MFT Artifact

fte parses the $MFT internal file and outputs metadata such as time stamps on the MFT tab.

MFT Big Picture

MFT Entry

There is a $Boot internal file at the starting sector of an NTFS volume. $Boot contains administrative information such as the number of sectors per cluster, the start sector of $MFT, and so on. The $MFT file consists of fixed-length entries. One entry holds the metadata for one object (file/folder).

Each entry begins with a "FILE" signature, and its header contains information such as the number of links, a flag (file/folder/unused) and the entry ID. The area that follows consists of attributes whose roles and structures vary.

A normal entry has one $STANDARD_INFORMATION attribute ($SI) and one $FILE_NAME attribute ($FN).

If the name of a file or folder exceeds the 8.3 DOS style or contains symbol characters, one more $FN is added to the corresponding entry. A $FN is also added when a hard link is created.

$SI, $FN time stamp

Both $SI and $FN have 4 time stamps (crtime, mtime, ctime and atime). We can read the $SI time stamps via the file's properties or the Windows API. Windows manages the $SI time stamps, but the behavior of the $FN time stamps is unknown. In Windows Vista or later, updating of atime is disabled by default (NtfsDisableLastAccessUpdate registry entry), so atime no longer carries its original meaning.

NtfsDisableLastAccessUpdate
http://technet.microsoft.com/en-us/library/cc959914.aspx

The table below shows the behavior of the $SI/$FN time stamps in tests that I conducted.

Windows 7 Timestamp Behavior

Operation    | $SI crtime | $SI mtime | $SI ctime | $SI atime | $FN crtime | $FN mtime | $FN ctime | $FN atime
-------------+------------+-----------+-----------+-----------+------------+-----------+-----------+----------
Creation     | x          | x         | x         | x         | x          | x         | x         | x
Access       |            |           | x1        |           |            |           |           |
Modification |            | x         | x         | x1        | x3         | x1        | x1        | x1
Local Move   |            |           | x         |           | x2         | x2        | x2        | x2
Volume Move  | x1         |           | x1        | x         | x          | x         | x         | x
Copy         | x          |           | x         | x         | x          | x         | x         | x
Deletion     |            |           |           |           |            |           |           |

  • x - Updated
  • x1 - Updated depending on the condition
  • x2 - Inherited from the corresponding $SI time stamp
  • x3 - Inherited from the corresponding $SI time stamp depending on the condition

The verification results indicate that atime can be updated together with other time stamps, that all $FN time stamps can be updated to the same value, that some operations copy the $SI time stamps into $FN, and so on.

fte's behavior

On the MFT tab, specify the target drive and click Run, or drag objects (files/folders) and drop them onto the table area; fte then parses them and outputs the result. Here is an example of the results.

fte MFT

Each column means:

  • name - Object (file/folder) name
  • fixup - Fixup value (equal to the number of updates)
  • id, pid - MFT ID and parent MFT ID
  • flag - Flag (File, Folder, [D]File: deleted file, [D]Folder: deleted folder)
  • nspace - Namespace of the object name (POSIX, DOS, Win32, Win32/DOS)
  • links - Number of links
  • crtime, mtime, ctime, atime - $SI time stamps (Created, Modified, Changed, Accessed)
  • crtime(FN), mtime(FN), ctime(FN), atime(FN) - $FN time stamps (Created, Modified, Changed, Accessed)
  • remark - Order of all 8 $SI/$FN time stamps (ascending)

When two or more $FN attributes are contained within one entry, fte outputs them separately, so there may be multiple results for one ID. However, when exactly two $FN attributes exist in one entry, their namespaces are DOS and Win32, and their time stamps are the same, fte outputs only one line with "DOS, Win32" in the nspace column.

The remark column shows the order of the 8 $SI/$FN time stamps. It may be useful for deeper analysis of timestamp falsification.
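As an added example (it is not fte's code and not from the original page), the following Python block parses one 1024-byte $MFT entry the way the sections above describe: it checks the "FILE" signature, undoes the fixup, reads the link count, flag and entry ID from the header, walks the resident attributes to pull the four time stamps out of $SI and each $FN together with the parent ID and namespace, applies the DOS/Win32 merge rule, and builds the ascending-order remark string. Since no $MFT comes with the page, the block also constructs a sample entry in memory. The parent reference of 5 (the root directory), the remark format (labels joined with "=" when values are equal and " < " otherwise) and showing the Win32 name on a merged DOS/Win32 line are assumptions of this example, not documented fte behavior.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD = 512, 1024
KEYS = ("crtime", "mtime", "ctime", "atime")
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32/DOS"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def filetime(ft):   # 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixup(record):
    """Check the update sequence number (USN) ending each sector, restore the saved bytes."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_off:usa_off + 2], bytearray(record)
    for i in range(1, usa_count):
        if buf[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or corrupt entry")
        buf[i * SECTOR - 2:i * SECTOR] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf), struct.unpack("<H", usn)[0]

def parse_entry(record):
    """Return (header fields, $SI time stamps, list of $FN dicts) for one 1024-byte entry."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec, fixup = apply_fixup(record)
    links, attr_off, flags = struct.unpack_from("<HHH", rec, 0x12)
    header = {"fixup": fixup, "id": struct.unpack_from("<I", rec, 0x2C)[0], "links": links,
              "flag": ("" if flags & 1 else "[D]") + ("Folder" if flags & 2 else "File")}
    si, fns, off = None, [], attr_off
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:          # end-of-attributes marker
            break
        if rec[off + 8] == 0:                          # resident attribute: content inline
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                          # $STANDARD_INFORMATION
                si = dict(zip(KEYS, map(filetime, struct.unpack_from("<4Q", body))))
            elif atype == 0x30:                        # $FILE_NAME: parent ref, 4 stamps, name
                fn = dict(zip(KEYS, map(filetime, struct.unpack_from("<4Q", body, 8))))
                fn.update(pid=struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF,
                          nspace=NAMESPACES.get(body[0x41], str(body[0x41])),
                          name=body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le"))
                fns.append(fn)
        off += alen
    return header, si, fns

def remark(si, fn):
    """Ascending order of the 8 time stamps; equal values are joined with '='."""
    stamped = sorted([(si[k], k) for k in KEYS] + [(fn[k], k + "(FN)") for k in KEYS],
                     key=lambda p: p[0])              # stable: ties keep $SI-then-$FN order
    text = stamped[0][1]
    for (prev, _), (t, label) in zip(stamped, stamped[1:]):
        text += ("=" if t == prev else " < ") + label
    return text

def rows(record):
    """One output line per $FN, except a DOS/Win32 pair with identical time stamps."""
    header, si, fns = parse_entry(record)
    if (len(fns) == 2 and {f["nspace"] for f in fns} == {"DOS", "Win32"}
            and all(fns[0][k] == fns[1][k] for k in KEYS)):
        win32 = next(f for f in fns if f["nspace"] == "Win32")
        fns = [dict(win32, nspace="DOS, Win32")]       # assumption: the long name is shown
    return [dict(header, name=fn["name"], pid=fn["pid"], nspace=fn["nspace"], remark=remark(si, fn),
                 **{k: si[k] for k in KEYS}, **{k + "(FN)": fn[k] for k in KEYS}) for fn in fns]

def _attr(atype, body):   # resident attribute: 24-byte header, content at 0x18, padded to 8
    data = struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0) + body
    data += b"\0" * (-len(data) % 8)
    return data[:4] + struct.pack("<I", len(data)) + data[8:]

def build_record(rec_no, names, si_ts, fn_ts, links=1, in_use=True, is_dir=False, usn=7):
    """Constructed entry (not from a real volume): $SI, one $FN per (name, namespace), fixup."""
    ft = lambda d: ((d - EPOCH) // timedelta(microseconds=1)) * 10   # datetime -> FILETIME
    attrs = _attr(0x10, struct.pack("<4QI", *[ft(si_ts[k]) for k in KEYS], 0x20) + b"\0" * 12)
    for name, ns in names:                             # parent reference 5 = root directory
        attrs += _attr(0x30, struct.pack("<Q4QQQIIBB", 5, *[ft(fn_ts[k]) for k in KEYS],
                       0, 0, 0x20, 0, len(name), ns) + name.encode("utf-16-le"))
    attrs += b"\xff\xff\xff\xff\0\0\0\0"               # end-of-attributes marker
    usa_off, usa_count, attr_off, buf = 0x30, 3, 0x38, bytearray(RECORD)
    buf[:0x30] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, links, attr_off,
                             (1 if in_use else 0) | (2 if is_dir else 0),
                             attr_off + len(attrs), RECORD, 0, 0, 0, rec_no)
    buf[attr_off:attr_off + len(attrs)] = attrs
    struct.pack_into("<H", buf, usa_off, usn)
    for i in range(1, usa_count):                      # save each sector tail, stamp the USN
        buf[usa_off + 2 * i:usa_off + 2 * i + 2] = buf[i * SECTOR - 2:i * SECTOR]
        struct.pack_into("<H", buf, i * SECTOR - 2, usn)
    return bytes(buf)

def sample_entry(in_use=True):   # constructed sample: DOS + Win32 names, created then modified once
    t = lambda *a: datetime(*a, tzinfo=timezone.utc)
    si = {"crtime": t(2010, 1, 5, 9), "mtime": t(2010, 1, 6, 10), "ctime": t(2010, 1, 7, 11), "atime": t(2010, 1, 5, 9)}
    return build_record(64, [("REPORT~1.DOC", 2), ("report-final.docx", 1)], si, dict.fromkeys(KEYS, t(2010, 1, 5, 9)), in_use=in_use)
```

Calling rows(sample_entry()) returns one line with nspace "DOS, Win32" and the remark "crtime=atime=crtime(FN)=mtime(FN)=ctime(FN)=atime(FN) < mtime < ctime", which is consistent with the table above for a file that was created and then modified once without the conditional $FN updates firing. Flipping a byte at offset 510 makes apply_fixup raise, which is the check a parser needs before trusting any time stamp read from a torn or corrupt entry.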
