NTFS Index Attributes ($I30)
The $I30 index is NTFS's internal directory listing mechanism. Every folder on an NTFS volume maintains a B-tree index of its contents, and this index is stored within an attribute named $I30. What makes this powerful for forensics is that when files are deleted from a directory, their index entries are not immediately overwritten — they persist in the index slack space, leaving behind recoverable evidence of files that no longer appear in the active directory listing.
Imagine a public library that keeps an alphabetically sorted card index for every book on each shelf. When a book is removed, the librarian pulls the card but leaves the card slot open. If you look carefully at those empty slots, you can still see the faint impression of where the old card was. The $I30 index works the same way. Deleted file entries leave ghostly impressions in the directory's index that a forensic analyst can recover.
General
NTFS stores directory contents as a B-tree structure within the $INDEX_ROOT and $INDEX_ALLOCATION attributes of a folder's MFT record, both carrying the name $I30. The B-tree is built from $FILE_NAME attribute entries, allowing fast sorted lookups. When a file is removed from a directory, its $FILE_NAME entry is removed from the active B-tree nodes — but the physical pages backing the index are not zeroed. The unallocated index page areas, known as index slack, retain full or partial copies of old $FILE_NAME records, including their four embedded MACB timestamps. These kernel-written timestamps are significantly more resistant to tampering than standard $STANDARD_INFORMATION timestamps.
Traces
Carving the $I30 slack from directory index pages reveals the following data from deleted entries:
- Filename: The name of a file that previously existed in the directory.
- $FILE_NAME Timestamps: Four kernel-written MACB timestamps, copied into the index entry the last time NTFS updated the file's directory entry.
- MFT Reference Number: The MFT record number of the deleted file, allowing cross-referencing with the $MFT.
- File Size at Deletion: The logical and physical file size recorded at the time the last index update occurred.
- and more.
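The parser below is an added example, not code from the original page, written to show the index page layout described in the General section and the traces listed above. It walks the active entries of one 4 KiB $INDEX_ALLOCATION page (an INDX record), undoes the NTFS update-sequence fixup first, and then carves $FILE_NAME bodies out of the slack between the end of the active entries and the allocated end of the node. The sample page is constructed in memory rather than read from a volume; the file names, MFT record numbers (70, 71, parent 5), sizes and the 2024 timestamp are all assumed values. Real-world field offsets follow the public NTFS on-disk format; everything else (function names, the plausibility thresholds, the 1990..2100 timestamp window) is this example's own choice.

```python
"""Carve $FILE_NAME records from an NTFS $I30 INDX page: the active entries and the slack after them.
Added example, not code from the original article; offsets follow the public NTFS on-disk layout."""
import struct
from datetime import datetime, timedelta, timezone

PAGE, SECTOR, NODE, FN_HDR = 4096, 512, 0x18, 0x42  # page size, fixup stride, node header, fixed $FILE_NAME part
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)    # FILETIME epoch
REC_MASK = (1 << 48) - 1                             # low 48 bits of a file reference = MFT record number

def to_filetime(dt):                                 # integer maths; float would lose the 100 ns resolution
    td = dt - EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10

def from_filetime(ft): return EPOCH + timedelta(microseconds=ft // 10)

PLAUSIBLE = tuple(to_filetime(datetime(y, 1, 1, tzinfo=timezone.utc)) for y in (1990, 2100))

def apply_fixups(page):
    """Undo the update-sequence fixup: on disk the last word of each sector is the USN; a mismatch is a torn write."""
    usa_off, usa_count = struct.unpack_from("<HH", page, 4)
    usn, buf = page[usa_off:usa_off + 2], bytearray(page)
    for i in range(1, usa_count):
        e = i * SECTOR - 2
        if buf[e:e + 2] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[e:e + 2] = page[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_file_name(buf, off):
    """Parse a $FILE_NAME body at off, or None if implausible; the strict checks make this usable as a slack carver."""
    if off + FN_HDR > len(buf): return None
    parent, cr, mo, mft, ac, alloc, real, _flags, _rp, nlen, ns = struct.unpack_from("<7Q2I2B", buf, off)
    if not (1 <= nlen <= 255 and ns <= 3 and parent & REC_MASK
            and all(PLAUSIBLE[0] <= t <= PLAUSIBLE[1] for t in (cr, mo, mft, ac))):
        return None
    raw = buf[off + FN_HDR:off + FN_HDR + 2 * nlen]
    try:
        name = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if len(raw) != 2 * nlen or any(ord(c) < 0x20 for c in name):
        return None
    return {"name": name, "parent_record": parent & REC_MASK, "size": FN_HDR + 2 * nlen,
            "created": from_filetime(cr), "modified": from_filetime(mo), "mft_modified": from_filetime(mft),
            "accessed": from_filetime(ac), "alloc_size": alloc, "real_size": real}

def parse_index_page(page):
    """Return (active, slack): entries still in the node, and $FILE_NAME bodies carved after the active region."""
    if page[:4] != b"INDX": raise ValueError("not an INDX record")
    buf = apply_fixups(page)
    entries_off, index_len, alloc_len = struct.unpack_from("<III", buf, NODE)
    active, slack = [], []
    off, end = NODE + entries_off, NODE + index_len
    while off + 0x10 <= end:
        ref, elen, _fnlen, eflags = struct.unpack_from("<QHHI", buf, off)
        if eflags & 2 or elen < 0x10:                # end-of-node marker, or a corrupt length
            break
        rec = parse_file_name(buf, off + 0x10)
        if rec:
            active.append(dict(rec, mft_record=ref & REC_MASK))
        off += elen
    off = end
    while off + FN_HDR <= NODE + alloc_len:          # byte-wise scan: deleted entries keep no reliable header
        rec = parse_file_name(buf, off)
        if rec:
            slack.append(rec)
        off += rec["size"] if rec else 1
    return active, slack

# Constructed sample (assumed values): 'report.docx' is live; 'notes.txt' was the last real entry and is
# deleted the way NTFS does it: end marker moved over its header, index_len shortened, the rest left in place.
def build_file_name(parent_rec, name, when, size):
    ft = to_filetime(when)
    return struct.pack("<7Q2I2B", parent_rec | 1 << 48, ft, ft, ft, ft, -(-size // 4096) * 4096,
                       size, 0x20, 0, len(name), 3) + name.encode("utf-16-le")

def build_entry(mft_rec, fn):
    elen = (0x10 + len(fn) + 7) & ~7                 # index entries are 8-byte aligned
    return struct.pack("<QHHI", mft_rec | 1 << 48, elen, len(fn), 0) + fn.ljust(elen - 0x10, b"\0")

def build_sample_page():
    t = datetime(2024, 3, 5, 9, 30, tzinfo=timezone.utc)
    a = build_entry(70, build_file_name(5, "report.docx", t, 18432))
    b = build_entry(71, build_file_name(5, "notes.txt", t, 512))
    end = struct.pack("<QHHI", 0, 0x10, 0, 2)
    usa_count = PAGE // SECTOR + 1                   # the USN plus one saved word per sector
    entries_off = ((0x28 + 2 * usa_count + 7) & ~7) - NODE
    page = bytearray(PAGE)
    struct.pack_into("<4sHHQQ", page, 0, b"INDX", 0x28, usa_count, 0, 0)   # magic, USA offset/count, LSN, VCN
    start = NODE + entries_off
    page[start:start + len(a + b + end)] = a + b + end
    page[start + len(a):start + len(a) + 0x10] = end           # the deletion of notes.txt
    struct.pack_into("<III", page, NODE, entries_off, entries_off + len(a) + 0x10, PAGE - NODE)
    page[0x28:0x2A] = usn = b"\x01\x00"
    for i in range(1, usa_count):                    # apply the fixups as the driver would
        e = i * SECTOR - 2
        page[0x28 + 2 * i:0x2A + 2 * i] = page[e:e + 2]
        page[e:e + 2] = usn
    return bytes(page)
```

Running `parse_index_page(build_sample_page())` returns `report.docx` with its MFT record number from the active region and `notes.txt` from the slack. Two points of the design matter in practice: the fixup must be undone before anything is parsed, otherwise any entry that straddles a sector boundary carries two bytes of USN instead of data, and a mismatch there is worth reporting rather than silently skipping; and the slack is scanned by $FILE_NAME body rather than by index entry header, because deleting the last entry in a node overwrites exactly the 16-byte entry header with the end marker while leaving the timestamps, sizes, parent reference and name intact. That is also why the carved record has no MFT record number: only the fields that survived are reported, which is the honest form of the "MFT Reference Number" trace listed above.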
Forensic Use Cases
We carve $I30 slack to recover ghost evidence of deleted files and detect timestamp manipulation:
- Deleted File Recovery: Proving that a specific file existed in a directory even when its MFT entry has been reused and its filename evidence destroyed.
- Time Stomping Validation: Using the kernel-controlled $FILE_NAME timestamps preserved in index slack to cross-validate against potentially manipulated $STANDARD_INFORMATION times.
- Attacker Tool Detection: Identifying traces of hacking tools or staging directories that an attacker created and then wiped before leaving.
- Sequencing Activity: Reconstructing the rough chronological order of file creation and deletion events within specific directories.
- and more.