DFIR-01 : $MFT
The Master File Table contains information about every file and folder on the system.
Files that start with "$" are considered as metafiles, which are files that contain data about data and unlike FAT file system where some system metadata is stored as flat data tables in reserved system space, everything in NTFS is a file even metafiles.
$MFT, Master File Table, tracks every file and directory on the entire NTFS volume and makes references to other index files like $I30 that is available for every directory.
In the screenshot bellow, we extracted $MFT file using FTK Imager
Extracting $MFT using FTK
Let's make them visible
>attrib -s -h $MFT
MFTECmd version 0.5.0.0
Author: Eric Zimmerman ([email protected])
f File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required
json Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
jsonf File name to save JSON formatted results to. When present, overrides default name
csv Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
csvf File name to save CSV formatted results to. When present, overrides default name
body Directory to save bodyfile formatted results to. --bdl is also required when using this option
bodyf File name to save body formatted results to. When present, overrides default name
bdl Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
blf When true, use LF vs CRLF for newlines. Default is FALSE
dd Directory to save exported FILE record. --do is also required when using this option
do Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets
de Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
fls When true, displays contents of directory specified by --de. Ignored when --de points to a file.
ds Dump full details for Security Id as decimal or hex. Example: 624 or 0x270
dt The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
sn Include DOS file name types. Default is FALSE
at When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE
vss Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE
dedupe Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE
debug Show debug information during processing
trace Show trace information during processing
Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes
Let's parse our $MFT file using the following command :
>MFTECmd.exe -f "C:\Users\Administrateur\Documents\ForensicsTool\$MFT" --csv "C:\Users\Administrateur\Documents\ForensicsTool"
After some data formatting using Excel we can have a table similar to this :
Parsed $MFT File
Now that the $MFT file is parsed we can start looking for some goodies.
The NTFS file system includes support for alternate data streams to provide compatibility with files in the Macintosh file system. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called
:$DATA. (Read more here OWASP).
MFTECmd.exetool provides us with precooked information such as if a file has ADS or if it is an ADS like in the following columns
This can help you during your investigation to detect usage of techniques such as :
- ATT&CK Tactic : Defense Evasion
- ATT&CK Technique : Hide Artifacts
- ATT&CK Sub-Technique : NTFS File Attributes
$MFT file consists of fixed length entries and one entry holds metadata for one object(file/folder). Each entry begins with "FILE" signature or
x46x49x4Cx45, and contains several information like number of links, flag(file/folder/unused) and ID in header. Then following area consists of attribute whose role and structure varies. (Read more here)
Normal entry has one
$STANDARD_INFORMATIONattribute($SI) and one
$FILE_NAMEattribute($FN). Both $SI and $FN has 4 time stamps(crtime, mtime, ctime and atime). We can read $SI time stamps via file's property or using Windows API. Windows manages $SI time stamps but the behavior of $FN time stamps are unknown.
MFTECmd.exe provides us with a quick win by comparing both attributes' creation timestamps :
$SI vs $FN
You can differentiate between both timestamps in the output file by the 0x10 or 0x30 attributes :
- Created0x10: STANDARD_INFO created timestamp
- Created0x30: FILE_NAME created timestamp
EntryNumber SequenceNumber InUse: Whether the record is free or not ParentEntryNumber ParentSequenceNumber ParentPath: Full path to the parent directory (NOT the absolute path to the file itself) FileName: Extension: For non-directories, the file extension, if any. FileSize: The size of the file, in bytes. For an ADS, it is the size of the ADS ReferenceCount: This is NOT the value stored in the MFT record, as it is usually not correct at all. rather, this number is calculated by looking at all non-DOS FILE_NAME records and finding the total number of unique parent MFT references that exist (i.e. hard links) ReparseTarget: Where a reparse point redirects to IsDirectory: True if this entry is for a directory, false for a file HasAds: True if this entry has one or more ADSs IsAds: True if the details being displayed correspond to an ADS. While an ADS technically doesn't have any timestamp associated with it as far as created/modified, etc. the corresponding FILE_NAME's details are used. This may change in the future and the timestamps will not be shown for ADSs SI<FN: True if the STANDARD_INFO created or last modified is less than the corresponding FILE_NAME time uSecZeros: True if STANDARD_INFO created, modified, or last access has 0s for sub-second precision Copied: True if STANDARD_INFO modified < STANDARD_INFO created time SiFlags: Things like "hidden" or "system", etc. NameType: DOS, Windows, Posix, etc. Created0x10: STANDARD_INFO created timestamp Created0x30: FILE_NAME created timestamp LastModified0x10 LastModified0x30 LastRecordChange0x10 LastRecordChange0x30 LastAccess0x10 LastAccess0x30 UpdateSequenceNumber LogfileSequenceNumber SecurityId: Offset pointing into $Secure ObjectIdFileDroid LoggedUtilStream ZoneIdContents: For ADSs with a name of "Zone.Identifier", the contents of the ADS are extracted and saved to this column. This allows you to see the Zone ID and in some cases, the origin of where a particular file came from (URL will be included in the ADS).
The last column can provide us with
zone.IdentifierADS of a file, if any. We can then shift our focus on files with
zoneID=3(Internet Zone) ADS.
The tool also gives us information about whether the file was copied or not and its MACB timestamps.