What is Master File Table (MFT)?
The Master File Table (MFT) is a valuable database that retains the record of every file and directory in an NTFS volume. Moreover, the MFT retains the metadata of the file system for every file on the volume. NTFS deploys the MFT to keep a record of files.
The MFT itself is stored as a special system file named $MFT, which cannot be opened through user-mode APIs.
All entries in the MFT hold information regarding a file on the volume such as the file name, file size, location of the files on disk, date stamps, read time of the file, creation time of the file, and modification time of the file.
Keep in mind that this vital information is not stored solely inside MFT entries; it can also reside in space outside the MFT.
When the suspect deletes a file, the file isn’t really gone. The data itself is merely marked as unallocated. Likewise, the $MFT entry for the file is retained: it is marked as unallocated rather than erased, so the information about the file survives in the entry. Every $MFT entry is 1024 bytes long.
The Master File Table may be observed when a digital forensic examiner possesses raw access to the disk via imaging or the use of certain tools.
Forensic examiners may use the Master File Table to find comprehensive information about the suspect’s files.
This tutorial demonstrates how to find file artifacts and metadata residing in the Master File Table ($MFT). Furthermore, we illustrate the procedures for extracting NTFS data from a suspect’s seized physical device.
We have also illustrated how to use FTK Imager to recover data from files that can be hard to locate or have been deleted deliberately by a suspect under investigation by digital forensic professionals.
We also have another useful tutorial on using FTK Imager to create a precise disk image of a local hard drive.
1. Install Latest Version Of FTK Imager
Ensure that you have the latest FTK Imager software installed from AccessData’s official site.
2. Start FTK Imager From Your Windows PC
On your Windows PC, double-click the icon labelled “AccessData FTK Imager”.
FTK Imager will start.
3. Add Physical Drive As Evidence Item (“File” > “Add Evidence Item”)
Click on “File” and select “Add Evidence Item” to select our physical drive in the next step.
4. Select “Physical Drive” In “Select Source” Window
Proceed by choosing “Physical Drive” as our source evidence type and click “Next”.
5. Select Physical Drive In “Select Drive” Window
Choose the physical drive on our computer in the “Select Drive” window.
In this tutorial we are interested in examining the contents of “PHYSICALDRIVE0”.
6. Click And Expand The Physical Drive In The Evidence Tree Pane Located On The Left
Click on the “+” block in the Evidence Tree Pane located on the left of the FTK Imager.
7. Click To Expand “Partition 1” (Or Another Partition You Are Interested In Examining) And Click To Expand “Windows 10 [NTFS]”
Under “Partition 1” (or another partition you are interested in) of “PHYSICALDRIVE0”, click on the “+” block of “Windows 10 [NTFS]” to expand the contents.
8. Click To Expand The “[root]” Folder Under The “Windows 10 [NTFS]” File System
To view the various files under the “Windows 10 [NTFS]” file system and in the File List Pane, click on the “+” block of the “[root]” folder.
9. Scroll Down In The File List Pane While In The “[root]” folder And Select “$MFT” In The File List Pane
Make sure you are in the “[root]” folder in the Evidence Tree Pane on your left.
On the right, scroll down in the File List Pane until you see the “$MFT” file. Select “$MFT”. The Viewer Pane below the File List Pane will display the contents of “$MFT”.
10. Click On The Viewer Pane And Press “CTRL +F” On Keyboard To Open Up “Find” Window
Proceed by clicking the Viewer Pane and press the shortcut keys “CTRL + F” on your keyboard to open up the “Find” window.
We can search for numerous files. For this tutorial, we will look for an image (JPEG) file.
For example, let’s go ahead and type in the word “SunnyHoi” into the “Find” search box. Proceed by clicking “Find”.
11. FTK Imager successfully locates a file named “SunnyHoi.jpg”
In a moment, FTK Imager will successfully locate a file named “SunnyHoi.jpg” during the search.
Keep in mind that every MFT record begins with a magic marker, which serves as the record header signature (FILE0).
Significantly, the magic marker is located just above our search word “SunnyHoi”.
12. To Check Creation Time Of File, Select Magic Marker (FILE0) By Highlighting It In Viewer Pane
Select the magic marker (FILE0) which is located above our search word “SunnyHoi” by highlighting it in the Viewer Pane.
13. Press Shortcut Keys “CTRL” + “G” To Show Creation Time Of File While Magic Marker “FILE0” Is Selected And Type “80” In “Go To Offset” Window
To check the creation time of our file, press the shortcut keys “CTRL” + “G” while magic marker “FILE0” is selected.
Note that the creation time of our file is the 8-byte value located at byte offset 80 after the magic marker, so we have to jump to that offset to display it.
Therefore, type “80” in “Byte Offset” of the “Go To Offset” window.
Ensure that “Origin” is set to “Current Position”. Proceed by pressing “OK”.
14. Select 8 Bytes At Byte Offset 80 After Magic Marker
Starting at byte offset 80 after the magic marker, select 8 bytes by highlighting them (on the left).
15. Look At Hex Value Interpreter To Determine File’s Creation Time
At the bottom left of FTK Imager, examine the “Hex Value Interpreter” which will show the file’s creation time in both UTC and local formats.
As we can see, the file’s creation time is 1/31/2019 4:51:46 AM (UTC) and 1/30/2019 8:51:46 PM (Local).
16. To Check File’s Alteration Time, Select The Next 8 Bytes
If we want to find out the file’s alteration time, we have to select the next 8 bytes.
Examine the “Hex Value Interpreter” again, which will show the file’s alteration time in both UTC and local formats.
As we can see, the file’s alteration time is 1/31/2019 3:00:00 AM (UTC) and 1/30/2019 7:00:00 PM (Local).
17. To Check File’s Change Time, Select The Next 8 Bytes
If we want to find out the file’s change time, we have to select the next 8 bytes.
Examine the “Hex Value Interpreter” again, which will show the file’s change time in both UTC and local formats.
As we can see, the file’s change time is 1/31/2019 4:53:52 AM (UTC) and 1/30/2019 8:53:52 PM (Local).
18. To Check File’s Read Time, Select The Next 8 Bytes
If we want to find out the file’s read time, we have to select the next 8 bytes.
Examine the “Hex Value Interpreter” again, which will show the file’s read time in both UTC and local formats.
As we can see, the file’s read time is 1/31/2019 4:51:46 AM (UTC) and 1/30/2019 8:51:46 PM (Local).
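The manual steps above (find the FILE0 marker, jump 80 bytes, decode four consecutive 8-byte timestamps) can be scripted. The following is an added example, not part of the original tutorial or of FTK Imager: it parses one 1024-byte $MFT record, reports the in-use flag from the record header (the “unallocated, not deleted” state described earlier) and walks the attribute list to the $STANDARD_INFORMATION times, which is why the offset comes out as 80 instead of being hard-coded. The record bytes and the timestamp values are constructed inline to match the times read in steps 15 to 18; the fixup (update sequence) handling of a full parser is omitted.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION = 0x10                                  # attribute type id
TIMESTAMPS = ("created", "altered", "mft_changed", "read")   # order on disk
SAMPLE_TIMES = [datetime(2019, 1, 31, *hms, tzinfo=timezone.utc)     # constructed to match the
                for hms in ((4, 51, 46), (3, 0, 0), (4, 53, 52), (4, 51, 46))]  # UTC values of steps 15-18

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (what the Hex Value Interpreter decodes)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_mft_record(record):
    """Allocation flags plus the four $STANDARD_INFORMATION times of one 1024-byte record."""
    if record[:4] != b"FILE":                  # the '0' of "FILE0" is byte 4, the low byte (0x30)
        raise ValueError("missing FILE magic")  # of the update-sequence offset, not the signature
    first_attr, flags = struct.unpack_from("<HH", record, 20)
    info = {"in_use": bool(flags & 0x01), "directory": bool(flags & 0x02)}
    pos = first_attr                           # 0x38 on NTFS 3.1 volumes
    while pos + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, pos)
        if attr_type == 0xFFFFFFFF or attr_len == 0:        # end-of-attributes marker
            break
        if attr_type == STANDARD_INFORMATION:              # always resident
            content_off = struct.unpack_from("<H", record, pos + 20)[0]
            info["timestamp_offset"] = pos + content_off   # 0x38 + 0x18 = 80, as in step 13
            raw = struct.unpack_from("<4Q", record, pos + content_off)
            info.update(zip(TIMESTAMPS, map(filetime_to_datetime, raw)))
            return info
        pos += attr_len
    raise ValueError("$STANDARD_INFORMATION not found")

def build_sample_record(times, in_use=True):   # constructed record, not from a real image
    rec = bytearray(b"FILE") + bytearray(1020)
    struct.pack_into("<HH", rec, 4, 0x30, 3)                            # update-sequence offset/size
    struct.pack_into("<HHHH", rec, 16, 1, 1, 0x38, 1 if in_use else 0)  # seq, links, 1st attr, flags
    struct.pack_into("<IIBBHHHIHBB", rec, 0x38,                         # resident attribute header
                     STANDARD_INFORMATION, 0x60, 0, 0, 0x18, 0, 0, 0x48, 0x18, 0, 0)
    struct.pack_into("<4Q", rec, 0x38 + 0x18, *map(datetime_to_filetime, times))
    struct.pack_into("<I", rec, 0x38 + 0x60, 0xFFFFFFFF)                # end-of-attributes marker
    return bytes(rec)

if __name__ == "__main__":
    for key, value in parse_mft_record(build_sample_record(SAMPLE_TIMES)).items():
        print(f"{key:>16}: {value}")
```

On a real $MFT exported from FTK Imager, feed each 1024-byte slice to parse_mft_record; an entry whose in_use flag is False is the unallocated record of a deleted file, and the times it still carries are those the Hex Value Interpreter would show.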
We were able to use FTK Imager to find file artifacts and metadata in the Master File Table ($MFT). Such information including the timestamps and date stamps can be extremely useful in a forensic investigation.
Our next complementary tutorial focuses on successfully recovering data using FTK Imager and particularly on recovering the image (JPEG) file that we briefly mentioned in this tutorial. In that tutorial, we also reveal what the image SunnyHoi.jpg looks like.
We also have another helpful tutorial on how to use FTK Imager to create a disk image of a local drive.