A Journey into NTFS: Part 7

Matt B
3 min read · Feb 1, 2017

For today’s post, I’m going to focus on the file $MFTMirr. This is going to be a relatively short post as this file is not the most complex of NTFS artifacts, but may be extremely useful to file system recovery or DFIR analysts.

$MFTMirr

Continuing down our quest of extrapolating NTFS file purposes from abbreviated file names, it’s fairly straightforward to guess that this is a mirror of the MFT (which we discussed yesterday). However, it’s not a complete copy. Instead, this smaller file is used for recovery purposes.

The file $MFTMirr contains at least the first four entries of the MFT, so that they can be recovered if something happens to the volume. It is also statically located at MFT entry 1. Here’s a snippet of istat output for $MFTMirr.

[Screenshot: istat output for MFT entry 1, $MFTMirr]

This file is not very flashy: it contains $STANDARD_INFORMATION, $FILE_NAME, and $DATA attributes. The $DATA attribute is 4,096 bytes, which is exactly 4 KB, or four 1,024-byte MFT entries. A few notes on this entry:

  • As always, we have the file’s timestamps that point to the creation of the file system.
  • The SID S-1-5-18 represents Local System.
  • Since the $DATA attribute is exactly one cluster in size (4 KB on this volume), it occupies only a single cluster. In this particular example, $MFTMirr can be found at cluster 2.

$MFTMirr Contents

As previously mentioned, the $DATA attribute of this file contains the first four MFT entries. By now, readers should be familiar with three of these:

  1. $MFT
  2. $MFTMirr
  3. $LogFile (I’ll cover this in a later post)
  4. $Volume

Here’s a screenshot of the first 1,024 bytes and a quick command to verify the MFT records present in $MFTMirr:

:/mnt/ewf# icat ewf1 1-128 | xxd -c 32
[Screenshot: first 1,024 bytes of the $DATA attribute of $MFTMirr, which is the MFT record for $MFT]
:/mnt/ewf# icat ewf1 1 | strings -el
$MFT
$MFTMirr
$LogFile
$Volume@

We can also hash the first four records in both files to verify that they are identical:

:/mnt/ewf# icat ewf 0 | dd bs=4096 count=1 | md5sum
94cc1ddb0feb9073210df1b7abaa3d43
<snipped>
:/mnt/ewf# icat ewf 1-128 | md5sum
94cc1ddb0feb9073210df1b7abaa3d43
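The same comparison done directly against the on-disk layout, as an added Python example that is not from the original post: it reads the $MFT and $MFTMirr cluster numbers and the record size from the NTFS boot sector, pulls the first four records from each location, and reports per-record signature validity and agreement alongside the two md5 values. The image it operates on is a constructed toy (boot-sector fields plus "FILE"-tagged dummy records), not a real NTFS volume; the field offsets used are the standard NTFS boot sector layout.

```python
import hashlib
import struct

RECORDS_MIRRORED = 4  # $MFTMirr holds at least the first four MFT entries


def parse_boot_sector(img):
    """Return (cluster_size, record_size, mft_lcn, mftmirr_lcn) from the boot sector."""
    bytes_per_sector = struct.unpack_from("<H", img, 0x0B)[0]
    sectors_per_cluster = img[0x0D]
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", img, 0x30)
    clusters_per_record = struct.unpack_from("<b", img, 0x40)[0]
    cluster = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2^|n| bytes (e.g. -10 -> 1024).
    record = 2 ** (-clusters_per_record) if clusters_per_record < 0 else clusters_per_record * cluster
    return cluster, record, mft_lcn, mirr_lcn


def read_records(img, lcn, cluster, record, count):
    start = lcn * cluster
    return [img[start + i * record:start + (i + 1) * record] for i in range(count)]


def compare_mirror(img):
    """Per-record check of $MFT vs $MFTMirr, plus the md5 of each 4-record head (as with dd | md5sum)."""
    cluster, record, mft_lcn, mirr_lcn = parse_boot_sector(img)
    mft = read_records(img, mft_lcn, cluster, record, RECORDS_MIRRORED)
    mirr = read_records(img, mirr_lcn, cluster, record, RECORDS_MIRRORED)
    results = [{"entry": i, "valid": a[:4] == b"FILE", "match": a == b}
               for i, (a, b) in enumerate(zip(mft, mirr))]
    return results, hashlib.md5(b"".join(mft)).hexdigest(), hashlib.md5(b"".join(mirr)).hexdigest()


def build_sample_image():
    """Constructed toy image: 4096-byte clusters, $MFT at LCN 4, $MFTMirr at LCN 2 (as on this page)."""
    cluster, record = 4096, 1024
    img = bytearray(cluster * 8)
    struct.pack_into("<H", img, 0x0B, 512)      # bytes per sector
    img[0x0D] = 8                               # sectors per cluster
    struct.pack_into("<QQ", img, 0x30, 4, 2)    # $MFT LCN, $MFTMirr LCN
    struct.pack_into("<b", img, 0x40, -10)      # 2**10 = 1024-byte records
    names = [b"$MFT", b"$MFTMirr", b"$LogFile", b"$Volume", b"$AttrDef"]
    for i, name in enumerate(names):            # entry 4 exists in $MFT but is not mirrored
        rec = (b"FILE" + name).ljust(record, b"\x00")
        img[4 * cluster + i * record:4 * cluster + (i + 1) * record] = rec
    img[2 * cluster:3 * cluster] = img[4 * cluster:4 * cluster + RECORDS_MIRRORED * record]
    return bytes(img)
```

A record whose mirror copy disagrees with the live $MFT is the signal a recovery tool or an analyst cares about: it points at exactly which of the four critical entries was altered or damaged.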

The purpose of the file $MFTMirr is recovery. In the event that the $MFT cannot be read or the file system cannot be mounted, recovery tools use this file to determine where the crucial parts of the file system reside, or previously resided. The reasons for preserving only the first four entries are:

  • $MFT would provide the layout of the disk,
  • $MFTMirr would provide a self-reference,
  • $LogFile would provide transactional operating system information, and
  • $Volume would obviously contain volume information.

Until tomorrow, Happy Forensicating!
