Project Name: How to recover Master File Table(MFT)
Description: Step by step guide to How to recover Master File Table. The master file table (MFT) is a storage point or centralize repository for each and every file and directory on an NTFS volume is stored.
Author: Rohit D Sadgune
Summary of Content
- How to recover Master File Table (MFT)
- Master File Table(MFT) forensics
- Concept behind Master File Table(MFT)
- Significance of Master File Table(MFT) with digital forensics
Moment you crate a file of directory on NTFS file system a recored gets created in Master File Table(MFT). The size of each record in the MFT is very important for master file table investigation. As per the experience of digital forensics expertise every record is equal to the cluster size of the volume,with a minimum of 1,024 bytes and a maximum of 4,096. However, some digital forensics experts claims that the size of each MFT record is fixed at either 1,024 or 2,048 bytes
In NTFS (New Technology File system) all physical and logical file, directory on HDD, MAC i.e modified, accessed, created time associated with files and directories along with this permission associated with each of them is stored in Master File Table(MFT) (MFT). This supreme feature enables fast and reliable file search without requiring any other indexing software. The Master File Table(MFT) framework helps to minimize disk fragmentation.
On your physical storage device 2 copies of the MFT are stored & that can be used scenarios where MSFT gets corrupted or lost. The second record of MFT is called mirror.MFT and both the files are stored in MBR (Master Boot Record).
Master File Table(MFT) Attributes
| Attribute Type | Master File Attribute Description |
| Standard Information | IT describes timestamp of files and associated link count. |
| Attribute List | Lists the address of all attribute records that do not fit in the Master File Table(MFT) record. |
| File Name | Finale attribute is applicable to short and long file name. Long file name is up to 255 character and shot file name is 8.3. |
| Security Descriptor | This attributes gives reference of who owns the file and who can access it. |
| Data | Contains file data. NTFS has one or more data attributes per file. Each file typically has one unnamed data attribute. |
| Object ID | A volume-unique file identifier. All the files may or may not have the object identifiers. |
| Logged Utility Stream | Identical to data stream, Files operations are tracked by NTFS log file just like NTFS metadata changes. This is used by EFS. |
| Reparse Point | This attribute is particularly for disk volume mount points. |
| Index Root | This attribute is particularly for implementation folders and other indexes. |
| Index Allocation | This attribute is particularly for implementation folders and other indexes. |
| Bitmap | This attribute is particularly for implementation folders and other indexes. |
| Volume Information | This attribute is particularly for $Volume system file. Contains the volume version. |
| Volume Name | This attribute is particularly for $Volume system file. Contains the volume label. |
Metadata associated with Master File Table(MFT)
For reference :- https://en.wikipedia.org/wiki/NTFS
| System File | File Name | MFT Record |
| Master File Table(MFT) | $Mft | 0 |
| Master File Table(MFT) 2 | $MftMirr | 1 |
| Log file | $LogFile | 2 |
| Volume | $Volume | 3 |
| Attribute definitions | $AttrDef | 4 |
| Root file name index | $ | 5 |
| Cluster bitmap | $Bitmap | 6 |
| Boot sector | $Boot | 7 |
| Bad cluster file | $BadClus | 8 |
| Security file | $Secure | 9 |
| Upcase table | $Upcase | 10 |
| NTFS extension file | $Extend | 11 |
| Quota management file | $Quota | 24 |
| Object Id file | $ObjId | 25 |
| Reparse point file | $Reparse | 26 |
Most of the digital forensics software are capable of showing Master File Table(MFT) Entities and its associated files. To recover Master File Table(MFT) we will be using ProDiscover Incident Response. ProDisover is having amazing functionality to export Master File Table(MFT) in human readable format.
Open a prodiscover incident response console. Create an new case or open existing case.
Now select appropriate disk volume from which you want recover Master File Table(MFT). Here I have selected PhysicalDrive0.
To the left side of prodiscover tree panel click in the “Content View” -> “Disk” -> “PhysicalDirve0” -> “C:”
In the last portion you can select the appropriate drive.
Now “Right Click” on respective drive
Select option “Export MFT”
As you will select this option a window will pop-up to select appropriate location where you want to save Master File Table(MFT).
Note :- Here Master File Table(MFT) gets stored in .csv format.
Now the exporting of Master File Table(MFT) from prodisvover will start
For your reference please find the sample layout of Master File Table(MFT). There are many digital forensics investigator and forensics researcher which are working daily on Master File Table(MFT) but hardly any one of them has released a layout of Master File Table(MFT).
Prodiscover incident response has helped us to export Master File Table(MFT) or to recover Master File Table in a human readable format.
The sample header of Master File Table(MFT) is.
Record Number, Good, Active, Record type, Parent Folder, Record Sequence, Filename#1, Std Info Creation date, Std Info Modify date, Std Info Access date, Std Info Entry date, FN Info Creation date, FN Info Modify date, FN Info Access date, FN Info Entry date, Object ID, Birth Volume ID, Birth Object ID, Birth Domain ID, Filename#2, FN Info Creation date, FN Info Modify date, FN Info Access date, FN Info Entry date, Filename#3, FN Info Creation date, FN Info Modify date, FN Info Access date, FN Info Entry date, Filename#4, FN Info Creation date, FN Info Modify date, FN Info Access date, FN Info Entry date, Standard Information, Attribute List, Filename, Object ID, Volume Name, Volume Info, Data, Index Root, Index Allocation, Bitmap, Reparse Point, EA Information, EA, Property Set, Logged Utility Stream
Note: – Entire demonstration of Master File Table(MFT) Recovery is developed on education license of ProDiscover Incident Response.
