTFS metadata file, as it is the “pointer of pointers”. Short for “Master File Table”, the MFT, or $MFT file, contains an entry for every file and directory on a file system.

In the interest of brevity, I’m going to refer to this file as either $MFT or MFT going forward.

$MFT

istat output for MFT entry 0, the $MFT itself

Let’s start from the top:

  • As with every other file, this file has a $LogFile sequence number.
  • This file has $STANDARD_INFORMATION and $FILE_NAME attributes, both of which display timestamps we are already familiar with.
  • The MFT has Hidden and System flags, which again line up with other NTFS files we’ve analyzed before.
  • The MFT itself has four attributes; unfortunately the fourth gets buried at the “end” of our istat output, but here’s a screenshot:
Snippet of istat output showing $BITMAP attribute for MFT entry 0, the $MFT itself
  • As seen above, the MFT also has a $BITMAP attribute, which tracks MFT allocations: one bit per entry, marking whether it belongs to an active file or is free for reuse (deleted). Because the file is so large, the $BITMAP attribute is itself large and also non-resident.
  • Lastly, we can see that the $DATA attribute is also sizeable, which speaks to the size of the disk.

MFT Size

MFT Entries

Let’s break this down:

  • Bytes 0–3 (46 49 4c 45) contain the MFT entry signature, FILE. This will be marked as BAAD if an error was found in the entry.
  • Bytes 4–5 (30 00) provide the offset to the fixup array, which is 48 bytes in the entry.
  • Bytes 6–7 (03 00) provide the number of entries in the fixup array; 3 in this case.
  • Bytes 8–15 (c6 55 43 d7 01 00 00 00) provide the $LogFile sequence number (this converts to 7906481606).
  • Bytes 16–17 (01 00) provide the MFT sequence value; 01 in this case.
  • Bytes 18–19 (01 00) provide the link count; a value of 01 means this file has only one name.
  • Bytes 20–21 (38 00) provide the offset to the first attribute; 56 bytes.
  • Bytes 22–23 (01 00) provide the flags (is the file in-use and/or is this a directory?); a value of 01 means the entry is in use, and since the directory bit (02) is clear, this is a file.
  • Bytes 24–27 (A8 01 00 00) provide the used size of the MFT entry, whereas
  • Bytes 28–31 (00 04 00 00) provide the allocated size of the MFT entry. The allocated size is 16,384 bytes.
  • Bytes 32–39 (00 00 00 00 00 00 00 00) determine whether this entry is a base entry or not; a value of zero means it is.
  • Bytes 40–41 (06 00) provide the next attribute ID to be assigned; 06 means that there are already five attributes.
  • Bytes 42+ contain attributes and fixup values.

Attributes within the MFT

Let’s break this down:

  • Bytes 0–3 (10 00 00 00) provide the attribute type ID; 16, in this case, represents $STANDARD_INFORMATION.
  • Bytes 4–7 (60 00 00 00) provide the length of the attribute; 96 bytes.
  • Byte 8 (00) determines whether the attribute is resident (00) or non-resident (01).
  • Byte 9 (00) provides the length of the attribute’s name; this value means there is no name.
  • Bytes 10–11 (18 00) provide the offset to the attribute’s name; byte 24.
  • Bytes 12–13 (00 00) provide attribute flags; in this case, there are none.
  • Bytes 14–15 (00 00) provide the attribute ID, which is unique within a single MFT entry.

If the attribute is resident, we then have the following values:

  • Bytes 16–19 provide the size of the content.
  • Bytes 20–21 provide the offset to the content, relative to the start of the attribute.
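To make the two layouts above concrete, here is an added Python example (not from the original post) that rebuilds a record from the entry-header and attribute-header bytes listed above, verifies the fixup array the way the file system does, and walks the attribute headers. The fixup array contents, the resident content size (72 bytes), the end marker and all padding are assumed values, as is the 1024-byte record buffer.

```python
import struct

# Constructed 1024-byte MFT record. Bytes 0-41 and the 16-byte attribute header at
# offset 56 are the values listed in the post; the fixup array contents, the resident
# content size (72 bytes at offset 24), the end marker and all padding are assumed.
USN = b"\x07\x00"
_hdr = bytes.fromhex("46494c45" "3000" "0300" "c65543d701000000" "0100" "0100" "3800"
                     "0100" "a8010000" "00040000" "0000000000000000" "0600")
_attr = bytes.fromhex("10000000" "60000000" "00" "00" "1800" "0000" "0000" "48000000" "1800")
_rec = bytearray(1024)
_rec[0:42] = _hdr
_rec[48:54] = USN + b"\x11\x11" + b"\x22\x22"   # USN, then the true last 2 bytes of each sector
_rec[56:56 + len(_attr)] = _attr
_rec[152:156] = b"\xff\xff\xff\xff"              # 0xFFFFFFFF terminates the attribute list
_rec[510:512] = _rec[1022:1024] = USN            # on disk every sector ends with the USN
RECORD = bytes(_rec)


def apply_fixups(record, sector_size=512):
    """Check the update sequence number at each sector end and restore the saved bytes."""
    fixup_off, count = struct.unpack_from("<HH", record, 4)
    usn = record[fixup_off:fixup_off + 2]
    buf = bytearray(record)
    for i in range(1, count):                    # entry 0 is the USN itself
        end = i * sector_size
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt write")
        buf[end - 2:end] = record[fixup_off + 2 * i:fixup_off + 2 * i + 2]
    return bytes(buf)

def parse_record(raw):
    """Decode the entry header (bytes 0-41), then walk the attribute headers that follow."""
    if raw[:4] != b"FILE":                       # BAAD means NTFS flagged the entry as corrupt
        raise ValueError(f"unexpected signature {raw[:4]!r}")
    rec = apply_fixups(raw)
    names = ["fixup_off", "fixup_count", "lsn", "seq", "link_count", "first_attr_off",
             "flags", "used_size", "alloc_size", "base_ref", "next_attr_id"]
    entry = dict(zip(names, struct.unpack_from("<HHQHHHHIIQH", rec, 4)))
    entry["in_use"], entry["is_dir"] = bool(entry["flags"] & 1), bool(entry["flags"] & 2)
    entry["attributes"], off = [], entry["first_attr_off"]
    while off + 16 <= len(rec) and struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:
        t, length, non_res, name_len, name_off, aflags, aid = struct.unpack_from("<IIBBHHH", rec, off)
        attr = {"type": t, "length": length, "non_resident": bool(non_res), "flags": aflags, "id": aid,
                "name": rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")}
        if not non_res:                          # resident: content size/offset live at bytes 16-21
            size, coff = struct.unpack_from("<IH", rec, off + 16)
            attr["content"] = rec[off + coff:off + coff + size]
        entry["attributes"].append(attr)
        off += length or len(rec)                # a zero length (garbage) ends the walk
    return entry
```

On a real image, pass any 1024-byte record carved from the $MFT's $DATA attribute; the mismatch that apply_fixups raises on is exactly the multi-sector write failure the fixup array exists to detect.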

MFT Base Entries

Resident vs Non-Resident

Until tomorrow, Happy Forensicating!

Be selective with your battles.