$MFT- The Master File Table
What is it?
Used by NTFS (New Technology File System), the Master File Table is a
database which stores information about every file and directory on an NTFS
volume.
Useful for forensics?
Absolutely! As will be explained below, different attributes will
nearly always contain useful information for a digital forensic examiner.
Each attribute has its own header, which identifies its type and size.
Attributes can be resident or non-resident.
Resident attributes - stored within the MFT record itself.
Non-resident attributes - stored elsewhere on the volume; the MFT record only references their starting cluster(s).
Why may this information be useful?
Can be used to show that the computer did at some point have a
particular document.
Example:
A CEO is being questioned about having a document called salaries.docx on the
computer, but an initial investigation could not find it because he had deleted
it. However, it will still be referenced in the MFT, so it can be shown that the
CEO interacted with the document. Further to this, if the file is small enough, it
may even be recoverable from the MFT.
What does it contain?
Three useful attributes can be found within the Master File Table.
These are:
Standard Information Attribute (SIA)
File Name Attribute (FNA)
Data Attribute
Standard Information Attribute (SIA)
How to identify?
Hexadecimal sequence \x10\x00\x00\x00.
What information does it hold?
Date-time stamps relating to a particular file or folder.
Offset 22 will show either:
00 00 which means deleted (unallocated) file
01 00 which means allocated file
02 00 which means deleted directory
03 00 which means allocated directory
The next 32 bytes make up the file created, last
modified, entry modified and last accessed date-time stamps. All of which are in FILETIME format.
Filename Attribute- FNA
How to identify?
Hexadecimal sequence \x30\x00\x00\x00.
What information does it hold?
A reference to the file's parent folder, its physical and logical size, and
dates and times.
Beginning at offset 32, the next 32 bytes make up the file created, last modified, entry modified and last accessed date-time stamps.
HOWEVER: the FNA is not changed every time a user accesses or modifies a file. Instead, its dates and times are set when the referenced file is first created on the volume and are generally not updated through normal usage of the
system.
Why is this useful? Suspects can easily tamper with the SIA, but the FNA much
less so, which is useful when building a timeline and when establishing when
a file was created.
Example:
Imagine a case where an employee has been accused of installing a keylogger on the computer, but claims that it was there before they joined the company. On inspection, the SIA creation date of the keylogger is before their joining; however, it is also before the FNA creation date, showing that tampering has occurred.
Data Attribute
How to identify?
Hexadecimal sequence \x80\x00\x00\x00.
What information does it hold?
The actual data itself, or points towards where said data is held in the
form of the starting cluster(s).
How to know if the file is resident or not?
A resident file's first byte does not fall at the beginning of a sector,
and the file has no file slack.
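The following is an added example and is not code from the original page: a small Python parser for a single 1024-byte MFT FILE record that reads the allocation flags at offset 22, walks the attributes to find the SIA (0x10), FNA (0x30) and Data (0x80) attributes, decodes their FILETIME stamps, reports whether the data is resident (and therefore carvable straight from the MFT), and applies the SIA-before-FNA check from the keylogger example. The record it analyses is constructed inside build_sample_record(), so every value (entry number 42, the name salaries.docx, the dates) is made up; the function and field names are this example's own.

```python
"""Added example, not from the original page: parse one 1024-byte NTFS MFT
FILE record, pull out the SIA (0x10), FNA (0x30) and $DATA (0x80) attributes,
decode their FILETIME stamps and flag an SIA-before-FNA creation anomaly.
The record is constructed in build_sample_record(); all values are made up."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_SIA, ATTR_FNA, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
FLAG_NAMES = {0: "deleted file", 1: "allocated file",
              2: "deleted directory", 3: "allocated directory"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STAMPS = ("created", "modified", "entry_modified", "accessed")

def filetime_to_datetime(ft):
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH  # integer arithmetic: floats lose ticks at this scale
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(raw):
    """Undo update-sequence fixups: on disk the last two bytes of each sector hold
    the USN and the original bytes sit in the update sequence array (USA).
    Parsing without this step silently corrupts bytes 510-511 and 1022-1023."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_attributes(rec):
    """Yield (type, raw attribute) from the first-attribute offset to the end marker."""
    off = struct.unpack_from("<H", rec, 0x14)[0]
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        yield atype, rec[off:off + alen]
        off += alen

def resident_content(attr):
    """Content of a resident attribute, or None when the non-resident flag is set."""
    if attr[8]:
        return None
    size, coff = struct.unpack_from("<IH", attr, 0x10)
    return attr[coff:coff + size]

def parse_record(raw):
    rec = apply_fixups(raw)
    flags = struct.unpack_from("<H", rec, 22)[0]  # offset 22: allocation flags
    out = {"flags": FLAG_NAMES.get(flags, "unknown"), "sia": None, "fna": None,
           "data_resident": None, "data": None}
    for atype, attr in iter_attributes(rec):
        body = resident_content(attr)
        if atype == ATTR_SIA:    # four FILETIMEs at the start of the content
            out["sia"] = dict(zip(STAMPS, map(filetime_to_datetime,
                                              struct.unpack_from("<4Q", body, 0))))
        elif atype == ATTR_FNA:  # parent reference, then the four FILETIMEs
            out["fna"] = dict(zip(STAMPS, map(filetime_to_datetime,
                                              struct.unpack_from("<4Q", body, 8))))
            out["fna"]["parent_entry"] = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
            out["fna"]["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA:  # resident content is carvable straight from the MFT
            out["data_resident"], out["data"] = body is not None, body
    return out

def timestamp_anomalies(parsed):
    """The check from the keylogger example: an SIA creation time earlier than the
    FNA creation time does not arise through normal use, so the SIA was tampered with."""
    sia, fna = parsed["sia"], parsed["fna"]
    if sia and fna and sia["created"] < fna["created"]:
        return ["SIA created precedes FNA created"]
    return []

def _resident_attr(atype, content):
    """Resident attribute: 24-byte header, content, padded to an 8-byte boundary."""
    total = (24 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    return hdr + content + b"\0" * (total - 24 - len(content))

def build_sample_record(sia_created, fna_created, name="salaries.docx", payload=b"constructed"):
    """Constructed FILE record (entry 42, parent = root directory, entry 5)."""
    ft, now = datetime_to_filetime, datetime_to_filetime(datetime(2019, 3, 1, tzinfo=timezone.utc))
    sia = struct.pack("<4QI", ft(sia_created), now, now, now, 0x20) + b"\0" * 12
    fna = struct.pack("<Q4QQQIIBB", 5, ft(fna_created), now, now, now, len(payload),
                      len(payload), 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = (_resident_attr(ATTR_SIA, sia) + _resident_attr(ATTR_FNA, fna)
             + _resident_attr(ATTR_DATA, payload) + struct.pack("<I", ATTR_END) + b"\0" * 4)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 0x0001,
                      0x38 + len(attrs), RECORD_SIZE, 0, 4, 0, 42)
    usn = b"\x07\x00"
    rec = bytearray(hdr + usn + b"\0" * 6 + attrs)  # USA at 0x30, attributes at 0x38
    rec += b"\0" * (RECORD_SIZE - len(rec))
    for i in (1, 2):  # write fixups the way the driver does before the record hits disk
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end - 2:end] = rec[end - 2:end], usn
    return bytes(rec)

def demo():
    """Tampered record (SIA created before FNA created) beside a clean one."""
    early = datetime(2017, 1, 1, tzinfo=timezone.utc)
    later = datetime(2018, 6, 1, tzinfo=timezone.utc)
    return parse_record(build_sample_record(early, later)), parse_record(build_sample_record(later, later))

if __name__ == "__main__":
    for label, parsed in zip(("tampered", "clean"), demo()):
        print(label, parsed["flags"], parsed["fna"]["name"], parsed["data_resident"],
              parsed["sia"]["created"], parsed["fna"]["created"], timestamp_anomalies(parsed))
```

Running the script prints both records; only the first reports an anomaly. To use the parser on real evidence, replace build_sample_record() with a 1024-byte slice read from an exported $MFT at entry_number * 1024, keep apply_fixups() in the path (a mismatch there means the slice is torn or the record size is not 1024), and treat the SIA-before-FNA rule as a lead to corroborate with other artefacts rather than proof on its own.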
[Image: diagram from the Handbook of Digital Forensics illustrating the attributes described above. Taken from Casey, E. (2009). Handbook of Digital Forensics and Investigation. Academic Press.]