The master file table (MFT) is the central index of the New Technology File System (NTFS): a system file that contains at least one entry for every file stored on an NTFS volume, including the MFT itself. An entry holds everything NTFS knows about a file, including its size, time and date stamps, permissions, and data content; that content is stored either in the MFT entry itself or in space outside the MFT that the entry describes.
You can liken it to the inventory of a store: everything an employee needs to know about the store’s products can be found in it. It tells you how many items of a particular product are still available, when they were ordered, when they will expire, and more. In this analogy, the inventory is the MFT.
Digital forensics investigators can use the MFT to know all about the files stored on any Windows computer or system that uses NTFS.
Before we know more about the MFT, let’s tackle the basics first.
What Is NTFS?
NTFS is the default journaling file system that Microsoft developed for its operating systems (OSs), starting with Windows NT 3.1. It replaced the File Allocation Table (FAT) file system. While it was created for Windows, it is also supported on Linux and BSD OSs.
What Is the Difference between NTFS and FAT?
Microsoft probably switched to NTFS because it supports large files, is less prone to file corruption than FAT, supports file permissions and encryption, can automatically restore files when needed, supports compression, and can limit disk space through quotas. FAT only supports files of up to 4GB, is prone to file corruption, and doesn’t support file permissions.
Take a look at this simple comparison table.
| Feature | NTFS | FAT |
|---|---|---|
| Supports very large files (>4GB in size) | ✓ | ✘ |
| Prone to file corruption | ✘ | ✓ |
| Supports file permissions | ✓ | ✘ |
| Supports encryption | ✓ | ✘ |
| Restores corrupted files from stored backups | ✓ | ✘ |
| Compresses files when disk is nearly full | ✓ | ✘ |
| Employs disk quotas | ✓ | ✘ |
What Does the Master File Table Look Like?
Every file stored in an NTFS volume has a corresponding record in the MFT. The first 16 records of the MFT are reserved for special information, meaning they can’t be changed. The first of these 16 records describes the MFT itself. The second is a mirror copy of the first record, much like a backup. The remaining reserved records hold the other metadata files, which are listed in full in the “System Files” chapter.
After that comes a record for each file. If a file is small (at most 512 bytes), its data is stored entirely inside the MFT record. If not, only the file’s record is housed in the MFT; it contains index information that points to the external locations on disk where the data lives.
Here’s an illustration of the MFT.
Source: http://ntfs.com/ntfs-mft.htm
Meanwhile, here is a sample MFT record for a small file.
Why Is the Master File Table Critical to Digital Forensics?
As mentioned, the MFT keeps records of all the information on each file stored in NTFS. That means that even if a suspect hides a file, making it nearly invisible to digital forensics experts by renaming or disguising it, a careful look at the MFT will reveal everything about it.
Even if the suspect strips the file’s extension, the MFT will still tell you what data it contains. If the file has been renamed, digital forensics investigators can still determine its content using the MFT. And even if it’s kept in a hidden folder, the MFT will still tell experts where it is physically located.
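As an added example (not code from this page or from ntfs.com), here is a minimal Python parser for one 1024-byte MFT FILE record: it applies the update-sequence fixups, walks the attribute chain and pulls out the $FILE_NAME, the $STANDARD_INFORMATION creation time and the resident $DATA, which is how an examiner sees the true content of a renamed small file. The record it parses is constructed in-code (a file named "invoice.txt" whose data is actually a PDF header); the header and attribute offsets follow the standard on-disk layout, while the sample values (timestamp, record number 7, parent reference 5) are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks since this instant
def _attr(atype, content):  # resident attribute: 24-byte header, content padded to 8 bytes
    hdr = struct.pack("<IIBBHHHIHH", atype, 24 + len(content) + (-len(content) % 8), 0, 0, 0, 0, 0, len(content), 24, 0)
    return hdr + content + b"\0" * (-len(content) % 8)

def sample_record():  # constructed record #7: 'invoice.txt' whose resident $DATA is really a PDF
    t = struct.pack("<Q", int((datetime(2023, 5, 1, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10_000_000)
    data = b"%PDF-1.7 constructed sample body"
    std_info = t * 4 + struct.pack("<IIII", 0x20, 0, 0, 0)                   # 4 timestamps + ARCHIVE flag
    fname = (struct.pack("<Q", 5 | 5 << 48) + t * 4 + struct.pack("<QQIIBB", 1024, len(data), 0x20, 0, 11, 3)
             + "invoice.txt".encode("utf-16-le"))                             # parent = record 5 (root directory)
    body = _attr(0x10, std_info) + _attr(0x30, fname) + _attr(0x80, data) + struct.pack("<II", 0xFFFFFFFF, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024, 0, 3, 0, 7)
    rec = bytearray((hdr + b"\x01\x00" + b"\0" * 6 + body).ljust(1024, b"\0"))  # USN = 1, two USA slots, pad to 0x38
    for i, end in ((1, 512), (2, 1024)):                                      # stamp the USN over each sector's last word
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end - 2:end] = rec[end - 2:end], b"\x01\x00"
    return bytes(rec)

def apply_fixups(rec):  # verify the USN at each sector's end (torn-write check) and restore the original word
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if out[512 * i - 2:512 * i] != usn:
            raise ValueError("USN mismatch: torn write or corrupt record")
        out[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(raw):  # walk the attribute chain for what an examiner wants: name, creation time, data location
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec, info = apply_fixups(raw), {"data_resident": False}  # flips to True only if $DATA sits inside the record
    off = struct.unpack_from("<H", rec, 0x14)[0]             # offset of the first attribute
    while True:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF:                              # end-of-attributes marker
            break
        if not nonres:                                       # non-resident attributes only carry cluster pointers
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                                # $STANDARD_INFORMATION: creation time is the first FILETIME
                info["created"] = EPOCH + timedelta(microseconds=struct.unpack_from("<Q", body)[0] // 10)
            elif atype == 0x30:                              # $FILE_NAME: name length at byte 64, UTF-16LE name at 66
                info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
            elif atype == 0x80:                              # resident $DATA: the file content itself is in the MFT
                info["data_resident"], info["data"] = True, body
        off += alen
    return info
```

On a real volume the same parser would be fed 1024-byte slices of an exported $MFT; the USN check is what separates a clean record from one caught mid-write.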
What File Information Does the Master File Table Provide?
An MFT record keeps the following information about all files in an NTFS volume:
- File’s location in the directory
- Physical location of the file on the drive
- File metadata, including when the file and its enclosing folder were created, when they were modified, when they were accessed, how big the physical and logical files are, and what their Access Control List (ACL) details are (an ACL lists who can access a particular resource and with which rights)
As you’ve seen, looking at the MFT is a faster way to find a file that can serve as evidence in a digital forensics investigation, especially if the suspect has hidden it.