Sign In
In this section

NE Scenarios and Advanced Edge Cases

14 hours · Module 1 · Free
What you already know
Sections 1.1 through 1.6 taught MFT structure, parsing, timeline construction, timestomping detection, and deleted file recovery. This section applies every technique to the three Northgate Engineering scenarios and covers the edge cases you will encounter in real investigations.

Scenario

The insider threat investigation has 7 forensic questions (Module 0, Section 0.10). Four of them are answerable from MFT analysis alone: which files were copied (copy indicator), when were they copied ($SI Created timestamps), were files staged in a directory ($I30 + MFT timestamps), and did the subject attempt to delete evidence (deleted MFT entries + anti-forensic indicators).

MFT EVIDENCE ACROSS THREE NE INVESTIGATION SCENARIOS INC-NE-2026-0915 Insider Data Exfiltration MFT evidence targets: • Copy indicator: $SI M < $SI C on files in staging directories • File creation timeline: 6-week copying pattern (dates, volumes) • Parent directory references: which directories were used for staging • Deleted entries: files removed from staging after USB transfer • $I30 slack: evidence in cleaned staging directories Key question: What was copied, when? Legal hold — court-admissible standard INC-NE-2026-1022 Ransomware Attack MFT evidence targets: • Mass modification: $SI M timestamps in 4-minute encryption window • New executables: $SI C timestamps for attacker tools deployment • Timestomping: $SI/$FN comparison on attacker executables • Deleted tools: recovery of cleaned attack tools from freed entries • Ransom notes: $SI C timestamps confirm deployment timing Key question: Attack timeline and scope? Insurance claim + regulatory notification INC-NE-2026-1130 Unauthorized Access Dispute MFT evidence targets: • File access: $SI Accessed timestamps (limited by NtfsDisableLastAccess) • No modification: $SI M unchanged proves access without edit • Parent directory: $FN parent ref confirms file location in share • MFT limitations: MFT alone cannot prove WHO accessed the file • Requires: ShellBags, LNK, Event Logs for user attribution Key question: Did this person access it? HR legal proceeding — preponderance

Figure WF1.11 — MFT evidence targets for each NE investigation scenario. The insider threat investigation uses the copy indicator and staging directory analysis. The ransomware investigation uses mass modification timelines and timestomping detection. The access dispute uses timestamp analysis but requires corroboration from user activity artifacts (ShellBags, LNK, Event Logs) for attribution.

Scenario 1 — Insider data exfiltration (INC-NE-2026-0915)

The departing engineer at Northgate Engineering copied proprietary manufacturing specifications to USB and cloud storage over a 6-week period. MFT analysis targets the engineer's workstation (DESKTOP-NGE-ENG14) to answer three questions: what files were copied, when were they copied, and where were they staged.

Identifying copied files. The copy indicator ($SI Modified before $SI Created) identifies every file that was copied to the workstation. Filter MFTECmd output for the engineer's profile directories (C:\Users\[username]\), the Documents and Desktop folders, and any non-standard directories. Sort by Created0x10. Entries where LastModified0x10 is earlier than Created0x10 are copies. The Created0x10 timestamp is when the copy was made. The LastModified0x10 timestamp is when the file was last edited at its original location — potentially months or years ago, reflecting the file's production history.

The copy indicator analysis produces a complete list of files copied to the workstation during any time period. Filter to the 6-week investigation window to identify the relevant copies. Files copied before the investigation window may be routine work activity. Files copied during the 6-week window — particularly files from restricted network shares containing manufacturing specifications — are exfiltration candidates.

Staging directory analysis. Look for directories created during the investigation window that contain clusters of copied files. A directory named something innocuous ("Project Archive", "Backup", "Personal") that contains 50 files with copy indicators all dated within the investigation window is a staging directory. The directory's own MFT record shows its creation time (when the directory was created for staging) and the $I30 index entries show when files were added.

If the staging directory was cleaned up (files deleted after USB transfer), the deleted MFT entries may still be recoverable. If the MFT entries were reallocated, the $I30 slack in the directory's index records may still contain the filenames and timestamps of the deleted files (Section 1.5). Check the directory's $SI Entry Modified timestamp as well. A directory that was created, had 50 files added, then had all 50 files deleted will show a recent Entry Modified timestamp even if the directory itself is now empty. The gap between the directory's Created timestamp and its Entry Modified timestamp spans the entire staging operation.

