The American Society of

          Digital Forensics & eDiscovery, Inc

          For Digital Evidence Experts™


.

.



.


Master File Table - MFT and Computer Forensics.

In computer forensics, the Master File Table (MFT) is a crucial component of the Windows operating system. It is a database that contains essential information about every file and directory on a computer's hard drive. The MFT keeps track of a file's location on the hard drive and manages other attributes. It contains metadata about each file, such as its name, size, creation date, and access permissions. They understand this data is critical for any computer forensics examination.


The MFT stores information about large numbers of files efficiently. Because it is a database, it can be easily searched and accessed by the operating system. It allows the operating system to quickly locate and access files, even when millions of them are on the hard drive.


The MFT is essential for ensuring the integrity and reliability of the file system. It keeps track of all the changes made to the files and directories on the hard drive so that if something goes wrong, the operating system can use the information in the MFT to restore the file system to a previous state. These changes provide the computer forensics / digital forensics examiner with critical information.


Each MFT entry is exactly 1024 bytes. Setting your computer forensics software to display the data in 1024-byte chunks is easy. It includes the file name, file extension, creation date, modification date, last accessed date, the date the MFT entry modified, and much more information. It also includes a data area. If a file is tiny, it is possible for it to only exist within the MFT. In this case, the file is called a resident file. When the file is large, its data is on a cluster on the hard drive. This location is stored within the MFT. 


Another critical function of the MFT is to manage the allocation of space on the hard drive. When a new file is created, the operating system uses information in the MFT to find an area of the hard drive where the file can be stored and organized in an efficient manner. The MFT stores tiny files within itself, while larger files are in specific locations on the hard drive.


In summary, the Windows Master File Table is an essential component of the operating system, and it is critical to examine this information as part of a computer forensics review. It provides crucial information about the files and directories on the hard drive and uses the operating system to access and manage those files quickly. It also helps to ensure the integrity and reliability of the file system and manages the allocation of space on the hard drive. Without the MFT, the operating system would not be able to function correctly.


Tools to extract MFT

Jeff Bryner - MFT Grabber

NTFS Walk

Eric Zimmerman - MFTECmd


Here is a helpful YouTube video, which  walks through the MFT.

Click here


J

O

I

N


A

S

D

F

E

D


Click here

CONTACT US

The American Society of

     Digital Forensics & eDiscovery, Inc

     For Digital Evidence Experts™

       2451 Cumberland Parkway, Suite 3382 

       Atlanta, GA 30339-6157

       (866) 534-9734

       Contact us online.




 PRIVACY

TERMS OF USE


Copyright 2023

All Rights Reserved

Powered by Wild Apricot Membership Software