The Master File Table — Deep Analysis

14 hours · Module 1 · Free

1.1: What this module covers

The Master File Table is the single most important forensic artifact in Windows. Every file and directory on an NTFS volume has at least one MFT record — a 1,024-byte structure containing the file's name, timestamps, size, security descriptor, data content (for small files), and cluster pointers (for large files). When a file is deleted, the MFT record is marked as available for reuse but the metadata persists until the entry is reallocated.

This module takes you inside the MFT record at the binary level. You will read raw hex, understand every byte offset, parse attribute headers, interpret timestamps with nanosecond precision, and correlate MFT data with other artifact sources. By the end, you can open an MFT record in a hex editor and extract more information than most practitioners get from parser output — including information the parser doesn't report.

1.2: What you will learn

Seven sections, each building a specific MFT analysis capability.

Section 1.1: MFT Record Structure, Allocation, and Sequence Numbers. The 1,024-byte record layout: header fields, fixup array, attribute chain. The allocation cycle, sequence number forensics, stale reference detection, and MFT growth.

Section 1.2: $STANDARD_INFORMATION and $FILE_NAME Attributes. The two timestamp attributes at the binary level. FILETIME format, the four MACE timestamps in $SI, permission flags, USN field. $FN parent reference, namespace flags, the $FN timestamp update rules, tunnel cache, and the $SI/$FN comparison that detects timestomping.

Section 1.3: $DATA, $INDEX, and Directory Analysis. Resident data inside the MFT record, non-resident data runs, Alternate Data Streams, Zone.Identifier. Directory B-tree structure, $I30 index entries, and recovering deleted filenames from index slack space.

Section 1.4: Extracting, Parsing, and Timeline Construction. KAPE extraction, MFTECmd parsing, Timeline Explorer analysis, the copy indicator pattern, nanosecond precision for event sequencing, and bodyfile output for super timelines.

Section 1.5: Detecting Timestomping Through MFT Analysis. Three independent methods ($SI/$FN comparison, nanosecond precision analysis, USN Journal correlation), the systematic detection workflow, classification system, and reporting.

Section 1.6: Deleted File Recovery from MFT. Identifying freed entries, recovering resident content, assessing non-resident recoverability on HDD vs SSD, Volume Shadow Copy recovery, Recycle Bin analysis, and documenting recovery methodology.

Section 1.7: NE Scenarios and Advanced Edge Cases. Applying MFT analysis to the three investigation scenarios. Compressed files, encrypted files, hard links, junction points, extension records, and ReFS differences.
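The record layout from Section 1.1 and the $SI/$FN comparison from Sections 1.2 and 1.5, as an added Python example that is not part of the course material: it builds a constructed 1,024-byte record with the fixup words in their on-disk positions, then parses it back, verifying the fixups, walking the attribute chain to the end marker, and reporting the two timestomping indicators. Offsets follow the standard NTFS FILE record and resident attribute headers; the sample record, its timestamps and the filename are constructed values.

```python
import struct
def resident_attr(atype, content, attr_id):
    # resident attribute: 0x18-byte header + content, total length rounded up to 8 bytes
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (length - 0x18 - len(content))

def build_record(si_times, fn_times, name, seq=5, usn=0x1234):
    # constructed sample record (not from a real volume): $SI (0x10), $FN (0x30), end marker
    si = struct.pack("<4Q6IQQ", *si_times, 0x20, 0, 0, 0, 0, 0, 0, 0x1F00)  # flags ... quota, USN
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), *fn_times, 0, 0, 0x20, 0, len(name), 3)
    attrs = resident_attr(0x10, si, 0) + resident_attr(0x30, fn + name.encode("utf-16-le"), 1) + b"\xff" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 2, 0, 42)
    rec = bytearray(hdr + struct.pack("<H", usn) + b"\0" * 6 + attrs) + b"\0" * (1024 - 0x38 - len(attrs))
    for i in (0, 1):  # on-disk form: last word of each 512-byte sector is swapped with the USN
        tail = 512 * (i + 1) - 2
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[tail:tail + 2]
        rec[tail:tail + 2] = rec[0x30:0x32]
    return bytes(rec)

def parse_record(buf):
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD, zeroed, or not an MFT entry)")
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    rec, usn = bytearray(buf), buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):  # undo fixups; a sector tail that is not the USN means a torn write
        end = 512 * i - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"seq": seq, "in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:  # walk attribute chain to the end marker
        atype, alen, clen, coff = struct.unpack_from("<II8xIH", rec, off)
        body = rec[off + coff:off + coff + clen]
        if atype == 0x10:  # $STANDARD_INFORMATION: C, M, MFT-M, A timestamps; USN at offset 0x40
            out["si"], out["si_usn"] = struct.unpack_from("<4Q", body), struct.unpack_from("<Q", body, 0x40)[0]
        elif atype == 0x30:  # $FILE_NAME: parent ref, C, M, MFT-M, A, sizes, flags, name length, name
            out["fn"], out["name"] = struct.unpack_from("<4Q", body, 8), body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def timestomp_indicators(r):
    hits = []
    if r["si"][0] < r["fn"][0]:  # $FN is written by the kernel and is not reachable through SetFileTime
        hits.append("$SI created precedes $FN created")
    if all(t % 10_000_000 == 0 for t in r["si"]):  # FILETIME is 100 ns ticks; a zero fraction is a tool artifact
        hits.append("$SI sub-second ticks are all zero")
    return hits

SAMPLE = build_record([132_000_000_000_000_000] * 4, [133_200_000_000_000_007] * 4, "invoice.pdf")  # constructed: $SI stomped to whole seconds, $FN keeps the real odd tick
```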

1.3: Prerequisites

Complete Module 0 (The Forensic Artifact Landscape) before starting this module. Section 0.3 (NTFS Architecture and Timestamps) is foundational for every section here. You should have your forensic analysis workstation configured (Section 0.6) with HxD and MFTECmd installed.

1.4: How to approach this module

This is the densest module in the course. Budget 14 hours across several sessions. Sections 1.1-1.2 (record structure, attributes) are the conceptual core — take these slowly with HxD open alongside the text. Sections 1.4-1.5 (extraction, timeline, timestomping) are the practical core — run every command and verify every output. Section 1.7 (edge cases) is reference material for when you encounter unusual records.

1.5: Module structure

  • 1.1 MFT Record Structure, Allocation, and Sequence Numbers
  • 1.2 $STANDARD_INFORMATION and $FILE_NAME Attributes
  • 1.3 $DATA, $INDEX, and Directory Analysis
  • 1.4 Extracting, Parsing, and Timeline Construction
  • 1.5 Detecting Timestomping Through MFT Analysis
  • 1.6 Deleted File Recovery from MFT
  • 1.7 NE Scenarios and Advanced Edge Cases

Go to Section 1.1 to begin.