Timeline construction. Build a chronological timeline of copy operations by sorting the copied files by Created0x10. This shows the exfiltration pattern: which files were copied first, whether the copying occurred in sessions (clusters of copies separated by hours or days), and whether the pattern accelerated as the departure date approached. The timeline may show daily copying sessions during the engineer's lunch break, weekend access, or late-night sessions — each pattern provides evidence about the intent and method.

The nanosecond precision of the timestamps reveals whether the copies were performed manually (one file at a time, with gaps between copies as the user navigates) or by a tool (rapid sequential timestamps with consistent intervals). Manual copying produces irregular intervals. Scripted or drag-and-drop batch copying produces regular intervals. This distinction affects how you characterize the behavior in your report.

Scenario 2 — Ransomware attack (INC-NE-2026-1022)

The ransomware attack at Northgate Engineering involved 72 hours of activity from initial phishing access to encryption deployment. MFT analysis targets the patient zero workstation (DESKTOP-NGE-FIN01) and the encrypted server (SRV-NGE-FS01) to establish the attack timeline, identify attacker tools, and scope the encryption damage.

Mass modification timeline. The encryption event produces a characteristic MFT pattern: thousands of files with $SI Modified timestamps within a narrow time window (the encryption duration). Filter MFTECmd output for files with LastModified0x10 within the suspected encryption window. Sort by timestamp to determine the encryption start time, the encryption speed (files per second), and the encryption scope (which directories were affected, in what order).

The nanosecond precision of FILETIME timestamps reveals the encryption sequence: which directory was encrypted first, which was encrypted last, and how the ransomware traversed the filesystem. This information helps reconstruct the ransomware's directory walking algorithm and may identify directories that were skipped (perhaps the ransomware encountered an error or was terminated before completing).

Attacker tool detection. The attacker deployed tools (the ransomware executable, lateral movement tools, credential dumping utilities) in specific directories. Filter MFTECmd output for new executables (.exe, .dll, .bat, .ps1) created during the 72-hour intrusion window. Apply the timestomping detection methodology (Section 1.9) to every identified executable — attackers routinely timestomp their tools to blend with legitimate system files.

The $FN Created timestamps on attacker tools provide the real deployment timeline: when each tool was placed on the system, the sequence of tool deployment (reconnaissance tools first, then credential tools, then lateral movement tools, then the ransomware itself), and the time gaps between deployment stages. These gaps reveal the attacker's operational rhythm. A 12-hour gap between reconnaissance and credential dumping may indicate the attacker was operating from a different time zone and resumed work the next day. A 30-second gap suggests automated scripting.

Deleted tool recovery. After encryption, some attackers clean up their tools — deleting the deployment scripts, the lateral movement executables, and the credential dumping utilities. MFT analysis of freed entries in the attacker's staging directories may recover the deleted tools. The deployment batch script (if small enough to be resident) may be fully recoverable from its freed MFT entry, revealing the exact commands used to deploy the ransomware across the network.

Check $I30 slack in the attacker's staging directories as well. Even if the freed MFT entries have been reallocated, the directory's index slack may preserve the tool filenames and deployment timestamps. This evidence can establish the scope of the attacker's toolkit even when the tools themselves are unrecoverable.

Encryption scope assessment. The MFT provides a precise count of affected files. Filter for files with $SI Modified timestamps in the encryption window and group by parent directory. The result is a directory-by-directory encryption map: which shares were encrypted, how many files in each, and the total encrypted volume. This data feeds directly into the insurance claim (demonstrating the scope of damage) and the regulatory notification (identifying which data categories were affected).

Scenario 3 — Unauthorized access dispute (INC-NE-2026-1130)

The access dispute is the most constrained of the three scenarios from an MFT perspective. The employee claims they never accessed a restricted file share. MFT analysis alone cannot resolve this claim because MFT timestamps do not record which user performed a file operation — they record that the operation occurred. Resolving the access question requires correlating MFT evidence with user-specific artifacts: ShellBags (folder navigation), LNK files (file opening), Event Logs (authentication to the file server), and session data (logon/logoff times).

What the MFT can contribute to this investigation:

Accessed timestamp evidence (limited). On the file server (SRV-NGE-FS01), the files in the restricted share have $SI Accessed timestamps. If NtfsDisableLastAccessUpdate is not enabled on the server (servers often have this enabled by default on Windows Server 2019+), the Accessed timestamps may show when the files were last read. If the Accessed timestamp falls within the employee's authenticated session time, it is consistent with access — but not proof, because other users may have accessed the same files.

