
What is the Master File Table “MFT” (by Casey Mullis)

The internet is a great tool, but before the internet there was the public library. The older generation had to go to the public library to do reports and research; we were not afforded the ease of the internet. Which brings me to the point: how in the world did we find what we needed with all those books all over the place? We had the “Dewey Decimal System”! With it we were able to find a book anywhere in the largest of libraries.

[Image: Dewey Decimal System]

Now that we have digital books and files all over the place, how does one machine keep up with it all? Each device you carry with you, whether it be a cell phone, laptop, tablet, or iDevice, has to have a way of knowing where you put what on its internal storage media, much like the “Dewey Decimal System”. What about files you stored in the cloud? How does your device know to fetch that file from there?

This is where the MFT file comes into play. The Master File Table is where this information is kept. In most cases, data recovery programs parse this file up front. Why? Because this is where you will find the file locations as well as the date and time stamps. Some of your deleted files can be found listed in here as well.

You first have to collect the MFT (Master File Table), which we do with Win-Fo. You can then parse the MFT, which will in turn give you back the information as if you had the hard drive or an image of said hard drive.

[Screenshot: parsed MFT summary]

After you parse the MFT you can find information like that in the image above: the number of files, number of deleted files, number of directories, and number of deleted directories. You can see from the Total Run Time in Seconds that it does not take long to parse through an MFT. The great thing about this is that you can also see the orphaned files.

The parsed MFT can give you files such as email files, like below:

[Screenshot: email files listed in the parsed MFT]

You can search the parsed data for many types of files or keywords, like “WiinBuilder”:

As you can see, there are many aspects of the MFT that give you information about a system and what is located on it, all without having the hard drive or an image of it in front of you. If you know what you are looking for and do not have time to image or sit in front of said machine, then grab the MFT and process it later. Let’s assume you want to know if there are any files on this hard drive with a name such as “cmullis”. Side note: this would be great for the Lois Lerner emails; there is not tons of data to sift through as they originally said.

All things are possible in today’s world if one chooses to take the effort to find the answer or solution to their problem. You want to dig through as if you had the hard drive in front of you? It is all possible with the MFT. The MFT is not the “fix all”, but it will give you a head start without spending countless hours and dollars sifting through all the data.

Assume a client has 10 computers and they know one machine was used to share a file that was not meant to be shared. The client is on a tight budget and wants to know if the file is on another one of the machines. They do not have time to shut down a worker but need to know. Can you get to the data without tying up their employee’s machine? Yes, you can with Win-Fo.com.

How about looking through the MFT based on dates and times? Yes, that is possible too through the MFT file.

What if you need to find a specific file type on many machines but your budget does not allow for imaging all the hard drives to search or sift through? No worries, the MFT can be searched for file types as well.

[Screenshot: searching the parsed MFT by file type]

“Master File Table

In NTFS, all file, directory and metafile data—file name, creation date, access permissions (by the use of access control lists), and size—are stored as metadata in the Master File Table (MFT). This abstract approach allowed easy addition of file system features during Windows NT's development—an interesting example is the addition of fields for indexing used by the Active Directory software. This also enables software like Everything or Ultrasearch to perform instantaneous real-time searches for file and folder names, without relying on an indexing service.

The MFT structure supports algorithms which minimize disk fragmentation. A directory entry consists of a filename and a "file ID", which is the record number representing the file in the Master File Table. The file ID also contains a reuse count to detect stale references. While this strongly resembles the W_FID of Files-11, other NTFS structures radically differ.”

http://en.wikipedia.org/wiki/NTFS#Internals

Segment Number | File Name | Purpose
--- | --- | ---
0 | $MFT | Describes all files on the volume, including file names, timestamps, stream names, and lists of cluster numbers where data streams reside, indexes, security identifiers, and file attributes like "read only", "compressed", "encrypted", etc.
1 | $MFTMirr | Duplicate of the first vital entries of $MFT, usually 4 entries (4 Kilobytes).
2 | $LogFile | Contains transaction log of file system metadata changes.
3 | $Volume | Contains information about the volume, namely the volume object identifier, volume label, file system version, and volume flags (mounted, chkdsk requested, requested $LogFile resize, mounted on NT 4, volume serial number updating, structure upgrade request). This data is not stored in a data stream, but in special MFT attributes: if present, a volume object ID is stored in an $OBJECT_ID record; the volume label is stored in a $VOLUME_NAME record, and the remaining volume data is in a $VOLUME_INFORMATION record. Note: the volume serial number is stored in file $Boot (below).
4 | $AttrDef | A table of MFT attributes that associates numeric identifiers with names.
5 | . | Root directory. Directory data is stored in $INDEX_ROOT and $INDEX_ALLOCATION attributes both named $I30.
6 | $Bitmap | An array of bit entries: each bit indicates whether its corresponding cluster is used (allocated) or free (available for allocation).
7 | $Boot | Volume boot record. This file is always located at the first clusters on the volume. It contains bootstrap code (see NTLDR/BOOTMGR) and a BIOS parameter block including a volume serial number and cluster numbers of $MFT and $MFTMirr. $Boot is usually 8192 bytes long.
8 | $BadClus | A file that contains all the clusters marked as having bad sectors. This file simplifies cluster management by the chkdsk utility, both as a place to put newly discovered bad sectors, and for identifying unreferenced clusters. This file contains two data streams, even on volumes with no bad sectors: an unnamed stream contains bad sectors (it is zero length for perfect volumes); the second stream is named $Bad and contains all clusters on the volume not in the first stream.
9 | $Secure | Access control list database that reduces the overhead of having many identical ACLs stored with each file, by storing these ACLs uniquely in this database only (contains two indices: $SII (Standard_Information ID) and $SDH (Security Descriptor Hash), which index the stream named $SDS containing the actual ACL table).
10 | $UpCase | A table of Unicode uppercase characters for ensuring case insensitivity in Win32 and DOS namespaces.
11 | $Extend | A filesystem directory containing various optional extensions, such as $Quota, $ObjId, $Reparse or $UsnJrnl.
12–23 | | Reserved for $MFT extension entries. Extension entries are additional MFT records that contain additional attributes that do not fit in the primary record. This could occur if the file is sufficiently fragmented, has many streams, long filenames, complex security, or other rare situations.
24 | $Extend\$Quota | Holds disk quota information. Contains two index roots, named $O and $Q.
25 | $Extend\$ObjId | Holds link tracking information. Contains an index root and allocation named $O.
26 | $Extend\$Reparse | Holds reparse point data (such as symbolic links). Contains an index root and allocation named $R.
27 onwards | | Beginning of regular file entries.

http://en.wikipedia.org/wiki/NTFS#Internals
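As an added example, not code from the original article or from Win-Fo, the Python below decodes one constructed 1 KiB FILE record the way any MFT parser must before trusting a word of it: it undoes the per-sector fixups, reads the header fields, lists the attribute types present, and checks a directory entry's file reference against the record's sequence (reuse) count that the quoted text above describes. The record contents, the USN value and the attribute lengths are constructed sample values; the field offsets follow the on-disk NTFS FILE record layout, and record 27 is used because that is where regular file entries begin in the table above.

```python
import struct

SECTOR = 512
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA", 0x90: "$INDEX_ROOT"}

def apply_fixups(rec):
    # Restore the last 2 bytes of each sector that NTFS replaced with the update sequence number (USN).
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):  # entry 0 of the update sequence array is the USN itself
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn write or not a record")
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec):
    # Decode the FILE record header (offsets per the on-disk NTFS layout) and list its attribute types.
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    record_no = struct.unpack_from("<I", rec, 0x2C)[0]
    attrs, off = [], attr_off
    while off + 8 <= len(rec):  # each attribute header starts with (type, length); 0xFFFFFFFF ends the list
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        attrs.append(ATTR_NAMES.get(atype, hex(atype)))
        off += alen
    return {"record_no": record_no, "sequence": seq, "links": links,
            "in_use": bool(flags & 1), "is_directory": bool(flags & 2), "attributes": attrs}

def reference_is_current(ref, record):
    # File reference = 48-bit record number + 16-bit sequence (reuse) count; a mismatch means a stale entry.
    return (ref & 0xFFFFFFFFFFFF, ref >> 48) == (record["record_no"], record["sequence"])

def build_sample_record():
    # Constructed 1 KiB record: in-use file, MFT record 27, sequence 3, with $STANDARD_INFORMATION and $FILE_NAME headers.
    buf, usa_off, usa_count, usn, attr_off = bytearray(1024), 0x30, 3, b"\x07\x00", 0x38
    attrs = (struct.pack("<II", 0x10, 0x60) + bytes(0x58) + struct.pack("<II", 0x30, 0x68)
             + bytes(0x60) + b"\xff" * 4)
    used = attr_off + len(attrs)
    struct.pack_into("<4sHHQHHHHIIQHHI", buf, 0, b"FILE", usa_off, usa_count, 0, 3, 1, attr_off, 1,
                     used, 1024, 0, 3, 0, 27)
    buf[attr_off:used], buf[usa_off:usa_off + 2] = attrs, usn
    for i in range(1, usa_count):  # save each sector's last word into the array, then stamp the USN
        end = i * SECTOR
        buf[usa_off + 2 * i:usa_off + 2 * i + 2], buf[end - 2:end] = buf[end - 2:end], usn
    return bytes(buf)
```

Real $MFT dumps are a sequence of such 1 KiB records; feeding each slice to parse_record and skipping the ones that raise is how the "number of deleted" and "orphaned" counts in the screenshots above are derived (the in_use flag cleared, or a base record whose sequence no longer matches any directory entry).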

We cannot end this article without telling you about Mark McKinnon over at Red Wolf Computer Forensics and the great tools and programs they offer to the world for use. Win-Fo hopes to partner with them to bring a Pro version of Win-Fo to the world in the near future. Until then you can use Win-Fo and the programs found there to find just about anything you need in minutes. Win-Fo collects all data in under ten minutes; on an i7 system it takes less than 3 minutes. Thanks, Mark, for all your hard work and sharing.

Let me sum it up for you. One does not need your hard drive to know what is on it; all they need is the MFT and files alike. My MFT is no bigger than 245 MB, so collecting it can take seconds if that is all I want to grab. Once a user has this, it is like having a map to your home or office: they can pinpoint files on your system. There is no way around this in the computer world. There has to be a way to keep up with where everything is located, and it just so happens that in the Windows environment we use the MFT (Master File Table).

Casey

Author - Emory Mullis has been in Law Enforcement for roughly 19 years including military and civilian law enforcement. He started learning about computers back when the Gateway 266 MHz was the top of the line and cost about $2000.00. Right out of the box, I was compelled to take my newfound 266 apart. Why, I have no idea, other than pure curiosity. Once I had the computer out of the box and on the floor in pieces, my wife walked in. Trust me, people; this was not a good thing! Either way, I got a good understanding at this point of how a computer is put together and/or the components inside. This was my starting point with computers, and I still hear my wife in the background: “It better work when you put it back together!” That was my humble beginning as a Cyber Investigator. Now with many cyber cases under my belt, I have learned that you must question, challenge and test almost daily to keep up with all the new tools, software, computers and cell phone formats to be able to forensically acquire evidence, and it is a real challenge. I enjoy the challenge and look forward to learning more every day!
