DFIR-01 : $MFT

The Master File Table contains information about every file and folder on the system.

What is $MFT:

Files that start with "$" are considered as metafiles, which are files that contain data about data and unlike FAT file system where some system metadata is stored as flat data tables in reserved system space, everything in NTFS is a file even metafiles.

$MFT, Master File Table, tracks every file and directory on the entire NTFS volume and makes references to other index files like $I30 that is available for every directory.

In the screenshot bellow, we extracted $MFT file using FTK Imager

You won't be able to see this type of files unless you change the attributes :

Let's make them visible

>attrib -s -h $MFT

There are several tools we can use to parse $MFT content so that we can analyze it. In my case I am using the awesome tools of Eric Zimmerman particularly MFTECmd.exe tool


MFTECmd version

Author: Eric Zimmerman (saericzimmerman@gmail.com)

        f               File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required

        json            Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        csv             Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
        csvf            File name to save CSV formatted results to. When present, overrides default name

        body            Directory to save bodyfile formatted results to. --bdl is also required when using this option
        bodyf           File name to save body formatted results to. When present, overrides default name
        bdl             Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
        blf             When true, use LF vs CRLF for newlines. Default is FALSE

        dd              Directory to save exported FILE record. --do is also required when using this option
        do              Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets

        de              Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
        fls             When true, displays contents of directory specified by --de. Ignored when --de points to a file.
        ds              Dump full details for Security Id as decimal or hex. Example: 624 or 0x270

        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        sn              Include DOS file name types. Default is FALSE
        at              When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE

        vss             Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE
        dedupe          Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE

        debug           Show debug information during processing
        trace           Show trace information during processing

Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
          MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
          MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5

          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Let's parse our $MFT file using the following command :

>MFTECmd.exe -f "C:\Users\Administrateur\Documents\ForensicsTool\$MFT" --csv "C:\Users\Administrateur\Documents\ForensicsTool"

After some data formatting using Excel we can have a table similar to this :

Now that the $MFT file is parsed we can start looking for some goodies.

Alternate Data Streams

The NTFS file system includes support for alternate data streams to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called :$DATA. (Read more here OWASP).

The MFTECmd.exe tool provides us with precooked information such as if a file has ADS or if it is an ADS like in the following columns

This can help you during your investigation to detect usage of techniques such as :

  • ATT&CK Tactic : Defense Evasion

  • ATT&CK Technique : Hide Artifacts

  • ATT&CK Sub-Technique : NTFS File Attributes

Anti-Forensics : $SI, $FN timestamp

$MFT file consists of fixed length entries and one entry holds metadata for one object(file/folder). Each entry begins with "FILE" signature or x46x49x4Cx45, and contains several information like number of links, flag(file/folder/unused) and ID in header. Then following area consists of attribute whose role and structure varies. (Read more here)

Normal entry has one $STANDARD_INFORMATION attribute($SI) and one $FILE_NAME attribute($FN). Both $SI and $FN has 4 time stamps(crtime, mtime, ctime and atime). We can read $SI time stamps via file's property or using Windows API. Windows manages $SI time stamps but the behavior of $FN time stamps are unknown.

So if an adversary is using anti-forensics tools such as Timestomp to modify the date of a given file, they can only modify the $SI timestamps and not $FN.

MFTECmd.exe provides us with a quick win by comparing both attributes' creation timestamps :

You can differentiate between both timestamps in the output file by the 0x10 or 0x30 attributes :

  • Created0x10: STANDARD_INFO created timestamp

  • Created0x30: FILE_NAME created timestamp

Downloaded File for the internet

The parsed file contains many other goodies explained here by the author of the tool himself :

EntryNumber SequenceNumber InUse: Whether the record is free or not ParentEntryNumber ParentSequenceNumber ParentPath: Full path to the parent directory (NOT the absolute path to the file itself) FileName: Extension: For non-directories, the file extension, if any. FileSize: The size of the file, in bytes. For an ADS, it is the size of the ADS ReferenceCount: This is NOT the value stored in the MFT record, as it is usually not correct at all. rather, this number is calculated by looking at all non-DOS FILE_NAME records and finding the total number of unique parent MFT references that exist (i.e. hard links) ReparseTarget: Where a reparse point redirects to IsDirectory: True if this entry is for a directory, false for a file HasAds: True if this entry has one or more ADSs IsAds: True if the details being displayed correspond to an ADS. While an ADS technically doesn't have any timestamp associated with it as far as created/modified, etc. the corresponding FILE_NAME's details are used. This may change in the future and the timestamps will not be shown for ADSs SI<FN: True if the STANDARD_INFO created or last modified is less than the corresponding FILE_NAME time uSecZeros: True if STANDARD_INFO created, modified, or last access has 0s for sub-second precision Copied: True if STANDARD_INFO modified < STANDARD_INFO created time SiFlags: Things like "hidden" or "system", etc. NameType: DOS, Windows, Posix, etc. Created0x10: STANDARD_INFO created timestamp Created0x30: FILE_NAME created timestamp LastModified0x10 LastModified0x30 LastRecordChange0x10 LastRecordChange0x30 LastAccess0x10 LastAccess0x30 UpdateSequenceNumber LogfileSequenceNumber SecurityId: Offset pointing into $Secure ObjectIdFileDroid LoggedUtilStream ZoneIdContents: For ADSs with a name of "Zone.Identifier", the contents of the ADS are extracted and saved to this column. This allows you to see the Zone ID and in some cases, the origin of where a particular file came from (URL will be included in the ADS).

The last column can provide us with zone.Identifier ADS of a file, if any. We can then shift our focus on files with zoneID=3 (Internet Zone) ADS.

The tool also gives us information about whether the file was copied or not and its MACB timestamps.

MACB dates are going to be the subject of a separate blog

Last updated