No modification evidence. If the employee only browsed the restricted share without downloading or editing files, the $SI Modified timestamp on the share's files would be unchanged. This is consistent with both "the employee accessed the files (read-only)" and "the employee never accessed the files (someone else changed the Accessed timestamp)." The MFT evidence is ambiguous for read-only access. However, if the employee's workstation contains copies of the restricted files (identified via copy indicator), that is MFT evidence of data exfiltration from the restricted share, even if the server-side MFT is ambiguous about who performed the access.

Absence analysis. In access disputes, the absence of evidence can be as important as the presence of evidence. If the MFT shows no copy indicators for restricted files on the employee's workstation, no files from the restricted share in the employee's directories, and no deleted entries with restricted share parent paths, the MFT evidence is consistent with the employee's claim of no access. Document this absence explicitly: "MFT analysis of DESKTOP-NGE-HR03 found no files with parent paths matching the restricted share, no copy indicators for files from that share, and no deleted entries referencing that location. This absence is consistent with the employee's claim but does not conclusively prove it, because read-only server access without downloading would not create MFT evidence on the workstation."

Parent directory metadata. The restricted folder's MFT record has $SI Entry Modified and $SI Accessed timestamps. If the folder's metadata was updated during the employee's session, it is consistent with access. But again, the MFT timestamp does not record which authenticated session triggered the update. Multiple users may access the same folder within the same time window.

The key lesson: MFT analysis is necessary but not sufficient for the access dispute. It establishes the temporal framework (when files and directories were last accessed or modified) that other artifact sources corroborate with user-specific evidence. The ShellBag analysis (WF4) on the employee's workstation provides the user-specific folder navigation evidence that the MFT cannot.

Anti-Pattern

Analyzing only the MFT without corroboration

MFT analysis answers "what happened to files." It does not answer "who did it" (requires logon events), "how" (requires Prefetch and process execution evidence), or "how much data left the network" (requires SRUM). The MFT is one layer of a multi-artifact investigation. Document which questions the MFT answers and which require corroboration from other artifact sources covered in WF2-WF10.

MFT Analysis Focus by Scenario
INC-NE-2026-0915 (Insider): Copy indicator filter (Created0x10 > LastModified0x10), staging directory $I30 analysis, USB-related paths, deleted MFT entries in user directories
INC-NE-2026-1022 (Ransomware): Mass $SI Modified in short window, executable $FN Created during intrusion, timestomping on attacker tools, $I30 slack in ProgramData directories
INC-NE-2026-1130 (Access Dispute): $SI Accessed on restricted files (if NtfsDisableLastAccessUpdate=0), $FN timestamps on disputed files, absence analysis (no MFT evidence of access supports defense)

Investigation Principle

Each NE scenario has a different MFT analysis focus. Insider threat: copy indicators and staging directory analysis. Ransomware: mass file modification timeline and executable deployment. Access dispute: file access evidence and its absence. The MFT technique is the same. The investigative question determines which MFT patterns you search for.

Scenario

You encounter an MFT record where the $DATA attribute shows allocated size of 32KB but real size of 128KB. The allocated size is smaller than the real size, which is the opposite of normal (allocated >= real). This is a compressed file. The data run list contains sparse runs (zero-offset entries) representing space saved by compression. Raw cluster extraction produces compressed data that you must decompress before interpretation.

NTFS EDGE CASES — WHAT BREAKS STANDARD MFT ANALYSIS COMPRESSED $SI flag 0x0800 Allocated < Real size Data runs have sparse gaps Recovery requires decompress Pitfall: reporting allocated as file size ENCRYPTED (EFS) $SI flag 0x4000 $DATA content is ciphertext $LOGGED_UTILITY_STREAM attr Metadata (name, time) readable Pitfall: calling encrypted data "corrupt" SPARSE $SI flag 0x0200 Real size >> Allocated size Data runs with zero offsets Common: SRUM, event logs Pitfall: reading zero-filled regions as data HARD LINKS Link count > 1 in header Multiple $FN attributes Same $DATA, different names Multiple parent directories Pitfall: counting as separate files JUNCTIONS & SYMLINKS Reparse point attribute (0xC0) Redirect path to another location Junction: directory only, local volume Symlink: file or dir, can cross volumes EXTENSION RECORDS Base record ref (0x20) is non-zero File too many attrs for 1024 bytes Common: files with many ADS Or files with very long names + ACLs ReFS DIFFERENCES No MFT — uses B+ tree metadata No $FILE_NAME timestamps No $I30 slack recovery Limited forensic tooling (2026) DETECTION IN MFTECMD OUTPUT Compressed: AllocatedSize < RealSize + flag check | Encrypted: flag 0x4000 in $SI flags | Sparse: flag 0x0200 Hard links: same EntryNumber, multiple rows with different filenames | Junctions/Symlinks: ReparseTarget column populated Extension records: BaseRecordReference non-zero | ReFS: filesystem type check in boot sector (not NTFS signature)

