MFT Parse

Master File Table analysis and viewing

View attributes from a sector view

    With NTFS recovery and analysis, understanding the MFT is extremely important. To assist with this, CnW data recovery software will highlight fields when an MFT sector is displayed using view sector. MFT sectors can also be viewed by double clicking on the sector number within the log function. A final way to find an MFT sector is from the NTFS recover options menu: by clicking on the MFT sector box, the first MFT record will be displayed.

    The function works on all versions of CnW, including the free demo; download now.

[Image: mft_parse]

Hover with the mouse to decode fields

    When the mouse pointer is placed over a field, the tool tip describes the field contents. The example above shows the file modification date within the Standard Attribute header.

    An MFT record always starts with a header: the signature FILE, followed by the pointer to the fix-up bytes, which is either * (0x2A) or 0 (0x30). XP systems always use the value 0x30 ('0'). All values are little endian.

    After the header comes a series of attribute records, each of which always starts with a 4-byte type number followed by a 4-byte length. The record types are:

    • 0x10 Standard Attribute Header
    • 0x20 Non resident pointers
    • 0x30 File name
    • 0x50 Security descriptor
    • 0x60 Volume name
    • 0x80 Data run pointers and file size
    • 0xA0 Index allocation
    • 0xB0 Bitmap
    • 0xD0 EA information
    • 0xE0 EA
    • 0xF0 Property Set
    • 0x100 Logged utility stream

    For the main header, typically the first 0x38 bytes, the following fields are displayed:

    • MFT header pointer to fix-up: 0x30
    • Fix-up count: 03
    • $Logfile sequence number
    • Number of times the MFT record has been reused
    • Hard link count
    • Real size of MFT record
    • Allocated size of MFT record
    • MFT value: 0x00, the reference number of this MFT record within the $MFT file
    • Status flag indicating whether the MFT record is for a file or a directory, and whether it is in use or deleted
    • Fix-up value; the tool verifies whether the values at offsets 0x1FE and 0x1FF (the last two bytes of the sector) match it and reports correct or incorrect

    For Standard Information, record type 0x10, the following fields are displayed:

    • Creation date
    • File modified date
    • MFT changed time
    • File read time 
    • File attributes, such as Read Only, Compressed, Hidden

    For the File Name record, type 0x30:

    • Creation date
    • File modified date
    • MFT changed time
    • File read time 

    For data run records, types 0x80 and 0xA0:

    • Offset to data runs
    • Allocated size of file
    • Real size of file
    • Initialised size of data stream
    • Cluster start of data runs
    • Length of first data run in clusters

This list is not complete and will be extended in future releases, as will the decoding of other popular sector types.
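As an added example (not CnW's own code), the following Python parser decodes the same header fields the tool highlights, checks the fix-up bytes at the end of each 512-byte sector the way the tool's correct/incorrect check does, and walks the attribute records by their 4-byte type and 4-byte length, decoding the four timestamps and the attribute flags of a 0x10 Standard Information record. It assumes an XP-style 1024-byte record (fix-up pointer 0x30, record number at offset 0x2C) and runs against a constructed sample record, not data from a real disk.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; timestamps are 100 ns ticks, little endian

def filetime_to_dt(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def apply_fixups(rec, sector=512):
    """Verify the update sequence number at the end of every sector, then restore the saved original bytes."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)  # offset 0x04: pointer to fix-ups, 0x06: fix-up count
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(usa_count - 1):
        end = (i + 1) * sector
        if buf[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or not an MFT record")
        buf[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(buf)

def parse_mft_record(rec):
    if rec[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    rec = apply_fixups(rec)
    _, _, lsn, seq, links, off, flags, real, alloc, _, _, _, recno = struct.unpack_from("<HHQHHHHIIQHHI", rec, 4)
    info = {"record_number": recno, "lsn": lsn, "reuse_count": seq, "hard_links": links, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "real_size": real, "allocated_size": alloc, "attributes": []}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)  # every attribute starts with 4-byte type, 4-byte length
        if atype == 0xFFFFFFFF or alen == 0:  # 0xFFFFFFFF marks the end of the attribute list
            break
        attr = {"type": atype, "length": alen}
        if atype == 0x10:  # resident Standard Information: content offset is at +0x14
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            c, m, mc, r, fa = struct.unpack_from("<QQQQI", rec, off + coff)
            attr.update(created=filetime_to_dt(c), modified=filetime_to_dt(m),
                        mft_changed=filetime_to_dt(mc), read=filetime_to_dt(r), file_attributes=fa)
        info["attributes"].append(attr)
        off += alen
    return info

def build_sample_record():
    """Constructed 1024-byte record (not from a real disk): XP header, one 0x10 attribute, fix-ups applied."""
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0x1234, 2, 1, 0x38, 1, 0x88, 1024, 0, 3, 0, 5)
    usa = b"\x07\x00" + b"\x00\x00" * 3  # USN 0x0007, saved ending of sectors 0 and 1, 2 bytes of padding
    when = (datetime(2005, 6, 1, 12, tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10
    std = struct.pack("<IIBBHHHIHBB", 0x10, 0x48, 0, 0, 0x18, 0, 0, 0x30, 0x18, 0, 0)
    std += struct.pack("<QQQQIIII", when, when + 10_000_000, when, when, 0x20, 0, 0, 0)  # 0x20 = ARCHIVE
    rec = bytearray((hdr + usa + std + b"\xff" * 4).ljust(1024, b"\x00"))
    rec[0x1FE:0x200] = rec[0x3FE:0x400] = b"\x07\x00"  # what the two sectors end with on disk
    return bytes(rec)
```

A record whose sector endings do not carry the update sequence number is rejected rather than decoded, which is the same torn-write condition the tool flags as incorrect.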
