DFIR-01 : $MFT
The Master File Table contains information about every file and folder on the system.
Last updated
The Master File Table contains information about every file and folder on the system.
Last updated
Files that start with "$" are considered as metafiles, which are files that contain data about data and unlike FAT file system where some system metadata is stored as flat data tables in reserved system space, everything in NTFS is a file even metafiles.
$MFT, Master File Table, tracks every file and directory on the entire NTFS volume and makes references to other index files like $I30 that is available for every directory.
In the screenshot bellow, we extracted $MFT file using FTK Imager
You won't be able to see this type of files unless you change the attributes :
Let's make them visible
There are several tools we can use to parse $MFT content so that we can analyze it. In my case I am using the awesome tools of Eric Zimmerman particularly MFTECmd.exe tool
Let's parse our $MFT file using the following command :
After some data formatting using Excel we can have a table similar to this :
Now that the $MFT file is parsed we can start looking for some goodies.
The NTFS file system includes support for alternate data streams to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called :$DATA
. (Read more here OWASP).
The MFTECmd.exe
tool provides us with precooked information such as if a file has ADS or if it is an ADS like in the following columns
This can help you during your investigation to detect usage of techniques such as :
ATT&CK Tactic : Defense Evasion
ATT&CK Technique : Hide Artifacts
ATT&CK Sub-Technique : NTFS File Attributes
$MFT file consists of fixed length entries and one entry holds metadata for one object(file/folder). Each entry begins with "FILE" signature or x46x49x4Cx45
, and contains several information like number of links, flag(file/folder/unused) and ID in header. Then following area consists of attribute whose role and structure varies. (Read more here)
Normal entry has one $STANDARD_INFORMATION
attribute($SI) and one $FILE_NAME
attribute($FN). Both $SI and $FN has 4 time stamps(crtime, mtime, ctime and atime). We can read $SI time stamps via file's property or using Windows API. Windows manages $SI time stamps but the behavior of $FN time stamps are unknown.
So if an adversary is using anti-forensics tools such as Timestomp to modify the date of a given file, they can only modify the $SI timestamps and not $FN.
MFTECmd.exe provides us with a quick win by comparing both attributes' creation timestamps :
You can differentiate between both timestamps in the output file by the 0x10 or 0x30 attributes :
Created0x10: STANDARD_INFO created timestamp
Created0x30: FILE_NAME created timestamp
The parsed file contains many other goodies explained here by the author of the tool himself :
EntryNumber SequenceNumber InUse: Whether the record is free or not ParentEntryNumber ParentSequenceNumber ParentPath: Full path to the parent directory (NOT the absolute path to the file itself) FileName: Extension: For non-directories, the file extension, if any. FileSize: The size of the file, in bytes. For an ADS, it is the size of the ADS ReferenceCount: This is NOT the value stored in the MFT record, as it is usually not correct at all. rather, this number is calculated by looking at all non-DOS FILE_NAME records and finding the total number of unique parent MFT references that exist (i.e. hard links) ReparseTarget: Where a reparse point redirects to IsDirectory: True if this entry is for a directory, false for a file HasAds: True if this entry has one or more ADSs IsAds: True if the details being displayed correspond to an ADS. While an ADS technically doesn't have any timestamp associated with it as far as created/modified, etc. the corresponding FILE_NAME's details are used. This may change in the future and the timestamps will not be shown for ADSs SI<FN: True if the STANDARD_INFO created or last modified is less than the corresponding FILE_NAME time uSecZeros: True if STANDARD_INFO created, modified, or last access has 0s for sub-second precision Copied: True if STANDARD_INFO modified < STANDARD_INFO created time SiFlags: Things like "hidden" or "system", etc. NameType: DOS, Windows, Posix, etc. Created0x10: STANDARD_INFO created timestamp Created0x30: FILE_NAME created timestamp LastModified0x10 LastModified0x30 LastRecordChange0x10 LastRecordChange0x30 LastAccess0x10 LastAccess0x30 UpdateSequenceNumber LogfileSequenceNumber SecurityId: Offset pointing into $Secure ObjectIdFileDroid LoggedUtilStream ZoneIdContents: For ADSs with a name of "Zone.Identifier", the contents of the ADS are extracted and saved to this column. This allows you to see the Zone ID and in some cases, the origin of where a particular file came from (URL will be included in the ADS).
The last column can provide us with zone.Identifier
ADS of a file, if any. We can then shift our focus on files with zoneID=3
(Internet Zone) ADS.
The tool also gives us information about whether the file was copied or not and its MACB timestamps.
MACB dates are going to be the subject of a separate blog