Figure WF1.12 — NTFS edge cases that affect MFT forensic analysis. Each case has a specific identifier in MFTECmd output and requires adjusted analysis methodology. Failure to recognize these cases leads to incorrect file size reporting, content misinterpretation, or evidence double-counting.

Compressed files

NTFS compression stores file data in compressed form on disk while presenting the uncompressed data to applications through the filesystem API. The compression operates on 16-cluster compression units — NTFS compresses each 16-cluster block independently, and if the compressed result is smaller than 16 clusters, the saved space is represented as sparse runs in the data run list.

In the MFT record, compressed files are identified by the flag 0x0800 in the $SI attribute's permission flags field. The $DATA attribute's allocated size is smaller than the real size (the opposite of the normal relationship, where allocated size is equal to or slightly larger than real size due to cluster rounding). The data run list contains runs with zero offsets — these represent the sparse (saved) space within compressed units.

Forensic implications: when recovering a compressed file's content, you must decompress the data after extracting it from the cluster ranges. Raw cluster extraction produces compressed data that is not directly interpretable. MFTECmd correctly reports both the allocated size and real size for compressed files, but examiners who work directly with raw data must account for the compression.

Compressed files are relatively uncommon on modern Windows installations — Windows 10/11 does not compress files by default, and NTFS compression is generally discouraged due to performance impact. However, older systems, servers with disk space constraints, and systems where an administrator enabled compression on specific folders may contain compressed files.

EFS-encrypted files

The Encrypting File System (EFS) encrypts file content at the NTFS level. The file's $DATA attribute contains ciphertext rather than plaintext — the data is encrypted with a file encryption key (FEK), which is itself encrypted with the user's public key and stored in a $LOGGED_UTILITY_STREAM attribute (type 0x100) on the MFT record.

In MFTECmd output, EFS-encrypted files are identified by the flag 0x4000 in the $SI flags. The filename, timestamps, parent directory, and file size are all readable — encryption only affects the $DATA content, not the metadata. This means MFT-based timeline construction and deleted file metadata recovery work normally on encrypted files. The limitation is content recovery: extracting the $DATA content produces encrypted bytes that require the user's decryption key.

For forensic analysis of EFS-encrypted files, three approaches: recover the user's EFS certificate from their Windows profile (the certificate is stored in the user's certificate store and can be exported if you have the user's password or a domain recovery agent certificate), use a domain EFS recovery agent certificate (if configured by the organization), or analyze the file metadata without accessing the content. In many investigations, the metadata alone (filename, timestamps, parent directory, file size) is sufficient — you can prove the file existed and was accessed without needing to read its content.

Hard links create multiple directory entries pointing to the same MFT record. The MFT record has a hard link count greater than 1 (header offset 0x12), and contains multiple $FILE_NAME attributes — one for each hard link. Each $FN attribute has a different parent directory reference and potentially a different filename, but they all share the same $DATA attribute.

In MFTECmd output, hard-linked files appear as multiple rows with the same EntryNumber but different FileName and ParentPath values. The key forensic consideration is not to count hard links as separate files — they are different names for the same data. If a file appears in both C:\Windows\System32\ and C:\Windows\SysWOW64\ with the same entry number, it is one file with two names, not two files.

Hard links are commonly used by Windows itself (many System32 files are hard-linked to their SysWOW64 counterparts on 64-bit systems) and by the Windows Component Store (WinSxS). They are also used by some installation frameworks and occasionally by attackers who create hard links to legitimate system files as a persistence mechanism.

Junctions and symbolic links are NTFS reparse points — special directory or file entries that redirect filesystem access to a different location. They are identified in the MFT by the presence of a $REPARSE_POINT attribute (type 0xC0) containing the target path.

Junctions are directory-only, local-volume-only redirects. C:\Users\Default User is a junction pointing to C:\Users\Default. Junctions are transparent to applications — accessing the junction is the same as accessing the target. Windows uses junctions extensively for backward compatibility paths.

