Artrebultan
Jan 29, 2024
OVERVIEW
The Master File Table (MFT) is a core component of NTFS, the Windows file system, serving as the central repository of information about every file and folder stored on a volume. It works like an index that keeps track of the names, locations, sizes, and security attributes of every file on the computer.
The MFT is particularly important in cybersecurity investigations, as it provides valuable insight into file system activity and potential security breaches. DFIR (Digital Forensics and Incident Response) professionals often examine MFT records to reconstruct events, track malware infections, and identify the origin of data breaches.
KEY TAKEAWAYS
1. Reconstructing the Timeline of Events: The MFT contains timestamps for every file creation, modification, or deletion, providing a chronological record of file system activities. By analysing these timestamps, investigators can piece together the sequence of events leading up to and during a security breach.
2. Identifying File Access and Modifications: The MFT logs every access to a file, including who accessed the file, when it was accessed, and the type of access (read, write, or execute). This information can reveal suspicious activity, such as unauthorized access to sensitive files or attempts to modify critical system components.
3. Tracking Malware Propagation: Malware infections often modify file timestamps, create new files, or delete existing ones. By analysing MFT records for these anomalies, investigators can trace the infection path and identify the malware’s entry point.
4. Locating Evidence and Artifacts: The MFT can serve as a treasure trove of evidence, including file metadata, deleted files, and timestamps that can be used to reconstruct the attack and identify potential suspects.
5. Gaining Insight into Attacker Tactics, Techniques, and Procedures (TTPs): The MFT can provide insights into the attacker’s methods, such as the tools they used, the files they targeted, and the techniques they employed to gain access or maintain persistence on the system.
6. Supporting Legal Investigations: MFT records can be used as evidence in legal proceedings, providing clear and verifiable timestamps and access details to support criminal investigations.
BLUF: investigating the MFT is a crucial step in any cybersecurity investigation, as it provides valuable insight into the activities of attackers, the timeline of events, and the potential impact of the breach. By understanding the MFT’s structure and analysing its records, investigators can reconstruct the attack, identify the source, and gather evidence to support legal action.
EXTRACTING, VIEWING, and ANALYSING MFT — ACCESSDATA FTK
TECHNICAL STEPS
1. Run AccessData FTK Tool
2. Click File (a sample EnCase evidence file used in this walkthrough: https://drive.google.com/file/d/1Fd1pX1r4waRkD6Z2O8J5cRZyeSNU5-SY/view)
3. Click Add Evidence Item
4. Click Image File
5. Locate and select the Artifact/Evidence file (E01, AFF, VMDK, DD)
6. Process the image
· After adding the image, FTK will require you to process it. Choose the appropriate processing options, making sure to select the options that parse the file system, which includes the MFT.
7. Viewing the MFT:
· Once processing is complete, navigate to the ‘File System’ tab. Locate the root of the drive contained within the E01 file. Here, you should find the MFT listed, typically as “$MFT”.
8. Analyse the MFT
· You can view the details of the MFT, analyse file metadata, and perform other forensic examinations as required.
9. Export the MFT:
· Right-click and select “Export the File”
10. Download an MFT viewer tool:
· MFT to CSV (MFT2CSV) from https://code.google.com/archive/p/mft2csv/downloads
· Install and Run
11. Select the exported $MFT file and process it into a CSV file.
12. Open the CSV file and investigate the records.
TIP:
· Convert the CSV to an Excel file for a more organized and readable view.
o CSV To Excel/Delimited Converter (convertcsv.com)
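Once $MFT has been exported (step 9), the records can also be read directly rather than only through a CSV viewer. The following Python is an added example, not part of the original post or of any tool named here: it parses one 1024-byte FILE record, undoes the update-sequence fixups, and compares the $STANDARD_INFORMATION timestamps against the kernel-maintained $FILE_NAME ones, which is the check behind the timestamp-anomaly takeaways above. The sample record, its file name and its timestamps are constructed inline so the block runs offline.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):  # UTC datetime -> NTFS FILETIME (100 ns ticks since 1601-01-01)
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def attr(atype, body):  # resident attribute: 24-byte header + body, padded to an 8-byte boundary
    length = (24 + len(body) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body.ljust(length - 24, b"\0")

def build_record(name, si_times, fn_times, recno=7):  # constructed 1024-byte FILE record, not from a real disk
    body = attr(0x10, struct.pack("<4Q", *si_times) + bytes(40))
    body += attr(0x30, struct.pack("<Q4QQQIIBB", 5, *fn_times, 0, 0, 0, 0, len(name), 3) + name.encode("utf-16-le"))
    body += b"\xff\xff\xff\xff"                                 # end-of-attributes marker
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 48, 3, 0, 1, 1, 56, 1, 56 + len(body), 1024, 0, 2, 0, recno)
    rec = bytearray((hdr + b"\x01\x00" + bytes(6) + body).ljust(1024, b"\0"))  # USA at 48: USN=1 + 2 saved words
    for i, pos in enumerate((510, 1022)):                       # save each sector's last word, stamp the USN over it
        rec[50 + 2 * i:52 + 2 * i], rec[pos:pos + 2] = rec[pos:pos + 2], rec[48:50]
    return bytes(rec)

def parse_record(rec):  # undo the fixups, then walk the attributes for $SI/$FN timestamps and the file name
    if rec[:4] != b"FILE": raise ValueError("not a FILE record")
    rec = bytearray(rec)
    usa_off, usa_cnt, _, _, _, attr_off, flags = struct.unpack_from("<HHQHHHH", rec, 4)
    for i in range(1, usa_cnt):                  # each 512-byte sector ends with the USN; restore the original word
        pos = 512 * i - 2
        if rec[pos:pos + 2] != rec[usa_off:usa_off + 2]: raise ValueError("fixup mismatch: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    info = {"recno": struct.unpack_from("<I", rec, 44)[0], "in_use": bool(flags & 1), "dir": bool(flags & 2)}
    off = attr_off
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:
        atype, alen, nonres, clen, coff = struct.unpack_from("<IIB7xIH", rec, off)
        if alen < 24: raise ValueError("bad attribute length")
        body = rec[off + coff:off + coff + clen] if not nonres else b""   # $SI and $FN are always resident
        if atype == 0x10:                        # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed
            info["si"] = list(struct.unpack_from("<4Q", body, 0))
        elif atype == 0x30:                      # $FILE_NAME: the same four, kernel-maintained, then the name
            info["fn"] = list(struct.unpack_from("<4Q", body, 8))
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return info

def timestomp_indicators(info):  # $SI earlier than $FN (user-mode APIs rewrite only $SI) or whole-second $SI values
    hits = ["si_created_before_fn_created"] if info["si"][0] < info["fn"][0] else []
    return hits + [f"si_{n}_whole_second" for n, t in zip(("created", "modified"), info["si"]) if t % 10_000_000 == 0]

# Constructed sample: $FN holds the true 2024 creation time; $SI was "stomped" back to 2010 on exact seconds.
REAL = to_filetime(datetime(2024, 1, 15, 10, 30, 0, 123456, tzinfo=timezone.utc))
FAKE = to_filetime(datetime(2010, 5, 1, tzinfo=timezone.utc))
SAMPLE = build_record("evil.exe", (FAKE, FAKE, REAL + 10_000_000, FAKE), (REAL,) * 4)
```

For a real export, feed parse_record each 1024-byte chunk of the $MFT file (the record size on most volumes; the boot sector holds the actual value) and skip records that do not start with "FILE".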
EXTRACTING, VIEWING, and ANALYSING MFT — AUTOPSY
TECHNICAL STEPS
1. Open Autopsy:
• Launch Autopsy and create a new case or open an existing one.
2. Add Data Source:
• Within the case, select ‘Add Data Source’.
• Choose ‘Disk Image or VM File’ and navigate to your E01 file.
• Select the file and add it to your case.
3. Configure Ingest Modules:
• As you add the E01 file, you will be prompted to configure ingest modules.
• Select the modules that are relevant to your investigation. Ensure that file system data parsing is enabled.
4. Processing Data Source:
• Allow Autopsy to process the data source. This might take some time depending on the size of the image and the modules selected.
5. Viewing the MFT:
• Once processing is complete, navigate to the ‘Tree View’ on the left side of the interface.
• Expand the data source and navigate to the file system.
• Locate the “$MFT” file, which is the Master File Table.
6. Analysing the MFT:
• Select the MFT and review the details in the right-hand pane.
• You can explore various attributes of files stored in the MFT, such as timestamps, file names, and file sizes.