FileSystemForensics

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFSMaster File Table

Layout

NTFSMaster File Table

Layout

Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Including other metafiles

Data

$BOOT

$MFT

$MFTMirr

NTFS

Par

titi

on

NTFS Metafiles

Data

$BOOT

$MFT

Record MetaFile Name Description0 $MFT Self Reference to Master File Table

1 $MFTMirr Backup of first four MFT FILE Records

2 $LogFile Helps to preserve file system consistency if system error

3 $Volume Volume Information (name, number, etc.)

4 $AttrDef Definitions of supported file attributes

5 . (dot) Root Directory of Volume

6 $Bitmap Bit representation of used/free clusters on volume

7 $Boot Boot sector of volume (not encrypted on BitLocker volume)

8 $BadClus List of Bad Clusters on the volume

9 $Secure Security descriptors for all files

10 $UpCase Table of UNICODE uppercase characters for sorting

11 $Extend For optional extensions

12-14 Reserved for future use (not used or empty)

15-23 Extension records for MFT if it is heavily fragmented

24 + Records for regular files

$Volume

$AttrDef

$Bitmap

$BadClus

$LogFile

$UpCase

$Secure

. (dot)

$Extend

$Quota Disk space allocated and used by each user

$UsrJrnl Changes made to files

$Reparse Shortcuts, mount points and junctions

$ObjId Alternate way to reference a file

$MFTMirr

NTFS Metafiles Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Including other metafiles

- Each FILE record is usually 1024 bytes- MFT Header - first 42 bytes- Attributes - remaining bytes

Data

$BOOT

$MFT

$MFTMirr

NTFS

Par

titi

on

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpace

MFT Record Header

NTFS

Par

titi

on

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpace

Hex Dec Bytes Description0x00 0 4 Signature [46 49 4C 45] “FILE”

0x04 4 2 Offset to Fix-up Array

0x06 6 2 Number of Entires in Fix-up Array

0x08 8 8 Logfile Sequence Number (LSN)

0x10 16 2 Incremental Sequence Value

0x12 18 2 Hard Link Count

0x14 20 2 Offset to Start of Attributes

0x16 22 2 Flags (in-use and directory)

0x18 24 4 Used Size of MFT Entry

0x1C 28 4 Allocated Size of MFT Entry

0x20 32 8 File reference to Base Record

0x28 40 2 Next Attribute ID

0x2A 42 2 Fix-Up Codes and Attributes

0x2C 44 4 $MFT File Record Number

Bytes 42-1024Bytes 42-1024Bytes 42-1024 Fix-up Codes and Attributes

MFT Record Header

Other Possible Signatures:

INDXBAAD

Data

$BOOT

$MFT

$MFTMirr

MFT Record Header

46 49 4C 45 FILE49 4E 44 58 INDX42 41 41 44 BAAD

Fix-Up Data

MFT Record Header

NTFS

Par

titi

on

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpace

Hex Dec Bytes Description0x00 0 4 Signature [46 49 4C 45] “FILE”

0x04 4 2 Offset to Fix-up Array

0x06 6 2 Number of Entires in Fix-up Array

0x08 8 8 Logfile Sequence Number (LSN)

0x10 16 2 Incremental Sequence Value

0x12 18 2 Hard Link Count

0x14 20 2 Offset to Start of Attributes

0x16 22 2 Flags (in-use and directory)

0x18 24 4 Used Size of MFT Entry

0x1C 28 4 Allocated Size of MFT Entry

0x20 32 8 File reference to Base Record

0x28 40 2 Next Attribute ID

0x2A 42 2 Fix-Up Codes and Attributes

0x2C 44 4 $MFT File Record Number

Bytes 42-1024Bytes 42-1024Bytes 42-1024 Fix-up Codes and Attributes

MFT Record Header

Data

$BOOT

$MFT

$MFTMirr

MFT Record HeaderLogfile Sequence NumberIncremental Sequence

Value (Use Count)Hard Link CountOffset to First

Attribute00 00 Deleted File01 00 Exiting (in-use) File02 00 Deleted Directory 03 00 Exisiting (in-use) Directory

Number of bytes used in this

recordNumber of bytes allocated for this record

Reference to base MFT RecordOnly used if file attributes could

not fit into a single record

Next Attribute IDMFT Record ID

This is the only MFT record file this file.

There should be four attributes.

MFT Record Header

NTFS

Par

titi

on

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpace

Hex Dec Bytes Description0x00 0 4 Signature [46 49 4C 45] “FILE”

0x04 4 2 Offset to Fix-up Array

0x06 6 2 Number of Entires in Fix-up Array

0x08 8 8 Logfile Sequence Number (LSN)

0x10 16 2 Incremental Sequence Value

0x12 18 2 Hard Link Count

0x14 20 2 Offset to Start of Attributes

0x16 22 2 Flags (in-use and directory)

0x18 24 4 Used Size of MFT Entry

0x1C 28 4 Allocated Size of MFT Entry

0x20 32 8 File reference to Base Record

0x28 40 2 Next Attribute ID

0x2A 42 2 Fix-Up Codes and Attributes

0x2C 44 4 $MFT File Record Number

Bytes 42-1024Bytes 42-1024Bytes 42-1024 Fix-up Codes and Attributes

MFT Record Header

Data

$BOOT

$MFT

$MFTMirr

Master File TableMaster File Table $MFT- Location and attributes for all files on partition- Including other metafiles

- Each FILE record is usually 1024 bytes- MFT Header - first 42 bytes- Attributes - remaining bytes- Each attribute has - a header (16 bytes)

- location and size of content (8 or 56 bytes)- and content (size varies) - details of attribute

Data

$BOOT

$MFT

$MFTMirr

NTFS

Par

titi

on

Content is stored in this FILE record.

“Resident”

Content is stored at another location in

partition. “Non-Resident”

Content

Content

MFT File RecordMFT Header

AttributeAttribute Attribute Attribute UnusedSpaceContentContentAttr

HeaderAttr

Header

Loc/

Siz

Loc/

Siz

AttrHeader

AttrHeaderLo

c/Si

z

Loc/

Siz

A file may need more than one MFT record to

hold its attributes.

THINK BIG WE DO

U R Ihttp://www.forensics.cs.uri.edu

Digital Forensics CenterDepartment of Computer Science and Statics

NTFSMaster File Table

Layout

NTFSMaster File Table

Layout