Symbolic links can be files or directories and can cross volume boundaries. They function similarly to junctions but are more flexible. Symbolic links were introduced in Windows Vista and are used less frequently than junctions.

Forensic implications: when you encounter a junction or symlink in an investigation, the files "inside" the junction don't actually exist at that path — they exist at the target path. An examiner who reports finding suspicious files in a junction directory is actually reporting files at the target location. MFTECmd reports reparse points in its output — check the ReparseTarget column to identify the real file location.

Extension records

When a file has more attributes than fit in a single 1,024-byte MFT record (many Alternate Data Streams, very long filenames, complex security descriptors, or numerous hard links), NTFS creates extension records — additional MFT entries that hold the overflow attributes. The base record's header at offset 0x20 (base record reference) is zero, and the extension record's base record reference points back to the base entry.

MFTECmd handles extension records automatically — it consolidates the base and extension attributes into a single output. When working with raw hex, check the base record reference at offset 0x20: if non-zero, the record you're examining is an extension. Navigate to the base record (identified by the entry number in the base reference) to find the primary attributes ($SI, first $FN, primary $DATA).

Extension records are uncommon — most files fit comfortably in a single MFT record. Files most likely to have extensions: files with many ADS, files with extremely long paths, and files with complex access control lists. In forensic analysis, extension records rarely cause issues because MFTECmd handles them transparently, but recognizing them in raw hex prevents confusion when an MFT record appears to lack expected attributes.

ReFS — a different filesystem entirely

ReFS (Resilient File System) is Microsoft's successor to NTFS, designed for data integrity and resilience. ReFS is used on Windows Server Storage Spaces Direct volumes and is available as a formatting option on some Windows 11 configurations. ReFS does not use an MFT — it uses B+ tree metadata structures that are entirely different from NTFS.

If you encounter a ReFS volume in an investigation, MFT analysis does not apply. The forensic tooling for ReFS is significantly less mature than NTFS tooling — as of 2026, no equivalent of MFTECmd exists for ReFS metadata. Analysis of ReFS volumes typically requires X-Ways Forensics or EnCase, which have limited but growing ReFS support.

The key forensic considerations for ReFS: no $FILE_NAME timestamps (removing the primary timestomping detection method), no $I30 slack (removing directory-level deleted file recovery), and no resident data recovery (ReFS uses a different small-file storage mechanism). The loss of these forensic capabilities makes ReFS evidence significantly harder to analyze than NTFS evidence.

In practice, you will rarely encounter ReFS on workstation evidence. It is primarily used on server storage volumes. When you do encounter it, document the filesystem type in your report and note the limitations of the analysis compared to NTFS evidence.

Anti-Pattern

Assuming compressed file recovery works like normal file recovery

NTFS compression operates on 16-cluster compression units. Recovering compressed file content requires decompressing after extraction. Raw cluster reads produce compressed data, not readable content. MFTECmd and icat handle decompression automatically, but manual recovery from raw disk requires understanding the compression unit structure. Partial recovery from compressed files is unreliable because each 16-cluster unit is compressed independently.

Edge Case Recognition Guide
Compressed: Flag 0x0800 in $SI + allocated size < real size + sparse data runs. Decompress before interpreting content.
EFS Encrypted: Flag 0x4000 in $SI + $DATA contains encrypted content. Requires user's certificate/key for decryption.
Hard Links: Link count > 1 in header + multiple $FN attributes with different parent refs. Same data, different names.
Junction/Symlink: Reparse point flag + $REPARSE_POINT attribute. Target path may be different from apparent path.
Extension Records: $ATTRIBUTE_LIST present + base record ref != 0 on extension records. Walk the list for complete attributes.
ReFS: Different filesystem entirely. No MFT, different metadata, limited tool support. Boot volume is always NTFS.

Investigation Principle

Advanced MFT edge cases are reference material. You will encounter them occasionally in real investigations. The key is recognizing the indicators in MFTECmd output (compressed flag, allocated < real size for compression; encrypted flag for EFS; multiple $FN attributes for hard links; reparse point flag for junctions/symlinks) and knowing which edge case you are dealing with before attempting recovery or interpretation.

Next
The interactive lab in the next section applies MFT analysis techniques to a hands-on deep-dive exercise. After that, the Module Summary and Check My Knowledge consolidate everything from Module 1.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.
Unlock the Full Course See Full Course Agenda
← Previous Next →