The MFT: The Forensic Investigator’s Secret Weapon (2024)

OVERVIEW
The Master File Table (MFT) is a crucial component of Windows filesystems, serving as a central repository of information about all the files and folders stored on a drive. It’s like an index that keeps track of the names, locations, sizes, and security attributes of every file on your computer.
The MFT is particularly important in cybersecurity investigations, as it provides valuable insights into file system activities and potential security breaches. DFIR (Digital Forensics and Incident Response) professionals often examine MFT records to reconstruct events, track malware infections, and identify the origin of data breaches.

KEY TAKEAWAYS
1. Reconstructing the Timeline of Events: The MFT contains timestamps for every file creation, modification, or deletion, providing a chronological record of file system activities. By analysing these timestamps, investigators can piece together the sequence of events leading up to and during a security breach.

2. Identifying File Access and Modifications: The MFT logs every access to a file, including who accessed the file, when it was accessed, and the type of access (read, write, or execute). This information can reveal suspicious activity, such as unauthorized access to sensitive files or attempts to modify critical system components.

3. Tracking Malware Propagation: Malware infections often modify file timestamps, create new files, or delete existing ones. By analysing MFT records for these anomalies, investigators can trace the infection path and identify the malware’s entry point.

4. Locating Evidence and Artifacts: The MFT can serve as a treasure trove of evidence, including file metadata, deleted files, and timestamps that can be used to reconstruct the attack and identify potential suspects.

5. Gaining Insight into Attacker Tactics, Techniques, and Procedures (TTPs): The MFT can provide insights into the attacker’s methods, such as the tools they used, the files they targeted, and the techniques they employed to gain access or maintain persistence on the system.

6. Supporting Legal Investigations: MFT records can be used as evidence in legal proceedings, providing clear and verifiable timestamps and access details to support criminal investigations.

BLUF: investigating the MFT is a crucial step in any cybersecurity investigation, as it provides valuable insights into the activities of attackers, the timeline of events, and the potential impact of the breach. By understanding the MFT’s structure and analysing its records, investigators can reconstruct the attack, identify the source, and gather evidence to support legal actions.

EXTRACTING, VIEWING, and ANALYSING MFT — ACCESSDATA FTK

TECHNICAL STEPS

1. Run AccessData FTK Tool

2. Click File (source model EnCase file: https://drive.google.com/file/d/1Fd1pX1r4waRkD6Z2O8J5cRZyeSNU5-SY/view)

3. Click Add Evidence Item

4. Click Image File

5. Locate and select the Artifact/Evidence file (E01, AFF, VMDK, DD)

6. Processing the Image

· After adding the image, FTK will require you to process it. Choose the appropriate processing options. Make sure to select options that enable the parsing of the file system, which will include the MFT.

7. Viewing the MFT:

· Once processing is complete, navigate to the ‘File System’ tab. Locate the root of the drive contained within the E01 file. Here, you should find the MFT listed, typically as “$MFT”.

8. Analyze the MFT

· You can view the details of the MFT, analyze file metadata, and perform other forensic examinations as required.

9. Export the MFT:

· Right-click the $MFT entry and select “Export the File”

10. Download an MFT viewer tool:

· MFT to CSV (MFT2CSV) from https://code.google.com/archive/p/mft2csv/downloads

· Install and Run

11. Select the file and start processing to CSV file.

12. Open the CSV file and investigate the logs.

TIP:

· Convert the CSV to an Excel file for a more organized and readable view.

o CSV To Excel/Delimited Converter (convertcsv.com)

EXTRACTING, VIEWING, and ANALYSING MFT — AUTOPSY

TECHNICAL STEPS
1. Open Autopsy:
• Launch Autopsy and create a new case or open an existing one.

2. Add Data Source:
• Within the case, select ‘Add Data Source’.
• Choose ‘Disk Image or VM File’ and navigate to your E01 file.
• Select the file and add it to your case.

3. Configure Ingest Modules:
• As you add the E01 file, you will be prompted to configure ingest modules.
• Select the modules that are relevant to your investigation. Ensure that file system data parsing is enabled.

4. Processing Data Source:
• Allow Autopsy to process the data source. This might take some time depending on the size of the image and the modules selected.

5. Viewing the MFT:
• Once processing is complete, navigate to the ‘Tree View’ on the left side of the interface.
• Expand the data source and navigate to the file system.
• Locate the “$MFT” file which represents the Master File Table.

6. Analysing the MFT:
• Select the MFT and review the details in the right-hand pane.
• You can explore various attributes of files stored in the MFT, such as timestamps, file names, and file sizes.

FAQs

What is the structure of master file table?

An MFT record consists of structured and unstructured data. The structured data relates to the record header which contains information relevant to the actual record. The unstructured data is an area to which attributes can be assigned. The attributes contain all the relevant file metadata.
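The record layout described above (a header followed by attributes), as an added Python example that is not part of the original article or of FTK, Autopsy or MFT2CSV. It assumes the common 1024-byte record size; `parse_record` and `sample_record` are hypothetical names, and the sample record is constructed. A $STANDARD_INFORMATION creation time earlier than the $FILE_NAME creation time is only a triage indicator of timestamp modification, since copies and archive extraction can produce it too.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime(v):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=v // 10)

def parse_record(raw):
    """Parse one MFT FILE record; None if the signature is wrong."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        return None
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):  # restore the real bytes at each sector end
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2)}
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker / corrupt length
            break
        body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
        if atype == 0x10 and rec[off + 8] == 0:    # resident $STANDARD_INFORMATION
            out["si_created"] = filetime(struct.unpack_from("<Q", rec, body)[0])
        elif atype == 0x30 and rec[off + 8] == 0:  # resident $FILE_NAME
            out["fn_created"] = filetime(struct.unpack_from("<Q", rec, body + 8)[0])
            n = rec[body + 0x40]                   # name length in UTF-16 units
            out["name"] = rec[body + 0x42:body + 0x42 + 2 * n].decode("utf-16-le")
        off += alen
    si, fn = out.get("si_created"), out.get("fn_created")
    out["si_before_fn"] = bool(si and fn and si < fn)  # triage flag only
    return out

def _attr(atype, content):  # constructed resident attribute, 8-byte aligned
    pad = b"\0" * (-len(content) % 8)
    return struct.pack("<IIBBHHHIHH", atype, 24 + len(content) + len(pad),
                       0, 0, 0, 0, 0, len(content), 24, 0) + content + pad

def sample_record(si_created, fn_created, name, in_use=True):
    """Build a constructed 1024-byte record for testing (not real evidence)."""
    ft = lambda d: int((d - EPOCH).total_seconds()) * 10**7
    si = struct.pack("<4QI", *[ft(si_created)] * 4, 0)
    fn = struct.pack("<Q4QQQIIBB", 5, *[ft(fn_created)] * 4, 0, 0, 0, 0,
                     len(name), 1) + name.encode("utf-16-le")
    hdr = struct.pack("<4sHHQHHHH", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use))
    rec = bytearray((hdr.ljust(0x38, b"\0") + _attr(0x10, si) + _attr(0x30, fn)
                     + b"\xff" * 4).ljust(1024, b"\0"))
    rec[0x30:0x32] = rec[510:512] = rec[1022:1024] = b"\x01\x00"  # USN + fixups
    return bytes(rec)
```

To apply it to an exported $MFT, read the file in 1024-byte chunks and pass each chunk to `parse_record`; records with `in_use` false are deleted entries whose name and timestamps are still present.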

What is stored in the MFT?

MFT or $MFT can be considered one of the most important files in the NTFS file system. It keeps records of all files in a volume, the files' location in the directory, the physical location of the files on the drive, and file metadata.

What is MFT in forensics?

In computer forensics, the Master File Table (MFT) is a crucial component of the Windows operating system. It is a database that contains essential information about every file and directory on a computer's hard drive. The MFT keeps track of a file's location on the hard drive and manages other attributes.

What is the one thing provided by the MFT and not the FAT that makes it difficult to find small files?

One of the major differences between NTFS and FAT is that the MFT contains information about the file's physical location on the disk, while the FAT only contains information about the logical location of the file, making it difficult to find small files without manually searching through the MFT.

Does MFT show deleted files?

Locating Evidence and Artifacts: The MFT can serve as a treasure trove of evidence, including file metadata, deleted files, and timestamps that can be used to reconstruct the attack and identify potential suspects.

What does the MFT mirror contain?

The MFT Mirror contains a backup of the first 4 NTFS system files: $MFT.


Author: Reed Wilderman