# DFIR-01 : $MFT ## What is $MFT: Files that start with "$" are considered as metafiles, which are files that contain data about data and unlike FAT file system where some system metadata is stored as flat data tables in reserved system space, everything in NTFS is a file even metafiles. **$MFT**, Master File Table, tracks every file and directory on the entire NTFS volume and makes references to other index files like $I30 that is available for every directory. In the screenshot bellow, we extracted $MFT file using FTK Imager ![Extracting $MFT using FTK](/files/-MOlZCup6mALcUwfftZi) {% hint style="info" %} You won't be able to see this type of files unless you change the attributes : {% endhint %} ![](/files/-MOlb-vdUUo5CJ_2hJic) Let's make them visible ``` >attrib -s -h $MFT ``` There are several tools we can use to parse $MFT content so that we can analyze it. In my case I am using the awesome tools of [Eric Zimmerman](https://ericzimmerman.github.io/) particularly MFTECmd.exe tool ``` C:\Users\Administrateur\Documents\ForensicsTool>MFTECmd.exe MFTECmd version 0.5.0.0 Author: Eric Zimmerman (saericzimmerman@gmail.com) https://github.com/EricZimmerman/MFTECmd f File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required json Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified jsonf File name to save JSON formatted results to. When present, overrides default name csv Directory to save CSV formatted results to. This or --json required unless --de or --body is specified csvf File name to save CSV formatted results to. When present, overrides default name body Directory to save bodyfile formatted results to. --bdl is also required when using this option bodyf File name to save body formatted results to. When present, overrides default name bdl Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided blf When true, use LF vs CRLF for newlines. Default is FALSE dd Directory to save exported FILE record. --do is also required when using this option do Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets de Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5. fls When true, displays contents of directory specified by --de. Ignored when --de points to a file. ds Dump full details for Security Id as decimal or hex. Example: 624 or 0x270 dt The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff sn Include DOS file name types. Default is FALSE at When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE vss Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE dedupe Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE debug Show debug information during processing trace Show trace information during processing Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout" MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5 Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes ``` Let's parse our $MFT file using the following command : ``` >MFTECmd.exe -f "C:\Users\Administrateur\Documents\ForensicsTool\$MFT" --csv "C:\Users\Administrateur\Documents\ForensicsTool" ``` After some data formatting using Excel we can have a table similar to this : ![Parsed $MFT File](/files/-MOlle9ttJ12Wn5YYnMK) Now that the $MFT file is parsed we can start looking for some goodies. ## Alternate Data Streams The NTFS file system includes support for alternate data streams to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called `:$DATA`. (Read more here [OWASP](https://owasp.org/www-community/attacks/Windows_alternate_data_stream)). The `MFTECmd.exe` tool provides us with precooked information such as if a file has ADS or if it is an ADS like in the following columns ![ADS](/files/-MOlz1bINPH6X87pwgeP) This can help you during your investigation to detect usage of techniques such as : * ATT\&CK Tactic : **Defense Evasion** * ATT\&CK Technique : **Hide Artifacts** * ATT\&CK Sub-Technique : **NTFS File Attributes** ## Anti-Forensics : $SI, $FN timestamp $MFT file consists of fixed length entries and one entry holds metadata for one object(file/folder). Each entry begins with "FILE" signature or `x46x49x4Cx45`, and contains several information like number of links, flag(file/folder/unused) and ID in header. Then following area consists of attribute whose role and structure varies. ([Read more here](http://www.kazamiya.net/en/fte/MFT)) ![$MFT Entries](/files/-MOm-5-OtqWPwyg3W95s) Normal entry has one `$STANDARD_INFORMATION` attribute($SI) and one `$FILE_NAME` attribute($FN). Both $SI and $FN has 4 time stamps(crtime, mtime, ctime and atime). **We can read $SI time stamps via file's property or using Windows API**. Windows manages $SI time stamps but the behavior of $FN time stamps are unknown. So if an adversary is using anti-forensics tools such as [**Timestomp**](https://forensicswiki.xyz/wiki/index.php?title=Timestomp#:~:text=Timestomp%20is%20a%20utility%20co,timestamp%2Drelated%20information%20on%20files.) to modify the date of a given file, they can only modify the **$SI** timestamps and not **$FN**. MFTECmd.exe provides us with a quick win by comparing both attributes' creation timestamps : ![$SI vs $FN](/files/-MOm4QmKr3JMhnx9RRiQ) You can differentiate between both timestamps in the output file by the 0x10 or 0x30 attributes : * **Created0x10**: STANDARD\_INFO created timestamp * **Created0x30**: FILE\_NAME created timestamp ## Downloaded File for the internet The parsed file contains many other goodies explained [here ](https://binaryforay.blogspot.com/2018/06/introducing-mftecmd.html)by the author of the tool himself : > **EntryNumber**\ > **SequenceNumber**\ > **InUse**: Whether the record is free or not\ > **ParentEntryNumber**\ > **ParentSequenceNumber**\ > **ParentPath**: Full path to the parent directory (NOT the absolute path to the file itself)\ > **FileName**:\ > **Extension**: For non-directories, the file extension, if any.\ > **FileSize**: The size of the file, in bytes. For an ADS, it is the size of the ADS\ > **ReferenceCount**: This is NOT the value stored in the MFT record, as it is usually not correct at all. rather, this number is [calculated](https://github.com/EricZimmerman/MFT/blob/master/MFT/Other/ExtensionMethods.cs#L9) by looking at all non-DOS FILE\_NAME records and finding the total number of unique parent MFT references that exist (i.e. hard links)\ > **ReparseTarget**: Where a reparse point redirects to\ > **IsDirectory**: True if this entry is for a directory, false for a file\ > **HasAds**: True if this entry has one or more ADSs\ > **IsAds**: True if the details being displayed correspond to an ADS. While an ADS technically doesn't have any timestamp associated with it as far as created/modified, etc. the corresponding FILE\_NAME's details are used. This may change in the future and the timestamps will not be shown for ADSs\ > **SI\ **uSecZeros**: True if STANDARD\_INFO created, modified, or last access has 0s for sub-second precision\ > **Copied**: True if STANDARD\_INFO modified < STANDARD\_INFO created time\ > **SiFlags**: Things like "hidden" or "system", etc.\ > **NameType**: DOS, Windows, Posix, etc.\ > **Created0x10**: STANDARD\_INFO created timestamp\ > **Created0x30**: FILE\_NAME created timestamp\ > **LastModified0x10**\ > **LastModified0x30**\ > **LastRecordChange0x10**\ > **LastRecordChange0x30**\ > **LastAccess0x10**\ > **LastAccess0x30**\ > **UpdateSequenceNumber**\ > **LogfileSequenceNumber**\ > **SecurityId**: Offset pointing into $Secure\ > **ObjectIdFileDroid**\ > **LoggedUtilStream**\ > **ZoneIdContents**: For ADSs with a name of "Zone.Identifier", the contents of the ADS are extracted and saved to this column. This allows you to see the Zone ID and in some cases, the origin of where a particular file came from (URL will be included in the ADS). The last column can provide us with `zone.Identifier` ADS of a file, if any. We can then shift our focus on files with **`zoneID=3`** (Internet Zone) ADS. The tool also gives us information about whether the file was copied or not and its MACB timestamps. {% hint style="info" %} MACB dates are going to be the subject of a separate blog {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.unh4ck.com/dfir/dfir-01-usdmft.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.