The 4N6 Post

 

The $MFT, or Master File Table, plays a crucial role in NTFS (New Technology File System), the file system used by Windows. It is the master index of every file and directory on an NTFS volume, so understanding it is vital for forensic investigators, system administrators, and security professionals alike. In this blog post, we'll explore the $MFT file in detail: its structure, its functions, and how it appears in both normal and potentially malicious scenarios. We'll also touch on tools such as MFTECmd.exe by Eric Zimmerman and MACTIME on Linux, and show how they can be used in forensic analysis to parse the $MFT.






Understanding the $MFT File

The Master File Table is a system file that resides at the heart of NTFS volumes. It contains records for every file and directory on the volume, providing a hierarchical structure and metadata for each entry. The $MFT file is divided into fixed-size entries, each representing a file or directory. These entries include information such as file name, timestamps, permissions, and pointers to the actual data clusters on the disk.

$MFT File Size and Structure

The size of the $MFT file varies with the size of the volume and the number of files and directories it contains. Generally, the $MFT starts small and expands as more files and directories are created on the NTFS volume. The $MFT file is organized into fixed-size entries, typically 1024 bytes each, and it grows in increments of these MFT records. Understanding the size and structure of the $MFT is crucial for forensic investigators seeking to extract meaningful information from this integral component of the NTFS file system. As of this article, a typical $MFT on a regularly used computer tends to be around 250MB to 350MB. The Windows 11 computer I use as an example has a comically huge one at 1GB!!!

Relevant Information within $MFT on NTFS

The $MFT on NTFS contains a wealth of information essential for file system operations and forensic analysis. Each MFT entry holds metadata such as timestamps (creation, modification, and access), file attributes, security descriptors, and pointers to the actual data clusters on the disk. This rich set of data allows investigators to reconstruct timelines, understand file interactions, and delve into the details of file permissions and attributes, providing a comprehensive view of file system activities.

MFT Zone: A Critical Region

The MFT Zone is a dedicated region on the NTFS volume reserved for the initial placement of $MFT records. This area ensures that the $MFT file remains contiguous, optimizing performance by reducing fragmentation. Forensic analysts often focus on the MFT Zone during investigations, as it can provide valuable insights into the recent file system activities. Analyzing this critical region allows investigators to identify patterns and anomalies, aiding in the detection of suspicious activities.

Where to Find the $MFT File

Locating the $MFT file is a fundamental step in forensic analysis. On Windows systems the $MFT lives in the root directory of each NTFS volume as a super hidden system file; on the C: drive its absolute path is "C:\$MFT". Forensic investigators often create disk images to preserve the state of the file system, and tools like MFTECmd.exe can then be pointed at the $MFT extracted from those images.

At a deeper level, you can find the $MFT file sitting on Logical Sector 1 (the sector right after the boot sector) of each NTFS volume. To demonstrate, the steps below show how to put it together and find the $MFT manually using FTK Imager and HxD.

1. Even with super hidden files enabled in Windows 11, the $MFT cannot be seen. FTK Imager or other tools can help you find and/or extract the file.

Carving Out the $MFT File: From Start to End

Carving out the $MFT file involves extracting its content from a disk image or live file system for further analysis. Forensic tools and techniques are employed to carve out the $MFT, starting from its initial location on the disk. Analysts can use specialized tools like dd (disk dump) or forensic suites to create a copy of the $MFT file. This process involves identifying the signature of the $MFT and extracting its content byte by byte, ensuring the integrity of the data for subsequent forensic analysis. Carving out the $MFT file is a critical step in unraveling the mysteries it holds, allowing investigators to meticulously examine each entry for insights into file system activities.

2. This part is more detailed than you really need and will be its own post, but I'll add this version here.
  • In the screenshot below, you can see PHYSICALDRIVE1. In Sector 1 of the drive we have the "EFI PART" signature: this is the GPT header, the partition manager for the GPT, which tracks where all the partitions are on the disk.

  • The partition entries start at offset 0x400 (1024 bytes), i.e. sector 2. Each partition entry is 128 bytes (0x80) long.




3. The break down of how these are built will be on a new page once I create one, and I will replace this text when it's ready to be linked.
  • If we do the math by looking at the offset for the first partition, it brings us to the image below. You can see in the image that I haven't clicked a partition yet, just scrolled down / searched for it. The first, and typically the most likely, location for the first partition is sector 2,048 (0x800).
  • The following partitions start and end at Hex:
    • Partition 1: 
      • Start: 0x0800
      • End: 0x827FF
    • Partition 2: (feel free to try this on the other partitions if you want)
      • Start: 0x082800
      • End: 0x08A7FF
      • Size: 16,776,704 Bytes (16.7 MB)
        • (End sector minus Start sector) × 512 bytes per sector = total size
          • 567,295 minus 534,528 = 32,767
          • 32,767 × 512 bytes = 16,776,704
    • Partition 3:
      • Start: 0x08A800
      • End: 0x38BB528E
    • Partition 4:
      • Start: 0x38BB5800
      • End: 0x38D7C7FF
    • Partition 5:
      • Start: 0x38D7D000
      • End: 0x3B97CFFF

For now you can click on the appropriate partition in FTK Imager to logically navigate to where you want to go.
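The GPT math in step 3 can be automated. The following Python is an added example written for this post, not code from the blog or from FTK Imager or HxD: it builds a small constructed disk image (an empty LBA 0, a GPT header at LBA 1, and an entry array at LBA 2 reusing the start and end sectors quoted above for partitions 1 and 2), reads the array's location and entry size out of the header instead of assuming byte 0x400, decodes each 128-byte entry, and computes partition sizes. It assumes 512-byte sectors and leaves the header and array CRCs at zero (a real parser should verify them). One caveat: GPT's ending LBA is inclusive, so the code counts last - first + 1 sectors; the plain subtraction in step 3 is one sector short, which is why it arrives at 16,776,704 bytes rather than 16,777,216 bytes (exactly 16 MiB).

```python
import struct
import uuid

SECTOR = 512                    # logical sector size assumed here; the post's math also uses 512
ENTRY_SIZE = 0x80               # each GPT partition entry is 128 bytes
UNUSED_TYPE = uuid.UUID(int=0)  # an all-zero type GUID marks an unused entry slot

# Well-known GPT partition type GUIDs, used to label the sample entries below.
EFI_SYSTEM = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")
MS_RESERVED = uuid.UUID("e3c9e316-0b5c-4db8-817d-f92df00215ae")
TYPE_NAMES = {
    EFI_SYSTEM: "EFI System",
    MS_RESERVED: "Microsoft Reserved",
    uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"): "Basic Data",
    uuid.UUID("de94bba4-06d1-4d40-a16a-bfd50179d6ac"): "Windows Recovery",
}


def partition_size_bytes(first_lba, last_lba, sector=SECTOR):
    """GPT's ending LBA is inclusive, so the sector count is last - first + 1.
    Subtracting without the + 1, as the worked example in the post does, is one sector short."""
    return (last_lba - first_lba + 1) * sector


def build_entry(type_guid, first_lba, last_lba, name):
    """Pack one 128-byte entry: type GUID, unique GUID, first LBA, last LBA, attributes, UTF-16LE name."""
    name_field = name.encode("utf-16-le").ljust(72, b"\x00")
    return (type_guid.bytes_le + uuid.uuid4().bytes_le
            + struct.pack("<QQQ", first_lba, last_lba, 0) + name_field)


def build_gpt_header(entry_lba=2, entry_count=128, entry_size=ENTRY_SIZE):
    """Minimal GPT header for LBA 1 carrying only the fields this example reads (CRCs left at zero)."""
    hdr = bytearray(SECTOR)
    hdr[0:8] = b"EFI PART"                              # the signature the post points at in sector 1
    struct.pack_into("<I", hdr, 0x0C, 0x5C)             # header size
    struct.pack_into("<Q", hdr, 0x48, entry_lba)        # starting LBA of the partition entry array
    struct.pack_into("<II", hdr, 0x50, entry_count, entry_size)
    return bytes(hdr)


def parse_entry(raw):
    """Decode one entry; returns None for an unused slot."""
    type_guid = uuid.UUID(bytes_le=raw[0:16])
    if type_guid == UNUSED_TYPE:
        return None
    first_lba, last_lba = struct.unpack_from("<QQ", raw, 32)
    return {
        "type": TYPE_NAMES.get(type_guid, str(type_guid)),
        "first_lba": first_lba,
        "last_lba": last_lba,
        "name": raw[56:128].decode("utf-16-le").rstrip("\x00"),
        "size_bytes": partition_size_bytes(first_lba, last_lba),
    }


def parse_partition_table(disk, sector=SECTOR):
    """Locate the entry array through the GPT header instead of assuming it sits at byte 0x400."""
    hdr = disk[sector:2 * sector]
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1 (MBR-only disk, or wrong sector size)")
    entry_lba, = struct.unpack_from("<Q", hdr, 0x48)
    count, size = struct.unpack_from("<II", hdr, 0x50)
    base = entry_lba * sector                            # 2 * 512 = 0x400 on a standard disk
    found = []
    for i in range(count):
        raw = disk[base + i * size:base + (i + 1) * size]
        if len(raw) < size:
            break
        entry = parse_entry(raw)
        if entry is not None:
            found.append(entry)
    return found


# Constructed sample image, not a dump of a real disk: an empty LBA 0, the header at LBA 1,
# and an entry array reusing the start/end sectors the post quotes for partitions 1 and 2.
SAMPLE_DISK = (
    bytes(SECTOR)
    + build_gpt_header()
    + build_entry(EFI_SYSTEM, 0x800, 0x827FF, "EFI system partition")
    + build_entry(MS_RESERVED, 0x82800, 0x8A7FF, "Microsoft reserved partition")
    + bytes(ENTRY_SIZE * 126)
)

if __name__ == "__main__":
    for p in parse_partition_table(SAMPLE_DISK):
        print(f"{p['name']:<30} {p['type']:<20} start 0x{p['first_lba']:X} end 0x{p['last_lba']:X} "
              f"sectors {p['last_lba'] - p['first_lba'] + 1:,} size {p['size_bytes']:,} bytes")
```

Run it as a script to print both sample partitions; to apply it to a real image, pass the first few kilobytes of the raw disk (not a partition) as `disk`, and check the sector size first, since a 4Kn disk puts the header at byte 4096 rather than 512.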


4. Where we want to go is one of the NTFS partitions. You might notice that in my example the largest one, the C: drive, is encrypted. This may dampen your style, depending on your scenario.
  • What can be seen by looking at this partition is the volume signature -FVE-FS-, which is a nice way of saying BitLocker encrypted.
  • Because I am using the drive, it can be seen unencrypted.
  • You will have to mount encrypted ones separately or use an unencrypted partition for your testing.


5. Here you can see Partition 4 is not encrypted and allows me to go to the MFT (FILE0).
  • Each MFT entry starts with the signature FILE, and the $MFT will always be the very first entry. (In a hex editor it reads as FILE0 because the byte that follows, 0x30, is the offset of the update sequence array and happens to be ASCII "0".)
    • It starts at logical sector 0x10 (16 decimal, byte offset 0x2000) of the partition, not the disk. Rather than assume this offset on other volumes, read the $MFT start cluster from the 8-byte field at offset 0x30 of the volume's boot sector and multiply by the cluster size.
    • You can see from the image that the physical sector is actually 0x38bb5810 (sector 951,801,872).
    • If you look back at the partition start and end in step 3, the partition starts at 0x38BB5800, a difference of hex 10, or 16 sectors. Everything lines up, which is nice.


Looking at a more expanded view with 128 bytes across, you can see in the image below that each entry has a total length of 0x400 (1024 bytes), which is the maximum amount of space an entry gets before the file's data has to be written to disk outside the record. See resident files below for more on that.
  • In this image we can see the common files that are written first, such as:
    1. $MFT
    2. $MFTMirr
    3. $LogFile
    4. $AttrDef
    5. $I30
    6. $Bitmap

  • The $MFT does grow in size as needed. In this scenario, looking at a smaller one, the file is as small as what you see at the bottom of the file:
    • Hex value 0x03FF80 (+0x80 / 128 bytes)
      • DEC: 262,016 bytes in length
    • Add 128 if you actually plan to calculate from the given number, since the last 128-byte line is still tailing: 0x40000 = 262,144 bytes, exactly 256 records of 1024 bytes.




Structure of $MFT Entries

Each $MFT entry has a standardized structure, comprising various attributes that store specific information about the file or directory. Common attributes include:

1. Standard Information (SI):

  • Description: The Standard Information attribute is an integral part of the $MFT entry, containing essential metadata about the associated file or directory. This metadata includes information such as timestamps and file attributes. 
  • Timestamps:
    • Creation Timestamp: Indicates the date and time when the file or directory was created.
    • Modification Timestamp: Reflects the last time the file's content or attributes were modified.
    • Access Timestamp: Represents the most recent time the file or directory was accessed.
  • File Attributes:
    • Read-Only: Indicates whether the file is read-only or can be modified.
    • Hidden: Determines whether the file is visible or hidden in the file system.
    • System: Marks the file as a system file, crucial for the functioning of the operating system.
    • Archive: Flags the file as requiring archiving; typically used by backup software.

2. File Name (FN):

  • Description: The File Name attribute is responsible for storing the name of the file or directory associated with the $MFT entry.
  • Unicode Character Encoding:
    • UTF-16: The file name is stored in Unicode format (UTF-16), allowing for the representation of a wide range of characters from different languages.
  • Naming Conventions:
    • Long File Names: Supports long file names, allowing for more descriptive and human-readable file and directory names.
    • Short File Names (8.3): Accommodates the traditional 8.3 naming convention for compatibility with older systems.
  • Directory Structure:
    • Full Path: In the case of directories, the File Name attribute can store the full path, indicating the location of the directory within the file system.

3. Data (D):

  • Description: The Data attribute points to the actual data clusters on the disk where the content of the file is stored. It plays a pivotal role in linking the $MFT entry to the physical location of the file's data.
  • Cluster Allocation:
    • Cluster Pointers: The Data attribute contains pointers to clusters on the disk, indicating the storage locations of the file's data. These clusters may be non-contiguous due to fragmentation.
  • File Size:
    • Size Information: The Data attribute also stores information about the size of the file, allowing the operating system to allocate the appropriate amount of disk space for the file's content.

4. Object ID (OID):

  • Description: The Object ID attribute provides a unique identifier for the file or directory. This identifier is generated when the file or directory is created and remains constant throughout its lifetime.
  • Uniqueness:
    • Globally Unique Identifier (GUID): The Object ID is a GUID, ensuring a high degree of uniqueness across different files and directories on the system.
  • Use Cases:
    • File Tracking: The Object ID is often used for tracking files and directories, especially in scenarios where file names may change.

5. Security Descriptor (SD):

  • Description: The Security Descriptor attribute contains information about access control and permissions for the associated file or directory.
  • Access Control List (ACL):
    • Discretionary ACL (DACL): Specifies the discretionary access control list, determining who can access the file and what level of access is granted.
    • System ACL (SACL): Specifies the system access control list, governing auditing and security monitoring settings.
  • Owner and Group Information:
    • Owner SID: Identifies the security identifier (SID) of the user or group that owns the file.
    • Group SID: Identifies the security identifier (SID) of the group associated with the file.
  • Permission Settings:
    • Read, Write, Execute Permissions: Defines the permissions granted to users or groups, specifying whether they can read, write, or execute the file.

Residual MFT Files and Concealed Operations

In some cases, small residual MFT files may remain even after a file is deleted. These residual files, often referred to as "slack space," can be small enough to escape immediate attention but still contain traces of the deleted file. Malicious actors may exploit this aspect by intentionally creating small files or manipulating existing ones to hide information within the MFT. This covert approach allows them to conceal files, making it challenging for standard file system analysis tools to detect their presence.

In the example below, you can see that I created a file which takes up no space on the disk: it already occupies 1,024 bytes in the MFT, and all of its data fits inside that 1,024-byte record. That record also has to hold the header, timestamps and other attributes, so the space actually available for resident data is less than 1,024 bytes.




MFT Record Deletion: What Happens?

When a file is deleted in the NTFS file system, the corresponding MFT record is not immediately wiped. Instead, it is marked as "unused," and the space it occupies becomes available for reuse. This process is part of NTFS's optimization strategy to avoid frequent expansion and contraction of the $MFT file. Forensic investigators can leverage this characteristic to recover deleted files by searching for unused MFT records that might still contain residual data from the deleted file.

Normal Use Case: How $MFT Facilitates File System Operations

In a typical, non-malicious scenario, the $MFT file plays a crucial role in facilitating file system operations. When a user creates, modifies, or deletes a file, the corresponding changes are reflected in the $MFT entries. For instance, if a user creates a new document, the $MFT entry for that file is updated with the relevant metadata, including the creation timestamp and file attributes. This seamless interaction with the $MFT ensures that the file system maintains accurate records and efficiently organizes data.

Malicious Use Case: Exploiting $MFT for Stealthy Activities

Unfortunately, the same features that make $MFT essential for normal file system operations can also be exploited for malicious purposes. Malware and attackers may manipulate $MFT entries to hide files, conceal their activities, or evade detection. For example, attackers may alter timestamps within the $MFT to mislead investigators about the timing of file creation or modification. They could also create hidden entries within the $MFT to store malicious payloads or sensitive information, flying under the radar of traditional file system analysis.
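To make the entry structure from the previous section concrete, here is an added Python example written for this post, not code from the blog or from MFTECmd. It builds three constructed 1024-byte FILE records, each with a $STANDARD_INFORMATION, a $FILE_NAME and a resident $DATA attribute, applies the update sequence fixups NTFS uses on disk, and then parses them back the way an MFT parser does: the FILE signature, the in-use and directory flags from the header (a deleted file keeps its record, flagged not in use, as the deletion section describes), the four timestamps from $SI and $FN, the file name, and any resident data (the small-file case from the residual-files section). It also runs two heuristics examiners commonly apply when looking for the timestamp manipulation described above: $SI creation time earlier than $FN creation time, and $SI timestamps with zero fractional seconds. The names and times are invented; the attribute layouts and offsets are the standard NTFS ones.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 0x400, 0x200                 # 1024-byte records, 512-byte sectors
ATTR_SI, ATTR_FN, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02                # record header flags at offset 0x16
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)       # FILETIME counts 100-ns ticks from here


def filetime_to_dt(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)


def ft(iso):
    """ISO-8601 UTC string -> FILETIME ticks; helper for the constructed sample data only."""
    delta = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc) - EPOCH
    return (delta // timedelta(microseconds=1)) * 10


def resident_attr(atype, content):
    """Resident attribute: 24-byte header, then the content, padded to an 8-byte boundary."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\x00")


def build_record(record_no, si_times, fn_times, name, data=b"", in_use=True):
    """Constructed FILE record (not copied from any real volume) with $SI, $FN and a resident $DATA."""
    si = struct.pack("<QQQQI", *si_times, 0x20).ljust(48, b"\x00")         # 0x20 = ARCHIVE attribute
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, *fn_times, len(data),   # parent = root dir, record 5
                     len(data), 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (resident_attr(ATTR_SI, si) + resident_attr(ATTR_FN, fn)
             + resident_attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                      FLAG_IN_USE if in_use else 0, 0x38 + len(attrs), RECORD_SIZE, 0, 4, 0, record_no)
    body = hdr + bytes(8) + attrs                  # bytes(8) leaves room for the update sequence array
    if len(body) > RECORD_SIZE:
        raise ValueError("header plus attributes exceed 1024 bytes; $DATA would have to go non-resident")
    rec = bytearray(body.ljust(RECORD_SIZE, b"\x00"))
    usn, originals = b"\x07\x00", b""
    for s in range(RECORD_SIZE // SECTOR_SIZE):    # NTFS swaps the last word of every sector for the
        end = (s + 1) * SECTOR_SIZE - 2            # update sequence number and keeps the originals
        originals += bytes(rec[end:end + 2])       # in the array at 0x30, so torn writes are detectable
        rec[end:end + 2] = usn
    rec[0x30:0x36] = usn + originals
    return bytes(rec)


def apply_fixups(raw):
    """Restore the sector-end words; a mismatch means a torn write or not a genuine record."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"update sequence mismatch at end of sector {i - 1}")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Header flags, $SI and $FN timestamps (created, modified, MFT modified, accessed), name, resident data."""
    if raw[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    rec = apply_fixups(raw)
    first_attr, flags, used, allocated = struct.unpack_from("<HHII", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "used": used, "allocated": allocated,
            "in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY),
            "name": None, "si": None, "fn": None, "resident_data": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:                      # resident: the content sits inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_SI:
                info["si"] = [filetime_to_dt(t) for t in struct.unpack_from("<QQQQ", content, 0)]
            elif atype == ATTR_FN:
                info["fn"] = [filetime_to_dt(t) for t in struct.unpack_from("<QQQQ", content, 8)]
                info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["resident_data"] = content
        off += alen
    return info


def timestomp_indicators(info):
    """Examiner heuristics: $SI created earlier than $FN created (user-mode APIs can rewrite $SI; the
    kernel maintains $FN), and $SI timestamps with an all-zero fractional second."""
    hits = []
    if info["si"] and info["fn"] and info["si"][0] < info["fn"][0]:
        hits.append("$SI created precedes $FN created")
    if info["si"] and all(t.microsecond == 0 for t in info["si"]):
        hits.append("$SI timestamps have zero fractional seconds")
    return hits


# Constructed sample records: a normal file whose 600-byte payload is resident, a backdated file,
# and a deleted file whose record is still intact.
T0, T1 = ft("2024-03-04T10:15:22.418213"), ft("2024-03-04T10:16:05.002110")
NORMAL = build_record(40, (T0, T1, T1, T1), (T0, T0, T0, T0), "notes.txt", b"A" * 600)
STOMPED = build_record(41, (ft("2019-01-01T00:00:00"),) * 4, (T0, T0, T0, T0), "svc.dll")
DELETED = build_record(42, (T0,) * 4, (T0,) * 4, "old.log", b"gone", in_use=False)

if __name__ == "__main__":
    for raw in (NORMAL, STOMPED, DELETED):
        r = parse_record(raw)
        state = "in use" if r["in_use"] else "deleted, record retained"
        print(f"#{r['record']} {r['name']}: {state}, used {r['used']}/{r['allocated']} bytes, "
              f"$SI created {r['si'][0].isoformat()}, indicators {timestomp_indicators(r) or 'none'}")
```

The fixup step is the part hand-rolled parsers most often skip: the 600-byte resident payload in the first sample crosses the 512-byte sector boundary, so without restoring the swapped word at offset 0x1FE two bytes of the file content would come back wrong. Neither heuristic is proof on its own (a file copied from another volume legitimately gets fresh timestamps), which is why both $SI and $FN are reported together for the examiner to weigh.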

Forensic Analysis: Parsing $MFT with MFTECmd.exe and MACTIME

To unravel the mysteries hidden within the $MFT file, forensic investigators rely on specialized tools for parsing and analyzing its contents. One such tool is MFTECmd.exe, developed by digital forensics expert Eric Zimmerman. This command-line utility allows investigators to extract and analyze information from $MFT entries efficiently.

Using MFTECmd.exe

MFTECmd.exe offers a range of options for parsing the $MFT, including exporting the data in several formats for further analysis. Investigators can run a command like MFTECmd.exe -f $MFT --csv C:\out to export every entry with its timestamps to CSV, from which a timeline of file system activity can be built. This timeline can be invaluable for reconstructing events and understanding the sequence of file-related operations.

From Windows PowerShell or CMD:
.\MFTECmd.exe -f $MFT --bdl C --body c:\Blog_MFT\ --bodyf Example_MFT.body

Here -f is the extracted $MFT to parse, --bdl C is the drive letter to prefix the paths in the body file with, --body is the output directory and --bodyf the output file name. One caveat when running this from PowerShell: quote the file name ('$MFT') or give its full path, because PowerShell otherwise expands $MFT as a (non-existent) variable and MFTECmd receives no file name. From CMD the line works as written.

To make the times more readable, see the next paragraph for MACTIME in Linux.

MACTIME in Linux

For investigators working in a Linux environment, MACTIME is a powerful tool for timeline analysis, including $MFT-based timelines. MACTIME can process the output generated by MFTECmd.exe or directly parse $MFT images in Linux environments. This cross-platform compatibility makes it easier for forensic analysts to collaborate and share findings across different operating systems.

From Linux you can sort the data into a readable timeline using:
 mactime -d -y -b DC01_FLS_tln.body > DC01_FLS_tln.csv

Here -b names the body file, -d makes the output comma-delimited and -y prints the dates year-first (ISO 8601); redirecting to a .csv gives you something you can open in a spreadsheet.
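The two commands above take a body file and turn it into a sorted, human-readable timeline. As an added example (not part of the post, and not mactime's or MFTECmd's own code), the Python below does the same core work on a few constructed body-file lines in the TSK 3.x layout that MFTECmd --body produces: it expands each entry's four timestamps into rows carrying mactime's m/a/c/b flags, sorts them, narrows them to a time window, and writes comma-delimited output in the column order mactime -d uses. The paths, record numbers and times in SAMPLE_BODY are invented; the field order is the real body-file format.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed body-file lines in the TSK 3.x layout that MFTECmd --body writes (not real output):
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime, times as Unix epoch seconds.
# For NTFS, ctime carries the MFT-entry-modified time and crtime the creation ("born") time.
SAMPLE_BODY = """\
0|C:\\Users\\alice\\Documents\\report.docx|4211-3|r/rrwxrwxrwx|0|0|24576|1709547322|1709547400|1709547400|1709547322
0|C:\\Windows\\Temp\\svc.dll|9044-1|r/rrwxrwxrwx|0|0|88064|1546300800|1546300800|1709551205|1709551205
0|C:\\Users\\alice\\Documents|4210-2|d/drwxrwxrwx|0|0|0|1709547400|1709547400|1709547400|1700000000
"""


def parse_body(text):
    """Expand each body line into timeline rows, one per distinct timestamp, with mactime's
    'macb' letters: m = modified, a = accessed, c = MFT entry changed, b = born."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"expected 11 fields, got {len(fields)}: {line!r}")
        name, inode, mode, uid, gid = fields[1:6]
        size = int(fields[6])
        atime, mtime, ctime, crtime = (int(v) for v in fields[7:11])
        by_time = {}                                  # timestamps that coincide share one row
        for letter, t in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if t > 0:                                 # zero means "no such timestamp"
                by_time.setdefault(t, set()).add(letter)
        for t, letters in by_time.items():
            rows.append({"epoch": t,
                         "macb": "".join(c if c in letters else "." for c in "macb"),
                         "size": size, "mode": mode, "uid": uid, "gid": gid,
                         "inode": inode, "name": name})
    return rows


def timeline(text):
    """The sorted timeline: chronological, ties broken by path so the output is stable."""
    return sorted(parse_body(text), key=lambda r: (r["epoch"], r["name"]))


def window(rows, start_iso, end_iso):
    """Cut the timeline down to [start, end) in UTC, the usual first filter around an incident."""
    def epoch(s):
        return int(datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp())
    lo, hi = epoch(start_iso), epoch(end_iso)
    return [r for r in rows if lo <= r["epoch"] < hi]


def to_csv(rows):
    """Comma-delimited output in the column order mactime -d uses."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Date", "Size", "Type", "Mode", "UID", "GID", "Meta", "File Name"])
    for r in rows:
        date = datetime.fromtimestamp(r["epoch"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        writer.writerow([date, r["size"], r["macb"], r["mode"], r["uid"], r["gid"], r["inode"], r["name"]])
    return out.getvalue()


if __name__ == "__main__":
    rows = timeline(SAMPLE_BODY)
    print(to_csv(rows))
    # Narrow to the day of interest; note that svc.dll's born time (2019) sits years before
    # its MFT-entry-changed time, the kind of gap worth a second look in the parsed $MFT.
    print(to_csv(window(rows, "2024-03-04T00:00:00", "2024-03-05T00:00:00")))
```

Because a body file built from $SI timestamps only shows what $SI says, pair this view with a $FN-based body file (MFTECmd can emit both) before drawing conclusions about a suspicious creation date.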




Alternatively you can use MFT Explorer if you want an easy way to load the data. It might take a while to process, though.

EZ Mode

SANS / Zimmerman - MFT Explorer

Resources:
