Inside NTFS: Discovering the Master File Table (MFT) – PART 2
In the previous article, we analyzed the NTFS boot sector and looked under the hood to understand some of the fields in that data structure. In this article, we go deep into the Master File Table (MFT) data structure.
Link of PART1 | http://goo.gl/juur5f
Important Note
We are sorry to inform you that, due to editing and printing mistakes, some parts of the previous article were dropped. The following was supposed to be mentioned:
– I use a great tool (HxD – HexEditor) to access the hard disk different sectors. You can download it from http://mh-nexus.de/en/, it is free. Once you install the tool, go to “Extras” in the menu, go to “Open Disk…” and choose one of the logical bootable disks. Please make sure that “Open as Readonly” checkbox is checked.
References:
1. File System Forensic Analysis, Brian Carrier, 2005, ISBN-10: 0-32-126817-2
To start digging into the design of NTFS, it should be understood that all data stored on a volume is contained in files, including the NTFS metadata and administrative data, which makes it easy for the file system to locate and maintain such data.
The MFT is the core of the NTFS volume structure; it is implemented as an array of file records. The size of each MFT record, or entry as some textbooks call it, is fixed at 1 KB regardless of the cluster size.
Each MFT entry describes a file or directory on the volume, and the file system metadata files themselves are described by MFT entries too. A schematic diagram of the MFT entry structure is as follows:
There are 12 fields occupying 42 bytes out of the 1024 allocated for each MFT entry; the remaining 982 bytes are empty and can be allocated to attributes.
The following table shows the 12 fields of the MFT entry:
Now, let us move on to the interesting part. From the previous article, please recall the following:
Starting cluster address of the MFT = 0x0c7fe9
Sectors per cluster = 8
Then, starting sector address of the MFT = 0x0c7fe9 * 8 = 0x63ff48, which is 6553416 in decimal.
Running HxD – HexEditor, please do the following steps:
– Click on “Extras”, “Open Disk…”
– Click on the “Logical disks”
– Choose “Local Disk”
– Make sure that “Open as Readonly” is selected.
– Type “6553416” in the “Sector” field to start accessing the MFT data.
Please note that the above sector number could differ from one machine to another.
Below is a dump of sector 6553416, which is the starting sector of the MFT.
The following is an interpretation of some of the fields in the MFT:
– Bytes 0x14-0x15 hold the offset to the first attribute, which is 0x0038. The byte at that offset contains 0x10, which identifies the attribute type as “$Standard_Information”. Please refer back to the “MFT Entry Attributes” table.
– Bytes 0x16-0x17 hold the MFT entry flags: if the value is 0x0001, the entry is in use, and if it is 0x0002, the entry is for a directory.
– Byte offset 0x38 is therefore the starting offset of the “$Standard_Information” attribute in our case; from here on we treat it as byte 0 of the attribute data structure.
– Bytes 4-7 hold the length of the attribute, which in this case is 0x00000060.
– Byte 8 has the value 0x00, which means the attribute is resident in the MFT. A resident attribute stores its content in the MFT entry together with the attribute header, while a non-resident attribute stores its content in external clusters in the file system.
– Bytes 16-19 hold the size of the attribute content, which is 0x00000048.
– Bytes 20-21 hold the offset to the content, which is 0x0018.
– Bytes 24-55 contain the timestamps for file creation, file alteration, MFT change, and file read.
– Bytes 56-59 contain the file attribute flags, which in this case are 0x00000006 (System + Hidden).
Below is a table of the file attribute flag values:
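As an added example (not code from the article), the walk through the entry header and the “$Standard_Information” attribute above, written as a small Python parser. The only assumption beyond the article's offsets is the Windows FILETIME encoding of the timestamps (100 ns ticks since 1601-01-01 UTC); the 1 KB sample entry is constructed to carry the article's values rather than read from a disk.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Subset of the file attribute flag table; the article's example value 0x06 is System + Hidden.
FILE_ATTRIBUTE_FLAGS = {0x01: "Read-only", 0x02: "Hidden", 0x04: "System"}
SAMPLE_TS = datetime(2014, 1, 1, tzinfo=timezone.utc)   # constructed timestamp for the sample

def filetime_to_datetime(ft):
    """NTFS timestamps are 100 ns ticks since 1601-01-01 UTC (assumed FILETIME encoding)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def parse_standard_information(entry):
    """Follow the entry header to its first attribute and decode a resident $STANDARD_INFORMATION.
    Header offsets 0x14/0x16 and the byte ranges inside the attribute are the ones the article
    walks through. The fixup array is not applied: it only touches the last two bytes of each
    sector, which lie outside this attribute."""
    if entry[0:4] != b"FILE":
        raise ValueError("not an MFT entry: bad signature")
    first_attr, entry_flags = struct.unpack_from("<HH", entry, 0x14)
    a = first_attr  # treat the attribute start as byte 0, as the article does
    attr_type, attr_len, non_resident = struct.unpack_from("<IIB", entry, a)
    if attr_type != 0x10 or non_resident:
        raise ValueError("first attribute is not a resident $STANDARD_INFORMATION")
    content_size, content_off = struct.unpack_from("<IH", entry, a + 16)
    created, altered, mft_changed, read, file_flags = struct.unpack_from("<QQQQI", entry, a + content_off)
    return {
        "in_use": bool(entry_flags & 0x0001), "directory": bool(entry_flags & 0x0002),
        "attr_length": attr_len, "content_size": content_size,
        "created": filetime_to_datetime(created), "altered": filetime_to_datetime(altered),
        "mft_changed": filetime_to_datetime(mft_changed), "read": filetime_to_datetime(read),
        "file_flags": file_flags,
        "file_flag_names": [n for bit, n in FILE_ATTRIBUTE_FLAGS.items() if file_flags & bit],
    }

def build_sample_entry(ts=SAMPLE_TS, file_flags=0x06):
    """Constructed 1 KB entry carrying the article's values: first attribute at 0x38, attribute
    length 0x60, resident, content size 0x48 at offset 0x18, entry flags 0x0001."""
    e = bytearray(1024)
    e[0:4] = b"FILE"
    struct.pack_into("<HH", e, 0x14, 0x38, 0x0001)  # offset to first attribute, entry flags
    struct.pack_into("<IIBBHHHIH", e, 0x38, 0x10, 0x60, 0, 0, 0x18, 0, 0, 0x48, 0x18)
    ft = datetime_to_filetime(ts)
    struct.pack_into("<QQQQI", e, 0x38 + 0x18, ft, ft, ft, ft, file_flags)
    struct.pack_into("<I", e, 0x38 + 0x60, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(e)
```

Feeding `parse_standard_information` a 1024-byte entry read at sector 6553416 (after applying the fixup array) yields the same fields the article decodes by hand.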
References:
1. File System Forensic Analysis, Brian Carrier, 2005, ISBN-10: 0-32-126817-2
2. http://technet.microsoft.com/en-us/library/cc976808.aspx
3. http://msdn.microsoft.com/en-us/library/bb470038(VS.85).aspx
4. HxD – HexEditor, used to access the different sectors of the hard disk. You can download it for free from http://mh-nexus.de/en/
5. PhysicalDiskProp.exe can be downloaded from https://dub002.mail.live.com/default.aspx?id=64855&owa=1&owasuffix=owa%2f#!https://skydrive.live.com/?cid=b106de1366bb1ddc!cid=B106DE1366BB1DDC&id=B106DE1366BB1DDC%21227