Master File Table ($MFT)
The Master File Table is the absolute ground truth of an NTFS volume. Every file and folder on the drive has an entry in the $MFT. It does not only track what exists right now: it also retains entries for deleted files, with their original attributes and timestamps intact, until the record is reused. If you want to know what was ever on a drive, the $MFT is where you start.
Imagine a massive library where every single book has a numbered index card in a central filing cabinet. That card holds the book's title, location on the shelf, its size and when it was last checked out. Even if someone steals the book off the shelf, the index card remains in the cabinet. The $MFT is that filing cabinet for every file ever placed on a Windows hard drive.
General
Introduced alongside NTFS in Windows NT 3.1, the $MFT is itself a file, specifically MFT Entry 0. The table is a series of 1024-byte records, one per file or directory. Inside each record, NTFS stores data as typed "attributes." The two forensically critical ones are $STANDARD_INFORMATION, which holds the four timestamps visible to Windows Explorer, and $FILE_NAME, which holds a second, independent set of timestamps updated by the kernel. For very small files, the file content itself can be stored directly inside the MFT record as resident data. The divergence between these two timestamp sets is the cornerstone of time stomping detection.
Traces
Parsing the $MFT produces an extensive spreadsheet of filesystem history. Here are the critical columns we analyze:
- Full File Path: The complete directory path and filename for each entry.
- $STANDARD_INFORMATION Timestamps: The four MACB times visible to the OS and users, which are trivially modifiable.
- $FILE_NAME Timestamps: A second set of MACB times updated by the kernel, which are significantly harder to forge.
- File Size: The logical and physical size of the file at the time of its last update.
- Allocation Status: Whether the entry is currently active or has been marked as deleted and is recoverable.
- and more.
Forensic Value
We use the $MFT to build authoritative timelines and expose anti-forensic manipulation:
- Time Stomping Detection: Comparing $STANDARD_INFORMATION timestamps against $FILE_NAME timestamps to identify files whose apparent age has been manipulated.
- Low-Level File Movement Tracking: Pair MFT analysis with the USN Journal for a detailed history of file operations.
- Deleted File Recovery: Cross-reference unallocated MFT entries with $I30 index buffers to identify files that have been renamed or relocated.
- Transaction Logging: Leverage $LogFile to verify the integrity of file system operations during critical windows.
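A minimal record parser applying the $STANDARD_INFORMATION versus $FILE_NAME comparison described under Traces and Forensic Value, added here as an example and not part of this article: it undoes the record's update-sequence fixups, walks the resident attributes of one 1024-byte record, and flags the two classic stomping heuristics. The record is constructed in-code rather than read from a volume, and the function names and the sample file name are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
def filetime(dt):                           # datetime -> FILETIME (100 ns ticks since 1601)
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10
def apply_fixups(rec):                      # undo the update-sequence fixup on each 512-byte sector
    rec, (usa, cnt) = bytearray(rec), struct.unpack_from("<HH", rec, 4)
    for i in range(1, cnt):
        if rec[i * 512 - 2:i * 512] != rec[usa:usa + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[i * 512 - 2:i * 512] = rec[usa + 2 * i:usa + 2 * i + 2]
    return bytes(rec)
def parse_record(rec):                      # one 1024-byte FILE record -> name, in-use flag, $SI/$FN times
    assert rec[:4] == b"FILE", "not a FILE record"
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1), "name": None, "si": None, "fn": None}
    while (hdr := struct.unpack_from("<IIB", rec, off))[0] != 0xFFFFFFFF:   # 0xFFFFFFFF ends the list
        atype, alen, nonres = hdr
        if not nonres:                      # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:               # $STANDARD_INFORMATION: C, M, MFT-M, A
                out["si"] = struct.unpack_from("<4Q", body, 0)
            elif atype == 0x30:             # $FILE_NAME: parent ref, then C, M, MFT-M, A
                out["fn"] = struct.unpack_from("<4Q", body, 8)
                out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return out
def stomping_indicators(e):                 # heuristics only: $SI is user-settable, $FN is kernel-only
    si, fn = e["si"], e["fn"]
    checks = [("$SI created precedes $FN created", si[0] < fn[0]),
              ("$SI time has zero sub-second part", any(t % 10_000_000 == 0 for t in si[:2]))]
    return [msg for msg, hit in checks if hit]   # zero sub-seconds also follow FAT/zip copies
def build_record(name, si, fn):             # constructed sample record, not taken from a real volume
    def attr(atype, body):                  # 24-byte resident attribute header + 8-aligned content
        body += b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHH", atype, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0) + body
    fn_body = struct.pack("<Q4Q2Q2I", 5, *fn, 0, 0, 0, 0) + bytes([len(name), 3]) + name.encode("utf-16-le")
    body = attr(0x10, struct.pack("<4Q", *si) + b"\0" * 16) + attr(0x30, fn_body) + b"\xff" * 4
    rec = bytearray(0x38) + body + bytearray(1024 - 0x38 - len(body))
    struct.pack_into("<4sHHQHHHH", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1)   # USA at 0x30, in use
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"   # USN 1 on sector ends; USA keeps the zeros
    return bytes(rec)

born = datetime(2024, 3, 1, 9, 0, 0, 123456, tzinfo=timezone.utc)   # kernel-set creation time
faked = datetime(2019, 1, 1, tzinfo=timezone.utc)                    # value an attacker wrote into $SI
SAMPLE = build_record("invoice.exe", (filetime(faked),) * 2 + (filetime(born), filetime(faked)), (filetime(born),) * 4)
print(parse_record(SAMPLE)["name"], stomping_indicators(parse_record(SAMPLE)))
```

Both heuristics can fire on legitimate files (a FAT or archive copy also yields whole-second $SI times), so treat hits as leads to confirm against the USN Journal and $LogFile rather than as proof.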
For more information, see these articles: USN Journal, i30, LogFile